
google-compute-engine - Unable to connect to an HTTP service running on a Google Compute Engine VM instance

Reposted. Author: 行者123. Last updated: 2023-12-01 01:49:54

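I have a VM instance running COS version "cos-dev-61-9733-0-0" on an f1-micro instance. I have configured an external IP address, 146.xxx.xxx.106, and assigned it to this instance. I am trying to test HTTP connectivity to this instance from my local workstation, but so far without success.

I enabled the "Allow HTTP traffic" and "Allow HTTPS traffic" settings under "Firewall", even though the boxes do not show as checked after I save. However, the network tags value is "http-server, https-server", as shown below: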

enter image description here

I also confirmed that "Networking > Firewall settings" has a default HTTP rule, as shown below:

enter image description here

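I found a similar issue reported here, but it did not help solve my problem: Cannot access Google Cloud Compute Instance External IP. Any suggestions about other settings I am missing would be appreciated. I looked for OS-level firewall settings but could not find enough Chromium OS documentation.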

Here are the steps I followed:

On the GCE instance:

    $ sudo python -m SimpleHTTPServer 80
    Serving HTTP on 0.0.0.0 port 80 ...

    $ sudo netstat -antup
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address    Foreign Address    State     PID/Program name
    tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN    638/sshd
    tcp        0      0 0.0.0.0:5355     0.0.0.0:*          LISTEN    613/systemd-resolve
    tcp        0      0 0.0.0.0:80       0.0.0.0:*          LISTEN    12750/python2.7

Ran the curl command and got the following response:

    $ curl http://localhost:80

Directory listing for /


  • .bash_history
  • .bash_logout
  • .bash_profile
  • .bashrc
  • .docker/
  • .ssh/
  • .viminfo
  • apps/



From the local workstation:

  • Pinged the external IP address and received a response:

    $ ping 146.xxx.xxx.106
    PING 146.xxx.xxx.106 (146.xxx.xxx.106) 56(84) bytes of data.
    64 bytes from 146.xxx.xxx.106: icmp_seq=1 ttl=63 time=1131 ms
    ^C
    --- 146.xxx.xxx.106 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2007ms

  • Successfully connected to the instance over SSH:

    $ ssh 146.xxx.xxx.106
    debianuser@cos-dev-61-dockervm1 ~ $

  • Ran the "nmap" command, but it shows only SSH port 22 open:

    $ nmap -Pn 146.xxx.xxx.106

    Starting Nmap 6.47 ( http://nmap.org ) at 2017-07-20 11:35 CDT
    Nmap scan report for 106.xxx.xxx.146.bc.googleusercontent.com (146.xxx.xxx.106)
    Host is up (0.17s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE
    22/tcp open  ssh

    Nmap done: 1 IP address (1 host up) scanned in 86.74 seconds

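Best answer

Container-optimized OS images have a firewall enabled at the operating system level that blocks all incoming traffic (except ssh). By default, only outgoing traffic is allowed.

In addition to configuring Google Compute Engine firewall rules to allow incoming traffic to the VM, you also need to make sure that the operating system running in the VM allows it as well.

This is mentioned in the docs for Container-Optimized OS: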

Configuring the Host Firewall

By default, the Container-Optimized OS host firewall allows only outgoing connections, and accepts incoming connections only through the SSH service. To accept incoming connections on a Container-Optimized OS instance, you must open the ports your services are listening on.

For example, to accept connections from other instances within the same Compute Engine project, run the following commands on both your development workstation, and on your Container-Optimized OS instance:

    # On your workstation:
    SUBNETWORK_URI=$(gcloud compute instances describe ${COS_INSTANCE_NAME} | grep -w 'subnetwork:' | awk '{ print $2 }')
    SUBNET_PREFIX=$(gcloud compute networks subnets describe ${SUBNETWORK_URI} | grep -w 'ipCidrRange:' | awk '{ print $2 }')

    # On your Container-Optimized OS instance:
    sudo iptables -w -A INPUT -p tcp -s ${SUBNET_PREFIX} -j ACCEPT
    sudo iptables -w -A INPUT -p udp -s ${SUBNET_PREFIX} -j ACCEPT

As another example, if you need to accept HTTP (port 80) connections from any source IP address, run the following commands on your Container-Optimized OS instance:

    # On your Container-Optimized OS instance:
    sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT

In general, it is recommended you configure the host firewall as a systemd service through cloud-init.
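
The symptoms in the question (ping and SSH succeed, port 80 shows as filtered although the server is listening) follow from first-match evaluation of the host's INPUT chain. The script below is an added example, not part of the original question, answer or Google's documentation: it reads `iptables -S INPUT` output and reports the verdict for a new inbound TCP connection to a given port. The embedded rule listing is constructed for illustration, and `verdict_for_port` and `port_matches` are hypothetical helper names.

```shell
# Added example. Reads `iptables -S INPUT` output on stdin and prints ACCEPT,
# DROP or REJECT for a NEW inbound TCP connection from an arbitrary source.
# First matching rule wins, else the chain policy. Simplification: rules with
# any match other than -p/--dport (source, interface, state) are skipped.

# Constructed sample of a default-deny INPUT chain that admits only SSH.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

port_matches() {            # $1: rule's --dport (any, N or LO:HI)  $2: port
    case "$1" in
        any) return 0 ;;
        *:*) [ "$2" -ge "${1%%:*}" ] && [ "$2" -le "${1##*:}" ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

verdict_for_port() {        # $1: destination TCP port to evaluate
    want_port=$1
    policy=ACCEPT           # built-in default when no -P line is present
    while read -r line; do
        set -- $line        # split the rule into words
        case "$1" in
            -P) [ "$2" = INPUT ] && policy=$3; continue ;;
            -A) [ "$2" = INPUT ] || continue ;;
            *)  continue ;;
        esac
        shift 2
        proto=any; dport=any; target=; conditional=no
        while [ $# -gt 0 ]; do
            case "$1" in
                -p)      proto=$2; shift ;;
                --dport) dport=$2; shift ;;
                -m)      shift ;;               # module name, e.g. "-m tcp"
                -j)      target=$2; break ;;    # target options follow; stop
                *)       conditional=yes ;;     # any other match: not universal
            esac
            shift
        done
        [ "$conditional" = yes ] && continue
        case "$proto" in any|tcp) ;; *) continue ;; esac
        port_matches "$dport" "$want_port" || continue
        case "$target" in ACCEPT|DROP|REJECT) echo "$target"; return 0 ;; esac
    done
    echo "$policy"
}
```

On the instance, `sudo iptables -w -S INPUT | verdict_for_port 80` can be run before and after adding the port 80 rule from the answer to confirm the change took effect.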

Regarding "google-compute-engine - Unable to connect to an HTTP service running on a Google Compute Engine VM instance", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/45225191/
