I set up a swarm on Digital Ocean using 5 Ubuntu 16.04 servers. They all use the same Docker Engine version and firewall rules. It is set up to use 3 managers.
Client:
 Version:      17.03.0-ce
 API version:  1.26
 Go version:   go1.7.5
 Git commit:   3a232c8
 Built:        Tue Feb 28 08:01:32 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.0-ce
 API version:  1.26 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   3a232c8
 Built:        Tue Feb 28 08:01:32 2017
 OS/Arch:      linux/amd64
 Experimental: false
To                           Action      From
--                           ------      ----
22                           ALLOW       Anywhere
Anywhere/esp on eth1         ALLOW       Anywhere/esp
2377/tcp on eth1             ALLOW       Anywhere
7946 on eth1                 ALLOW       Anywhere
4789 on eth1                 ALLOW       Anywhere
2376/tcp                     ALLOW       Anywhere
22 (v6)                      ALLOW       Anywhere (v6)
Anywhere/esp (v6) on eth1    ALLOW       Anywhere/esp (v6)
2377/tcp (v6) on eth1        ALLOW       Anywhere (v6)
7946 (v6) on eth1            ALLOW       Anywhere (v6)
4789 (v6) on eth1            ALLOW       Anywhere (v6)
2376/tcp (v6)                ALLOW       Anywhere (v6)
HOSTNAME   STATUS   AVAILABILITY   MANAGER STATUS
app01      Ready    Active
app04      Ready    Active         Reachable
app03      Ready    Active         Reachable
app06      Ready    Active         Leader
app05      Ready    Active
I am using an encrypted network for the services.
[
    {
        "Name": "jupiter",
        "Id": "en4gdr54yw4w2xmo34fttdbvg",
        "Created": "0001-01-01T00:00:00Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Containers": null,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097",
            "encrypted": "true"
        },
        "Labels": null
    }
]
I created my swarm so that it lives on eth1. For example: docker swarm init --listen-addr eth1:2377 --advertise-addr eth1:2377
Despite this setup, my 3 services still cannot see each other. It seems as though DNS is not working inside the swarm. I found this link on github that describes what is happening to me.
One of my services tries to connect to the mongo service using mongo servicename:port. But it fails because the connecting service cannot reach mongo. Now I am trying to troubleshoot the containers by connecting to them internally using https://hub.docker.com/r/nicolaka/netshoot/, and it shows that the containers can interact with each other. (But I don't think it is connecting through the encrypted setup.)
I think it must be the firewall, but I am not an expert in network security, so I wonder whether I am missing something. I tried to compare what I have against what issue 26523 says about the firewall.
Anyway, I decided to create another network without encryption and put my services on it.
Now mongo is receiving connections:
2017-07-17T14:17:53.267+0000 I NETWORK [conn8] received client metadata from 10.0.1.7:33424 conn8: { driver: { name: "nodejs", version: "2.2.29" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.4.0-62-generic" }, platform: "Node.js v6.11.1, LE, mongodb-core: 2.1.13" }
2017-07-17T14:17:53.369+0000 I NETWORK [thread1] connection accepted from 10.0.1.7:33426 #9 (3 connections now open)
2017-07-17T14:17:53.373+0000 I NETWORK [conn9] received client metadata from 10.0.1.7:33426 conn9: { driver: { name: "nodejs", version: "2.2.29" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.4.0-62-generic" }, platform:
I want to figure out how to get the encrypted network working. Is it the firewall, as it seems to me, or is the Ubuntu server missing a package? ;<
Answer 0 (score: 1)
After leaving this alone for a while, I decided to revisit it. Sometimes stepping away helps.
I have it working now. I decided to add an extra rule using esp:
ufw allow to <local host eth1 ip> proto esp
ufw status
To                           Action      From
--                           ------      ----
Anywhere/esp on eth1         ALLOW       Anywhere/esp
2377/tcp on eth1             ALLOW       Anywhere
7946 on eth1                 ALLOW       Anywhere
4789 on eth1                 ALLOW       Anywhere
2375/tcp on eth1             ALLOW       Anywhere
10.xx.xx.xx/esp              ALLOW       Anywhere
2376/tcp on eth1             ALLOW       Anywhere
22 (v6)                      ALLOW       Anywhere (v6)
Anywhere/esp (v6) on eth1    ALLOW       Anywhere/esp (v6)
2377/tcp (v6) on eth1        ALLOW       Anywhere (v6)
7946 (v6) on eth1            ALLOW       Anywhere (v6)
4789 (v6) on eth1            ALLOW       Anywhere (v6)
2375/tcp (v6) on eth1        ALLOW       Anywhere (v6)
2376/tcp (v6) on eth1        ALLOW       Anywhere (v6)
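The answer above boils down to one missing firewall rule. The script below is an added example, not code from the question or the answer: it audits a `ufw status` listing for the rules a swarm with an encrypted overlay network needs (2377/tcp, 7946 tcp+udp, 4789/udp, and ESP), treats the ESP requirement as satisfied only by the rule form the answer added (an ALLOW whose destination is the node's own eth1 address, shown by ufw as `<ip>/esp  ALLOW  Anywhere`), and prints the `ufw allow` commands for anything missing. It also flags 2375/tcp, which appears in the answer's listing: that is the plaintext, unauthenticated Docker API port, not a swarm requirement. The interface name eth1, the node address 10.0.0.5 and the two embedded listings are constructed placeholders adapted from the post, not values from the page; only IPv4 rows are examined.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: audit a
# `ufw status` listing for the rules a Docker swarm with an encrypted overlay
# network needs on its cluster interface, and print the `ufw allow` commands
# for whatever is missing.
#
# Requirements (Docker swarm networking documentation):
#   2377/tcp           cluster management
#   7946 tcp and udp   node-to-node communication
#   4789/udp           VXLAN overlay data plane
#   ESP (IP proto 50)  encrypted overlay traffic
#
# The ESP check looks for the rule form that fixed the poster's setup: an
# ALLOW whose destination is the node's own cluster-interface address
# ("<ip>/esp  ALLOW  Anywhere"). The interface-wide "Anywhere/esp on eth1"
# row was already present while the encrypted network was failing, so it is
# not accepted as sufficient here.
#
# Assumptions not taken from the page: interface name eth1 and node address
# 10.0.0.5 are placeholders; only IPv4 rows are examined.

# has PATTERN  -- true if the listing held in $STATUS contains a matching row.
has() { printf '%s\n' "$STATUS" | grep -Eq -- "$1"; }

# swarm_check_rules IFACE NODE_IP < ufw-status-text
# Prints "MISSING ..." per unmet requirement and "WARNING ..." for exposure a
# practitioner should not leave in place. Exit status 1 if anything is missing.
swarm_check_rules() {
  iface="$1"
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  STATUS=$(cat)
  rc=0

  has "^2377/tcp on $iface +ALLOW" ||
    { echo "MISSING 2377/tcp on $iface (cluster management)"; rc=1; }

  # A bare "7946 on eth1" row covers both protocols; separate tcp and udp
  # rows also satisfy the requirement.
  if ! has "^7946 on $iface +ALLOW" &&
     ! { has "^7946/tcp on $iface +ALLOW" && has "^7946/udp on $iface +ALLOW"; }
  then
    echo "MISSING 7946 tcp+udp on $iface (node communication)"; rc=1
  fi

  has "^4789(/udp)? on $iface +ALLOW" ||
    { echo "MISSING 4789/udp on $iface (VXLAN overlay data plane)"; rc=1; }

  has "^$ip_re/esp +ALLOW" ||
    { echo "MISSING esp to $2 (encrypted overlay)"; rc=1; }

  # 2375/tcp is the plaintext, unauthenticated Docker API port. Swarm does not
  # need it, and reachable from Anywhere it is equivalent to root on the host.
  has "^2375/tcp.*ALLOW +Anywhere" &&
    echo "WARNING 2375/tcp open to Anywhere: plaintext Docker API, not a swarm requirement"

  return $rc
}

# swarm_allow_commands IFACE NODE_IP -- the ufw commands that produce the rows
# checked above (the esp line is the one from the answer).
swarm_allow_commands() {
  cat <<EOF
ufw allow in on $1 proto tcp to any port 2377
ufw allow in on $1 to any port 7946
ufw allow in on $1 proto udp to any port 4789
ufw allow to $2 proto esp
EOF
}

# Constructed sample input adapted from the IPv4 rows of the two listings in
# the post, with the node address replaced by the placeholder 10.0.0.5.
UFW_BEFORE='22                     ALLOW       Anywhere
Anywhere/esp on eth1   ALLOW       Anywhere/esp
2377/tcp on eth1       ALLOW       Anywhere
7946 on eth1           ALLOW       Anywhere
4789 on eth1           ALLOW       Anywhere
2376/tcp               ALLOW       Anywhere'

UFW_AFTER='Anywhere/esp on eth1   ALLOW       Anywhere/esp
2377/tcp on eth1       ALLOW       Anywhere
7946 on eth1           ALLOW       Anywhere
4789 on eth1           ALLOW       Anywhere
2375/tcp on eth1       ALLOW       Anywhere
10.0.0.5/esp           ALLOW       Anywhere
2376/tcp on eth1       ALLOW       Anywhere'

echo "== before the fix =="
printf '%s\n' "$UFW_BEFORE" | swarm_check_rules eth1 10.0.0.5 ||
  { echo "apply:"; swarm_allow_commands eth1 10.0.0.5; }
echo "== after the fix =="
printf '%s\n' "$UFW_AFTER" | swarm_check_rules eth1 10.0.0.5 && echo "all swarm rules present"
```

On a real node, pipe the live output in with `sudo ufw status | swarm_check_rules eth1 "$(ip -4 -o addr show eth1 | awk '{print $4}' | cut -d/ -f1)"`; the script only reads the listing and prints commands, it never changes the firewall itself.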