AWS container pinging the second interface

Time: 2018-03-09 00:20:11

Tags: docker networking nat amazon-ecs

I am facing a strange issue. An EC2 instance with two interfaces:

eth0: 10.0.0.57
eth2: 10.0.1.8

ECS containers are started in bridge network mode. Ping to 10.0.0.57 goes through. Ping to 10.0.1.8 gets no reply. The same container can ping interfaces from the same subnet 10.0.1.* if they are attached to other instances rather than the local one. Not sure how to handle this.

It does not look related, but other instances can ping 10.0.1.8.

Here is my route table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-0-0-1.ec2 0.0.0.0         UG    0      0        0 eth0
default         ip-10-0-1-1.ec2 0.0.0.0         UG    10002  0        0 eth2
10.0.0.0        *               255.255.255.192 U     0      0        0 eth0
10.0.1.0        *               255.255.255.192 U     0      0        0 eth2
instance-data.e *               255.255.255.255 UH    0      0        0 eth0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0

A tcpdump on the host shows the request is received but there is no reply:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:10:02.788057 IP ip-172-17-0-3.ec2.internal > ip-10-0-1-8.ec2.internal: ICMP echo request, id 2038, seq 0, length 64

Added route table entries:

[root@ip-10-0-0-52 ec2-user]# ip route show table all
default via 10.0.1.1 dev eth1  table 10001
10.0.1.0/26 dev eth1  table 10001  proto kernel  scope link  src 10.0.1.8
default via 10.0.0.1 dev eth0
default via 10.0.1.1 dev eth1  metric 10001
10.0.0.0/26 dev eth0  proto kernel  scope link  src 10.0.0.52
10.0.1.0/26 dev eth1  proto kernel  scope link  src 10.0.1.8
169.254.169.254 dev eth0
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown
broadcast 10.0.0.0 dev eth0  table local  proto kernel  scope link  src 10.0.0.52
local 10.0.0.52 dev eth0  table local  proto kernel  scope host  src 10.0.0.52
broadcast 10.0.0.63 dev eth0  table local  proto kernel  scope link  src 10.0.0.52
broadcast 10.0.1.0 dev eth1  table local  proto kernel  scope link  src 10.0.1.8
local 10.0.1.8 dev eth1  table local  proto kernel  scope host  src 10.0.1.8
broadcast 10.0.1.63 dev eth1  table local  proto kernel  scope link  src 10.0.1.8
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 172.17.0.0 dev docker0  table local  proto kernel  scope link  src 172.17.0.1 linkdown
local 172.17.0.1 dev docker0  table local  proto kernel  scope host  src 172.17.0.1
broadcast 172.17.255.255 dev docker0  table local  proto kernel  scope link  src 172.17.0.1 linkdown
unreachable ::/96 dev lo  metric 1024  error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo  metric 1024  error -113 pref medium
unreachable 2002:a00::/24 dev lo  metric 1024  error -113 pref medium
unreachable 2002:7f00::/24 dev lo  metric 1024  error -113 pref medium
unreachable 2002:a9fe::/32 dev lo  metric 1024  error -113 pref medium
unreachable 2002:ac10::/28 dev lo  metric 1024  error -113 pref medium
unreachable 2002:c0a8::/32 dev lo  metric 1024  error -113 pref medium
unreachable 2002:e000::/19 dev lo  metric 1024  error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo  metric 1024  error -113 pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium
fe80::/64 dev docker0  proto kernel  metric 256 linkdown  pref medium
unreachable default dev lo  proto kernel  metric 4294967295  error -101 pref medium
local ::1 dev lo  table local  proto none  metric 0  pref medium
local fe80::42:efff:fe9c:756d dev lo  table local  proto none  metric 0  pref medium
local fe80::103b:91ff:fe01:1b38 dev lo  table local  proto none  metric 0  pref medium
local fe80::1065:f1ff:fea5:ba1e dev lo  table local  proto none  metric 0  pref medium
ff00::/8 dev eth0  table local  metric 256  pref medium
ff00::/8 dev eth1  table local  metric 256  pref medium
ff00::/8 dev docker0  table local  metric 256 linkdown  pref medium
unreachable default dev lo  proto kernel  metric 4294967295  error -101 pref medium

I did some debugging: a ping to the local second interface increments the nat-prerouting packet count (tested with the "iptables -vL -t nat" command), the filter-forward count ("iptables -vL -t filter") and the mangle-prerouting count ("iptables -vL -t mangle").

A ping to the local first interface increments the filter-input and filter-output, mangle-prerouting, mangle-input and mangle-output packet counts.

I need to find a way for the container to be able to ping all local interfaces. I cannot modify the docker bridge network, and cannot run the container in host mode. Any help with this is appreciated.

Thanks in advance, 鲁

1 answer:

Answer 0: (score: 0)

Check the ip rules on the EC2 instance

[root@ip-10-0-0-57 ec2-user]# ip rule
0:      from all lookup local
32765:  from 10.0.0.192 lookup 10001
32766:  from all lookup main
32767:  from all lookup default

Delete rule 32765

ip rule del prio  32765

After that the rules should look like

[root@ip-10-0-0-57 ec2-user]# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Then ping and other traffic will pass normally
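Added example (not the asker's or answerer's own code) that replays the answer's reasoning offline: it parses the `ip rule` and `ip route show table all` output quoted on this page and performs a Linux-style lookup (rules in priority order, longest prefix within a table) for the echo reply the host would send from 10.0.1.8 back to the container at 172.17.0.3, with and without rule 32765. It assumes that rule's selector is the second ENI's own address 10.0.1.8, as the `src 10.0.1.8` routes in table 10001 suggest (the answer prints `10.0.0.192`, which matches no address in the question).

```python
import ipaddress
# Constructed sample: IPv4 lines quoted from the question's `ip route show table all` and the
# answer's `ip rule`. Assumed: rule 32765 selects on the second ENI's address 10.0.1.8 (answer shows 10.0.0.192).
IP_RULE = """\
0:      from all lookup local
32765:  from 10.0.1.8 lookup 10001
32766:  from all lookup main
32767:  from all lookup default
"""
IP_ROUTE_ALL = """\
default via 10.0.1.1 dev eth1  table 10001
10.0.1.0/26 dev eth1  table 10001  proto kernel  scope link  src 10.0.1.8
default via 10.0.0.1 dev eth0
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
local 10.0.1.8 dev eth1  table local  proto kernel  scope host  src 10.0.1.8
"""

def parse_rules(text):  # `ip rule` output -> [(prio, selector net or None for "all", table)]
    rules = []
    for line in text.splitlines():
        prio, _, rest = line.partition(":")
        w = rest.split()  # ['from', '<all|addr>', 'lookup', '<table>']
        rules.append((int(prio), None if w[1] == "all" else ipaddress.ip_network(w[1]), w[3]))
    return sorted(rules, key=lambda r: r[0])

def parse_routes(text):  # -> {table: [(net, dev, "local"|"unicast")]}; unlabelled lines are main
    tables = {}
    for line in text.splitlines():
        w = line.split()
        kind, prefix = ("local", w[1]) if w[0] == "local" else ("unicast", w[0])
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        table = w[w.index("table") + 1] if "table" in w else "main"
        tables.setdefault(table, []).append((net, w[w.index("dev") + 1], kind))
    return tables

def lookup(src, dst, rules, tables):  # kernel-style: rules by priority, longest prefix per table
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in rules:
        if sel is None or src in sel:  # rule selector matches the packet's source address
            best = None
            for net, dev, kind in tables.get(table, []):
                if dst in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, dev, kind)
            if best:  # a table with no matching route falls through to the next rule
                return best[2], best[1]
    return "unreachable", None

def reply_path(drop_prio=None):  # (kind, dev) for the echo reply from 10.0.1.8 to container 172.17.0.3
    rules = [r for r in parse_rules(IP_RULE) if r[0] != drop_prio]
    return lookup("10.0.1.8", "172.17.0.3", rules, parse_routes(IP_ROUTE_ALL))
```

With rule 32765 present the reply is sent out eth1 toward 10.0.1.1 instead of back over docker0, which is why the container sees no answer; in this model, adding a `172.17.0.0/16 dev docker0` route to table 10001 would also restore the reply path while keeping the ENI's own default route for its other traffic.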