Perfectly Solving the Problem of Not Being Able to Ping Docker Containers on macOS | Connecting to Containers via ssh on macOS

阿波罗程序猿
2018.09.16 23:07 · Word count: 740

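This afternoon I pulled CentOS from Docker Hub. After getting it running I installed ssh, and then found that I could not ping the CentOS container from the host... how embarrassing...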

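  • The explanation the official documentation gives for why Docker for Mac cannot ping containers is
    ....

    According to that explanation, port mapping solves the problem of connecting to containers with Docker for Mac, but what about cases where you don't need a port? That advice was of no use to me at all. With this question in mind I searched Google, and reportedly OpenVPN can solve this problem.
  • Solving the problem
    I searched for quite a while and most results gave no detailed instructions; eventually I found a project on GitHub called docker-mac-network. Very impressive.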

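Rough translation of the project README

It uses OpenVPN to get the job done, letting you access Docker for Mac from macOS.

Quickstart

Accessing the docker networks:

Install Tunnelblick, an OpenVPN client for macOS.

  • Run docker-compose up. The project needs to generate some keys, so the first start takes a little while.
  • Double-click the generated docker-for-mac.ovpn file, or run the file directly from your terminal, to add it to Tunnelblick. The file is generated in the project root directory.
  • Use Tunnelblick to connect to the docker-for-mac profile you just added.

Now you can access the networks inside Docker from macOS.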

Implementation notes

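The configuration consists of two services, both based on Alpine.

openvpn

Uses the OpenVPN Docker image kylemanna/openvpn.

The server and client configuration files are both generated automatically by helpers/run.sh. This script runs inside the image, and access to your Docker for Mac networks can only be configured by adjusting this script.

The service runs on TCP port 1194 using the network, which means it can access all Docker networks on the VM.

Only the 172.16.0.0/20 private network is routed to Docker for Mac by the configuration generator. No DNS servers are set on the host.

The image's OpenVPN configuration lives in the directory /etc/openvpn/*, which maps to ./config/ on the host filesystem so that it is easy to customize.

proxy

Ever since Docker for Mac has existed, the host has been unable to access the container networks, so we use a TCP proxy. This image uses socat to forward port 13194 to the OpenVPN container.

Usage

  1. Clone the project from GitHub into a folder of your choice.
  2. Modify the run.sh script: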
#!/bin/sh

dest=${dest:-docker.ovpn}

if [ ! -f "/local/$dest" ]; then
    echo "*** REGENERATING ALL CONFIGS ***"
    set -ex
    #rm -rf /etc/openvpn/*
    ovpn_genconfig -u tcp://localhost
    sed -i 's|^push|#push|' /etc/openvpn/openvpn.conf
    echo localhost | ovpn_initpki nopass
    easyrsa build-client-full host nopass
    ovpn_getclient host | sed '
        s|localhost 1194|localhost 13194|;
        s|redirect-gateway.*|route 172.17.0.0 255.255.0.0|; # set your container network address and subnet mask here
    ' > "/local/$dest"
fi

# Workaround for https://github.com/wojas/docker-mac-network/issues/6
/sbin/iptables -I FORWARD 1 -i tun+ -j ACCEPT

exec ovpn_run

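  3. Run docker-compose.yml. Open a terminal, cd to the project root directory, and enter docker-compose up.
    This automatically creates two containers: a proxy container and an OpenVPN server container.
  4. Look in the project root directory; you will find the generated docker-for-mac.ovpn file.
  5. Edit the docker-for-mac.ovpn file. There is a pitfall here: you need to add the comp-lzo yes option.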

client
nobind
dev tun
remote-cert-tls server

remote localhost 13194 tcp

<key>
</key>
<cert>
</cert>
<ca>
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
</tls-auth>
comp-lzo yes
route 172.17.0.0 255.255.0.0
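  6. Add the file to Tunnelblick, then connect to the network.
    [Screenshot: what it looks like after connecting]
  7. Test
    [Screenshot: network of the CentOS Docker container]
    [Screenshot: from the host, working perfectly]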
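
The generated docker-for-mac.ovpn embeds the client private key and the tls-auth static key inline, so it should be redacted before it is pasted anywhere. As an added example (not from the original post or the docker-mac-network project), the script below makes the step 5 edit idempotently and prints a copy with the inline secret blocks blanked; the function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample profile are constructed.

# ensure_directive FILE LINE: append LINE only if no identical line exists.
ensure_directive() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# redact_ovpn FILE: print the profile with inline secret blocks blanked.
# <ca> and <cert> hold public certificates and are left untouched.
redact_ovpn() {
    awk '
        /^<(key|pkcs12|secret|tls-auth|tls-crypt)>$/ {
            print; print "[REDACTED]"; skip = 1; next
        }
        /^<\/(key|pkcs12|secret|tls-auth|tls-crypt)>$/ { skip = 0 }
        !skip { print }
    ' "$1"
}

# write_sample FILE: constructed stand-in for docker-for-mac.ovpn (fake keys).
write_sample() {
    cat > "$1" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote localhost 13194 tcp
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
</key>
<cert>
CONSTRUCTED-NOT-A-REAL-CERT
</cert>
key-direction 1
<tls-auth>
00000000000000000000000000000000
</tls-auth>
route 172.17.0.0 255.255.0.0
EOF
}

profile=$(mktemp)
write_sample "$profile"
ensure_directive "$profile" 'comp-lzo yes'   # the manual edit from step 5
redact_ovpn "$profile"                        # safe-to-share copy on stdout
rm -f "$profile"
```
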