3.5.2. Connectivity between node instances
By default, the SDN uses UDP port 4789 for pod-to-pod traffic between nodes.
To verify node host functionality, create a new application. The following example ensures that the node can reach the container image registry, which runs on an infrastructure node:
Procedure
Create a new project:
$ oc new-project sdn-test
Deploy the httpd application:
$ oc new-app centos/httpd-24-centos7~https://github.com/sclorg/httpd-ex
Wait for the build to complete:
$ oc get pods
NAME               READY     STATUS      RESTARTS   AGE
httpd-ex-1-205hz   1/1       Running     0          34s
httpd-ex-1-build   0/1       Completed   0          1m
Connect to the running pod:
$ oc rsh po/<pod-name>
For example:
$ oc rsh po/httpd-ex-1-205hz
Check the healthz path of the internal registry service:
$ curl -kv https://docker-registry.default.svc.cluster.local:5000/healthz
* About to connect() to docker-registry.default.svc.cluster.locl port 5000 (#0)
*   Trying 172.30.150.7...
* Connected to docker-registry.default.svc.cluster.local (172.30.150.7) port 5000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=172.30.150.7
* 	start date: Nov 30 17:21:51 2017 GMT
* 	expire date: Nov 30 17:21:52 2019 GMT
* 	common name: 172.30.150.7
* 	issuer: CN=openshift-signer@1512059618
> GET /healthz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: docker-registry.default.svc.cluster.local:5000
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Date: Mon, 04 Dec 2017 16:26:49 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host docker-registry.default.svc.cluster.local left intact
sh-4.2$ exit
The HTTP/1.1 200 OK response indicates that the node is connected correctly. Clean up the test project:
$ oc delete project sdn-test
project "sdn-test" deleted
The node host listens on TCP port 10250. This port must be reachable by all master hosts on every node, and if monitoring is deployed in the cluster, the infrastructure nodes must also be able to reach this port on all instances. Broken communication on this port can be detected with the following command:
$ oc get nodes
NAME                  STATUS                     AGE       VERSION
ocp-infra-node-1clj   Ready                      4d        v1.6.1+5115d708d7
ocp-infra-node-86qr   Ready                      4d        v1.6.1+5115d708d7
ocp-infra-node-g8qw   Ready                      4d        v1.6.1+5115d708d7
ocp-master-94zd       Ready,SchedulingDisabled   4d        v1.6.1+5115d708d7
ocp-master-gjkm       Ready,SchedulingDisabled   4d        v1.6.1+5115d708d7
ocp-master-wc8w       Ready,SchedulingDisabled   4d        v1.6.1+5115d708d7
ocp-node-c5dg         Ready                      4d        v1.6.1+5115d708d7
ocp-node-ghxn         Ready                      4d        v1.6.1+5115d708d7
ocp-node-w135         NotReady                   4d        v1.6.1+5115d708d7
In the output above, the master service cannot reach the node service on the ocp-node-w135 node, which is indicated by its NotReady status. The last service is the router, which is responsible for routing connections to the correct services running in the OpenShift Container Platform cluster. The router listens for ingress traffic on TCP ports 80 and 443 on the infrastructure nodes. Before the router can start working, DNS must be configured:
$ dig *.apps.example.com

; <<>> DiG 9.11.1-P3-RedHat-9.11.1-8.P3.fc27 <<>> *.apps.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45790
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;*.apps.example.com.		IN	A

;; ANSWER SECTION:
*.apps.example.com.	3571	IN	CNAME	apps.example.com.
apps.example.com.	3561	IN	A	35.xx.xx.92

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 05 16:03:52 CET 2017
;; MSG SIZE  rcvd: 105
The IP address (35.xx.xx.92 in this example) should point to the load balancer that distributes ingress traffic to all infrastructure nodes. To verify the router's functionality, check the registry service again, but this time from outside the cluster:
$ curl -kv https://docker-registry-default.apps.example.com/healthz
*   Trying 35.xx.xx.92...
* TCP_NODELAY set
* Connected to docker-registry-default.apps.example.com (35.xx.xx.92) port 443 (#0)
...
< HTTP/2 200
< cache-control: no-cache
< content-type: text/plain; charset=utf-8
< content-length: 0
< date: Tue, 05 Dec 2017 15:13:27 GMT
<
* Connection #0 to host docker-registry-default.apps.example.com left intact
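The following script is added here as an example and is not part of the OpenShift documentation. It packages the checks in this section (the oc get nodes status scan for TCP port 10250 reachability, the dig lookup of the wildcard application domain, and the healthz probes of the registry from inside and outside the cluster) into reusable shell functions so they can be run as one report. The sample oc and dig outputs embedded in it are constructed from the listings above; the hostnames and URLs are the ones used on this page, and the live_report function assumes oc, dig and curl are available on the host where it runs. It does not exercise UDP port 4789, which the httpd test above covers by deploying a pod.

```shell
#!/bin/sh
# Added example, not part of the OpenShift documentation this page is from.
# Pure parsing helpers are separated from the live commands so they can be
# exercised on the constructed samples below without cluster access.

# Constructed sample: abbreviated "oc get nodes" output from the page.
SAMPLE_NODES='NAME                  STATUS                     AGE       VERSION
ocp-infra-node-1clj   Ready                      4d        v1.6.1+5115d708d7
ocp-master-94zd       Ready,SchedulingDisabled   4d        v1.6.1+5115d708d7
ocp-node-ghxn         Ready                      4d        v1.6.1+5115d708d7
ocp-node-w135         NotReady                   4d        v1.6.1+5115d708d7'

# Constructed sample: the ANSWER SECTION of the page's dig query.
SAMPLE_DIG=';; ANSWER SECTION:
*.apps.example.com.     3571    IN      CNAME   apps.example.com.
apps.example.com.       3561    IN      A       35.xx.xx.92'

# Read "oc get nodes" output on stdin; print the names of nodes whose STATUS
# column does not begin with "Ready". Masters show Ready,SchedulingDisabled,
# which still counts as Ready. A NotReady node is one the masters cannot
# reach on TCP port 10250.
not_ready_nodes() {
    awk 'NR > 1 && $2 !~ /^Ready/ { print $1 }'
}

# Read dig output on stdin; print only the A record targets, skipping the
# CNAME hop and the ";"-prefixed comment and question lines.
dig_a_records() {
    awk '$1 !~ /^;/ && $4 == "A" { print $5 }'
}

# Succeed only for HTTP status 200, the value the healthz checks on the page
# expect.
http_ok() {
    [ "$1" = "200" ]
}

# Fetch a healthz URL and print only the HTTP status code (curl prints 000
# when no connection could be made). -k mirrors the page's checks against
# the cluster-signed registry certificate; the status code, not the body,
# is what indicates connectivity here.
healthz_status() {
    curl -sk --max-time 5 -o /dev/null -w '%{http_code}' "$1"
}

# Live report using the hostnames from this page (assumes oc, dig, curl).
live_report() {
    echo "Nodes not Ready (TCP 10250 reachability from masters):"
    oc get nodes | not_ready_nodes
    echo "Ingress A records for *.apps.example.com:"
    dig '*.apps.example.com' | dig_a_records
    for url in https://docker-registry.default.svc.cluster.local:5000/healthz \
               https://docker-registry-default.apps.example.com/healthz; do
        code=$(healthz_status "$url")
        if http_ok "$code"; then
            echo "OK   $url ($code)"
        else
            echo "FAIL $url ($code)"
        fi
    done
}

# Run the live checks only when invoked as: sh connectivity.sh live
if [ "${1:-}" = "live" ]; then
    live_report
fi
```

The internal healthz URL only resolves from inside the cluster (for example from the rsh session shown above), so when the script runs from outside, the first probe is expected to report 000 and only the router-facing URL should return 200.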