我的 Docker 守护进程似乎/etc/docker/daemon.json在启动时忽略了。
与这个问题类似,我在告诉 Docker 守护进程它不应该使用默认172.17.*范围时遇到了一些麻烦。该范围已被我们的 VPN 占用,并阻止通过该 VPN 连接的人员连接到运行 Docker 的服务器。
非常烦人的事情是,每次我重新启动服务器时,Docker 都会再次从 VPN 的范围内申请一个 IP,而不管我输入了什么/etc/docker/daemon.json。我必须手动发出
# systemctl restart docker
启动后直接在172.17.*网络上的人可以再次访问服务器之前。
这显然经常被遗忘,并导致许多问题票。
我的/etc/docker/daemon.json样子是这样的:
{
"default-address-pools": [
{
"base": "172.20.0.0/16",
"size": 24
}
]
}
并获得这样的许可:
-rw-r--r-- 1 root root 123 Dec 8 10:43 daemon.json
我什至不知道如何开始诊断这个问题;有任何想法吗?
为了完整性:
- Ubuntu 18.04.5 LTS
- Docker 版本 19.03.6,构建 369ce74a3c
编辑:输出systemctl cat docker:
# /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
Wants=containerd.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
[Install]
WantedBy=multi-user.target
sudo docker info(之后systemctl restart docker)的输出:
Client:
Debug Mode: false
Server:
Containers: 34
Running: 19
Paused: 0
Stopped: 15
Images: 589
Server Version: 19.03.6
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version:
runc version:
init version:
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-140-generic
Operating System: Ubuntu 18.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 47.16GiB
Name: linuxsrv
ID: <redacted>
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: <redacted>
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
http://172.16.30.33:6000/
Live Restore Enabled: false
WARNING: No swap limit support
docker 使用了多个地址池。
default-address-pools适用于所有新用户创建的桥接网络。更改此设置后,您可能需要删除并重新创建这些网络。还有
bip, 在daemon.json文件中设置如下行:该
bip设置适用于名为的默认桥接网络bridge,并且需要设置为该桥接网络上网关的 CIDR(因此您不能将其定义为192.168.63.0/24,尾随.1很重要)。如果您使用的是 swarm 模式,则覆盖网络有自己的地址池,在覆盖网络中的节点之间共享。这需要在
docker swarm init使用--default-addr-pool标志期间进行配置。最后,如果您通过 snap 运行 docker,此文件的位置是
/var/snap/docker/current/etc/docker/daemon.json并且不会出现在更新中保留,因此您需要在更新后再次替换此文件。虽然我认为我使用 BMitch 的答案解决了问题,但我错了 -引导后
docker0地址仍然在错误的范围内。172.17.*.*经过更多的挖掘,结果发现,不知何故,我
dockerd安装了多个版本:显然,来自 Snap 的那个是启动时启动的,而另一个是运行时启动的
sudo systemctl restart docker。从 Snap 中卸载并清除逃脱(...逃避?)我的注意力终于解决了这个讨厌的问题。