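There is a physical machine with IP address 192.168.1.111.
Docker is installed on the physical machine and a container has been created; its IP address is 192.168.49.2.
I want the following command to run successfully both on the physical machine and inside the docker container. At the moment it only runs correctly on the physical machine.
```bash
curl -X GET https://registry-1.docker.io/v2/ -v
```
Result of running the command on the physical machine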
```bash
#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'http://127.0.0.1:7890/'
* Trying 127.0.0.1:7890...
* Connected to 127.0.0.1 (127.0.0.1) port 7890
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to registry-1.docker.io:443
> CONNECT registry-1.docker.io:443 HTTP/1.1
> Host: registry-1.docker.io:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=*.docker.com
* start date: Mar 5 00:00:00 2025 GMT
* expire date: Apr 3 23:59:59 2026 GMT
* subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Sat, 05 Jul 2025 10:23:42 GMT
< content-length: 87
< strict-transport-security: max-age=31536000
<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host 127.0.0.1 left intact
```
Result of running the command inside the docker container
```bash
#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 154.85.102.30:443...
* Trying 2600:1f18:2148:bc00:5cac:48a0:7f88:7266:443...
* Immediate connect fail for 2600:1f18:2148:bc00:5cac:48a0:7f88:7266: Network is unreachable
* Trying 2600:1f18:2148:bc01:f43d:e203:cafd:8307:443...
* Immediate connect fail for 2600:1f18:2148:bc01:f43d:e203:cafd:8307: Network is unreachable
* Trying 2600:1f18:2148:bc02:22:27bd:19a8:870c:443...
* Immediate connect fail for 2600:1f18:2148:bc02:22:27bd:19a8:870c: Network is unreachable
* connect to 154.85.102.30 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 133144 ms: Connection timed out
```
Routing table on the physical machine
```bash
#> ip route
default via 192.168.1.1 dev wlo1 proto dhcp src 192.168.1.111 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.111 metric 600
192.168.49.0/24 dev br-9123093efaea proto kernel scope link src 192.168.49.1
```
1 Betsy OP
**What I have tried**
Modified the docker.service configuration on the physical machine to add a proxy, in `/etc/systemd/system/docker.service.d/proxy.conf`
```ini
[Service]
Environment="HTTP_PROXY=http://localhost:7890/"
Environment="HTTPS_PROXY=http://localhost:7890/"
Environment="NO_PROXY=localhost,127.0.0.1"
```
```bash
#> curl -X GET https://registry-1.docker.io/v2/ -v # run inside the docker container
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 64.13.192.74:443...
* Trying 2a03:2880:f12c:83:face:b00c:0:25de:443...
* Immediate connect fail for 2a03:2880:f12c:83:face:b00c:0:25de: Network is unreachable
* connect to 64.13.192.74 port 443 failed: Connection timed out
* Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to registry-1.docker.io port 443 after 134931 ms: Connection timed out
```
Modified the proxy env inside the docker container
```bash
#> ping 192.168.1.111
PING 192.168.1.111 (192.168.1.111) 56(84) bytes of data.
64 bytes from 192.168.1.111: icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from 192.168.1.111: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.1.111: icmp_seq=3 ttl=64 time=0.088 ms
64 bytes from 192.168.1.111: icmp_seq=4 ttl=64 time=0.070 ms
^C
--- 192.168.1.111 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.070/0.084/0.109/0.015 ms
```
```bash
#> export https_proxy=http://192.168.1.111:7890
#> curl -X GET https://registry-1.docker.io/v2/ -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable https_proxy == 'http://192.168.1.111:7890'
* Trying 192.168.1.111:7890...
* connect to 192.168.1.111 port 7890 failed: Connection refused
* Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.1.111 port 7890 after 0 ms: Connection refused
```
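2 512357301 96 days ago via Android
Don't you just want to pull images? Go to the official 1panel documentation, find its mirror address, and configure that; it is very stable.
You could also install one of the docker tar image tools on the physical machine (search GitHub for the specifics), download the image as a tar archive, and then import it into docker, but that still requires configuring a mirror address. Just setting https_proxy won't work, so give up on that.
Docker's proxy configuration is complicated; it seems you have to change a lot of places and it often still doesn't take effect. I suggest giving up on configuring a proxy and using the 1panel mirror directly.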
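3 sorz 96 days ago
It looks like the problem above is that the connection isn't going through the proxy and so can't connect, while the problem in the reply below is that the proxy can't be reached from inside the container; I'm not sure what the specific cause is.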
4 HUZHUANGZHUANG 96 days ago
I don't know whether you have asked Gemini; I suggest you go ask it.
5 Betsy OP
Solved it. I had two things wrong.
1. Configure $HOME/.docker/config.json in the home directory of the user on the physical machine; containers created this way automatically get the proxy set in their environment variables.
```json
{
  "proxies": {
    "default": {
      "httpProxy": "http://192.168.1.111:7890",
      "httpsProxy": "http://192.168.1.111:7890",
      "noProxy": "localhost, 127.0.0.0/8, ::1"
    }
  }
}
```
2. I use Clash, which has a switch called allow-lan; it needs to be turned on.
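7 Betsy OP
@sorz In fact, by my last attempt the Connection refused error was already quite obvious. The proxy URL could not be reached from inside the docker container, but because access from the physical machine worked fine, I overlooked that the proxy itself might be the problem.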
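
The "Connection refused" in post 1 and the allow-lan fix described in posts 5 and 7 both come down to which address the proxy port is bound to on the host. As an added example (not written by anyone in the thread), this script classifies the listener from `ss -ltn` output and reports whether a container can reach a given proxy URL; the function names and the sample `ss` lines are constructed for illustration.

```bash
# Added example, not from the thread. Input is `ss -ltn` output taken on the host.

# classify_listener PORT: how is PORT bound on the host?
# Prints: not-listening | loopback-only | all-interfaces | specific:<addr>
classify_listener() {
  port="$1"; result="not-listening"
  while read -r _state _rq _sq addr _rest; do
    [ "${addr##*:}" = "$port" ] || continue   # 4th column is Local Address:Port
    host="${addr%:*}"
    case "$host" in
      0.0.0.0|'*'|'[::]') result="all-interfaces" ;;
      127.*|'[::1]')
        if [ "$result" = "not-listening" ]; then result="loopback-only"; fi ;;
      *)
        if [ "$result" != "all-interfaces" ]; then result="specific:$host"; fi ;;
    esac
  done
  echo "$result"
}

# proxy_check URL: can a container reach the proxy URL it was given?
# Checks the bind address only; host firewall rules are not inspected.
proxy_check() {
  hostport="${1#*://}"; hostport="${hostport%%/*}"
  phost="${hostport%:*}"; pport="${hostport##*:}"
  case "$phost" in
    localhost|127.*)
      echo "unreachable: $phost is the container's own loopback"; return 0 ;;
  esac
  bind=$(classify_listener "$pport")
  case "$bind" in
    all-interfaces|"specific:$phost") echo "ok" ;;
    loopback-only) echo "refused: port $pport listens on host loopback only" ;;
    *) echo "refused: nothing listens on $phost:$pport ($bind)" ;;
  esac
}

# Constructed samples: the proxy listener before and after enabling allow-lan.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:7890     0.0.0.0:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   *:7890             *:*'

printf '%s\n' "$SS_BEFORE" | proxy_check http://192.168.1.111:7890
printf '%s\n' "$SS_AFTER"  | proxy_check http://192.168.1.111:7890
```

On the real host, pipe live output instead of the samples: `ss -ltn | proxy_check http://192.168.1.111:7890`. An `all-interfaces` result means every host that can route to 192.168.1.111 can also connect to the proxy port, unless a firewall restricts it.
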
8 Betsy OP
@HUZHUANGZHUANG I asked; it didn't give a correct solution.
9 daisyfloor 95 days ago
With tun you don't get these problems.
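10 512357301 95 days ago via Android
@Betsy So far I have downloaded 100+ images and deployed close to 200 containers over time. Not many of them actually needed a proxy to get around network blocking, and when one did, configuring http_proxy inside the container was enough. Configuring a proxy inside a container is worlds apart in difficulty from configuring a proxy for docker.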
11 johnbobby 95 days ago
If you are setting the proxy inside the container, add this when running the container:
`-e https_proxy=http://192.168.1.111:7890`
If you are pulling images from Docker Hub's official registry address, run the following commands on the host:
`mkdir -p /etc/systemd/system/docker.service.d/`
`vim /etc/systemd/system/docker.service.d/proxy.conf`
Enter the following content:
```
[Service]
Environment="HTTP_PROXY=http://192.168.1.111:7890/"
Environment="HTTPS_PROXY=http://192.168.1.111:7890/"
Environment="ALL_PROXY=socks5://192.168.1.111:7890"
Environment="NO_PROXY=localhost,127.0.0.1"
```
12 johnbobby 95 days ago
13 ik 95 days ago via iPhone
Restart the docker service; it might be a firewall problem.
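14 YaakovZiv 95 days ago
If the host accesses the service via 127.0.0.1, then from inside the container you need to access the host's IP; configure the proxy inside the container.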