由于docker-compose
网络,我需要帮助了解我的网络日志。
我正在进入 VM ,我有两个使用docker-compose的项目。第一个是使用docker-compose up
启动的。当我尝试启动第二个时,我的ssh会话冻结了,我再也无法进入虚拟机。经过大量的试验和错误,在阅读this之后,我尝试将第二个项目的docker-compose.yml
文件追加到以下内容:
networks:
default:
external:
name: ffamfe_default
其中ffamfe_default
是由第一个项目的docker-compose up
创建的网络的名称。有了这个,第二个项目的docker-compose up
不会让我退出ssh会话。
我在/var/log/*.log
中添加了日志,这是docker-compose.yml
文件中带有网络部分的输出(没有时间戳前缀:Jan 19 09:13:42 hostname kernel: [420096.305357]
):
aufs au_opts_verify:1597:dockerd[13813]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth6a84537 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth6a84537: link is not ready
eth0: renamed from veth2480623
IPv6: ADDRCONF(NETDEV_CHANGE): veth6a84537: link becomes ready
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
aufs au_opts_verify:1597:dockerd[25317]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth1a3c1e3 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth1a3c1e3: link is not ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
eth0: renamed from veth54e576d
IPv6: ADDRCONF(NETDEV_CHANGE): veth1a3c1e3: link becomes ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
veth54e576d: renamed from eth0
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
device veth1a3c1e3 left promiscuous mode
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
这是输出没有 networks
部分(即当我被踢出ssh会话时):
IPv6: ADDRCONF(NETDEV_UP): br-55349b03453a: link is not ready
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[3051]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth7a1bcde entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth7a1bcde: link is not ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
eth0: renamed from veth5d8a2ea
IPv6: ADDRCONF(NETDEV_CHANGE): veth7a1bcde: link becomes ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): br-55349b03453a: link becomes ready
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13922]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth3253bd4 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth3253bd4: link is not ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
eth0: renamed from veth9c8aaa3
IPv6: ADDRCONF(NETDEV_CHANGE): veth3253bd4: link becomes ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
veth9c8aaa3: renamed from eth0
br-55349b03453a: port 2(veth3253bd4) entered disabled state
device veth3253bd4 left promiscuous mode
br-55349b03453a: port 2(veth3253bd4) entered disabled state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
veth5d8a2ea: renamed from eth0
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
device veth7a1bcde left promiscuous mode
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
我真的不明白如何阅读这些日志。
Here也是ifconfig
。
有人可以帮我阅读日志并找出问题所在吗?
答案 0 :(得分:6)
我们的团队将运行Ubuntu 18.04的AWS EC2实例用作开发服务器。我们最近收到有关docker-compose断开SSH连接的报告。即使重新启动后,仍然无法访问devserver。所以我开始调查。
我仅通过使用docker复制就能够排除docker-compose的原因。
ubuntu@ip-172-31-115-116:~$ docker network create -d bridge my-bridge-network
aca5884d60f146cef81ac55c8cccd231a43f40927d645168642d9b28c5e009a6
ubuntu@ip-172-31-115-116:~$ docker network prune
WARNING! This will remove all custom networks not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Networks:
my-bridge-network
ubuntu@ip-172-31-115-116:~$ docker network create -d bridge my-bridge-network
f0a7a06a9627bc2de00eb60091a92010451690626d95e077f622f3058cc3a07c
ubuntu@ip-172-31-115-116:~$ docker network prune
WARNING! This will remove all custom networks not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Networks:
my-bridge-network
ubuntu@ip-172-31-115-116:~$ docker network create -d bridge my-bridge-network
Connection reset by 172.31.115.116 port 22
然后是我的根本原因。
docker-compose down
或docker network prune
时,网桥网络将被拆除。接下来的docker-compose run
或docker network create
将创建一个新的桥接网络。172.17.0.0/16
。docker network create -d bridge my-bridge-network
命令时,它为172.18.0.0/16
创建了一个新的网桥适配器。172.19.0.0/16
创建的。172.20.0.0/16
创建了第三个网桥适配器。但是,这是我们的Engineering VPN IP范围。因此,重叠导致服务器无法与我们的笔记本电脑通信。解决方案是确保新的docker bridge网络将跳过我们的VPN IP范围。
如果我们将跳过的IP范围添加到系统路由表中,则docker将自动跳过它们。因此,只要重新启动devserver,我们就可以运行以下脚本。
sudo route add -net [our VPN IP range] netmask 255.255.0.0 gw [our gateway]
此解决方案并不完美,因为重启机器后新路由将被丢弃。
我们应该将路由更改永久应用于所有devserver。
echo " routes:" | sudo tee -a /etc/netplan/50-cloud-init.yaml
echo " - to: [our VPN IP range]" | sudo tee -a /etc/netplan/50-cloud-init.yaml
echo " via: [our gateway]" | sudo tee -a /etc/netplan/50-cloud-init.yaml
sudo netplan apply
我们还计划修改docker default-address-pools以重新定义docker IP范围。请参阅https://github.com/docker/compose/issues/4336#issuecomment-457326123。我会说修改/etc/docker/daemon.json
会更好。
答案 1 :(得分:3)
br- xxxxxxx 是Docker的桥接接口,而veth xxxxxxx 是容器的虚拟接口,Docker使用那些veth接口但你不直接在它上面进行交互,他们使用IPv6地址,没有IPv4。 Docker无法创建NAT接口,它只能为容器创建IPv6桥接和veth。您可以将网桥链接到主机的任何物理或虚拟接口。
所以它的工作原理如下:
eth0 (您的界面或v-interface,如果需要)↔br xxxxx (泊坞桥)↔ veth xxxxx (容器的v接口)
我只能说,我不确定别人会回答,没有很多Docker专家,所以我会给你所有信息,以帮助你理解你的日志。
答案 2 :(得分:3)
我遇到了同样的问题,我通过在docker compose上设置network_mode
选项解决了这个问题(请参阅文档here。解决方案来自this thread)。
services:
my_service:
image: ...
network_mode: "host"
答案 3 :(得分:2)
我终于运行了docker network ls
。输出是超过15个网络的列表,这些网络非常古老。我运行docker ps
以确保与这些网络无关的任何内容仍在运行。一个容器确实仍在运行(redis),它位于名为bridge
的网络上。我停下了容器。然后我开始使用docker network rm <network name>
遍历所有网络,直到我留下4个网络:网桥,主机,无网络,以及唯一仍在工作的网络。然后我可以像往常一样再次使用docker-compose up
启动新网络