Docker swarm mode on RHEL
I have been trying to run a single-node docker swarm for testing on RHEL 7.6. firewalld is disabled and not running. The services run on an overlay network. I noticed that I cannot connect to the published ports from the host or from outside. This behaviour is consistent across the several RHEL instances I have tried. I do use docker swarm on Ubuntu 16.04LTS and 18.04LTS without any trouble.
Below is my docker info
Client:
Debug Mode: false
Server:
Containers: 14
Running: 3
Paused: 0
Stopped: 11
Images: 4
Server Version: 19.03.3
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: active
NodeID: fhewk7l15g42o36henpfigwjk
Is Manager: true
ClusterID: kegypzam66ehi6s50utrsff1l
Managers: 1
Nodes: 1
Default Address Pool: 10.0.0.0/8
SubnetSize: 24
Data Path Port: 4789
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 10
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 10.0.1.125
Manager Addresses:
10.0.1.125:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-957.5.1.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.33GiB
Name: rhel-test.dev.koopid.io
ID: IM3X:THRY:FYUO:L7XI:VJW6:5B4Y:VZOX:YL43:E7WR:U5GM:3BQK:NLKP
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
And my overlaynet
[
{
"Name": "overlaynet",
"Id": "4g4dphekzyshqpcp0fjfmc877",
"Created": "2019-10-18T14:29:06.284905975Z",
"Scope": "swarm",
"Driver": "overlay",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.20.0.0/24",
"Gateway": "172.20.0.1"
}
]
},
"Internal": false,
"Attachable": true,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"142c22a7e517f463f37c89cfb58dcde37f9529c9b469357b37868057be044e48": {
"Name": "dbsvcs_redis.1.0lsxkr88eq89igid7w7ifk3wq",
"EndpointID": "167fbdfb2146f09bb20c258fea52d9f8ca886cf1d264b1d8cd9169532c26b9db",
"MacAddress": "02:42:ac:14:00:03",
"IPv4Address": "172.20.0.3/24",
"IPv6Address": ""
},
"2e70a7589f13c74be66149d5bbf9504b5b74aee1ad6711f82ec4b02011c00cc1": {
"Name": "dbpg_postgresql-rw.1.9keeuowk9zk5e6f8bq5a0itij",
"EndpointID": "44a2376b4d0d2bdb8787c9cc18726da140ca0f9a8e97e54a6a78b2206e10a13b",
"MacAddress": "02:42:ac:14:00:06",
"IPv4Address": "172.20.0.6/24",
"IPv6Address": ""
},
"d9119bb3d605aa9b2df23985cd884afa941499d888937e3c34f4ec08dac14c73": {
"Name": "dbsvcs_influxdb.1.ap5cg0se1rntdbsopxbm7whma",
"EndpointID": "d2a5c093a0721291a114309ef1fd690510b03007fdaf83c8d77e00870a1568cd",
"MacAddress": "02:42:ac:14:00:04",
"IPv4Address": "172.20.0.4/24",
"IPv6Address": ""
},
"lb-overlaynet": {
"Name": "overlaynet-endpoint",
"EndpointID": "2bdf0d2370856d9a4b2da1e86d65521585ffc89c778f5db1d3f4b2fd39da7c8b",
"MacAddress": "02:42:ac:14:00:08",
"IPv4Address": "172.20.0.8/24",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.driver.overlay.vxlanid_list": "4097"
},
"Labels": {},
"Peers": [
{
"Name": "80ab8f4e3bcd",
"IP": "10.0.1.125"
}
]
}
]
I have the following services; as you can notice, they all publish one or two ports.
4j7p43udxkoc dbpg_postgresql-rw replicated 1/1 myregistry/postgres *:5432->5432/tcp
hu0wkspwc7j3 dbsvcs_influxdb replicated 1/1 myregistry/influxdb *:8086->8086/tcp
dlte2nzg226x dbsvcs_redis replicated 1/1 myregistry/redis *:6379->6379/tcp
You can see that port 5432 is open on INADDR_ANY on the host
tcp6 1 0 :::5432 :::* LISTEN
However, I am unable to connect to port 5432 from an external host. The psql client times out, as if some firewall is blocking the connection.
If I enable firewalld, I see the following errors
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker_gwbridge -o docker_gwbridge -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Is this something I should be worried about? Do I need to fiddle with iptables on RHEL to get docker swarm working? There are some reports of adding the docker control ports to iptables for multi-node cluster configurations. My iptables configuration is as follows...
$ iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 82507 packets, 8110K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 30 5664 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
2 30 5664 DOCKER-INGRESS all -- * * 0.0.0.0/0 0.0.0.0/0
3 30 5664 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
5 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
7 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
8 14 4064 ACCEPT all -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9 0 0 DOCKER all -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0
10 16 1600 ACCEPT all -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0
11 0 0 DROP all -- docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 82105 packets, 8106K bytes)
num pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
Chain DOCKER-INGRESS (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp spt:5432
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6379
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp spt:6379
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8086
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp spt:8086
7 30 5664 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
2 16 1600 DOCKER-ISOLATION-STAGE-2 all -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0
3 30 5664 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
2 0 0 DROP all -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0
3 16 1600 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
1 30 5664 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Would appreciate some help/guidance on getting this to work on RHEL, as I have been stuck on this for the past few weeks. Configuring and running docker swarm on Ubuntu is a breeze!!!
Here is how I finally got it working. I don't have a justification for all the steps. I also noticed that I cannot connect on localhost to the ports published by the services, and the firewalld rules sometimes get messed up and need a restart. I am still investigating these issues. I followed Bertrand_Szoghy's answer to first install docker-ce and the related packages.
1) firewalld or ipchain. Using firewalld is recommended on RHEL 7 or later.
2) docker swarm ports. Follow the tutorial here. Also, make sure to open the ports required by your services. Reload the firewall rules (firewall-cmd --reload)
3) docker swarm init
4) docker network create --subnet 172.20.1.0/24 --driver overlay --attachable overlaynet
5) I noticed that the firewall configuration before initializing docker swarm matters. When I updated the firewalld configuration after initializing docker swarm, I could not connect to the published ports from localhost or using the host IP. I am not sure why the order matters.
Currently, I can connect to the published service ports through the swarm manager itself, or from outside the host via the swarm manager IP address. I am still looking into which firewall rules to add in order to connect via localhost.
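As an added example (not from the original post or from Docker), here is a shell script that follows the order the answer settled on: open the documented swarm ports (2377/tcp for management, 7946 tcp/udp for node gossip, 4789/udp for the overlay data path, matching the "Data Path Port" in docker info above) plus the service's published ports in firewalld, reload, and verify nothing is still closed before running docker swarm init. The zone "public" and the service port list passed on the command line are assumptions.

```shell
#!/usr/bin/env bash
# Added example: firewalld preparation for a swarm node, run BEFORE `docker swarm init`.
# Usage: ./swarm-firewall.sh --apply 5432/tcp 6379/tcp 8086/tcp

# Documented Docker swarm ports; 4789/udp is the overlay data path port shown in docker info.
SWARM_PORTS="2377/tcp 7946/tcp 7946/udp 4789/udp"
ZONE="public"   # assumption: the host's interfaces sit in the default public zone

# Print, one per line, the firewall-cmd invocations that open the swarm ports
# and the given service ports, followed by the reload the answer requires.
swarm_firewall_plan() {
  local p
  for p in $SWARM_PORTS "$@"; do
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$ZONE" "$p"
  done
  printf 'firewall-cmd --reload\n'
}

# Given the output of `firewall-cmd --list-ports` (space-separated) and the
# service ports, print the ports that are still not open (empty if all are open).
missing_ports() {
  local active="$1"; shift
  local p missing=""
  for p in $SWARM_PORTS "$@"; do
    case " $active " in
      *" $p "*) ;;                      # already open
      *) missing="$missing $p" ;;       # still closed
    esac
  done
  printf '%s' "${missing# }"
}

if [ "${1:-}" = "--apply" ]; then
  shift
  # Execute the plan, echoing each command so the change is visible in the shell history/log.
  swarm_firewall_plan "$@" | while read -r cmd; do
    echo "+ $cmd"
    $cmd || exit 1
  done
  missing=$(missing_ports "$(firewall-cmd --zone="$ZONE" --list-ports)" "$@")
  if [ -n "$missing" ]; then
    echo "ports still closed after reload: $missing" >&2
    exit 1
  fi
  echo "firewall ready; now run: docker swarm init"
fi
```

Without --apply the script only defines the two functions, so the plan can be reviewed (swarm_firewall_plan 5432/tcp) before anything is changed on the host.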