wordpress - 每个其他请求的 Kubernetes Traefik 内部服务器错误
问题描述
所以我使用的是 traefik 2.2,我运行一个带有单节点主节点的裸机 kubernetes 集群。我没有物理或虚拟负载均衡器,因此 traefik pod 接收端口 80 和 443 上的所有请求。我有一个安装了 helm 的示例 wordpress。正如您在此处看到的,所有其他请求都是 500 错误。http://wp-example.cryptexlabs.com/feed/。我可以确认 500 错误的请求永远不会到达 wordpress 容器,所以我知道这与 traefik 有关。在 traefik 日志中,它只显示有 500 错误。所以我在 traefik 命名空间中有 1 个 pod,在默认服务中有一个服务,在默认命名空间中有一个外部名称服务,它指向一个 wp-example 命名空间的示例 wordpress 站点。
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: traefik
chart: traefik-0.2.0
heritage: Tiller
release: traefik
name: traefik
namespace: traefik
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: traefik
release: traefik
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: traefik
chart: traefik-0.2.0
heritage: Tiller
release: traefik
spec:
containers:
- args:
- --api.insecure
- --accesslog
- --entrypoints.web.Address=:80
- --entrypoints.websecure.Address=:443
- --providers.kubernetescrd
- --certificatesresolvers.default.acme.tlschallenge
- --certificatesresolvers.default.acme.email=foo@you.com
- --certificatesresolvers.default.acme.storage=acme.json
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
image: traefik:2.2
imagePullPolicy: IfNotPresent
name: traefik
ports:
- containerPort: 80
hostPort: 80
name: web
protocol: TCP
- containerPort: 443
hostPort: 443
name: websecure
protocol: TCP
- containerPort: 8088
name: admin
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: traefik-service-account
serviceAccountName: traefik-service-account
terminationGracePeriodSeconds: 60
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: wp-example.cryptexlabs.com
namespace: wp-example
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`wp-example.cryptexlabs.com`)
services:
- name: wp-example
port: 80
- name: wp-example
port: 443
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: wp-example
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: wordpress
helm.sh/chart: wordpress-9.3.14
name: wp-example-wordpress
namespace: wp-example
spec:
clusterIP: 10.101.142.74
externalTrafficPolicy: Cluster
ports:
- name: http
nodePort: 31862
port: 80
protocol: TCP
targetPort: http
- name: https
nodePort: 32473
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/instance: wp-example
app.kubernetes.io/name: wordpress
sessionAffinity: None
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: wp-example
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: wordpress
helm.sh/chart: wordpress-9.3.14
name: wp-example-wordpress
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/instance: wp-example
app.kubernetes.io/name: wordpress
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/instance: wp-example
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: wordpress
helm.sh/chart: wordpress-9.3.14
spec:
containers:
- env:
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
- name: MARIADB_HOST
value: wp-example-mariadb
- name: MARIADB_PORT_NUMBER
value: "3306"
- name: WORDPRESS_DATABASE_NAME
value: bitnami_wordpress
- name: WORDPRESS_DATABASE_USER
value: bn_wordpress
- name: WORDPRESS_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
key: mariadb-password
name: wp-example-mariadb
- name: WORDPRESS_USERNAME
value: user
- name: WORDPRESS_PASSWORD
valueFrom:
secretKeyRef:
key: wordpress-password
name: wp-example-wordpress
- name: WORDPRESS_EMAIL
value: user@example.com
- name: WORDPRESS_FIRST_NAME
value: FirstName
- name: WORDPRESS_LAST_NAME
value: LastName
- name: WORDPRESS_HTACCESS_OVERRIDE_NONE
value: "no"
- name: WORDPRESS_HTACCESS_PERSISTENCE_ENABLED
value: "no"
- name: WORDPRESS_BLOG_NAME
value: "User's Blog!"
