Docker 使用Calico插件配置网络

一、环境介绍：

1、操作系统：CentOS 7

2、主机结点：node1（192.168.5.251） node2（192.168.5.252） node3（192.168.5.253）

3、软件版本：calicoctl（version v1.6.1） etcdctl（version: 3.2.15） docker（version：17.12.0-ce）

二、配置ETCD集群

1、安装EPEL源 http://fedoraproject.org/wiki/EPEL 
2、三台结点安装Etcd软件包
[root@node1 ~]# yum install etcd -y

3、三台结点配置ETCD集群模式
[root@node1 ~]# cat /etc/etcd/etcd.conf
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"

# 根据不同主机进行相应修改，分别为node1 node2 node3
ETCD_NAME="node1"

# 根据不同主机进行相应修改，分别为192.168.5.251 192.168.5.252 192.168.5.253
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.5.251:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.5.251:2379"

ETCD_INITIAL_CLUSTER="node1=http://192.168.5.251:2380,node2=http://192.168.5.252:2380,node3=http://192.168.5.253:2380"

3、启用Etcd服务，并测试是集群是否配置正确
[root@node1 ~]# systemctl start etcd
[root@node1 ~]# export ETCDCTL_API=3
[root@node1 ~]# etcdctl member list
24535a04231931b0, started, node3, http://192.168.5.253:2380, http://192.168.5.253:2379
762f75df97deec48, started, node1, http://192.168.5.251:2380, http://192.168.5.251:2379
7d53f37d27d9c631, started, node2, http://192.168.5.252:2380, http://192.168.5.252:2379

二、 安装Docker，配置使用集群存储

1、安装 Docker https://yq.aliyun.com/articles/110806 
2、配置Docker守护程序使用有群集存储
[root@node1 ~]# cat /etc/docker/daemon.json

{
"registry-mirrors": ["https://7i5u59ls.mirror.aliyuncs.com"],
"cluster-store": "etcd://192.168.5.251:2379"
}

3、重启Docker进程，并检查配置是否正确
[root@node1 ~]# systemctl restart docker
[root@node1 ~]# docker info | grep "Cluster Store"
Cluster Store: etcd://192.168.5.251:2379

三、配置calico基于sysinit方式启动

1、三台主机分别添加calico-node配置文件
[root@node1 calico]# cat /etc/calico/calico.env
ETCD_ENDPOINTS="http://192.168.5.251:2379,http://192.168.5.252:2379,http://192.168.5.253:2379"
ETCD_CA_FILE=""
ETCD_CERT_FILE=""
ETCD_KEY_FILE=""
# 根据不同主机进行配置，分别为node1 node2 node3
CALICO_NODENAME="node1"
CALICO_NO_DEFAULT_POOLS=""
CALICO_IP=""
CALICO_IP6=""
CALICO_AS=""
CALICO_LIBNETWORK_ENABLED=true
CALICO_NETWORKING_BACKEND=bird

2、三台主机分别添加calico-node sysinit配置文件
[root@node1 calico]# cat /etc/systemd/system/calico-node.service
[Unit]
Description=calico-node
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/etc/calico/calico.env
ExecStartPre=-/usr/bin/docker rm -f calico-node
ExecStart=/usr/bin/docker run --net=host --privileged \
--name=calico-node \
-e NODENAME=${CALICO_NODENAME} \
-e IP=${CALICO_IP} \
-e IP6=${CALICO_IP6} \
-e CALICO_NETWORKING_BACKEND=${CALICO_NETWORKING_BACKEND} \
-e AS=${CALICO_AS} \
-e NO_DEFAULT_POOLS=${CALICO_NO_DEFAULT_POOLS} \
-e CALICO_LIBNETWORK_ENABLED=${CALICO_LIBNETWORK_ENABLED} \
-e ETCD_ENDPOINTS=${ETCD_ENDPOINTS} \
-e ETCD_CA_CERT_FILE=${ETCD_CA_CERT_FILE} \
-e ETCD_CERT_FILE=${ETCD_CERT_FILE} \
-e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /var/log/calico:/var/log/calico \
-v /run/docker/plugins:/run/docker/plugins \
-v /lib/modules:/lib/modules \
-v /var/run/calico:/var/run/calico \
calico/node:v2.6.1

