Windows Container swarm publish port and not acces

Posted 2019-07-26 21:42

Question:

I use Windows containers and am trying to create a Docker swarm. I created three virtual machines using Hyper-V, and each OS is Windows Server 2016. The machines' IPs are:

windocker211    192.168.1.211
windocker212    192.168.1.212
windocker219    192.168.1.219

The Docker swarm nodes are:

PS C:\ConsoleZ> docker node ls
ID                            HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS
4c0g0o0uognheugw4do1a1h7y     windocker212          Ready               Active
bbxot0c8zijq7xw4lm86svgwp *   windocker219          Ready               Active              Leader
wftwpiqpqpbqfdvgenn787psj     windocker211          Ready               Active

I created the service using this command:

docker service create --name=demo5 -p 5005:5005 --replicas 6 192.168.1.245/cqgis/wintestcore:0.6

The Docker image is an ASP.NET Core app; the Dockerfile is:

FROM  192.168.1.245/win/aspnetcore-runtime:1.1.2
COPY . /app
WORKDIR /app

ENV ASPNETCORE_URLS http://*:5005

EXPOSE 5005/tcp

ENTRYPOINT ["dotnet", "dotnetcore.dll"]

Then it was created successfully:

PS C:\ConsoleZ> docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE                                 PORTS
omhu7e0vo96s        demo5               replicated          6/6                 192.168.1.245/cqgis/wintestcore:0.6   *:5005->5005/tcp


PS C:\ConsoleZ> docker service ps demo5
ID                  NAME                IMAGE                                 NODE                DESIRED STATE       CURRENT STATE                ERROR               PORTS
8pihnak9a2ei        demo5.1             192.168.1.245/cqgis/wintestcore:0.6   windocker212          Running             Running 59 seconds ago
ut3f3b9giu4w        demo5.2             192.168.1.245/cqgis/wintestcore:0.6   windocker219          Running             Running 47 seconds ago
iy1xjevt67yl        demo5.3             192.168.1.245/cqgis/wintestcore:0.6   windocker211          Running             Running about a minute ago
q7f1gnbwslr3        demo5.4             192.168.1.245/cqgis/wintestcore:0.6   windocker212          Running             Running about a minute ago
8zewaktcu32h        demo5.5             192.168.1.245/cqgis/wintestcore:0.6   windocker219          Running             Running about a minute ago
xq820kqwf3v9        demo5.6             192.168.1.245/cqgis/wintestcore:0.6   windocker211          Running             Running 55 seconds ago

But my question is that I can't access the site via any of:

http://192.168.1.219:5005/
http://192.168.1.219:5005/
http://192.168.1.219:5005/

When I use the command

docker run -it -p 5010:5005 192.168.1.245/cqgis/wintestcore:0.6

I can use http://192.168.1.219:5010/ to get the right result.

My docker info is:

PS C:\ConsoleZ> docker info
Containers: 4
 Running: 3
 Paused: 0
 Stopped: 1
Images: 5
Server Version: 17.06.0-ce-rc1
Storage Driver: windowsfilter
 Windows:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd json-file logentries splunk syslog
Swarm: active
 NodeID: bbxot0c8zijq7xw4lm86svgwp
 Is Manager: true
 ClusterID: 32vsgwrbn6ihvpevly71gkgxk
 Managers: 1
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0
 Root Rotation In Progress: false
 Node Address: 192.168.1.219
 Manager Addresses:
  192.168.1.219:2377
Default Isolation: process
Kernel Version: 10.0 14393 (14393.1198.amd64fre.rs1_release_sec.170427-1353)
Operating System: Windows Server 2016 Datacenter
OSType: windows
Architecture: x86_64
CPUs: 8
Total Memory: 2.89GiB
Name: windock219
ID: 7AOY:OT6V:BTJV:NCHA:3OF5:5WR5:K2YR:CFG3:VXLD:QTMD:GA3D:ZFJ2
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: -1
 Goroutines: 297
 System Time: 2017-06-04T19:58:20.7582294+08:00
 EventsListeners: 2
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
 192.168.1.245
 127.0.0.0/8
Live Restore Enabled: false

Answer 1:

I believe you need to publish the port in "host" mode (docs.microsoft.com/en-us/virtualization/windowscontainers/…). Also, it will be a one-to-one port mapping between the running container and the host, and hence you will not be able to run several containers on the same port. The routing mesh is not working on Windows yet.



Answer 2:

There are some differences in networking between Docker for Windows containers and Docker for Linux. Windows Containers use the Hyper-V network technologies to provide the virtual networking features that Docker uses. As a result, there are some restrictions, and things may not work like you would expect or as found in the standard Docker documentation.

  • First, you cannot access the website running inside your container by using the loopback address (127.0.0.1) or the host address (192.168.1.xxx). You always have to call it from a remote machine.
  • I saw you are using the EXPOSE command in your Dockerfile. It is not so self-explanatory, but EXPOSE is to expose a port in any network other than the host or ingress network. It's not a problem if you do that in a non-swarm configuration, but it does not work in a swarm. I suggest removing the EXPOSE command.
  • There are some unsolved problems with Windows networking. Sometimes the port stays in use after the container gets restarted, for example after a reboot of the host system. https://github.com/moby/moby/issues/21558

With this script you can remove all the virtual network settings:

Stop-Service docker
Get-ContainerNetwork | Remove-ContainerNetwork
Get-NetNat | Remove-NetNat
Get-VMSwitch | Remove-VMSwitch
Start-Service docker


Answer 3:

You cannot reach a container's published port from the same machine because of a limitation of the WinNAT networking. But you can reach the required port using an external request.

In your example, from a machine other than 192.168.1.219, accessing the URL http://192.168.1.219:5005/ will succeed. The URLs http://192.168.1.211:5005/ and http://192.168.1.212:5005/ will also succeed, provided the requests originate from outside those machines.

Using the 'host' mode will succeed: however, you are not getting the advantage of the 'routing mesh' feature which allows the service to be reachable from any of the services' nodes - only from that one single node.
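
The host-mode publishing suggested in the answers above, combined with a reachability check that accounts for the WinNAT same-host limitation, as an added example that is not part of the original question or answers. It assumes the installed Docker version accepts the long `--publish mode=host,...` syntax; the function names are hypothetical, and the image, port and node IPs are taken from the question.

```powershell
# Added example (not from the original thread).
# Values below come from the question; function names are hypothetical.
$Image = '192.168.1.245/cqgis/wintestcore:0.6'
$Port  = 5005
$Nodes = '192.168.1.211', '192.168.1.212', '192.168.1.219'

function New-HostModeService {
    param([string]$Name = 'demo5')
    # Remove an existing service of the same name so the port is free.
    if (docker service ls --filter "name=$Name" -q) {
        docker service rm $Name | Out-Null
    }
    # Host mode binds the port directly on every node that runs a task.
    # Two tasks on one node cannot share the same host port, so use
    # --mode global (one task per node) instead of --replicas 6.
    docker service create --name $Name --mode global `
        --publish "mode=host,target=$Port,published=$Port" $Image
    if ($LASTEXITCODE -ne 0) { throw "docker service create failed" }
}

function Test-PublishedPort {
    param([string[]]$Address, [int]$Port)
    # Addresses owned by the machine running this check.
    $local = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    foreach ($ip in $Address) {
        if ($local -contains $ip) {
            # WinNAT limitation described in the answers: a published
            # port is not reachable from the container host itself,
            # so a local failure says nothing about the service.
            [pscustomobject]@{ Node = $ip; Reachable = $null
                               Note = 'local node: test from a remote machine' }
            continue
        }
        $r = Test-NetConnection -ComputerName $ip -Port $Port `
                 -WarningAction SilentlyContinue
        [pscustomobject]@{ Node = $ip; Reachable = $r.TcpTestSucceeded
                           Note = '' }
    }
}

# Step 1, on the swarm manager (windocker219 in the question):
#   New-HostModeService
# Step 2, from a machine that is not a swarm node:
#   Test-PublishedPort -Address $Nodes -Port $Port | Format-Table
```

With host mode there is no routing mesh, so a node reports `Reachable = True` only if a task is actually running on it.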