Docker Swarm Overlay - 加密網絡和防火牆

Question

我使用5臺Ubuntu 16.04服務器在Digital Ocean上建立了一個羣集。他們都使用相同的Docker引擎版本和防火牆規則。它被設置爲使用3名經理。

Client: 
Version:  17.03.0-ce 
API version: 1.26 
Go version: go1.7.5 
Git commit: 3a232c8 
Built:  Tue Feb 28 08:01:32 2017 
OS/Arch:  linux/amd64 

Server: 
Version:  17.03.0-ce 
API version: 1.26 (minimum version 1.12) 
Go version: go1.7.5 
Git commit: 3a232c8 
Built:  Tue Feb 28 08:01:32 2017 
OS/Arch:  linux/amd64 
Experimental: false 

22       ALLOW  Anywhere     
Anywhere/esp on eth1  ALLOW  Anywhere/esp    
2377/tcp on eth1   ALLOW  Anywhere     
7946 on eth1    ALLOW  Anywhere     
4789 on eth1    ALLOW  Anywhere     
2376/tcp     ALLOW  Anywhere     
22 (v6)     ALLOW  Anywhere (v6)    
Anywhere/esp (v6) on eth1 ALLOW  Anywhere/esp (v6)   
2377/tcp (v6) on eth1  ALLOW  Anywhere (v6)    
7946 (v6) on eth1   ALLOW  Anywhere (v6)    
4789 (v6) on eth1   ALLOW  Anywhere (v6)    
2376/tcp (v6)    ALLOW  Anywhere (v6)    

app01  Ready Active   
app04  Ready Active  Reachable 
app03  Ready Active  Reachable 
app06  Ready Active  Leader 
app05  Ready Active  

我正在爲我的服務使用加密網絡。

[ 
    { 
     "Name": "jupiter", 
     "Id": "en4gdr54yw4w2xmo34fttdbvg", 
     "Created": "0001-01-01T00:00:00Z", 
     "Scope": "swarm", 
     "Driver": "overlay", 
     "EnableIPv6": false, 
     "IPAM": { 
      "Driver": "default", 
      "Options": null, 
      "Config": [] 
     }, 
     "Internal": false, 
     "Attachable": false, 
     "Containers": null, 
     "Options": { 
      "com.docker.network.driver.overlay.vxlanid_list": "4097", 
      "encrypted": "true" 
     }, 
     "Labels": null 
    } 
] 

我創建了我的羣居住在eth1。例如：docker swarm init --listen-addr eth1:2377 --advertise-addr eth1:2377。

儘管設置了我的3個服務不能看到對方。就好像DNS在羣內不起作用一樣。我發現this link on github描述了發生在我身上的事情。

我的一個服務嘗試使用mongo servicename：port連接到mongo服務。但由於連接服務無法達到mongo，因此失敗。現在我試圖通過使用https://hub.docker.com/r/nicolaka/netshoot/連接內部容器來解決問題，並顯示容器可以互動。 （但我不認爲它通過爲它設置的加密連接。）

我認爲它一定是防火牆，但我不是網絡安全方面的專家，所以我想知道如果我失去了一些東西。我試圖比較我在26523版中寫的關於防火牆的內容。

無論如何，我決定創建另一個未加密的網絡，並將其服務放置在其上。

現在蒙戈正在接收連接：

2017-07-17T14:17:53.267+0000 I NETWORK [conn8] received client metadata from 10.0.1.7:33424 conn8: { driver: { name: "nodejs", version: "2.2.29" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.4.0-62-generic" }, platform: "Node.js v6.11.1, LE, mongodb-core: 2.1.13" } 
2017-07-17T14:17:53.369+0000 I NETWORK [thread1] connection accepted from 10.0.1.7:33426 #9 (3 connections now open) 
2017-07-17T14:17:53.373+0000 I NETWORK [conn9] received client metadata from 10.0.1.7:33426 conn9: { driver: { name: "nodejs", version: "2.2.29" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.4.0-62-generic" }, platform: 

我想弄清楚如何得到加密的網絡工作。它是防火牆，在我看來，還是Ubuntu服務器丟失了一個包？ ; <

Answer 1

經過一段時間後，我決定再次訪問。有時離開幫助。

我現在工作了。我決定在esp中添加一條附加規則。

ufw allow to <local host eth1 ip> proto esp

ufw status

Anywhere/esp on eth1  ALLOW  Anywhere/esp 
2377/tcp on eth1   ALLOW  Anywhere 
7946 on eth1    ALLOW  Anywhere 
4789 on eth1    ALLOW  Anywhere 
2375/tcp on eth1   ALLOW  Anywhere 
10.xx.xx.xx/esp   ALLOW  Anywhere 
2376/tcp on eth1   ALLOW  Anywhere 
22 (v6)     ALLOW  Anywhere (v6) 
Anywhere/esp (v6) on eth1 ALLOW  Anywhere/esp (v6) 
2377/tcp (v6) on eth1  ALLOW  Anywhere (v6) 
7946 (v6) on eth1   ALLOW  Anywhere (v6) 
4789 (v6) on eth1   ALLOW  Anywhere (v6) 
2375/tcp (v6) on eth1  ALLOW  Anywhere (v6) 
2376/tcp (v6) on eth1  ALLOW  Anywhere (v6)