2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
What is SNAT used for, and how do you solve the access problem of an nginx container? Both questions come up in day-to-day work. The details are walked through below.
I. SNAT planning optimization

SNAT planning optimization provides transparent access between containers on two hosts. If it is not optimized, access between containers is recorded with the IP address of the host.

1. The host accesses the nginx container at 172.7.22.2.
2. On 172.7.22.2, view the nginx access log.
3. Enter the container at 172.7.21.2 and access the nginx container at 172.7.22.2 to view the log.
4. Check the nginx access log of 172.7.22.2 again.
5. The problem to solve: when container 172.7.21.2 accesses the nginx container of 172.7.22.2, the log displayed should be 172.7.22.2.

II. Solution

1. Install the iptables-services component

    [root@test-nodes1 ~]# yum -y install iptables-services
    [root@test-nodes1 ~]# systemctl start iptables
    [root@test-nodes1 ~]# systemctl enable iptables
    Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

2. Find the masquerade rule to be deleted in the following iptables records

    [root@test-nodes1 ~]# iptables-save | grep -i postrouting
    :POSTROUTING ACCEPT [68:4098]
    :KUBE-POSTROUTING - [0:0]
    -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
    -A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE    # Delete this entry
    -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE

3. Delete the record

    [root@test-nodes1 ~]# iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE

4. Insert a new record (excluding access to the 172.7.0.0/16 network from masquerading)

    [root@test-nodes1 ~]# iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE

5. Check whether it works

    [root@test-nodes1 ~]# iptables-save | grep -i postrouting
    :POSTROUTING ACCEPT [13:814]
    :KUBE-POSTROUTING - [0:0]
    -A POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
    -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
    -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE

6. Delete all REJECT rules in iptables

    [root@test-nodes1 ~]# iptables-save | grep -i reject
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    [root@test-nodes1 ~]# iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
    [root@test-nodes1 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    [root@test-nodes1 ~]# iptables-save | grep -i reject

7. Save the iptables rules

    [root@test-nodes1 ~]# iptables-save > /etc/sysconfig/iptables

III. Verify the result

1. Access 172.7.22.2 from container 172.7.21.2
2. View the container log of 172.7.22.2
Note: the same operation needs to be performed on test-nodes.
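
A scripted version of the check in step 5, for confirming on each node that the MASQUERADE rule for the container subnet carries the `! -d 172.7.0.0/16` exclusion. This is an added example, not part of the original article; the function name `check_snat` and its result strings are hypothetical, and the sample rule lines are the ones shown in the output above.

```shell
#!/bin/sh
# Added example: classify the POSTROUTING MASQUERADE rules for one container
# subnet, reading iptables-save output on stdin.
#   ok                   every MASQUERADE rule for the subnet has "! -d <cluster>"
#   masquerades-cluster  a rule for the subnet still rewrites container-to-container traffic
#   no-rule              no MASQUERADE rule for the subnet was found
check_snat() {
    awk -v subnet="$1" -v cluster="$2" '
        $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            src = ""; excl = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)                       # source match
                if ($i == "!" && $(i + 1) == "-d") excl = $(i + 2)   # negated destination
            }
            if (src != subnet) next
            found = 1
            if (excl != cluster) bad = 1
        }
        END {
            if (!found)   print "no-rule"
            else if (bad) print "masquerades-cluster"
            else          print "ok"
        }'
}

# Sample input: rule lines as shown in the iptables-save output on this page.
BEFORE='-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE'
AFTER='-A POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING'

printf '%s\n' "$BEFORE" | check_snat 172.7.21.0/24 172.7.0.0/16   # masquerades-cluster
printf '%s\n' "$AFTER"  | check_snat 172.7.21.0/24 172.7.0.0/16   # ok
```

On a node, feed it the live table with `iptables-save -t nat | check_snat 172.7.21.0/24 172.7.0.0/16`, and the saved file with `check_snat 172.7.21.0/24 172.7.0.0/16 < /etc/sysconfig/iptables` to confirm the change survives a restart of the iptables service.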
The above covers the use of SNAT and how to solve the problem of errors when accessing the nginx container. The specific usage is best learned through hands-on experiment.