GitLab Docker image cannot reach my mail server's SMTP port


I have a locally running gitlab_ce instance, version 16.9.2.

GitLab cannot send e-mail through our mail server. I am fairly sure this worked in the past. This is my configuration:

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "mail.mycompany.de"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_domain'] = "mycompany.de"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_user_name'] = 'username'
gitlab_rails['smtp_password'] = 'passwd'
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = true
gitlab_rails['smtp_ssl'] = true
gitlab_rails['smtp_pool'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'none'

gitlab_rails['gitlab_email_enabled'] = true

Since GitLab is not the only software that uses this mail server, I am certain the settings are correct. Authentication should not be necessary; I added those settings just to try it at least once. All recipients have a mailbox managed by this server.

Now, with these settings, I opened a console to send a mail:

Notify.test_email('[email protected]', 'Message Subject', 'Message Body').deliver_now
Delivered mail [email protected] (30043.0ms)
/opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.3/lib/net/smtp.rb:645:in `rescue in tcp_socket': Timeout to open TCP connection to mail.mycompany.de:465 (exceeds 30 seconds) (Net::OpenTimeout)
/opt/gitlab/embedded/lib/ruby/3.1.0/socket.rb:61:in `connect_internal': Connection timed out - user specified timeout (Errno::ETIMEDOUT)

I pinged the mail server from inside the container, and the ping gets echo replies. -> ping and DNS work

I tried to connect to port 465 but got no answer (timeout).

openssl s_client -connect mail.mycompany.de:465 -crlf

If I try the connection on the host, I get an answer.

Even curl works from inside the container, e.g.

curl https://www.google.de

This is how I start the container:

docker run --detach \
  --hostname gitlab.mycompany.de \
  -p 127.0.0.1:8443:443 \
  --name gitlab \
  --restart unless-stopped \
  --volume /var/www/gitlab/config:/etc/gitlab \
  --volume /var/www/gitlab/logs:/var/log/gitlab \
  --volume /var/www/gitlab/data:/var/opt/gitlab \
  --network plantuml-n \
  --shm-size 256m \
  gitlab/gitlab-ce:$1

where $1 is the version I want to start. As you can see, I use the network of plantuml, named plantuml-n. I created the network before the first installation:

docker network create plantuml-n

It is a bridge network, which should be fine for outgoing traffic.

Do you have any idea why outgoing traffic from inside the container is blocked?

The following data was requested in the comments:

OS of container and host:

Ubuntu 22.04

Firewall

Container: none

Host: ufw

iptables-save

Container:

iptables-save: command not found

Host

*filter
:INPUT DROP [433787:20575608]
:FORWARD ACCEPT [21:888]
:OUTPUT ACCEPT [6098:480927]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-79dd7e626a8f -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-79dd7e626a8f -j DOCKER
-A FORWARD -i br-79dd7e626a8f ! -o br-79dd7e626a8f -j ACCEPT
-A FORWARD -i br-79dd7e626a8f -o br-79dd7e626a8f -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-5d7297ff3a1b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5d7297ff3a1b -j DOCKER
-A FORWARD -i br-5d7297ff3a1b ! -o br-5d7297ff3a1b -j ACCEPT
-A FORWARD -i br-5d7297ff3a1b -o br-5d7297ff3a1b -j ACCEPT
-A FORWARD -o br-260e4a48fccf -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-260e4a48fccf -j DOCKER
-A FORWARD -i br-260e4a48fccf ! -o br-260e4a48fccf -j ACCEPT
-A FORWARD -i br-260e4a48fccf -o br-260e4a48fccf -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.19.0.2/32 ! -i br-5d7297ff3a1b -o br-5d7297ff3a1b -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8081 -j ACCEPT
-A DOCKER -d 172.21.0.2/32 ! -i br-79dd7e626a8f -o br-79dd7e626a8f -p tcp -m tcp --dport 995 -j ACCEPT
-A DOCKER -d 172.21.0.2/32 ! -i br-79dd7e626a8f -o br-79dd7e626a8f -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.21.0.2/32 ! -i br-79dd7e626a8f -o br-79dd7e626a8f -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.21.0.2/32 ! -i br-79dd7e626a8f -o br-79dd7e626a8f -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.21.0.2/32 ! -i br-79dd7e626a8f -o br-79dd7e626a8f -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.21.0.2/32 ! -i br-79dd7e626a8f -o br-79dd7e626a8f -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-5d7297ff3a1b -o br-5d7297ff3a1b -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-79dd7e626a8f ! -o br-79dd7e626a8f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-260e4a48fccf ! -o br-260e4a48fccf -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5d7297ff3a1b ! -o br-5d7297ff3a1b -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-79dd7e626a8f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-260e4a48fccf -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5d7297ff3a1b -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -d 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A DOCKER-USER -d 10.0.0.0/8 -p udp -m udp --dport 0:32767 -j DROP
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "\'dapp_Nginx%20Full\'" -j ACCEPT
-A ufw-user-input -s 172.17.0.0/16 -p tcp -m tcp --dport 3306 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 51821 -j ACCEPT
-A ufw-user-input -s 10.8.1.0/24 -p tcp -m tcp --dport 3333 -j ACCEPT
-A ufw-user-input -s 10.8.1.0/25 -p tcp -m tcp --dport 3306 -j ACCEPT
-A ufw-user-input -s 10.8.1.0/25 -p tcp -m tcp --dport 1433 -j ACCEPT
-A ufw-user-input -s 10.8.1.0/25 -p tcp -m tcp --dport 3389 -j ACCEPT
-A ufw-user-input -s 10.8.1.0/25 -p udp -m udp --dport 3389 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Mar 20 08:31:48 2024
# Generated by iptables-save v1.8.7 on Wed Mar 20 08:31:48 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.21.0.0/16 ! -o br-79dd7e626a8f -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-5d7297ff3a1b -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-260e4a48fccf -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 8081 -j MASQUERADE
-A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 995 -j MASQUERADE
-A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 587 -j MASQUERADE
-A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 465 -j MASQUERADE
-A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 143 -j MASQUERADE
-A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A POSTROUTING -s 172.19.0.3/32 -d 172.19.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A DOCKER -i br-79dd7e626a8f -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-260e4a48fccf -j RETURN
-A DOCKER -i br-5d7297ff3a1b -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-5d7297ff3a1b -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.19.0.2:8080
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 172.17.0.2:3000
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5006 -j DNAT --to-destination 172.17.0.3:8081
-A DOCKER ! -i br-79dd7e626a8f -p tcp -m tcp --dport 995 -j DNAT --to-destination 172.21.0.2:995
-A DOCKER ! -i br-79dd7e626a8f -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.21.0.2:993
-A DOCKER ! -i br-79dd7e626a8f -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.21.0.2:587
-A DOCKER ! -i br-79dd7e626a8f -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.21.0.2:465
-A DOCKER ! -i br-79dd7e626a8f -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.21.0.2:143
-A DOCKER ! -i br-79dd7e626a8f -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.21.0.2:25
-A DOCKER -d 127.0.0.1/32 ! -i br-5d7297ff3a1b -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.19.0.3:443
COMMIT

ip route list

Container

172.19.0.0/16 dev eth0 scope link  src 172.19.0.3

Host

default via a.b.c.d dev enp0s31f6 proto static onlink
10.8.1.0/24 dev wg0 proto kernel scope link src 10.8.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-260e4a48fccf proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-5d7297ff3a1b proto kernel scope link src 172.19.0.1
172.21.0.0/16 dev br-79dd7e626a8f proto kernel scope link src 172.21.0.1
Tags: docker, email, gitlab
1 Answer
> "/opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.3/lib/net/smtp.rb:645:in
> `rescue in tcp_socket': Timeout to open TCP connection to
> mail.mycompany.de:465 (exceeds 30 seconds) (Net::OpenTimeout)
> /opt/gitlab/embedded/lib/ruby/3.1.0/socket.rb:61:in
> `connect_internal': Connection timed out - user specified timeout
> (Errno::ETIMEDOUT)

I suggest using tcpdump on both the sender and the receiver to check whether the traffic is actually received, because it says the TCP connection timed out. You say ping works. That means either nothing is being sent or received, or the TCP connection is simply being rejected/dropped. With this information it may be possible to find out where the problem lies.
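To make the answer's distinction between "nothing is sent" and "the SYN is dropped" concrete against the rules the question already posts, here is an added example that is not part of the question or the answer. It parses the DOCKER-USER chain exactly as it appears in the host's iptables-save output above and walks it the way netfilter does for a packet forwarded from a container. DOCKER-USER is only jumped to from FORWARD, so it sees container traffic but not connections the host itself opens (those go through OUTPUT), which is consistent with `openssl s_client` answering on the host but not in the container. The page does not say which address mail.mycompany.de resolves to: the container address 172.19.0.3 comes from the `ip route list` output, but the two destination addresses below (one inside 10.0.0.0/8, one public) are constructed scenarios, so the script shows which rule would produce the observed symptom if the mail server sits in 10.0.0.0/8, not that it does.

```python
import ipaddress

# Constructed sample: the DOCKER-USER chain copied from the host's
# iptables-save output in the question (filter table).
DOCKER_USER_RULES = """
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -d 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A DOCKER-USER -d 10.0.0.0/8 -p udp -m udp --dport 0:32767 -j DROP
-A DOCKER-USER -j RETURN
"""


def parse_rules(text, chain="DOCKER-USER"):
    """Parse the subset of iptables-save syntax used in the chain above
    (-s, -d, -p, --dport, --tcp-flags, -j). Other options such as "-m tcp"
    are skipped together with their argument."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", chain]:
            continue
        rule = {"src": None, "dst": None, "proto": None,
                "dports": None, "syn_only": False, "target": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1]); i += 2
            elif t == "-d":
                rule["dst"] = ipaddress.ip_network(toks[i + 1]); i += 2
            elif t == "-p":
                rule["proto"] = toks[i + 1]; i += 2
            elif t == "--dport":
                lo, _, hi = toks[i + 1].partition(":")      # "0:32767" or "465"
                rule["dports"] = (int(lo), int(hi or lo)); i += 2
            elif t == "--tcp-flags":
                mask, comp = toks[i + 1].split(","), toks[i + 2].split(",")
                # "FIN,SYN,RST,ACK SYN": only the first SYN of a new TCP
                # connection matches; later segments carry ACK and pass.
                rule["syn_only"] = {"SYN", "ACK"} <= set(mask) and comp == ["SYN"]
                i += 3
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            else:
                i += 2 if t.startswith("-") else 1
        rules.append(rule)
    return rules


def verdict(rules, src, dst, proto, dport=None, new_connection=True):
    """First-match walk of the chain for one packet. Returns the target of
    the matching rule ("DROP" or "RETURN"). Falling off the end of a
    user-defined chain is also a RETURN to the caller (FORWARD), where the
    per-bridge ACCEPT rules shown in the question then allow container egress."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dports"] is not None and not (r["dports"][0] <= dport <= r["dports"][1]):
            continue
        if r["syn_only"] and not new_connection:
            continue
        return r["target"]
    return "RETURN"


def container_checks(rules, container_ip, mail_ip):
    """Replay the probes from the question against one destination:
    ping (ICMP echo), a new SMTPS connection (TCP SYN to 465) and a new
    HTTPS connection (TCP SYN to 443, the curl check)."""
    return {
        "ping": verdict(rules, container_ip, mail_ip, "icmp"),
        "tcp/465": verdict(rules, container_ip, mail_ip, "tcp", 465),
        "tcp/443": verdict(rules, container_ip, mail_ip, "tcp", 443),
    }


if __name__ == "__main__":
    rules = parse_rules(DOCKER_USER_RULES)
    container = "172.19.0.3"  # the container's address from `ip route list` in the question
    scenarios = [
        ("mail server on a public address (constructed)", "203.0.113.25"),
        ("mail server inside 10.0.0.0/8 (constructed)", "10.8.1.10"),
    ]
    for label, mail_ip in scenarios:
        print(label, container_checks(rules, container, mail_ip))
```

In the second scenario ping is RETURNed (ICMP is not matched by either DROP rule) while the SYN to 465 is DROPped silently, which is exactly the "ping works, TCP times out" pattern in the question; a successful `curl https://www.google.de` says nothing about it because a public destination never reaches the DROP rules. To confirm or rule this out on a live host, a defender would resolve mail.mycompany.de from inside the container, then watch the packet counters with `iptables -L DOCKER-USER -v -n` or capture on the bridge interface with tcpdump while retrying the connection, as the answer suggests.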
