混杂模式下 Docker 容器的网络接口
[英]Docker Container's network interface in promiscuous mode
问题描述
compose a 3 services architecture and a virtual bridged network on which the three services are attached.
组成一个 3 服务架构和一个虚拟桥接网络,三个服务都附加在该网络上。 I want one of the container to be able to listen to all the traffic within the virtual network (promiscuous mode).我希望其中一个容器能够监听虚拟网络中的所有流量(混杂模式)。 Is it possible?有可能吗? I've tried almost everything but nothing seems to be working.我几乎尝试了所有方法,但似乎没有任何效果。
What I've tried:我试过的:
- Giving full privileges to the container赋予容器完全权限
- Setting the container eth0 interface to promiscuous (ifconfig eth0 promisc)将容器 eth0 接口设置为混杂(ifconfig eth0 promisc)
- restart the network manager inside the container重启容器内的网络管理器
- setting the veth relative to container in promiscuous mode from the host machine从主机以混杂模式设置相对于容器的 veth
- modify the mode from "bridge" to "passthru" in the macvlan configuration from the pipework script在pipework脚本的macvlan配置中将模式从“bridge”修改为“passthru”
- setting the container as gateway in the network properties of the docker-compose file在 docker-compose 文件的网络属性中将容器设置为网关
many of the above attempts results in the container's eth0 interface to "think" it is in promiscuous mode, in fact both ifconfig and syslog (from the host) say it is, but the container still sees only its own traffic.上述许多尝试导致容器的 eth0 接口“认为”它处于混杂模式,事实上 ifconfig 和 syslog(来自主机)都说它是,但容器仍然只能看到自己的流量。
I'm using Docker 1.11 and the base image inside the container is Ubuntu 14.04:latest我使用的是 Docker 1.11,容器内的基本映像是 Ubuntu 14.04:latest
Below is listed my docker-compose file Thanks in advance下面列出了我的 docker-compose 文件提前致谢
docker-compose.yml docker-compose.yml
version: '2'
networks:
snort_net:
driver: bridge
ipam:
driver: default
config:
- subnet: 172.19.0.0/24
gateway: 172.19.0.3
services:
mysql:
build:
context: .
dockerfile: MySql/MySqlFile
environment:
- MYSQL_ALLOW_EMPTY_PASSWORD=yes
networks:
snort_net:
ipv4_address: 172.19.0.2
snort:
build:
context: .
dockerfile: Snort/SnortFile
depends_on:
- snorby
env_file:
- Snort/snort_variables.env
networks:
snort_net:
ipv4_address: 172.19.0.3
expose:
- "80"
- "21"
ports:
- "10100:80"
- "10101:80/udp"
- "21:21"
cap_add:
- NET_ADMIN
privileged: true
snorby:
build:
context: .
dockerfile: Snorby/SnorbyFile
depends_on:
- mysql
env_file:
- Snorby/snorby_variables.env
networks:
snort_net:
ipv4_address: 172.19.0.4
ports:
- "3000:3000"
2 个解决方案
解决方案1
1 2018-10-03 06:51:08
我可以在创建容器时使用以下命令使其工作,因为我决定关闭以侦听所有流量
administrator@gitlabrunner-prod01:~$ docker run --rm --privileged -t -d -p 23:22 --name ubuntu ubuntu
解决方案2
0 2016-10-19 14:04:27
A container is effectively attached to a virtual switch;容器有效地附加到虚拟交换机; it's never going to see anything other than (a) unicast traffic to the container or (b) broadcast/multicast traffic on the docker network.除了 (a) 到容器的单播流量或 (b) docker 网络上的广播/多播流量之外,它永远不会看到任何其他内容。 If you have it set up as a network gateway, it would also see any traffic being sent from other containers to destinations outside the network (but would still not see communication between other containers on the same network).如果您将其设置为网络网关,它还会看到从其他容器发送到网络外目的地的任何流量(但仍然看不到同一网络上其他容器之间的通信)。
If you were using Linux bridges rather than macvlan, you should be able to attach tcpdump to the docker bridge and get what you want (either by running it on the host, or by running it inside a container with --net=host ).如果您使用的是 Linux 网桥而不是 macvlan,您应该能够将tcpdump附加到 docker 网桥并获得您想要的(通过在主机上运行它,或者通过在容器中运行它--net=host )。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.