
Docker swarm mode on RHEL

Stack Overflow user
Asked 2019-10-19 04:41:32
1 answer, 1.5K views, 0 followers, 0 votes

I have been trying to run a single-node Docker swarm for testing on RHEL 7.6. firewalld is disabled and not running. The services run on an overlay network. I noticed that I cannot connect to the published ports, either from the host or from outside. This behaviour is consistent across several RHEL instances I have tried. I have used Docker swarm on Ubuntu 16.04 LTS and 18.04 LTS without any trouble.

Here is my docker info

Client:
 Debug Mode: false

Server:
 Containers: 14
  Running: 3
  Paused: 0
  Stopped: 11
 Images: 4
 Server Version: 19.03.3
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: fhewk7l15g42o36henpfigwjk
  Is Manager: true
  ClusterID: kegypzam66ehi6s50utrsff1l
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.0.1.125
  Manager Addresses:
   10.0.1.125:2377
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
 runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-957.5.1.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.33GiB
 Name: rhel-test.dev.koopid.io
 ID: IM3X:THRY:FYUO:L7XI:VJW6:5B4Y:VZOX:YL43:E7WR:U5GM:3BQK:NLKP
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

And my overlaynet

[
    {
        "Name": "overlaynet",
        "Id": "4g4dphekzyshqpcp0fjfmc877",
        "Created": "2019-10-18T14:29:06.284905975Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/24",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "142c22a7e517f463f37c89cfb58dcde37f9529c9b469357b37868057be044e48": {
                "Name": "dbsvcs_redis.1.0lsxkr88eq89igid7w7ifk3wq",
                "EndpointID": "167fbdfb2146f09bb20c258fea52d9f8ca886cf1d264b1d8cd9169532c26b9db",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/24",
                "IPv6Address": ""
            },
            "2e70a7589f13c74be66149d5bbf9504b5b74aee1ad6711f82ec4b02011c00cc1": {
                "Name": "dbpg_postgresql-rw.1.9keeuowk9zk5e6f8bq5a0itij",
                "EndpointID": "44a2376b4d0d2bdb8787c9cc18726da140ca0f9a8e97e54a6a78b2206e10a13b",
                "MacAddress": "02:42:ac:14:00:06",
                "IPv4Address": "172.20.0.6/24",
                "IPv6Address": ""
            },
            "d9119bb3d605aa9b2df23985cd884afa941499d888937e3c34f4ec08dac14c73": {
                "Name": "dbsvcs_influxdb.1.ap5cg0se1rntdbsopxbm7whma",
                "EndpointID": "d2a5c093a0721291a114309ef1fd690510b03007fdaf83c8d77e00870a1568cd",
                "MacAddress": "02:42:ac:14:00:04",
                "IPv4Address": "172.20.0.4/24",
                "IPv6Address": ""
            },
            "lb-overlaynet": {
                "Name": "overlaynet-endpoint",
                "EndpointID": "2bdf0d2370856d9a4b2da1e86d65521585ffc89c778f5db1d3f4b2fd39da7c8b",
                "MacAddress": "02:42:ac:14:00:08",
                "IPv4Address": "172.20.0.8/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097"
        },
        "Labels": {},
        "Peers": [
            {
                "Name": "80ab8f4e3bcd",
                "IP": "10.0.1.125"
            }
        ]
    }
]

I have the following services; as you will notice, they each publish one or two ports.

4j7p43udxkoc        dbpg_postgresql-rw   replicated          1/1                 myregistry/postgres   *:5432->5432/tcp
hu0wkspwc7j3        dbsvcs_influxdb      replicated          1/1                 myregistry/influxdb   *:8086->8086/tcp
dlte2nzg226x        dbsvcs_redis         replicated          1/1                 myregistry/redis      *:6379->6379/tcp

You can see that port 5432 is open on INADDR_ANY on the host.

tcp6       1      0 :::5432                 :::*                    LISTEN

However, I cannot connect to port 5432 from outside the host. The psql client times out, as if a firewall were blocking the connection.

If I enable firewalld, I see the following errors

firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker_gwbridge -o docker_gwbridge -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.

Is this something I should worry about? Do I need to fiddle with iptables on RHEL to get Docker swarm working? There are some reports of adding the Docker control ports to iptables for multi-node cluster setups. My iptables configuration looks like this.

$ iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 82507 packets, 8110K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       30  5664 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       30  5664 DOCKER-INGRESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       30  5664 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
8       14  4064 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
9        0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
10      16  1600 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
11       0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 82105 packets, 8106K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-INGRESS (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:5432
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:6379
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:8086
7       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       16  1600 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
3       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
3       16  1600 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Some help/guidance on getting this to work on RHEL would be appreciated, as I have been stuck on it for the past few weeks. Configuring and running docker swarm on Ubuntu was easy!

1 Answer

Stack Overflow user

Posted 2019-10-24 11:01:03

This is how I finally got it to work. I don't have a rationale for every step. I also noticed that I could not connect to the ports published by the services via localhost, and that the firewalld rules sometimes went wrong, which required a reboot. I am still investigating these issues. I first installed docker-ce and the related packages following the documentation.

  1. firewalld (or iptables chains) must be installed on the server. firewalld is recommended on RHEL 7 or later.
  2. Open the docker swarm ports with firewalld. Follow the tutorial here. Also make sure to open the ports required by the services. Reload the firewall rules (firewall-cmd --reload).
  3. Initialize the swarm (docker swarm init).
  4. Create the overlay network (docker network create --subnet 172.20.1.0/24 --driver overlay --attachable overlaynet).
  5. Join the other nodes to the swarm manager.

I noticed that configuring the firewall before initializing docker swarm is very important. When I updated the firewalld configuration after initializing docker swarm, I could not connect to the published ports from localhost or using the host IP. I don't know why this order matters.

Currently, I am able to connect to the published service ports via the swarm manager IP address, both from the swarm manager itself and from outside the host. I am still investigating which firewall rules need to be added in order to connect via localhost.

1 vote
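The firewalld steps in the answer above (open the swarm ports and the published service ports, reload, and only then run `docker swarm init`), as an added example that is not part of the original post. It derives the service ports from the `docker service ls` PORTS column shown in the question (a constructed copy is embedded), uses the swarm ports Docker documents (2377/tcp, 7946/tcp+udp, 4789/udp), and assumes the firewalld zone is `public`; it prints the commands by default and applies them only with `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): open the Docker swarm ports and
# the ports a stack publishes with firewalld, before `docker swarm init`.
set -eu

# Ports Docker documents for swarm mode: 2377/tcp (manager), 7946/tcp+udp
# (node discovery), 4789/udp (VXLAN data path; "Data Path Port: 4789" above).
SWARM_PORTS="2377/tcp 7946/tcp 7946/udp 4789/udp"

# Extract "port/proto" from the PORTS column of `docker service ls`
# ("*:5432->5432/tcp" -> "5432/tcp"). Reads stdin, prints one entry per line.
published_ports() {
  grep -oE '\*:[0-9]+->[0-9]+/(tcp|udp)' \
    | sed -E 's/^\*:([0-9]+)->[0-9]+\/(tcp|udp)$/\1\/\2/' | sort -u
}

# Emit the firewall-cmd invocations for a zone and a list of port/proto entries.
# Kept as a pure function so the rule set can be reviewed before it is applied.
firewalld_commands() {
  zone="$1"; shift
  for p in "$@"; do
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$zone" "$p"
  done
  printf 'firewall-cmd --reload\n'
}

# The answer reports that firewalld changes made after `docker swarm init` did
# not take effect, so refuse to apply rules once the swarm is already active.
swarm_inactive() {
  state=$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null || echo inactive)
  [ "$state" = "inactive" ]
}

# Constructed sample of `docker service ls` output, same shape as in the question.
SAMPLE_SERVICES='4j7p43udxkoc  dbpg_postgresql-rw  replicated  1/1  myregistry/postgres  *:5432->5432/tcp
hu0wkspwc7j3  dbsvcs_influxdb     replicated  1/1  myregistry/influxdb  *:8086->8086/tcp
dlte2nzg226x  dbsvcs_redis        replicated  1/1  myregistry/redis     *:6379->6379/tcp'

main() {
  zone="${1:-public}"   # assumed zone; check with `firewall-cmd --get-default-zone`
  svc_ports=$(printf '%s\n' "$SAMPLE_SERVICES" | published_ports | tr '\n' ' ')
  cmds=$(firewalld_commands "$zone" $SWARM_PORTS $svc_ports)
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$cmds"   # review first; rerun with DRY_RUN=0 to apply
  else
    swarm_inactive || { echo "swarm already active: configure firewalld before docker swarm init" >&2; exit 1; }
    printf '%s\n' "$cmds" | sh -e
  fi
}

main "$@"
```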
The original page content is provided by Stack Overflow; translation support by the Tencent Cloud Xiaowei IT domain engine.
Original link:

https://stackoverflow.com/questions/58460565
