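Features
- Load balancing for external access
- Service ports are exposed on every swarm node
- Internal load balancing is done through IPVS
Port exposure
# Service list; note the * in the port mapping `*:8000->8000/tcp`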
[vagrant@swarm-manager ~]$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
zq7ulpxk83nq busybox replicated 1/1 busybox:latest
q1j2ddophtom whoami replicated 1/1 jwilder/whoami:latest *:8000->8000/tcp
# Service placement
[vagrant@swarm-manager ~]$ docker service ps whoami
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
1diq1k8h38o5 whoami.1 jwilder/whoami:latest swarm-work1 Running Running about an hour ago
# Service test: whoami runs only on the swarm-work1 node, yet when we curl port 8000 on the swarm-manager node it responds normally as well
[vagrant@swarm-manager ~]$ curl 127.0.0.1:8000
I'm 299a5ba408cd
As for why this works, we can look at the iptables rules
[vagrant@swarm-manager ~]$ sudo iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER-INGRESS all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER-INGRESS all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-INGRESS (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:172.18.0.2:8000
RETURN all -- 0.0.0.0/0 0.0.0.0/0
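The key is this rule:
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:172.18.0.2:8000
The current host's IP on the docker_gwbridge network is 172.18.0.1, and 172.18.0.2 must be on the same network as the host, so running the following command confirms that 172.18.0.2 is the IP of the ingress-sbox container: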
docker network inspect docker_gwbridge
{
"Containers": {
"ingress-sbox": {
"Name": "gateway_ingress-sbox",
"EndpointID": "ac6e9807282e4884f07f6ebeefa2fa5d836a98b09f57efb2d147862c46ff1cc7",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
}
}
}
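The check walked through above can be scripted when auditing what a node exposes. This is an added example, not part of the original post: it reads the DNAT rules in the DOCKER-INGRESS chain and matches each target IP against the docker_gwbridge endpoints. The sample inputs are constructed from the outputs shown above, and the function names are hypothetical.

```python
import ipaddress
import json
import re

# Constructed samples, trimmed from the command outputs shown on this page.
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER-INGRESS all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain DOCKER-INGRESS (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:172.18.0.2:8000
RETURN all -- 0.0.0.0/0 0.0.0.0/0
"""
GWBRIDGE = ('{"Containers": {"ingress-sbox": {"Name": "gateway_ingress-sbox",'
            ' "IPv4Address": "172.18.0.2/16"}}}')

# Columns of `iptables -nL`: target prot opt source destination [match...]
DNAT_RE = re.compile(
    r"^DNAT\s+(\w+)\s+\S+\s+(\S+)\s+\S+\s+.*dpt:(\d+)\s+to:([\d.]+):(\d+)")

def ingress_dnat_rules(nat_listing):
    """Return the DNAT rules that sit inside the DOCKER-INGRESS chain only."""
    rules, chain = [], None
    for line in nat_listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif chain == "DOCKER-INGRESS":
            m = DNAT_RE.match(line)
            if m:
                proto, src, dport, ip, port = m.groups()
                rules.append({"proto": proto, "source": src,
                              "dport": int(dport), "to_ip": ip,
                              "to": f"{ip}:{port}"})
    return rules

def endpoint_ips(inspect_json):
    """Map endpoint IP -> name from `docker network inspect` output."""
    data = json.loads(inspect_json)
    if isinstance(data, list):  # the real command prints a JSON array
        data = data[0]
    return {str(ipaddress.ip_interface(c["IPv4Address"]).ip): name
            for name, c in data.get("Containers", {}).items()}

def audit(nat_listing, inspect_json):
    """List each published port, who receives it, and whether any source may connect."""
    owners = endpoint_ips(inspect_json)
    return [dict(r, owner=owners.get(r["to_ip"], "unknown"),
                 any_source=(r["source"] == "0.0.0.0/0"))
            for r in ingress_dnat_rules(nat_listing)]

if __name__ == "__main__":
    for row in audit(NAT_TABLE, GWBRIDGE):
        print(row)
```

On a live node, feed it the output of `sudo iptables -nL -t nat` and `docker network inspect docker_gwbridge`; a row with `any_source` set means the port is reachable on that node from any address unless something upstream filters it.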
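The two forms of the Routing Mesh
- Internal: container-to-container access goes through the overlay network (VIP)
- Ingress: if a service has a bound port, the service can be reached through the corresponding port on any swarm node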