calico docker 应用实例
在上一篇文章《quay.io/coreos/etcd 基于Docker镜像的集群搭建》中,介绍了ETCD集群的搭建。在此基础上,我们进一步实践calico docker的应用。
PaaS 平台的网络需求:
在使用Docker构建PaaS平台的过程中,我们首先遇到的问题是需要选择一个满足需求的网络模型:
1)让每个容器拥有自己的网络栈,特别是独立的 IP 地址;
2)能够进行跨服务器的容器间通讯,同时不依赖特定的网络设备;
3)有访问控制机制,不同应用之间互相隔离,有调用关系的能够通讯。
调研了几个主流的网络模型:
1)Docker原生的Bridge模型:NAT机制导致无法使用容器IP进行跨服务器通讯;
2)Docker原生的Host模型:大家都使用和服务器相同的IP,端口冲突问题很麻烦;
3)Weave OVS等基于隧道的模型:由于是基于隧道的技术,在用户态进行封包解包,性能折损比较大,同时出现问题时网络抓包调试会很不便。
在对上述模型都不怎么满意的情况下,发现了一个还不怎么被大家关注的新项目:Project Calico。Project Calico是纯三层的SDN实现,它基于BPG协议和Linux自己的路由转发机制,不依赖特殊硬件,没有使用NAT或Tunnel等技术。能够方便的部署在物理服务器,虚拟机(如 OpenStack)或者容器环境下。同时它自带的基于Iptables的ACL管理组件非常灵活,能够满足比较复杂的安全隔离需求。
传统overlay网络架构
Calico提供的网络解决方案
本次搭建的基础环境:
底层OS:Centos7
docker版本:1.8.-el7.centos
IP:
服务器A:192.168.7.168
服务器B:192.168.7.170
服务器C:192.168.7.172 三台机器上搭建基于docker的ETCD集群——参见《quay.io/coreos/etcd 基于Docker镜像的集群搭建》
具体操作步骤:(注,请仔细观察命令,[root@AAA ~]# calicoctl node 表示在A主机上运行的命令,同理B、C)
1、下载calicoctl及docker.io/calico/node镜像(三台机器均需要相同操作)
下载calicoctl,地址如下。为下载之后的文件赋予可执行权限,并复制到/usr/bin/下
链接:http://pan.baidu.com/s/1nuHn5hB 密码:7yce 下载calico-node镜像
[root@AAA ~]# docker pull docker.io/calico/node
2、启动calico-node
[root@AAA ~]# calicoctl node
No IP provided. Using detected IP: 192.168.7.168
Calico node is running with id: 6e754df308342753b259e89850f51b3e002780958bbc3f7c0803436548666560
[root@AAA ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e754df30834 calico/node:latest "/sbin/start_runit" About a minute ago Up About a minute calico-node
0b5f487c20ae quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
[root@BBB ~]# calicoctl node
No IP provided. Using detected IP: 192.168.7.170
Calico node is running with id: 836bb8208dd992333c4ebc81d6312d1c0e53acffeca1b2ab3942a9483744fdf0
[root@BBB ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
836bb8208dd9 calico/node:latest "/sbin/start_runit" seconds ago Up seconds calico-node
fa52ef61ccee quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, /tcp, 0.0.0.0:-->-/tcp etcd
[root@CCC ~]# calicoctl node
No IP provided. Using detected IP: 192.168.7.172
Calico node is running with id: ff71c5939b119e724fca59e24039c7bbbc2adba9078f0b6c5ffa89359df92e2d
[root@CCC ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ff71c5939b11 calico/node:latest "/sbin/start_runit" seconds ago Up seconds calico-node
eb29998e8e92 quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
3、处理calico 的IP资源池
[root@AAA ~]# calicoctl pool show
+----------------+---------+
| IPv4 CIDR | Options |
+----------------+---------+
| 192.168.0.0/ | |
+----------------+---------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+
[root@AAA ~]# calicoctl pool remove 192.168.0.0/
[root@AAA ~]# calicoctl pool show
+-----------+---------+
| IPv4 CIDR | Options |
+-----------+---------+
+-----------+---------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+
[root@AAA ~]# calicoctl pool add 10.0.238.0/ --nat-outgoing --ipip
(支持跨子网的主机上的Docker间网络互通,需要添加--ipip参数;如果要Docker访问外网,需要添加--nat-outgoing参数。)
[root@AAA ~]# calicoctl pool show
+---------------+-------------------+
| IPv4 CIDR | Options |
+---------------+-------------------+
| 10.0.238.0/ | ipip,nat-outgoing |
+---------------+-------------------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+
[root@BBB ~]# calicoctl pool show
+---------------+-------------------+
| IPv4 CIDR | Options |
+---------------+-------------------+
| 10.0.238.0/ | ipip,nat-outgoing |
