Docker Swarm Overlay - Encrypted Network and Firewall

Tags: docker, docker-swarm

I set up a swarm on DigitalOcean using 5 Ubuntu 16.04 servers. They all use the same Docker engine version and firewall rules. It is set up to use 3 managers.

Client:
 Version:      17.03.0-ce
 API version:  1.26
 Go version:   go1.7.5
 Git commit:   3a232c8
 Built:        Tue Feb 28 08:01:32 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.0-ce
 API version:  1.26 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   3a232c8
 Built:        Tue Feb 28 08:01:32 2017
 OS/Arch:      linux/amd64
 Experimental: false

22                         ALLOW       Anywhere                  
Anywhere/esp on eth1       ALLOW       Anywhere/esp               
2377/tcp on eth1           ALLOW       Anywhere                  
7946 on eth1               ALLOW       Anywhere                  
4789 on eth1               ALLOW       Anywhere                  
2376/tcp                   ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
Anywhere/esp (v6) on eth1  ALLOW       Anywhere/esp (v6)          
2377/tcp (v6) on eth1      ALLOW       Anywhere (v6)              
7946 (v6) on eth1          ALLOW       Anywhere (v6)              
4789 (v6) on eth1          ALLOW       Anywhere (v6)             
2376/tcp (v6)              ALLOW       Anywhere (v6)             

 app01     Ready   Active        
 app04     Ready   Active        Reachable
 app03     Ready   Active        Reachable
 app06     Ready   Active        Leader
 app05     Ready   Active    

I am running my services on an encrypted network:

[
    {
        "Name": "jupiter",
        "Id": "en4gdr54yw4w2xmo34fttdbvg",
        "Created": "0001-01-01T00:00:00Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Containers": null,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097",
            "encrypted": "true"
        },
        "Labels": null
    }
]
I created my swarm so that it lives on eth1. For example:

docker swarm init --listen-addr eth1:2377 --advertise-addr eth1:2377

Despite this setup, my 3 services cannot see each other. It is as if DNS is not working in the swarm. I found something that describes what is happening to me.

One of my services tries to connect to the mongo service using mongo servicename:port. But it fails, since the service cannot connect to mongo. Now I tried to troubleshoot the containers by connecting inside them, and it turns out the containers can interact. (But I do not think they are connecting over the encrypted connection set up for them.)

I figured it must be the firewall, but I am not an expert in network security, so I wonder whether I am missing something. I tried to compare what I have with what is said about their firewall in issue 26523.

Anyway, I decided to create another, unencrypted network and put my services on it.

Now mongo is receiving connections:

2017-07-17T14:17:53.267+0000 I NETWORK  [conn8] received client metadata from 10.0.1.7:33424 conn8: { driver: { name: "nodejs", version: "2.2.29" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.4.0-62-generic" }, platform: "Node.js v6.11.1, LE, mongodb-core: 2.1.13" }
2017-07-17T14:17:53.369+0000 I NETWORK  [thread1] connection accepted from 10.0.1.7:33426 #9 (3 connections now open)
2017-07-17T14:17:53.373+0000 I NETWORK  [conn9] received client metadata from 10.0.1.7:33426 conn9: { driver: { name: "nodejs", version: "2.2.29" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.4.0-62-generic" }, platform: 

I want to figure out how to get the encrypted network working. It seems to me that it is either the firewall, or the Ubuntu servers are missing a package.

After stepping away from this for a while, I decided to revisit it. Sometimes getting away helps.

I have it working now. I decided to add an additional rule for esp:

ufw allow proto esp

ufw status

Anywhere/esp on eth1       ALLOW       Anywhere/esp
2377/tcp on eth1           ALLOW       Anywhere
7946 on eth1               ALLOW       Anywhere
4789 on eth1               ALLOW       Anywhere
2375/tcp on eth1           ALLOW       Anywhere
10.xx.xx.xx/esp            ALLOW       Anywhere
2376/tcp on eth1           ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Anywhere/esp (v6) on eth1  ALLOW       Anywhere/esp (v6)
2377/tcp (v6) on eth1      ALLOW       Anywhere (v6)
7946 (v6) on eth1          ALLOW       Anywhere (v6)
4789 (v6) on eth1          ALLOW       Anywhere (v6)
2375/tcp (v6) on eth1      ALLOW       Anywhere (v6)
2376/tcp (v6) on eth1      ALLOW       Anywhere (v6)
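As an added example (not code from the thread), a small POSIX shell checker for the rule set the answer ends up with: it reads a ufw status listing and reports which Swarm rules are missing, treating ESP as satisfied only by a rule that is not scoped to an interface, since the listing that already had "Anywhere/esp on eth1" did not work. The two listings are constructed from the page's output; the 7946 tcp/udp and 4789/udp protocol split is standard Swarm port guidance, not shown on the page.

```shell
#!/bin/sh
# Constructed samples (trimmed to the IPv4 lines that matter): the ufw
# status listing before and after the unscoped ESP rule was added.
UFW_BEFORE='Anywhere/esp on eth1       ALLOW       Anywhere/esp
2377/tcp on eth1           ALLOW       Anywhere
7946 on eth1               ALLOW       Anywhere
4789 on eth1               ALLOW       Anywhere
2376/tcp                   ALLOW       Anywhere'
UFW_AFTER="$UFW_BEFORE
10.xx.xx.xx/esp            ALLOW       Anywhere"

# swarm_fw_check STATUS_TEXT
# Prints one "missing: ..." line per rule a Swarm node with an encrypted
# overlay needs; returns 1 if anything is missing, 0 otherwise.
# Checked: 2377/tcp (cluster management), 7946 tcp+udp (node gossip),
# 4789/udp (VXLAN data plane), and an ESP (IP proto 50) allow rule that is
# not bound to an interface, which is what "ufw allow proto esp" produces.
# A bare port such as "7946" in ufw output covers both tcp and udp.
swarm_fw_check() {
  status=$1
  rc=0
  # name|extended regex matched against each line of the listing
  for spec in \
    '2377/tcp|^2377(/tcp)? ' \
    '7946/tcp|^7946(/tcp)? ' \
    '7946/udp|^7946(/udp)? ' \
    '4789/udp|^4789(/udp)? ' \
    'esp (unscoped)|^[^ ]*/esp +ALLOW'
  do
    name=${spec%%|*}
    regex=${spec#*|}
    if ! printf '%s\n' "$status" | grep -Eq "$regex"; then
      echo "missing: $name"
      rc=1
    fi
  done
  return $rc
}
```

Run it against `ufw status` output on each node; a non-zero exit lists the rules still absent on that node.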
