无法弄清楚为什么在 Windows Server 2016 上运行的 Docker 容器无法访问其主机的 AWS 实例元数据端点。在 Linux 上,我没有遇到提取容器主机元数据的问题,但我是一名 Windows 菜鸟,不确定为什么这不起作用。我搜索了答案,但找不到答案。
容器能够 ping 通互联网(8.8.8.8)
PS C:\> invoke-webrequest -uri "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
invoke-webrequest : Unable to connect to the remote server
At line:1 char:1
+ invoke-webrequest -uri "http://169.254.169.254/latest/meta-data/iam/s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
答案1
即使路由器不应该路由本地链接地址,但如果您为其提供良好的静态路由,Windows 也可以路由。这只是一些网络规则……而不是 RFC 违规。
解决方案来自:https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows_task_IAM_roles.html
# Fetch the default gateway IP of container (bridge to host)
$gateway = (Get-NetRoute | Where { $_.DestinationPrefix -eq '0.0.0.0/0' } | Sort-Object RouteMetric | Select NextHop).NextHop
# Fetch the container internal IP interface index
$ifIndex = (Get-NetAdapter -InterfaceDescription "Hyper-V Virtual Ethernet*" | Sort-Object | Select ifIndex).ifIndex
# Create a new route similar to "169.254.169.254 255.255.255.255 172.30.42.1 172.30.42.82 5256"
New-NetRoute -DestinationPrefix 169.254.169.254/32 -InterfaceIndex $ifIndex -NextHop $gateway