
Docker container can't reach or ping WAN using macvlan network driver

I'm trying to configure a Docker network using the macvlan driver, but my containers can't reach the gateway or the WAN.

The network is set up like so:

docker network create -d macvlan --subnet=10.1.1.0/24 --ip-range=10.1.1.160/28 --gateway=10.1.1.1 -o parent=ens160 pub_net

The host OS is Ubuntu 16.04, which itself is a VM running on ESXi (lots of layers, I know). The ens160 interface is connected to an ESXi vSwitch ("LAN"). The gateway (10.1.1.1) is a pfSense VM on the same machine, and connected to the same "LAN" vSwitch. The pfSense VM is also connected to a "WAN" vSwitch which physically connects to the upstream network. The Ubuntu host OS has an IP and full WAN connectivity, but the Docker container does not.

Some details about the Ubuntu host:

host$ ifconfig
docker0   Link encap:Ethernet  HWaddr aa:bb:cc:00:e2:77  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ens160    Link encap:Ethernet  HWaddr aa:bb:cc:9b:be:f2  
          inet addr:10.1.1.22  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c7b7:d64c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64642 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:19190911 (19.1 MB)  TX bytes:169266 (169.2 KB)

ens192    Link encap:Ethernet  HWaddr aa:bb:cc:9b:be:fc  
          inet addr:10.2.2.22  Bcast:10.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::bb15:267d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:294 errors:0 dropped:10 overruns:0 frame:0
          TX packets:515 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:57996 (57.9 KB)  TX bytes:63258 (63.2 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2637 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:204727 (204.7 KB)  TX bytes:204727 (204.7 KB)


host$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.2.2.1        0.0.0.0         UG    100    0        0 ens192
0.0.0.0         10.1.1.1        0.0.0.0         UG    101    0        0 ens160
10.1.1.0        0.0.0.0         255.255.255.0   U     100    0        0 ens160
10.2.2.0        0.0.0.0         255.255.255.0   U     100    0        0 ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 ens192
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

Switching to the Docker container, and details there:

host$ sudo docker run --net=pub_net -it alpine /bin/sh

container$ ifconfig
eth0      Link encap:Ethernet  HWaddr AA:BB:CC:01:01:A0  
          inet addr:10.1.1.160  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::42:1a0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1789 (1.7 KiB)  TX bytes:634 (634.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:224 (224.0 B)  TX bytes:224 (224.0 B)

container$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

As mentioned, if I ping 10.1.1.1 (or any other external IP) from within the container I get no response. If I ping another Docker container on the same host I do get a response.

What do I need to change so that the container can reach the WAN?

You need to turn on promiscuous mode and allow forged transmits for your LAN vSwitch. This is because macvlan mode requires the guest to be listening for the falsified MAC addresses as well as to be able to falsify MAC addresses.

VMware Knowledge Base article on promiscuous mode

VMware documentation on forged transmits
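The two vSwitch settings the answer names can be audited and applied from PowerCLI. This is an added example, not part of the answer above; it assumes PowerCLI is installed, that the port group carrying the Docker host's ens160 is the "LAN" one from the question, and the ESXi host name is a placeholder.

```powershell
# Added example (not from the original answer): audit and, only if needed, apply the
# security policy that macvlan needs on the port group the Docker host uses.
Connect-VIServer -Server 'esxi-host.example.invalid'   # placeholder host name

$pgName = 'LAN'   # port group named in the question (assumption: a standard vSwitch port group)

# Port-group policies override the parent vSwitch policy, so scope the change to this
# port group rather than loosening every port group on the whole vSwitch.
$pg     = Get-VirtualPortGroup -Standard -Name $pgName
$policy = $pg | Get-SecurityPolicy

'{0}: AllowPromiscuous={1} ForgedTransmits={2} MacChanges={3}' -f `
    $pgName, $policy.AllowPromiscuous, $policy.ForgedTransmits, $policy.MacChanges

# macvlan sub-interfaces send frames with their own source MAC (needs ForgedTransmits)
# and the guest vNIC must receive frames addressed to those MACs (needs AllowPromiscuous).
if (-not ($policy.AllowPromiscuous -and $policy.ForgedTransmits)) {
    $pg | Get-SecurityPolicy |
        Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true
}

Disconnect-VIServer -Confirm:$false
```

Promiscuous mode lets every VM on that port group receive all frames on it, so a dedicated port group for the Docker host (on the same VLAN as "LAN") keeps the exposure to that one VM.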