ExecStop=-/usr/bin/docker stop calico-node

Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

3、三台主机分别启动calico-node服务
[root@node1 calico]# systemctl daemon-reload
[root@node1 calico]# systemctl start calico-node
[root@node1 calico]# tail -f /var/log/messages
...
Mar 11 12:23:46 node1 docker: Starting libnetwork service
Mar 11 12:23:46 node1 docker: Calico node started successfully

4、下载calicoctl二进制文件，并添加执行权限
[root@node1 calico]# wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1.6.1/calicoctl [root@node1 calico]# chmod +x /usr/local/bin/calicoctl

5、检查calico-node是否正常
[root@node1 calico]# calicoctl node status
Calico process is running.

IPv4 BGP status
+---------------+-------------------+-------+----------+-------------+
| PEER ADDRESS  |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+---------------+-------------------+-------+----------+-------------+
| 192.168.5.252 | node-to-node mesh | up    | 04:23:50 | Established |
| 192.168.5.253 | node-to-node mesh | up    | 04:23:50 | Established |
+---------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

[root@node1 calico]# calicoctl get node
NAME
node1
node2
node3

三、测试calico网络

1、创建网络
[root@node1 ~]# docker network create --driver calico --ipam-driver calico-ipam net1
#在任意一台主机，都可以看到新增的网络插件
[root@node1 ~]# docker network ls
...
9316f6603268        net1                calico              global
...
2、在node1 node2 node3分别建立一个容器，查看IP地址
[root@node1 ~]# docker run --net net1 --name workload-A -tid busybox
[root@node1 ~]# docker exec -it workload-A ip addr
...
inet 192.168.166.136/32 brd 192.168.166.136 scope global cali0
...

[root@node2 ~]# docker run --net net1 --name workload-B -tid busybox
[root@node1 ~]# docker exec -it workload-A ip addr
...
inet 192.168.104.2/32 brd 192.168.104.2 scope global cali0
...

[root@node3 ~]# docker run --net net1 --name workload-C -tid busybox
[root@node1 ~]# docker exec -it workload-A ip addr
...
inet 192.168.135.7/32 brd 192.168.135.7 scope global cali0
...

3、在node1的容器中(workload-A)，ping各结点的容器IP，测试网络是否正常

/ # ping 192.168.135.7
PING 192.168.135.7 (192.168.135.7): 56 data bytes
64 bytes from 192.168.135.7: seq=77 ttl=62 time=0.797 ms

/ # ping 192.168.104.2
PING 192.168.104.2 (192.168.104.2): 56 data bytes
64 bytes from 192.168.104.2: seq=0 ttl=62 time=56.072 ms

4、查看各结点的路由表

[root@node1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.2     0.0.0.0         UG    100    0        0 ens33
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.5.0     0.0.0.0         255.255.255.0   U     100    0        0 ens33
192.168.104.0   192.168.5.252   255.255.255.192 UG    0      0        0 ens33
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.135.0   192.168.5.253   255.255.255.192 UG    0      0        0 ens33
192.168.166.128 0.0.0.0         255.255.255.192 U     0      0        0 *
192.168.166.136 0.0.0.0         255.255.255.255 UH    0      0        0 calia42c5f1e64a

[root@node2 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.2     0.0.0.0         UG    100    0        0 ens33
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.5.0     0.0.0.0         255.255.255.0   U     100    0        0 ens33
192.168.104.0   0.0.0.0         255.255.255.192 U     0      0        0 *
192.168.104.2   0.0.0.0         255.255.255.255 UH    0      0        0 calic7493c5fa1e
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.135.0   192.168.5.253   255.255.255.192 UG    0      0        0 ens33
192.168.166.128 192.168.5.251   255.255.255.192 UG    0      0        0 ens33

[root@node3 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.2     0.0.0.0         UG    100    0        0 ens33
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.5.0     0.0.0.0         255.255.255.0   U     100    0        0 ens33
192.168.104.0   192.168.5.252   255.255.255.192 UG    0      0        0 ens33
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.135.0   0.0.0.0         255.255.255.192 U     0      0        0 *
192.168.135.7   0.0.0.0         255.255.255.255 UH    0      0        0 cali4a45031fc02
192.168.166.128 192.168.5.251   255.255.255.192 UG    0      0        0 ens33