docker-compose网络创建让我脱离了ssh

时间:2017-01-19 07:32:56

标签: networking ssh docker-compose

由于docker-compose网络,我需要帮助了解我的网络日志。

我正在进入 VM ,我有两个使用docker-compose的项目。第一个是使用docker-compose up启动的。当我尝试启动第二个时,我的ssh会话冻结了,我再也无法进入虚拟机。经过大量的试验和错误,在阅读this之后,我尝试将第二个项目的docker-compose.yml文件追加到以下内容:

networks:
  default:
    external:
      name: ffamfe_default

其中ffamfe_default是由第一个项目的docker-compose up创建的网络的名称。有了这个,第二个项目的docker-compose up不会让我退出ssh会话。

我在/var/log/*.log中添加了日志,这是docker-compose.yml文件中带有网络部分的输出(没有时间戳前缀:Jan 19 09:13:42 hostname kernel: [420096.305357]):

aufs au_opts_verify:1597:dockerd[13813]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth6a84537 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth6a84537: link is not ready
eth0: renamed from veth2480623
IPv6: ADDRCONF(NETDEV_CHANGE): veth6a84537: link becomes ready
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
aufs au_opts_verify:1597:dockerd[25317]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth1a3c1e3 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth1a3c1e3: link is not ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
eth0: renamed from veth54e576d
IPv6: ADDRCONF(NETDEV_CHANGE): veth1a3c1e3: link becomes ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
veth54e576d: renamed from eth0
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
device veth1a3c1e3 left promiscuous mode
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state

这是输出没有 networks部分(即当我被踢出ssh会话时):

IPv6: ADDRCONF(NETDEV_UP): br-55349b03453a: link is not ready
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[3051]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth7a1bcde entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth7a1bcde: link is not ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
eth0: renamed from veth5d8a2ea
IPv6: ADDRCONF(NETDEV_CHANGE): veth7a1bcde: link becomes ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): br-55349b03453a: link becomes ready
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13922]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth3253bd4 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth3253bd4: link is not ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
eth0: renamed from veth9c8aaa3
IPv6: ADDRCONF(NETDEV_CHANGE): veth3253bd4: link becomes ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
veth9c8aaa3: renamed from eth0
br-55349b03453a: port 2(veth3253bd4) entered disabled state
device veth3253bd4 left promiscuous mode
br-55349b03453a: port 2(veth3253bd4) entered disabled state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
veth5d8a2ea: renamed from eth0
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
device veth7a1bcde left promiscuous mode
br-55349b03453a: port 1(veth7a1bcde) entered disabled state

我真的不明白如何阅读这些日志。 Here也是ifconfig。 有人可以帮我阅读日志并找出问题所在吗?

4 个答案:

答案 0 :(得分:6)

诊断

我们的团队将运行Ubuntu 18.04的AWS EC2实例用作开发服务器。我们最近收到有关docker-compose断开SSH连接的报告。即使重新启动后,仍然无法访问devserver。所以我开始调查。

我仅通过使用docker复制就能够排除docker-compose的原因。

ubuntu@ip-172-31-115-116:~$ docker network create -d bridge my-bridge-network
aca5884d60f146cef81ac55c8cccd231a43f40927d645168642d9b28c5e009a6

ubuntu@ip-172-31-115-116:~$ docker network prune
WARNING! This will remove all custom networks not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Networks:
my-bridge-network

ubuntu@ip-172-31-115-116:~$ docker network create -d bridge my-bridge-network
f0a7a06a9627bc2de00eb60091a92010451690626d95e077f622f3058cc3a07c

ubuntu@ip-172-31-115-116:~$ docker network prune
WARNING! This will remove all custom networks not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Networks:
my-bridge-network

ubuntu@ip-172-31-115-116:~$ docker network create -d bridge my-bridge-network
Connection reset by 172.31.115.116 port 22

然后是我的根本原因。

根本原因

  • 我们的docker-compose文件正在使用网桥网络模式,默认情况下会创建一个新的网桥网络。运行docker-compose downdocker network prune时,网桥网络将被拆除。接下来的docker-compose rundocker network create将创建一个新的桥接网络。
  • docker0网桥适配器的默认IP范围是172.17.0.0/16
  • 当我第一次运行docker network create -d bridge my-bridge-network命令时,它为172.18.0.0/16创建了一个新的网桥适配器。
  • 第二个网桥适配器是为172.19.0.0/16创建的。
  • 自然地,为172.20.0.0/16创建了第三个网桥适配器。但是,这是我们的Engineering VPN IP范围。因此,重叠导致服务器无法与我们的笔记本电脑通信。

解决方案

解决方案是确保新的docker bridge网络将跳过我们的VPN IP范围。

临时解决方案

如果我们将跳过的IP范围添加到系统路由表中,则docker将自动跳过它们。因此,只要重新启动devserver,我们就可以运行以下脚本。

sudo route add -net [our VPN IP range] netmask 255.255.0.0 gw [our gateway]

此解决方案并不完美,因为重启机器后新路由将​​被丢弃。

主要解决方案

我们应该将路由更改永久应用于所有devserver。

echo "            routes:" | sudo tee -a /etc/netplan/50-cloud-init.yaml
echo "            - to: [our VPN IP range]" | sudo tee -a /etc/netplan/50-cloud-init.yaml
echo "              via: [our gateway]" | sudo tee -a /etc/netplan/50-cloud-init.yaml
sudo netplan apply

Docker IP更改

我们还计划修改docker default-address-pools以重新定义docker IP范围。请参阅https://github.com/docker/compose/issues/4336#issuecomment-457326123。我会说修改/etc/docker/daemon.json会更好。

答案 1 :(得分:3)

br- xxxxxxx 是Docker的桥接接口,而veth xxxxxxx 是容器的虚拟接口,Docker使用那些veth接口但你不直接在它上面进行交互,他们使用IPv6地址,没有IPv4。 Docker无法创建NAT接口,它只能为容器创建IPv6桥接和veth。您可以将网桥链接到主机的任何物理或虚拟接口。

所以它的工作原理如下:

eth0 (您的界面或v-interface,如果需要)↔br xxxxx (泊坞桥)↔ veth xxxxx (容器的v接口)

我只能说,我不确定别人会回答,没有很多Docker专家,所以我会给你所有信息,以帮助你理解你的日志。

答案 2 :(得分:3)

我遇到了同样的问题,我通过在docker compose上设置network_mode选项解决了这个问题(请参阅文档here。解决方案来自this thread)。

services:
  my_service:
    image: ...
    network_mode: "host"

答案 3 :(得分:2)

我终于运行了docker network ls。输出是超过15个网络的列表,这些网络非常古老。我运行docker ps以确保与这些网络无关的任何内容仍在运行。一个容器确实仍在运行(redis),它位于名为bridge的网络上。我停下了容器。然后我开始使用docker network rm <network name>遍历所有网络,直到我留下4个网络:网桥,主机,无网络,以及唯一仍在工作的网络。然后我可以像往常一样再次使用docker-compose up启动新网络