+---------------+-------------------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+
4、处理calico profile(类似于VLAN)
[root@AAA ~]# calicoctl profile add p1
Created profile p1
[root@AAA ~]# calicoctl profile add p2
Created profile p2
[root@AAA ~]# calicoctl profile show
+------+
| Name |
+------+
| p1 |
| p2 |
+------+
[root@CCC ~]# calicoctl profile show
+------+
| Name |
+------+
| p1 |
| p2 |
+------+
5、启动net=none的容器
[root@AAA ~]# docker run -tid --name redis --restart=always --log-driver=none --net=none redis /run.sh
b6d894f4cfcf36f5d19f3798447825730c80e95d1a9f98f326b77fae0ed85277
[root@AAA ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b6d894f4cfcf redis "/run.sh" seconds ago Up seconds redis
6e754df30834 calico/node:latest "/sbin/start_runit" minutes ago Up minutes calico-node
0b5f487c20ae quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
[root@BBB ~]# docker run -tid --name redis --restart=always --log-driver=none --net=none redis /run.sh
4de1a0e2b2af5ad6c7f33138161105d46a07ce70d0b90b513125b28390a6a185
[root@BBB ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4de1a0e2b2af redis "/run.sh" seconds ago Up seconds redis
836bb8208dd9 calico/node:latest "/sbin/start_runit" minutes ago Up minutes calico-node
fa52ef61ccee quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
[root@CCC ~]# docker run -tid --name redis --restart=always --log-driver=none --net=none redis /run.sh
b6801f99494ada054a8ef00fc5b74ff4aba4e156e506d94c0b781fa20f8b6f50
[root@CCC ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b6801f99494a redis "/run.sh" seconds ago Up seconds redis
ff71c5939b11 calico/node:latest "/sbin/start_runit" minutes ago Up minutes calico-node
eb29998e8e92 quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
6、为容器配置IP及VLAN
[root@AAA ~]# calicoctl container add redis 10.0.238.1
IP 10.0.238.1 added to redis
[root@AAA ~]# docker exec -ti redis ip a
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: tunl0: <NOARP> mtu qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether :b7:::: brd ff:ff:ff:ff:ff:ff
inet 10.0.238.1/ scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::10b7:51ff:fe07:/ scope link
valid_lft forever preferred_lft forever
[root@AAA ~]# calicoctl container redis profile append p1
Profile(s) p1 appended.
[root@BBB ~]# calicoctl container add redis 10.0.238.2
IP 10.0.238.2 added to redis
[root@BBB ~]# docker exec -ti redis ip a
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: tunl0: <NOARP> mtu qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether ca::::: brd ff:ff:ff:ff:ff:ff
inet 10.0.238.2/ scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::c819:45ff:fe10:/ scope link
valid_lft forever preferred_lft forever
[root@BBB ~]# calicoctl container redis profile append p1
Profile(s) p1 appended. [root@BBB ~]# calicoctl container redis profile append p2
Profile(s) p2 appended.
[root@CCC ~]# calicoctl container add redis 10.0.238.3
IP 10.0.238.3 added to redis
[root@CCC ~]# docker exec -ti redis ip a
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: tunl0: <NOARP> mtu qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether ca:6b:e2::: brd ff:ff:ff:ff:ff:ff
inet 10.0.238.3/ scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::c86b:e2ff:fe63:/ scope link
valid_lft forever preferred_lft forever
[root@CCC ~]# calicoctl container redis profile append p2
Profile(s) p2 appended.
