How to solve the problem that docker cannot access the host inside

When the firewall is turned on, the host service cannot be accessed inside the docker container (services that can access other LAN computers other than the host). Solution:

1. 配置防火墙规则firewall-cmd --zone=public --add-port={port}/tcp --permanent，并重载防火墙规则firewall-cmd --reload
2. 启动容器时使用--net host模式
3. 关闭防火墙

_Supplement: Since the source address requested in the container is the internal network address of the docker0 network segment used, the host firewall cannot identify the request for the internal network address of the docker0 network segment that is not the host network segment and marks it. The source is unknown, so the request is intercepted. It can be solved by adding firewall source rules (the default intranet segment of the docker container is 172.17.0.0/16):

<rule family="ipv4">
<source address="172.17.0.0/16" />
<accept /></rule>

or directly changing the firewall open port rules. That is to solve the first point in the solution. Of course, for the sake of convenience, especially when the number of services is particularly large and the ports change quickly, in order to reduce maintenance costs, it is recommended to use the second or third point while ensuring the security of the server. Solution

This is also a common pitfall when deploying microservice docker containers. Service A accesses service B. When services A and B are located on the same host at the same time, they cannot access it. When the services are located on different hosts, access is normal. The case is as follows:

同一宿主机微服务之间通信异常的血案：
微服务A能够正常请求AR
微服务B能够正常请求BR
但是微服务A某请求OR，内部访问BR，始终无法调用成功
原因：
    centos的firewalld为开启状态时，微服务A内部发起请求时，请求无法从容器发出，即出现了调用不成功的情况（No route to host）
矛盾点：
    spring cloud config 启动缓慢导致在测试的时候config服务启动后的一段时间内无法访问，让我们误以为关闭firewalld后无法接收请求，但又和其他服务又能正常访问出现了矛盾
验证：
    docker创建四个nginx（8120、8787、8083、8084）容器，并创建ubuntu容器安装curl。
    开启iptables，关闭firewalld，重启docker，启动五个容器，外部四个nginx访问成功，进入ubuntu容器使用curl访问，均成功
    开启iptables，开启firewalld，重启docker，启动五个容器，外部四个nginx访问成功，进入ubuntu容器使用curl访问，均不成功
    开启iptables，开启firewalld，重启docker，启动五个容器，外部四个nginx访问成功，宿主机配置firewall-cmd --zone=public --add-port=8120/tcp --permanent，进入ubuntu容器使用curl访问，8120访问，其他均不成功
    宿主机配置端口使用iptables转发规则配置无效：
        iptables -A INPUT -p tcp --dport 8120 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 8120 -j ACCEPT
        iptables -A FORWARD -p tcp --dport 8120 -j ACCEPT
结论：
    无论firewalld开启还是关闭，均不影响外部访问，宿主机需配置firewall-cmd --zone=public --add-port=8120/tcp --permanent（删除端口去掉--zone=public）同一宿主机才能相互访问成功
生产解决方案：
    开启iptables，关闭firewalld
    开启iptables，开启firewalld并配置开放端口
    （开启或关闭firewalld后，需要重启docker）
iptables->ufw(ubuntu)iptables->firewalld(centos)

Related recommendations: docker tutorial

The above is the detailed content of How to solve the problem that docker cannot access the host inside. For more information, please follow other related articles on the PHP Chinese website!