no internet inside docker-compose service

半腔热情 submitted on 2021-02-06 14:26:51

Question


I cannot reach external network from docker-compose containers.

Consider the following docker-compose file:

version: '2'
services:
    nginx:
      image: nginx

Using the simple docker run -it nginx bash I manage to reach external IPs or Internet IPs (ping www.google.com).

On the other hand if I use docker-compose and attach to the container, I cannot reach external IP addresses / DNS.

docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 1.12.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 7
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-38-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.859 GiB
Name: ***
ID: ****
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8

docker-compose 1.8.1, build 878cff1

daemon.json file:

{
  "iptables" : false,
  "dns" : ["8.8.8.8","8.8.4.4"]
}

Answer 1:


The last time I had a problem like that, I solved it like this:

https://github.com/docker/docker/issues/866#issuecomment-19218300

pkill docker
iptables -t nat -F
ifconfig docker0 down
brctl delbr docker0
docker -d

It will force docker to recreate the bridge and reinit all the network rules.

As for reasons why this happens, I don't have good answers. But I did recently trace the problem back to journald. When I restart journald (for example because I changed its config), DNS resolution inside docker-compose containers consistently/reproducibly breaks. I don't know why exactly, I can only say that this is a reliable way for me to reproduce it on RHEL.

EDIT: The docker -d command might not work for you based on the version of docker you are using, but don't worry about it; you can omit that command.




Answer 2:


Check /etc/default/docker to ensure it doesn't have the following line:

DOCKER_OPTS="--iptables=false"

Also check /etc/docker/daemon.json to ensure it doesn't have the following key:

{
"iptables":false
}

We added this on one server to get UFW working with docker. We then changed to an external firewall. Spent ages looking for the reason external networking wasn't working because it was removed from our deploy guide. Hope this helps someone else.
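
The two checks from this answer, written as a shell function (an added example, not part of the original answer). The function name and its arguments are assumptions made for illustration; the default paths are the two files named above.

```shell
#!/bin/sh
# Added example: report whether Docker has been told not to manage iptables.
# Usage: docker_iptables_disabled [daemon.json path] [/etc/default/docker path]
# Prints one line per finding; returns 0 if a disabling setting is found,
# 1 if neither file disables iptables (missing files count as "not set").
docker_iptables_disabled() {
    daemon_json=${1:-/etc/docker/daemon.json}
    default_file=${2:-/etc/default/docker}
    found=1

    # daemon.json: match "iptables": false with any spacing around the colon.
    # This is a text match, not a JSON parse, so it assumes the key and its
    # value sit on the same line.
    if [ -r "$daemon_json" ] &&
       grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$daemon_json"; then
        echo "$daemon_json: \"iptables\": false"
        found=0
    fi

    # /etc/default/docker: only an uncommented DOCKER_OPTS line counts, so a
    # leftover '#DOCKER_OPTS="--iptables=false"' is not reported.
    if [ -r "$default_file" ] &&
       grep -E '^[[:space:]]*(export[[:space:]]+)?DOCKER_OPTS=' "$default_file" |
       grep -Eq -- '--iptables=false'; then
        echo "$default_file: DOCKER_OPTS contains --iptables=false"
        found=0
    fi

    return "$found"
}
```

Source the file and run docker_iptables_disabled with no arguments to check the default paths on the Docker host.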




Answer 3:


Docker containers have the ability to access the internet by default. Here is how I solved the problem last week: "docker container can only access internet with net host"

Or you can just run the container in host mode:

version: '2'
services:
  nginx:
    image: nginx
    network_mode: host

But as @peedee pointed out in a comment, this solution will lose network separation between host and containers.




Answer 4:


The image nginx you are pulling doesn't have ping installed by default. So if you are really using ping to test your connection, you must first install it.

I created a custom Dockerfile to have it installed:

FROM nginx:latest
RUN apt update && apt -y install iputils-ping

Then I built it locally and tagged it as mynginx.

Then I changed docker-compose.yml to use the custom image mynginx:

version: '2'
services:
  nginx:
    image: mynginx

Finally, I fired docker-compose up, and did a docker exec into it, and tested ping. All worked just fine. I also did docker run -ti ... and it worked.

What bugs me about your question is how docker run can give you a container with different behaviour than one created by docker-compose up.

More clarity on how you check internet access would be helpful though.



Source: https://stackoverflow.com/questions/39867602/no-internet-inside-docker-compose-service
