对我来说这是一个非常标准的设置,我有一个ubuntu机器运行docker和ufw作为我的防火墙.
如果我的防火墙启用,docker实例无法连接到外部
$docker run -i -t ubuntu /bin/bash
WARNING: Docker detected local DNS server on resolv.conf. Using default external servers: [8.8.8.8 8.8.4.4]
root@d300c5f17207:/# apt-get update
Err http://archive.ubuntu.com precise InRelease
0% [Connecting to archive.ubuntu.com]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/InRelease
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/Release.gpg Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored,or old ones used instead.
这是ufw日志,显示从docker容器阻止的连接.
$sudo tail /var/log/ufw.log
Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44
Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44
Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44
我尝试使用ip添加规则.
$sudo ufw allow in from 172.16.42.2
$sudo ufw allow out from 172.16.42.2
而没有变化仍然被阻止.
如何通过ufw规则允许从容器到外部的所有连接?
也许这是由于当前的版本,但目前的答案在我的系统(Docker 0.7.2与基本的Ubuntu映像)不起作用.
解决方案解释为here in the official Docker documentation.
对于懒惰的:
>编辑/ etc / default / ufw将DEFAULT_FORWARD_POLICY的值更改为“ACCEPT”,
>重新加载[sudo] ufw重新加载.
这样可以确保将您的流量转移到Docker的桥接网络(正如我目前对这些事情的理解).
