Is it necessary to open ports 2377, 7946, 4789 to create a docker swarm?

According to this link:

The following ports must be available. On some systems, these ports are open by default.

- TCP port 2377 for cluster management communications
- TCP and UDP port 7946 for communication among nodes
- UDP port 4789 for overlay network traffic

If you plan on creating an overlay network with encryption (--opt encrypted), you also need to ensure ip protocol 50 (ESP) traffic is allowed

But I was able to create a swarm and join nodes to it without opening the ports above, and I believe they are not open by default on my network. So I would like to know whether the documentation above is incorrect?

siddjain@goldenrwr-ca0:~$ docker node ls
ID                            HOSTNAME             STATUS              AVAILABILITY        MANAGER STATUS      ENGINE VERSION
ub40pn2najtvkcnhewoilqboi *   goldenrwr-ca0        Ready               Active              Leader              18.06.1-ce
quyiss2gl6036x6z4znagr6zl     goldenrwr-orderer0   Ready               Active                                  18.06.1-ce
y2kqrqoeaipjkflmyg1xq1pvu     goldenrwr-peer0      Ready               Active                                  18.06.1-ce
2hnhwb06dkbhlilpcuqnnbboc     goldenrwr-peer1      Ready               Active                                  18.06.1-ce

2377/tcp must be open between the nodes (this does not mean open to external traffic) to get this far. If you run into overlay network problems, such as containers being unable to connect to each other, or an ingress published port only being reachable when you hit the node where the container happens to be running, then the problem is most likely that the other ports are not open.

The answer to the question is: docker needs these ports in order to work. We can verify this by running netstat -tuplen on the nodes to see which ports are in use.

For example, on the manager node I see this:

$ netstat -tuplen
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        15135221   -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          25361290   -                   
tcp6       0      0 :::2377                 :::*                    LISTEN      0          1423965    -                   
tcp6       0      0 :::7946                 :::*                    LISTEN      0          1423980    -                   
tcp6       0      0 :::22                   :::*                    LISTEN      0          25361301   -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        15135220   -                   
udp        0      0 10.2.0.4:68             0.0.0.0:*                           100        15135187   -                   
udp        0      0 0.0.0.0:4789            0.0.0.0:*                           0          1424168    -                   
udp6       0      0 :::7946                 :::*                                0          1423981    -  

On the worker node I see this:

$ netstat -tuplen
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        234169     -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          8088243    -                   
tcp6       0      0 :::7946                 :::*                    LISTEN      0          61278      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      0          8088254    -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        234168     -                   
udp        0      0 10.2.0.7:68             0.0.0.0:*                           100        234114     -                   
udp        0      0 0.0.0.0:4789            0.0.0.0:*                           0          61504      -                   
udp6       0      0 :::7946                 :::*                                0          61279      - 

Aside: even though I see the configuration below denying all inbound network traffic in Azure, it still works fine.
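The netstat check described in the answer above can be scripted. The following is an added example, not code from the question or the answers: it parses `netstat -tuplen` output, reports which of the Swarm ports from the quoted documentation a node is not listening on for its role, and flags listeners bound to all interfaces (those are the ones a host firewall or cloud security group must restrict to the node subnet). The sample output is constructed from the manager listing shown above.

```python
# Added example: audit Docker Swarm listeners in `netstat -tuplen` output.
import re

# Listening sockets Swarm needs, per the Docker docs quoted in the question.
# Workers do not serve the manager API, so 2377/tcp is manager-only.
REQUIRED = {
    "manager": {("tcp", 2377), ("tcp", 7946), ("udp", 7946), ("udp", 4789)},
    "worker":  {("tcp", 7946), ("udp", 7946), ("udp", 4789)},
}

# Matches the proto, local address and port columns of a netstat socket line.
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")

# Constructed sample, trimmed from the manager output shown above.
MANAGER_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::2377                 :::*                    LISTEN
tcp6       0      0 :::7946                 :::*                    LISTEN
udp        0      0 0.0.0.0:4789            0.0.0.0:*
udp6       0      0 :::7946                 :::*
"""

def parse_listeners(netstat_output):
    """Return {(proto, port): local_address} for every socket line.

    tcp6/udp6 are folded into tcp/udp: on Linux a "::" listener also accepts
    IPv4 connections (dual-stack), so ":::2377" is reachable over IPv4 too.
    """
    listeners = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or unrelated line
        proto, addr, port = m.group(1).rstrip("6"), m.group(2), int(m.group(3))
        listeners[(proto, port)] = addr
    return listeners

def check_swarm_ports(netstat_output, role):
    """Report required listeners that are missing, and those bound to all interfaces."""
    listeners = parse_listeners(netstat_output)
    required = REQUIRED[role]
    missing = sorted(p for p in required if p not in listeners)
    # Bound to 0.0.0.0 or :: means reachable from wherever the host firewall and
    # cloud security group allow; these should be limited to the node subnet.
    wildcard = sorted(p for p in required
                      if p in listeners and listeners[p] in ("0.0.0.0", "::"))
    return {"missing": missing, "wildcard_bound": wildcard}
```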