马春杰杰

Fix for LXD containers that still cannot obtain a dynamic IP after switching to the br0 bridged network

I currently have four machines. On one of them, configured by following the full procedure from last time, the containers obtain a dynamic IP correctly:

https://www.machunjie.com/linux/1881.html

But the other three don't work; they simply cannot get an address:

For a while I thought the upstream router was the problem, because DHCP never replied:

(base) mcj@ubuntu:~$ sudo tcpdump -i br0 -n 'port 67 or port 68'
[sudo] password for mcj:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:44:58.805534 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296
10:45:02.358795 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296
10:45:07.290035 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296
10:45:14.308262 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296
10:45:30.288421 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296
10:45:30.937214 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 300
10:45:33.960407 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 300
10:46:02.502683 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296
10:47:06.644200 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296

After digging around, I found the cause: the system hands layer-2 bridged traffic to iptables/nft for processing, which can swallow DHCP. So, as a temporary measure, turn off the bridge→iptables hook:

sudo sysctl -w net.bridge.bridge-nf-call-iptables=0
sudo sysctl -w net.bridge.bridge-nf-call-ip6tables=0

Then test DHCP again:

(base) mcj@ubuntu:~$ sudo tcpdump -i br0 -n 'port 67 or port 68'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:47:59.440982 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 300
10:48:00.580822 IP 10.170.255.254.67 > 10.170.2.249.68: BOOTP/DHCP, Reply, length 328
10:48:00.581125 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 300
10:48:00.620553 IP 10.170.255.254.67 > 10.170.2.249.68: BOOTP/DHCP, Reply, length 328
10:48:11.470548 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 296
10:48:11.478544 IP 10.170.255.254.67 > 10.170.2.249.68: BOOTP/DHCP, Reply, length 328
10:48:11.478752 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:51:ff:ab, length 308
10:48:11.487062 IP 10.170.255.254.67 > 10.170.2.249.68: BOOTP/DHCP, Reply, length 328
10:48:30.599298 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:4c:30:13:68, length 300
10:48:30.728204 IP 10.170.255.254.67 > 10.170.3.143.68: BOOTP/DHCP, Reply, length 328
10:49:22.872627 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:49:91:ec, length 295
10:49:23.994176 IP 10.170.255.254.67 > 10.170.3.42.68: BOOTP/DHCP, Reply, length 328
10:49:23.994446 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:49:91:ec, length 307
10:53:53.465790 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9c:7b:ef:4e:9e:8a, length 322
10:53:53.478028 IP 10.170.255.254.67 > 10.170.2.30.68: BOOTP/DHCP, Reply, length 328

As you can see, DHCP now succeeds and the container obtains an IP correctly~

But this is only in effect temporarily. For it to survive a reboot it needs to be made persistent, as follows:

Have the kernel load br_netfilter early:

echo br_netfilter | sudo tee /etc/modules-load.d/br_netfilter.conf
sudo modprobe br_netfilter

Then keep the sysctl settings at 0 and apply them immediately:

printf 'net.bridge.bridge-nf-call-iptables=0\nnet.bridge.bridge-nf-call-ip6tables=0\n' | sudo tee /etc/sysctl.d/99-bridge-nf.conf

sudo systemctl restart systemd-modules-load
sudo systemctl restart systemd-sysctl
sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables

Both values should print as 0~
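As an added check, not part of the original post: a shell function that audits whether the three pieces of the persistence above (the modules-load file, the sysctl.d drop-in and the live /proc/sys values) agree, and reminds you that with the hook off, host iptables/nft rules no longer see bridged container traffic. The function name bridge_nf_audit and its optional root-prefix argument (so it can be pointed at a copied tree or a test fixture instead of the real host) are my own assumptions.

```shell
#!/usr/bin/env bash
# Audit the br_netfilter persistence described in the post.
# Argument 1 (assumed, hypothetical): a root prefix for every path; empty means the real host.
bridge_nf_audit() {
    local root="${1:-}"
    local modconf="$root/etc/modules-load.d/br_netfilter.conf"
    local sysconf="$root/etc/sysctl.d/99-bridge-nf.conf"
    local procdir="$root/proc/sys/net/bridge"
    local rc=0 key live want

    # 1. The module must be listed for early load, otherwise the
    #    net.bridge.* keys do not exist when systemd-sysctl runs at boot.
    if ! grep -qx 'br_netfilter' "$modconf" 2>/dev/null; then
        echo "MISSING: $modconf does not list br_netfilter"
        rc=1
    fi

    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        # 2. The persisted value in the drop-in must be 0.
        want=$(sed -n "s/^[[:space:]]*net\.bridge\.$key[[:space:]]*=[[:space:]]*//p" "$sysconf" 2>/dev/null | tail -n1)
        if [ "$want" != "0" ]; then
            echo "MISSING: $sysconf does not set net.bridge.$key=0 (found: '${want:-none}')"
            rc=1
        fi
        # 3. The live value must also be 0; an absent file means br_netfilter
        #    is not loaded right now (the keys only appear once it is).
        if [ -r "$procdir/$key" ]; then
            live=$(cat "$procdir/$key")
            if [ "$live" != "0" ]; then
                echo "LIVE: net.bridge.$key=$live, DHCP on the bridge may still be dropped"
                rc=1
            fi
        else
            echo "LIVE: $procdir/$key absent, br_netfilter not loaded"
            rc=1
        fi
    done

    # Trade-off: with the hook disabled, iptables/nft no longer see bridged
    # frames at all, so host FORWARD rules meant for container traffic are bypassed.
    [ "$rc" -eq 0 ] && echo "OK: bridge-nf hook disabled and persisted (iptables no longer filters bridged traffic)"
    return "$rc"
}
```

Run `bridge_nf_audit` with no argument on the real host; a non-zero exit means one of the three pieces has drifted.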