Output of docker version:
Client:
Version: 1.12.0
API version: 1.24
Go version: go1.6.3
Git commit: 8eab29e
Built: Thu Jul 28 22:00:36 2016
OS/Arch: linux/amd64
Server:
Version: 1.12.0
API version: 1.24
Go version: go1.6.3
Git commit: 8eab29e
Built: Thu Jul 28 22:00:36 2016
OS/Arch: linux/amd64
Output of docker info:
Containers: 155
Running: 65
Paused: 0
Stopped: 90
Images: 57
Server Version: 1.12.0
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 868
Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: host overlay null bridge
Swarm: active
NodeID: 0ddz27v59pwh2g5rr1k32d9bv
Is Manager: true
ClusterID: 32c5sn0lgxoq9gsl1er0aucsr
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot interval: 10000
Heartbeat tick: 1
Election tick: 3
Dispatcher:
Heartbeat period: 5 seconds
CA configuration:
Expiry duration: 3 months
Node Address: 172.31.24.209
Runtimes: runc
Default Runtime: runc
Security Options: apparmor
Kernel Version: 3.13.0-92-generic
Operating System: Ubuntu 14.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.42 GiB
Name: ip-172-31-24-209
ID: 4LDN:RTAI:5KG5:KHR2:RD4D:MV5P:DEXQ:G5RE:AZBQ:OPQJ:N4DK:WCQQ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: panj
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
Additional environment details (AWS, VirtualBox, physical, etc.):
Steps to reproduce the issue:
docker service create \
--name debugging-simple-server \
--publish 80:3000 \
panj/debugging-simple-server
Try connecting to http://<public-ip>/.
Describe the results you received:
Neither ip nor header.x-forwarded-for is the correct user's IP address.
Describe the results you expected:
ip or header.x-forwarded-for should be the user's IP address.
The expected result can be achieved using a standalone Docker container: docker run -d -p 80:3000 panj/debugging-simple-server. You can see both results via the following links:
http://swarm.issue-25526.docker.takemetour.com:81/
http://container.issue-25526.docker.takemetour.com:82/
Additional information you deem important (e.g. issue happens only occasionally):
This happens in both global mode and replicated mode.
I am not sure if I missed anything that would solve this issue easily.
In the meantime, I think I have to use a workaround: run a proxy container outside of swarm mode and have it forward to the published port in swarm mode (SSL termination would have to be done in this container too), which defeats the purpose of swarm mode for self-healing and orchestration.
/cc @aluzzardi @mrjana asked
@PanJ can you please share some details on how debugging-simple-server determines the ip? Also, what is the expectation if a service is scaled to more than one replica across multiple hosts (or in global mode)?
@mavenugo it's koa's request object, which uses node's remoteAddress from the net module. The result should be the same for any other library that can retrieve the remote address.
The ip field should always be the remote address, regardless of configuration.
@PanJ are you still using your workaround, or have you found a better solution?
@PanJ When I run your app as a standalone container,
docker run -it --rm -p 80:3000 --name test panj/debugging-simple-server
and access the published port from another host, I get this:
vagrant@net-1:~$ curl 192.168.33.12
{"method":"GET","url":"/","header":{"user-agent":"curl/7.38.0","host":"192.168.33.12","accept":"*/*"},"ip":"::ffff:192.168.33.11","ips":[]}
vagrant@net-1:~$
192.168.33.11 is the IP of the host on which I am running curl. Is this the expected behavior?
@sanimej Yes, it should behave the same way in swarm mode as well.
@marech I am still using the standalone container as a workaround, which works fine.
In my case, there are 2 nginx instances: a standalone instance and a swarm instance. SSL termination and reverse proxying are done on the standalone nginx. The swarm instance is used to route to other services based on the request host.
@PanJ The way the published port of a container is accessed is different in swarm mode. In swarm mode, a service can be reached from any node in the cluster. To facilitate this, we route through the ingress network. 10.255.0.x is the address of the ingress network interface on the host in the cluster from which you try to reach the published port.
@sanimej I kind of saw how it works when I dug into the issue. However, the use case (the ability to retrieve the user's IP) is quite common.
I have limited knowledge of how the fix should be implemented. Maybe a special type of network that does not alter the source IP address?
Rancher is similar to Docker swarm mode and seems to have the expected behavior. Maybe it is a good place to start.
@sanimej a good idea could be to add all IPs to the X-Forwarded-For header if possible, so that we can see the whole chain.
@PanJ Hmm, and how does your nginx standalone container communicate with the swarm instance, via service name or IP? Maybe you can share the part of the nginx config where you pass traffic to the swarm instance.
@marech the standalone container listens on port 80 and then proxies to localhost:8181
server {
listen 80 default_server;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8181;
proxy_read_timeout 90;
}
}
If you have to do SSL termination, add another server block that listens on port 443, then does SSL termination and proxies to localhost:8181 as well.
The swarm mode nginx publishes 8181:80 and routes to other services based on the request host.
server {
listen 80;
server_name your.domain.com;
location / {
proxy_pass http://your-service:80;
proxy_set_header Host $host;
proxy_read_timeout 90;
}
}
server {
listen 80;
server_name another.domain.com;
location / {
proxy_pass http://another-service:80;
proxy_set_header Host $host;
proxy_read_timeout 90;
}
}
In our case, our API RateLimit and other functions depend on the user's IP address. Is there any way to skip the problem in swarm mode?
I also ran into this issue when trying to run logstash in swarm mode (for collecting syslog messages from various hosts). The logstash "host" field always appears as 10.255.0.x, instead of the actual IP of the connecting host. This makes it totally unusable, as you can't tell which host the log messages are coming from. Is there some way we can avoid translating the source IP?
+1 for a solution to this issue.
Without the ability to retrieve the user's IP, we cannot use monitoring solutions like Prometheus.
Perhaps the Linux kernel IPVS capabilities would be of some use here. I'm guessing that the IP change is taking place because the connections are being proxied in user space. IPVS, on the other hand, can redirect and load balance requests in kernel space without changing the source IP address. IPVS could also be good down the road for building in more advanced functionality, such as different load balancing algorithms, floating IP addresses, and direct routing.
For me, it would be enough if I could somehow find out the relation between the virtual IP and the IP of the server the endpoint belongs to. That way, when Prometheus sends an alert related to some virtual IP, I could find out which server is affected. It would not be a good solution, but it would be better than nothing.
@vfarcic I don't think that's possible with the way it works now. All client connections come from the same IP, so you can't translate it back. The only way that would work is if whatever is doing the proxy/NAT of the connections saved a connection log with timestamp, source IP, and source port. Even then, it wouldn't be much help in most use cases where the source IP is needed.
I probably did not explain the use case well.
I use Prometheus that is configured to scrape exporters that are running as Swarm global services. It uses tasks.
I noticed "docker network inspect".
Something like:
"Containers": {
"57bc4f3d826d4955deb32c3b71550473e55139a86bef7d5e584786a3a5fa6f37": {
"Name": "cadvisor.0.8d1s6qb63xdir22xyhrcjhgsa",
"EndpointID": "084a032fcd404ae1b51f33f07ffb2df9c1f9ec18276d2f414c2b453fc8e85576",
"MacAddress": "02:42:0a:00:00:1e",
"IPv4Address": "10.0.0.30/24",
"IPv6Address": "",
"Node": "swarm-4"
},
...
Note the addition of the "Node".
If such information were available for the whole cluster, not only for a single node, with the addition of a --filter argument: the container's IPv4 address and the node. It's not a great solution, but it is still better than nothing. Right now, when Prometheus detects a problem, I need to run "docker network inspect" on each node until I find the location of the address.
I agree with @dack.
The solution needs to work at the IP level, so that services that are not based on HTTP can work properly as well (they can't rely on HTTP headers...).
And I can't stress enough how important this is; without it, there are many services that simply can't operate at all in swarm mode.
That's how HAProxy is solving this issue: http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
@kobolog might be able to shed some light on this matter, given his talk on IPVS at DockerCon.
Just adding myself to the list. I'm using logstash to accept syslog messages, and they are all getting pushed into elasticsearch with the host IP set to 10.255.0.4, which makes it unusable, and I'm going to have to revert to my non-containerized logstash deployment if there's no fix for this.
@mrjana can you please add the suggestion you had to work around this problem?
IPVS is not a userspace reverse proxy which can fix up things at the HTTP layer. That is the difference between a userspace proxy like HAProxy and this. If you want to use HAProxy, you can do that by putting HAProxy in the cluster and having all of your service instances and HAProxy participate in the same network. That way HAProxy can fix up the HTTP header.x-forwarded-for. Or, if the L7 load balancer is external to the cluster, you can use the upcoming (in 1.13) feature for a new PublishMode called Host PublishMode, which exposes each of the individual instances of the service on its own individual port, and you can point your external load balancer to that.
@mrjana (currently in swarm mode
@dack my understanding is that the Docker ingress network already uses IPVS.
If you want to use HAProxy, you can do that by putting HAProxy in the cluster and having all of your service instances and HAProxy participate in the same network. That way HAProxy can fix up the HTTP header x-forwarded-for
@mrjana but the only way for HAProxy to get the client IP is
Put simply, there is absolutely no way to deal with this, as far as I know, as soon as you use Docker services and swarm mode.
It would be interesting if the author(s) of the Docker ingress network could join the discussion, as they would probably have some insight into how IPVS is configured/operated under the hood (there are many modes for IPVS) and how we can fix the issue.
@tlvenn Do you know where this is in the source code? I could be wrong, but I don't believe it is using IPVS, based on a few things I've observed.
Hi @dack,
From their blog:
Internally, we make this work using Linux IPVS, an in-kernel Layer 4 multi-protocol load balancer that's been in the Linux kernel for more than 15 years. With IPVS routing packets inside the kernel, swarm's routing mesh delivers high performance container-aware load-balancing.
The code source should live in the swarmkit project, if I am not wrong.
I wonder if @stevvooe can help us understand what the underlying issue is here.
OK, I've had a brief look through the code and I think I have a slightly better understanding of it now. It does indeed seem to be using IPVS, as stated in the blog. SNAT is done via an iptables rule which is set up in service_linux.go. If I understand correctly, the logic behind it would be something like this (assuming node A receives a client packet for a service running on node B):
I think the reason behind the SNAT is that the reply must go through the same node that the original request came through (as that's where the NAT/IPVS state is stored). As requests may come through any node, the SNAT is used so that the service node knows which node to route the request back through. In an IPVS setup with a single load balancing node, that wouldn't be an issue.
So, the question is then how to avoid the SNAT while still allowing all nodes to handle incoming client requests. I'm not totally sure what the best approach is. Maybe there's a way to have a state table on the service node so that it can use policy routing to direct replies instead of relying on SNAT. Or maybe some kind of encapsulation could help (VXLAN?). Or, the direct routing method of IPVS could be used. This would allow the service node to reply directly to the client (rather than via the node that received the original request) and would allow adding new floating IPs for services. However, it would also mean that the service can only be contacted via the floating IP and not the individual node IPs (not sure if that's a problem for any use cases).
Pretty interesting discovery @dack!
Hopefully a solution will be found to skip that SNAT altogether.
In the meantime, there may be a workaround that was committed not long ago, which introduces host-level port publishing with PublishMode, effectively bypassing the ingress network.
Thanks for all the feedback; we will take a deeper look at this issue after the weekend.
Some info in the meantime:
@tlvenn: @mrjana is the main author behind the ingress network feature. The source lives mostly in docker/libnetwork, with some in SwarmKit
@dack: it is indeed backed by IPVS
@tlvenn as far as I know, Docker Swarm uses masquerading, since it's the most straightforward way and is guaranteed to work in most configurations. Plus, this is the only mode that actually allows ports to be masqueraded too [re: @dack], which is handy. In theory, this issue could be solved by using IPIP encapsulation mode. The packet flow would be like this:
There are, of course, many caveats and things that can go wrong, but generally this is possible, and IPIP mode is widely used in production.
Hoping a solution can be found soon for this, as IP fixation and other security checks need to be able to receive the correct external IP.
Watching. Our product leverages source IP information for security and analytics.
@aluzzardi any update for us?
Bump, we need this to be working for a very large project we start early next year.
Examining the flow, it seems to currently work like this (in this example, node A receives the incoming traffic and node B is running the service container):
I think the SNAT could be avoided with something like this:
As an added bonus, no NAT state needs to be stored and overlay network traffic is reduced.
@aluzzardi @mrjana Any update on this, please? A little bit of feedback from Docker would be very much appreciated.
Watching. Without source IP information, most of our services can't work as expected.
How did that happen?
@tlvenn seems like a bug in GitHub?
@PanJ @tlvenn @vfarcic @dack and others, PTAL #27917. We introduced the ability to enable service publish mode = host, which provides a way for the service to bypass IPVS and bring back docker run -p like behavior, and will preserve the source IP for cases that need it.
Pls try 1.13.0-rc2 and provide feedback.
Yeah, pretty weird
Regarding the publish mode, I had already linked this from swarmkit above. This could be a workaround, but I truly hope a proper solution comes with Docker 1.13 to address this issue for good.
This issue could very much be categorized as a bug, because preserving the source IP is the behavior we as users expect, and it's a very serious limitation of Docker services right now.
I believe both @kobolog and @dack have come up with some potential leads on how to solve this
Can we please have some visibility on who is looking into this issue at Docker, and a status update? Thanks in advance.
Other than #27917, there is no other solution for 1.13. The direct-return functionality needs to be analyzed for various use cases and should not be taken lightly to be considered a bug fix. We can look into this for 1.14. But this also falls under the category of configurable LB behavior, which includes the algorithm (rr vs. 10 other methods) and the data path (LVS-DR, LVS-NAT and LVS-TUN). If someone is willing to contribute to this, pls push a PR and we can get that moving.
Fair enough I guess @mavenugo, given we have an alternative now.
At the very least, can we amend the docs for 1.13 so they clearly state that when using Docker services with the default ingress publishing mode, the source IP is not preserved, and hint at using host mode if this is a requirement for running the service?
I think this will help people who are migrating to services not to get burnt by this unexpected behavior.
Sure, and yes, a doc update indicating this behavior and the workaround of using publish mode=host will be useful for such use cases that fail in LVS-NAT mode.
Just checking back in to see if there have been any new developments in getting this real thing figured out? It certainly is a huge limitation for us as well.
Is a solution on the roadmap for Docker 1.14? We have delayed deploying our solutions that use docker, due in part to this issue.
Would love to see a custom header added to the http/https request which preserves the client IP. This should be possible, shouldn't it? I don't mind when X_Forwarded_for is overwritten, I just want to have a custom field that is only set the very first time the request enters the swarm.
Would love to see a custom header added to the http/https request which preserves the client IP. This should be possible, shouldn't it? I don't mind when X_Forwarded_for is overwritten, I just want to have a custom field that is only set the very first time the request enters the swarm.
Load balancing is done at L3/4. Adding an HTTP header is not possible.
A fix will involve removing the rewrite of the source address.
@mavenugo I used mode=host today. It currently works and the client IP is preserved, but I hope for a better solution :) Thanks for your work!
Sorry for double posting...
How can I use a stack file (yml v3) to get the same behavior as when I use --publish mode=host,target=80,published=80 via docker service create?
I tried
...
services:
proxy:
image: vfarcic/docker-flow-proxy:1.166
ports:
- "80:80/host"
- "443:443/host"
...
but that's not working (I used the same pattern as in https://docs.docker.com/docker-cloud/apps/stack-yaml-reference/#/ports)
How can I use a stack file (yml v3) to get the same behavior as when I use --publish mode=host,target=80,published=80 via docker service create?
@hamburml - keep an eye on the open issue/feature https://github.com/docker/docker/issues/30447
Unfortunately I cannot use mode=host as a workaround, because I need my service to communicate with the swarm network and also listen on all nodes, not just the host interface...
@tkeeler33 I think you should be able to deploy the service as a global service (which deploys an instance on each node in the swarm), and connect it to a swarm network to communicate with other services in the swarm.
@thaJeztah - Yes, but I can't connect a container to both an overlay/swarm network and host mode=host at the same time. That is my biggest limitation at the moment.
@tkeeler33 it seems to work for me;
$ docker network create -d overlay swarm-net
$ docker service create \
--name web \
--publish mode=host,published=80,target=80 \
--network swarm-net \
--mode=global \
nginx:alpine
$ docker service create --name something --network swarm-net nginx:alpine
Test whether the web service is able to connect to the something service on the same network;
docker exec -it web.xczrerg6yca1f8ruext0br2ow.kv8iqp0wdzj3bw7325j9lw8qe sh -c 'ping -c3 -w1 something'
PING something (10.0.0.4): 56 data bytes
64 bytes from 10.0.0.4: seq=0 ttl=64 time=0.251 ms
--- something ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.251/0.251/0.251 ms
@thaJeztah - Thank you! After digging deeper, I realized my problem was that I created my Docker network using the --opt encrypted option, which caused the container to fail connections from the host. Once I tried your steps, I was able to quickly narrow down the root cause. This option may be a good interim workaround; I just need to wrap my head around any security implications.
Greatly appreciate the info!
@tkeeler33 --opt encrypted should not affect host port mapping. The only purpose of the encrypted option is to encrypt the vxlan tunnel traffic between the nodes. From the docs: "If you are planning on creating an overlay network with encryption (--opt encrypted), you will also need to ensure protocol 50 (ESP) traffic is allowed". Can you please check your configuration to make sure ESP is allowed?
Also, the --opt encrypted option is purely data-plane encryption. All control-plane traffic (routing exchanges, service discovery distribution, etc.) is encrypted by default, even without the option.
@mavenugo You are correct. When I created a new network with --opt encrypted, it worked fine. When I compared the newly created network with my existing one, I noticed "Internal": true was set. That was likely the issue, and was a mistake during the initial network creation... Thanks for your help and clarification, it has been a long day...
@dack @kobolog In typical deployments of LVS-Tunnel and LVS-DR mode, the destination IP in the incoming packet will be the service VIP, which is also programmed as a non-ARP IP in the real servers. Routing mesh works in a fundamentally different way: the incoming request could be sent to any of the hosts. For the real server to accept the packet (in any LVS mode), the destination IP has to be changed to a local IP. There is no way for the reply packet from the backend container to go back with the right source address. Instead of direct return, we can try to get the reply packet back to the ingress host. But there is no clean way to do it except by changing the source IP, which brings us back to square one.
@thaJeztah I think we should clarify this in the documentation, suggest using host mode if the client IP has to be preserved, and resolve this issue.
@sanimej I still don't see why it is impossible to do this without NAT. Couldn't we just have the option to use, for example, the regular LVS-DR flow? Docker adds the non-arp vip to the appropriate nodes, LVS directs the incoming packets to the nodes, and outgoing packets return directly. Why does it matter that the incoming packet could hit any host? That's no different than standard LVS with multiple frontend and multiple backend servers.
@thaJeztah thanks for the workaround :)
If you are deploying your proxy with compose version 3, the new publish syntax is not supported, so we can patch the deployed service using this command (replace nginx_proxy with the service name)
docker service update nginx_proxy \
--publish-rm 80 \
--publish-add "mode=host,published=80,target=80" \
--publish-rm 443 \
--publish-add "mode=host,published=443,target=443"
@dack In the regular LVS-DR flow, the destination IP will be the service VIP. So the LB can send the packet to the backend without any destination IP change. This is not the case with routing mesh, because the incoming packet's destination IP will be one of the host's IPs.
@sanimej any feedback on the proposal above to solve this issue?
@tlvenn LVS-IP tunnel works very similarly to LVS-DR, except that the backend gets the packet through an IP-in-IP tunnel rather than a mac-rewrite. So it has the same problem for the routing mesh use case.
From the proposal you referred to..
The real server receives the enclosing packet, decapsulates it and sees real client IP as source and virtual service IP as destination.
The destination IP of the packet would be the IP of the host to which the client sent the packet, and not the VIP. If it is not rewritten, the real server would drop it after removing the outer IP header. If the destination IP is rewritten, the real server's reply to the client will have an incorrect source IP, resulting in connection failure.
Thanks for the clarification @sanimej. Could you perhaps implement the PROXY protocol? It would not provide a seamless solution, but at least it would offer the service a solution to resolve the user IP.
There is a kludgy way to achieve source IP preservation by splitting the source port range into blocks and assigning a block to each host in the cluster. Then it is possible to do a hybrid NAT + DR approach, where the ingress host does the usual SNAT and sends the packet to a real server. On the host where the real server is running, do a SNAT based on the source IP to change the source port to a port in the range assigned to the ingress host. Then, on the return packet from the container, match against the source port range (and the target port) and change the source IP to that of the ingress host.
Technically this would work, but it is impractical and fragile in real deployments where cluster members are added and removed quickly. It also reduces the port space significantly.
The NAT + DR approach I mentioned would not work, because the source IP can't be changed on the ingress host. Changing only the source port to one in the range for that particular host, and using routing policy from the backend host to get the packet back to the ingress host, might be an option. This still has the other issues I mentioned earlier.
@thaJeztah
Is there any workaround to forward the real IP address from the Nginx container to the web container?
I have an Nginx container running in global mode and published to host, so the Nginx container gets the correct IP address. Both containers see each other fine; however, the web container gets the Nginx container's IP address, not the client's.
Nginx is a reverse proxy for web, and web runs uwsgi on port 8000.
server {
resolver 127.0.0.11;
set $web_upstream http://web:8000;
listen 80;
server_name domain.com;
location / {
proxy_pass $web_upstream;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
@lpakula please check my answer above and this working nginx configuration
@pi0 Thanks for the reply
I'm using the nginx configuration from the link, but the IP address is still wrong, so I must be missing something in my configuration
Docker with an overlay network and two services:
docker service create --name nginx --network overlay_network --mode=global \
--publish mode=host,published=80,target=80 \
--publish mode=host,published=443,target=443 \
nginx:1.11.10
docker service create --name web --network overlay_network \
--replicas 1 \
web:newest
The Nginx container uses the latest official container https://hub.docker.com/_/nginx/
The web container runs a uwsgi server on port 8000
I'm using the global nginx.conf from the link, and conf.d/default.conf looks as follows:
server {
resolver 127.0.0.11;
set $web_upstream http://web:8000;
listen 80;
server_name domain.com;
location / {
proxy_pass $web_upstream;
}
}
And then the nginx container log:
194.168.X.X - - [17/Mar/2017:12:25:08 +0000] "GET / HTTP/1.1" 200
Web container log:
10.0.0.47 - - [17/Mar/2017 12:25:08] "GET / HTTP/1.1" 200 -
What is missing there?
The IP address will still be wrong. But it will add HTTP headers that contain the real IP address. You must configure the web server of your choice to trust the proxy (use the header instead of the source IP).
@lpakula Ah, there is another thing: your web:newest image needs to honor the X-Real-IP header too. nginx won't automatically change the sender's IP; it just sends a hint header.
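What honoring the proxy's hint header safely looks like in the backend, as an added example that is not part of the original thread: a Python helper that uses X-Forwarded-For only when the TCP peer is a trusted proxy and otherwise keeps the socket address. The trusted range 10.0.0.0/24 (the overlay subnet suggested by the 10.0.0.47 peer in the web container log above), the function names and the client addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the overlay subnet the host-mode nginx tasks connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse(value):
    """Return an ip_address object, or None if the text is not an IP."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they compare against IPv4 networks.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Pick the client address for a request.

    peer            -- address of the TCP peer (socket remote address)
    x_forwarded_for -- raw X-Forwarded-For header value, or None
    """
    peer_addr = _parse(peer)
    if peer_addr is None:
        raise ValueError("peer is not an IP address: %r" % (peer,))

    # A header sent by an untrusted peer is just client-controlled text.
    if not x_forwarded_for or not _is_trusted(peer_addr, trusted):
        return str(peer_addr)

    # Each proxy appends the address it saw, so walk from the right and stop
    # at the first hop that is not one of our own proxies. Anything further
    # left was supplied by that hop and cannot be verified.
    candidate = peer_addr
    for hop in reversed(x_forwarded_for.split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: keep the last verified address
        candidate = addr
        if not _is_trusted(addr, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: (peer, X-Forwarded-For)
    for peer, xff in [
        ("10.0.0.47", "203.0.113.9"),                 # via trusted nginx
        ("10.0.0.47", "198.51.100.7, 203.0.113.9"),   # client forged a prefix
        ("203.0.113.9", "198.51.100.7"),              # direct, forged header
    ]:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```
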
@pi0 @PanJ
It makes sense, thanks guys!
Bind the port using host mode.
nginx supports IP transparency using the TPROXY kernel module.
@stevvooe Can Docker do something like that too?
nginx supports IP transparency using the TPROXY kernel module.
@stevvooe Can Docker do something like that too?
Not likely, as the entries need to be tracked across nodes. I'll let @sanimej or @mavenugo.
Can swarm provide a REST API to get the client IP address?
@tonysongtl that's not related to this issue
Something else to consider is how your traffic is delivered to your nodes in a highly available setup. A node should be able to go down without creating errors for clients. The current recommendation is to use an external load balancer (ELB, F5, etc.) and load balance at Layer 4 to each Swarm node, with a simple Layer 4 health check. I believe F5 uses SNAT, so the best case in this configuration is to capture the single IP of your F5, and not the real client IP.
References:
https://docs.docker.com/engine/swarm/ingress/#configure-an-external-load-balancer
https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations
https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing
Mirroring the comment above,
Calico also has an ipip mode (https://docs.projectcalico.org/v2.2/usage/configuration/ip-in-ip) https://githubengineering.com/kubernetes-at-github/
Hi.
For the sake of understanding and completeness, let me summarize, and please correct me if I'm wrong:
The main issue is that containers aren't receiving the original src-IP but the swarm VIP. I have replicated this issue with the following scenario:
create docker swarm
docker service create --name web --publish 80:80 nginx
access.log source IP is 10.255.0.7 instead of client's browser IP
It looks like:
When services within swarm are using the (default) mesh, swarm does NAT to ensure traffic from the same origin is always sent to the same host-running-service?
Hence, it loses the original src-IP and replaces it with swarm's service VIP.
It seems the proposals from @kobolog https://github.com/moby/moby/issues/25526#issuecomment-258660348 and @dack https://github.com/moby/moby/issues/25526#issuecomment-260813865 were refuted by @sanimej https://github.com/moby/moby/issues/25526#issuecomment-280722179 https://github.com/moby/moby/issues/25526#issuecomment-281289906 but, TBH, his arguments aren't fully clear to me yet; nor do I understand why the thread hasn't been closed if this is definitively impossible.
@sanimej with this,
Wouldn't an option to enable "reverse proxy instead of NAT" for specific services solve all these issues and satisfy everybody?
On the other hand, IIUC, the only option left is to use https://docs.docker.com/engine/swarm/services/#publish-a-services-ports-directly-on-the-swarm-node, which -again, IIUC- seems to be like not using mesh at all, so I don't see the benefits of using swarm mode (vs. compose). In fact, it looks like pre-1.12 swarm, needing _Consul_ and so on.
Thanks for your help and patience.
Regards
@sanimej
Even more... why is Docker not just doing a port forwarding NAT (changing only the destination IP/port)?
Just want to chime in. While I do realize that there is no easy way to do this, not having the originating IP address preserved in some manner severely hampers a number of application use cases. Here are a few I can think of off the top of my head:
Being able to have metrics detailing where your users originate from is vital for network/service engineering.
In many security applications, you need access to the originating IP address in order to allow dynamic blacklisting based on service abuse.
Location-awareness services often need to be able to access the IP address in order to locate the user's general location when other methods fail.
From my reading of this issue thread, it does not seem that the given workarounds work very well when you want to have scalable services within a Docker Swarm. Limiting yourself to one instance per worker node greatly reduces the flexibility of the offering. Also, maintaining a hybrid approach of having an LB/proxy on the edge running as a non-Swarm orchestrated container, before feeding into Swarm orchestrated containers, seems like going back in time. Why should the user need to maintain 2 different paradigms for service orchestration? What about being able to dynamically scale the LB/proxy at the edge? That would have to be done manually, right?
Could the Docker team perhaps consider these comments and see if there is some way to introduce this functionality, while still maintaining the quality and flexibility present in the Docker ecosystem?
As a further aside, I'm currently getting hit by this. I have a web application which forwards authorized/authenticated requests to a downstream web server. Our service technicians need to be able to verify whether people have reached the downstream server, for which they like to use web access logs. In the current scenario, there is no way for me to provide that functionality, as my proxy server never sees the originating IP address. I want my application to be easily scalable, and it doesn't seem like I can do this with the workarounds presented, at least not without spinning up new VMs for each scaled instance.
@Jitsusama could Kubernetes solve your issue?
@thaJeztah using docker-compose
I tried
services:
math:
build: ./math
restart: always
ports:
- target: 12555
published: 12555
mode: host
But it seems to take 172.x.x.1 as the source IP
@trajano, I have no clue. Does Kubernetes somehow manage to get around this issue?
@Jitsusama
Yes, they have documentation on how they preserve the source IP. It works, but it's not so pretty if you don't use a load balancer, since packets get dropped on nodes without the endpoints. If you plan on using Rancher as your self-hosted load balancer, unfortunately it currently does not support it yet.
@trajano
But it seems to take 172.x.x.1 as the source IP
If you're accessing your application locally, this IP should be correct (if you use swarm), since docker_gwbridge is the interface that interacts with your proxy container. You can try accessing the app from another machine within your IP network to see if it picks up the right address.
As for the compose workaround, it is possible. Here, I use the image jwilder/nginx-proxy as my frontend reverse proxy (to simplify the concepts), along with the official build image of nginx as my backend service. I deploy the stack in Docker Swarm mode:
version: '3.3'
services:
nginx-proxy:
image: 'jwilder/nginx-proxy:alpine'
deploy:
mode: global
ports:
- target: 80
published: 80
protocol: tcp
mode: host
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
nginx:
image: 'nginx:1.13.5-alpine'
deploy:
replicas: 3
ports:
- 80
- 443
environment:
- VIRTUAL_HOST=website.local
$ echo '127.0.0.1 website.local' | sudo tee -a /etc/hosts
$ docker stack deploy --compose-file docker-compose.yml website
This creates a website_default network for the stack. My endpoint is defined in the environment variable VIRTUAL_HOST, and accessing http://website.local gives me:
website_nginx-proxy.0.ny152x5l9sh7@Sherry | nginx.1 | website.local 172.18.0.1 - - [08/Sep/2017:21:33:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36"
website_nginx.1.vskh5941kgkb@Sherry | 10.0.1.3 - - [08/Sep/2017:21:33:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.18.0.1"
Note that the end of the header for website_nginx.1.vskh5941kgkb has a hint of the original IP (172.18.0.1). X-Forwarded-For and X-Real-IP are set in the nginx.tmpl of jwilder/nginx-proxy by default.
For port 443, I was not able to add both ports in the docker-compose file, so I just use:
docker service update website_nginx-proxy \
--publish-rm 80 \
--publish-add "mode=host,published=80,target=80" \
--publish-rm 443 \
--publish-add "mode=host,published=443,target=443" \
--network-add "<network>"
while also adding the networks that I want to reverse proxy, with apps that contain the environment variable VIRTUAL_HOST. More granular options are available in the documentation of jwilder/nginx-proxy, or you can create your own setup.
Ingress controllers on Kubernetes essentially do the same thing: ingress charts (usually) support X-Forwarded-For and X-Real-IP, with a bit more flexibility in the choice and type of ingresses, and also in their deployment replicas.
So the kubernetes documentation is not complete. Another way, which is pretty commonly used, is actually ingress + proxy protocol.
https://www.haproxy.com/blog/haproxy/proxy-protocol/
Proxy protocol is a widely accepted protocol that preserves source information. Haproxy comes with built-in support for proxy protocol. Nginx can read but not inject proxy protocol.
Once the proxy protocol is set up, you can access that information from any downstream services, like
https://github.com/nginxinc/kubernetes-ingress/blob/master/examples/proxy-protocol/README.md
Even openshift leverages this for source IP information
https://docs.openshift.org/latest/install_config/router/proxy_protocol.html
This is the latest haproxy ingress for k8s that injects proxy protocol.
The way to do this in swarm is to make the ingress able to read proxy protocol (in case it's receiving traffic from an upstream LB that has already injected proxy protocol) as well as inject proxy protocol information (in case all the traffic actually hits the ingress first).
I am not in favour of doing it any other way, especially when there is a generally accepted standard to do this.
Traefikã¯æ°é±éåã«proxy_protocolãµããŒããè¿œå ããv1.4.0-rc1以éã§å©çšå¯èœã§ãã
ããã¯ãdockerswarmã®å
¥åã¬ãã«ã§å®è¡ããå¿
èŠããããŸãã å
¥åã®å Žå
ãããã·ãããã³ã«ããŒã¿ã泚å
¥ãããããŠã³ã¹ããªãŒã ãµãŒãã¹ã泚å
¥ããŸãã
ïŒtraefixãnginxãªã©ãå«ãïŒã¯ãããèªã¿åãããšãã§ããŸãã
2017幎9æ10æ¥21:42ã«ããmonotykamaryã [email protected]ã¯æ¬¡ã®ããã«æžããŠããŸãã
Traefikã¯proxy_protocolãµããŒããè¿œå ããŸãã
https://github.com/containous/traefik/pull/2004æ°é±éåã§ããã
v1.4.0-rc1以éã§å©çšã§ããŸããâ
im also a bit confused about the relationship of this bug to infrakit. e.g. https:
Will swarm roll up into infrakit? I am especially keen on the ingress side of it.
We are running into this issue as well. I want to know the client IP and the requested IP for inbound connections. For example, if a user makes a raw TCP connection to our server, I want to know what their IP is and which IP on our machine they connected to.
@blazedd As commented previously and in other threads, this is actually possible using publishMode, i.e. the services are not handled by the mesh network.
IIUC, some progress is being made towards improving how ingress handles this, but that is actually the only solution.
To avoid external LB configuration, we deployed our nginx service using publishmode and mode:global.
@mostolog Thanks for your reply. Just a few notes:
publishMode does not resolve the issue at all. Inbound socket connections still resolve to the local network that swarm sets up, at least when you use the ports list with mode: host.
nginx is not really a good solution. Our application is TCP based, but it is not a web server. There are no headers we can use without coding it manually.
If I use docker run --net=host ..., everything works fine.
@blazedd Our stack has the following:
ports:
  - target: 80
    published: 80
    protocol: tcp
    mode: host
So I would bet that the real IPs end up in our logs.
@mostolog It does not work on Windows, at least. I am still getting the 172.0.0.x address as the source.
@mostolog mode: host does not expose the container to the host network. It removes the container from the ingress network, which is how Docker normally operates when running a container. It replicates the --publish 8080:8080 used in a docker run command. If nginx is getting real IPs, that is not a result of the socket being connected to those IPs directly. To test this, you should seriously consider using a raw TCP implementation or an HTTP server without a framework, and check the reported address.
Why not use an IPVS route network directly to the container? Bind the IPs of all swarm nodes' overlay interfaces as virtual IPs and use ip rule from xxx table xxx to create a multi-gateway; then the swarm nodes can route the client directly to the container (DNAT), without any userspace network proxy daemon (dockerd).
@blazedd Have you tried it? I am getting external IP addresses when following @mostolog's example.
I am running into this issue again.
My setup is as follows:
I would like to deploy a stack to the swarm and have it listen on port 80 of the virtual IP without mangling the addresses.
I can almost get there by doing this:
ports:
  - target: 80
    published: 80
    protocol: tcp
    mode: host
The problem here is that it does not let you specify which IP address to bind to; it just binds to all of them. This creates problems if you want to run more than one service using that port. It needs to bind to only one IP. Using different ports is not an option with DR load balancing. The developers seem to have assumed that the same IP will never exist on multiple nodes, which is not the case when using a DR load balancer.
In addition, if you use the short syntax, the bind IP is ignored and it binds to all addresses. The only way to bind to a single IP is to run a non-clustered container (not a service or stack).
So now I have to use standalone containers and manage them myself, instead of relying on the service/stack features.
We have the same problem.
I would vote for a transparent solution within the docker ingress that allows all applications (some use raw UDP/TCP, not only HTTP) to work as expected.
I could use the "mode=host port publishing" workaround, since my service is deployed globally.
However, that seems to be incompatible with the macvlan network driver, which I need for other reasons.
We get logs like "macvlan driver does not support port mappings".
I tried using multiple networks, but it did not help.
I created a specific ticket here: https:
That leaves me with no solution for now :'(
Hi guys,
Is there a workaround for now, without publishing it as a host
port?
On 11 Jan 2018 at 00:03, "OlivierVoortman" wrote:
> We have the same problem.
> I would vote for a transparent solution within Docker Ingress that allows all
> applications (some use raw UDP/TCP, not only HTTP) to work as
> expected. I could use the "mode=host port publishing" workaround, since my
> service is deployed globally.
> However, that seems to be incompatible with the macvlan
> network driver, which I need for other reasons.
> We get logs like "macvlan driver does not support port mappings".
> I tried using multiple networks, but it did not help. I created a specific ticket here: docker/libnetwork#2050
> https://github.com/docker/libnetwork/issues/2050
> That leaves me with no solution for now :'(
It is really a pity that it is not possible to get the client's IP. This makes most of the nice features of docker swarm unusable.
In my setup, the only way to get the client's IP is to use network_mode:host and not use swarm at all.
Using mode=host port publishing or a traditional docker run -p "80:80" ... did not work either.
Some solutions were suggested in https://github.com/moby/moby/issues/15086, but the only solution that worked for me was "host" networking...
Another issue with not having the right IP is that nginx rate limiting does not work correctly and therefore cannot be used with the docker swarm load balancer, because nginx counts all requests as coming from a single user/IP, so requests get rate limited and denied. So the only workaround is to use mode=host, but that way I lose the load-balancing capabilities and have to point DNS to specific instances.
Perhaps docker is not the ideal tool for this job. I was looking into vagrant to set up the front-facing HTTP servers and put the client IP into the HTTP request headers.
Until Docker is able to pass client information over overlay networks, you can use a proxy such as Docker Flow Proxy or Traefik, publish the desired ports in host mode in that service, and connect the application services to it. It is not a complete solution, but it works pretty well and allows load balancing of the application services and retrieval of the client IP.
@deeeky666 Traefik and similar only work if not dockerized
I don't see udo support in traefik
Sent from my iPhone
Finally, we gave up on Docker containers. It is not production ready!
On Wed, Jan 24, 2018 at 5:43, Efrain wrote:
> I don't see udo support in traefik
> Sent from my iPhone
The problem seems to be partially solved in 17.12.0-ce by using mode=host.
docker service create --publish mode=host,target=80,published=80 --name=nginx nginx
It has some limitations (no routing mesh), but it works!
@goetas mode=host has worked for a while as a workaround, so I would not say the problem is solved in any way. Using mode=host has many limitations: the port is exposed, swarm load balancing cannot be used, and so on.
@darklow I know the limitations, but for my use case it is fine (if not even better!). In 17.09.1-ce it was not working at all, so for me it is already an improvement!
The big drawback of this workaround is that you cannot avoid downtime during updates.
Currently, we have to choose between giving up stability and giving up the source IP address.
I agree. Swarm needs a high-availability way to preserve the source IP.
Probably using proxy protocol. I don't think it is a huge effort to add
proxy protocol support to docker swarm.
Is anyone looking into this?
On 28 Jan 2018 at 22:39, "Genki Takiuchi" wrote:
> The big drawback of this workaround is that you cannot avoid downtime
> during updates.
> Currently, we have to choose between giving up stability and giving up the source IP
> address.
@sandys I agree. Proxy protocol is a great idea.
@thaJeztah @aluzzardi @mrjana Could this issue get some attention, please? There has been no response from the team for a while. Thank you.
Proxy protocol sounds like the best solution to me. Hopefully the team will consider it.
@goetas It worked at least at one point, but it seems to have reverted to the 172.xxx behaviour again in docker 1.12.6.
This is very bad: it mitigates any rate limiting, fraud prevention, logging, secure logins, session monitoring and so on.
Listening with mode:host
This is a very critical and important bug for us, and it is blocking our go-live with Swarm. We also believe that proxy protocol is the right solution for this. The Docker ingress must pass the source IP on via proxy protocol.
One of the solutions proposed on Twitter is to use Traefik as an ingress managed outside of Swarm. That is highly suboptimal for us, and not an overhead we would like to manage.
If the Swarm devs want to see how to implement proxy protocol in Swarm-ingress, they should check out all the bugs being discussed in Traefik (e.g. https://github.com/containous/traefik/issues/2619)
I got this working consistently using "compose" rather than swarm mode. Maybe something to think about.
A few concerns with proxy protocol:
Is it decoded by Docker itself, or by the application? If we rely on the application to implement proxy protocol, then this is not a general solution for all applications and only works for web servers or other applications that implement proxy protocol. If Docker unwraps the proxy protocol and translates the address, then it also has to track the connection state and perform the inverse translation on outgoing packets. I am not in favour of a web-specific solution (relying on proxy protocol in the application), as Docker is useful for many non-web applications as well. This issue should be addressed for the general case of any TCP/UDP application; nothing else in Docker is web-specific.
As with any other encapsulation method, there is also the concern of packet size/MTU issues. However, I think that will probably be a concern with just about any solution to this issue. The answer will likely be to make sure your swarm network supports an MTU large enough to allow for the overhead. I would think most swarms run on local networks, so that is probably not a major issue.
@trajano We know it works with host networking (which is probably what your compose solution is doing). However, that throws away all of the cluster networking advantages of swarm (such as load balancing).
@dack Backends must know about proxy protocol.
I think it solves most cases, and at least you can put a thin passthrough-like proxy that processes the protocol header in front of your backends inside the containers.
Because the lack of information is a deadly issue, I believe it is necessary to solve it as quickly as possible, ahead of other neat solutions.
Proxy protocol has wide acceptance. Check out the number of tools that support it - https://www.haproxy.com/blog/haproxy/proxy-protocol/
That does not even cover the cloud load balancers (ELB, Google LB) and newer tools such as Traefik.
Also, this is pretty much the standard in kubernetes: https:
At this point, proxy protocol is the most widely accepted standard for solving this problem. I do not see massive value in reinventing this and breaking compatibility with the nginxes of the world.
These are L7 protocols. Swarm ingress is L4. Nothing is being reinvented here; it is all IPVS using DNAT.
@cpuguy83 I could not understand what you meant just now.
Proxy protocol is layer 4.
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
The PROXY protocol's goal is to fill the server's internal structures with the
information collected by the proxy that the server would have been able to get
by itself if the client was connecting directly to the server instead of via a
proxy. The information carried by the protocol are the ones the server would
get using getsockname() and getpeername() :
- address family (AF_INET for IPv4, AF_INET6 for IPv6, AF_UNIX)
- socket protocol (SOCK_STREAM for TCP, SOCK_DGRAM for UDP)
- layer 3 source and destination addresses
- layer 4 source and destination ports if any
http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-accept-proxy
accept-proxy
Enforces the use of the PROXY protocol over any connection accepted by any of
the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
are supported and correctly detected. The PROXY protocol dictates the layer
3/4 addresses of the incoming connection to be used everywhere an address is
used, with the only exception of "tcp-request connection" rules which will
only see the real connection address. Logs will reflect the addresses
indicated in the protocol, unless it is violated, in which case the real
address will still be used. This keyword combined with support from external
components can be used as an efficient and reliable alternative to the
X-Forwarded-For mechanism which is not always reliable and not even always
usable. See also "tcp-request connection expect-proxy" for a finer-grained
setting of which client is allowed to use the protocol.
Are you saying there was a better way than proxy protocol? That is entirely possible, and I would love to know more in the context of source IP preservation in docker swarm. However, proxy protocol is more widely supported by other tools (such as nginx) that would be downstream of swarm-ingress, as well as by tools like AWS ELB that would be upstream of swarm-ingress. That was my only $0.02.
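The PROXY protocol v1 line described in the quoted specification, read on the receiving side, as an added example that is not part of the original thread or of any project named in it. It assumes the sender is a proxy on the ingress subnet seen in this thread's logs (10.255.0.0/16); the function names and sample bytes are made up for illustration. The header is honoured only from a trusted peer, because any client that can reach the port could otherwise claim an arbitrary source address.

```python
import ipaddress

# Assumption: the only peers allowed to send a PROXY header are on the Swarm
# ingress overlay subnet that shows up in this thread's logs (10.255.0.x).
TRUSTED_PROXIES = [ipaddress.ip_network("10.255.0.0/16")]
MAX_V1_HEADER = 107  # longest possible v1 line, CRLF included (per the spec)


class ProxyHeaderError(ValueError):
    """A trusted peer sent a missing or malformed PROXY v1 header."""


def is_trusted(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def _port(text):
    if not text.isdigit() or int(text) > 65535:
        raise ProxyHeaderError("bad port: %r" % text)
    return int(text)


def parse_proxy_v1(data):
    """Split `data` (bytes) into (info, payload).

    info is a dict with source/destination address and port, or None for
    "PROXY UNKNOWN". payload is whatever follows the header line.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("no PROXY v1 line within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII bytes in header") from None
    payload = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unexpected field layout")
    want_version = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src.version != want_version or dst.version != want_version:
        raise ProxyHeaderError("address family does not match " + fields[1])
    info = {"src": str(src), "dst": str(dst),
            "src_port": _port(fields[4]), "dst_port": _port(fields[5])}
    return info, payload


def client_address(peer_ip, first_bytes):
    """Return (client_ip, payload) for a freshly accepted connection.

    Untrusted peers are treated as direct clients and their bytes are left
    untouched. A trusted peer must send a valid header, else we raise.
    """
    if not is_trusted(peer_ip):
        return peer_ip, first_bytes
    info, payload = parse_proxy_v1(first_bytes)
    return (info["src"] if info else peer_ip), payload


# Constructed sample: the first bytes an injecting proxy would send.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.1.3 51234 80\r\nGET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(client_address("10.255.0.2", SAMPLE))    # header honoured
    print(client_address("198.51.100.9", SAMPLE))  # header ignored, peer kept
```

Rejecting a trusted peer's connection when the header is missing or malformed mirrors the "accept-proxy" behaviour quoted above, where the protocol is enforced on the listening socket.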
@sandys Proxy protocol looks like encapsulation (at least at connection initiation), which requires knowledge of the encapsulation from the receiver all the way down the stack. There would be a lot of trade-offs to this approach.
I would not want to support this in core, but perhaps making ingress pluggable would be a worthwhile approach.
> @sandys https://github.com/sandys Proxy protocol looks like
> encapsulation (at least at connection initiation), which requires knowledge
> of the encapsulation from the receiver all the way down the stack.
> There would be a lot of trade-offs to this approach.
That is true. Which is pretty much why it is a standard with an RFC. There is
momentum behind this, though: pretty much every component of importance
supports it. IMHO it is not a bad decision to support it.
> I would not want to support this in core, but perhaps making ingress
> pluggable would be a worthwhile approach.
This is a larger discussion. However, I might add that the single biggest
advantage of Docker Swarm over others is that it has all batteries
built in.
Still, proxy protocol is a solution to this problem
that has industry support.
Can't we simulate an L3 router on Linux and LXC (not specifically docker)?
@trajano Simulation is not needed; encapsulation is what is needed to solve this problem.
For example, an option (e.g. --use-proxy-protocol) could be provided for services that need the client IP address and know how to handle encapsulated packets, such as nginx.
As it currently works, the docker node that receives the packet performs SNAT and forwards the packet to the node with the application container. If some form of tunneling/encapsulation were used instead of SNAT, it should be possible to pass the original, unaltered packet to the application.
This is a solved problem in other projects. For example, with OpenStack you can use tunnels such as GRE and VXLAN.
Is anyone in the recent part of this thread here to represent the Docker team and at least say "we hear you"? It seems quite something that a feature you would expect to work out of the box, and of such interest to the community, is still not resolved after first being reported on August 9th, 2016, some 18 months ago.
> Is anyone in the recent part of this thread here to represent the Docker team and at least say "we hear you"?
/cc @GordonTheTurtle @thaJeztah @riyazdf @aluzzardi
@bluejaguar @ruudboon I am part of Docker. This is a well-known issue. Right now the network team is focused on long-standing bugs with overlay networking stability. That is why there have not really been new networking features in the last few releases.
My suggestion would be to come up with a concrete proposal that you are willing to work on to resolve the issue, or at least a proposal good enough that anyone could take it and run with it.
@cpuguy83 I https:
In addition, ELB added support for Proxy Protocol v2 in November 2017 (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/doc-history.html)
Openstack Octavia LB-as-a-service (similar to our ingress) merged proxy protocol last April - http://git.openstack.org/cgit/openstack/octavia/commit/?id=bf7693dfd884329f7d1169eec33eb03d2ae81ace
Here is some of the documentation on proxy protocol in openstack - https://docs.openshift.com/container-platform/3.5/install_config/router/proxy_protocol.html
Some of the nuances concern proxy protocol for https (both when you terminate certificates at the ingress and when you do not).
Are there any updates/workarounds for this issue? We really need to know the client IP in docker swarm mode.
Any help would be much appreciated.
My version:
Client:
Version: 18.02.0-ce
API version: 1.36
Go version: go1.9.3
Git commit: fc4de44
Built: Wed Feb 7 21:16:33 2018
OS/Arch: linux/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.02.0-ce
API version: 1.36 (minimum version 1.12)
Go version: go1.9.3
Git commit: fc4de44
Built: Wed Feb 7 21:15:05 2018
OS/Arch: linux/amd64
Experimental: false
@adijes, and other users who are facing this problem: you can bind the containers to the bridge network (as someone in this thread has mentioned).
version: "3.4"
services:
  frontend:
    image: nginx
    deploy:
      placement:
        constraints:
          - node.hostname == "prod1"
    networks:
      - default
      - bridge
  # backed services...
  # ...
networks:
  bridge:
    external:
      name: bridge
frontend is bound to bridge and always stays on an exact host, whose IP is bound to our public domain. This enables it to receive the real user IP. And because it is also bound to the default network, it can connect to the backed services.
You can also scale the frontend, as long as you keep it live on that single host. This makes the host a single point of failure, but (I think) that is OK for a small site.
Edited to add more information:
My nginx containers are behind https://github.com/jwilder/nginx-proxy, and I use https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion to enable SSL; it is run via the docker run command. Perhaps that is why I get the real IP from clients. The bridge network is required so that my nginx containers can communicate with nginx-proxy.
FWIW, I am using:
Client:
Version: 17.09.1-ce
API version: 1.32
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:23:40 2017
OS/Arch: linux/amd64
Server:
Version: 17.09.1-ce
API version: 1.32 (minimum version 1.12)
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:25:03 2017
OS/Arch: linux/amd64
Experimental: false
The above setup also works on another setup, which is running:
Client:
Version: 17.09.1-ce
API version: 1.32
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:23:40 2017
OS/Arch: linux/amd64
Server:
Version: 17.09.1-ce
API version: 1.32 (minimum version 1.12)
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:25:03 2017
OS/Arch: linux/amd64
Experimental: false
@letientai299 That does not work for me.
network "bridge" is declared as external, but it is not in the right scope: "local" instead of "swarm"
I have a master node and three worker nodes.
@trajano, see my update!
@letientai299 Actually, I was wondering how you got bridge to work in swarm mode, i.e. you did not get the error I have.
@dack When you say host networking, I presume you mean having
ports:
  - target: 12555
    published: 12555
    protocol: tcp
    mode: host
Unfortunately, when run in docker stack deploy mode it does not work and the source IP is lost, whereas docker-compose up works correctly.
I tried the following, based on @goetas:
docker service create --constraint node.hostname==exposedhost \
--publish published=12555,target=12555,mode=host \
trajano.net/myimage
Still no luck getting the source IP. This is on Server Version: 17.12.0-ce
It seems like something everyone would want at some point, and since it is not really possible to use overlay networks together with a bridge/host network, this is a blocker when you really need the client IP for various reasons.
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:03:51 2017
OS/Arch: darwin/amd64
Server:
Engine:
Version: 17.12.1-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.4
Git commit: 7390fc6
Built: Tue Feb 27 22:17:54 2018
OS/Arch: linux/amd64
Experimental: true
It's 2018. Is there anything new on this issue?
In swarm mode, I cannot use nginx req limit. $remote_addr always catches 10.255.0.2.
This is a really serious problem with docker swarm.
Maybe I should try kubernetes starting today.
@Maslow I posted where we are a few comments above.
Can we relax the check for
networks:
  bridge:
    external:
      name: bridge
or extend it as follows
networks:
  bridge:
    external:
      name: bridge
    scope: local
where scope: local networks are only allowed if the network mode is host,
network "bridge" is declared as external, but it is not in the right scope: "local" instead of "swarm"
or allow
networks:
  bridge:
    driver: bridge
so that it does not fail with
failed to create service trajano_serv: Error response from daemon: The network trajano_bridge cannot be used with services. Only networks scoped to the swarm can be used, such as those created with the overlay driver.
when the published ports have mode: host.
ports:
  - target: 32555
    published: 32555
    protocol: tcp
    mode: host
@trajano You can already use non-swarm scoped networks with swarm... e.g. this works:
version: '3.4'
services:
  test:
    image: alpine
    command: top
    ports:
      - target: 32555
        published: 32555
        protocol: tcp
        mode: host
    networks:
      - bridge
networks:
  bridge:
    external:
      name: bridge
Did you test this on a swarm with multiple workers, using docker stack deploy? I know it works with compose.
On Mar 18, 2018, at 8:55 PM, Brian Goff wrote:
> @trajano You can already use non-swarm scoped networks with swarm... e.g. this works:
> version: '3.4'
> services:
>   test:
>     image: alpine
>     command: top
>     ports:
>       - target: 32555
>         published: 32555
>         protocol: tcp
>         mode: host
>     networks:
>       - bridge
> networks:
>   bridge:
>     external:
>       name: bridge
Yes, I am doing this through swarm...
On Mon, Mar 19, 2018 at 9:12 AM, Archimedes Trajano wrote:
> Did you test this on a swarm with multiple workers, using docker stack
> deploy? I know it works with compose.
-
+1
I am having this problem with the following docker swarm load balancing across 3 nodes:
overlay network <-> nginx proxy jwilder docker <-> nginx web head docker
I followed the suggestions, but the logs keep returning the docker network IP 10.255.0.3 instead of the real client IP.
+1
@cpuguy83 This has started to become a blocker for our larger swarm setups. As we start to leverage more of the cloud (where proxy protocol is used de facto by load balancers), we are losing this information, which is very important to us.
Do you have any idea of an ETA? That would help us a lot.
@sandys An ETA for what, exactly?
@cpuguy83 Hi, thanks for your reply.
When do you think this issue would be taken up (if at all)?
Note that you can solve this problem by running a global service and publishing ports using PublishMode=host. If you know which node people will connect to, you do not even need that; just use a constraint to pin it to that node.
@kleptog Partially, you cannot. It cannot avoid downtime while updating the service.
Test scenario: a closer look at lvs/ipvs.
With that, the source IP is preserved.
I am still trying to understand the overhead implications of maintaining policy-based routing in each service container instead of having only the snat rule in the ingress container.
It would be a real relief to have this working, though.
Sorry for my naive fiddling, but could someone (@dack?)
Ah, I just got it. In a multinode swarm, the IP must be the lvs director's, to find its way back to the right node the request came in on...
It would be interesting to see the code anyway. If someone already knows, it could save me some time. Thank you.
Any updates on this? I have three clusters in different countries, and even Azure Traffic Manager needs the real user IP; otherwise it will not redirect users to the right cluster, etc. Will anyone check this soon, or ever? Thanks.
I also need an update on this. It is a huge gotcha: the only way around it is to add another proxy in front and send x-forwarded-for to the stack, which means that Swarm is not an option for public-facing traffic in many scenarios.
@cpuguy83 @trajano
I can confirm that the following does not work:
version: '3.4'
services:
  nginx:
    ports:
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      - mode: host
        protocol: tcp
        published: 443
        target: 81
networks:
  bridge:
    external:
      name: bridge
It fails with
network "bridge" is declared as external, but it is not in the right scope: "local" instead of "swarm"
Docker version
Client:
Version: 18.03.0-ce-rc4
API version: 1.37
Go version: go1.9.4
Git commit: fbedb97
Built: Thu Mar 15 07:33:59 2018
OS/Arch: windows/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.03.0-ce
API version: 1.37 (minimum version 1.12)
Go version: go1.9.4
Git commit: 0520e24
Built: Wed Mar 21 23:08:31 2018
OS/Arch: linux/amd64
Experimental: false
@Mobe91
Try recreating the swarm. I also got an error. After re-initializing the swarm, everything worked for me.
My docker-compose.yml file:
version: "3.6"
services:
  nginx:
    image: nginx:latest
    depends_on:
      - my-app
      - my-admin
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 9080
        published: 9080
        protocol: tcp
        mode: host
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - /home/project/data/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - /home/project/data/nginx/conf.d:/etc/nginx/conf.d
      - /home/project/public:/var/public
    networks:
      - my-network
      - bridge
    deploy:
      placement:
        constraints: [node.role == manager]
  my-app:
    image: my-app
    ports:
      - 8080:8080
    volumes:
      - /usr/src/app/node_modules
      - /home/project/public:/usr/src/app/public
    networks:
      - my-network
  my-admin:
    image: my-admin
    ports:
      - 9000:9000
    networks:
      - my-network
networks:
  my-network:
  bridge:
    external: true
    name: bridge
My docker version:
Client:
Version: 18.03.0-ce
API version: 1.37
Go version: go1.9.4
Git commit: 0520e24
Built: Wed Mar 21 23:10:01 2018
OS/Arch: linux/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.03.0-ce
API version: 1.37 (minimum version 1.12)
Go version: go1.9.4
Git commit: 0520e24
Built: Wed Mar 21 23:08:31 2018
OS/Arch: linux/amd64
Experimental: false
Sorry for my English.
@Mobe91 This is what I used, but I deploy from "portainer" or from a Linux machine. I cannot get it to deploy properly from Windows.
version: '3.4'
services:
  hath:
    image: trajano.net/hath
    deploy:
      placement:
        constraints:
          - node.hostname==docker-engine
    networks:
      - host
    ports:
      - target: 12555
        published: 12555
        protocol: tcp
        mode: host
    secrets:
      - hath_client_login
    volumes:
      - hath:/var/lib/hath
volumes:
  hath:
    name: 'noriko/s/hath'
    driver: cifs
networks:
  host:
    external:
      name: host
secrets:
  hath_client_login:
    external:
      name: hath_client_login
The main difference is that I use host rather than bridge.
Of course, there is no load-balancing capability. If you want load balancing, you need to put something like an L3 router that does the load balancing in front.
@trajano is right, the Windows client was the problem; deployment with a Linux client
But I do not understand why the host or bridge network is needed.
The following works fine for me, i.e. I get the real client IP addresses in nginx:
version: '3.4'
services:
  nginx:
    ports:
      - mode: host
        protocol: tcp
        published: 80
        target: 80
@Mobe91 Thanks, I was meaning to open an issue for that, tying in with https://github.com/moby/moby/issues/32957
Has anyone used Cilium? http://cilium.readthedocs.io/en/latest/gettingstarted/docker/
It looks like it might be able to fix this without tying services to hosts.
@sandys Good find. I am about to start testing it. Did it work for you? I am about to pull nginx out of the swarm if I cannot fix this.....
We hit this while redesigning our deployment to avoid pinning proxies to individual hosts (which in production bind to an interface for other reasons and therefore "pick up" the client IP as a by-product).
In our test environment, we can only improve things by deploying to managers via a constraint and setting mode = global
to ensure each manager gets a running instance. It is still extra overhead to be aware of, particularly if we lose a manager node and something is directing our traffic to it. However, it is better than being pinned to a single host.
@sandys Did you try Cilium? It looks similar to Weave, which seems to suffer from the same issue, at least with k8s: https:
I have not been able to use Cilium, but I have reached out to the Cilium
devs to help with the swarm config. But I am pretty excited about Cilium,
because ingress is a problem it aims to solve (unlike weave)
On Thu, 10 May 2018, 17:24 James Green, notifications@github.com wrote:
> We hit this while redesigning our deployment to avoid pinning proxies to
> individual hosts (which in production bind to an interface for other
> reasons and therefore "pick up" the client IP as a by-product).
> In our test environment, we can only improve things by deploying to managers
> via a constraint and setting mode = global to ensure each manager gets a
> running instance. It is still extra overhead to be aware of,
> particularly if we lose a manager node and something is directing our
> traffic to it. However, it is better than being pinned to a single host.
> @sandys https://github.com/sandys Did you try Cilium? It looks similar to
> Weave, which seems to suffer from the same issue, at least with k8s:
> kubernetes/kubernetes#51014
> https://github.com/kubernetes/kubernetes/issues/51014
Hi guys,
If you would like Docker Swarm support in Cilium (especially for ingress and
around this particular problem), please comment/like on this bug -
https://github.com/cilium/cilium/issues/4159
éã12ïŒ59 AMã§2018幎5æ11æ¥ãäžMcBacker [email protected]ã¯æžããŸããïŒ
>>
- 1
In the current version, it works as follows.
It is then in the "default" network, so we can access the other nodes in the swarm.
web-server:
  image: blabla:7000/something/nginx:latest
  #ports:
  #  - "80:80"
  #  - "443:443"
  ports:
    - target: 80
      published: 80
      protocol: tcp
      mode: host
    - target: 443
      published: 443
      protocol: tcp
      mode: host
  deploy:
    mode: global
    restart_policy:
      condition: any
    update_config:
      parallelism: 1
      delay: 30s
I can confirm that the key is to use ports.mode: host. From the documentation (https://docs.docker.com/compose/compose-file/#long-syntax-1):
mode: host for publishing a host port on each node, or ingress for a swarm mode port to be load balanced.
Then, using mode: host stops the load balancing by ingress, and the real IP appears. As an example, here are my nginx logs:
mode: host
metrics-agents_nginx.1.pip12ztq3y1h@xxxxxxxx | 62.4.X.X - - [12/Jun/2018:08:46:04 +0000] "GET /metrics HTTP/1.1" 200 173979 "-" "Prometheus/2.2.1" "-" [CUSTOM] "request_time: 0.227" remote_addr: 62.4.X.X proxy_add_x_forwarded_for: 62.4.X.X
mode: host
metrics-agents_nginx.1.q1eosiklkgac@xxxxxxxx | 10.255.0.2 - - [12/Jun/2018:08:50:04 +0000] "GET /metrics HTTP/1.1" 403 162 "-" "Prometheus/2.2.1" "-" [CUSTOM] "request_time: 0.000" remote_addr: 10.255.0.2 proxy_add_x_forwarded_for: 10.255.0.2
And if you wonder why the last log is a 403 Forbidden response, it is because I use a whitelist in nginx (allow 62.4.X.X and deny all).
Environment:
Description: Debian GNU/Linux 9.4 (stretch)
Docker version 18.03.0-ce, build 0520e24
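A log check for the symptom shown in the two log lines above, as an added example that is not part of the original thread: it reads `docker service logs` output and reports services whose nginx `$remote_addr` is almost always an ingress address, which is the condition under which the allow/deny list and the per-IP rate limits described in this thread stop distinguishing clients. The 10.255.0.0/16 subnet, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the default Swarm ingress overlay subnet, matching the
# 10.255.0.x addresses reported in this thread.
INGRESS_NET = ipaddress.ip_network("10.255.0.0/16")

# "service.replica.task@node | " prefix written by `docker service logs`,
# followed by an nginx access-log line that begins with $remote_addr.
LINE_RE = re.compile(
    r'^(?P<service>\S+)\.\d+\.\w+@\S+\s+\|\s+'
    r'(?P<addr>[0-9A-Fa-f:.]+) - \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines in the format of the logs quoted in this thread.
SAMPLE_LOG = [
    'web_nginx.1.q1eosiklkgac@node1 | 10.255.0.2 - - [12/Jun/2018:08:50:04 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    'web_nginx.2.vskh5941kgkb@node2 | 10.255.0.3 - - [12/Jun/2018:08:50:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    'web_nginx.1.q1eosiklkgac@node1 | 10.255.0.2 - - [12/Jun/2018:08:50:06 +0000] "POST /login HTTP/1.1" 403 162 "-" "curl/7.58.0"',
    'edge_nginx.1.pip12ztq3y1h@node1 | 203.0.113.7 - - [12/Jun/2018:08:46:04 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    'edge_nginx.1.pip12ztq3y1h@node1 | 198.51.100.23 - - [12/Jun/2018:08:46:09 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    'edge_nginx.1.pip12ztq3y1h@node1 | 2018/06/12 08:46:10 [notice] 1#1: signal process started',
]


def audit(lines):
    """Per service: total requests, requests whose $remote_addr is an ingress
    address ("masked"), and the set of distinct $remote_addr values, i.e. the
    keys that a per-IP rate limit or allow list would actually see."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # error-log lines, startup noise, redacted addresses
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue
        s = stats.setdefault(m.group("service"),
                             {"total": 0, "masked": 0, "keys": set()})
        s["total"] += 1
        if addr in INGRESS_NET:
            s["masked"] += 1
        s["keys"].add(str(addr))
    return stats


def masked_services(lines, threshold=0.9):
    """Services where at least `threshold` of requests show an ingress address."""
    return sorted(
        name for name, s in audit(lines).items()
        if s["masked"] / s["total"] >= threshold
    )


if __name__ == "__main__":
    for name, s in sorted(audit(SAMPLE_LOG).items()):
        print(name, s["total"], s["masked"], sorted(s["keys"]))
    print("client IP masked by ingress:", masked_services(SAMPLE_LOG))
```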
I confirm what @nperron said.
Using host mode makes it possible to get the client IP.
Docker version 18.03.1-ce, build 9ee9f40
Ubuntu 16.04.4 LTS
I can confirm that it is working.
Docker version 18.03.1-ce, build 9ee9f40
Ubuntu 16.04.4 LTS
èŠåïŒIPTABLES = FALSEãèšå®ããå Žåãããã¯æ©èœããŸããïŒ
UFWã䜿çšããŠããŒããä¿è·ããŠããŠãDockerã®çŸ€ãããããã®UFWèšå®ãäžæžãããŠããããšãããã£ãå Žåã¯ããããè¡ã£ãå¯èœæ§ããããŸãïŒãŸãã¯å°ãªããšãç§ã¯è¡ããŸããïŒã
ã³ãã³ããŸãã¯/etc/docker/daemon.jsonã§iptables = falseãèšå®ããããšãææ¡ãããã¥ãŒããªã¢ã«ãããã€ããããŸãã
ããŸãããã°ãããã¯ç§ãã¡ããã©çµéšãã欲æ±äžæºã誰ãã«æãã§ãããïŒ
Ingressã䜿çšããŠããªãããããã¢ãŒãïŒãã¹ãã=åäœããŠãããšèšãã®ã¯ãããã¹ãã§ãã ãã®ãããã¹ãŠã©ãŒã ã§ãµãŒãã¹ãå®è¡ããŠããã³ã³ããã1ã€ã ãæã€ããšã¯äžå¯èœã§ãããããã§ãä»»æã®ãã¹ããä»ããŠãã®ã³ã³ããã«ã¢ã¯ã»ã¹ã§ããŸãã ãµãŒãã¹ããã°ããŒãã«ãã«ããå¿ èŠããããããµãŒãã¹ãå®è¡ãããŠãããã¹ãã§ã®ã¿ã¢ã¯ã»ã¹ã§ãããããSwarmã®ç®çãå°ãæãªãããŸãã
TLDRïŒãã¢ãŒãïŒãã¹ããã¯åé¿çã§ããã解決çã§ã¯ãããŸãã
@r3pek While I agree with you that you lose Ingress if you use host mode to solve this predicament, I'd say that it hardly defeats the whole purpose of Swarm. In our usage scenario we have, in the same overlay swarm:
management replicated containers that should only be accessed over the intranet -> they do not need the caller's IP, so they are configured "normally" and take advantage of ingress.
non-exposed containers -> nothing to say about these (I believe you are underestimating the power of being able to access them via their service name, though).
public-facing service -> this is an nginx proxy that does https and URL-based routing. It was defined global even before the need to x-forward-for the client's real IP, so no real issue there.
Having nginx global and without ingress means that you can reach it via any IP of the cluster, but it is not load balanced or fault tolerant, so we added a very cheap and easy-to-set-up L4 Azure Load Balancer in front of the nginx service.
As you say, host is a workaround, but saying that enabling it completely defeats the purpose of Docker Swarm is a little exaggerated, IMO.
Hi Roberto,
I don't think it is exaggerated - because host mode exposes single points of failure. Moreover, it needs additional layers of management for load balancing outside the swarm ecosystem.
By saying that you used an Azure LB yourself, you have made that argument.
It is like saying: "to run swarm with client IP propagation, make sure you are using an external load balancer that you set up... or one of the cloud services".
We are not saying that it is not a temporary workaround... but we would be ignoring the promise of Swarm if we all did not recognize it as a clear shortcoming.
It is clear that a poor load balancer (IPVS) was chosen for Docker Swarm's ingress. If it at least supported the L4 proxy protocol, this would not be an issue. Except that it would still be an L4 (TCP) load balancer without all the extra features an L7 LB can give.
In Kubernetes there are L4 (TCP)-L7 (HTTP) load balancers such as nginx ingress and haproxy ingress, which both allow use of the L4 proxy protocol or L7 HTTP headers so that X-Forwarded-For can be used to pass the user's real IP to the backend.
I wonder what the developers of Docker Swarm ingress would say. Probably someone has to move this case to https://github.com/docker/swarmkit/issues?
In Kubernetes there are L4 (TCP)-L7 (HTTP) load balancers such as nginx ingress and haproxy ingress, which both allow use of the L4 proxy protocol or L7 HTTP headers to pass the user's real IP to the backend using X-Forwarded-For.
AFAICS, those LB services are not embedded in K8s, but are services that need to be explicitly deployed. You can do the same with Docker swarm as well. I do not see a difference here. (Apart from that, the nginx ingress controller seems to be "official".)
As far as I know, the difference is that even if you deploy such a load balancing service, it will be "called" from the swarmkit load balancer, and so you lose the user's IP. So you cannot disable the swarmkit load balancer if you are not using host mode.
To be fair - in k8s, it is possible to have a custom ingress. In swarm it is not.
Swarm takes the stand that everything is "built-in". The same is the case with networks - in k8s, you need to set up weave, etc.; in swarm it is built in.
So the point that Andrey is making (and I kind of agree with it) is that swarm should make this feature part of the ingress, since the user has no control over it.
I thought we were done ironing out our swarm kinks, but then I got to staging and noticed that all external access to the web server container is appearing as the ingress network IP.
I am running my stack on a single-node swarm and will be doing so at least for the next few months. Can you recommend the least bad workaround for our current (single-node swarm) use case? I can't do without the client IP - too much relies on it.
Our temporary approach has been to run a simple proxy container in "global" mode (which, IIRC, can get the actual NIC's IP) and have it forward all connections to the internal service running on the swarm overlay network, with added proxy headers.
If getting an x-forwarded-for header is enough for you, that setup should work AFAICT.
Thanks, @maximelb. What did you end up going with (e.g., nginx, haproxy)?
@jamiejackson That is where things are a bit different. In our case we are running a server that hosts long-running SSL connections and a custom binary protocol underneath, so HTTP proxies were not possible. So we created a simple TCP forwarder and used a "msgpack" header that we could unpack manually on the internal server.
I am not very familiar with HTTP proxies, but I suspect most of them would do the trick for you. :-/
Hi Maxime,
this is very interesting for us. Can you share your docker-compose by any chance?
I'm trying to understand how this works. Today we have nginx as a reverse proxy (as a service) and multiple Docker services behind it.
In your case - does nginx become the "global mode" proxy? Or is it a special TCP forwarder? So as you scale the number of nodes, the proxy forwarder goes on each node. I somehow thought that in this situation the x-forwarded-for header gets lost, because the ingress network kills the external IP (since there is no proxy protocol).
We would be very grateful if you could give us some more details.
Regards,
Sandeep
@sandys Sure, here is an excerpt from our docker-compose with the relevant containers.
This is the reverse proxy docker-compose entry:
reverseproxy:
  image: yourorg/repo-proxy:latest
  networks:
    - network_with_backend_service
  deploy:
    mode: global
  ports:
    - target: 443
      published: 443
      protocol: tcp
      mode: host
This is the backend service entry:
backendservice:
  image: yourorg/repo-backend:latest
  networks:
    - network_with_backend_service
  deploy:
    replicas: 2
The target of the reverseproxy (the backend side) would be tasks.backendservice (which has A records for every replica). You can skip the networks part if the backend service is on the default swarm overlay network.
The global bit says "deploy this container exactly once on every Docker swarm node". The ports mode: host is the one saying "bind to the native NIC of the node".
Hope it helps.
You are using host mode. So pretty much you have an external load balancer in front of the whole thing.
You can't depend on Swarm anymore because you are in host mode.
That is actually the problem we have been talking about for a while :(
Not 100% sure what you mean, but externally we use a DNS with an A record per cluster node. This provides cheap "balancing" without having an external moving part. When a client makes a request, they choose a random A record and connect to 443 on one of the cluster nodes.
There, the reverse proxy that is running on that specific node and listening on 443 gets a native connection, including the actual client IP. That reverse proxy container then adds a header and forwards the connection to another internal container using the swarm overlay network (tasks.backend). Since it uses the tasks.backend target, it will also get a random A record for an internal service.
So in the strict sense, it is bypassing the magic of the overlay network that redirects the connection. Instead, it kind of replicates this behavior with the reverse proxy and adds a header. The final effect is the same (in a loose sense) as the magic of the overlay network. It also does this in parallel to running the swarm, meaning I can run all my other services that do not require the client IP on the same cluster without doing anything else for those.
By no means a perfect solution, but until a fix is made (if ever) it gets you by without external components or major Docker configuration.
@jamiejackson The "least bad" workaround we have found is to use Traefik as a global service in host mode. They have a good generic example in their docs: https://docs.traefik.io/user-guide/cluster-docker-consul/#full-docker-compose-file_1. We have seen some bugs that may or may not be related to this setup, but Traefik is a great project and it seems pretty stable on Swarm. There is a whole thread on their issues page about it (that loops back here :)), with similar workarounds:
https://github.com/containous/traefik/issues/1880
Hope this helps. We also cannot use a solution that does not allow us to check actual requester IPs, so we are stuck with this kludge fix until something changes. It seems like a pretty common need, for security reasons at least.
Understood (and a loose version of this is what we use).
However, this particular bug's agenda was to request the devs to build that into the magic overlay network (perhaps by using proxy protocol or other mechanisms).
TBH I'm not sure why the ingress network is not being patched to add IP data in proxy protocol.
It is incremental, it won't break existing stacks, it is a well-defined standard, it is widely supported even by the big cloud vendors, and it is widely supported by application frameworks.
Is it a significant dev effort?
Well, Docker does not currently touch ingress traffic, so adding this is at least not insignificant.
Keep in mind also that this is an open source project; if you really want something, then it is generally going to be up to you to implement it.
+1, this really is a showstopper.
I would believe the majority of applications need the real client IP. Just think of a mail server stack - you can't afford to accept mail from arbitrary hosts.
We switched to a proxy_protocol nginx global stream instance in host mode, which forwards to the replicated application proxy_nginx. This works well enough for the moment.
service global nginx_stream
stream {
    resolver_timeout 5s;
    # 127.0.0.11 is docker swarms dns server
    resolver 127.0.0.11 valid=30s;
    # set does not work in stream module, using map here
    map '' $upstream_endpoint {
        default proxy_nginx:443;
    }
    server {
        listen 443;
        proxy_pass $upstream_endpoint;
        proxy_protocol on;
    }
}
service replicated nginx_proxy
server {
    listen 443 ssl http2 proxy_protocol;
    include /ssl.conf.include;
    ssl_certificate /etc/nginx/certs/main.crt;
    ssl_certificate_key /etc/nginx/certs/main.key;
    server_name example.org;
    auth_basic "closed site";
    auth_basic_user_file /run/secrets/default.htpasswd;
    # resolver info in nginx.conf
    set $upstream_endpoint app;
    location / {
        # relevant proxy_set_header in nginx.conf
        proxy_pass http://$upstream_endpoint;
    }
}
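When the replicated service behind a `proxy_protocol on;` stream proxy is not nginx (for example the custom TCP backend mentioned earlier in the thread), it has to read the PROXY protocol line itself and must honor it only from the proxy tier, otherwise any peer can claim an arbitrary client IP. The following is an added example of the version 1 (text) header check, not code from the thread; the overlay subnet, addresses and function names are assumptions constructed for illustration.

```python
import ipaddress

# Longest legal version 1 header, CRLF included, per the PROXY protocol spec.
MAX_V1_HEADER = 107

# Assumed overlay subnet of the global proxy tier (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed first bytes of a connection: header line, then TLS payload.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.1.5 51234 443\r\n\x16\x03\x01"


class ProxyHeaderError(ValueError):
    """The PROXY header is missing, malformed, or sent by an untrusted peer."""


def parse_proxy_v1(data, peer_ip, trusted_nets):
    """Return ((client_ip, client_port) or None, payload).

    data         -- first bytes read from the accepted socket
    peer_ip      -- address the TCP connection really came from
    trusted_nets -- networks that are allowed to send a PROXY header
    """
    # Trust decision first: a header from outside the proxy tier is forged.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_nets):
        raise ProxyHeaderError(f"peer {peer_ip} may not send PROXY headers")

    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("header not terminated within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    payload = data[end + 2:]

    # UNKNOWN means the sender could not name the source; report no client.
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, payload

    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported or malformed header")
    _, family, src, dst, sport, dport = fields
    if not (sport.isdigit() and dport.isdigit()):
        raise ProxyHeaderError("port is not a decimal number")
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError as exc:
        raise ProxyHeaderError("bad address") from exc
    want = 4 if family == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family mismatch")
    if int(sport) > 65535 or int(dport) > 65535:
        raise ProxyHeaderError("port out of range")
    return (str(src_ip), int(sport)), payload


if __name__ == "__main__":
    # Connection arriving from a proxy task inside the trusted subnet.
    print(parse_proxy_v1(SAMPLE, "10.0.1.3", TRUSTED_NETS))
```

A backend that accepts the header from any peer gives every client control over the address that allow-lists and logs will see, so the trusted network list should cover only the proxy tasks.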
Would it be possible to paste the full nginx config for nginx_stream and nginx_proxy, with their Swarm configs?
This is awesome if it works!
@sandys I have a haproxy-based solution for the proxy protocol part that is configured through environment variables.
Would it be possible to paste the full nginx config for nginx_stream and nginx_proxy, with their Swarm configs? This is awesome if it works!
@sandys Something like this:
https://gist.github.com/rubot/10c79ee0086a8a246eb43ab631f3581f
Running into the same issue; is this going to be addressed? It seems like basic functionality that should be slated for a release.
deploy:
  mode: global
ports:
  - target: 443
    published: 443
    protocol: tcp
    mode: host
Following this advice fixes the issue, as the docker swarm balancer is now out of the equation.
For me it is a valid solution, since it is still HA and I already had haproxy (inside the docker flow proxy container).
The only issue is that the haproxy stats are distributed among all the replicas, so I need to somehow aggregate that info when monitoring traffic for the whole cluster. In the past I had just one haproxy instance behind the docker swarm balancer.
Cheers,
Jacq
When reading the OP's request (@PanJ), it seems current features now solve this problem, as has been suggested for months. The OP did not ask for ingress routing + client IP AFAIK; they asked for a way to have a swarm service in replica/global mode obtain client IPs, which is now doable. Two main areas of improvement allow this to happen:
- We can now create a Swarm service that "publishes" a port to the host IP, skipping the ingress routing layer
- That same service can attach to other networks like overlay at the same time, so it can access other services with overlay benefits
For me with an 18.09 engine, I get the best of both worlds in testing. A single service can connect to backend overlay networks and also publish ports on the host NIC and see the real client IP incoming on the host IP. I'm using that with a traefik reverse proxy to log client IP traffic in traefik that is destined for backend services: https://github.com/BretFisher/dogvscat/blob/7e9fe5b998f2cf86951df3f443714beb413d63fb/stack-proxy-global.yml#L75-L83. I feel like this could solve most requests I have seen for "logging the real IP".
@PanJ does this solve it for you?
The key is to publish ports in mode: host rather than mode: ingress (the default).
The pro of this mode is that you get real client IPs and native host NIC performance (since it is outside IPVS encapsulation AFAIK). The con is that it will only listen on the node(s) running the replicas.
To me, the request "I want to use ingress IPVS routing and also see the client IP" is a different feature request, for libnetwork.
What has changed here? Because we have been using host mode to do this for a long time now. In fact, that is the workaround suggested in this thread as well.
The problem, of course, is that you have to lock this service to a particular host so that Swarm can't schedule it elsewhere. Which is what the issue was entirely - that proxy protocol/IPVS, etc. solve this problem.
@BretFisher mode: host is only a workaround, not the solution. As @sandys said, the workaround has a few caveats, so we should not consider this issue fixed.
I am not sure if there has been any improvement since the workaround was discovered. I moved to Kubernetes quite a long time ago and am still surprised that this issue has been open for over two years.
I am still kind of surprised why people think this is a bug. From my perspective, even the statement of moving to Kubernetes is not an adequate answer. As I see it, Kubernetes has exactly the same problem/behavior. You either have an external LB, or use something like the nginx ingress proxy, which must run as a daemonset. Please correct me if I am wrong, but we have the exact same situation here, just no prepared auto-solution. Somebody could check and pack my proposed TCP stream solution described above to get something like the nginx proxy behavior. Just accept that swarm needs to be customized by yourself.
You could even extend the dockerflow project and add an nginx variant to start a kubernetes-ingressproxy for swarm. Definitely, all this packed with swarm would raise an additional system container, and as you know there are a bunch of those with Kubernetes. Isn't it the strength of swarm, for slim resource projects, to be lean?
Those are complicated solutions - proxy protocol just adds additional header information and is a very well known standard - haproxy, nginx, AWS ELB, etc. all follow it. https://www.haproxy.com/blog/haproxy/proxy-protocol/
The surface area of the change would be limited to the Swarm built-in ingress (where this support would be added). And all services would have it available.
As I said, check the TCP stream solution above, which already utilizes proxy protocol.
Adding proxy protocol would also require configuration inside the container if it were added to swarm upstream. I see no value, besides a cleaner and maybe better documented goal in your request.
The solution above requires host mode binding. That is the big issue. It eliminates the possibility of using the Docker scheduler to allocate containers to different hosts - I am no longer part of the mesh network.
As I said, Kubernetes nginx ingress needs host mode binding too, called daemonset. The external LB connects to nodeports, which also require host mode in the service, or you manually configure proxy protocol in the service. Kubernetes still deals with the same problems.
One possible feature request for swarm, from my point of view, would be to make the networking provider pluggable. This would make it possible to use techniques other than lvs/iptables.
And to clarify, the above solution has a tcp stream in front of the service proxy. So your request is definitely not a bug but a feature request. And this feature could only be implemented in swarm if the network mode changed, because the main problem lies in losing the IP at the NAT / host level.
Call it a bug or call it a feature request, ingress mesh without source NAT is (in my opinion) essential. There are many applications that break when they cannot see the true source IP. Sure, in the case of web servers you can run a reverse proxy using the host node and add client IP headers. However, this adds overhead and is probably not an option for non-web-based applications. For an application that actually needs the real source IP on the packet to be correct, the only option is to not use ingress mesh. That throws out a large part of the benefit of using swarm in the first place.
Please let us know whether this issue has been fixed.
Should we use kuberneties instead?
I'm hitting the same problem... I haven't found a fix so far.
If anyone finds a solution for this behavior, please report it here.
Thanks!
I have the same issue. I have an Apache httpd server and want to log all access so that I can later extract statistics about which countries we receive requests from.
I ran into this issue myself when trying to understand why php:apache was not logging the host header field correctly. I am shocked and disappointed that this still does not work after all these years. How are we supposed to use Swarm mode for web hosting when the host field keeps logging the userland proxy IP? I have not been able to find a way around this in Swarm mode. I suppose I could use Classic Swarm (container based) and something like Consul, but that feels like going backwards.
I found an acceptable solution for my scenario:
services:
  server:
    image: httpd:2
    deploy:
      mode: global
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - my_second_service
      - another_great_software
This makes apache listen on the host computer instead of behind the overlay network (so it reads the proper remote IP address), while still proxying requests to other services via the networks option and achieving "high availability" by having it run everywhere.
@rafaelsierra - here is the issue I have with this (and correct me if I'm wrong): this configuration only allows one Apache / PHP container to run and bind to port 80 on the host node. I need to run lots of Apache containers with an Nginx container bound to port 80/443, and vhost them.
@SysEngDan Yes, it is true that only one container can bind to the 80/443 ports, but in my case that is not a problem, because the container that binds to this port is only responsible for proxying all requests to other containers, which run behind the overlay network.
You can probably use the same solution by having a single nginx / Apache container receive all requests and proxy them to the proper container based on the vhost; those containers do not have to bind to the host.
@rafaelsierra - Respectfully, I'm not sure you understand the issue documented in this ticket. If I configure services as you mentioned in the last paragraph, the issue is that the client IP is not passed to the containers that only listen on the overlay network. If I bind directly to the host, it is not a problem. If we rely on docker network proxying from external (host) to internal (overlay), the destination Apache container does not receive the original client IP address but the IP of the proxy (from docker networking).
@SysEngDan I do understand the issue, and since there has been no solution for the past 2 years (and I am honestly not sure whether this is "fixable"), I had to come up with an alternative solution that fits my need (restricting access based on the remote IP address).
Having a single container listen on port 80/443 on the host and then proxy to other containers (with appropriate HTTP headers, which I did not mention because they are out of the scope of this issue) solved my problem, and I wanted to share this solution for people who face a similar issue because overlay networks cannot pass the remote IP address.
Oh, I see what you did there..... sorry, I missed that. You cut out the overlay network and instead attached your external-facing container directly to the service network (the one that is created automatically when you start a new service without specifying a network). OK, I think that does work. The added overhead is the task of adding the service network to the docker-compose file. What happens when the host container starts and one of those services is not available?
In that case you get a 502.
I don't have one single docker-compose.yml. I have multiple stacks with multiple services that talk to each other via overlay networks, and then I have the public-facing service that is bound to the host server but still has access to all the other overlay networks, so it can proxy all requests.
The host mode workaround has already been discussed multiple times on this issue. While it may be OK for some limited scenarios (such as certain reverse proxy web traffic setups), it is not a general solution to this problem. Please read the previous posts rather than re-hashing the same "solutions" over again.
@darrellenns There are over 200 comments here. I think it would be better to lock and clean up this issue, providing the basic "just use host bind if it applies to you" solution while no official solution is provided; otherwise more people like me will miss it and keep commenting the same thing over and over.
So, I believe this bug affects traefik's ability to whitelist IPs. Is that correct?
Anyway, for anyone looking to run swarm mode, this is an example that uses host mode to publish ports.
docker service create \
--name traefik \
--constraint=node.role==manager \
--publish mode=host,target=80,published=80 \
--publish mode=host,target=443,published=443 \
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
--mount type=bind,source=/home/$USER/dev-ops/logs,target=/dev-ops/logs \
--mount type=bind,source=/opt/data/traefik/traefik.toml,target=/traefik.toml \
--mount type=bind,source=/opt/data/traefik/acme.json,target=/acme.json \
--network traefik \
--label traefik.frontend.rule=Host:traefik.example.com \
--label traefik.port=8080 \
traefik \
--docker \
--docker.swarmMode \
--docker.watch \
--docker.exposedByDefault
@coltenkrauter I don't know exactly what it affects, but in host mode I can only run one replica of the traefik service, and I don't think it's just me. This way I have to fully trust traefik's stability without relying on the swarm mode feature for services.
Also, as first reported, it has little to do with traefik's special needs: it was tested with a generic http service that does not receive the original IP. That means docker swarm mode is broken (this important feature is missing), and nobody seems to care.
And I want to keep commenting on this, because I hope the noise disturbs someone who would prefer to fix it :) (I'm sorry, the same applies to me, from my users)
In host mode I can only run one replica of the traefik service, and I don't think it's just me. This way I have to fully trust traefik's stability without relying on the swarm mode feature for services.
You can run one instance per host
In host mode I can only run one replica of the traefik service, and I don't think it's just me. This way I have to fully trust traefik's stability without relying on the swarm mode feature for services.
You can run one instance per host
Yeah, but traefik is forced to run on a manager node, because it needs that to work properly. So: one manager node, one host, one instance
traefik can use a docker socket proxy, a remote socket, or traefik enterprise. Here is an example stack file for that approach:
https://github.com/BretFisher/dogvscat/blob/master/stack-proxy-global.yml
That is interesting to know, but this feature is available in kubernetes and not in docker swarm mode, and you are insisting that there are options to run multiple instances of traefik, but on multiple nodes. If I want to run multiple instances on a single node, it is not possible, because this is not supported.
Also, any other service that does more than just proxy requests is not allowed to map any port, because it needs a special kind of configuration that maps every host to it, and in any case it needs multiple nodes, at least one per instance.
And so on, and so on. You can scroll up in this discussion and find other concerns about it. I do not think it can be reduced to a demonstration of how good you are at producing workarounds, because those remain workarounds that are hard to maintain and hard to follow. And all the time spent maintaining special-case workarounds is better spent fixing the problem.
On the other hand, if this kind of feature is a security problem for the docker swarm model, just mark it as wontfix and I would plan to switch to kubernetes. In that case I do not think there is a conflict between the projects; it is just saying explicitly that it will never happen, so that everybody can take action, if possible before choosing docker swarm mode for any kind of node swarm.
There are lots of features in kubernetes that are not in swarm, and vice versa. We all decide which orchestrator to use for a specific solution based on many factors, including features. No one tool solves every problem/need.
I'm just a community member trying to help. If you don't like the current solutions for this problem, then it sounds like you should look at other ways to solve it, possibly with something like kubernetes. If you think the kubernetes way of solving it is more to your liking, that is a reasonable reason to choose one orchestrator over another.
Historically, the moby and swarm maintainers have not closed issues like this as wontfix, because tomorrow someone from the community could drop a PR with a solution to this problem. Also, I think discussing ways to work around it until then is a valid use of this issue thread. :)
I'm not a swarm maintainer, but I can say that historically the team does not disclose future feature plans beyond the PRs you can currently see getting commits in the repos.
Of course, I forgot to say that your comment is welcome (or I said it in an obscure way, sorry). But I would like to reinforce the original @PanJ report:
In the meantime, I think I have to do a workaround, which is running a proxy container outside of swarm mode and letting it forward to the published port in swarm mode (SSL termination should be done in this container too), which breaks the purpose of swarm mode for self-healing and orchestration.
I mean that this "breaks the purpose of swarm mode", of course only on this specific topic, but it is enough to deserve more attention.
I'm trying to get my team to build a PR that adds the proxy protocol to the ingress network. We are not Golang programmers, so we find it a bit tricky.
But I fervently hope the Docker team agrees that the best and most compatible (across the ecosystem) solution is to layer proxy protocol support onto the ingress network.
The complexity comes from the fact that the ingress network not only has to insert its own header, it also has to support the fact that there may be upstream proxy protocol headers already inserted (for example Google LB or AWS ELB).
https://stackoverflow.com/questions/50585616/kubernetes-metallb-traefik-how-to-get-real-client-ip
As asked for k8s, where it is layered and fully configurable
For those running nginx on digitalocean with docker swarm and trying to get the real $remote_addr instead of just 10.255.0.2 in their nginx logs: you can use the solution from @coltenkrauter. The catch is that with this solution you can only run one nginx container on the host, which should be OK for most people.
Just change your docker-compose.yml file:
services:
  nginx:
    ports:
      - "80:80"
      - "443:443"

services:
  nginx:
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
_Edit: now we are all guaranteed to get the right answer_
Not using ingress (mode: host) is not a workaround when the issue states that the problem happens with ingress networking.
Nobody would use just a single host as a reverse proxy. You want multiple hosts with a floating IP, and the swarm mesh is mandatory to achieve this setup.
Maybe it is not possible, but I thought that modifying the iptables rules to do MASQUERADE at some stage in the INGRESS chains would be a workaround so that the real source IP is preserved. Aren't there any iptables / netfilter experts around?
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-INGRESS all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
Chain DOCKER-INGRESS (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Alternatively, can't swarm just take the original source IP and create an X-Forwarded-For header?
Nobody would use just a single host as a reverse proxy. You want multiple hosts with a floating IP, and the swarm mesh is mandatory to achieve this setup.
Each node in the swarm can run an instance of the reverse proxy and route traffic to the underlying services over an overlay network (but only the proxy would know the original IP address).
Make sure to read the whole thread (GitHub hides quite a few useful comments, so you will have to expand those :disappointed:);
Alternatively, can't swarm just take the original source IP and create an X-Forwarded-For header?
See https://github.com/moby/moby/issues/25526#issuecomment-367642600; X-Forwarded-For is an L7 protocol. Swarm ingress is L4, using IPVS with DNAT
@port22 Generally we agree that a workaround is not a solution; a solution is to make it layerable, see @sandys' proposal above in the #25526 comment
Alternatively, can't swarm just take the original source IP and create an X-Forwarded-For header?
See (#25526 (comment)) https://github.com/moby/moby/issues/25526#issuecomment-367642600;
X-Forwarded-For is an L7 protocol. Swarm ingress is L4, using IPVS with DNAT
The right solution here is the proxy protocol injected at L4. There are some relevant pro and con discussions in Envoy for the same use case:
https://github.com/envoyproxy/envoy/issues/4128 and
https://github.com/envoyproxy/envoy/issues/1031
Each node in the swarm can run an instance of the reverse proxy
This eliminates the feature of the swarm load balancer, which is what this problem is actually all about.
And my problem, to be specific, is that traefik is not cluster-agile. It must be run standalone unless you use consul as the configuration backend, which then limits the maximum number of certificates to at most 100, which is not applicable for me. Sure, you can say that this is not a swarm problem but traefik's problem. Fun fact: traefik states this is a consul problem. consul states: traefik does it wrong.
@port22 Generally we agree that a workaround is not a solution
My point is that not using ingress is not a workaround when you need ingress. A workaround would be something that makes it possible to still use the swarm load balancer while preserving the source IP, even if it requires some hacking.
using IPVS with DNAT
So I was thinking that it could be done with MASQUERADE within the DNAT rule/chain. ?
@port22 I see, but there should be options like the ones for the bridge network https://docs.docker.com/network/overlay/#customize-the-docker_gwbridge-interface so that this is simple to set up; still, the main problem is the missing support in the overlay network. So the options are not there, because they would be ignored, and dockerd rewrites the rules if they are modified from outside.
I have filed a feature request for proxy protocol support to solve the issue in this bug.
Just in case anyone wants to add their comments.
https://github.com/moby/moby/issues/39465
3 years later, no fix?
I have the same issue too, but with haproxy. It is OK to put the proxy servers in host mode and use keepalived for HA; the only missing part is load balancing, which I think is not much of an issue for a simple web proxy. Unless complicated scripts are involved, or the proxy and backend are not on the same physical machine and the network traffic is too high for one NIC, and...
So is it really not possible to see the source IP address of a request from outside a Docker Swarm, rather than the private address of the internal overlay network? Still?
@thaJeztah Can someone on the Docker Inc team update us on the status of this issue? Is it still being considered and/or worked on? Any ETA? Or is this completely ignored since Docker's integration with Kubernetes? It was reported almost 3 years ago :/
@thaJeztah Can someone on the Docker Inc team update us on the status of this issue? Is it still being considered and/or worked on? Any ETA? Or is this completely ignored since Docker's integration with Kubernetes? It was reported almost 3 years ago :/
It would be really good to get this statement ("won't fix") so that I can fully justify a migration to kubernetes. Such a shame.
Thanks.
Maybe they will reply on twitter?
There is a proposed enhancement request that should fix this - https://github.com/moby/moby/issues/39465
Please add your thoughts and comments there
I have already commented on that issue :-)
This has been a blocker for me for some time. I need to pass the IP addresses through, and after much searching (almost 3 years of searching along with the others in this thread...) I have not yet found a solution that is workable with swarm.
I have been unable to use swarm in production because of this issue, and I am awaiting an official answer on whether this can be added or not. If it is not being added, alternative proposed solutions are welcome.
We are running into the same issue using traefik behind haproxy. I was surprised to see that this has 254 comments since 2016.
@Betriebsrat Why not let traefik handle the requests right away? Is haproxy really necessary, or just a habit? If you expose traefik in host mode, you will see the client IP addresses, and then everything is fine :)
I believe this "solution" has been mentioned several times, but people keep missing it.
I also know that it is sometimes not an option, but I believe it should be possible most of the time.
@ajardan I have tried that solution and it is not viable for me, as I have more than a single host responding on the frontend. Ideally I want the entire swarm to be able to route the requests. I agree that for small-scale operations simply switching one service to host mode and using it as an ingestion server can work fine.
Placing something like traefik in host mode negates, in most cases, the benefits we are trying to get from using swarm :(
@pattonwebz Host mode can be enabled for a service that runs multiple containers on multiple hosts
I used this setup with a service in global mode but limited to manager nodes, and it worked perfectly fine for tens of thousands of requests.
I would be happy to elaborate if more details are required.
@pattonwebz @ajardan Using a configurable haproxy service for all these cases,
@pattonwebz In addition to @ajardan's solution above, you can run https://hub.docker.com/r/decentralize/swarm-tcp-proxy in global mode with host networking to add PROXY protocol support to the inbound traffic, and then forward it to a Traefik configured to decode proxy protocol headers.
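The PROXY protocol approach raised in this thread only helps IP-based access control if the receiving service accepts the header solely from its own proxy tier. The following is an added example, not code from the thread or from Docker: it assumes PROXY protocol v1 and treats 10.255.0.0/16 as the trusted proxy range because 10.255.0.2 is the address quoted above; `TRUSTED_PROXIES`, `parse_proxy_v1` and `client_address` are hypothetical names.

```python
import ipaddress

# Assumption: the only peers allowed to send a PROXY header. 10.255.0.0/16 is
# used because 10.255.0.2 is the ingress-side address quoted in this thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.255.0.0/16")]
MAX_V1_HEADER = 107  # longest valid v1 header line, CRLF included


class ProxyHeaderError(ValueError):
    """The connection must be dropped: the header is malformed or unexpected."""


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 line at the start of `data`.

    Returns ((source_ip, source_port), remaining_bytes); the first element is
    None for "PROXY UNKNOWN", where the sender could not name the client.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("header not terminated within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in header") from exc
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("unsupported protocol or wrong field count")
    version = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError("bad address") from exc
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address family does not match protocol field")
    ports = fields[4:6]
    if not all(p.isdigit() and len(p) <= 5 and int(p) <= 65535 for p in ports):
        raise ProxyHeaderError("bad port")
    return (str(src), int(ports[0])), rest


def client_address(peer_ip: str, first_bytes: bytes):
    """Return (client_ip, payload) for a new connection from `peer_ip`."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: a PROXY line from this peer carries no authority,
        # so reject it instead of letting it override the socket address.
        if first_bytes.startswith(b"PROXY "):
            raise ProxyHeaderError("PROXY header from untrusted peer")
        return peer_ip, first_bytes
    parsed, rest = parse_proxy_v1(first_bytes)  # trusted peers must send one
    return (parsed[0] if parsed else peer_ip), rest


if __name__ == "__main__":
    # Constructed sample: what a proxy-protocol-aware front end would prepend.
    sample = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 80\r\nGET / HTTP/1.1\r\n"
    print(client_address("10.255.0.2", sample))
```

An allow-list check should run on the address returned by `client_address`, never on a header value read before the peer has been matched against the trusted range.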
It should just be a flag as part of Docker Swarm, not all these
convoluted solutions, IMHO.
We just use haproxy to manage certs and offload SSL.
People keep missing that the solution "run in host mode" is not a solution.
They want it to work with the ingress network, to take advantage of the docker load balancing.
The whole thread is basically a "use host mode" -> "not possible because of reasons" circle that has been going on for 3 years.
I will look at swarm-tcp-proxy again as a viable alternative here, but when I looked at similar things in the past, something always ended up being a deal breaker for me with such ideas.
In a perfect world, my existing swarm (which works well, with the exception of having no ability to retrieve the real client IP) would just work and pass the IP data through, without any need for additional service layers or more proxies over proxies.
People keep missing that the solution "run in host mode" is not a solution.
It is not a solution per se, but it can be used (and is being used) very successfully as a workaround. You can still use Docker's native load balancer; all you are doing is adding a layer to the host network stack before you hit Docker's service mesh.
@Betriebsrat traefik can do certs and SSL very well, so I am still not sure why it is necessary.
Also, as mentioned by @matthanley before,
This is configurable per service, so it is very flexible.
You can set up another Nginx server outside the docker swarm cluster and forward requests to the swarm service. In that Nginx conf, just add the forward headers. For example:
location / {
    proxy_pass http://phpestate;
    # Proxy Settings
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
}
It seems there is no solution for getting the real client IP in docker swarm mode.
We saw the same issue and worked around it with the following implementation:
https://github.com/moby/moby/issues/25526#issuecomment-475083415
This is a non-ideal solution, as we cannot run multiple ingress containers on a single node (I guess they are global now)
The difficulty is that Docker deals in TCP / UDP, while this is an HTTP protocol issue. At a minimum, I wish Docker would "fake" the source IP as the remote host rather than giving its own internal IP from the Swarm mesh... but that would likely break things, as return traffic would be sent to the wrong place.
The easiest way would be to add a header with the original IP to every http request.
Correct. Specifically, as a proxy protocol header, which works at L4 and L7 and is accepted by most known application software (as well as the big cloud providers).
I have filed a separate bug for that, which is linked a few comments above. If you are interested, please add to that bug
It's 2019 and this is still an issue? It makes IP whitelisting in traefik a pain. I shouldn't need host ports on every node.
@kaysond Our position has been to give up on Swarm. We are moving to AWS and ECS. I'm sorry that I can't post something more constructive, but ultimately we need something that works. This is not the only major Swarm bug (or lack of feature) affecting us, and others have received no apparent fix/feedback in recent years. Most disappointing, but there it is.
@jmkgreen We are in the same position, and because this issue is still going on, for the past 6+ months
What is the problem with the workaround? You declare your service in host mode + global and set up your LB to hit all nodes; it works. Because the proxy is lightweight (I use nginx because I do https offloading and so on), the fact that it is deployed on every server is not an issue; it uses less than 1% of the server's resources. If you hit an error during the process, I can help ([email protected]).
What is the problem with the workaround? You declare your service in host mode + global and set up your LB to hit all nodes; it works.
@RemiBou When the proxy itself needs to be updated/restarted, the external load balancer does not immediately detect the outage and keeps sending requests to nodes where the proxy is still restarting. So, depending on the external LB configuration, there is an outage of up to 30 seconds.
Also, Swarm has no way to put a hook into the service update process to call the external load balancer and take a node out of service during the update. You also cannot trigger a script to run inside the container before it is updated (for example, to remove an "i_am_healthy" flag and let the external LB discover through polling that it is going out of service).
What is the problem with the workaround?
My problem is that, with this workaround, it is impossible to run several instances of the same service (or several services that need the same port) on a host. That is a need of the projects I work on.
Indeed, but can't you deploy a proxy service that does just this, and then, once the IP is inside the swarm, forward it as an http header to your other services?
Indeed, but can't you deploy a proxy service that does just this, and then, once the IP is inside the swarm, forward it as an http header to your other services?
Yes... and as long as that thin proxy service never needs to be reconfigured or updated, you can update the components behind it using the Swarm LB to avoid downtime.
Someone pointed to https://hub.docker.com/r/decentralize/swarm-tcp-proxy, which uses haproxy to get this done.
Kind of a pain, though. And if you have to update the proxy, you still have downtime.
@ms1111 Nginx
What is the problem with the workaround?
In our case, it is the combination of this workaround with the inability to bind a host-exposed port to a specific IP address. Instead, all internal services that need the real visitor's IP and support the PROXY protocol have their port exposed on 0.0.0.0 on the host, which is less than optimal.
Another one is the non-negligible performance hit when you have hundreds of new connections per second: all the exposed ports are actually DNAT rules in iptables, which require conntrack and have other problems (this hits k8s too, but Swarm has an additional level of NAT that makes it worse).
To Docker,
Wake up! Given how many people are involved in this issue, there is an obvious problem (and there are others with the same cause). All we are getting is people who repeat over and over that there is a workaround, even though it has been explained many times why the workaround is not a solution. The very word "workaround" indicates that it is a temporary thing that will be resolved later. It has been more than 3 years since the issue was created, and for all that time the response has been "there is a workaround".
To all Swarm users,
Let's be realistic. The sad truth is that no one, including Docker, truly cares about Swarm. Everyone has moved to k8s and there is no "real" investment in Swarm. The project is on life support waiting to die, so do not expect this issue to be fixed. Be smart and move to k8s.
This issue seems to have been ignored for far too long. It does not seem that it will ever be implemented. Just cut to the chase and use k8s.
@leojonathanoh Can you please elaborate on how exactly k8s solves this particular issue :) ?
Simple: proxy protocol
@ajatkj As I said. Or, if that is not possible, an external load balancer and externalTrafficPolicy: Local on the Service resource. That is all I will say here. And I am unsubscribing from the thread.
Why do people expect other people to do the work for them?
I would love to be the hero, but the reality is that I am working on many other things and this does not affect my day to day. Does it affect your day to day? We would love some help getting this resolved.
I have also looked at this multiple times, and there really does not seem to be a way to make this work with IPVS NAT, which is what the magical swarm routing uses.
I agree that k8s is much more flexible here. If it suits your needs better, then use it.
Complaining that it is not fixed and threatening to switch to k8s has no place in the issue tracker and is just generally unhelpful.
People help with the knowledge they have. Not everyone has the skills to change the code themselves, so they create issues like this one to help reach a consensus about the necessary change.
ããã§ã¯ãç¹ã«å€æŽãå ããå¿ èŠããããšäž»åŒµãã人ã¯èª°ãããŸãããã @ sandysããããã·ãããã³ã«ã«é¢ããŠéããåé¡ã«ã€ããŠããã³ã¢ããŒã ãå€æŽã«åæããŸããã ã§ã¯ãå€æŽãåãå ¥ãããããã©ããããããªãå Žåã誰ããããã«ã©ã®ããã«åãçµãããšãã§ããŸããïŒ
The best way is to come up with a proposal: what do you expect the architecture to look like after the work is done? What does it bring? What do we lose?
Try host-mode networking
The best way is to come up with a proposal: what do you expect the architecture to look like after the work is done? What does it bring? What do we lose?
That has already been done here: #39465
Try host-mode-networking
Please read the whole thread before commenting
"Use proxy protocol", while certainly interesting, doesn't lay out what changes need to be made to the code base.
Maybe this is a naive question, but why is it necessary to rewrite the source IP in the first place? Wouldn't the traffic be returned via the interface's default gateway anyway? Even if it came in through the swarm load balancer, the gateway could return it via the load balancer, which already knows where the traffic came from...
We need to know which IP a request is coming from. Maybe you want to restrict a particular user to certain IPs, and that can't be done outside the running service: traefik doesn't know the content of the request, which may identify the user making it, so it can't exclude some users and accept others based on IP alone (because the policy in this example is ip + request-content => allow / disallow).
Or, more often, it's used just for logging connections. I need to bill customers for use of my service, and I need to provide in tabular form: the time of the request, the amount of resources, and the source IP of the request. Almost every billed service provides this kind of report.
I think you misunderstood my question. I understand why a service would want to see the true source IP. I want to know why Docker changes it before it reaches the container.
On November 1, 2019, at 1:47 AM, Cruciani [email protected] wrote:
Maybe this is a naive question, but why is it necessary to rewrite the source IP in the first place? Wouldn't the traffic be returned via the interface's default gateway anyway? Even if it came in through the swarm load balancer, the gateway could return it via the load balancer, which already knows where the traffic came from...
We need to know which IP a request is coming from. Maybe you want to restrict a particular user to certain IPs, and that can't be done outside the running service: traefik doesn't know the content of the request, which may identify the user making it, so it can't exclude some users and accept others based on IP alone (because the policy in this example is ip + request-content => allow / disallow).
Or, more often, it's used just for logging connections. I need to bill customers for use of my service, and I need to provide in tabular form: the time of the request, the amount of resources, and the source IP of the request. Almost every billed service provides this kind of report.
@kaysond This is not a good place to ask.
You are essentially asking two questions:
Both are hard to answer, in different ways.
Where would be the best place to ask these questions? I'm now very interested in reading about the history of those choices and how it all works, so I can get a bit more context here.
@kaysond This is not a good place to ask.
You are essentially asking two questions:
- how IPVS works technically, and
- why libnetwork chose IPVS in the first place
Both are hard to answer, in different ways.
Any update?
I've been following this thread for a while because I ran into the same problem. There were several in a swarm behind traefik. The problem was that we are behind Cloudflare and needed to get the CF forwarded headers. (Yes, we use ipvs and our services are replicated in the swarm.)
But I tried again:
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea838
Built: Wed Nov 13 07:29:52 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.5
API version: 1.40 (minimum version 1.12)
Go version: go1.12.12
Git commit: 633a0ea838
Built: Wed Nov 13 07:28:22 2019
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.0-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.0
GitCommit: fec3683
and the following docker compose:
version: "3.3"
services:
  traefik:
    image: "traefik:v2.0.0-rc3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=HostRegexp(`{any:.*}`)"
        - "traefik.http.routers.whoami.entrypoints=web"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
The whoami output was as follows:
Hostname: 085c373eb06d
IP: 127.0.0.1
IP: 10.0.1.10
IP: 172.19.0.4
RemoteAddr: 10.0.1.11:51888
GET / HTTP/1.1
Host: testserver.nub.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Dnt: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 10.0.0.2
X-Forwarded-Host: testserver.nub.local
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ad14e372f6e9
X-Real-Ip: 10.0.0.2
So, yes. It still works.
Out of curiosity... could some developer point me to the code that manages swarm networking?
Using traefik in host mode, you can get the real IP
ports:
  - target: 80
    published: 80
    mode: host
  - target: 443
    published: 443
    mode: host
Is this still open?
2020-05-08
Yes, still open. The thread has architectural issues that highlight why this can't be solved as easily as it seems on the surface. At this point, those issues probably can't be overcome.
If you need to get the real user IP, several alternatives are posted in this thread. HOST mode for services seems the simplest approach, but it isn't suitable for those who need scalability on individual nodes.
We succeeded in using the PROXY protocol with DigitalOcean LB -> Traefik -> Apache container. The Apache container was able to log the real IP of users accessing the service. In theory, it should work as long as every proxy layer supports the PROXY protocol.
https://docs.traefik.io/v1.7/configuration/entrypoints/#proxyprotocol
The Traefik service is on one Docker network named "ingress"; the Apache service has its own stack network but is also part of the "ingress" network, as an external network.
https://autoize.com/logging-client-ip-addresses-behind-a-proxy-with-docker/
2020 and still not fixed. It seems like a very important feature.
This is very much needed. Putting some in host mode is just a patch; sometimes you need to run NGINX behind the network (depending on usage and setup). Please fix this.
I think a workaround for this, and for running docker swarm without setting host, is to get the IP on the client side. E.g. use js for web and mobile clients and only accept from trusted sources. E.g. js -> get ip, and the backend only accepts IPs that include a user token, etc. The ip can be set in a header and encrypted via https. However, I don't know about performance.
@Damidara16 That is exactly what we don't want to do. Doing that is really not secure. It can be bypassed at will.
Too bad this is still an open issue. Sadly... it doesn't look like it will be fixed soon.
I think it will be closed by the bot soon. Since GitHub launched this feature, many bugs can be ignored.
It is the best feature for bloated enterprise teams to gain control of the community.
There is very little chance this will be fixed. Everyone thinks k8s won the "race" and swarm isn't needed, but I think both can coexist and be used appropriately depending on the needs and skills of the team using them. RIP swarm :)
I use a managed HAIP, but you can use something else in front of the swarm, for example a standalone nginx load balancer that points to the IPs of the swarm.
https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/
In your swarm, the reverse proxy needs this:
server {
    listen 443 ssl proxy_protocol;
    location / {
        proxy_set_header X-Real-IP $proxy_protocol_addr; # this is the real IP address
        # ... remaining proxy settings for this location
    }
}
If you are running a swarm, you need a load balancer to round-robin requests to the swarm (or sticky, etc.).
So far, this architectural decision may look like a "missing piece", but it adds flexibility by providing options and removing the need to disable built-in functionality in order to replace it with something better suited to the application's needs.
I think I may have found a workaround for this issue. For example, using --constraint-add='node.hostname==mynode', or a set of swarms each consisting of a single node.
The underlying problem is caused by the SNAT rule in the iptables nat table of the ingress_sbox namespace, which causes all incoming requests seen by containers to carry the node's IP address on the ingress network (e.g. 10.0.0.2, 10.0.0.3, ... in the default ingress network configuration), e.g.:
iptables -t nat -A POSTROUTING -d 10.0.0.0/24 -m ipvs --ipvs -j SNAT --to-source 10.0.0.2
However, if this SNAT rule is removed, containers still receive incoming packets (now originating from the original source IP), but outgoing packets sent back to the original source IP are sent via the container's default gateway, which is not on the same ingress network but on the docker_gwbridge network (e.g. 172.31.0.1), and those packets are lost.
So the workaround is: 1. remove (in fact, inhibit) this SNAT rule in the ingress_sbox namespace; 2. create a policy routing rule for swarm service containers that forces those outgoing packets back to the node's ingress network IP address (e.g. 10.0.0.2); 3. automate adding the policy routing rules so that every new service container has them installed promptly on creation.
nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT
(We do it this way, rather than simply deleting the existing SNAT rule, because docker appears to recreate the SNAT rule several times while creating a service. This approach supersedes that rule, which makes it more resilient.)
NID=$(docker inspect -f '{{.State.Pid}}' <container-id>)
nsenter -n -t $NID bash -c "ip route add table 1 default via 10.0.0.2 && ip rule add from 10.0.0.0/24 lookup 1 priority 32761"
Combined with docker events, the following ingress-routing-daemon script automates the process of modifying the SNAT rules, watching for newly started containers, and adding the policy routing rules.
#!/bin/bash

# Ingress Routing Daemon
# Copyright © 2020 Struan Bartlett
# --------------------------------------------------------------------
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation files
# (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge,
# publish, distribute, sublicense, and/or sell copies of the Software,
# and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# --------------------------------------------------------------------
# Workaround for https://github.com/moby/moby/issues/25526

echo "Ingress Routing Daemon starting ..."

read INGRESS_SUBNET INGRESS_DEFAULT_GATEWAY \
  < <(docker inspect ingress --format '{{(index .IPAM.Config 0).Subnet}} {{index (split (index .Containers "ingress-sbox").IPv4Address "/") 0}}')

echo INGRESS_SUBNET=$INGRESS_SUBNET
echo INGRESS_DEFAULT_GATEWAY=$INGRESS_DEFAULT_GATEWAY

# Add a rule ahead of the ingress network SNAT rule, that will cause the SNAT rule to be skipped.
# Copies left by an earlier run are deleted first (for the detected subnet) so repeated runs do not stack duplicates.
echo "Adding ingress_sbox iptables nat rule: iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT"
while nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -D POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT; do true; done 2>/dev/null
nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT

# Watch for container start events, and configure policy routing rules on each container
# to ensure return path traffic from incoming connections is routed back via the correct interface.
docker events \
  --format '{{.ID}} {{index .Actor.Attributes "com.docker.swarm.service.name"}}' \
  --filter 'event=start' \
  --filter 'type=container' | \
  while read ID SERVICE
  do
    if [ -n "$SERVICE" ]; then
      NID=$(docker inspect -f '{{.State.Pid}}' $ID)
      echo "Container ID=$ID, NID=$NID, SERVICE=$SERVICE started: applying policy route."
      nsenter -n -t $NID bash -c "ip route add table 1 default via $INGRESS_DEFAULT_GATEWAY && ip rule add from $INGRESS_SUBNET lookup 1 priority 32761"
    fi
  done
Now, when a request arrives at the published port of a single node, its containers see the original IP address of the machine making the request.
Run the above ingress-routing-daemon as root on every one of your swarm nodes before creating your service.
The above has been tested using multiple replicas constrained to a single node, on a service running in a multi-node swarm.
It has also been tested using multiple nodes, each with a separate per-node service constrained to that node, but this comes with the limitation that a different published port must be used for each per-node service. Still, this may work for some use cases.
The method should also work with multiple nodes if each is configured as a single node in its own swarm. This carries the limitation that Docker swarm can no longer be used to distribute containers across nodes, but there are still other administrative benefits of using Docker services, such as container replica and lifecycle management.
With further development, this method should be able to scale to multiple nodes without needing separate per-node services or splitting the swarm. I can think of two possible approaches: 1. arranging for Docker, or a bespoke daemon, to remove all non-local IPs from each node's ipvsadm table; 2. extending the policy routing rules to route output packets back to the correct node.
For 1, we could poll ipvsadm -S -n to look for new IPs added to a service, check whether each is local, and remove those that are not. This would allow each node to act as a load balancer for its own containers within the overall service, but requests reaching one node could not be forwarded to another. This would certainly satisfy my own use case: we have our own IPVS load balancer in front of a set of servers, each running a web application, which we would like to replace with several load-balanced containerised instances of the same application, so that we can roll out updates without losing a whole server.
For 2, we could use iptables to assign a per-node TOS in each node's ingress_sbox iptables (for example, the final byte of the node's ingress network IP). Then, in the container, arrange to map the TOS value to a connection mark, then from the connection mark to a firewall mark on outgoing packets, and for each firewall mark select a different routing table that routes the packets back to the originating node. The rules for this would be a bit clunky, but I imagine it should scale fine to 2-16 nodes.
I hope the above is useful. I will also have a go at (2), and will post a further update if I make progress.
Below is an improved version of the ingress routing daemon, ingress-routing-daemon-v2, which extends the policy routing rule model so that each container can route its output packets back to the correct node, without the need for SNAT.
In addition to inhibiting the SNAT rule as in the previous model, the new model requires an iptables rule in the ingress_sbox namespace on each node you intend to use as an IPVS load balancer endpoint (normally your manager nodes, or a subset of them) that assigns a per-node TOS value to all packets destined for any node in the ingress network. (We use the final byte of the node's ingress network IP.)
As the TOS value is stored within the packet, it can be read by the destination node to which the incoming request has been directed and the packet has been sent.
Then, in the container on the destination node, we arrange to map the TOS value on incoming packets to a connection mark, using the same value.
Now, since outgoing packets on the same connection carry the same connection mark, we map the connection mark on outgoing packets to a firewall mark, again using the same value.
Finally, a set of policy routing rules selects a different routing table, designed to route the outgoing packets back to the required load balancer endpoint node, according to the firewall mark value.
Now, when a client request arrives at the published port of any node in the swarm, the container to which the request is directed (whether on the same node, another node, or both) sees the original IP address of the client making the request, and can route the response back to the originating load balancer node, which in turn can route the response back to the client.
Generate a value of INGRESS_NODE_GATEWAY_IPS specific to your swarm by running ingress-routing-daemon-v2 as root on every swarm node you want to use as a load balancer endpoint (normally only your manager nodes, or a subset of your manager nodes) and noting the value shown for INGRESS_DEFAULT_GATEWAY. You only have to do this once, or whenever you add or remove nodes. Your INGRESS_NODE_GATEWAY_IPS should look like 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 (depending on the subnet defined for the ingress network and the number of nodes).
Run INGRESS_NODE_GATEWAY_IPS="<Node Ingress IP List>" ingress-routing-daemon-v2 --install as root on every one of your swarm's nodes (managers and workers) before creating your service. (If your service has already been created, make sure you scale it to 0 before scaling it back to a positive number of replicas.) The daemon initialises iptables, detects when docker creates new containers, and applies new routing rules to each new container.
If you need to restrict the daemon's activity to a particular service, change [ -n "$SERVICE" ] to [ "$SERVICE" = "myservice" ].
Run ingress-routing-daemon-v2 --uninstall on each node.
The ingress-routing-daemon-v2 script has been tested with 8 replicas of a web service deployed to a four-node swarm.
Curl requests for the service, directed at any of the specified load-balanced endpoint node IPs, returned successful responses, and examination of the container logs showed that the application saw the incoming requests as originating from the Curl client's IP.
As the TOS value can store an 8-bit number, this model can in principle support up to 256 load balancer endpoint nodes.
However, as the model requires every container to have one iptables mangle rule + one policy routing rule + one policy routing table installed per manager endpoint node, performance may degrade as the number of such endpoint nodes increases (although experience suggests this is unlikely to be noticeable with fewer than 16 load balancer endpoint nodes on modern hardware).
If you add load balancer endpoint nodes to your swarm, or want to start using existing manager nodes as load balancer endpoints, you will need to tread carefully, as existing containers will not be able to route traffic back to the new endpoint nodes. Before using the new load balancer endpoint, try restarting INGRESS_NODE_GATEWAY_IPS="<Node Ingress IP List>" ingress-routing-daemon-v2 with the updated value of INGRESS_NODE_GATEWAY_IPS, then perform a rolling update of all containers.
I am not familiar with the Docker codebase, but I can't see anything that ingress-routing-daemon-v2 does that couldn't, in principle, be implemented natively by Docker. I'll leave that for the Docker team to consider, or as an exercise for someone familiar with the Docker code.
Here is the new ingress-routing-daemon-v2 script:
#!/bin/bash

# Ingress Routing Daemon v2
# Copyright © 2020 Struan Bartlett
# ----------------------------------------------------------------------
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation files
# (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge,
# publish, distribute, sublicense, and/or sell copies of the Software,
# and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# ----------------------------------------------------------------------
# Workaround for https://github.com/moby/moby/issues/25526

if [ "$1" = "--install" ]; then
  INSTALL=1
elif [ "$1" = "--uninstall" ]; then
  INSTALL=0
else
  # No recognised option: print usage, dump the key variables below, then exit.
  echo "Usage: $0 [--install|--uninstall]"
fi

echo
echo "  Dumping key variables..."

if [ "$INSTALL" = "1" ] && [ -z "$INGRESS_NODE_GATEWAY_IPS" ]; then
  echo "!!! ----------------------------------------------------------------------"
  echo "!!! WARNING: Using default INGRESS_NODE_GATEWAY_IPS"
  echo "!!! Please generate a list by noting the values shown"
  echo "!!! for INGRESS_DEFAULT_GATEWAY on each of your swarm nodes."
  echo "!!!"
  echo "!!! You only have to do this once, or whenever you add or remove nodes."
  echo "!!!"
  echo "!!! Then relaunch using:"
  echo "!!! INGRESS_NODE_GATEWAY_IPS=\"<Node Ingress IP List>\" $0 --install"
  echo "!!! ----------------------------------------------------------------------"
fi

read INGRESS_SUBNET INGRESS_DEFAULT_GATEWAY \
  < <(docker inspect ingress --format '{{(index .IPAM.Config 0).Subnet}} {{index (split (index .Containers "ingress-sbox").IPv4Address "/") 0}}')

echo "  - INGRESS_SUBNET=$INGRESS_SUBNET"
echo "  - INGRESS_DEFAULT_GATEWAY=$INGRESS_DEFAULT_GATEWAY"

# We need the final bytes of the IP addresses on the ingress network of every node
# i.e. We need the final byte of $INGRESS_DEFAULT_GATEWAY for every node in the swarm
# This shouldn't change except when nodes are added or removed from the swarm, so should be reasonably stable.
# You should configure this yourself, but for now let's assume we have 8 nodes with IPs in the INGRESS_SUBNET numbered x.x.x.2 ... x.x.x.9
if [ -z "$INGRESS_NODE_GATEWAY_IPS" ]; then
  INGRESS_NET=$(echo $INGRESS_DEFAULT_GATEWAY | cut -d'.' -f1,2,3)
  INGRESS_NODE_GATEWAY_IPS="$INGRESS_NET.2 $INGRESS_NET.3 $INGRESS_NET.4 $INGRESS_NET.5 $INGRESS_NET.6 $INGRESS_NET.7 $INGRESS_NET.8 $INGRESS_NET.9"
fi

echo "  - INGRESS_NODE_GATEWAY_IPS=\"$INGRESS_NODE_GATEWAY_IPS\""

# Create node ID from INGRESS_DEFAULT_GATEWAY final byte
NODE_ID=$(echo $INGRESS_DEFAULT_GATEWAY | cut -d'.' -f4)
echo "  - NODE_ID=$NODE_ID"

if [ -z "$INSTALL" ]; then
  echo
  echo "Ingress Routing Daemon v2 exiting."
  exit 0
fi

# Add a rule ahead of the ingress network SNAT rule, that will cause the SNAT rule to be skipped.
# Existing copies are deleted first (for the detected subnet), which also serves --uninstall.
[ "$INSTALL" = "1" ] && echo "Adding ingress_sbox iptables nat rule: iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT"
while nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -D POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT; do true; done 2>/dev/null
[ "$INSTALL" = "1" ] && nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT

# 1. Set TOS to NODE_ID in all outgoing packets to INGRESS_SUBNET
[ "$INSTALL" = "1" ] && echo "Adding ingress_sbox iptables mangle rule: iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -j TOS --set-tos $NODE_ID/0xff"
while nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t mangle -D POSTROUTING -d $INGRESS_SUBNET -j TOS --set-tos $NODE_ID/0xff; do true; done 2>/dev/null
[ "$INSTALL" = "1" ] && nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -j TOS --set-tos $NODE_ID/0xff

if [ "$INSTALL" = "0" ]; then
  echo
  echo "Ingress Routing Daemon v2 iptables rules uninstalled, exiting."
  exit 0
fi

echo "Ingress Routing Daemon v2 starting ..."

# Watch for container start events, and configure policy routing rules on each container
# to ensure return path traffic for incoming connections is routed back via the correct interface
# and to the correct node from which the incoming connection was received.
docker events \
  --format '{{.ID}} {{index .Actor.Attributes "com.docker.swarm.service.name"}}' \
  --filter 'event=start' \
  --filter 'type=container' | \
  while read ID SERVICE
  do
    if [ -n "$SERVICE" ]; then
      NID=$(docker inspect -f '{{.State.Pid}}' $ID)
      echo "Container ID=$ID, NID=$NID, SERVICE=$SERVICE started: applying policy routes."

      # 3. Map any connection mark on outgoing traffic to a firewall mark on the individual packets.
      nsenter -n -t $NID iptables -t mangle -A OUTPUT -p tcp -j CONNMARK --restore-mark

      for NODE_IP in $INGRESS_NODE_GATEWAY_IPS
      do
        NODE_ID=$(echo $NODE_IP | cut -d'.' -f4)

        # 2. Map the TOS value on any incoming packets to a connection mark, using the same value.
        nsenter -n -t $NID iptables -t mangle -A PREROUTING -m tos --tos $NODE_ID/0xff -j CONNMARK --set-xmark $NODE_ID/0xffffffff

        # 4. Select the correct routing table to use, according to the firewall mark on the outgoing packet.
        nsenter -n -t $NID ip rule add from $INGRESS_SUBNET fwmark $NODE_ID lookup $NODE_ID prio 32700

        # 5. Route outgoing traffic to the correct node's ingress network IP, according to its firewall mark
        #    (which in turn came from its connection mark, its TOS value, and ultimately its IP).
        nsenter -n -t $NID ip route add table $NODE_ID default via $NODE_IP dev eth0
      done
    fi
  done
Hi @struanb, I don't understand how the uninstall section works in the v2 script. Is something missing?
Hi @jrbecart. I hope not. You'll see that, before the iptables rules are installed, there are two while loops that delete any existing rules using iptables -D. This is a safety measure in case the script is run with --install several times in succession, with no intervening --uninstall call.
As such, when the script is called with --uninstall, by the time the script exits those rules have been removed and new rules have not yet been added.
I hope this answers your question.
Hi everyone, I want to tell you that I discovered a fix for this issue, without installing or configuring anything other than defining the NGINX config properly. I know all of us have tried different approaches. This one was discovered by mistake. To be honest, I gave up on this a long time ago. Well, until today. While implementing a monitoring system, I was able to get the source IP, the real source IP, using the NGINX log, so I started debugging how that was possible.
Here is an example of that kind of log:
10.0.0.2 - - [19/Nov/2020:04:56:31 +0000] "GET / HTTP/1.1" 200 58 "-" req_t=0.003 upstream_t=0.004 "<browser-info>" "<source-ip-1,source-ip2,....>"
Note: there are multiple source IPs if you are using proxies (e.g. Cloudflare).
The information was there; my real IP was there. I then reviewed the NGINX logging format to find out how the magic was possible, and found this:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                'req_t=$request_time upstream_t=$upstream_response_time '
                '"$http_user_agent" "$http_x_forwarded_for"';
That means the magic is here -> $http_x_forwarded_for
After this, I changed the proxy header like this: proxy_set_header X-Real-IP $http_x_forwarded_for;
And finally, the last test: using this information in a NodeJS project, inside a production-like system, with Docker Swarm using an overlay network and about 4 VMs, and guess what, it worked. I could finally get the real IP address.
I'm very happy, because this issue has been open for a long time, but I think this is the answer. The versions I used are:
Docker version: 19.03.8
NGINX version: nginx/1.14.2
I'll wait for your feedback. I hope you get the same results as me.
Cheers!
Sebastián.
P.S.: Try this using another network interface, that is, from outside localhost, because otherwise you will see a "-" in the log instead of your real IP address. Test it across the internet, completely outside your home network.
Bonus: I was also able to map the IP addresses to geolocation using a lookup table, count them and place them on a map, so the answer is yes, this is what we were looking for :)
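The $http_x_forwarded_for approach in the post above only yields a real client address when every hop that appended to the header is one you control; anything to the left of the first untrusted hop was supplied by the client. An added example (not code from the thread; the trusted ranges and all sample addresses are constructed assumptions) that walks the header right to left and stops at the first hop outside the trusted set:

```python
"""Added example: pick the client address out of X-Forwarded-For without
believing entries that an untrusted client could have written itself."""
import ipaddress

# Assumption: the only hops allowed to vouch for a client address.
# 10.0.0.0/24 is the default swarm ingress subnet quoted in this thread;
# 203.0.113.0/24 is a constructed stand-in for an external load balancer.
TRUSTED_PROXIES = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/24", "203.0.113.0/24")
)


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr belongs to one of the proxy networks we operate."""
    return any(addr.version == net.version and addr in net for net in trusted)


def naive_client_ip(xff_header):
    """Left-most entry: what many applications take from the header.
    The client chooses this value, so it is not evidence of anything."""
    return (xff_header or "").split(",")[0].strip()


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the nearest address that a trusted hop actually observed.

    remote_addr -- TCP peer of this service ($remote_addr in nginx)
    xff_header  -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer, trusted):
        # The peer is not one of our proxies, so the header is unverified.
        return str(peer)

    verified = peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each trusted proxy appends the address it saw, so read right to left.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be verified
        verified = addr
        if not is_trusted(addr, trusted):
            break  # first hop we do not control: this is the client
    return str(verified)


# Constructed requests: (TCP peer, X-Forwarded-For header).
SAMPLES = {
    "via LB, client forged a first entry":
        ("10.0.0.2", "192.0.2.66, 198.51.100.7, 203.0.113.10"),
    "direct hit on the published port":
        ("198.51.100.9", "10.0.0.5"),
    "swarm ingress SNAT, no header at all":
        ("10.0.0.2", None),
    "garbage entry in front of the LB":
        ("10.0.0.2", "not-an-ip, 203.0.113.10"),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (naive result, verified result)."""
    return {
        name: (naive_client_ip(xff), client_ip(peer, xff))
        for name, (peer, xff) in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, verified) in evaluate().items():
        print(f"{name}: naive={naive!r} verified={verified!r}")
```

With no header and a peer inside the ingress subnet, the function can only return the ingress address, which is the situation this issue describes.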
@sebastianfelipeããã¯äœå¹Žã«ã
@sebastianfelipeããã¯äœå¹Žã«ã
I'm sure. I'm not using network host on all my connected services. I deployed a stack with an overlay network in a production-like environment, including a Digital Ocean load balancer, and it worked. I mean, I can't test it any better than this. It's 100% real.
@sebastianfelipe I think the Digital Ocean load balancer is adding the user's IP address to the X-Forwarded-For header. This is a known workaround and doesn't solve the problem of getting the user's IP in standalone Docker Swarm mode.
@beornf I woke up over the $http_x_forwarded_for variable. The Digital Ocean load balancer adds information to another NGINX variable, information that is not added directly by Docker Swarm. This could probably lead to a "dummy-like" approach that gives a real solution for every case. At least Digital Ocean customers should be happy to know how to deal with this for now.
@beornf @sebastianfelipe Adding to the context, CloudFlare also adds X-Forwarded-For and is largely free.
I think this may work for many of us who need a way to get the real IP. Cloudflare can be set up as a proxy or as DNS only. It is not ideal for Digital Ocean customers. It is the cleanest workaround so far. But I agree with @beornf: we need a real solution that gets this done without depending on Digital Ocean or Cloudflare.
Thanks!
Most helpful comment
I also ran into this problem when trying to run logstash in swarm mode (to collect syslog messages from various hosts). The logstash "host" field always shows 10.255.0.x instead of the actual IP of the connecting host. This makes it totally unusable, because you can't tell which host the log messages come from. Is there a way to avoid the translation of the source IP?