- name: WORDPRESS_SKIP_INSTALL
value: "no"
- name: WORDPRESS_TABLE_PREFIX
value: wp_
- name: WORDPRESS_SCHEME
value: http
image: docker.io/bitnami/wordpress:5.4.2-debian-10-r6
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /wp-login.php
port: http
scheme: HTTP
initialDelaySeconds: 120
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: wordpress
ports:
- containerPort: 8080
name: http
protocol: TCP
- containerPort: 8443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 6
httpGet:
path: /wp-login.php
port: http
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
requests:
cpu: 300m
memory: 512Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /bitnami/wordpress
name: wordpress-data
subPath: wordpress
dnsPolicy: ClusterFirst
hostAliases:
- hostnames:
- status.localhost
ip: 127.0.0.1
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
fsGroup: 1001
runAsUser: 1001
terminationGracePeriodSeconds: 30
volumes:
- name: wordpress-data
persistentVolumeClaim:
claimName: wp-example-wordpress
的输出kubectl describe svc wp-example-wordpress -n wp-example
Name: wp-example-wordpress
Namespace: wp-example
Labels: app.kubernetes.io/instance=wp-example
app.kubernetes.io/managed-by=Tiller
app.kubernetes.io/name=wordpress
helm.sh/chart=wordpress-9.3.14
Annotations: <none>
Selector: app.kubernetes.io/instance=wp-example,app.kubernetes.io/name=wordpress
Type: LoadBalancer
IP: 10.101.142.74
Port: http 80/TCP
TargetPort: http/TCP
NodePort: http 31862/TCP
Endpoints: 10.32.0.17:8080
Port: https 443/TCP
TargetPort: https/TCP
NodePort: https 32473/TCP
Endpoints: 10.32.0.17:8443
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
josh@Joshs-MacBook-Pro-2:$ ab -n 10000 -c 10 http://wp-example.cryptexlabs.com/
This is ApacheBench, Version 2.3 <$Revision: 1874286 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking wp-example.cryptexlabs.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: Apache/2.4.43
Server Hostname: wp-example.cryptexlabs.com
Server Port: 80
Document Path: /
Document Length: 26225 bytes
Concurrency Level: 10
Time taken for tests: 37.791 seconds
Complete requests: 10000
Failed requests: 5000
(Connect: 0, Receive: 0, Length: 5000, Exceptions: 0)
Non-2xx responses: 5000
Total transferred: 133295000 bytes
HTML transferred: 131230000 bytes
Requests per second: 264.61 [#/sec] (mean)
Time per request: 37.791 [ms] (mean)
Time per request: 3.779 [ms] (mean, across all concurrent requests)
Transfer rate: 3444.50 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 2 6 8.1 5 239
Processing: 4 32 29.2 39 315
Waiting: 4 29 26.0 34 307
Total: 7 38 31.6 43 458
Percentage of the requests served within a certain time (ms)
50% 43
66% 49
75% 51
80% 52
90% 56
95% 60
98% 97
99% 180
100% 458 (longest request)
Traefik 调试日志:https ://pastebin.com/QUaAR6G0显示了有关 SSL 和 x509 证书的信息,尽管我是通过 http 而不是 https 发出请求。
我对使用相同模式的 nginx 容器进行了测试,没有任何问题。所以这与wordpress和traefik之间的关系有一定的关系。
我还在 traefik 上看到了关于下游服务器上未启用 Keep-Alive 并且 traefik 默认启用 Keep-Alive 的事实的参考。我还尝试通过扩展 wordpress 图像并在 wordpress 上启用 Keep-Alive 来启用 Keep-Alive。当我通过 `kubectl port-forward 访问 wordpress 容器时,我可以看到正在发送 Keep-Alive 标头,因此我知道它已启用,但我仍然看到 50% 的请求失败。
解决方案
我在 traefik 日志中看到 HTTP 连接很好,但是当网站图标等发生 HTTPS 重定向时,你会得到 x509 证书无效。那是因为 wordpress pod 的 ssl 证书无效。
您可以--serversTransport.insecureSkipVerify=true
在集群内部安全使用,因为流量将被加密,外部流量是 HTTP。
如果您将来需要使用受信任的证书,请使用 wordpress 应用程序部署它,并使用带有 ssl passthrough 的 traefik,以便在 pod 级别解密流量。然后您可以删除 traefik 上的不安全选项。
推荐阅读
- opengl - 无法理解 OpenGL SSBO 的对齐规则
- python - 如何选择数据框中的特定数据并删除所有其他数据?
- c - 时间价值的增加
- google-cloud-platform - 将服务帐号或 IAM 角色分配给 Google 计算实例
- angular - 如何将文件从角度发送到 dotnet 核心控制器
- java - 导致活动不工作的片段中的按钮(更新)
- python - 生成长度分布为 exp(-x/lambda) 的各向同性步长
- mysql - 如何将用户日志从 NAS My Cloud 保存到 phpMyAdmin 数据库中?
- html - HTML 锚应该包裹标题还是独立存在?
- c# - 如何使用托管的 ASP.NET Core 发布 Blazor WebAssembly