首页 注册 登录
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Betsy
V2EX  ›  Docker

请教大家一个关于 docker 网络的问题

  •   
  •   Betsy · 27 天前 · 1539 次点击

    背景介绍

    现在有个物理机,IP 地址为 192.168.1.111

    在物理机上面装了一个 docker ,并且创建了一个 container ,其 IP 地址为 192.168.49.2

    问题说明

    现在想在物理机和 docker container 里面均可以成功执行下述命令。目前只有物理机中可以正确执行。

    curl -X GET https://registry-1.docker.io/v2/ -v

    执行命令结果

    物理机执行命令结果

    #> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'http://127.0.0.1:7890/'
*   Trying 127.0.0.1:7890...
* Connected to 127.0.0.1 (127.0.0.1) port 7890
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to registry-1.docker.io:443
> CONNECT registry-1.docker.io:443 HTTP/1.1
> Host: registry-1.docker.io:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Mar  5 00:00:00 2025 GMT
*  expire date: Apr  3 23:59:59 2026 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Sat, 05 Jul 2025 10:23:42 GMT
< content-length: 87
< strict-transport-security: max-age=31536000
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host 127.0.0.1 left intact

    docker container 中执行命令结果

    #> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 154.85.102.30:443...
*   Trying 2600:1f18:2148:bc00:5cac:48a0:7f88:7266:443...
* Immediate connect fail for 2600:1f18:2148:bc00:5cac:48a0:7f88:7266: Network is unreachable
*   Trying 2600:1f18:2148:bc01:f43d:e203:cafd:8307:443...
* Immediate connect fail for 2600:1f18:2148:bc01:f43d:e203:cafd:8307: Network is unreachable
*   Trying 2600:1f18:2148:bc02:22:27bd:19a8:870c:443...
* Immediate connect fail for 2600:1f18:2148:bc02:22:27bd:19a8:870c: Network is unreachable
* connect to 154.85.102.30 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out

    物理机查询到的路由表

    #> ip route   
default via 192.168.1.1 dev wlo1 proto dhcp src 192.168.1.111 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.111 metric 600 
192.168.49.0/24 dev br-9123093efaea proto kernel scope link src 192.168.49.1
  • Docker
  • network
  • curl
    14 条回复    2025-07-06 08:20:57 +08:00
    Betsy
        1
    Betsy  
    OP
       27 天前
    **个人所做尝试**

    修改物理机 docker.service 配置,添加 proxy

    `/etc/systemd/system/docker.service.d/proxy.conf`


    ```ini
    [Service]
    Environment="HTTP_PROXY=http://localhost:7890/"
    Environment="HTTPS_PROXY=http://localhost:7890/"
    Environment="NO_PROXY=localhost,127.0.0.1"
    ```

    ```bash
    #> curl -X GET https://registry-1.docker.io/v2/ -v # 在 docker container 中执行
    Note: Unnecessary use of -X or --request, GET is already inferred.
    * Trying 64.13.192.74:443...
    * Trying 2a03:2880:f12c:83:face:b00c:0:25de:443...
    * Immediate connect fail for 2a03:2880:f12c:83:face:b00c:0:25de: Network is unreachable
    * connect to 64.13.192.74 port 443 failed: Connection timed out
    * Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out
    * Closing connection 0
    curl: (28) Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out

    ```

    修改 docker container 中的 proxy env


    ```bash
    #> ping 192.168.1.111
    PING 192.168.1.111 (192.168.1.111) 56(84) bytes of data.
    64 bytes from 192.168.1.111: icmp_seq=1 ttl=64 time=0.109 ms
    64 bytes from 192.168.1.111: icmp_seq=2 ttl=64 time=0.071 ms
    64 bytes from 192.168.1.111: icmp_seq=3 ttl=64 time=0.088 ms
    64 bytes from 192.168.1.111: icmp_seq=4 ttl=64 time=0.070 ms
    ^C
    --- 192.168.1.111 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3056ms
    rtt min/avg/max/mdev = 0.070/0.084/0.109/0.015 ms
    ```

