higress-group / higress-standalone


Docker container running in host network mode cannot bind port 80 #75

Closed huangye123 closed 7 months ago

huangye123 commented 7 months ago

1. docker compose startup command

```yaml
higress:
  image: www.myhuangye.com:8443/basic/higress:1.3.5
  container_name: cloud-higress
  network_mode: host
  privileged: true
  ports:
  #  - 80:80
  #  - 443:443
  #  - 8080:8080
  volumes:
    - /data/higress/data:/data/
    - /data/higress/config:/opt/data
    - /data/higress/log/higress:/var/log/higress
    - /data/higress/log/nacos:/var/log/nacos
  environment:
    - MODE=full
    - ENABLE_CONSOLE_ROUTE=0
  logging:
    driver: "json-file"
    options:
      max-size: "1g"
```

2. With the container port mapping 80:80 everything works normally. In host network mode, port 80 cannot be used, while port 8080 can still be used to log in to the admin console.

3. gateway.log from the backend

```
2024-04-24T07:28:36.886844Z info Using existing certs
2024-04-24T07:28:36.893623Z info CA Endpoint 127.0.0.1:15012, provider Citadel
2024-04-24T07:28:36.893650Z info Using CA 127.0.0.1:15012 cert with certs: /etc/certs/root-cert.pem
2024-04-24T07:28:36.893682Z info citadelclient Citadel client using custom root cert: 127.0.0.1:15012
2024-04-24T07:28:36.893693Z info Opening status port 15020
2024-04-24T07:28:36.901017Z info ads All caches have been synced up in 16.590657ms, marking server ready
2024-04-24T07:28:36.901148Z info sds SDS server for workload certificates started, listening on "etc/istio/proxy/SDS"
2024-04-24T07:28:36.901158Z info xdsproxy Initializing with upstream address "127.0.0.1:15012" and cluster "Kubernetes"
2024-04-24T07:28:36.901198Z info sds Starting SDS grpc server
2024-04-24T07:28:36.901283Z info Pilot SAN: [127.0.0.1]
2024-04-24T07:28:36.901396Z info starting Http service at 127.0.0.1:15004
2024-04-24T07:28:36.901696Z info Pilot SAN: [127.0.0.1]
2024-04-24T07:28:36.902552Z info Starting proxy agent
2024-04-24T07:28:36.902563Z info Epoch 0 starting
2024-04-24T07:28:36.902569Z info Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --drain-strategy immediate --parent-shutdown-time-s 60 --local-address-ip-version v4 --file-flush-interval-msec 1000 --disable-hot-restart --log-format [Envoy (Epoch 0)] [%Y-%m-%d %T.%e][%t][%l][%n] %v -l warning --component-log-level misc:error]
2024-04-24T07:28:37.001734Z info cache adding watcher for file certificate etc/certs/cert-chain.pem
2024-04-24T07:28:37.001752Z info cache read certificate from file resource=default
2024-04-24T07:28:37.001788Z info cache adding watcher for file certificate etc/certs/root-cert.pem
2024-04-24T07:28:37.001792Z info cache read certificate from file resource=ROOTCA
2024-04-24T07:28:37.014204Z info xdsproxy connected to upstream XDS server: 127.0.0.1:15012
[Envoy (Epoch 0)] [2024-04-24 07:28:37.285][171][error][config] listener '0.0.0.0_80' failed to bind or apply socket options: cannot bind '0.0.0.0:80': Permission denied
[Envoy (Epoch 0)] [2024-04-24 07:28:37.297][171][warning][config] gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_80: cannot bind '0.0.0.0:80': Permission denied
[Envoy (Epoch 0)] [2024-04-24 07:28:37.298][171][warning][config] Ignoring unwatched type URL type.googleapis.com/envoy.config.route.v3.ScopedRouteConfiguration
```

4. pilot.log from the backend

```
2024-04-24T07:39:34.123162Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/DestinationRule cnt=0 nonce=3ddb2d54-e66c-4b57-b753-8eb53a6fdb19
2024-04-24T07:39:34.123202Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/Sidecar cnt=0 nonce=daf7b09a-8db9-4aed-9f4f-c7b05dd0d7ea
2024-04-24T07:39:34.123213Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/VirtualService cnt=1 nonce=eec4c9e8-a5c0-49df-a6b9-3f0323ca8d1b
2024-04-24T07:39:34.123250Z info adsc Received 127.0.0.1:15051 type core/v1alpha1/MeshConfig cnt=0 nonce=3f875cad-a28c-4985-b857-dd9fd998a5ab
2024-04-24T07:39:34.123262Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/ServiceEntry cnt=14 nonce=401a8713-3903-4310-917e-359296aeeac7
2024-04-24T07:39:34.123335Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/ServiceSubscriptionList cnt=0 nonce=8630f5a7-e219-4966-b072-9160ad55b084
2024-04-24T07:39:34.123341Z info adsc Received 127.0.0.1:15051 type security.istio.io/v1beta1/PeerAuthentication cnt=0 nonce=453f0988-5e81-471a-b5b3-1c652d6abb8e
2024-04-24T07:39:34.123347Z info adsc Received 127.0.0.1:15051 type extensions.istio.io/v1alpha1/WasmPlugin cnt=0 nonce=881f7dd6-5d78-4800-99f4-2aa749d96067
2024-04-24T07:39:34.123352Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/Gateway cnt=1 nonce=e9a6c66d-3f29-4bb6-97bc-d9d46a148a21
2024-04-24T07:39:34.123362Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/WorkloadEntry cnt=0 nonce=26302b60-1e6c-41bd-8582-f7aae1c5d546
2024-04-24T07:39:34.123367Z info adsc Received 127.0.0.1:15051 type security.istio.io/v1beta1/RequestAuthentication cnt=0 nonce=769f3d27-4ed1-4085-8140-1068886be171
2024-04-24T07:39:34.123372Z info adsc Received 127.0.0.1:15051 type telemetry.istio.io/v1alpha1/Telemetry cnt=0 nonce=0d549c22-7bbd-4be7-9a23-fc0124a17f13
2024-04-24T07:39:34.123377Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/EnvoyFilter cnt=1 nonce=b54c70da-45ed-4ceb-889c-a8a1e1bd2698
2024-04-24T07:39:34.123393Z info adsc Received 127.0.0.1:15051 type networking.istio.io/v1alpha3/WorkloadGroup cnt=0 nonce=da6d0130-c7b8-4937-8900-294b6dbfa0d6
2024-04-24T07:39:34.123398Z info adsc Received 127.0.0.1:15051 type security.istio.io/v1beta1/AuthorizationPolicy cnt=0 nonce=ee94d84e-37e9-4850-9389-bd7cd94ad1d4
2024-04-24T07:39:34.123696Z info ads Full push, new service mcp/jnpf-message.DEFAULT-GROUP.dev.nacos
2024-04-24T07:39:34.123708Z info ads full push happen, reason:[service]
2024-04-24T07:39:34.223814Z info ads Push debounce stable[5] 14 for config ServiceEntry/mcp/jnpf-visualdata.DEFAULT-GROUP.dev.nacos and 13 more configs: 100.011488ms since last change, 100.173333ms since last push, full=true
2024-04-24T07:39:34.224049Z info ads XDS: Pushing:2024-04-24T07:39:34Z/5 Services:15 ConnectedEndpoints:1 Version:2024-04-24T07:39:34Z/5
2024-04-24T07:39:34.224299Z info ads CDS: PUSH for node:higress-gateway.higress-system resources:17 size:6.2kB cached:2/16
2024-04-24T07:39:34.224392Z info ads EDS: PUSH for node:higress-gateway.higress-system resources:15 size:1.9kB empty:0 cached:2/15
2024-04-24T07:39:34.224645Z info ads LDS: PUSH for node:higress-gateway.higress-system resources:1 size:3.8kB
2024-04-24T07:39:34.224682Z info ads SRDS: PUSH for node:higress-gateway.higress-system resources:1 size:37B
2024-04-24T07:39:34.240244Z info ads EDS: PUSH request for node:higress-gateway.higress-system resources:16 size:2.0kB empty:0 cached:15/16
2024-04-24T07:39:34.250094Z warn ads ADS:LDS: ACK ERROR higress-gateway.higress-system-1 Internal:Error adding/updating listener(s) 0.0.0.0_80: cannot bind '0.0.0.0:80': Permission denied
```

CH3CHO commented 7 months ago

Is your Docker running as root? Could it be that it lacks permission to listen on port 80?

huangye123 commented 7 months ago

> Is your Docker running as root? Could it be that it lacks permission to listen on port 80?

[screenshot]

It runs as root and has permission for port 80. The screenshot shows the port-mapping setup, which also uses port 80.

CH3CHO commented 7 months ago

Please post your operating system, kernel version and Docker version. It looks like port 80 cannot be listened on inside the container. You could also check the relevant Docker documentation.

huangye123 commented 7 months ago

> Please post your operating system, kernel version and Docker version. It looks like port 80 cannot be listened on inside the container. You could also check the relevant Docker documentation.

Operating system: Debian 12.5; kernel version: 6.1; Docker version: 26.0.0

On the same server, another nginx container binds port 80 in host mode and works normally, so a Docker environment problem can be ruled out.

CH3CHO commented 7 months ago

@johnlanni could you help take a look as well?

johnlanni commented 7 months ago

Running in host network mode, port 80 definitely requires root privileges. I suspect this is because the current image sets a user that is not root. @CH3CHO, I'm not sure whether docker compose has a parameter that can override the user set in the Dockerfile.

CH3CHO commented 7 months ago

> Running in host network mode, port 80 definitely requires root privileges. I suspect this is because the current image sets a user that is not root. @CH3CHO, I'm not sure whether docker compose has a parameter that can override the user set in the Dockerfile.

There is a `user` field. You can give it a try. @huangye123

https://docs.docker.com/compose/compose-file/05-services/#user

huangye123 commented 7 months ago

> > Running in host network mode, port 80 definitely requires root privileges. I suspect this is because the current image sets a user that is not root. @CH3CHO, I'm not sure whether docker compose has a parameter that can override the user set in the Dockerfile.
>
> There is a `user` field. You can give it a try. @huangye123
>
> https://docs.docker.com/compose/compose-file/05-services/#user

Thanks for the technical support. Adding `user` set to root solved it.

```yaml
higress:
  image: www.myhuangye.com:8443/basic/higress:1.3.5
  container_name: jnpf-cloud-higress
  network_mode: host
  user: root
  volumes:
```
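An added diagnostic for the symptom in this thread (not part of the higress project or of any comment above): it reads the user the image runs as and the host's unprivileged-port floor, then decides whether a low port can be bound in host network mode. It assumes `docker` and `sysctl` are on the host; the image name and port are only defaults taken from this issue. Behind a port mapping the container gets its own network namespace, where Docker 20.10 and later set `net.ipv4.ip_unprivileged_port_start` to 0, which is why the 80:80 mapping worked for a non-root user while host mode, which inherits the host's floor of 1024, did not.

```shell
# Added diagnostic for "cannot bind '0.0.0.0:80': Permission denied" in host network mode.
# Not part of higress; the image name and port below are defaults copied from this issue.

# can_bind USER PORT UNPRIV_START: prints yes/no and returns 0/1.
# USER is the image's Config.User ("" means root); UNPRIV_START is the
# net.ipv4.ip_unprivileged_port_start of the network namespace the process
# actually binds in (the host's own value when network_mode is host).
can_bind() {
  user=$1; port=$2; unpriv_start=$3
  case "$user" in
    ""|root|0|root:*|0:*) echo yes; return 0 ;;   # root keeps CAP_NET_BIND_SERVICE in Docker's default cap set
  esac
  if [ "$port" -ge "$unpriv_start" ]; then        # any other user: only ports at or above the floor
    echo yes; return 0
  fi
  echo no; return 1
}

# diagnose [IMAGE] [PORT]: reads the live values with docker and sysctl (assumed installed).
diagnose() {
  image=${1:-www.myhuangye.com:8443/basic/higress:1.3.5}
  port=${2:-80}
  user=$(docker image inspect --format '{{.Config.User}}' "$image" 2>/dev/null) || {
    echo "image not present locally: $image"; return 2; }
  # Bridge networking gets its own netns where Docker (20.10+) sets the floor to 0,
  # so the 80:80 mapping works; host mode binds in the host netns and sees its floor.
  floor=$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024)
  echo "image user: '${user:-root}'  host unprivileged port floor: $floor"
  if can_bind "$user" "$port" "$floor" >/dev/null; then
    echo "port $port can be bound in host network mode"
  else
    echo "port $port cannot be bound as user '$user' in host network mode;"
    echo "fix used in this issue: add 'user: root' to the compose service"
  fi
}
```

Run `diagnose` on the host after pulling the image; `can_bind` can be used on its own to reason about any image/port/floor combination without Docker present.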