
Problem: github.com unreachable from inside docker

by Joseph.Lee 2022. 11. 22.

I brought up dockerd as dind (Docker-in-Docker) on Kubernetes, using the Kata-containers runtime.

- Kubernetes: v1.19.14

- CNI: Calico v3.14.0

- Kata-containers: 3.0.0

 

But inside docker containers started through that dockerd, oddly, github.com could not be reached.

Most other sites worked fine.

On checking, the HTTPS connection never gets established. What could the reason be...

 

A connection that works:

# echo "" | openssl s_client -connect dl-cdn.alpinelinux.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dl-cdn.alpinelinux.org
verify return:1
---
Certificate chain
 0 s:CN = dl-cdn.alpinelinux.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = dl-cdn.alpinelinux.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4687 bytes and written 417 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B6268FDEB63D337DE6E7081D85ECE5DE46B34553BF4619E73619FB7005A4B834
    Session-ID-ctx: 
    Master-Key: 311E9078267FB84B90A44F1561EE4121EE5BCF4D51C275ED128CFAC01C1810D32B5B3B29C28E058B17D54F5ED27167DB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    ...

    Start Time: 1669078691
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE


The problematic github.com (the handshake stalls right after the client hello is written; no server hello ever comes back):

# echo "" | openssl s_client -connect github.com:443 -state
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello

 

Capturing packets on the dockerd pod's Calico interface,

the packets appear to be getting truncated.


[Dockerd Container] # ifconfig
eth0      Link encap:Ethernet  HWaddr 62:B5:76:9D:CF:96  
          inet addr:172.30.1.228  Bcast:172.30.1.228  Mask:255.255.255.255
          inet6 addr: fe80::60b5:76ff:fe9d:cf96/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:1255072 errors:0 dropped:0 overruns:0 frame:0
          TX packets:703606 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6684734820 (6.2 GiB)  TX bytes:4655809637 (4.3 GiB)

[In-Docker] # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:719 errors:0 dropped:0 overruns:0 frame:0
          TX packets:366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3719123 (3.5 MiB)  TX bytes:27167 (26.5 KiB)

The dockerd pod's eth0 has an MTU of 1450, but the docker container's eth0 has a larger MTU of 1500.

 

Adding --mtu=1450 to dockerd's arguments fixed the problem.
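To catch this mismatch programmatically rather than by eyeballing ifconfig, here is an added shell example (not code from the original post): it parses the MTU out of ifconfig-style output for the outer (dockerd pod) and inner (docker container) interfaces, reports the TCP MSS each MTU implies, and prints the --mtu value dockerd should be given. The two interface samples are constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the original post): compare the outer and inner
# interface MTUs and print the dockerd --mtu value that makes them consistent.
# Both samples below are constructed from the ifconfig output in the post.

OUTER_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 62:B5:76:9D:CF:96
          inet addr:172.30.1.228  Bcast:172.30.1.228  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1'

INNER_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# mtu_of TEXT: print the first MTU found in ifconfig output; accepts both the
# busybox spelling "MTU:1450" and the net-tools spelling "mtu 1450".
mtu_of() {
    printf '%s\n' "$1" | sed -n 's/.*[Mm][Tt][Uu][: ]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# tcp_mss MTU: the IPv4 TCP MSS a host derives from its interface MTU
# (20-byte IP header + 20-byte TCP header, no options).
tcp_mss() {
    echo $(( $1 - 40 ))
}

# recommend_mtu OUTER INNER: print the --mtu value dockerd needs, or "ok"
# when the inner MTU already fits inside the outer one.
recommend_mtu() {
    if [ "$2" -gt "$1" ]; then
        echo "$1"
    else
        echo ok
    fi
}

# check_mtu: run the comparison on the two samples and report the result.
check_mtu() {
    outer=$(mtu_of "$OUTER_IFCONFIG")
    inner=$(mtu_of "$INNER_IFCONFIG")
    echo "outer MTU $outer (MSS $(tcp_mss "$outer")), inner MTU $inner (MSS $(tcp_mss "$inner"))"
    rec=$(recommend_mtu "$outer" "$inner")
    if [ "$rec" = ok ]; then
        echo "MTUs are consistent"
    else
        echo "inner MTU exceeds outer MTU: start dockerd with --mtu=$rec"
    fi
}

check_mtu
```

On a live pod, the same values can be read from /sys/class/net/<iface>/mtu instead of the constructed samples; the setting can also be placed in /etc/docker/daemon.json as "mtu": 1450 instead of a command-line flag.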
