Pulling images from the public internet inside a VM via a proxy on the host


First, the behaviour before any configuration: the pull sat for a full minute with no progress at all.

root@Y76-K8s-Master01:~# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
ea235d1ccf77: Retrying in 1 second 
e29cef106877: Retrying in 1 second 
e9bf20d5335e: Retrying in 1 second 
1394e86b8f58: Waiting 
7b2b3e0f512f: Waiting 
6a11b5a77155: Waiting 
fb6d6e4aad9c: Waiting

Now for the configuration. Start the proxy software on the host (steps omitted; make sure the proxy is set to allow connections from the LAN), then check which port the proxy is listening on:

# netstat -ntl |grep 7890
tcp4       0      0  127.0.0.1.7890                                127.0.0.1.60486                               ESTABLISHED
tcp4       0      0  127.0.0.1.60486                               127.0.0.1.7890                                ESTABLISHED
tcp4       0      0  127.0.0.1.7890                                127.0.0.1.60440                               ESTABLISHED
tcp4       0      0  127.0.0.1.60440                               127.0.0.1.7890                                ESTABLISHED
tcp4       0      0  127.0.0.1.7890                                127.0.0.1.60407                               ESTABLISHED
tcp4       0      0  127.0.0.1.60407                               127.0.0.1.7890                                ESTABLISHED
tcp4       0      0  127.0.0.1.7890                                127.0.0.1.59913                               ESTABLISHED
tcp4       0      0  127.0.0.1.59913                               127.0.0.1.7890                                ESTABLISHED
tcp4       0      0  127.0.0.1.60458                               127.0.0.1.7890                                TIME_WAIT  
tcp4       0      0  127.0.0.1.60526                               127.0.0.1.7890                                TIME_WAIT  
tcp4       0      0  127.0.0.1.60508                               127.0.0.1.7890                                TIME_WAIT  
udp4       0      0  127.0.0.1.7890                                *.*                                                      


From the VM, test whether the host's port is reachable:

root@Y76-K8s-Master01:~# ping 172.164.17.100
PING 172.164.17.100 (172.164.17.100): 56 data bytes
64 bytes from 172.164.17.100: icmp_seq=0 ttl=128 time=0.784 ms
64 bytes from 172.164.17.100: icmp_seq=1 ttl=128 time=1.253 ms
^C--- 172.164.17.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.784/1.018/1.253/0.235 ms
root@Y76-K8s-Master01:~# telnet 172.164.17.100 7890
Trying 172.164.17.100...
Connected to 172.164.17.100.
Escape character is '^]'.

The VM can reach the host's port, so the next step is to configure the proxy inside the VM's operating system:

root@Y76-K8s-Master01:/usr/lib/systemd/system# pwd
/usr/lib/systemd/system
root@Y76-K8s-Master01:/usr/lib/systemd/system# vim docker.service 
# Add the following two lines under [Service] so that Docker's traffic is proxied out to the internet through the host's port 7890
Environment="HTTPS_PROXY=http://172.164.17.100:7890"
Environment="HTTP_PROXY=http://172.164.17.100:7890"

root@Y76-K8s-Master01:/usr/lib/systemd/system# systemctl daemon-reload 
root@Y76-K8s-Master01:/usr/lib/systemd/system# systemctl restart docker 
root@Y76-K8s-Master01:/usr/lib/systemd/system# time docker pull nginx 
Using default tag: latest
latest: Pulling from library/nginx
ea235d1ccf77: Pull complete 
e29cef106877: Pull complete 
e9bf20d5335e: Pull complete 
1394e86b8f58: Pull complete 
7b2b3e0f512f: Pull complete 
6a11b5a77155: Pull complete 
fb6d6e4aad9c: Pull complete 
Digest: sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest

real    0m7.408s
user    0m0.028s
sys     0m0.014s

At this point Docker pulls images from the internet through the host's port 7890. The same method works for containerd pulling images in K8s, but be aware that configuring a proxy in containerd may break Pod health checks, for example a readiness probe that is configured to request a particular IP and judge the check from the response. The reason is that once proxy forwarding is configured, the request is routed via the host's port 7890, and since the host exposes that port, traffic leaving through port 7890 goes straight to the internet.

Fix: add address exclusions in containerd so that the K8s network ranges do not use the host's port 7890 as their egress.

# Add the following under [Service] in containerd.service
Environment="HTTPS_PROXY=http://172.164.17.100:7890"
Environment="HTTP_PROXY=http://172.164.17.100:7890"
Environment="NO_PROXY=localhost,127.0.0.1,172.16.0.0/12,10.96.0.0/12,10.244.0.0/16"
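To see why the NO_PROXY line matters, the following added example (not code from the original post) evaluates the proxy decision for a few destinations against the post's HTTP_PROXY address and NO_PROXY list: with NO_PROXY empty, a probe to a pod IP in 10.244.0.0/16 would be sent to the host proxy; with the list in place it goes direct. The probe URL and registry URL are constructed sample inputs; hostname matching is a simplification of Go's proxy handling, while the CIDR matching is the part this post depends on.

```python
import ipaddress
from urllib.parse import urlsplit

# NO_PROXY list from the containerd.service fragment above.
K8S_NO_PROXY = "localhost,127.0.0.1,172.16.0.0/12,10.96.0.0/12,10.244.0.0/16"
# Proxy address from the post's HTTP_PROXY / HTTPS_PROXY lines.
HOST_PROXY = "http://172.164.17.100:7890"


def parse_no_proxy(value):
    """Split a NO_PROXY string into (ip networks, hostname suffixes)."""
    networks, hosts = [], []
    for entry in value.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        try:
            # Bare IPs become /32 networks; CIDR entries are kept as written.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.append(entry.lstrip("."))
    return networks, hosts


def bypasses_proxy(url, no_proxy):
    """True if a request to url is sent directly rather than via the proxy.

    Hostname matching (exact or dotted suffix) is a simplification of what
    Go's proxy handling does; IP/CIDR matching is what matters for the pod
    and service ranges in this post.
    """
    host = (urlsplit(url).hostname or url).lower()
    networks, hosts = parse_no_proxy(no_proxy)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(host == h or host.endswith("." + h) for h in hosts)
    return any(addr in net for net in networks)


def egress_for(url, no_proxy=K8S_NO_PROXY, proxy=HOST_PROXY):
    """Return 'direct' or the proxy URL the request would be forwarded to."""
    return "direct" if bypasses_proxy(url, no_proxy) else proxy


if __name__ == "__main__":
    # Constructed readiness-probe target in the pod CIDR, and a registry pull.
    for target in ("http://10.244.1.5:8080/healthz", "https://registry-1.docker.io/v2/"):
        print(target, "| no NO_PROXY:", egress_for(target, no_proxy=""),
              "| with NO_PROXY:", egress_for(target))
```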


posted @ 2024-07-07 23:00  Ky150