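Ever since I deployed open-webui and searxng, I have been on edge every day: open-webui's access to models worked only intermittently, and searxng was unusable the whole time. After debugging for an afternoon plus an evening today, I finally found the root cause.
The problem was that NAT forwarding was not enabled on the system.
Initial symptoms
Moderate symptoms
open-webui could reach the model service through the API, but could not open the link addresses returned by searxng. The logs showed that DNS had died; below is an excerpt of the error.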
```
File "/app/backend/open_webui/main.py", line 1263, in chat_completion
    form_data, metadata, events = await process_chat_payload(
    │          │                        └ <function process_chat_payload at 0x7a094b3f4900>
    │          └ {'user_id': '88809597-0b64-42bc-8051-f3a2762f16f5', 'chat_id': 'fa6e9087-cd55-4a3f-9b68-7fb1c1bedf0f', 'message_id': '1128f12...
    └ {'stream': True, 'model': 'deepseek-ai/DeepSeek-V3', 'messages': [{'role': 'user', 'content': '量子力学都讲了什么?'}], 'stream_options...
File "/app/backend/open_webui/utils/middleware.py", line 837, in process_chat_payload
    form_data = await chat_web_search_handler(
                      └ <function chat_web_search_handler at 0x7a094b3f4540>
File "/app/backend/open_webui/utils/middleware.py", line 418, in chat_web_search_handler
    results = await process_web_search(
                    └ <function process_web_search at 0x7a094e988400>
File "/app/backend/open_webui/routers/retrieval.py", line 1903, in process_web_search
    raise HTTPException(
          └ <class 'fastapi.exceptions.HTTPException'>
fastapi.exceptions.HTTPException: 400: [ERROR: [Errno -3] Temporary failure in name resolution]
```
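Note that the last line states explicitly that name resolution failed.
searxng was completely dead and never returned search results again.
Severe symptoms
Oddly enough, though, wget worked while ping did not, which is really curious... Since the application container may not ship any network tools, you can troubleshoot by attaching a helper container to its network: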
```sh
# Ping test (basic network connectivity)
docker run -it --rm --network container:open-webui busybox ping www.google.com
# DNS resolution test (check whether DNS works)
docker run -it --rm --network container:open-webui --dns 223.6.6.6 busybox nslookup www.google.com
# HTTP/HTTPS test (check web access)
docker run -it --rm --network container:open-webui curlimages/curl -v https://www.google.com
```
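The name after the colon in `container:` can be replaced with whichever container you want to troubleshoot.
The cause of this problem is that the host has no NAT forwarding enabled. Docker's bridge mode effectively creates a number of internal subnets that reach external networks through NAT; if no NAT rules are set up, then naturally no packet can get out.
Check the NAT table and forwarding rules:
```sh
sudo iptables -t nat -L -n
```
If the output turns out to be completely empty, like this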
```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```
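then congratulations, you have hit the same problem. Updating the NAT table is all it takes to fix it:
```sh
sudo iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
```
Here `172.17.0.0/16` is the subnet range. To look it up, use
```sh
sudo docker network ls
```
The output may look like this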
```
NETWORK ID     NAME                         DRIVER    SCOPE
a75edbc74b8d   bridge                       bridge    local
5d8c3bc411e6   gitea_network                bridge    local
35b3d93a3e07   host                         host      local
f57a8a296aed   none                         null      local
cf99908db9ed   openwebui_network            bridge    local
4342734b5b0b   searxng-docker_searxng       bridge    local
55a3f3ff8c8a   vanblog-docker_vanblog_net   bridge    local
```
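Then pick the network that has the problem, for example `openwebui_network`, and look up its exact subnet:
```sh
sudo docker inspect openwebui_network
```
The output may look something like this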
```
[
    {
        "Name": "openwebui_network",
        "Id": "cf99908db9ed89908c479a43488d384175e18f1235d381609472ccff30508310",
        "Created": "2025-05-31T12:15:30.632791272Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/24",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "2fdc42d8b5a0b4a4749b8e008adacb3a26bfbee79b49b3c56f4012d763f29946": {
                "Name": "open-webui",
                "EndpointID": "b760eba143788b3f8d0f8f222318a2f6fc5b13c55530c31e4fcfe7126ff86fe2",
                "MacAddress": "86:40:da:4a:d8:fc",
                "IPv4Address": "172.20.0.2/24",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.config-hash": "0fc5495dcbf807ab9ff256763ac3e1205637af01bb04915ff76c9cfb8ec5f0a8",
            "com.docker.compose.network": "openwebui_net",
            "com.docker.compose.project": "open-webui",
            "com.docker.compose.version": "2.36.2"
        }
    }
]
```
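Note the `Subnet` field: this is exactly the range that needs to be added to the NAT table. Once that is done, you can happily get back to playing.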
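The lookup steps above can be combined into one check that reports which Docker subnets have no MASQUERADE rule in the nat POSTROUTING chain. This is an added example, not code from the original post; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: report Docker bridge subnets with no MASQUERADE rule.
# Function names and the sample data below are constructed for illustration.

# Read `docker network inspect` JSON on stdin, print each "Subnet" value.
subnets_from_inspect() {
    sed -n 's/.*"Subnet": *"\([^"]*\)".*/\1/p'
}

# missing_masq RULES SUBNETS
#   RULES:   output of `iptables -t nat -S POSTROUTING`
#   SUBNETS: whitespace-separated CIDR list
# Prints every subnet that has no "-s <subnet> ... -j MASQUERADE" rule.
missing_masq() {
    for subnet in $2; do
        printf '%s\n' "$1" | awk -v s="$subnet" '
            /-j MASQUERADE/ {
                for (i = 1; i < NF; i++)
                    if ($i == "-s" && $(i + 1) == s) found = 1
            }
            END { exit !found }' || printf '%s\n' "$subnet"
    done
}

# Constructed sample: only the default bridge has a rule.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'
SAMPLE_INSPECT='[{"Name": "openwebui_network", "IPAM": {"Config": [
  {"Subnet": "172.20.0.0/24", "Gateway": "172.20.0.1"}]}}]'

# Demo on the sample; prints 172.20.0.0/24
missing_masq "$SAMPLE_RULES" \
    "$(printf '%s\n' "$SAMPLE_INSPECT" | subnets_from_inspect)"

# On a real host (root needed for iptables):
#   rules=$(sudo iptables -t nat -S POSTROUTING)
#   subnets=$(sudo docker network inspect openwebui_network | subnets_from_inspect)
#   missing_masq "$rules" "$subnets"
```

A rule added with `iptables -A` lives only in the running kernel and is gone after a reboot or a firewall reload. Docker normally creates these MASQUERADE rules itself when the daemon starts, so an empty nat table usually means they were flushed after Docker came up.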
Author: GBwater
Copyright notice: Unless otherwise stated, all posts on this blog are licensed under BY-NC-SA. Please credit the source when reposting!