Accessing RDS from within a Docker container not getting through security group?


Problem description



I'm attempting to run a webserver that uses an RDS database with EC2 inside a Docker container.

I've set up the security groups so the EC2 host's role is allowed to access the RDS, and if I try to access it from the host machine directly everything works correctly.

However, when I run a simple container on the host and attempt to access the RDS, it gets blocked as if the security group weren't letting it through. After a bunch of trial and error it seemed that indeed the container's requests aren't appearing to come from the EC2 host, so the firewall says no.

I was able to work around this in the short run by setting --net=host on the Docker container; however, this breaks a lot of great Docker networking functionality like being able to map ports (i.e., now I need to make sure each instance of the container listens on a different port by hand).

Has anyone found a way around this? It seems like a pretty big limitation to running containers in AWS if you're actually using any AWS resources.

Solution

Figured out what was happening, posting here in case it helps anyone else.

Requests from within the container were hitting the public IP of the RDS rather than the private one (which is how the security groups work). It looks like the DNS inside the Docker container was using the 8.8.8.8 Google DNS, and that wouldn't do the AWS black magic of turning the RDS endpoint into the private IP.

So for instance:

DOCKER_OPTS="--dns 10.0.0.2 -H tcp://127.0.0.1:4243 -H unix:///var/run/docker.sock -g /mnt/docker"
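As an added diagnostic (not part of the original answer), the following shell functions report which nameservers a container is using and whether a hostname such as the RDS endpoint resolves to an RFC 1918 private address or to a public one; only the 10.0.0.2 resolver address comes from the answer, the function names, the resolv.conf path and the sample addresses are assumptions.

```shell
#!/bin/sh
# Diagnose whether a container resolves an RDS endpoint to a VPC-private address.
# Run inside the container, e.g.: docker run --rm --dns 10.0.0.2 <image> sh diag.sh rds.example.internal

# Return 0 if the IPv4 address is in an RFC 1918 range (10/8, 172.16/12, 192.168/16), else 1.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the nameservers configured in a resolv.conf-style file (default /etc/resolv.conf).
# A public resolver such as 8.8.8.8 here is the symptom the answer describes.
container_nameservers() {
  awk '/^nameserver/ {print $2}' "${1:-/etc/resolv.conf}"
}

# Verdict for a resolved address: "private" means the connection stays inside the VPC
# and the instance's security group rules apply; "public" means it leaves via the
# public address and the source-based rule will not match.
classify_resolution() {
  if is_private_ipv4 "$1"; then echo private; else echo public; fi
}

# Resolve a hostname through the container's own resolver and classify the result.
check_rds_endpoint() {
  ip=$(getent ahostsv4 "$1" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || { echo "could not resolve $1" >&2; return 2; }
  echo "$1 -> $ip ($(classify_resolution "$ip"))"
}

if [ -n "$1" ]; then
  echo "nameservers: $(container_nameservers | tr '\n' ' ')"
  check_rds_endpoint "$1"
fi
```

If the verdict is "public" while the host itself resolves the same endpoint to a private address, point the container at the VPC resolver (the --dns 10.0.0.2 setting above) rather than widening the security group.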
