Docker Study Notes (5): Docker Cross-Host Networking, the Weave Approach
I. System architecture:
IP | Hostname | Container network |
---|---|---|
10.1.1.13 | CentOS7 | node1 |
10.1.1.14 | CentOS7 | node2 |
10.1.1.17 | CentOS7 | node3 |
II. Configuring weave
1. Download and install weave:
```
[root@node1 ~]# wget -O /usr/local/bin/weave https://raw.githubusercontent.com/zettio/weave/master/weave
[root@node1 ~]# chmod a+x /usr/local/bin/weave
```
Start docker:
```
[root@node1 ~]# systemctl start docker
[root@node1 ~]# systemctl enable docker
```
2. Start the weave router on node1. Watching what weave launch does shows that this router itself runs as a container.
```
[root@node1 ~]# weave launch
04e3b80289417f5f72f5c988e0cdd2088552a2f57ef7894adfcc5537437c4d3c
```
The docker ps command shows that one weave container is now running.
Running docker network inspect weave shows that the weave address range is 10.32.0.0/12:
```
"Config": [
    {
        "Subnet": "10.32.0.0/12"
    }
]
```
Next, deploy node2:
Start the weave router with node1's address as an argument, so that the two nodes join the same weave network.
```
[root@node1 ~]# weave launch 10.1.1.13
04e3b80289417f5f72f5c988e0cdd2088552a2f57ef7894adfcc5537437c4d3c
```
III. Single-host container test
1. Start an Ubuntu container on node1 and name it wea_test1
```
[root@node2 ~]# eval $(weave env)
[root@node2 ~]# docker run -itd --name=wea_test1 ubuntu /bin/bash
```
Running eval $(weave env) first is important: it makes the docker commands that follow go through the weave proxy. To restore the previous environment, run eval $(weave env --restore).
Run another container, wea_test2:
```
[root@node2 ~]# docker run -itd --name=wea_test2 ubuntu /bin/bash
```
Because we already ran eval $(weave env) above, wea_test2 is by default also started in the weave environment.
2. Use docker attach wea_test1 and docker attach wea_test2 to enter the two containers, and in each run the following to install the tools used for the ping test:
```
apt-get update && apt-get install net-tools inetutils-ping -y
```
Check the IPs of wea_test1 and wea_test2:
```
[root@localhost ~]# docker attach wea_test1
root@wea_test1:/# ifconfig
ethwe: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1376
        inet 10.32.0.2  netmask 255.240.0.0  broadcast 10.47.255.255
        inet6 fe80::f8af:8cff:fe83:a8c9  prefixlen 64  scopeid 0x20<link>
        ether fa:af:8c:83:a8:c9  txqueuelen 0  (Ethernet)
        RX packets 57  bytes 4434 (4.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21  bytes 1650 (1.6 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@localhost ~]# docker attach wea_test2
root@wea_test2:/# ifconfig
ethwe: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1376
        inet 10.32.0.1  netmask 255.240.0.0  broadcast 10.47.255.255
        inet6 fe80::4c:76ff:fead:bfdd  prefixlen 64  scopeid 0x20<link>
        ether 02:4c:76:ad:bf:dd  txqueuelen 0  (Ethernet)
        RX packets 65  bytes 5090 (5.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21  bytes 1650 (1.6 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```
As shown above, the two containers obtained the IPs 10.32.0.1 and 10.32.0.2 from the weave network, and they can ping each other.
IV. Cross-host network test
1. Start a container on node2:
```
[root@node2 ~]# eval $(weave env)
[root@node2 ~]# docker run -itd --name=wea_test3 ubuntu /bin/bash
```
Enter wea_test3 and check its IP:
```
[root@localhost ~]# docker attach wea_test3
root@wea_test3:/# ifconfig
ethwe: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1376
        inet 10.44.0.0  netmask 255.240.0.0  broadcast 10.47.255.255
        inet6 fe80::4876:6cff:fef2:b280  prefixlen 64  scopeid 0x20<link>
        ether 4a:76:6c:f2:b2:80  txqueuelen 0  (Ethernet)
        RX packets 31  bytes 2390 (2.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21  bytes 1650 (1.6 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```
2. From wea_test3, ping wea_test1 and wea_test2; both are reachable:
```
root@wea_test3:/# ping -c 4 wea_test1
PING wea_test1.weave.local (10.32.0.2): 56 data bytes
64 bytes from 10.32.0.2: icmp_seq=0 ttl=64 time=1.672 ms
--- wea_test1.weave.local ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.666/1.044/1.672/0.400 ms
root@wea_test3:/# ping -c 4 wea_test2
PING wea_test2.weave.local (10.32.0.1): 56 data bytes
64 bytes from 10.32.0.1: icmp_seq=0 ttl=64 time=1.325 ms
--- wea_test2.weave.local ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.407/0.996/1.581/0.475 ms
root@wea_test3:/#
```
We see that the three containers' IPs are 10.32.0.1/12, 10.32.0.2/12 and 10.44.0.0/12. Note the 12-bit mask: all three addresses actually lie in the same subnet, 10.32.0.0/12. Through the VxLAN tunnel between host1 and host2 the three containers are logically on one LAN, so of course they can communicate directly. The data flow of bbox3 pinging bbox1 is shown in the figure below:
3. Check the routing table of wea_test3:
```
root@wea_test3:/# ip route
default via 172.17.0.1 dev eth0
10.32.0.0/12 dev ethwe proto kernel scope link src 10.44.0.0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
224.0.0.0/4 dev ethwe scope link
```
① The packet's destination address is 10.32.0.1; according to wea_test3's routing table, it is sent out through ethwe.
② weave on node2 looks up which host holds the destination and sends the data to node1 over VxLAN.
③ weave on node1 receives the data and, based on the destination IP, forwards it to wea_test1.
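The route decision in step ① can be reproduced offline. The following is an added example, not code from the original post: it takes the ip route output of wea_test3 shown above as constructed input and performs the kernel's longest-prefix match to report which interface a destination leaves through. Only the route table is copied from this page; the function names ip2int, in_cidr and route_lookup are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the route decision
# that step 1 above describes, using the `ip route` output of wea_test3 copied
# from this page as constructed input.
WEA_TEST3_ROUTES='default via 172.17.0.1 dev eth0
10.32.0.0/12 dev ethwe proto kernel scope link src 10.44.0.0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
224.0.0.0/4 dev ethwe scope link'

# ip2int A.B.C.D: dotted quad -> 32-bit integer
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# in_cidr ADDR NET/LEN: succeed when ADDR falls inside NET/LEN
in_cidr() {
    net=${2%/*}
    plen=${2#*/}
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# route_lookup DEST [TABLE]: print the device the kernel would pick, i.e. the
# matching entry with the longest prefix ("default" counts as 0.0.0.0/0).
route_lookup() {
    dest=$1
    table=${2:-$WEA_TEST3_ROUTES}
    best_len=-1
    best_dev=""
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        [ "$prefix" != default ] || prefix=0.0.0.0/0
        rlen=${prefix#*/}
        # the outgoing interface is the word after "dev"
        dev=$(echo "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
        if in_cidr "$dest" "$prefix" && [ "$rlen" -gt "$best_len" ]; then
            best_len=$rlen
            best_dev=$dev
        fi
    done <<EOF
$table
EOF
    echo "$best_dev"
}

# The destinations that matter on this page: the weave peers on node1, the
# docker0 gateway, and an address outside both networks.
for dest in 10.32.0.1 10.32.0.2 172.17.0.1 8.8.8.8; do
    echo "$dest -> $(route_lookup "$dest")"
done
```

Run it with sh. The 10.32.0.0/12 entry wins for 10.32.0.1 because its 12-bit prefix is longer than the default route's 0 bits, which is exactly why the packet leaves through ethwe and never touches eth0.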
V. Weave network isolation
Under the default network configuration weave is one large subnet: the containers of every host attached to the same weave network get their IPs from this one range, and because they all belong to the same subnet they can communicate directly. To achieve network isolation, assign containers specific IPs through the WEAVE_CIDR environment variable. An example:
1. Create container wea_test4 on node2
```
[root@node2 ~]# eval $(weave env)
[root@localhost ~]# docker run -e WEAVE_CIDR=net:10.32.2.0/24 -itd --name=wea_test4 ubuntu /bin/bash
04a748878783a4438fbe3bcf5b917609c5cf0cd36b58eb5ac9856f0529e30521
```
The -e WEAVE_CIDR=net:10.32.2.0/24 argument makes the container receive an address from the 10.32.2.0 range. Because 10.32.0.0/12 and 10.32.2.0/24 are different subnets, the other containers cannot be pinged:
Enter the container:
```
[root@localhost ~]# docker attach wea_test4
root@04a748878783:/# apt-get update && apt-get install net-tools inetutils-ping -y
```
2. Ping wea_test3 from wea_test4:
```
root@wea_test4:/# ping -c 2 wea_test3
PING wea_test3.weave.local (10.44.0.0): 56 data bytes
--- wea_test3.weave.local ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@wea_test4:/#
```
3. Besides specifying a subnet with -e WEAVE_CIDR=net:10.32.2.0/24, we can also specify an IP address, for example:
Create container wea_test5:
```
[root@localhost ~]# docker run -e WEAVE_CIDR=ip:10.32.6.5/12 --name=wea_test5 -itd ubuntu /bin/bash
535d3b1909759c50b88c75dfbf600f71f66b009ac187503aa972eb3fa88da45c
[root@localhost ~]# docker attach wea_test5
root@wea_test5:/# apt-get update && apt-get install net-tools inetutils-ping -y
```
The IP we specified, 10.32.6.5/12, is in the same subnet as wea_test1 to wea_test3, so they can be pinged:
```
root@wea_test5:/# ping -c 2 wea_test1
PING wea_test1.weave.local (10.32.0.2): 56 data bytes
64 bytes from 10.32.0.2: icmp_seq=0 ttl=64 time=1.440 ms
64 bytes from 10.32.0.2: icmp_seq=1 ttl=64 time=0.557 ms
--- wea_test1.weave.local ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.557/0.998/1.440/0.442 ms
root@wea_test5:/# ping -c 2 wea_test2
PING wea_test2.weave.local (10.32.0.1): 56 data bytes
64 bytes from 10.32.0.1: icmp_seq=0 ttl=64 time=3.167 ms
64 bytes from 10.32.0.1: icmp_seq=1 ttl=64 time=0.796 ms
--- wea_test2.weave.local ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.796/1.982/3.167/1.186 ms
root@wea_test5:/# ping -c 2 wea_test3
PING wea_test3.weave.local (10.44.0.0): 56 data bytes
64 bytes from 10.44.0.0: icmp_seq=0 ttl=64 time=0.203 ms
64 bytes from 10.44.0.0: icmp_seq=1 ttl=64 time=0.285 ms
--- wea_test3.weave.local ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.203/0.244/0.285/0.041 ms
root@wea_test5:/#
```
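To see why wea_test4 cannot reach wea_test3 while wea_test5 can, here is an added example (not from the original post) that models the addressing rule of this section: a container is on-link with the whole default pool 10.32.0.0/12, with the CIDR given by WEAVE_CIDR=net:..., or with the subnet of the address given by WEAVE_CIDR=ip:..., and two containers can exchange packets only when each one's address lies inside the other's subnet, so that both the request and the reply have a route. Container names, addresses and WEAVE_CIDR values are those shown on this page; the address 10.32.2.1 for wea_test4 is an assumed value because the post never shows it, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: predict weave reachability from
# the subnet each container was given. Constructed data: names, addresses and
# WEAVE_CIDR specs come from this page; 10.32.2.1 for wea_test4 is assumed
# (the post does not show its address).
DEFAULT_POOL=10.32.0.0/12        # from "docker network inspect weave"
CONTAINERS='wea_test1 10.32.0.2 auto
wea_test2 10.32.0.1 auto
wea_test3 10.44.0.0 auto
wea_test4 10.32.2.1 net:10.32.2.0/24
wea_test5 10.32.6.5 ip:10.32.6.5/12'

# ip2int A.B.C.D: dotted quad -> 32-bit integer
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# in_cidr ADDR NET/LEN: succeed when ADDR lies inside NET/LEN
# (host bits of NET are masked off, so NET may itself be a host address)
in_cidr() {
    net=${2%/*}
    plen=${2#*/}
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# container_field NAME COL: column COL of NAME's row (2 = address, 3 = spec)
container_field() {
    echo "$CONTAINERS" | awk -v n="$1" -v c="$2" '$1 == n { print $c }'
}

# container_subnet NAME: the range the container treats as on-link.
#   auto         -> the default pool    (no WEAVE_CIDR given)
#   net:CIDR     -> that CIDR           (-e WEAVE_CIDR=net:...)
#   ip:ADDR/LEN  -> ADDR's /LEN subnet  (-e WEAVE_CIDR=ip:...)
container_subnet() {
    spec=$(container_field "$1" 3)
    case $spec in
        auto)  echo "$DEFAULT_POOL" ;;
        net:*) echo "${spec#net:}" ;;
        ip:*)  echo "${spec#ip:}" ;;
        *)     echo "unknown container: $1" >&2; return 1 ;;
    esac
}

# can_reach A B: succeed only when A's subnet contains B's address and B's
# subnet contains A's address, so that request and reply both have a route.
can_reach() {
    in_cidr "$(container_field "$2" 2)" "$(container_subnet "$1")" &&
    in_cidr "$(container_field "$1" 2)" "$(container_subnet "$2")"
}

# reach_report A B: one-line verdict, e.g. "wea_test4 -> wea_test3: unreachable"
reach_report() {
    if can_reach "$1" "$2"; then
        echo "$1 -> $2: reachable"
    else
        echo "$1 -> $2: unreachable"
    fi
}

# The pairs the post actually pings, plus the two custom-addressed containers.
for pair in "wea_test4 wea_test3" "wea_test5 wea_test1" "wea_test5 wea_test3" "wea_test4 wea_test5"; do
    reach_report $pair
done
```

Run it with sh; it prints one verdict per pair. The script models addressing only: an "unreachable" verdict means at least one side has no on-link route for the other, which is the mechanism behind the 100% packet loss seen from wea_test4 above, while wea_test5's /12 address puts it back in the same subnet as the automatically allocated containers.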
VI. Weave connectivity with external networks
Weave is a private VxLAN network and is isolated from outside networks by default. For an outside network to reach containers in weave, the following steps are needed:
(1) First add the host to the weave network, which really means giving the host an address on the weave network;
(2) Use the host as the gateway of the weave network.
1. Add the host to the weave network by running weave expose:
```
[root@localhost ~]# weave expose
10.32.0.3
```
This 10.32.0.3 is configured on node1's weave bridge:
```
[root@localhost ~]# ip addr show weave
6: weave: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue state UP group default qlen 1000
    link/ether 42:a7:b7:28:cc:bc brd ff:ff:ff:ff:ff:ff
    inet 10.32.0.3/12 brd 10.47.255.255 scope global weave
       valid_lft forever preferred_lft forever
    inet6 fe80::40a7:b7ff:fe28:ccbc/64 scope link
       valid_lft forever preferred_lft forever
```
The weave bridge lives in the root namespace and is responsible for attaching containers to the weave network. Giving the weave bridge an IP in the same subnet essentially attaches node1 itself to the weave network. node1 can now communicate with the containers on the same weave network:
```
[root@localhost ~]# ping -c 2 10.32.0.1
PING 10.32.0.1 (10.32.0.1) 56(84) bytes of data.
64 bytes from 10.32.0.1: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 10.32.0.1: icmp_seq=2 ttl=64 time=0.040 ms

--- 10.32.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.040/0.044/0.048/0.004 ms
[root@localhost ~]# ping -c 2 10.32.0.2
PING 10.32.0.2 (10.32.0.2) 56(84) bytes of data.
64 bytes from 10.32.0.2: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.32.0.2: icmp_seq=2 ttl=64 time=0.087 ms

--- 10.32.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.087/0.112/0.137/0.025 ms
[root@localhost ~]# ping -c 2 10.44.0.0
PING 10.44.0.0 (10.44.0.0) 56(84) bytes of data.
64 bytes from 10.44.0.0: icmp_seq=1 ttl=64 time=1.71 ms
64 bytes from 10.44.0.0: icmp_seq=2 ttl=64 time=2.16 ms

--- 10.44.0.0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.718/1.941/2.164/0.223 ms
[root@localhost ~]# ping -c 2 10.32.6.5
PING 10.32.6.5 (10.32.6.5) 56(84) bytes of data.
64 bytes from 10.32.6.5: icmp_seq=1 ttl=64 time=3.14 ms
64 bytes from 10.32.6.5: icmp_seq=2 ttl=64 time=0.934 ms

--- 10.32.6.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.934/2.038/3.142/1.104 ms
[root@localhost ~]#
```