Why doesn't an nping packet with the correct MAC and a wrong IP reach another container on the same network?

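I have a Docker network with two containers in it. When I run nping with a fake destination IP address and the real MAC address of the second container, the packets appear in the tcpdump -eni eth0 output with a different source address (both MAC and IP) and with quite a big delay (~10s).

Is this a Docker bug, or have I missed something?

Here is how you can reproduce the issue.

Run this script: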

    docker network create --driver=bridge --subnet=10.16.17.0/24 so_con
    docker run -itd --name=con_A --net=so_con debian /bin/bash
    docker run -itd --name=con_B --net=so_con debian /bin/bash
    docker exec con_A sh -c 'apt-get update && apt-get install -y tcpdump'
    docker exec con_B sh -c 'apt-get update && apt-get install -y nmap'
    export A_MAC=`docker inspect -f '{{.NetworkSettings.Networks.so_con.MacAddress}}' con_A`
    docker exec con_B nping -c 100 --rate 1 --dest-mac $A_MAC 2.15.9.20 &
    docker exec con_A tcpdump -eni eth0

After apt-get finishes installing the packages, you'll see the mixed output of nping and tcpdump:

    Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2016-01-07 16:35 UTC
    SENT (0.0331s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=1] IP [ttl=64 id=3571 iplen=28 ]
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    SENT (1.0336s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=3] IP [ttl=64 id=3571 iplen=28 ]
    SENT (2.0351s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=3] IP [ttl=64 id=3571 iplen=28 ]
    SENT (3.0366s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=4] IP [ttl=64 id=3571 iplen=28 ]
    SENT (4.0381s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=5] IP [ttl=64 id=3571 iplen=28 ]
    SENT (5.0396s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=6] IP [ttl=64 id=3571 iplen=28 ]
    SENT (6.0410s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=7] IP [ttl=64 id=3571 iplen=28 ]
    SENT (7.0419s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=8] IP [ttl=64 id=3571 iplen=28 ]
    SENT (8.0433s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=9] IP [ttl=64 id=3571 iplen=28 ]
    SENT (9.0447s) ICMP [10.16.17.3 > 2.15.9.20 Echo request (type=8/code=0) id=6585 seq=10] IP [ttl=64 id=3571 iplen=28 ]
    16:36:00.699670 02:42:0a:10:11:03 > 02:42:0a:10:11:02, ethertype IPv4 (0x0800), length 42: 10.16.17.1 > 2.15.9.20: ICMP echo request, id 6585, seq 3, length 8
    16:36:00.699764 02:42:0a:10:11:02 > 02:42:1b:a1:db:5a, ethertype IPv4 (0x0800), length 70: 10.16.17.2 > 10.16.17.1: ICMP redirect 2.15.9.20 to host 10.16.17.1, length 36
    16:36:00.699809 02:42:0a:10:11:02 > 02:42:1b:a1:db:5a, ethertype IPv4 (0x0800), length 42: 10.16.17.1 > 2.15.9.20: ICMP echo request, id 6585, seq 3, length 8
    16:36:01.701244 02:42:0a:10:11:03 > 02:42:0a:10:11:02, ethertype IPv4 (0x0800), length 42: 10.16.17.1 > 2.15.9.20: ICMP echo request, id 6585, seq 3, length 8

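There are two observations here:

  1. tcpdump receives the first packet only after some time (9s).
  2. The received packet comes from the special Docker bridge interface attached to the host; in my case it is: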

        br-436234216b46 Link encap:Ethernet  HWaddr 02:42:1b:a1:db:5a
                  inet addr:10.16.17.1  Bcast:0.0.0.0  Mask:255.255.255.0

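Also, if you run tcpdump on the mentioned host-bound interface br-436234216b46, it shows the original nping packets from con_B, which for some reason do not reach con_A.

I'm using Docker 1.9.1 on 64-bit Ubuntu 14.04.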