记录一次客户私有镜像下载遭遇504的排障记录,简单脱敏。
登录某云前端页面和服务器终端
海外流量访问公网IP A252, 有一个80端口 ,它后面是 某云 内网A230 里面的5000端口
A230里面有一个docker-compose启动的nginx和registry,compose.yml配置如下:
root@A230:~ #cat registry_china_prod/docker-compose.yml
version: '2'
services:
registry:
container_name: hub_registry
restart: always
image: xyz/registry:v1.1
network_mode: host
volumes:
- "./key-pair:/key-pair"
- "./registry-china.yml:/etc/docker/registry/config.yml"
logging:
driver: gelf
options:
gelf-address: udp://A172:12202
nginx:
container_name: hub_nginx
restart: always
image: xyz/nginx:1.11-alpine
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
network_mode: host
logging:
driver: gelf
options:
gelf-address: udp://A172:12202
root@A230:~# cat registry_china_prod/registry-china.yml
registry使用了6000端口,主要是指向一个某云的镜像存放文件地址 file对应的bucket
version: 0.1
log:
level: info
formatter: text
storage:
maintenance:
uploadpurging:
enabled: false
delete:
enabled: false
file:
driver: file
publickey: 略
privatekey: 略
bucket: 略
uploadendpoint: 略
redirect:
disable: false
cache:
blobdescriptor: inmemory
reporting:
newrelic:
licensekey: 略
name: Hub-Registry
http:
addr: :6000
host: https://xyz
secret: thesecrethahah
headers:
X-Content-Type-Options: [nosniff]
compatibility:
schema1:
signingkeyfile: /etc/docker/registry/key.json
auth:
token:
realm: https://xyz/auth
service: xyz
issuer: hub
rootcertbundle: /key-pair/public.cert
notifications:
endpoints:
- name: A_notify
url: http://A239:4000/event
timeout: 5s
backoff: 1s
ignoredmediatypes:
- application/octet-stream
接着从头看配置文件,找到nginx 配置有 graylog 的日志部分,请教了同事F 如何查看,F发现 graylog 有组件挂了一阵,启动临时文件被锁定,F顺手修复了。
接着查看 graylog ,边做测试,没有 504 日志,说明这个504不是我们沿途服务器打出来的。
F开始使用 神器 tcpdump 抓包,果然有发现,504是某云 cdn这边给出的。
文章评论