首页 注册 登录
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Betsy
V2EX  ›  Docker

请教大家一个关于 docker 网络的问题

  •   
  •   Betsy · 161 天前 · 2287 次点击
    这是一个创建于 161 天前的主题,其中的信息可能已经有所发展或是发生改变。

    背景介绍

    现在有个物理机,IP 地址为 192.168.1.111

    在物理机上面装了一个 docker ,并且创建了一个 container ,其 IP 地址为 192.168.49.2

    问题说明

    现在想在物理机和 docker container 里面均可以成功执行下述命令。目前只有物理机中可以正确执行。

    curl -X GET https://registry-1.docker.io/v2/ -v

    执行命令结果

    物理机执行命令结果

    #> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'http://127.0.0.1:7890/'
*   Trying 127.0.0.1:7890...
* Connected to 127.0.0.1 (127.0.0.1) port 7890
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to registry-1.docker.io:443
> CONNECT registry-1.docker.io:443 HTTP/1.1
> Host: registry-1.docker.io:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Mar  5 00:00:00 2025 GMT
*  expire date: Apr  3 23:59:59 2026 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Sat, 05 Jul 2025 10:23:42 GMT
< content-length: 87
< strict-transport-security: max-age=31536000
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host 127.0.0.1 left intact

    docker container 中执行命令结果

    #> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 154.85.102.30:443...
*   Trying 2600:1f18:2148:bc00:5cac:48a0:7f88:7266:443...
* Immediate connect fail for 2600:1f18:2148:bc00:5cac:48a0:7f88:7266: Network is unreachable
*   Trying 2600:1f18:2148:bc01:f43d:e203:cafd:8307:443...
* Immediate connect fail for 2600:1f18:2148:bc01:f43d:e203:cafd:8307: Network is unreachable
*   Trying 2600:1f18:2148:bc02:22:27bd:19a8:870c:443...
* Immediate connect fail for 2600:1f18:2148:bc02:22:27bd:19a8:870c: Network is unreachable
* connect to 154.85.102.30 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out

    物理机查询到的路由表

    #> ip route   
default via 192.168.1.1 dev wlo1 proto dhcp src 192.168.1.111 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.111 metric 600 
192.168.49.0/24 dev br-9123093efaea proto kernel scope link src 192.168.49.1
  • Docker
  • network
  • curl
    15 条回复    2025-12-01 00:40:23 +08:00
    Betsy
        1
    Betsy  
    OP
       161 天前
    **个人所做尝试**

    修改物理机 docker.service 配置,添加 proxy

    `/etc/systemd/system/docker.service.d/proxy.conf`


    ```ini
    [Service]
    Environment="HTTP_PROXY=http://localhost:7890/"
    Environment="HTTPS_PROXY=http://localhost:7890/"
    Environment="NO_PROXY=localhost,127.0.0.1"
    ```

    ```bash
    #> curl -X GET https://registry-1.docker.io/v2/ -v # 在 docker container 中执行
    Note: Unnecessary use of -X or --request, GET is already inferred.
    * Trying 64.13.192.74:443...
    * Trying 2a03:2880:f12c:83:face:b00c:0:25de:443...
    * Immediate connect fail for 2a03:2880:f12c:83:face:b00c:0:25de: Network is unreachable
    * connect to 64.13.192.74 port 443 failed: Connection timed out
    * Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out
    * Closing connection 0
    curl: (28) Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out

    ```

    修改 docker container 中的 proxy env


    ```bash
    #> ping 192.168.1.111
    PING 192.168.1.111 (192.168.1.111) 56(84) bytes of data.
    64 bytes from 192.168.1.111: icmp_seq=1 ttl=64 time=0.109 ms
    64 bytes from 192.168.1.111: icmp_seq=2 ttl=64 time=0.071 ms
    64 bytes from 192.168.1.111: icmp_seq=3 ttl=64 time=0.088 ms
    64 bytes from 192.168.1.111: icmp_seq=4 ttl=64 time=0.070 ms
    ^C
    --- 192.168.1.111 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3056ms
    rtt min/avg/max/mdev = 0.070/0.084/0.109/0.015 ms
    ```

