Docker Swarm routing mesh connections time out

问题

I have two machines running Ubuntu 16.04 LTS, on which I've installed Docker 18.03.1-ce. I created a swarm between the two hosts which is mostly working (I can deploy services and they show up, etc.). The only problem is that I'm not able to connect to the published ports of the services via any of the nodes' IPs, as described multiple times in the Docker documentation, unless the service is running on that particular node.

In other words, if a service is deployed on node A and listening on port 9000, I cannot connect to node B on port 9000 and access that service; the connection times out. If I try to connect to different port, say port 9001, I get "Connection refused", which means that the ingress network is at least listening on port 9000, and I can verify this with netstat.

Both of these machines are on the same physical network and the firewalls are disabled (ufw status says Status: inactive).

The ingress network appears on both nodes:

nodeA $ docker network ls
NETWORK ID          NAME                      DRIVER              SCOPE
345229fb3285        bridge                    bridge              local
09758f66413a        docker_gwbridge           bridge              local
3bf43f750513        host                      host                local
fq3cc4bfawp3        ingress                   overlay             swarm
9dbe769a1420        none                      null                local
kk67tdjc96vo        portainer_agent-network   overlay             swarm
m8fholkq3tmy        portal_default            overlay             swarm

nodeB $ docker network ls
NETWORK ID          NAME                      DRIVER              SCOPE
f8a837effb76        bridge                    bridge              local
e4521f7a132a        docker_gwbridge           bridge              local
312d6e547ec5        host                      host                local
fq3cc4bfawp3        ingress                   overlay             swarm
85da22f22522        none                      null                local
kk67tdjc96vo        portainer_agent-network   overlay             swarm

And docker network inspect fq3 shows that I have three containers on the network, one of them ingress-endpoint and the other two my own, and it shows both nodes under Peers.

If a service is publishing port 9000, and both nodes are listening on port 9000 as a result, why can I only connect to port 9000 on Node A (where the container is running) and the connection times out on Node B?

How can I diagnose why the ingress routing is not working as described?

来源：https://stackoverflow.com/questions/50337007/docker-swarm-routing-mesh-connections-time-out