docker服务虚拟IP无法访问
我有一个单一节点的docker群。 我已经将图像registry部署为一项服务:
docker service create \ --name image-registry \ --hostname image-registry.localdomain.local \ --secret image-registry.crt \ --secret image-registry.key \ --constraint 'node.labels.registry==true' \ --mount type=bind,src=/var/image-registry/,dst=/var/lib/registry \ -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/image-registry.crt \ -e REGISTRY_HTTP_TLS_KEY=/run/secrets/image-registry.key \ --publish published=443,target=443 \ --replicas 1 \ registry:2 服务看起来很健康
$ docker service ls ID NAME MODE REPLICAS IMAGE PORTS ywt51zvik09s image-registry replicated 1/1 registry:2 *:443->443/tcp
我检查服务find虚拟IP
$ docker service inspect image-registry [ { "ID": "ywt51zvik09szz2jl9xgxbj8i", "Version": { "Index": 54378 }, "CreatedAt": "2017-11-29T02:01:04.063664587Z", "UpdatedAt": "2017-11-29T02:01:04.065183181Z", "Spec": { "Name": "image-registry", "Labels": {}, "TaskTemplate": { "ContainerSpec": { "Image": "registry:2@sha256:d837de65fd9bdb81d74055f1dc9cc9154ad5d8d5328f42f57f273000c402c76d", "Hostname": "image-registry.localdomain.local", "Env": [ "REGISTRY_HTTP_ADDR=0.0.0.0:443", "REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/image-registry.crt", "REGISTRY_HTTP_TLS_KEY=/run/secrets/image-registry.key" ], "Mounts": [ { "Type": "bind", "Source": "/var/image-registry/", "Target": "/var/lib/registry" } ], "StopGracePeriod": 10000000000, "DNSConfig": {}, "Secrets": [ { "File": { "Name": "image-registry.crt", "UID": "0", "GID": "0", "Mode": 292 }, "SecretID": "t88ee92s2sax4ewihbbrmwwyw", "SecretName": "image-registry.crt" }, { "File": { "Name": "image-registry.key", "UID": "0", "GID": "0", "Mode": 292 }, "SecretID": "srsaybf31lqpl942rfmlndm4h", "SecretName": "image-registry.key" } ] }, "Resources": { "Limits": {}, "Reservations": {} }, "RestartPolicy": { "Condition": "any", "Delay": 5000000000, "MaxAttempts": 0 }, "Placement": { "Constraints": [ "node.labels.registry==true" ], "Platforms": [ { "Architecture": "amd64", "OS": "linux" } ] }, "ForceUpdate": 0, "Runtime": "container" }, "Mode": { "Replicated": { "Replicas": 1 } }, "UpdateConfig": { "Parallelism": 1, "FailureAction": "pause", "Monitor": 5000000000, "MaxFailureRatio": 0, "Order": "stop-first" }, "RollbackConfig": { "Parallelism": 1, "FailureAction": "pause", "Monitor": 5000000000, "MaxFailureRatio": 0, "Order": "stop-first" }, "EndpointSpec": { "Mode": "vip", "Ports": [ { "Protocol": "tcp", "TargetPort": 443, "PublishedPort": 443, "PublishMode": "ingress" } ] } }, "Endpoint": { "Spec": { "Mode": "vip", "Ports": [ { "Protocol": "tcp", "TargetPort": 443, "PublishedPort": 443, "PublishMode": "ingress" } ] }, "Ports": [ { "Protocol": "tcp", "TargetPort": 443, "PublishedPort": 443, "PublishMode": "ingress" } ], "VirtualIPs": [ { "NetworkID": "d5pvc254jq5e1n0e16v8ecp1j", "Addr": "10.255.0.3/16" } ] } } ]
但是当我尝试从主机ping我得到的虚拟IP:
ping 10.255.0.3 PING 10.255.0.3 (10.255.0.3) 56(84) bytes of data. From 65.12.13.1 icmp_seq=1 Destination Host Unreachable From 65.12.13.1 icmp_seq=2 Destination Host Unreachable From 65.12.13.1 icmp_seq=3 Destination Host Unreachable From 65.12.13.1 icmp_seq=4 Destination Host Unreachable
当我做ifconfig我没有看到任何这些networking:
$ ifconfig docker0 Link encap:Ethernet HWaddr 02:42:47:e7:22:43 inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) docker_gwbridge Link encap:Ethernet HWaddr 02:42:ac:b9:0c:1c inet addr:172.18.0.1 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:feb9:c1c/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:91 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:9348 (9.3 KB) enp3s0 Link encap:Ethernet HWaddr 1c:1b:0d:7e:ad:b2 inet addr:192.168.1.148 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fdfb:4eb5:df66:0:e0c0:4e3:83d2:63de/64 Scope:Global inet6 addr: fe80::66e0:994a:2ae7:8180/64 Scope:Link inet6 addr: fdfb:4eb5:df66:0:986b:be9b:687a:48d0/64 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:993615 errors:0 dropped:0 overruns:0 frame:0 TX packets:617970 errors:6 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1333226168 (1.3 GB) TX bytes:55076679 (55.0 MB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:165431 errors:0 dropped:0 overruns:0 frame:0 TX packets:165431 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:25958351 (25.9 MB) TX bytes:25958351 (25.9 MB) veth4bd29fc Link encap:Ethernet HWaddr c2:ef:1c:ba:6e:f3 inet6 addr: fe80::c0ef:1cff:feba:6ef3/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:82 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:8059 (8.0 KB) vethb2889ca Link encap:Ethernet HWaddr c2:9d:1a:df:8f:a8 inet6 addr: fe80::c09d:1aff:fedf:8fa8/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:150 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:15411 (15.4 KB)
有什么想法发生在这里?
您正在检查服务,而不是容器。 初学者错误:-) Docker有很多可以在各个领域使用的“检查”命令。
你想检查容器,这是:
-
docker inspect [container_id]或 -
docker container inspect [container_id]
要么工作; 然而新方法是第二种select; 随着子命令数量的增长 – Docker开始分裂它们。
注意您必须使用容器标识 – 而不是服务标识! 通过docker psfind这个。
举个例子:
➜ ~ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 28409910f4b2 nginx "nginx -g 'daemon ..." 47 hours ago Up 47 hours 80/tcp lucid_feynman ➜ ~ docker inspect --format '{{.NetworkSettings.IPAddress}}' 28409910f4b2 172.17.0.2