IP configuration for a CentOS 7 Docker container accessing the host

Time: 2021-1-25

Scenario

A Docker container running on CentOS 7 needs to connect to MySQL on the host, port 3306. The connection fails: the container cannot reach the host's MySQL database, even though the container can reach the external network without problems (ping to the outside works).

Cause analysis

Docker is deployed on CentOS 7 and the container uses the bridge network mode.
When Docker starts, the Docker daemon creates the docker0 virtual bridge for communication between the host and its containers. When a container is started, it is attached to this bridge, and packets leaving the container are forwarded out through docker0.

If the container accesses the host itself, docker0 delivers the packet directly to the local machine, and the packet's source address is an address in the docker0 subnet. If the container accesses a machine other than the host, Docker's SNAT rule (a MASQUERADE rule in the nat table) rewrites the source address to the host's address before the packet leaves through the host's network card.

So when a container accesses the host, and the host's service port is blocked by the host firewall, the connection fails with a "No route to host" error (firewalld's default reject answers with an ICMP host-prohibited message, which the client reports that way).

When the container accesses other machines on the host's LAN, the source address of the packet is the host's IP, so the destination machine's firewall does not treat it differently from the host itself and the access succeeds.

Solution

First edit the MySQL configuration file so that MySQL listens on every interface and can be reached from any IP:

[mysqld]
bind-address = 0.0.0.0

Restart MySQL after modifying the configuration file for the change to take effect.
Note that bind-address = 0.0.0.0 makes MySQL listen on every interface, so the firewall is now the only thing keeping port 3306 off the Internet: for security, keep 3306 closed to Internet access in the firewall. If only containers need the database, binding to the docker0 address instead of 0.0.0.0 is tighter still.

The address the container uses to reach the host is the host's eth0 address, i.e. the host's intranet IP (127.0.0.1 inside the container is the container's own loopback, not the host).
Run ifconfig (or ip addr) on the host to view the virtual bridge and its address range.

Note: on the host, firewalld treats the container address range like any other Internet source, because docker0 falls into the default public zone (this description is for the CentOS 7 environment).

Edit the firewall zone file /etc/firewalld/zones/public.xml and add a rich rule accepting the docker0 address range inside the <zone> element. The range must match your own docker0 subnet as shown by ifconfig; on this host it is 172.18.0.0/16 (Docker picks a range that does not collide with the host's LAN, which here is in 172.17.0.0/16):

<rule family="ipv4">
  <source address="172.18.0.0/16"/>
  <accept/>
</rule>

Restart firewalld (on CentOS 7 this is systemctl restart firewalld; the service command redirects to it) or run firewall-cmd --reload, and the container can reach the host port normally.

service firewalld restart

If docker-compose is used, it creates an additional virtual bridge named br-<docker network id> for each compose network.
The address range of that bridge also has to be added to the firewall whitelist before its containers can reach the host:

<rule family="ipv4">
  <source address="172.20.0.0/16"/>
  <accept/>
</rule>
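The whitelist entries above, for docker0 and for each br-* bridge, have to match the subnets actually configured on the host, and the firewall rule must cover the whole network, not the bridge's own gateway address. The following shell script, an added example that is not the page's own code, derives those subnets from the output of ip -o -4 addr show and prints the equivalent firewall-cmd rich rules. It runs on a constructed sample of that output (the host LAN address 172.17.25.162 comes from the page; the /20 prefix and the br- network id are assumptions). Unlike the rule in the page, which accepts everything from the bridge, the emitted rules accept only the one TCP port the containers need, which is the least-privilege version of the same whitelist.

```sh
#!/bin/sh
# Added example, not the page's own code. Derives the Docker bridge subnets
# that firewalld must accept and prints firewall-cmd rich rules for them.
# Assumes the `ip -o -4 addr show` line format: "N: IFACE inet A.B.C.D/LEN ...".

# Constructed sample of `ip -o -4 addr show` output. The eth0 address is the
# host intranet IP from the page; the /20 prefix and the br- id are assumed.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 172.17.25.162/20 brd 172.17.31.255 scope global eth0\       valid_lft forever preferred_lft forever
3: docker0    inet 172.18.0.1/16 brd 172.18.255.255 scope global docker0\       valid_lft forever preferred_lft forever
5: br-1a2b3c4d5e6f    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-1a2b3c4d5e6f\       valid_lft forever preferred_lft forever'

# cidr_network 172.18.0.1/16 -> 172.18.0.0/16
# Turns an interface address into its network address, so the rule covers
# every container on the bridge rather than just the gateway IP.
cidr_network() {
    ip=${1%/*}
    bits=${1#*/}
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# docker_bridge_subnets "<ip -o -4 addr show output>"
# Prints "IFACE NETWORK/LEN" for docker0 and every docker-compose br-* bridge;
# eth0, lo and other interfaces are ignored.
docker_bridge_subnets() {
    printf '%s\n' "$1" |
        awk '$2 == "docker0" || $2 ~ /^br-/ { print $2, $4 }' |
        while read -r iface cidr; do
            printf '%s %s\n' "$iface" "$(cidr_network "$cidr")"
        done
}

# firewall_cmd_lines "<ip output>" [PORT]
# Emits one permanent rich rule per bridge, limited to TCP PORT (3306 for
# MySQL), followed by the reload that makes the permanent rules active.
firewall_cmd_lines() {
    port=${2:-3306}
    docker_bridge_subnets "$1" | while read -r iface net; do
        printf '# %s\nfirewall-cmd --permanent --zone=public --add-rich-rule=%s\n' "$iface" \
            "'rule family=\"ipv4\" source address=\"$net\" port port=\"$port\" protocol=\"tcp\" accept'"
    done
    echo 'firewall-cmd --reload'
}

# Usage on the sample; on a real host replace the sample with "$(ip -o -4 addr show)",
# review the printed commands, then run them as root.
firewall_cmd_lines "$SAMPLE_IP_ADDR" 3306
```

The rich-rule form is equivalent to the XML in public.xml, but firewall-cmd writes the zone file for you and validates the rule, so it is the safer way to edit the zone on a running host.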


Testing the port

To test from inside the container whether the host port is reachable, run wget <intranet IP>:<port>. MySQL does not speak HTTP, so a successful connection shows up as wget complaining about the MySQL greeting rather than as a download.

$ wget 172.17.25.162:3306
wget: can't connect to remote host (172.17.25.162): No route to host   # blocked by the host firewall

$ wget 172.17.25.162:3306
wget: bad header line: 5.7.29-log   # connected: this is the MySQL 5.7.29 server greeting, not an HTTP header