    ```bash
    #> export https_proxy=http://192.168.1.111:7890
    #> curl -X GET https://registry-1.docker.io/v2/ -v
    Note: Unnecessary use of -X or --request, GET is already inferred.
    * Uses proxy env variable https_proxy == 'http://192.168.1.111:7890'
    * Trying 192.168.1.111:7890...
    * connect to 192.168.1.111 port 7890 failed: Connection refused
    * Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
    * Closing connection 0
    curl: (7) Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
    ```
    512357301
        2
    512357301  
       161 天前 via Android
    不就是想拉镜像吗,去 1panel 官方文档,找找它的镜像地址,配置上就行,很稳定。
    也可以在物理机上面安装一个 docker tar image tool 相关的工具,具体去 github 搜,下载镜像的 tar 包,然后导入到 docker 里,但是这样也得配置镜像地址才行,单纯的配 https_proxy 行不通,放弃吧。
    docker 的代理配置很复杂,好像需要改很多地方,往往还不生效,建议放弃配置代理,直接用 1panel 的镜像源。
    sorz
        3
    sorz  
       161 天前
    看起来上面的问题是没走代理连接不上,下面的回答里的问题是这个 proxy 在容器内访问不到,具体是什么原因不是很清楚
    HUZHUANGZHUANG
        4
    HUZHUANGZHUANG  
       160 天前
    不知道你有没有问过 gemini,建议你去问问。
    Betsy
        5
    Betsy  
    OP
       160 天前
    搞定了,个人有两点弄错了。


    1. 物理机用户家目录配置 $HOME/.docker/config.json ,这样创建出来的 container 会自动把 proxy 配置到 Environment variables 里面

    {
    "proxies": {
    "default": {
    "httpProxy": "http://192.168.1.111:7890",
    "httpsProxy": "http://192.168.1.111:7890",
    "noProxy": "localhost, 127.0.0.0/8, ::1"
    }
    }
    }



    2. 个人用的的 Clash ,它有个开关叫做 allow-lan ,需要打开才行。
    Betsy
        6
    Betsy  
    OP
       160 天前 via iPhone
    @512357301 未来可能还有更多需要用到 proxy 的地方,只解决个镜像问题是不够的
    Betsy
        7
    Betsy  
    OP
       160 天前 via iPhone
    @sorz 事实上,在我最后一次尝试的时候,报错 Connection refused 已经很明显了。docker container 中访问 proxy url 连接不上,但因为物理机上面访问正常,所以导致我忽略了 proxy 本身可能有问题
    Betsy
        8
    Betsy  
    OP
       160 天前 via iPhone
    @HUZHUANGZHUANG 问过了,没给出正确的解决方法
    daisyfloor
        9
    daisyfloor  
       160 天前
    用 tun 就没这些毛病
    512357301
        10
    512357301  
       160 天前 via Android
    @Betsy 我目前下载了 100+的镜像,前前后后部署了小 200 个容器,真正用到科学上网的并不多,真用到了,在容器内配置 http_proxy 即可,容器内配置代理难度跟 docker 代理天壤之别。
    johnbobby
        11
    johnbobby  
       160 天前
    如果是容器内设置代理,容器运行的时候加上这个 `-e https_proxy=http://192.168.1.111:7890`


    如果是拉取镜像,dockerhub 官方的镜像地址

    宿主机执行下面命令


    `mkdir -p /etc/systemd/system/docker.service.d/`
    `vim /etc/systemd/system/docker.service.d/proxy.conf`
    输入下面内容

    ```
    [Service]
    Environment="HTTP_PROXY=http://192.168.1.111:7890/"
    Environment="HTTPS_PROXY=http://192.168.1.111:7890/"
    Environment="ALL_PROXY=socks5://192.168.1.111:7890"
    Environment="NO_PROXY=localhost,127.0.0.1"
    ```
    johnbobby
        12
    johnbobby  
       160 天前
    @johnbobby 设置好之后要重启 docker 和 daemon

    systemctl daemon-reload
    systemctl restart docker
    ik
        13
    ik  
       160 天前 via iPhone
    重启一下 docker 服务,可能是防火墙的问题
    YaakovZiv
        14
    YaakovZiv  
       160 天前
    宿主机若访问 127.0.0.1 提供的服务,容器内需访问宿主机的 IP ,在容器内配置代理。
    youtube6
        15
    youtube6  
       12 天前
    你可以把 clash 部署到另外一台机器上
    关于   ·   帮助文档   ·   自助推广系统   ·   博客   ·   API   ·   FAQ   ·   Solana   ·   2471 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 26ms · UTC 11:28 · PVG 19:28 · LAX 03:28 · JFK 06:28
    ♥ Do have faith in what you're doing.