Unable to connect to HTTP service running on Google Compute Engine VM instance

I have a VM instance on an f1-micro instance running COS version 'cos-dev-61-9733-0-0'. I have configured an external IP address 146.xxx.xxx.106 and assigned it to this instance. I am trying to test an HTTP connection to this instance from my local workstation, but so far without success.

I enabled the "Allow HTTP traffic" and "Allow HTTPS traffic" settings under "Firewalls", even though they do not show a checked box after I save. However, the network tags show the values "http-server, https-server" as follows:

I also confirmed that "Networking > Firewall rules" has a default HTTP rule as follows:

I found a similar question here, but it did not help resolve my issue. Any suggestions about additional settings I am missing would be appreciated. I looked for OS-level firewall settings but could not find enough Chromium OS documentation.

Here are the steps I followed:

On the GCE instance:

$ sudo python -m SimpleHTTPServer 80

Serving HTTP on 0.0.0.0 port 80 ...

$ sudo netstat -antup

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address    State    PID/Program name
tcp   0      0      0.0.0.0:22       0.0.0.0:*          LISTEN   638/sshd
tcp   0      0      0.0.0.0:5355     0.0.0.0:*          LISTEN   613/systemd-resolve
tcp   0      0      0.0.0.0:80       0.0.0.0:*          LISTEN   12750/python2.7

Ran the curl command and got the following response:

$ curl http://localhost:80

Directory listing for /


  • .bash_history
  • .bash_logout
  • .bash_profile
  • .bashrc
  • .docker/
  • .ssh/
  • .viminfo
  • apps/

From the local workstation:

  1. Pinged the external IP address and received a response:

$ ping 146.xxx.xxx.106
PING 146.xxx.xxx.106 (146.xxx.xxx.106) 56(84) bytes of data.
64 bytes from 146.xxx.xxx.106: icmp_seq=1 ttl=63 time=1131 ms
^C
--- 146.xxx.xxx.106 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms

  2. Successfully connected to the instance over SSH:

$ ssh 146.xxx.xxx.106
debianuser@cos-dev-61-dockervm1 ~ $

  3. Ran the 'nmap' command, but it only shows SSH port 22 as open:

$ nmap -Pn 146.xxx.xxx.106

Starting Nmap 6.47 ( http://nmap.org ) at 2017-07-20 11:35 CDT
Nmap scan report for 106.xxx.xxx.146.bc.googleusercontent.com (146.xxx.xxx.106)
Host is up (0.17s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 86.74 seconds

The Container-Optimized OS image has a firewall enabled at the OS level that blocks all incoming traffic (except ssh). By default, only outgoing traffic is allowed.

In addition to configuring Google Compute Engine firewall rules to allow traffic into your VM, you also need to make sure that the OS running in the VM allows it as well.

This is mentioned in the docs for Container-Optimized OS:

Configuring the Host Firewall

By default, the Container-Optimized OS host firewall allows only outgoing connections, and accepts incoming connections only through the SSH service. To accept incoming connections on a Container-Optimized OS instance, you must open the ports your services are listening on.

For example, to accept connections from other instances within the same Compute Engine project, run the following commands on both your development workstation, and on your Container-Optimized OS instance:

# On your workstation:
SUBNETWORK_URI=$(gcloud compute instances describe ${COS_INSTANCE_NAME} | grep -w 'subnetwork:' | awk '{ print $2 }')
SUBNET_PREFIX=$(gcloud compute networks subnets describe ${SUBNETWORK_URI} | grep -w 'ipCidrRange:' | awk '{ print $2 }')

# On your Container-Optimized OS instance:
sudo iptables -w -A INPUT -p tcp -s ${SUBNET_PREFIX} -j ACCEPT
sudo iptables -w -A INPUT -p udp -s ${SUBNET_PREFIX} -j ACCEPT
As another example, if you need to accept HTTP (port 80) connections from any source IP address, run the following commands on your Container-Optimized OS instance:

# On your Container-Optimized OS instance:
sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT

In general, it is recommended you configure the host firewall as a systemd service through cloud-init.
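The "filtered" state nmap reported for everything except port 22 is exactly what a host firewall that drops unsolicited packets looks like from outside: the GCE rule lets the SYN reach the VM, and the host's INPUT chain silently discards it. A single `iptables -A` fixes that for the current boot only, because iptables rules live in the kernel and are gone after a reboot, which is why the docs recommend a systemd unit driven by cloud-init. The following cloud-config is an added example of that recommendation (it is not the question's, the answer's, or the COS documentation's own code); the unit name `open-http-firewall.service` and its path are assumptions, and the rule itself is the port-80 rule quoted from the docs above, wrapped in a `-C` check so it is not appended twice.

```yaml
#cloud-config
# Added example, not from the page or the COS docs: cloud-init user-data that
# opens TCP/80 on the Container-Optimized OS host firewall at every boot
# through a one-shot systemd unit. The unit name and path are assumptions.

write_files:
- path: /etc/systemd/system/open-http-firewall.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Open TCP/80 on the Container-Optimized OS host firewall
    # Order the rule after the network is up so it is in place before any
    # container starts serving.
    After=network-online.target
    Wants=network-online.target

    [Service]
    Type=oneshot
    RemainAfterExit=true
    # -w waits for the xtables lock instead of failing when another iptables
    # invocation holds it. The -C check makes the unit idempotent: the rule is
    # appended only when it is not already present in the INPUT chain.
    ExecStart=/bin/sh -c '/sbin/iptables -w -C INPUT -p tcp --dport 80 -j ACCEPT || /sbin/iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT'
    # Stopping the unit closes the port again, so the change is reversible.
    ExecStop=/sbin/iptables -w -D INPUT -p tcp --dport 80 -j ACCEPT

    [Install]
    WantedBy=multi-user.target

runcmd:
- systemctl daemon-reload
- systemctl enable --now open-http-firewall.service
```

Attach it to the instance as the `user-data` metadata key, either at creation time (`gcloud compute instances create ... --metadata-from-file user-data=cloud-config.yaml`) or afterwards with `gcloud compute instances add-metadata INSTANCE_NAME --metadata-from-file user-data=cloud-config.yaml` followed by a reboot. On the instance, `sudo iptables -w -L INPUT -n` should then list the `tcp dpt:80` ACCEPT rule, and from the workstation `nmap -Pn -p 80 146.xxx.xxx.106` should report the port as open rather than filtered. Keep the matching GCE firewall rule scoped to the `http-server` tag; the host rule only controls what the kernel accepts once the VPC has already let the packet through.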