7、宿主机及容器网络拓扑
8、测试
[root@AAA ~]# docker exec -ti redis /bin/bash
[root@b6d894f4cfcf /]# ping 10.0.238.1 (本机,可达)
PING 10.0.238.1 (10.0.238.1) () bytes of data.
bytes from 10.0.238.1: icmp_seq= ttl= time=0.113 ms
bytes from 10.0.238.1: icmp_seq= ttl= time=0.052 ms
^C
--- 10.0.238.1 ping statistics ---
packets transmitted, received, % packet loss, time 999ms
rtt min/avg/max/mdev = 0.052/0.082/0.113/0.031 ms
[root@b6d894f4cfcf /]# ping 10.0.238.2 (同VLAN,可达)
PING 10.0.238.2 (10.0.238.2) () bytes of data.
bytes from 10.0.238.2: icmp_seq= ttl= time=1.02 ms
bytes from 10.0.238.2: icmp_seq= ttl= time=0.533 ms
^C
--- 10.0.238.2 ping statistics ---
packets transmitted, received, % packet loss, time 1002ms
rtt min/avg/max/mdev = 0.533/0.776/1.020/0.245 ms
[root@b6d894f4cfcf /]# ping 10.0.238.3 (不同VLAN,不可达)
PING 10.0.238.3 (10.0.238.3) () bytes of data.
^C
--- 10.0.238.3 ping statistics ---
packets transmitted, received, % packet loss, time 3022ms
[root@BBB ~]# docker exec -ti redis /bin/bash
[root@4de1a0e2b2af /]# ping 10.0.238.1 (同VLAN,可达)
PING 10.0.238.1 (10.0.238.1) () bytes of data.
bytes from 10.0.238.1: icmp_seq= ttl= time=2.08 ms
bytes from 10.0.238.1: icmp_seq= ttl= time=1.02 ms
^C
--- 10.0.238.1 ping statistics ---
packets transmitted, received, % packet loss, time 1001ms
rtt min/avg/max/mdev = 1.027/1.555/2.084/0.529 ms
[root@4de1a0e2b2af /]# ping 10.0.238.2 (本机,可达)
PING 10.0.238.2 (10.0.238.2) () bytes of data.
bytes from 10.0.238.2: icmp_seq= ttl= time=0.154 ms
bytes from 10.0.238.2: icmp_seq= ttl= time=0.066 ms
^C
--- 10.0.238.2 ping statistics ---
packets transmitted, received, % packet loss, time 1000ms
rtt min/avg/max/mdev = 0.066/0.110/0.154/0.044 ms
[root@4de1a0e2b2af /]# ping 10.0.238.3 (同VLAN,可达)
PING 10.0.238.3 (10.0.238.3) () bytes of data.
bytes from 10.0.238.3: icmp_seq= ttl= time=1.06 ms
bytes from 10.0.238.3: icmp_seq= ttl= time=0.442 ms
^C
--- 10.0.238.3 ping statistics ---
packets transmitted, received, % packet loss, time 1001ms
rtt min/avg/max/mdev = 0.442/0.752/1.062/0.310 ms
[root@CCC ~]# docker exec -ti redis /bin/bash
[root@b6801f99494a /]# ping 10.0.238.1 (不同VLAN,不可达)
PING 10.0.238.1 (10.0.238.1) () bytes of data.
