Docker networking problems on Ubuntu 16.04

I have an Ubuntu 16.04 x86_64 system running on cloudfoundry.
The latest docker ce was installed, then I tried the beta as well.

Currently on
Docker version 17.09.0-ce, build afdb6d4

I'm running hadoop (HDP 2.6.1) under docker, which exposes a huge number of ports, and they can be accessed just fine on the docker host.

However, I can't access any of these ports from other systems. As far as I can see:

  1. Forwarding is enabled in the kernel (see sysctl -a below)
  2. I think iptables is ok
  3. The external firewall inside the CF network is configured to allow these ports - and in fact I'm using one of the same security groups as I do with a system running much the same code natively (not docker), and there it works, suggesting the firewall configuration is good.

This docker image is running:

93b77a0480c7 sandbox-hdp "/usr/sbin/sshd -D" 12 hours ago Up 12 hours 0.0.0.0:1000->1000/tcp, 0.0.0.0:1100->1100/tcp, 0.0.0.0:1220->1220/tcp, 0.0.0.0:1988->1988/tcp, 0.0.0.0:2100->2100/tcp, 0.0.0.0:2181->2181/tcp, 0.0.0.0:4040->4040/tcp, 0.0.0.0:4200->4200/tcp, 0.0.0.0:5007->5007/tcp, 0.0.0.0:5011->5011/tcp, 0.0.0.0:6001->6001/tcp, 0.0.0.0:6003->6003/tcp, 0.0.0.0:6008->6008/tcp, 0.0.0.0:6080->6080/tcp, 0.0.0.0:6188->6188/tcp, 0.0.0.0:8000->8000/tcp, 0.0.0.0:8005->8005/tcp, 0.0.0.0:8020->8020/tcp, 0.0.0.0:8040->8040/tcp, 0.0.0.0:8042->8042/tcp, 0.0.0.0:8050->8050/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:8082->8082/tcp, 0.0.0.0:8086->8086/tcp, 0.0.0.0:8088->8088/tcp, 0.0.0.0:8090-8091->8090-8091/tcp, 0.0.0.0:8188->8188/tcp, 0.0.0.0:8443->8443/tcp, 0.0.0.0:8744->8744/tcp, 0.0.0.0:8765->8765/tcp, 0.0.0.0:8886->8886/tcp, 0.0.0.0:8888-8889->8888-8889/tcp, 0.0.0.0:8983->8983/tcp, 0.0.0.0:8993->8993/tcp, 0.0.0.0:9000->9000/tcp, 0.0.0.0:9090->9090/tcp, 0.0.0.0:9995-9996->9995-9996/tcp, 0.0.0.0:10000-10001->10000-10001/tcp, 0.0.0.0:10500->10500/tcp, 0.0.0.0:11000->11000/tcp, 0.0.0.0:15000->15000/tcp, 0.0.0.0:16010->16010/tcp, 0.0.0.0:16030->16030/tcp, 0.0.0.0:18080->18080/tcp, 0.0.0.0:19888->19888/tcp, 0.0.0.0:21000->21000/tcp, 0.0.0.0:42111->42111/tcp, 0.0.0.0:50070->50070/tcp, 0.0.0.0:50075->50075/tcp, 0.0.0.0:50095->50095/tcp, 0.0.0.0:50111->50111/tcp, 0.0.0.0:60000->60000/tcp, 0.0.0.0:60080->60080/tcp, 0.0.0.0:61888->61888/tcp, 0.0.0.0:2222->22/tcp sandbox

Kernel forwarding looks ok:

cloudusr@dev:~$ sudo sysctl -a | grep '.forwarding'
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.docker0.forwarding = 1
net.ipv4.conf.ens3.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.veth61e5501.forwarding = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.all.forwarding = 1
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
net.ipv6.conf.docker0.forwarding = 1
sysctl: reading key "net.ipv6.conf.ens3.stable_secret"
net.ipv6.conf.ens3.forwarding = 1
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
sysctl: reading key "net.ipv6.conf.veth61e5501.stable_secret"
net.ipv6.conf.veth61e5501.forwarding = 1

Iptables looks ok to me

cloudusr@dev:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:61888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:60080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:60000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50111
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50095
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50075
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50070
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:42111
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:21000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:19888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:18080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:16030
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:16010
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:15000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:11000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10500
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10001
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:webmin
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9996
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9995
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8993
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8983
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8889
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8886
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8765
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8744
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8443
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8188
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8091
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:omniorb
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8086
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8082
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8050
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8042
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8040
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8020
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8005
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6188
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6008
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:x11-3
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:x11-1
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5011
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5007
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:4200
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:4040
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:2181
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:2100
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1988
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1220
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1100
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:ssh

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Ubuntu itself is up to date - the current kernel is

cloudusr@dev:~$ uname -a
Linux dev 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    
por Nigel Jones 05.10.2017 / 12:56
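Added example, not part of the question above: a Python check over `iptables-save` output that reports, for one published port, whether the three pieces Docker installs are all present: the nat DNAT rule, the nat MASQUERADE rule and the filter DOCKER ACCEPT rule. The `iptables -L` listing in the question shows only the filter table (and resolves port numbers to service names such as webmin and http-alt), so the nat side is exactly what it cannot confirm; `sudo iptables-save` or `sudo iptables -t nat -nvL` shows it. The rule set below is constructed for this example and was not captured from the poster's host.

```python
# Constructed sample of `iptables-save` output (not captured from the poster's
# host). Port 8080 is published completely; port 50070 has its filter ACCEPT
# rule but no nat DNAT rule, a gap that `iptables -L` alone never shows.
SAMPLE_IPTABLES_SAVE = """\
*nat
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 50070 -j ACCEPT
COMMIT
"""

def parse_tables(text):
    """Group the -A rule lines of iptables-save output by table name."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):  # "*nat", "*filter": a new table starts
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables

def check_published_port(text, host_port, container_ip, container_port=None):
    """Pieces of Docker's publishing path present for host_port -> container:
    dnat (nat/DOCKER rewrites host:port to container:port for outside traffic),
    masquerade (nat/POSTROUTING gives container replies the host's address),
    forward_accept (filter/DOCKER lets the packet past FORWARD's DROP policy)."""
    container_port = container_port or host_port
    tables = parse_tables(text)
    nat, filt = tables.get("nat", []), tables.get("filter", [])
    dnat = f"--dport {host_port} -j DNAT --to-destination {container_ip}:{container_port}"
    accept = f"--dport {container_port} -j ACCEPT"
    return {
        "dnat": any(dnat in r for r in nat),
        "masquerade": any("-j MASQUERADE" in r for r in nat),
        "forward_accept": any(f"-d {container_ip}/32" in r and accept in r for r in filt),
    }

def missing_pieces(text, host_port, container_ip, container_port=None):
    """Names of the absent pieces; empty when the port is fully published."""
    found = check_published_port(text, host_port, container_ip, container_port)
    return sorted(name for name, present in found.items() if not present)
```

On a real host, feed the output of `sudo iptables-save` to `missing_pieces()` for one of the published ports. If every piece is present and external clients still fail, the cause lies outside netfilter on the host (for example the cloud security group, or the service inside the container binding only to localhost).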
