Warning: file_get_contents(/data/phpspider/zhask/data//catemap/0/docker/10.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Docker AWS容器到Ping第二个接口_Docker_Networking_Nat_Amazon Ecs - Fatal编程技术网
Fatal编程技术网
  • docker/
  • Docker AWS容器到Ping第二个接口

Docker AWS容器到Ping第二个接口

docker networking

Docker AWS容器到Ping第二个接口,docker,networking,nat,amazon-ecs,Docker,Networking,Nat,Amazon Ecs,我正面临一个奇怪的问题。一个EC2实例,具有两个接口: eth0: 10.0.0.57 eth2: 10.0.1.8 ECS容器以网桥网络模式启动。Ping到10.0.0.57将通过。Ping到10.0.1.8不会得到回复。同一容器可以ping来自同一子网10.0.1.*的接口,前提是这些接口连接到其他实例,而不是本地实例。我不知道该怎么做 它似乎不相关,但其他实例可以ping 10.0.1.8 以下是我的路线表: Destination Gateway Genmask

我正面临一个奇怪的问题。一个EC2实例,具有两个接口:

eth0: 10.0.0.57
eth2: 10.0.1.8
ECS容器以网桥网络模式启动。Ping到10.0.0.57将通过。Ping到10.0.1.8不会得到回复。同一容器可以ping来自同一子网10.0.1.*的接口,前提是这些接口连接到其他实例,而不是本地实例。我不知道该怎么做

它似乎不相关,但其他实例可以ping 10.0.1.8

以下是我的路线表:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-0-0-1.ec2 0.0.0.0         UG    0      0        0 eth0
default         ip-10-0-1-1.ec2 0.0.0.0         UG    10002  0        0 eth2
10.0.0.0        *               255.255.255.192 U     0      0        0 eth0
10.0.1.0        *               255.255.255.192 U     0      0        0 eth2
instance-data.e *               255.255.255.255 UH    0      0        0 eth0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0
主机上的TCP转储显示已收到请求,但没有应答

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:10:02.788057 IP ip-172-17-0-3.ec2.internal > ip-10-0-1-8.ec2.internal: ICMP echo request, id 2038, seq 0, length 64
添加了路由表条目:

[root@ip-10-0-0-52 ec2-user]# ip route show table all
default via 10.0.1.1 dev eth1  table 10001
10.0.1.0/26 dev eth1  table 10001  proto kernel  scope link  src 10.0.1.8
default via 10.0.0.1 dev eth0
default via 10.0.1.1 dev eth1  metric 10001
10.0.0.0/26 dev eth0  proto kernel  scope link  src 10.0.0.52
10.0.1.0/26 dev eth1  proto kernel  scope link  src 10.0.1.8
169.254.169.254 dev eth0
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown
broadcast 10.0.0.0 dev eth0  table local  proto kernel  scope link  src 10.0.0.52
local 10.0.0.52 dev eth0  table local  proto kernel  scope host  src 10.0.0.52
broadcast 10.0.0.63 dev eth0  table local  proto kernel  scope link  src 10.0.0.52
broadcast 10.0.1.0 dev eth1  table local  proto kernel  scope link  src 10.0.1.8
local 10.0.1.8 dev eth1  table local  proto kernel  scope host  src 10.0.1.8
broadcast 10.0.1.63 dev eth1  table local  proto kernel  scope link  src 10.0.1.8
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 172.17.0.0 dev docker0  table local  proto kernel  scope link  src 172.17.0.1 linkdown
local 172.17.0.1 dev docker0  table local  proto kernel  scope host  src 172.17.0.1
broadcast 172.17.255.255 dev docker0  table local  proto kernel  scope link  src 172.17.0.1 linkdown
unreachable ::/96 dev lo  metric 1024  error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo  metric 1024  error -113 pref medium
unreachable 2002:a00::/24 dev lo  metric 1024  error -113 pref medium
unreachable 2002:7f00::/24 dev lo  metric 1024  error -113 pref medium
unreachable 2002:a9fe::/32 dev lo  metric 1024  error -113 pref medium
unreachable 2002:ac10::/28 dev lo  metric 1024  error -113 pref medium
unreachable 2002:c0a8::/32 dev lo  metric 1024  error -113 pref medium
unreachable 2002:e000::/19 dev lo  metric 1024  error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo  metric 1024  error -113 pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium
fe80::/64 dev docker0  proto kernel  metric 256 linkdown  pref medium
unreachable default dev lo  proto kernel  metric 4294967295  error -101 pref medium
local ::1 dev lo  table local  proto none  metric 0  pref medium
local fe80::42:efff:fe9c:756d dev lo  table local  proto none  metric 0  pref medium
local fe80::103b:91ff:fe01:1b38 dev lo  table local  proto none  metric 0  pref medium
local fe80::1065:f1ff:fea5:ba1e dev lo  table local  proto none  metric 0  pref medium
ff00::/8 dev eth0  table local  metric 256  pref medium
ff00::/8 dev eth1  table local  metric 256  pref medium
ff00::/8 dev docker0  table local  metric 256 linkdown  pref medium
unreachable default dev lo  proto kernel  metric 4294967295  error -101 pref medium
我做了一些调试,对本地第二个接口的ping增加了Nat预路由数据包计数(使用“iptables-vL-tnat”命令测试)、过滤器前向计数(“iptables-vL-t filter”)和mangle预路由(“iptables-vL-t mangle”)

其中,对本地第一个接口的ping增加了过滤器输入、过滤器输出、mangle预路由、mangle输入、mangle输出数据包计数

需要找到一种方法使容器能够ping所有本地接口。无法修改docker网桥网络,也无法在主机模式下运行容器。非常感谢您的帮助

提前感谢,, Ruben检查EC2上的ip规则

[root@ip-10-0-0-57 ec2-user]# ip rule
0:      from all lookup local
32765:  from 10.0.0.192 lookup 10001
32766:  from all lookup main
32767:  from all lookup default
删除32765规则

ip rule del prio  32765
在那之后,规则应该是这样的

[root@ip-10-0-0-57 ec2-user]# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
然后,ping和其他通信将正常通过

这是一个临时解决方案。大约15分钟后,将重新创建该规则。此外,删除该规则将阻止从网络访问该接口。