容器化应用: 从外部访问Openshift集群内的MySQL服务

我们知道Openshift容器化平台中, POD有自己的IP地址, 但是它只能在集群的内部可用. 那如果我要从其他物理计算机通过网络访问容器内的MySQL怎么办呢?

我想到了Router, 但是, Router 只支持HTTP协议的转发, 我们要使用TCP. 因此, NodePort出场了!

通过NodePort

这种方式适合长期使用, 对外提供

先看看有DC的名称

➜ oc get dc
NAME                 REVISION   DESIRED   CURRENT   TRIGGERED BY
hello-microservice   1          1         1         config,image(hello-microservice:latest)
mysql-57-centos7     11         1         1         config,image(mysql-57-centos7:latest)
nodejs-ex            1          1         1         config,image(nodejs-ex:latest)

mysql-57-centos7 是我们需要的

暴露指定DC, 暴露类型为 LoadBalancer, 暴露的名称为

oc expose dc mysql-57-centos7 --type=LoadBalancer --name=mysql-ingress

导出

➜ oc export svc mysql-ingress
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: mysql-57-centos7
  name: mysql-ingress
spec:
  deprecatedPublicIPs:
  - 172.29.208.121
  externalIPs:
  - 172.29.208.121
  ports:
  - nodePort: 32621
    port: 3306
    protocol: TCP
    targetPort: 3306
  selector:
    app: mysql-57-centos7
    deploymentconfig: mysql-57-centos7
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

在导出的配置中, 我们看到 spec.ports.nodePort 为 32621, 这个端口就是我们可以从外部访问MySQL的目标端口.

登录MySQL测试连通性

➜ mysql --user=data --password=data --host=$(minishift ip) --port=32621
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.7.16 MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

OK, 看起来没有问题.

注意: 注意分配合适的登录权限. 比如:
ERROR 1045 (28000): Access denied for user 'data'@'172.17.0.1' (using password: NO)

因此需要给登录客户端所在的IP地址分配权限:

CREATE USER 'data'@'172.17.0.1' IDENTIFIED BY 'data';
GRANT ALL PRIVILEGES ON *.* TO 'data'@'172.17.0.1';
FLUSH PRIVILEGES;

通过端口转发

端口转发可以通过你的物理机器所在的网络连接到POD,多用于开发测试环境

开启端口转发

➜ oc port-forward mysql-57-centos7-11-2wfs4 10001:3306
Forwarding from 127.0.0.1:10001 -> 3306
Forwarding from [::1]:10001 -> 3306
Handling connection for 10001

MySQL连接测试

➜ mysql -udata --password=data --host=127.0.0.1 --port=10001
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 5.7.16 MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

上述方法不限于MySQL这样的应用, 各种基于TCP的应用都可以使用这两种方式, 在合适的环境中使用.