How do I fix a "connection refused" error for ECS tasks in awsvpc network mode?

0

[The following question has been translated] I set containerPort and hostPort, but I have trouble connecting to the ECS task from outside the container (even the host EC2 instance cannot reach it).

Excerpt from the task definition:

network_mode          = "awsvpc" // needed for service discovery with A records
network_configuration {
    subnets = [module.subnet_private.id]
}

Excerpt from the container definition:

portMappings = [
  {
    hostPort      = 80, // must equal containerPort because the awsvpc network mode is used
    containerPort = 80, // see nginx.conf
    protocol      = "tcp"
  }
]

Full docker inspect output:

[
    {
        "Id": "f852e5f1f50154f3fab574eac406fd91038a2e5514053d777d21f81c5614dc79",
        "Created": "2022-01-03T18:52:30.356339157Z",
        "Path": "/docker-entrypoint.sh",
        "Args": [
            "nginx",
            "-g",
            "daemon off;"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 15694,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-01-03T18:52:30.866257409Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
            "NetworkMode": "container:389dbe8d2c45cbb0ddddbbf2a8f46e62483124023880b96ef04319b7050ff5c5",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": [],
            "CapAdd": [],
            "CapDrop": [],
            "CgroupnsMode": "host",
            "Dns": null,
            "DnsOptions": null,
            "DnsSearch": null,
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "shareable",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 1024,
            "Memory": 1073741824,
            "NanoCpus": 0,
            "CgroupParent": "/ecs/acafdacf06b9475b83e080cbd637f0fc",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": null,
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": 2147483648,
            "MemorySwappiness": null,
            "OomKillDisable": false,
            "PidsLimit": null,
            "Ulimits": [
                {
                    "Name": "nofile",
                    "Hard": 65536,
                    "Soft": 32768
                }
            ],
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "Config": {
            "Hostname": "[REDACTED]",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "80/tcp": {}
            },
            "Cmd": [
                "nginx",
                "-g",
                "daemon off;"
            ],
            "Image": "[REDACTED]",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": [
                "/docker-entrypoint.sh"
            ],
            "OnBuild": null,
            "Labels": {
                "com.amazonaws.ecs.cluster": "Nginx_Build_agent_proxy",
                "com.amazonaws.ecs.container-name": "buildagent-proxy",
                "com.amazonaws.ecs.task-arn": "[REDACTED]",
                "com.amazonaws.ecs.task-definition-family": "buildagent-proxy",
                "com.amazonaws.ecs.task-definition-version": "20",
                "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>"
            },
            "StopSignal": "SIGQUIT"
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {}
        }
    }
]
EXPERT
Asked 2 years ago, 53 views
1 Answer
0

[The following answer has been translated] In awsvpc network mode, ECS assigns a dedicated ENI to each task on the EC2 instance. From the documentation:

The task ENI is fully managed by Amazon ECS. Amazon ECS creates the ENI and attaches it to the host Amazon EC2 instance with the specified security group. Tasks send and receive network traffic through the ENI in the same way that Amazon EC2 instances do with their primary network interface. By default, each task ENI is assigned a private IPv4 address.

A request to http://localhost from a terminal on the EC2 instance will not reach the container, because the container does not listen on the localhost interface but on the dedicated ENI.

You can still make the request using the ENI's IP address, which you can find by:

  • Querying the container agent for task details with: curl -s http://localhost:51678/v1/tasks | python -mjson.tool
  • Looking up the task in the ECS console.
  • Looking up the ENI used by the task in the EC2 console.

Note that you must make sure the security group associated with that ENI allows access from the source IP, i.e. the primary interface associated with the EC2 instance.

Also, as mentioned in the documentation, the hostPort field should be omitted from the container definition when using awsvpc network mode.
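The two checks the answer describes, turned into a small script. This is an added example, not code from the question, the answer, or AWS: it parses a constructed sample of the ECS agent introspection response (the `Tasks -> Containers -> Networks -> IPv4Addresses` layout is assumed to match what `http://localhost:51678/v1/tasks` returns for awsvpc tasks; all ids and addresses are made up), builds the URLs to probe on the task ENI instead of localhost, and lints the container's `portMappings` for a `hostPort` that should be omitted or that disagrees with `containerPort` under awsvpc.

```python
import json
from typing import Dict, List

# Constructed sample of the agent introspection output for one awsvpc task.
# Field layout is assumed from the ECS agent introspection API; values are made up.
SAMPLE_INTROSPECTION = json.dumps({
    "Tasks": [
        {
            "Arn": "arn:aws:ecs:REGION:ACCOUNT:task/EXAMPLE-TASK-ID",
            "DesiredStatus": "RUNNING",
            "KnownStatus": "RUNNING",
            "Family": "buildagent-proxy",
            "Version": "20",
            "Containers": [
                {
                    "DockerId": "EXAMPLE-DOCKER-ID",
                    "DockerName": "ecs-buildagent-proxy-20-buildagent-proxy",
                    "Name": "buildagent-proxy",
                    "Networks": [
                        {"NetworkMode": "awsvpc", "IPv4Addresses": ["10.0.1.23"]}
                    ],
                }
            ],
        }
    ]
})


def task_eni_addresses(introspection_json: str, family: str) -> List[str]:
    """Return the private IPv4 addresses of the task ENI(s) for a task family.

    Only RUNNING awsvpc tasks are considered; bridge/host-mode containers have
    no dedicated ENI and are skipped.
    """
    data = json.loads(introspection_json)
    addresses: List[str] = []
    for task in data.get("Tasks", []):
        if task.get("Family") != family or task.get("KnownStatus") != "RUNNING":
            continue
        for container in task.get("Containers", []):
            for net in container.get("Networks", []):
                if net.get("NetworkMode") == "awsvpc":
                    addresses.extend(net.get("IPv4Addresses", []))
    # De-duplicate while preserving order (several containers share one ENI).
    return list(dict.fromkeys(addresses))


def probe_urls(addresses: List[str], port: int = 80, scheme: str = "http") -> List[str]:
    """Build the URLs to curl from the instance instead of http://localhost."""
    return [f"{scheme}://{addr}:{port}/" for addr in addresses]


def check_awsvpc_port_mappings(network_mode: str, port_mappings: List[Dict]) -> List[str]:
    """Lint container port mappings against the awsvpc rules from the answer.

    Returns human-readable findings; an empty list means nothing to fix.
    """
    findings: List[str] = []
    if network_mode != "awsvpc":
        return findings
    for pm in port_mappings:
        cp = pm.get("containerPort")
        hp = pm.get("hostPort")
        if cp is None:
            findings.append("port mapping without containerPort")
            continue
        if hp is not None and hp != cp:
            findings.append(
                f"hostPort {hp} must equal containerPort {cp} (or be omitted) in awsvpc mode"
            )
        elif hp is not None:
            findings.append(
                f"hostPort {hp} is redundant in awsvpc mode; omit it and keep containerPort {cp}"
            )
    return findings


if __name__ == "__main__":
    ips = task_eni_addresses(SAMPLE_INTROSPECTION, "buildagent-proxy")
    print("task ENI addresses:", ips)
    print("probe from the instance with:", probe_urls(ips))
    # The mapping from the question: hostPort present and equal to containerPort.
    mappings = [{"hostPort": 80, "containerPort": 80, "protocol": "tcp"}]
    for finding in check_awsvpc_port_mappings("awsvpc", mappings):
        print("finding:", finding)
```

On a real instance, replace `SAMPLE_INTROSPECTION` with the output of the curl command from the answer. A probe that still fails against the ENI address, while the container is listening, points at the security group attached to the task ENI rather than at the port mapping.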

EXPERT
Answered 2 years ago
