请教大家一个关于 docker 网络的问题

62 天前
 Betsy

背景介绍

现在有个物理机,IP 地址为 192.168.1.111

在物理机上面装了一个 docker ,并且创建了一个 container ,其 IP 地址为 192.168.49.2

问题说明

现在想在物理机和 docker container 里面均可以成功执行下述命令。目前只有物理机中可以正确执行。

curl -X GET https://registry-1.docker.io/v2/ -v

执行命令结果

物理机执行命令结果

#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'http://127.0.0.1:7890/'
*   Trying 127.0.0.1:7890...
* Connected to 127.0.0.1 (127.0.0.1) port 7890
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to registry-1.docker.io:443
> CONNECT registry-1.docker.io:443 HTTP/1.1
> Host: registry-1.docker.io:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Mar  5 00:00:00 2025 GMT
*  expire date: Apr  3 23:59:59 2026 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Sat, 05 Jul 2025 10:23:42 GMT
< content-length: 87
< strict-transport-security: max-age=31536000
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host 127.0.0.1 left intact

docker container 中执行命令结果

#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 154.85.102.30:443...
*   Trying 2600:1f18:2148:bc00:5cac:48a0:7f88:7266:443...
* Immediate connect fail for 2600:1f18:2148:bc00:5cac:48a0:7f88:7266: Network is unreachable
*   Trying 2600:1f18:2148:bc01:f43d:e203:cafd:8307:443...
* Immediate connect fail for 2600:1f18:2148:bc01:f43d:e203:cafd:8307: Network is unreachable
*   Trying 2600:1f18:2148:bc02:22:27bd:19a8:870c:443...
* Immediate connect fail for 2600:1f18:2148:bc02:22:27bd:19a8:870c: Network is unreachable
* connect to 154.85.102.30 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out

物理机查询到的路由表

#> ip route   
default via 192.168.1.1 dev wlo1 proto dhcp src 192.168.1.111 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.111 metric 600 
192.168.49.0/24 dev br-9123093efaea proto kernel scope link src 192.168.49.1
1784 次点击
所在节点    Docker
14 条回复
Betsy
62 天前
**个人所做尝试**

修改物理机 docker.service 配置,添加 proxy

`/etc/systemd/system/docker.service.d/proxy.conf`


```ini
[Service]
Environment="HTTP_PROXY=http://localhost:7890/"
Environment="HTTPS_PROXY=http://localhost:7890/"
Environment="NO_PROXY=localhost,127.0.0.1"
```

```bash
#> curl -X GET https://registry-1.docker.io/v2/ -v # 在 docker container 中执行
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 64.13.192.74:443...
* Trying 2a03:2880:f12c:83:face:b00c:0:25de:443...
* Immediate connect fail for 2a03:2880:f12c:83:face:b00c:0:25de: Network is unreachable
* connect to 64.13.192.74 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out

```

修改 docker container 中的 proxy env


```bash
#> ping 192.168.1.111
PING 192.168.1.111 (192.168.1.111) 56(84) bytes of data.
64 bytes from 192.168.1.111: icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from 192.168.1.111: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.1.111: icmp_seq=3 ttl=64 time=0.088 ms
64 bytes from 192.168.1.111: icmp_seq=4 ttl=64 time=0.070 ms
^C
--- 192.168.1.111 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.070/0.084/0.109/0.015 ms
```

```bash
#> export https_proxy=http://192.168.1.111:7890
#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable https_proxy == 'http://192.168.1.111:7890'
* Trying 192.168.1.111:7890...
* connect to 192.168.1.111 port 7890 failed: Connection refused
* Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
```
512357301
62 天前
不就是想拉镜像吗,去 1panel 官方文档,找找它的镜像地址,配置上就行,很稳定。
也可以在物理机上面安装一个 docker tar image tool 相关的工具,具体去 github 搜,下载镜像的 tar 包,然后导入到 docker 里,但是这样也得配置镜像地址才行,单纯的配 https_proxy 行不通,放弃吧。
docker 的代理配置很复杂,好像需要改很多地方,往往还不生效,建议放弃配置代理,直接用 1panel 的镜像源。
sorz
62 天前
看起来上面的问题是没走代理连接不上,下面的回答里的问题是这个 proxy 在容器内访问不到,具体是什么原因不是很清楚
HUZHUANGZHUANG
62 天前
不知道你有没有问过 gemini,建议你去问问。
Betsy
62 天前
搞定了,个人有两点弄错了。


1. 物理机用户家目录配置 $HOME/.docker/config.json ,这样创建出来的 container 会自动把 proxy 配置到 Environment variables 里面

{
"proxies": {
"default": {
"httpProxy": "http://192.168.1.111:7890",
"httpsProxy": "http://192.168.1.111:7890",
"noProxy": "localhost, 127.0.0.0/8, ::1"
}
}
}



2. 个人用的的 Clash ,它有个开关叫做 allow-lan ,需要打开才行。
Betsy
62 天前
@512357301 未来可能还有更多需要用到 proxy 的地方,只解决个镜像问题是不够的
Betsy
62 天前
@sorz 事实上,在我最后一次尝试的时候,报错 Connection refused 已经很明显了。docker container 中访问 proxy url 连接不上,但因为物理机上面访问正常,所以导致我忽略了 proxy 本身可能有问题
Betsy
62 天前
@HUZHUANGZHUANG 问过了,没给出正确的解决方法
daisyfloor
62 天前
用 tun 就没这些毛病
512357301
62 天前
@Betsy 我目前下载了 100+的镜像,前前后后部署了小 200 个容器,真正用到科学上网的并不多,真用到了,在容器内配置 http_proxy 即可,容器内配置代理难度跟 docker 代理天壤之别。
johnbobby
62 天前
如果是容器内设置代理,容器运行的时候加上这个 `-e https_proxy=http://192.168.1.111:7890`


如果是拉取镜像,dockerhub 官方的镜像地址

宿主机执行下面命令


`mkdir -p /etc/systemd/system/docker.service.d/`
`vim /etc/systemd/system/docker.service.d/proxy.conf`
输入下面内容

```
[Service]
Environment="HTTP_PROXY=http://192.168.1.111:7890/"
Environment="HTTPS_PROXY=http://192.168.1.111:7890/"
Environment="ALL_PROXY=socks5://192.168.1.111:7890"
Environment="NO_PROXY=localhost,127.0.0.1"
```
johnbobby
62 天前
@johnbobby 设置好之后要重启 docker 和 daemon

systemctl daemon-reload
systemctl restart docker
ik
62 天前
重启一下 docker 服务,可能是防火墙的问题
YaakovZiv
61 天前
宿主机若访问 127.0.0.1 提供的服务,容器内需访问宿主机的 IP ,在容器内配置代理。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/1143231

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX