英文:
dial tcp <REMOTE-IP>:6379: connect: connection refused
问题
我正在使用GKE(Google Kubernetes Engine)构建一个应用程序,并使用GCE实例的Redis系统。
当我尝试从GKE上的应用程序Pod连接到GCE上的Redis时,我收到连接被拒绝的错误消息(dial tcp <REMOTE-IP>:6379: connect: connection refused)。
应用程序是用Go语言编写的,使用的是go-redis(v8)库。
为什么我无法连接?
连接部分和出现错误的部分的源代码如下所示。
redisServerName = os.Getenv("REDIS_SERVER") // "sample.com:6379"
redisClient = redis.NewClient(&redis.Options{
Addr: redisServerName,
Password: "",
DB: 0,
})
p, err := redisClient.Ping(ctx).Result()
log.Println(p, err)
主机名已解析,所以不是DNS问题,并且redis-cli命令可执行,所以似乎不是防火墙问题。
# redis-cli -h <REMOTE_IP> ping
PONG
- 后记
以下是在运行Go应用程序的Pod中运行该命令的结果。
/# redis-cli -h redis.sample.com
redis.sample.com:6379> // 可以连接
/# nc redis.sample.com 6379
// 没有响应。
英文:
I'm building an application on GKE (Google Kubernetes Engine) and a system using GCE instances of Redis.
When I try to connect from the application pod on GKE to Redis on GCE, I get connection refused.(dial tcp <REMOTE-IP>:6379: connect: connection refused)
The application is written in Go, and the redis library is go-redis(v8).
Why can't I connect?
The source code for the connection part and the part where the error occurs is as follows.
redisServerName = os.Getenv("REDIS_SERVER") // "sample.com:6379"
redisClient = redis.NewClient(&redis.Options{
Addr: redisServerName,
Password: "",
DB: 0,
})
p, err := redisClient.Ping(ctx).Result()
log.Println(p, err)
The hostname is resolved, so it is not a DNS problem, and the redis-cli commands are executable, so it does not seem to be a Firewall problem.
# redis-cli -h <REMOTE_IP> ping
PONG
- Postscript
Here is the result of running the command from the Pod with the Go application running
/# redis-cli -h redis.sample.com
redis.sample.com:6379> // can connect
/# nc redis.sample.com 6379
// There is NO response.
答案1
得分: 1
我断言容器中的每个应用程序都将具有相同的第四层(对于Redis来说是TCP)网络访问。由于Redis没有提供重要的访问控制,这意味着如果容器中的一个应用程序可以访问Redis服务器,那么同一容器中的所有其他应用程序也可以。如果一个应用程序无法联系到Redis,其他应用程序也将无法联系到Redis。
在同一个容器中进行测试会变得棘手,因为在这里无法复制您的k8s和gke配置,这对测试没有帮助,也不可行。
ICMP Ping和tcp/6379是不同的。仅仅因为ping命令可以工作,并不意味着Redis也可以工作,反之亦然。在k8s和gke中,不同的容器将具有不同的网络访问权限。
在应用程序容器上进行此测试,以尽可能排除其他因素的影响。
当我进行测试时,apk add redis只会拉取几个软件包,仅占用8MB,并提供redis-cli,但您不需要任何Redis的客户端应用程序;可以使用简单的工具,比如netcat来完成。您也不必发出有效的Redis命令-如果您收到-ERR unknown command的响应,那么说明网络是正常的:
/ # echo "hi, redis!" |nc localhost 6379
-ERR unknown command `hi,`, with args beginning with: `redis!`,
如果在这里可以工作而在Go中无法工作,那很可能是因为环境变量REDIS_SERVER没有正确设置。因此,您可能还想在命令行上测试那个变量。
nc $REDIS_SERVER 6379
英文:
I assert that every application in a container will have the same layer 4 (for redis, TCP) access to the network. Since Redis provides no significant access control, this means that if one app on your container has network access to redis server, all other apps on the same container will too. And if one can't contact redis, neither will the other.
On the same container. This is where testing gets tricky, because it isn't helpful or feasible to reproduce your k8s and gke config here.
ICMP Ping and tcp/6379 are different. Just because ping works, doesn't mean Redis can, and vise versa. And different containers will have different network access in k8s and gke.
Do this test on the app container, to take everything possible out of he equation.
apk add redis only pulls in a few packages, only 8MB and provides redis-cli when I tested, but you don't need any client app for redis; it's simple enough to be done with, say, netcat
. You don't have to issue a valid redis cmd, either - if you get an -ERR unknown command response, you know network works:
/ # echo "hi, redis!" |nc localhost 6379
-ERR unknown command `hi,`, with args beginning with: `redis!`,
If it works there and not in Go, it's probably because the environment variable REDIS_SERVER isn't set properly. So you might want to test that at the command line, as well.
nc $REDIS_SERVER 6379
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论