7.6 Routing mesh: load balancing

Time:2021-10-20

Features

  • Load balancing for external access
  • The service port is exposed on every swarm node
  • Internal load balancing through IPVS

Port exposure

# In the service list, note the * in the port mapping `*:8000->8000/tcp`
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
zq7ulpxk83nq busybox replicated 1/1 busybox:latest
q1j2ddophtom whoami replicated 1/1 jwilder/whoami:latest *:8000->8000/tcp

# Where the service's task is placed
$ docker service ps whoami
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
1diq1k8h38o5 whoami.1 jwilder/whoami:latest swarm-work1 Running Running about an hour ago

# According to `docker service ps`, whoami runs only on the swarm-work1 node, yet port 8000 on the swarm manager node is still reachable with curl
$ curl 127.0.0.1:8000
I'm 299a5ba408cd

To see why, look at the NAT table in iptables:

$ sudo iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER-INGRESS all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER-INGRESS all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-INGRESS (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:172.18.0.2:8000
RETURN all -- 0.0.0.0/0 0.0.0.0/0

The rule `DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:172.18.0.2:8000` is the key: any TCP packet arriving for a local address on port 8000 is rewritten to 172.18.0.2:8000.

The current host's IP on the docker_gwbridge network is 172.18.0.1, so 172.18.0.2 must be on the same network. Running the following command confirms that 172.18.0.2 is the IP address of the ingress-sbox container:

docker network inspect docker_gwbridge
{
    "Containers": {
        "ingress-sbox": {
            "Name": "gateway_ingress-sbox",
            "EndpointID": "ac6e9807282e4884f07f6ebeefa2fa5d836a98b09f57efb2d147862c46ff1cc7",
            "MacAddress": "02:42:ac:12:00:02",
            "IPv4Address": "172.18.0.2/16",
            "IPv6Address": ""
        }
    }
}
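The check below is an added example, not part of the original article: it cross-references the DNAT rule in the DOCKER-INGRESS chain with the ingress-sbox address on docker_gwbridge, so an operator can confirm that every published port really lands in the ingress sandbox rather than somewhere unexpected. The iptables and `docker network inspect` text embedded in the script is constructed from the outputs shown above; on a live node, feed the script the real output of `sudo iptables -nL -t nat` and `docker network inspect docker_gwbridge` instead.

```shell
#!/bin/sh
# Added example: verify that published ports are DNATed to the ingress sandbox.
# The two sample inputs below are constructed from the article's outputs.

# Constructed: the relevant part of `sudo iptables -nL -t nat`
IPTABLES_NAT='Chain DOCKER-INGRESS (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:172.18.0.2:8000
RETURN all -- 0.0.0.0/0 0.0.0.0/0
'

# Constructed: the relevant part of `docker network inspect docker_gwbridge`
GWBRIDGE_JSON='{
    "Containers": {
        "ingress-sbox": {
            "Name": "gateway_ingress-sbox",
            "IPv4Address": "172.18.0.2/16"
        }
    }
}'

# Print "port target_ip" for every DNAT rule inside the DOCKER-INGRESS chain.
# Rules of other chains are ignored, so the full nat table can be passed in.
ingress_dnat_targets() {
    printf '%s\n' "$1" | awk '
        /^Chain DOCKER-INGRESS/ { in_chain = 1; next }
        /^Chain / { in_chain = 0 }
        in_chain && $1 == "DNAT" {
            port = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i ~ /^to:/) { split(substr($i, 4), t, ":"); target = t[1] }
            }
            if (port != "" && target != "") print port, target
        }'
}

# Extract the IPv4 address of ingress-sbox without its prefix length.
gwbridge_sbox_ip() {
    printf '%s\n' "$1" | awk '
        /"ingress-sbox"/ { in_sbox = 1 }
        in_sbox && /"IPv4Address"/ {
            sub(/.*"IPv4Address": *"/, ""); sub("/.*$", ""); print; exit
        }'
}

# Return 0 when every DOCKER-INGRESS DNAT target is the ingress-sbox address,
# 1 when a rule points elsewhere or either input could not be parsed.
check_ingress_dnat() {
    sbox=$(gwbridge_sbox_ip "$2")
    [ -n "$sbox" ] || return 1
    rules=$(ingress_dnat_targets "$1")
    [ -n "$rules" ] || return 1
    printf '%s\n' "$rules" | while read -r port target; do
        [ "$target" = "$sbox" ] || {
            echo "port $port is DNATed to $target, expected ingress-sbox $sbox"
            exit 1
        }
    done
}

# Stand-alone run against the constructed samples.
if check_ingress_dnat "$IPTABLES_NAT" "$GWBRIDGE_JSON"; then
    echo "published ports are DNATed to ingress-sbox at $(gwbridge_sbox_ip "$GWBRIDGE_JSON")"
fi
```

The parsing is deliberately limited to the DOCKER-INGRESS chain, because that is where Docker places the routing-mesh rules; DNAT rules in the DOCKER chain belong to ordinary `-p` port mappings of non-swarm containers and target a container IP, not the sandbox.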

Two aspects of the routing mesh

  • Internal: container-to-container access goes through the overlay network (VIP)
  • Ingress: if the service publishes a port, it can be reached through that port on any swarm node