How do I fix a "connection refused" error for an ECS task in awsvpc network mode?

I have set `containerPort` and `hostPort`, but I cannot connect to the ECS task from outside the container (even the host EC2 instance cannot reach it).
Excerpt from the task definition:

```hcl
network_mode = "awsvpc" // needed for A-record service discovery
network_configuration {
  subnets = [module.subnet_private.id]
}
```
Excerpt from the container definition:

```hcl
portMappings = [
  {
    hostPort = 80,      // must equal containerPort because the awsvpc network mode is used
    containerPort = 80, // see nginx.conf
    protocol = "tcp"
  }
]
```

Full `docker inspect` output:

```json
[
  {
    "Id": "f852e5f1f50154f3fab574eac406fd91038a2e5514053d777d21f81c5614dc79",
    "Created": "2022-01-03T18:52:30.356339157Z",
    "Path": "/docker-entrypoint.sh",
    "Args": [
      "nginx",
      "-g",
      "daemon off;"
    ],
    "State": {
      "Status": "running",
      "Running": true,
      "Paused": false,
      "Restarting": false,
      "OOMKilled": false,
      "Dead": false,
      "Pid": 15694,
      "ExitCode": 0,
      "Error": "",
      "StartedAt": "2022-01-03T18:52:30.866257409Z",
      "FinishedAt": "0001-01-01T00:00:00Z"
    },
      "NetworkMode": "container:389dbe8d2c45cbb0ddddbbf2a8f46e62483124023880b96ef04319b7050ff5c5",
      "PortBindings": {},
      "RestartPolicy": {
        "Name": "",
        "MaximumRetryCount": 0
      },
      "AutoRemove": false,
      "VolumeDriver": "",
      "VolumesFrom": [],
      "CapAdd": [],
      "CapDrop": [],
      "CgroupnsMode": "host",
      "Dns": null,
      "DnsOptions": null,
      "DnsSearch": null,
      "ExtraHosts": null,
      "GroupAdd": null,
      "IpcMode": "shareable",
      "Cgroup": "",
      "Links": null,
      "OomScoreAdj": 0,
      "PidMode": "",
      "Privileged": false,
      "PublishAllPorts": false,
      "ReadonlyRootfs": false,
      "SecurityOpt": null,
      "UTSMode": "",
      "UsernsMode": "",
      "ShmSize": 67108864,
      "Runtime": "runc",
      "ConsoleSize": [
        0,
        0
      ],
      "Isolation": "",
      "CpuShares": 1024,
      "Memory": 1073741824,
      "NanoCpus": 0,
      "CgroupParent": "/ecs/acafdacf06b9475b83e080cbd637f0fc",
      "BlkioWeight": 0,
      "BlkioWeightDevice": null,
      "BlkioDeviceReadBps": null,
      "BlkioDeviceWriteBps": null,
      "BlkioDeviceReadIOps": null,
      "BlkioDeviceWriteIOps": null,
      "CpuPeriod": 0,
      "CpuQuota": 0,
      "CpuRealtimePeriod": 0,
      "CpuRealtimeRuntime": 0,
      "CpusetCpus": "",
      "CpusetMems": "",
      "Devices": null,
      "DeviceCgroupRules": null,
      "DeviceRequests": null,
      "KernelMemory": 0,
      "KernelMemoryTCP": 0,
      "MemoryReservation": 0,
      "MemorySwap": 2147483648,
      "MemorySwappiness": null,
      "OomKillDisable": false,
      "PidsLimit": null,
      "Ulimits": [
        {
          "Name": "nofile",
          "Hard": 65536,
          "Soft": 32768
        }
      ],
      "CpuCount": 0,
      "CpuPercent": 0,
      "IOMaximumIOps": 0,
      "IOMaximumBandwidth": 0,
      "MaskedPaths": [
        "/proc/asound",
        "/proc/acpi",
        "/proc/kcore",
        "/proc/keys",
        "/proc/latency_stats",
        "/proc/timer_list",
        "/proc/timer_stats",
        "/proc/sched_debug",
        "/proc/scsi",
        "/sys/firmware"
      ],
      "ReadonlyPaths": [
        "/proc/bus",
        "/proc/fs",
        "/proc/irq",
        "/proc/sys",
        "/proc/sysrq-trigger"
      ]
    },
    "Config": {
      "Hostname": "[REDACTED]",
      "Domainname": "",
      "User": "",
      "AttachStdin": false,
      "AttachStdout": false,
      "AttachStderr": false,
      "ExposedPorts": {
        "80/tcp": {}
      },
      "Cmd": [
        "nginx",
        "-g",
        "daemon off;"
      ],
      "Image": "[REDACTED]",
      "Volumes": null,
      "WorkingDir": "",
      "Entrypoint": [
        "/docker-entrypoint.sh"
      ],
      "OnBuild": null,
      "Labels": {
        "com.amazonaws.ecs.cluster": "Nginx_Build_agent_proxy",
        "com.amazonaws.ecs.container-name": "buildagent-proxy",
        "com.amazonaws.ecs.task-arn": "[REDACTED]",
        "com.amazonaws.ecs.task-definition-family": "buildagent-proxy",
        "com.amazonaws.ecs.task-definition-version": "20",
        "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>"
      },
      "StopSignal": "SIGQUIT"
    },
    "NetworkSettings": {
      "Bridge": "",
      "SandboxID": "",
      "HairpinMode": false,
      "LinkLocalIPv6Address": "",
      "LinkLocalIPv6PrefixLen": 0,
      "Ports": {},
      "SandboxKey": "",
      "SecondaryIPAddresses": null,
      "SecondaryIPv6Addresses": null,
      "EndpointID": "",
      "Gateway": "",
      "GlobalIPv6Address": "",
      "GlobalIPv6PrefixLen": 0,
      "IPAddress": "",
      "IPPrefixLen": 0,
      "IPv6Gateway": "",
      "MacAddress": "",
      "Networks": {}
    }
  }
]
```
1 Answer
In `awsvpc` network mode, ECS allocates a dedicated ENI to each task on the EC2 instance. From the documentation:

The task ENI is fully managed by Amazon ECS. Amazon ECS creates the ENI and attaches it to the host Amazon EC2 instance with the specified security group. The task sends and receives network traffic over the ENI in the same way that an Amazon EC2 instance uses its primary network interface. By default, each task ENI is assigned a private IPv4 address.

A request to http://localhost from the EC2 instance's terminal will not reach the container, because the container does not listen on the localhost interface; it listens on the dedicated ENI.

You can still make requests by using the ENI's IP address, which you can find in one of the following ways:
- Query the container agent's task details with curl: `curl -s http://localhost:51678/v1/tasks | python -mjson.tool`
- Look up the task in the ECS console.
- Look up the ENI used by the task in the EC2 console.

Note that you must make sure the security group associated with that ENI allows access from the source IP, i.e. the primary interface associated with the EC2 instance.

Also, as mentioned in the documentation, the `hostPort` field should be omitted from the container definition when using `awsvpc` network mode.
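As an added example, not part of the answer above: a small Python script that pulls the task ENI address out of the agent's `/v1/tasks` response (the field names follow the agent's documented response shape; the task ARN, container id and address below are constructed) and then distinguishes a refused connection (packet reached a host with no listener, the localhost symptom from the question) from a timeout (the security group dropping traffic).

```python
import json
import socket

# Constructed sample of the ECS agent introspection response
# (http://localhost:51678/v1/tasks on the container instance).
# Field names follow the agent's documented shape; ARN, ids and
# the 10.0.2.45 address are made up for this example.
SAMPLE_TASKS = json.dumps({
    "Tasks": [{
        "Arn": "arn:aws:ecs:us-east-1:000000000000:task/example/0123456789abcdef",
        "DesiredStatus": "RUNNING",
        "KnownStatus": "RUNNING",
        "Family": "buildagent-proxy",
        "Version": "20",
        "Containers": [{
            "DockerId": "constructed0000",
            "Name": "buildagent-proxy",
            "Networks": [{"NetworkMode": "awsvpc",
                          "IPv4Addresses": ["10.0.2.45"]}],
        }],
    }]
})


def task_eni_addresses(tasks_json: str, family: str) -> dict:
    """Container name -> awsvpc ENI IPv4 addresses for RUNNING tasks of `family`."""
    found = {}
    for task in json.loads(tasks_json).get("Tasks", []):
        if task.get("Family") != family or task.get("KnownStatus") != "RUNNING":
            continue
        for c in task.get("Containers", []):
            for net in c.get("Networks", []):
                if net.get("NetworkMode") == "awsvpc":
                    found.setdefault(c["Name"], []).extend(net.get("IPv4Addresses", []))
    return found


def classify(exc: BaseException) -> str:
    """'refused': a host answered but nothing listens there (curl localhost on
    the instance); 'timeout': traffic is being dropped, e.g. by a security group."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (TimeoutError, socket.timeout)):
        return "timeout"
    return "other"


def probe(ip: str, port: int = 80, timeout: float = 3.0) -> str:
    """TCP-connect to ip:port and report 'open', 'refused', 'timeout' or 'other'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)
```

On the container instance, feed `probe()` the address returned by `task_eni_addresses()` from the live `/v1/tasks` body instead of `SAMPLE_TASKS`.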