Linux docker swarm: listening inside the container but not outside

We have a number of docker images running in swarm mode and are having trouble getting one of them to listen from the outside. If I exec into the container, I can curl the URL on 0.0.0.0:8080. When I look at the networking on the host, I see a packet stuck in the Recv-Q of that listening port (but not on the other ports, which work fine).

Looking at the NAT rules, I can actually curl 172.19.0.2:8084 on the docker host (docker_gwbridge), but not 172.31.105.59, the actual docker host IP.

I tried a number of different ports (7080848085), also stopped docker, did an rm -rf /var/lib/docker and then tried running only this container, but no luck. Do you know why this doesn't work for one container image while the other 5 container images work fine?
docker service
docker service create --with-registry-auth --replicas 1 --network myoverlay \
--publish 8084:8080 \
--name containerimage \
docker.repo.net/containerimage
ss -ltn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 172.31.105.59:7946 *:*
LISTEN 0 128 *:ssh *:*
LISTEN 0 128 127.0.0.1:smux *:*
LISTEN 0 128 172.31.105.59:2377 *:*
LISTEN 0 128 :::webcache :::*
LISTEN 0 128 :::tproxy :::*
LISTEN 0 128 :::us-cli :::*
LISTEN 0 128 :::us-srv :::*
LISTEN 0 128 :::4243 :::*
LISTEN 1 128 :::8084 :::*
LISTEN 0 128 :::ssh :::*
LISTEN 0 128 :::cslistener :::*
iptables -n -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER-INGRESS all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER-INGRESS all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-INGRESS (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8084 to:172.19.0.2:8084
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000 to:172.19.0.2:9000
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083 to:172.19.0.2:8083
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:172.19.0.2:8080
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:172.19.0.2:8081
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082 to:172.19.0.2:8082
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ip a|grep 172.19
inet 172.19.0.1/16 scope global docker_gwbridge
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP qlen 1000
link/ether 12:d1:da:a7:1d:1a brd ff:ff:ff:ff:ff:ff
inet 172.31.105.59/24 brd 172.31.105.255 scope global dynamic eth0
valid_lft 3088sec preferred_lft 3088sec
inet6 fe80::10d1:daff:fea7:1d1a/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:55:ae:ff:f5 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
4: docker_gwbridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ce:b5:27:49 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 scope global docker_gwbridge
valid_lft forever preferred_lft forever
inet6 fe80::42:ceff:feb5:2749/64 scope link
valid_lft forever preferred_lft forever
23: vethe2712d7@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP
link/ether 92:58:81:03:25:20 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::9058:81ff:fe03:2520/64 scope link
valid_lft forever preferred_lft forever
34: vethc446bc2@if33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP
link/ether e2:a7:0f:d4:aa:1d brd ff:ff:ff:ff:ff:ff link-netnsid 4
inet6 fe80::e0a7:fff:fed4:aa1d/64 scope link
valid_lft forever preferred_lft forever
40: vethf1238ff@if39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP
link/ether e6:1a:87:a4:18:2a brd ff:ff:ff:ff:ff:ff link-netnsid 5
inet6 fe80::e41a:87ff:fea4:182a/64 scope link
valid_lft forever preferred_lft forever
46: vethe334e2d@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP
link/ether a2:5f:2c:98:10:42 brd ff:ff:ff:ff:ff:ff link-netnsid 6
inet6 fe80::a05f:2cff:fe98:1042/64 scope link
valid_lft forever preferred_lft forever
58: vethda32f8d@if57: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP
link/ether ea:40:a2:68:d3:89 brd ff:ff:ff:ff:ff:ff link-netnsid 7
inet6 fe80::e840:a2ff:fe68:d389/64 scope link
valid_lft forever preferred_lft forever
41596: veth9eddb38@if41595: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP
link/ether fa:99:eb:48:be:b0 brd ff:ff:ff:ff:ff:ff link-netnsid 9
inet6 fe80::f899:ebff:fe48:beb0/64 scope link
valid_lft forever preferred_lft forever
41612: veth161a89a@if41611: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP
link/ether b6:33:62:08:da:c4 brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::b433:62ff:fe08:dac4/64 scope link
valid_lft forever preferred_lft forever
Okay, this is the normal behaviour for a container: the port mapping is only available on the host IP. So if you use the container IP, you have to reach port 8080 (the application's actual port). Since you used --publish, your container's port 8080 is mapped to port 8084 on the host IP.

Just to make sure: when you try to access the container via the container's internal IP, you are using port 8080 and not 8084, right?

Correct, here is what we get (an authentication-required message):
curl 172.19.0.2:8084/about
The about resource requires authentication, which was not provided with the request
So basically this works:
curl 172.19.0.2:8084/about
and this doesn't:
curl 172.31.105.59:8080/about

Not exactly:
curl 172.19.0.2:8084/about
works, but
curl 172.31.105.59:8084/about
doesn't (both on 8084).

Okay, this is the normal behaviour for a container: the port mapping is only available on the host IP. So 8080 is used with the container and 8084 externally, because of your --publish. It doesn't work if
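The following helper is an added example and is not code from the original question or answers. It turns the two checks done by hand above (reading ss -ltn and the DOCKER-INGRESS chain of iptables -t nat -n -L) into a small script: for a given published port it reports whether a DNAT rule exists for it and whether the host's own listening socket for that port has a completed connection waiting in its accept queue, which is what the Recv-Q of 1 on :::8084 in the question's ss output means for a LISTEN socket. The sample inputs are constructed from the question's own output so the script runs offline; on a real node you would feed it the live command output instead.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). It inspects saved
# output of `ss -ltn` and `iptables -t nat -n -L DOCKER-INGRESS` and classifies
# the state of one published port.

# Sample `ss -ltn` lines, constructed from the question's output.
SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 172.31.105.59:7946 *:*
LISTEN 0 128 :::8080 :::*
LISTEN 0 128 :::4243 :::*
LISTEN 1 128 :::8084 :::*
LISTEN 0 128 :::ssh :::*'

# Sample DOCKER-INGRESS chain, constructed from the question's NAT table.
NAT_OUTPUT='Chain DOCKER-INGRESS (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8084 to:172.19.0.2:8084
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:172.19.0.2:8080
RETURN all -- 0.0.0.0/0 0.0.0.0/0'

# Print the Recv-Q of the host's LISTEN socket on port $1 (empty if there is
# none). For a listening socket, Recv-Q is the number of completed
# connections that nothing has accept()ed yet.
listen_recvq_for() {
    printf '%s\n' "$SS_OUTPUT" | awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") { print $2; exit }'
}

# Print the DNAT target (ip:port) for published port $1 (empty if none).
dnat_target_for() {
    printf '%s\n' "$NAT_OUTPUT" | awk -v port="$1" '
        $1 == "DNAT" && $7 == ("dpt:" port) { sub(/^to:/, "", $8); print $8; exit }'
}

# Classify a published port:
#   unpublished     no DNAT rule, so docker is not forwarding this port here
#   queued-on-host  a DNAT rule exists, but a connection is sitting in the
#                   accept queue of the host's own listener, i.e. it reached
#                   the host socket instead of being rewritten by the rule
#   published       DNAT rule present and nothing stuck on the host socket
diagnose_port() {
    q=$(listen_recvq_for "$1")
    t=$(dnat_target_for "$1")
    if [ -z "$t" ]; then
        echo "unpublished"
    elif [ "${q:-0}" -gt 0 ]; then
        echo "queued-on-host"
    else
        echo "published"
    fi
}

# Usage: report the port from the question and a port that was never published.
for p in 8084 8080 7080; do
    printf 'port %s: %s (DNAT to: %s)\n' "$p" "$(diagnose_port "$p")" "${t:-none}"
done
```

The helper matches numeric ports only, so capture ss with -n; the output pasted in the question shows service names (webcache for 8080, tproxy for 8081, cslistener for 9000), which means it was taken without -n. Running the live versions of the two commands through the same awk patterns gives the same three-way answer for every port a service publishes.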