I need to connect from a Docker container to a MongoDB Docker container.
This is my setup for the mongo container (it is part of a replica set; this is how I start a node):
docker run -d \
--restart always \
-p $PORT_START_INDEX:$PORT_START_INDEX \
--log-driver json-file \
-v $CLUSTERNAME-00-db:/data/db \
-v $CLUSTERNAME-00-assets:/opt/mongo \
--name $CLUSTERNAME-my.domain.com \
--hostname $CLUSTERNAME-my.domain.com \
--network $CLUSTERNAME-cluster \
mongo:4.1.13 \
-wiredTigerCacheSizeGB 2 \
--port $PORT_START_INDEX \
--sslMode requireSSL \
--sslPEMKeyFile /opt/mongo/ssl/mongodb.pem \
--bind_ip_all \
--keyFile /opt/mongo/keyfile/cluster-keyfile \
--replSet $CLUSTERNAME
This is how I connect from another container:
docker run --network my-cluster-name --rm mongo:4.1.13 mongo "mongodb://server:$PWD@node00-my.domain.com:30010,node00-my.domain.com:30011,node03-my.domain.com:30012/mydb?ssl=true&replicaSet=my-replica-name"
When iptables is inactive, everything works fine. But as soon as I activate it, I can no longer connect to the MongoDB cluster:
2019-10-10T11:47:22.954+0000 I NETWORK [js] Starting new replica set monitor for ***
2019-10-10T11:47:22.955+0000 I CONNPOOL [ReplicaSetMonitor-TaskExecutor] Connecting to ***
2019-10-10T11:47:22.955+0000 I CONNPOOL [ReplicaSetMonitor-TaskExecutor] Connecting to ***
2019-10-10T11:47:22.955+0000 I CONNPOOL [ReplicaSetMonitor-TaskExecutor] Connecting to ***
2019-10-10T11:47:27.954+0000 W NETWORK [ReplicaSetMonitor-TaskExecutor] Unable to reach primary for set ***
2019-10-10T11:47:27.955+0000 I NETWORK [ReplicaSetMonitor-TaskExecutor] Cannot reach any nodes for set ***. Please check network connectivity and the status of the set. This has happened for 1 checks in a row.
2019-10-10T11:47:32.955+0000 W NETWORK [ReplicaSetMonitor-TaskExecutor] Unable to reach primary for set ***
2019-10-10T11:47:32.955+0000 I NETWORK [ReplicaSetMonitor-TaskExecutor] Cannot reach any nodes for set ***. Please check network connectivity and the status of the set. This has happened for 2 checks in a row.
This is my iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT all -- anywhere anywhere /* local trafic */
ACCEPT tcp -- anywhere anywhere tcp dpt:94 /* ssh access */
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* web trafic */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* ssl web trafic */
ACCEPT icmp -- anywhere anywhere /* monitoring: ping */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED /* monitoring: ping */
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:30001
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:30011
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:30000
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:30010
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:30012
ACCEPT tcp -- anywhere 172.18.0.4 tcp dpt:30002
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
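An added diagnostic (not from the question, Docker or MongoDB) in Python: it parses an `iptables -L` listing like the one above, a trimmed copy of which is embedded as constructed input, and reports which chains explicitly accept a given port, which DROP-policy chains have no rule for it, and which conntrack states a chain admits. For the mongo port 30010 it shows that the only explicit ACCEPT sits in the DOCKER chain (the FORWARD path to 172.19.0.3) while INPUT, with policy DROP, has none and accepts ESTABLISHED but not RELATED; `iptables -L` without `-v` hides interface matches, so a broad rule such as the "local trafic" one cannot be judged from this listing alone.

```python
import re
# Constructed input: a trimmed copy of the `iptables -L` listing shown in the question.
IPTABLES_L = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT all -- anywhere anywhere /* local trafic */
ACCEPT tcp -- anywhere anywhere tcp dpt:94 /* ssh access */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:30011
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:30010
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:30012
"""

def parse_chains(listing):
    """Map chain name -> {'policy': 'DROP'/'ACCEPT' or None, 'rules': [(target, dport, raw_line)]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:  # chain header: built-in chains carry a policy, user chains a reference count
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            dport = re.search(r"dpt:(\S+)", line)  # only rules with a port match carry dpt:
            chains[current]["rules"].append(
                (line.split()[0], dport.group(1) if dport else None, line))
    return chains

def explicit_accepts(chains, port):
    """Chains that hold an ACCEPT rule naming exactly this destination port."""
    return sorted(name for name, c in chains.items()
                  for target, dport, _ in c["rules"]
                  if target == "ACCEPT" and dport == str(port))

def drop_chains_without_port(chains, port):
    """DROP-policy chains with no ACCEPT for this port: NEW connections via them need a broader match."""
    covered = set(explicit_accepts(chains, port))
    return sorted(n for n, c in chains.items() if c["policy"] == "DROP" and n not in covered)

def accepted_ctstates(chains, chain):
    """Conntrack states admitted by ACCEPT rules in `chain` (ESTABLISHED without RELATED is a common gap)."""
    return {s for target, _, line in chains[chain]["rules"] if target == "ACCEPT"
            for m in re.findall(r"ctstate (\S+)", line) for s in m.split(",")}
```

Run it against the real `iptables -L` output of the host to see per-port coverage; `explicit_accepts(chains, 30010)` returns `['DOCKER']` and `drop_chains_without_port(chains, 30010)` returns `['INPUT']` for the constructed listing.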