Всем добра!
Хочу сделать так, чтобы докер-контейнер был в той же сети, что и хост-машина. Айпи хост-машины — 192.168.1.2, ну а айпи докер-контейнера — 192.168.1.3.
Но ничего не получается — прошу помощи знающих.
Делаю все действия по этой доке https://docs.docker.com/articles/networking/#bridge-building:
Создал бридж:
# cat /etc/network/interfaces
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet manual
auto bridge0
iface bridge0 inet static
address 192.168.1.2
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 8.8.8.8 8.8.4.4
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_maxwait 0
И теперь состояние интерфейсов (docker0 я удалил, как и советует руководство https://docs.docker.com/articles/networking/#bridge-building):
root@docker:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bridge0 state UP group default qlen 1000
link/ether 08:00:27:a5:22:5d brd ff:ff:ff:ff:ff:ff
4: bridge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 08:00:27:a5:22:5d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global bridge0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea5:225d/64 scope link
valid_lft forever preferred_lft forever
root@docker:~#
Маршруты на хосте такие:
root@docker:~# ip r
default via 192.168.1.1 dev bridge0
192.168.1.0/24 dev bridge0 proto kernel scope link src 192.168.1.2
Iptables тут же:
root@docker:~# sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
Сеть на хосте работает:
root@docker:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=35.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=52 time=36.0 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 35.617/35.823/36.030/0.280 ms
root@docker:~#
Идем дальше по доке https://docs.docker.com/articles/networking/#bridge-building:
# echo 'DOCKER_OPTS="-b=bridge0"' >> /etc/default/docker
Проверяем что внутри:
# cat /etc/default/docker
# Docker Upstart and SysVinit configuration file
# Customize location of Docker binary (especially for development testing).
#DOCKER="/usr/local/bin/docker"
# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"
# This is also a handy place to tweak where Docker's temporary files go.
#export TMPDIR="/mnt/bigdrive/docker-tmp"
DOCKER_OPTS="-b=bridge0"
Стартуем docker и создаем контейнер:
root@docker:~# service docker start
docker start/running, process 1413
root@docker:~# docker run -i -t ubuntu /bin/bash
Unable to find image 'ubuntu:latest' locally
511136ea3c5a: Pull complete
511136ea3c5a: Download complete
f3c84ac3a053: Download complete
a1a958a24818: Download complete
9fec74352904: Download complete
d0955f21bf24: Download complete
Status: Downloaded newer image for ubuntu:latest
В самом контейнере:
root@727346abe539:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:a8:01:03 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.3/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:c0ff:fea8:103/64 scope link
valid_lft forever preferred_lft forever
root@727346abe539:/#
Айпи на интерфейсе из той же сети — 192.168.1.3.
Но пинги дальше самого хоста не идут:
root@727346abe539:/# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.058 ms
^C
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.058/0.059/0.061/0.007 ms
root@727346abe539:/# ping 192.168.1.41
PING 192.168.1.41 (192.168.1.41) 56(84) bytes of data.
^C
--- 192.168.1.41 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2014ms
root@727346abe539:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.1.2: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.2)
From 192.168.1.2: icmp_seq=3 Redirect Host(New nexthop: 192.168.1.2)
From 192.168.1.2: icmp_seq=4 Redirect Host(New nexthop: 192.168.1.2)
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2998ms
root@727346abe539:/#
Т.е. контейнер видит только хост-машину с айпи 192.168.1.2. На хосте нет разных селинуксов, аппарморов. Это убунта 14.04, как и в контейнере.
Tcpdump, например, на 192.168.1.41 не видит никаких ICMP-пакетов от контейнера.
Таблица роутов на контейнере:
root@727346abe539:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.2 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
root@727346abe539:/#
Айпитейблз на хост-машине после старта контейнера:
root@docker:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
root@docker:~#
Т.е. вроде всё верно (как я думаю), но контейнер ничего, кроме хоста, не видит :(