请教大家一个关于 docker 网络的问题

161 天前
 Betsy

背景介绍

现在有个物理机,IP 地址为 192.168.1.111

在物理机上面装了一个 docker ,并且创建了一个 container ,其 IP 地址为 192.168.49.2

问题说明

现在想在物理机和 docker container 里面均可以成功执行下述命令。目前只有物理机中可以正确执行。

curl -X GET https://registry-1.docker.io/v2/ -v

执行命令结果

物理机执行命令结果

#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'http://127.0.0.1:7890/'
*   Trying 127.0.0.1:7890...
* Connected to 127.0.0.1 (127.0.0.1) port 7890
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to registry-1.docker.io:443
> CONNECT registry-1.docker.io:443 HTTP/1.1
> Host: registry-1.docker.io:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Mar  5 00:00:00 2025 GMT
*  expire date: Apr  3 23:59:59 2026 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Sat, 05 Jul 2025 10:23:42 GMT
< content-length: 87
< strict-transport-security: max-age=31536000
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host 127.0.0.1 left intact

docker container 中执行命令结果

#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 154.85.102.30:443...
*   Trying 2600:1f18:2148:bc00:5cac:48a0:7f88:7266:443...
* Immediate connect fail for 2600:1f18:2148:bc00:5cac:48a0:7f88:7266: Network is unreachable
*   Trying 2600:1f18:2148:bc01:f43d:e203:cafd:8307:443...
* Immediate connect fail for 2600:1f18:2148:bc01:f43d:e203:cafd:8307: Network is unreachable
*   Trying 2600:1f18:2148:bc02:22:27bd:19a8:870c:443...
* Immediate connect fail for 2600:1f18:2148:bc02:22:27bd:19a8:870c: Network is unreachable
* connect to 154.85.102.30 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out

物理机查询到的路由表

#> ip route   
default via 192.168.1.1 dev wlo1 proto dhcp src 192.168.1.111 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.111 metric 600 
192.168.49.0/24 dev br-9123093efaea proto kernel scope link src 192.168.49.1
2287 次点击
所在节点    Docker
15 条回复
Betsy
161 天前
**个人所做尝试**

修改物理机 docker.service 配置,添加 proxy

`/etc/systemd/system/docker.service.d/proxy.conf`


```ini
[Service]
Environment="HTTP_PROXY=http://localhost:7890/"
Environment="HTTPS_PROXY=http://localhost:7890/"
Environment="NO_PROXY=localhost,127.0.0.1"
```

```bash
#> curl -X GET https://registry-1.docker.io/v2/ -v # 在 docker container 中执行
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 64.13.192.74:443...
* Trying 2a03:2880:f12c:83:face:b00c:0:25de:443...
* Immediate connect fail for 2a03:2880:f12c:83:face:b00c:0:25de: Network is unreachable
* connect to 64.13.192.74 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out

```

修改 docker container 中的 proxy env


```bash
#> ping 192.168.1.111
PING 192.168.1.111 (192.168.1.111) 56(84) bytes of data.
64 bytes from 192.168.1.111: icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from 192.168.1.111: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.1.111: icmp_seq=3 ttl=64 time=0.088 ms
64 bytes from 192.168.1.111: icmp_seq=4 ttl=64 time=0.070 ms
^C
--- 192.168.1.111 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.070/0.084/0.109/0.015 ms
```

```bash
#> export https_proxy=http://192.168.1.111:7890
#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable https_proxy == 'http://192.168.1.111:7890'
* Trying 192.168.1.111:7890...
* connect to 192.168.1.111 port 7890 failed: Connection refused
* Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
```
512357301
161 天前
不就是想拉镜像吗,去 1panel 官方文档,找找它的镜像地址,配置上就行,很稳定。
也可以在物理机上面安装一个 docker tar image tool 相关的工具,具体去 github 搜,下载镜像的 tar 包,然后导入到 docker 里,但是这样也得配置镜像地址才行,单纯的配 https_proxy 行不通,放弃吧。
docker 的代理配置很复杂,好像需要改很多地方,往往还不生效,建议放弃配置代理,直接用 1panel 的镜像源。
sorz
161 天前
看起来上面的问题是没走代理连接不上,下面的回答里的问题是这个 proxy 在容器内访问不到,具体是什么原因不是很清楚
HUZHUANGZHUANG
160 天前
不知道你有没有问过 gemini,建议你去问问。
Betsy
160 天前
搞定了,个人有两点弄错了。


1. 物理机用户家目录配置 $HOME/.docker/config.json ,这样创建出来的 container 会自动把 proxy 配置到 Environment variables 里面

{
"proxies": {
"default": {
"httpProxy": "http://192.168.1.111:7890",
"httpsProxy": "http://192.168.1.111:7890",
"noProxy": "localhost, 127.0.0.0/8, ::1"
}
}
}



2. 个人用的的 Clash ,它有个开关叫做 allow-lan ,需要打开才行。
Betsy
160 天前
@512357301 未来可能还有更多需要用到 proxy 的地方,只解决个镜像问题是不够的
Betsy
160 天前
@sorz 事实上,在我最后一次尝试的时候,报错 Connection refused 已经很明显了。docker container 中访问 proxy url 连接不上,但因为物理机上面访问正常,所以导致我忽略了 proxy 本身可能有问题
Betsy
160 天前
@HUZHUANGZHUANG 问过了,没给出正确的解决方法
daisyfloor
160 天前
用 tun 就没这些毛病
512357301
160 天前
@Betsy 我目前下载了 100+的镜像,前前后后部署了小 200 个容器,真正用到科学上网的并不多,真用到了,在容器内配置 http_proxy 即可,容器内配置代理难度跟 docker 代理天壤之别。
johnbobby
160 天前
如果是容器内设置代理,容器运行的时候加上这个 `-e https_proxy=http://192.168.1.111:7890`


如果是拉取镜像,dockerhub 官方的镜像地址

宿主机执行下面命令


`mkdir -p /etc/systemd/system/docker.service.d/`
`vim /etc/systemd/system/docker.service.d/proxy.conf`
输入下面内容

```
[Service]
Environment="HTTP_PROXY=http://192.168.1.111:7890/"
Environment="HTTPS_PROXY=http://192.168.1.111:7890/"
Environment="ALL_PROXY=socks5://192.168.1.111:7890"
Environment="NO_PROXY=localhost,127.0.0.1"
```
johnbobby
160 天前
@johnbobby 设置好之后要重启 docker 和 daemon

systemctl daemon-reload
systemctl restart docker
ik
160 天前
重启一下 docker 服务,可能是防火墙的问题
YaakovZiv
160 天前
宿主机若访问 127.0.0.1 提供的服务,容器内需访问宿主机的 IP ,在容器内配置代理。
youtube6
12 天前
你可以把 clash 部署到另外一台机器上

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/1143231

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX