无法解析主机: github.com

你好，

./launcher rebuild app

fatal: 无法访问 ‘GitHub - discourse/discourse: A platform for community discussion. Free, open, simple.’：无法解析主机：github.com

但是

root@discourse:/var/discourse# host github.com
github.com has address 140.82.121.3
github.com mail is handled by 1 aspmx.l.google.com.
github.com mail is handled by 10 alt4.aspmx.l.google.com.
github.com mail is handled by 10 alt3.aspmx.l.google.com.
github.com mail is handled by 5 alt1.aspmx.l.google.com.
github.com mail is handled by 5 alt2.aspmx.l.google.com.

有什么想法吗？

谢谢

FAILED
--------------------
Pups::ExecError: cd /var/www/discourse && sudo -H -E -u discourse bash -c '
  set -o errexit
  if [ $(git rev-parse --is-shallow-repository) == "true" ]; then
      git remote set-branches --add origin main
      git remote set-branches origin tests-passed
      git fetch --depth 1 origin tests-passed
  else
      git fetch --tags --prune-tags --prune --force origin
  fi
' failed with return #<Process::Status: pid 144 exit 128>
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.2.1/lib/pups/exec_command.rb:132:in `spawn'
exec failed with the params {"cd"=>"$home", "hook"=>"code", "cmd"=>["sudo -H -E -u discourse git clean -f", "sudo -H -E -u discourse bash -c '\n  set -o errexit\n  if [ $(git rev-parse --is-shallow-repository) == \"true\" ]; then\n      git remote set-branches --add origin main\n      git remote set-branches origin $version\n      git fetch --depth 1 origin $version\n  else\n      git fetch --tags --prune-tags --prune --force origin\n  fi\n'", "sudo -H -E -u discourse bash -c '\n  set -o errexit\n  if [[ $(git symbolic-ref --short HEAD) == $version ]] ; then\n      git pull\n  else\n      git -c advice.detachedHead=false checkout $version\n  fi\n'", "sudo -H -E -u discourse git config user.discourse-version $version", "mkdir -p tmp", "chown discourse:www-data tmp", "mkdir -p tmp/pids", "mkdir -p tmp/sockets", "touch tmp/.gitkeep", "mkdir -p                    /shared/log/rails", "bash -c \"touch -a           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr,sidekiq}.log\"", "bash -c \"ln    -s           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr,sidekiq}.log $home/log\"", "bash -c \"mkdir -p           /shared/{uploads,backups}\"", "bash -c \"ln    -s           /shared/{uploads,backups} $home/public\"", "bash -c \"mkdir -p           /shared/tmp/{backups,restores}\"", "bash -c \"ln    -s           /shared/tmp/{backups,restores} $home/tmp\"", "chown -R discourse:www-data /shared/log/rails /shared/uploads /shared/backups /shared/tmp\"", "[ ! -d public/plugins ] || find public/plugins/ -maxdepth 1 -xtype l -delete"]}
bootstrap failed with exit code 128

这在容器里面，所以可能是 Docker 网络问题，或者可能是临时问题？

容器默认是否使用主机的 /etc/resolv.conf？如果有一个本地解析器，例如 nameserver 127.0.0.1，我猜它在容器内可能不可用。Unbound 配置为允许来自所有保留 IP 地址范围的查询，包括 Docker 容器使用的 172.16.0.0/12，所以这不是问题。

然而，由于我们在重建时遇到了同样的问题，并且已经设置了自己的 Unbound，即使在删除该行后，使 /etc/resolv.conf 再次只包含 nameserver 1.1.1.1，重建仍然在同一点失败。所以也许它被缓存了？

从主机上，可以毫无问题地解析 github.com。

编辑：不，/etc/resolv.conf 现在不是问题。我添加了一些调试输出：

I, [2025-09-25T17:32:38.092043 #1]  INFO -- : cd /var/www/discourse && cat /etc/resolv.conf
I, [2025-09-25T17:32:38.093195 #1]  INFO -- : # Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 1.1.1.1

# Based on host file: '/etc/resolv.conf' (legacy)
# Overrides: []

I, [2025-09-25T17:32:38.093221 #1]  INFO -- : cd /var/www/discourse && getent hosts github.com
I, [2025-09-25T17:32:58.111177 #1]  INFO -- :
I, [2025-09-25T17:32:58.111456 #1]  INFO -- : Terminating async processes

编辑：apt update 也一直挂起，测试 curl 也失败，两者都是添加到 Discourse 模板以检查网络是否在线的测试。nameserver 9.9.9.9 也不起作用，所以看起来容器没有网络访问权限，但不知道为什么。

… 编辑 2：好的，在我们的案例中，Fail2Ban 由于尝试发送电子邮件到一个无效的用户帐户电子邮件地址而禁止了容器 IP，触发了 Fail2Ban Postfix 过滤器 。

因此，如果容器没有网络，检查 Fail2Ban 可以是其中一个调试步骤。

编辑 3：在 Fail2Ban 的 jail 配置中：

ignoreip = 127.0.0.1/8 172.16.0.0/12

以避免环回和 Docker IP 被禁止。