    ```bash
    #> export https_proxy=http://192.168.1.111:7890
    #> curl -X GET https://registry-1.docker.io/v2/ -v
    Note: Unnecessary use of -X or --request, GET is already inferred.
    * Uses proxy env variable https_proxy == 'http://192.168.1.111:7890'
    * Trying 192.168.1.111:7890...
    * connect to 192.168.1.111 port 7890 failed: Connection refused
    * Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
    * Closing connection 0
    curl: (7) Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
    ```
    512357301
        2
    512357301  
       27 天前 via Android
    不就是想拉镜像吗,去 1panel 官方文档,找找它的镜像地址,配置上就行,很稳定。
    也可以在物理机上面安装一个 docker tar image tool 相关的工具,具体去 github 搜,下载镜像的 tar 包,然后导入到 docker 里,但是这样也得配置镜像地址才行,单纯的配 https_proxy 行不通,放弃吧。
    docker 的代理配置很复杂,好像需要改很多地方,往往还不生效,建议放弃配置代理,直接用 1panel 的镜像源。
    sorz
        3
    sorz  
       27 天前
    看起来上面的问题是没走代理连接不上,下面的回答里的问题是这个 proxy 在容器内访问不到,具体是什么原因不是很清楚
    HUZHUANGZHUANG
        4
    HUZHUANGZHUANG  
       27 天前
    不知道你有没有问过 gemini,建议你去问问。
    Betsy
        5
    Betsy  
    OP
       27 天前
    搞定了,个人有两点弄错了。


    1. 物理机用户家目录配置 $HOME/.docker/config.json ,这样创建出来的 container 会自动把 proxy 配置到 Environment variables 里面

    {
    "proxies": {
    "default": {
    "httpProxy": "http://192.168.1.111:7890",
    "httpsProxy": "http://192.168.1.111:7890",
    "noProxy": "localhost, 127.0.0.0/8, ::1"
    }
    }
    }



    2. 个人用的的 Clash ,它有个开关叫做 allow-lan ,需要打开才行。
    Betsy
        6
    Betsy  
    OP
       27 天前 via iPhone
    @512357301 未来可能还有更多需要用到 proxy 的地方,只解决个镜像问题是不够的
    Betsy
        7
    Betsy  
    OP
       27 天前 via iPhone
    @sorz 事实上,在我最后一次尝试的时候,报错 Connection refused 已经很明显了。docker container 中访问 proxy url 连接不上,但因为物理机上面访问正常,所以导致我忽略了 proxy 本身可能有问题
    Betsy
        8
    Betsy  
    OP
       27 天前 via iPhone
    @HUZHUANGZHUANG 问过了,没给出正确的解决方法
    daisyfloor
        9
    daisyfloor  
       27 天前
    用 tun 就没这些毛病
    512357301
        10
    512357301  
       27 天前 via Android
    @Betsy 我目前下载了 100+的镜像,前前后后部署了小 200 个容器,真正用到科学上网的并不多,真用到了,在容器内配置 http_proxy 即可,容器内配置代理难度跟 docker 代理天壤之别。
    johnbobby
        11
    johnbobby  
       27 天前
    如果是容器内设置代理,容器运行的时候加上这个 `-e https_proxy=http://192.168.1.111:7890`


    如果是拉取镜像,dockerhub 官方的镜像地址

    宿主机执行下面命令


    `mkdir -p /etc/systemd/system/docker.service.d/`
    `vim /etc/systemd/system/docker.service.d/proxy.conf`
    输入下面内容

    ```
    [Service]
    Environment="HTTP_PROXY=http://192.168.1.111:7890/"
    Environment="HTTPS_PROXY=http://192.168.1.111:7890/"
    Environment="ALL_PROXY=socks5://192.168.1.111:7890"
    Environment="NO_PROXY=localhost,127.0.0.1"
    ```
    johnbobby
        12
    johnbobby  
       27 天前
    @johnbobby 设置好之后要重启 docker 和 daemon

    systemctl daemon-reload
    systemctl restart docker
    ik
        13
    ik  
       27 天前 via iPhone
    重启一下 docker 服务,可能是防火墙的问题
    YaakovZiv
        14
    YaakovZiv  
       27 天前
    宿主机若访问 127.0.0.1 提供的服务,容器内需访问宿主机的 IP ,在容器内配置代理。
    关于   ·   帮助文档   ·   自助推广系统   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2620 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 04:59 · PVG 12:59 · LAX 21:59 · JFK 00:59
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.