Accessing RDS from within a Docker container not getting through security group?


Question

I'm attempting to run a webserver that uses an RDS database with EC2 inside a docker container.

I've set up the security groups so the EC2 host's role is allowed to access the RDS, and if I try to access it from the host machine directly everything works correctly.

However, when I run a simple container on the host and attempt to access the RDS, it gets blocked as if the security group weren't letting it through. After a bunch of trial and error it seemed that indeed the container's requests aren't appearing to come from the EC2 host, so the firewall says no.

I was able to work around this in the short run by setting --net=host on the docker container; however, this breaks a lot of great docker networking functionality like being able to map ports (i.e., now I need to make sure each instance of the container listens on a different port by hand).

Has anyone found a way around this? It seems like a pretty big limitation to running containers in AWS if you're actually using any AWS resources.

Recommended answer

Figured out what was happening, posting here in case it helps anyone else.

Requests from within the container were hitting the public IP of the RDS rather than the private one (which is how the security groups work). It looks like the DNS inside the docker container was using the 8.8.8.8 Google DNS, and that wouldn't do the AWS black magic of turning the RDS endpoint into the private IP.

For example:

DOCKER_OPTS="--dns 10.0.0.2 -H tcp://127.0.0.1:4243 -H unix:///var/run/docker.sock -g /mnt/docker"

