A container's exposed port can only be reached through the *external* IP address, not through localhost



There are so many questions posted in this area, but my case is the opposite: I have a docker container with an exposed port that works using the external IP address but does not work via localhost/127.0.0.1. I don't know why. I think the cause may be the same as the one behind my real problem, which is that my docker-compose containers can't talk to each other. This is on Ubuntu 22.10.

Here is the simple docker-compose.yml file:
version: '3.1'
services:
  zcashd:
    image: electriccoinco/zcashd
    restart: unless-stopped
    ports:
      - 8232:8232 # RPC (security sensitive)
      - 8233:8233 # Zcash network (public)
    volumes:
      - data:/srv/zcashd/.zcash
      - params:/srv/zcashd/.zcash-params

When the container is running, things look fine:

docker ps
CONTAINER ID   IMAGE                   COMMAND            CREATED       STATUS             PORTS                                                           NAMES
73cbbeb622e2   electriccoinco/zcashd   "/entrypoint.sh"   9 hours ago   Up About an hour   0.0.0.0:8232-8233->8232-8233/tcp, :::8232-8233->8232-8233/tcp   zcash_zcashd_1

But from outside the container, I can only reach port 8232 via the docker host's own IP address. Note how using localhost fails:

curl --user zecwallet -d '{"jsonrpc":"1.0","id":1,"method":"getblockchaininfo","params":[]}' -H 'Content-Type:text/plain' http://localhost:8232 -v
Enter host password for user 'zecwallet':
*   Trying 127.0.0.1:8232...
* Connected to localhost (127.0.0.1) port 8232 (#0)
* Server auth using Basic with user 'zecwallet'
> POST / HTTP/1.1
> Host: localhost:8232
> Authorization: Basic *redacted*
> User-Agent: curl/7.85.0
> Accept: */*
> Content-Type:text/plain
> Content-Length: 65
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Tue, 13 Dec 2022 14:42:48 GMT
< Content-Length: 0
< Content-Type: text/html; charset=ISO-8859-1
< 
* Connection #0 to host localhost left intact

And note how it succeeds in the same shell using the host's IP address:

curl --user zecwallet -d '{"jsonrpc":"1.0","id":1,"method":"getblockchaininfo","params":[]}' -H 'Content-Type:text/plain' http://192.168.0.118:8232 -v
Enter host password for user 'zecwallet':
*   Trying 192.168.0.118:8232...
* Connected to 192.168.0.118 (192.168.0.118) port 8232 (#0)
* Server auth using Basic with user 'zecwallet'
> POST / HTTP/1.1
> Host: 192.168.0.118:8232
> Authorization: Basic *redacted*
> User-Agent: curl/7.85.0
> Accept: */*
> Content-Type:text/plain
> Content-Length: 65
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Tue, 13 Dec 2022 14:45:56 GMT
< Content-Length: 2106
< 
{"result":{...},"error":null,"id":1}

It also works when the HTTP request comes from another machine, using the host's IP address of course.

So, localhost not working is strange and a bit annoying. But what really stops me is when I add another service to my docker-compose.yml file. It tries to reach my zcashd service via that hostname and gets the same 403 Forbidden response I get from outside the containers when using localhost. These containers are supposed to be able to talk to each other, so why doesn't it work?

I have not set up ufw or any other firewall on this machine. Here is some more information:

# docker inspect zcash_zcashd_1
...
"NetworkSettings": {
    "Bridge": "",
    "HairpinMode": false,
    "LinkLocalIPv6Address": "",
    "LinkLocalIPv6PrefixLen": 0,
    "Ports": {
        "8232/tcp": [
            {
                "HostIp": "0.0.0.0",
                "HostPort": "8232"
            },
            {
                "HostIp": "::",
                "HostPort": "8232"
            }
        ],
        "8233/tcp": [
            {
                "HostIp": "0.0.0.0",
                "HostPort": "8233"
            },
            {
                "HostIp": "::",
                "HostPort": "8233"
            }
        ]
    },
    ...
    "Networks": {
        "zcash_default": {
            "IPAMConfig": null,
            "Links": null,
            "Aliases": [
                "73cbbeb622e2",
                "zcashd"
            ],
            "NetworkID": "...",
            "EndpointID": "...",
            "Gateway": "172.25.0.1",
            "IPAddress": "172.25.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "MacAddress": "...",
            "DriverOpts": null
        }
    }

It turns out this was not a docker problem. It was a problem with the zcash.conf configuration file inside the container itself. It has an allowed-IPs list that rejects incoming requests based on IP address. It is supposed to filter on the source's IP address, but apparently the IP address the source uses to talk to it also affects how the target sees the source IP.

Adding this to my zcash.conf file solved the problem:

rpcallowip=172.0.0.0/255.0.0.0
rpcallowip=127.0.0.1/255.255.255.255

Docker always assigns IP addresses starting with 172, so the first line allows access from other containers, and the second line also allows access via localhost on the host.
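An added example, not code from the question, the answer, or the zcashd project: it models how the two rpcallowip entries in the answer treat different source addresses using Python's ipaddress module, and compares them with a tighter 172.16.0.0/12 rule of my own. The source addresses are constructed, and the claim that a host connection to localhost:8232 reaches the container from the bridge gateway 172.25.0.1 (via Docker's userland proxy) is an assumption.

```python
import ipaddress

# Constructed example values. ANSWER_RULES are the two rpcallowip lines from the
# answer above; TIGHTER_RULES is my own alternative that only admits the RFC 1918
# block Docker draws its default bridge subnets from (172.16.0.0/12).
ANSWER_RULES = ["172.0.0.0/255.0.0.0", "127.0.0.1/255.255.255.255"]
TIGHTER_RULES = ["172.16.0.0/12", "127.0.0.1"]

# Constructed source addresses a zcashd container like the one above might see.
# 172.25.0.1 is the zcash_default gateway from the docker inspect output; my
# assumption is that host connections to the published port via 127.0.0.1 arrive
# from that gateway address (Docker's userland proxy), not from 127.0.0.1.
SOURCES = {
    "127.0.0.1": "loopback, if the connection were not proxied",
    "172.25.0.1": "bridge gateway (host -> localhost:8232 via docker-proxy)",
    "172.25.0.3": "sibling container on zcash_default",
    "192.168.0.50": "another host on the LAN",
    "172.1.2.3": "public address: inside 172.0.0.0/8, outside 172.16.0.0/12",
}


def parse_rpcallowip(entry: str) -> ipaddress.IPv4Network:
    """Parse one rpcallowip value: <ip>, <ip>/<prefix> or <ip>/<dotted netmask>.
    strict=False accepts host bits set in the address part."""
    return ipaddress.ip_network(entry, strict=False)


def is_allowed(source_ip: str, rules) -> bool:
    """True if any rule's subnet contains the source address."""
    src = ipaddress.ip_address(source_ip)
    return any(src in parse_rpcallowip(r) for r in rules)


def admits_non_private(entry: str) -> bool:
    """True if the rule's subnet reaches outside loopback/RFC 1918 space,
    i.e. it would also admit publicly routable source addresses."""
    return not parse_rpcallowip(entry).is_private


def evaluate(rules):
    """Map each constructed source address to whether the rule set admits it."""
    return {src: is_allowed(src, rules) for src in SOURCES}


if __name__ == "__main__":
    for name, rules in (("answer", ANSWER_RULES), ("tighter", TIGHTER_RULES)):
        print(f"--- {name}: {rules}")
        for src, allowed in evaluate(rules).items():
            print(f"{src:>14}  {'allow' if allowed else 'deny ':5}  {SOURCES[src]}")
        print("rules admitting non-private sources:",
              [r for r in rules if admits_non_private(r)])
```

The answer's 172.0.0.0/255.0.0.0 rule admits the gateway and sibling containers, but it also covers the whole 172.0.0.0/8, most of which is public address space; 172.16.0.0/12 admits the same Docker addresses without that.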
