【Question title】: Docker swarm mode on RHEL
【Posted】: 2019-10-19 04:41:32
【Question】:

I have been trying to run a single-node docker swarm for testing on RHEL 7.6. firewalld is disabled and not running. The services run on an overlay network. I noticed that I cannot connect to the published ports, either from the host or from outside. The behaviour is consistent across the several RHEL instances I have tried. I do run docker swarm on Ubuntu 16.04LTS and 18.04LTS without any trouble.

Below is my docker info

Client:
 Debug Mode: false

Server:
 Containers: 14
  Running: 3
  Paused: 0
  Stopped: 11
 Images: 4
 Server Version: 19.03.3
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: fhewk7l15g42o36henpfigwjk
  Is Manager: true
  ClusterID: kegypzam66ehi6s50utrsff1l
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.0.1.125
  Manager Addresses:
   10.0.1.125:2377
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
 runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-957.5.1.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.33GiB
 Name: rhel-test.dev.koopid.io
 ID: IM3X:THRY:FYUO:L7XI:VJW6:5B4Y:VZOX:YL43:E7WR:U5GM:3BQK:NLKP
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

And my overlaynet

[
    {
        "Name": "overlaynet",
        "Id": "4g4dphekzyshqpcp0fjfmc877",
        "Created": "2019-10-18T14:29:06.284905975Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/24",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "142c22a7e517f463f37c89cfb58dcde37f9529c9b469357b37868057be044e48": {
                "Name": "dbsvcs_redis.1.0lsxkr88eq89igid7w7ifk3wq",
                "EndpointID": "167fbdfb2146f09bb20c258fea52d9f8ca886cf1d264b1d8cd9169532c26b9db",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/24",
                "IPv6Address": ""
            },
            "2e70a7589f13c74be66149d5bbf9504b5b74aee1ad6711f82ec4b02011c00cc1": {
                "Name": "dbpg_postgresql-rw.1.9keeuowk9zk5e6f8bq5a0itij",
                "EndpointID": "44a2376b4d0d2bdb8787c9cc18726da140ca0f9a8e97e54a6a78b2206e10a13b",
                "MacAddress": "02:42:ac:14:00:06",
                "IPv4Address": "172.20.0.6/24",
                "IPv6Address": ""
            },
            "d9119bb3d605aa9b2df23985cd884afa941499d888937e3c34f4ec08dac14c73": {
                "Name": "dbsvcs_influxdb.1.ap5cg0se1rntdbsopxbm7whma",
                "EndpointID": "d2a5c093a0721291a114309ef1fd690510b03007fdaf83c8d77e00870a1568cd",
                "MacAddress": "02:42:ac:14:00:04",
                "IPv4Address": "172.20.0.4/24",
                "IPv6Address": ""
            },
            "lb-overlaynet": {
                "Name": "overlaynet-endpoint",
                "EndpointID": "2bdf0d2370856d9a4b2da1e86d65521585ffc89c778f5db1d3f4b2fd39da7c8b",
                "MacAddress": "02:42:ac:14:00:08",
                "IPv4Address": "172.20.0.8/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097"
        },
        "Labels": {},
        "Peers": [
            {
                "Name": "80ab8f4e3bcd",
                "IP": "10.0.1.125"
            }
        ]
    }
]

I have the following services; as you will notice, they each publish one or two ports.

4j7p43udxkoc        dbpg_postgresql-rw   replicated          1/1                 myregistry/postgres   *:5432->5432/tcp
hu0wkspwc7j3        dbsvcs_influxdb      replicated          1/1                 myregistry/influxdb   *:8086->8086/tcp
dlte2nzg226x        dbsvcs_redis         replicated          1/1                 myregistry/redis      *:6379->6379/tcp

You can see that port 5432 is open on INADDR_ANY on the host

tcp6       1      0 :::5432                 :::*                    LISTEN

However, I cannot connect to port 5432 from an external host. The psql client times out, as if some firewall were blocking the connection.

If I enable firewalld, I see the following errors

firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker_gwbridge -o docker_gwbridge -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.

Is this something I should be worried about? Do I need to fiddle with iptables on RHEL to get docker swarm working? There are some reports of adding the docker control ports to iptables for multi-node swarm configurations. My iptables configuration looks like this...

$ iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 82507 packets, 8110K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       30  5664 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       30  5664 DOCKER-INGRESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       30  5664 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
8       14  4064 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
9        0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
10      16  1600 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
11       0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 82105 packets, 8106K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-INGRESS (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:5432
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:6379
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:8086
7       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       16  1600 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
3       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
3       16  1600 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Would appreciate some help/guidance to get this working on RHEL, as I have been stuck on this for the past few weeks. Configuring and running docker swarm on Ubuntu is a breeze!!!

【Question comments】:

    Tags: docker docker-swarm rhel7 docker-swarm-mode
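A quick way to read the two listings in the question side by side is to extract the host ports from the docker service ls output and look them up in the DOCKER-INGRESS chain of the iptables dump. The script below is an added example, not something from the question: it embeds constructed copies of the question's service list and of the FORWARD and DOCKER-INGRESS chains, and reports for each published port whether Docker installed an ingress ACCEPT rule and whether that rule has counted any packets. In the question's dump every dpt rule sits at 0 packets, which is consistent with the psql timeout: inbound traffic for those ports is not reaching the FORWARD path at all, so the filter rules themselves are not what is dropping it.

```shell
#!/bin/sh
# Added example (not part of the question): cross-check the ports a swarm publishes
# against the DOCKER-INGRESS chain of `iptables -L -v -n --line-numbers`, and report
# rules whose packet counters are still zero, i.e. no inbound traffic for that port has
# reached the FORWARD path yet.
set -eu

# Constructed samples: the service list and the relevant chains from the question's dump.
SAMPLE_SERVICES='4j7p43udxkoc        dbpg_postgresql-rw   replicated          1/1                 myregistry/postgres   *:5432->5432/tcp
hu0wkspwc7j3        dbsvcs_influxdb      replicated          1/1                 myregistry/influxdb   *:8086->8086/tcp
dlte2nzg226x        dbsvcs_redis         replicated          1/1                 myregistry/redis      *:6379->6379/tcp'

SAMPLE_IPTABLES='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       30  5664 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       30  5664 DOCKER-INGRESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-INGRESS (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:5432
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:6379
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:8086
7       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# stdin: `docker service ls` output. stdout: the host ports published through the routing
# mesh (the N in "*:N->M/proto"), one per line, de-duplicated.
published_ports() {
  awk '{ for (i = 1; i <= NF; i++)
           if (match($i, /^\*:[0-9]+->/)) print substr($i, 3, RLENGTH - 4) }' | sort -un
}

# stdin: iptables filter dump. stdout: "PORT PKTS" for every ACCEPT rule in the
# DOCKER-INGRESS chain that matches a destination port.
ingress_dpt_rules() {
  awk '/^Chain /     { inchain = ($2 == "DOCKER-INGRESS"); next }
       inchain && $4 == "ACCEPT" {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i, $2 }
       }'
}

# $1: space-separated list of published ports; stdin: iptables dump.
# One line per port: "PORT ok PKTS", "PORT no-traffic" (rule present, counter zero)
# or "PORT no-rule" (Docker never installed an ingress rule for it).
check_published_ports() {
  rules=$(ingress_dpt_rules)
  for p in $1; do
    pkts=$(printf '%s\n' "$rules" | awk -v p="$p" '$1 == p { print $2; exit }')
    if [ -z "$pkts" ]; then
      echo "$p no-rule"
    elif [ "$pkts" = "0" ]; then
      echo "$p no-traffic"
    else
      echo "$p ok $pkts"
    fi
  done
}

# Stand-alone demo on the constructed samples; on a real host replace the two printf
# calls with `docker service ls` and `iptables -L -v -n --line-numbers`.
ports=$(printf '%s\n' "$SAMPLE_SERVICES" | published_ports | xargs)
printf '%s\n' "$SAMPLE_IPTABLES" | check_published_ports "$ports"
```

On a live host the same check is `iptables -L -v -n --line-numbers | check_published_ports "$(docker service ls | published_ports | xargs)"`; a port that reports "no-traffic" while clients are timing out points at something in front of the FORWARD chain (a host firewall, the nat DNAT step, or the network path) rather than at the filter rules Docker generated.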


    【Solution 1】:

    This is how I finally got it working. I do not have a justification for all of the steps. I also noticed that I cannot connect to the published ports from localhost, and the firewalld service rules get messed up from time to time and need a restart. I am still investigating these issues. I followed the answer by Bertrand_Szoghy to install docker-ce and the related packages first.

    1. firewalld (as opposed to ipchains) needs to be installed on the server. firewalld is recommended on RHEL 7 or later.
    2. Open the docker swarm ports with firewalld. Follow the tutorial here. Also make sure to open the ports your services need. Reload the firewall rules (firewall-cmd --reload)
    3. Initialise the swarm (docker swarm init)
    4. Create the overlay network (docker network create --subnet 172.20.1.0/24 --driver overlay --attachable overlaynet)
    5. Join the other nodes to the swarm manager.

    I noticed that the firewall configuration matters before docker swarm is initialised. When I updated the firewalld configuration after initialising docker swarm, I could not connect to the published ports from localhost or via the host IP. I am not sure why this order matters.

    Currently I can connect to the published service ports through the swarm manager's IP address, both from the swarm manager itself and from outside the host. I am still working out which firewall rules to add in order to connect via localhost.

    【Comments】:
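The answer's steps 1 to 4, scripted in the order it stresses (firewall first, swarm init second), as an added example that is not the answer author's script. The swarm ports it opens are Docker's documented ones (2377/tcp for cluster management, 7946/tcp and udp for node gossip, 4789/udp for the VXLAN data path, which matches the "Data Path Port: 4789" in the question's docker info); the advertise address 10.0.1.125 and the service ports 5432, 6379 and 8086 are taken from the question. Every command passes through run(), which only prints while DRY_RUN=1 (the default), so the script previews its plan unless you explicitly run it with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example, not the answer author's script: the answer's steps 1-4 in the order it
# stresses (firewalld configured and reloaded BEFORE `docker swarm init`). Every command
# goes through run(), which prints instead of executing while DRY_RUN=1 (the default),
# so `DRY_RUN=0 sh swarm-setup.sh` is what actually changes the host.
set -eu

DRY_RUN="${DRY_RUN:-1}"
ADVERTISE_ADDR="${ADVERTISE_ADDR:-10.0.1.125}"   # the manager's node address from the question

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ports the swarm itself needs (Docker's documented swarm ports): 2377/tcp cluster
# management, 7946/tcp and udp node gossip, 4789/udp VXLAN data path (the
# "Data Path Port: 4789" shown in the question's docker info).
SWARM_PORTS="2377/tcp 7946/tcp 7946/udp 4789/udp"

# Steps 1-2: firewalld enabled and running, swarm ports plus the services' published
# ports opened permanently, then the rules reloaded.
# $1: the extra ports, e.g. "5432/tcp 6379/tcp 8086/tcp".
open_swarm_ports() {
  run systemctl enable firewalld
  run systemctl start firewalld
  for p in $SWARM_PORTS $1; do
    run firewall-cmd --permanent --add-port="$p"
  done
  run firewall-cmd --reload
}

# Steps 3-4: only now initialise the swarm and create the attachable overlay network
# with the exact command from the answer.
init_swarm_and_overlay() {
  run docker swarm init --advertise-addr "$ADVERTISE_ADDR"
  run docker network create --subnet 172.20.1.0/24 --driver overlay --attachable overlaynet
}

# Step 5 is run on each additional node with the join command that
# `docker swarm join-token worker` prints on the manager; it is not scripted here.

open_swarm_ports "5432/tcp 6379/tcp 8086/tcp"
init_swarm_and_overlay
```

Keeping the published service ports in the same firewalld run as the swarm ports means the reload happens once, before the swarm exists, which is the ordering the answer found necessary; re-running the script with DRY_RUN=1 after the fact is a cheap way to confirm which ports a node is supposed to have open.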
