When using a docker container, it needed to connect to the host's port 3306, but the connection failed: the docker container could not access the host's mysql database. However, the container could access the external network, and ping worked fine.
In the docker container's network mode, the docker process creates a docker0 virtual bridge for communication between host and container. When a docker container is started, the container is attached to the virtual bridge, and packets from the container are forwarded to the outside through the docker0 virtual bridge.
If the docker container accesses the host, the docker0 bridge forwards the packet directly to the local machine, and the source address of the packet is an address in the docker0 network segment. If the docker container accesses machines other than the host, SNAT on the bridge translates the source address of the packet into the address of the host, and the packet is sent out through the host's network card.
When the docker container accesses the host and the host's service port is blocked by the firewall, the connection fails with a No route to host error.
When the container accesses other machines on the local area network where the host is located, the source address of the packet is the host's ip, so it is not blocked by the destination machine's firewall and the access succeeds.
Solving the problem
First, edit the mysql configuration file so that mysql can be accessed from any address:
[mysqld]
bind-address = 0.0.0.0
After modifying the configuration file, restart mysql for the change to take effect.
For the sake of security, however, port 3306 is still not opened to the Internet in the firewall.
To access the host from the container, use the host's eth0 address, which is the host's intranet address. Use the ifconfig command to view the network's virtual bridge information.
Note: the host treats the container's ip address segment as Internet ip. (the current description is
Edit the firewall file /etc/firewalld/zones/public.xml and add the docker0 address segment to the configuration:
<rule family="ipv4">
  <source address="172.18.0.0/16"/>
  <accept/>
</rule>
Restart the firewall, after which the docker container can access the host port normally:
service firewalld restart
If a br-"docker network id" virtual bridge is in use, the address segment of that virtual bridge also needs to be added to the firewall whitelist for normal access:
<rule family="ipv4">
  <source address="172.20.0.0/16"/>
  <accept/>
</rule>
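The whitelist rules above accept every host port from the whole bridge address segment, not only 3306. As an added example (not from the original article), this Python script audits a zone file for such rules and reports what each container address may reach; the sample XML is constructed, and the tcp/3306 narrowing and the function names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed zone file: the article's docker0 rule, plus a variant narrowed to tcp/3306.
SAMPLE_ZONE = """<zone>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.20.0.0/16"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
</zone>"""

# Child elements that limit a rich rule to specific traffic.
SCOPING = ("port", "service", "protocol", "destination")


def describe(el):
    """Render a scoping element, e.g. <port protocol="tcp" port="3306"/>."""
    if el.tag == "port":
        return f"{el.get('protocol')}/{el.get('port')}"
    return f"{el.tag}:{el.get('name') or el.get('value') or el.get('address')}"


def audit_zone(zone_xml):
    """Return (source network, allowed traffic) for each source-based accept rule."""
    findings = []
    for rule in ET.fromstring(zone_xml).iter("rule"):
        source = rule.find("source")
        if rule.find("accept") is None or source is None or not source.get("address"):
            continue
        net = ipaddress.ip_network(source.get("address"), strict=False)
        scope = ", ".join(describe(el) for el in rule if el.tag in SCOPING)
        findings.append((net, scope or "ALL PORTS"))
    return findings


def allowed_scope(zone_xml, container_ip):
    """Return what one container address may reach on the host under these rules."""
    ip = ipaddress.ip_address(container_ip)
    return [scope for net, scope in audit_zone(zone_xml) if ip in net]


if __name__ == "__main__":
    for net, scope in audit_zone(SAMPLE_ZONE):
        print(f"{net}: private={net.is_private}, allows {scope}")
```

To audit a real host, pass the contents of /etc/firewalld/zones/public.xml to audit_zone instead of SAMPLE_ZONE.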
To test from within the container whether the host port can be reached, use the wget intranet-ip:port command.
$ wget 172.17.25.162:3306
wget: can't connect to remote host (172.17.25.162): Host is unreachable
$ wget 172.17.25.162:3306
wget: bad header line: 5.7.29-log # can be connected