Docker群模式路由网格无法按预期工作 [英] Docker swarm mode routing mesh not work as expected

问题描述

我尝试通过遵循

然后创建部署服务，我在这里使用 jwilder/whoami 代替文档中的 nginx ， docker服务create --name my-web --publish Published = 8888，target = 8000 --replicas 2 jwilder/whoami

似乎成功启动了:

如文件所述:

当您在任何节点上访问端口8080时，Docker会将您的请求路由到一个活动的容器.

我认为

因此，我可以从任何节点访问 my-web 服务，但是我发现只有一个节点可以工作:

这是怎么回事?

解决方案

这可能是由于节点之间的端口被阻塞引起的.群集网状网络使用入口"网络将发布的端口连接到该服务的VIP.该入口网络是使用vxlan实现的覆盖网络.为此，您需要:

• 用于群集管理通信的TCP端口2377
• 用于节点之间通信的TCP和UDP端口7946
• 用于覆盖网络流量的UDP端口4789

参考: https://docs.docker.com/network/overlay/

这些端口有可能在许多级别被阻止，包括iptables，路由器上的防火墙，我什至已经看到VMware通过其NSX工具(也实现了vxlan)将其阻止.

对于iptables，我通常使用以下命令:

  iptables -A输入-p tcp -m tcp --dport 2376 -j接受iptables -A输入-p tcp -m tcp --dport 2377 -j接受iptables -A输入-p tcp -m tcp --dport 7946 -j接受iptables -A输入-p udp -m udp –dport 7946 -j接受iptables -A输入-p tcp -m udp –dport 4789 -j接受iptables -A输入-p 50 -j接受 

如果您使用Firewalld或需要更改网络路由器上的防火墙规则，以上内容将有所不同.

I tried to create services in docker swarm model by following this document

I created two nodes in the swarm:

Then create the deploy the service, I use jwilder/whoami here instead of nginx in the document, docker service create --name my-web --publish published=8888,target=8000 --replicas 2 jwilder/whoami

Seems like they started successfully:

As the document said:

When you access port 8080 on any node, Docker routes your request to an active container.

SO in my opinion, I can access the my-web service from any of the node, however I found that only one node work:

What's going on?

解决方案

This can be caused by ports being blocked between the nodes. The swarm mesh networking uses the "ingress" network to connect the published port to a VIP for the service. That ingress network is an overlay network implemented with vxlan. For that you need:

• TCP port 2377 for cluster management communications
• TCP and UDP port 7946 for communication among nodes
• UDP port 4789 for overlay network traffic

Reference: https://docs.docker.com/network/overlay/

It's possible for these ports to be blocked at many levels, including iptables, firewalls on the routers, and I've even seen VMware block this with their NSX tool that also implemented vxlan.

For iptables, I typically use the following commands:

iptables -A INPUT -p tcp -m tcp --dport 2376 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2377 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7946 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 7946 -j ACCEPT
iptables -A INPUT -p tcp -m udp --dport 4789 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT

The above will differ if you use firewalld or need to change firewall rules on the network routers.

这篇关于Docker群模式路由网格无法按预期工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！