Я создал небольшой docker-compose проект для воспроизведения этого поведения. Контейнер с `network_mode: bridge`
может разрешить домен, но другой, подключённый к пользовательской сети, завершается ошибкой «неверный адрес». Я добавил вывод проверки (inspect) обеих сетей. Они выглядят одинаково, но почему фильтр не работает в пользовательской сети и как заставить его работать? Это по замыслу или это может быть ошибка Docker? Заранее спасибо!
docker-compose.yml
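version: "3.4"

# Shared service definition; both services below pull it in via a `<<:` merge
# key. Merge keys are a YAML 1.1 extension that docker-compose understands,
# but not every YAML parser does.
x-iptables: &default-iptables
  image: vimagick/iptables
  # NET_ADMIN is the one capability the container needs to edit its own
  # netfilter rules; nothing broader is granted.
  cap_add:
    - NET_ADMIN
  # Literal block (`|`) keeps every script line on its own line. With the
  # folded style (`>`) lines at the same indent are joined with spaces, which
  # would glue `adduser -D admin` onto the following iptables command and
  # break the chain before `ping` ever runs.
  #
  # Rule set: default-deny on OUTPUT, then allow UDP only for sockets owned by
  # the unprivileged `admin` user/group, so only its DNS/ping traffic may leave.
  #
  # NOTE(review): on the default bridge /etc/resolv.conf carries the host's
  # nameservers, so admin's DNS queries leave via eth0 and match the owner
  # rules. On a user-defined network Docker points resolv.conf at its embedded
  # DNS server (127.0.0.11); that exchange happens over loopback and the reply
  # packets are presumably not generated by a socket owned by `admin`, so the
  # OUTPUT DROP policy would discard them. Compare `cat /etc/resolv.conf` in
  # both containers to confirm; if that is the cause, an explicit
  # `iptables -A OUTPUT -o lo -j ACCEPT` before the owner rules keeps the
  # default-deny intact while letting the local resolver answer.
  command: |
    sh -c '
    adduser -D admin
    iptables -P OUTPUT DROP &&
    iptables -A OUTPUT -p udp -m owner --gid-owner admin -j ACCEPT &&
    iptables -A OUTPUT -p udp -m owner --uid-owner admin -j ACCEPT &&
    echo options timeout:1>>/etc/resolv.conf &&
    su -c "ping stackoverflow.com" - admin
    '

services:
  # Attached to Docker's default `bridge` network (docker0).
  iptables_bridge:
    <<: *default-iptables
    network_mode: bridge

  # Same image and rules, but on the compose-managed user-defined network.
  iptables_custom:
    <<: *default-iptables
    networks:
      - custom

networks:
  custom:
    driver: bridge
    # Docker expects these option values as strings, hence the quotes.
    driver_opts:
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.bridge.enable_icc: "true"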
docker network inspect bridge
[
{
"Name": "bridge",
"Id": "487d2b1d5e1e514aded43adee8678125b1b9fb340fcf6f4e643198d0ea94f45d",
"Created": "2020-02-13T13:05:41.695016429+01:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.25.0.0/16",
"Gateway": "172.25.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
docker network inspect net_custom
[
{
"Name": "net_custom",
"Id": "d898866753a16e360d440e4fcacdf8c92eb12f1a443bcc86a3f2be240b853400",
"Created": "2020-02-13T14:43:17.744258173+01:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.19.0.0/16",
"Gateway": "172.19.0.1"
}
]
},
"Internal": false,
"Attachable": true,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true"
},
"Labels": {
"com.docker.compose.network": "custom",
"com.docker.compose.project": "net",
"com.docker.compose.version": "1.25.4"
}
}
]
Информация о системе:
docker --version
Docker version 19.03.5, build 633a0ea838
docker-compose --version
docker-compose version 1.25.4, build 8d51620a
uname -a
Linux v22019058359789001 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
docker info
Client:
Debug Mode: false
Server:
Containers: 30
Running: 3
Paused: 0
Stopped: 27
Images: 100
Server Version: 19.03.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.19.0-6-amd64
Operating System: Debian GNU/Linux 10 (buster)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.948GiB
Name: v22019058359789001
ID: QWPC:PGAF:5G72:QJGW:IIW7:3RV3:ESMO:ZYLX:UHZP:U372:RIGW:XG5Q
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support