在kubernetes内运行的docker容器内没有互联网连接,编织为网络
[英]No internet connectivity inside docker container running inside kubernetes with weave as networking
问题描述
I have a kubernetes cluster that is running on AWS EC2 instances and weave as networking(cni). 
我有一个在AWS EC2实例上运行的kubernetes集群,并编织为网络(cni)。 I have disabled the docker networking(ipmask and iptables) as it is managed by weave(to avoid network conflicts). 我已经禁用了docker网络(ipmask和iptables),因为它是由weave管理的(以避免网络冲突)。
I have deployed my Jenkins on this cluster as K8s pod and this jenkins uses jenkins kubernetes plugin to spawn dynamic slaves based on pod and container template which I have defined. 我已经在这个集群上部署了我的Jenkins作为K8s pod,这个jenkins使用jenkins kubernetes插件根据我已定义的pod和容器模板生成动态从属。 These slaves container have docker client in it which connects to the host docker engine via docker.sock 这些从属容器中有docker client,它通过docker.sock连接到主机docker引擎
So when I run any job in Jenkins it starts a slave and on this it clones a git repo and starts building the Dockerfile present inside the repo. 因此,当我在Jenkins中运行任何作业时,它会启动一个奴隶,并在此基础上克隆一个git repo并开始构建repo中存在的Dockerfile。
My sample dockerfile looks like this: 我的示例dockerfile如下所示:
FROM abc:123
RUN yum update
So when container starts building this it tries connecting to redhat repo to update the local repo and fails here. 因此,当容器开始构建时,它会尝试连接到redhat repo以更新本地存储库并在此处失败。 To debug I logged in to this container and try wget/CURL some packages and finds that there is no internet connectivity in this container. 要调试我登录到此容器并尝试wget / CURL一些包,并发现此容器中没有Internet连接。
I suspect that while building docker starts intermediate containers and those containers are not managed by weave so they do not have internet connectivity. 我怀疑构建docker时会启动中间容器,而这些容器不能通过编织来管理,因此它们没有互联网连接。
Need suggestions. 需要建议。
Related question: Internet connection inside Docker container in Kubernetes 相关问题: Kubernetes中Docker容器内的Internet连接
3 个解决方案
解决方案1
5 已采纳 2018-03-21 14:10:14
Ok finally after lot of struggle I find the solution. 好吧,经过多次努力,我找到了解决方案。
So when ever K8s starts a pod it starts a sidecart container whose role is basically to provide network to pod containers. 因此,当K8s启动一个pod时,它会启动一个sidecart容器,其作用基本上是为pod容器提供网络。
So while running docker build if I pass it's container ID as network then my intermediate contexts start getting internet connectivity via this container. 因此,当我运行docker build时,如果我将它的容器ID作为网络传递,那么我的中间上下文开始通过此容器获得Internet连接。 So changes looks something like this: 所以变化看起来像这样:
docker build -t "some name" --network container:\$(docker ps | grep \$(hostname) | grep k8s_POD | cut -d\" \" -f1) -f infra/docker/Dockerfile .
Hope this helps. 希望这可以帮助。 :D :d
解决方案2
1 2018-03-15 15:20:27
You can try to attach weave networking dynamically as a part of your build job. 您可以尝试动态地附加编织网络作为构建作业的一部分。 Is it definitely possible to change active network of container on the flight with weave. 是否有可能通过编织改变航班上的活动集装箱网络。
Maybe you will need to use some additional container with Weave Docker Api Proxy or you can use a different way to communicate with Weave network on your nodes. 也许您需要使用Weave Docker Api Proxy的一些额外容器,或者您可以使用不同的方式与节点上的Weave网络进行通信。
So, the main idea is just attach your containers where you running builds to the Kubernetes pods network, where you have an external access. 因此,主要的想法是将运行构建的容器附加到Kubernetes pods网络,在那里您可以进行外部访问。
Also, and maybe it will be better, you can create another one Weave virtual network with access to the Internet and attach your contenders to it. 此外,也许它会更好,您可以创建另一个Weave虚拟网络,可以访问Internet并将您的竞争者附加到它。
解决方案3
0 2018-03-15 16:17:12
You're right - the docker build process runs in a different context, and Weave Net doesn't attach those automatically. 你是对的 - docker build过程在不同的上下文中运行,Weave Net不会自动附加它们。
Even more complicated, Kubernetes will connect via CNI whereas Docker has its own plugin API. 更复杂的是,Kubernetes将通过CNI连接,而Docker拥有自己的插件API。 I believe it's possible to have both on a machine at the same time, but rather complicated. 我相信可以同时在机器上同时使用,但相当复杂。
Maybe look at some of the ways to build images without using Docker ? 也许看看一些不使用Docker构建图像的方法 ?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.