Is it necessary to open ports 2377, 7946, 4789 to create a docker swarm?
According to this link:
The following ports must be available. On some systems, these ports are open by default.
TCP port 2377 for cluster management communications
TCP and UDP port 7946 for communication among nodes
UDP port 4789 for overlay network traffic
If you plan on creating an overlay network with encryption (--opt encrypted), you also need to ensure ip protocol 50 (ESP) traffic is allowed
But I was able to create a swarm and join nodes to it without opening the ports above, and I don't think they are open by default on my network. So I would like to know whether the documentation above is incorrect?
siddjain@goldenrwr-ca0:~$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
ub40pn2najtvkcnhewoilqboi * goldenrwr-ca0 Ready Active Leader 18.06.1-ce
quyiss2gl6036x6z4znagr6zl goldenrwr-orderer0 Ready Active 18.06.1-ce
y2kqrqoeaipjkflmyg1xq1pvu goldenrwr-peer0 Ready Active 18.06.1-ce
2hnhwb06dkbhlilpcuqnnbboc goldenrwr-peer1 Ready Active 18.06.1-ce
2377/tcp must be open between the nodes (this does not mean open to outside traffic) to get this far. If you run into overlay networking problems, e.g. containers cannot connect to each other, or accessing an ingress published port only works when you hit the same node the container happens to be running on, then the problem is most likely that the other ports are not open.
The answer to the question is yes. Docker needs these ports to work. We can verify this by running netstat -tuplen on the nodes to see which ports are in use.
For example, on the manager node I see this:
$ netstat -tuplen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 15135221 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 25361290 -
tcp6 0 0 :::2377 :::* LISTEN 0 1423965 -
tcp6 0 0 :::7946 :::* LISTEN 0 1423980 -
tcp6 0 0 :::22 :::* LISTEN 0 25361301 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 15135220 -
udp 0 0 10.2.0.4:68 0.0.0.0:* 100 15135187 -
udp 0 0 0.0.0.0:4789 0.0.0.0:* 0 1424168 -
udp6 0 0 :::7946 :::* 0 1423981 -
On a worker node I see this:
$ netstat -tuplen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 234169 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 8088243 -
tcp6 0 0 :::7946 :::* LISTEN 0 61278 -
tcp6 0 0 :::22 :::* LISTEN 0 8088254 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 234168 -
udp 0 0 10.2.0.7:68 0.0.0.0:* 100 234114 -
udp 0 0 0.0.0.0:4789 0.0.0.0:* 0 61504 -
udp6 0 0 :::7946 :::* 0 61279 -
Aside: it still works fine even though I see the configuration below denying all inbound network traffic in Azure
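One way to turn the netstat check from the answer above into a repeatable test, as an added example that is not code from the question or the answers: it parses a `netstat -tuplen` listing for the listeners the Docker docs require for a manager or a worker, and separately lists which of them are bound to every interface (0.0.0.0 / ::), since those are the ones a host firewall or cloud NSG has to scope to the other swarm nodes. The function names are mine, and the sample input is constructed from the worker listing shown above.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): check a node's `netstat -tuplen`
# output for the swarm listeners the Docker docs require, and report which of
# them are bound to all interfaces and therefore need a firewall rule scoping
# them to the node subnet.

# Required listeners as proto:port. 2377/tcp is only needed on managers.
MANAGER_PORTS="tcp:2377 tcp:7946 udp:7946 udp:4789"
WORKER_PORTS="tcp:7946 udp:7946 udp:4789"

# Constructed sample: the worker listing from the answer above.
SAMPLE_WORKER='Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 234169 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 8088243 -
tcp6 0 0 :::7946 :::* LISTEN 0 61278 -
tcp6 0 0 :::22 :::* LISTEN 0 8088254 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 234168 -
udp 0 0 10.2.0.7:68 0.0.0.0:* 100 234114 -
udp 0 0 0.0.0.0:4789 0.0.0.0:* 0 61504 -
udp6 0 0 :::7946 :::* 0 61279 -'

# swarm_listeners <netstat output>: one "proto:port" per listening socket, with
# tcp6/udp6 folded into tcp/udp. Field 4 is "Local Address" for both tcp and
# udp rows (udp rows have no State column); the port follows the last ":".
swarm_listeners() {
  printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ {
      n = split($4, a, ":"); print substr($1, 1, 3) ":" a[n] }' | sort -u
}

# exposed_listeners <netstat output>: same, but only sockets bound to all
# interfaces. Loopback (127.0.0.53) and the node's own IP (10.2.0.7) are skipped.
exposed_listeners() {
  printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0|::):[0-9]+$/ {
      n = split($4, a, ":"); print substr($1, 1, 3) ":" a[n] }' | sort -u
}

# check_swarm_ports <manager|worker> <netstat output>: prints one MISSING line
# per required listener that is absent; exit status is 0 only if none are.
check_swarm_ports() {
  role=$1; have=$(swarm_listeners "$2"); rc=0
  [ "$role" = manager ] && want=$MANAGER_PORTS || want=$WORKER_PORTS
  for p in $want; do
    printf '%s\n' "$have" | grep -qx "$p" || { echo "MISSING $p ($role)"; rc=1; }
  done
  return $rc
}

# Usage: the sample passes as a worker and, as expected, fails as a manager.
check_swarm_ports worker "$SAMPLE_WORKER" && echo "worker: all swarm listeners present"
check_swarm_ports manager "$SAMPLE_WORKER" || echo "manager: check failed, as expected for a worker listing"
echo "bound on all interfaces (scope these to the swarm nodes):"; exposed_listeners "$SAMPLE_WORKER"
```

On a real node, pipe the live listing in with `check_swarm_ports manager "$(netstat -tuplen 2>/dev/null)"`; a node that passes here but still fails `docker node ls` or overlay traffic points at a firewall or NSG between the nodes rather than at the daemon.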