expose port cannot reach
cospotato opened this issue · comments
Hi,

I installed docker-ce and containerd on my server.

Use `nerdctl run -d -p 8080:80 nginx` to start a container.
Use `docker run -d -p 8081:80 nginx` to start another container.

Try to curl http://{server_ip}:8080 and http://{server_ip}:8081 from another server.

The container started by docker can be reached, but the container started by nerdctl cannot.

I found that the rule in CNI-FORWARD never matched:
```
Chain CNI-FORWARD (1 references)
pkts bytes target prot opt in out source destination
14 880 CNI-ADMIN all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin admin overrides */
0 0 ACCEPT all -- * * 0.0.0.0/0 10.4.0.11 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.4.0.11 0.0.0.0/0
3 192 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7
```
The kernel log:

```
Jun 21 14:13:07 dev kernel: [11340794.729521] IN=ens4 OUT=nerdctl0 MAC=52:54:00:58:22:11:00:50:56:9f:68:b3:08:00 SRC=192.168.1.1 DST=10.4.0.11 LEN=64 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=53905 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
```
Then I tried adding a rule like this:

```
iptables -I CNI-FORWARD 1 -d 10.4.0.11/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
```
The container started by nerdctl can now be reached.

I found an issue on the nerdctl repo that said docker conflicts with nerdctl. But why?
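As an added illustration (not from the reporter, nerdctl or the CNI firewall plugin), the script below replays the quoted CNI-FORWARD listing and kernel LOG line through a small rule evaluator: the inbound SYN is conntrack state NEW, so it matches neither ACCEPT rule and falls through to LOG, while the inserted NEW,RELATED,ESTABLISHED rule accepts it. It assumes CNI-ADMIN is an empty chain and that a SYN without ACK is state NEW.

```python
import ipaddress

# Constructed from the CNI-FORWARD listing quoted above (iptables -nvL columns).
CHAIN_LISTING = """\
14 880 CNI-ADMIN all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin admin overrides */
0 0 ACCEPT all -- * * 0.0.0.0/0 10.4.0.11 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.4.0.11 0.0.0.0/0
3 192 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7"""

# Constructed from the kernel LOG line quoted above (syslog prefix and MAC dropped).
KERNEL_LOG = ("IN=ens4 OUT=nerdctl0 SRC=192.168.1.1 DST=10.4.0.11 LEN=64 TOS=0x00 PREC=0x00 "
              "TTL=59 ID=0 DF PROTO=TCP SPT=53905 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0")

# The rule the reporter inserted at position 1, written in the same listing format.
FIX_RULE = "0 0 ACCEPT all -- * * 0.0.0.0/0 10.4.0.11/32 ctstate NEW,RELATED,ESTABLISHED"
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """Pull target, source, destination and any --ctstate list out of one listing line."""
    f = line.split()
    rule = {"target": f[2], "src": ipaddress.ip_network(f[7]),
            "dst": ipaddress.ip_network(f[8]), "ctstate": None}
    if "ctstate" in f:
        rule["ctstate"] = set(f[f.index("ctstate") + 1].split(","))
    return rule

def parse_log(line):
    """Extract addresses and a conntrack state from a netfilter LOG line.
    Assumption: a SYN without ACK is the first packet of a flow, i.e. ctstate NEW."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    flags = {tok for tok in line.split() if "=" not in tok}
    state = "NEW" if "SYN" in flags and "ACK" not in flags else "ESTABLISHED"
    return {"src": ipaddress.ip_address(kv["SRC"]),
            "dst": ipaddress.ip_address(kv["DST"]), "ctstate": state}

def verdict(rules, pkt):
    """First terminating target that matches, else RETURN (the jump to the empty CNI-ADMIN
    chain and the LOG rule are non-terminating). Docker sets the FORWARD policy to DROP,
    so a RETURN from CNI-FORWARD means the SYN is dropped on this host."""
    for r in rules:
        addr_ok = pkt["src"] in r["src"] and pkt["dst"] in r["dst"]
        state_ok = not r["ctstate"] or pkt["ctstate"] in r["ctstate"]
        if addr_ok and state_ok and r["target"] in TERMINATING:
            return r["target"]
    return "RETURN"

def chain_verdict(prepend=()):
    """Evaluate the logged SYN against the listing, with any extra rules inserted on top."""
    rules = [parse_rule(l) for l in (*prepend, *CHAIN_LISTING.splitlines())]
    return verdict(rules, parse_log(KERNEL_LOG))
```

`chain_verdict()` returns `RETURN` for the listing as quoted and `ACCEPT` once `FIX_RULE` is prepended, which is the counter behaviour the reporter observed.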