Leaseweb: docker refuses connection to localhost after upgrading VM from Ubuntu 14.04 to 16.04

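I'm completely at a loss here. After upgrading from 14.04 to Ubuntu 16.04 on a Leaseweb virtual server, docker no longer accepts connections to localhost. Using the stock CouchBase server image, the following command runs perfectly on my laptop (Docker version 1.12.1, build 23cf638):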

$ docker run --rm -ti --name couchbase-server -p 127.0.0.1:8091:8091 couchbase/server:community-4.5.0
Starting Couchbase Server -- Web UI available at http://<ip>:8091 and logs available in /opt/couchbase/var/lib/couchbase/logs

$ curl localhost:8091
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://localhost:8091/ui/index.html>here</a>.</p></body></html>

However, when I run the exact same command on an Ubuntu 16.04 VM hosted at Leaseweb (exact same Docker version 1.12.1, build 23cf638), it fails:

# curl localhost:8091
curl: (7) Failed to connect to localhost port 8091: Connection refused
# netstat -tnlp|grep 8091
tcp        0      0 127.0.0.1:8091          0.0.0.0:*               LISTEN      7387/docker-proxy
# iptables -t nat -L                                                                                                                                                                  
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  all  --  172.18.0.0/16        anywhere            
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8091

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             localhost            tcp dpt:8091 to:172.17.0.2:8091

However, when I open the port up to the public, it starts working:

# docker run --rm -ti --name couchbase-server -p 8091:8091 couchbase/server:community-4.5.0
# netstat -tnlp|grep 8091
tcp6       0      0 :::8091                 :::*                    LISTEN      15434/docker-proxy
# curl localhost:8091
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://localhost:8091/ui/index.html>here</a>.</p></body></html>
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  all  --  172.18.0.0/16        anywhere            
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8091

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8091 to:172.17.0.2:8091

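The only difference is in the last line: destination anywhere vs. localhost. However, on my home machine the relevant iptables rule also says localhost, and it works. In fact, on my home machine the iptables rules are exactly the same, but they work. The home machine uses a newer kernel (4.8.0-34-generic vs. 4.4.0-59-generic on the VM) and runs on bare metal rather than paravirtualized in a VM. Maybe that's it? Support says the above works perfectly on an Ubuntu 14.04 VM; maybe I shouldn't have upgraded...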
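
The two runs above differ in what they expose: `-p 127.0.0.1:8091:8091` keeps the Couchbase port on loopback, while `-p 8091:8091` publishes it on every interface. As an added example that is not part of the original post, this shell function classifies docker-proxy listeners and DOCKER-chain DNAT rules read from `netstat -tnlp` and `iptables -t nat -L` output; the function names are hypothetical and the sample lines are copied from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): report whether each
# Docker-published port is loopback-only or exposed on other interfaces.
# Input on stdin: output of `netstat -tnlp` and/or `iptables -t nat -L`.
audit_published_ports() {
    awk '
    # netstat line owned by docker-proxy: field 4 is the local address
    $6 == "LISTEN" && $7 ~ /docker-proxy$/ {
        addr = $4
        port = addr; sub(/.*:/, "", port)   # text after the last colon
        sub(/:[0-9]+$/, "", addr)           # address without the port
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print "listener", port, scope
    }
    # DOCKER-chain DNAT rule: field 5 is the destination the rule matches
    $1 == "DNAT" {
        port = ""
        for (i = 6; i <= NF; i++)
            if ($i ~ /^dpt:/) { port = $i; sub(/^dpt:/, "", port) }
        scope = ($5 == "localhost" || $5 ~ /^127\./) ? "loopback" : "exposed"
        print "dnat", port, scope
    }'
}

# Sample input: the listener and DNAT lines from both runs quoted above.
sample_lines() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:8091          0.0.0.0:*               LISTEN      7387/docker-proxy
tcp6       0      0 :::8091                 :::*                    LISTEN      15434/docker-proxy
DNAT       tcp  --  anywhere             localhost            tcp dpt:8091 to:172.17.0.2:8091
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8091 to:172.17.0.2:8091
EOF
}

# On a live host: { netstat -tnlp; iptables -t nat -L DOCKER; } | audit_published_ports
sample_lines | audit_published_ports
```
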
