curl: (7) Failed connect to 192.168.0.19:2375; 没有到主机的路由 (No route to host)
I ran into the problem above when accessing Docker through the Remote API.
[root@localhost ~]# curl http://192.168.0.19:2375/info
curl: (7) Failed connect to 192.168.0.19:2375; 没有到主机的路由
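If you are familiar with network protocols, you will recognize that this is caused by a specific ICMP response. Capturing the traffic with tcpdump shows the following ICMP message: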
21:31:33.638418 IP 192.168.0.19 > localhost.localdomain: \
ICMP host 192.168.0.19 unreachable - admin prohibited, length 68
Problems like this are usually caused by a firewall. Let's look at the firewall rules on the host 192.168.0.19:
[root@localhost ~]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 INPUT_direct all -- anywhere anywhere
4 INPUT_ZONES_SOURCE all -- anywhere anywhere
5 INPUT_ZONES all -- anywhere anywhere
6 DROP all -- anywhere anywhere ctstate INVALID
7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
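I don't fully understand the firewall rules, but it is clear that our request hit the last rule, and that is why we received the error 没有到主机的路由 (No route to host). In fact, traffic within a LAN should not receive an ICMP response like this.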
Once the problem is identified, the fix should be easy: just add a rule, right?
iptables -A INPUT -p tcp --dport 2375 -j ACCEPT
After adding it, the problem was still not solved, which was frustrating. Let's look at the firewall rules again:
[root@localhost ~]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 INPUT_direct all -- anywhere anywhere
4 INPUT_ZONES_SOURCE all -- anywhere anywhere
5 INPUT_ZONES all -- anywhere anywhere
6 DROP all -- anywhere anywhere ctstate INVALID
7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
8 ACCEPT tcp -- anywhere anywhere tcp dpt:2375
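One look makes it clear: -A appended the new rule to the very end of the chain, after the REJECT in rule 7. iptables evaluates rules in order and stops at the first one that matches, so the new rule never takes effect. The new rule should be inserted at the front of the chain instead. Here is the correct command: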
iptables -I INPUT -p tcp --dport 2375 -j ACCEPT
Try it, and the problem is solved, haha. Let's look at the firewall rules once more:
[root@localhost ~]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:2375
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ACCEPT all -- anywhere anywhere
4 INPUT_direct all -- anywhere anywhere
5 INPUT_ZONES_SOURCE all -- anywhere anywhere
6 INPUT_ZONES all -- anywhere anywhere
7 DROP all -- anywhere anywhere ctstate INVALID
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
9 ACCEPT tcp -- anywhere anywhere tcp dpt:2375
As this shows, the new rule has indeed taken effect.
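The difference between -A and -I described above, as an added example that is not part of the original post: a small shell model of first-match evaluation, run over a constructed `iptables -S INPUT` rendering of the chain shown on this page. The function names and the `-i lo` match on rule 2 are assumptions; `iptables -L` without `-v` does not display interfaces, and the fact that the request reached rule 7 implies rule 2 is not a catch-all.

```shell
# Constructed sample: the page's INPUT chain as `iptables -S INPUT` would print
# it. Assumption: rule 2 is the usual loopback rule (-i lo), which
# `iptables -L` without -v displays as a plain "ACCEPT all".
base_rules() {
    cat <<'EOF'
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
NEW_RULE='-A INPUT -p tcp -m tcp --dport 2375 -j ACCEPT'
appended() { base_rules; printf '%s\n' "$NEW_RULE"; }   # effect of iptables -A
inserted() { printf '%s\n' "$NEW_RULE"; base_rules; }   # effect of iptables -I

# first_verdict PORT: reads rules on stdin and prints "N TARGET" for the first
# terminating rule matching a NEW TCP connection to PORT that arrives on a
# non-loopback interface, or "0 POLICY" if none matches. Simplifications: jumps
# to user chains are assumed to return without a verdict; other options ignored.
first_verdict() {
    port=$1; n=0
    while read -r line; do
        case $line in "-A INPUT "*) ;; *) continue ;; esac
        n=$((n + 1)); match=1; target=
        set -f; set -- $line; set +f; shift 2
        while [ $# -gt 0 ]; do
            case $1 in
                -p)        [ "$2" = tcp ] || match=0 ;;
                --dport)   [ "$2" = "$port" ] || match=0 ;;
                -i)        [ "$2" != lo ] || match=0 ;;
                --ctstate) case ",$2," in *,NEW,*) ;; *) match=0 ;; esac ;;
                -j)        target=$2 ;;
            esac
            shift
        done
        [ "$match" = 1 ] || continue
        case $target in ACCEPT|DROP|REJECT) echo "$n $target"; return 0 ;; esac
    done
    echo "0 POLICY"
}

echo "after -A: $(appended | first_verdict 2375)"
echo "after -I: $(inserted | first_verdict 2375)"
```

On a live host, `iptables -S INPUT | first_verdict 2375` runs the same check against the real chain. Port 2375 is Docker's plaintext API port with no authentication, so the inserted ACCEPT rule is best limited with -s to the client's address rather than left open to any source.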