^C
--- 10.0.238.1 ping statistics ---
packets transmitted, received, % packet loss, time 2001ms [root@b6801f99494a /]# ping 10.0.238.2 (同VLAN,可达)
PING 10.0.238.2 (10.0.238.2) () bytes of data.
bytes from 10.0.238.2: icmp_seq= ttl= time=0.384 ms
bytes from 10.0.238.2: icmp_seq= ttl= time=0.460 ms
^C
--- 10.0.238.2 ping statistics ---
packets transmitted, received, % packet loss, time 1016ms
rtt min/avg/max/mdev = 0.384/0.422/0.460/0.038 ms
[root@b6801f99494a /]# ping 10.0.238.3 (本机,可达)
PING 10.0.238.3 (10.0.238.3) () bytes of data.
bytes from 10.0.238.3: icmp_seq= ttl= time=0.055 ms
bytes from 10.0.238.3: icmp_seq= ttl= time=0.054 ms
^C
--- 10.0.238.3 ping statistics ---
packets transmitted, received, % packet loss, time 999ms
rtt min/avg/max/mdev = 0.054/0.054/0.055/0.007 ms
calico docker 应用实例的更多相关文章
- 自己挖的坑自己填--docker创建实例出现Waiting for SSH to be available…
在之前使用Docker for Windows Installer.exe直接安装,通过docker-machine-driver-vmwareworkstation.exe实现docker和VM的共 ...
- docker-compose 管理多个docker容器实例
Compose 安装 运行此命令下载最新版本的Docker Compose $ curl -L https://github.com/docker/compose/releases/download/ ...
- docker入门实例(转载)
1.Docker 是什么?Docker 是一个开源的应用容器引擎,让开发者可以打包他们的应用以及依赖包到一个可移植的镜像中,然后发布到任何流行的 Linux 或 Windows 机器上( 摘自百度 ) ...
- docker 创建实例
docker创建mysql实例要注意表名大小写和端口号映射的问题.下面是使用文件挂载解决表名大小写问题. docker run --name mysql-1 -e MYSQL_ROOT_PASSWOR ...
- MySQL Docker容器实例创建并进入MySQL命令行
首先需要明白的一点是: docker镜像是一个模版,docker容器是一个实例,它可以被启动与关闭. 我们需要先有MySQL的docker镜像,使用命令: docker pull mysql 拉取最新 ...
- docker入门实例
Docker 是什么? 我们在理解 Docker 之前,首先得先区分清楚两个概念,容器和虚拟机. 每台虚拟机都需要有自己的操作系统,虚拟机一旦被开启,预分配给它的资源将全部被占用. 每一台虚拟机包括应 ...
- docker应用实例——httpd
docker可以用来创建虚拟环境跑应用,各个应用能起到隔离作用. 步骤也很简单,就是获取(下拉镜像)应用,然后进行安装就可以了 1.搜索镜像,比如我想虚拟一个httpd应用,可以看到,有httpd这个 ...
- docker swarm 实例
1.配置三台虚拟机 先在virtualbox上生成三个Linux主机,一个manager1(管理节点),两个工作节点worker1和worker2 1)manager1 userdeMacBook-P ...
- Docker 应用实例
Docker安装Nginx 方法一.通过 Dockerfile构建 创建Dockerfile 首先,创建目录nginx,用于存放后面的相关东西. runoob@runoob:~$ mkdir -p ~ ...
随机推荐
- UniversalAndroidImageLoader出现异常:ImageLoader: Unable to resolve host "https": No address associated with host
问题描述 使用ImageLoader时,出现如下错误,始终加载图片错误,显示img_error的图片.UniversalAndroidImageLoader出现异常:ImageLoader: Unab ...
- [CareerCup] 17.6 Sort Array 排列数组
17.6 Given an array of integers, write a method to find indices m and n such that if you sorted elem ...
- android-ListView控件的使用
一.深刻理解ListView 1.职责:将数据填充到布局.响应用户操作 2.ListView的实现需要:布局.数据源.适配器 3.常见适配器: ArrayAdapter<T> 用来绑定一 ...
- CentOS7配置双网卡绑定
配置team0配置文件: [root@CentOS7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0DEVICE=team0DEVICETYPE= ...
- Rocky4.2下安装达梦(DM)6数据库
1.准备操作系统 1.1 系统登录界面 1.2 操作系统版本信息 jdbh:~ # uname -ra Linux jdbh -x86_64 # SMP Fri Dec :: CST x86_64 G ...
- 配置非默认端口的监听Listener
- MySQL配置文件改变了datadir值
从Noinstall Zip Archive中安装MySQL正在从Noinstall软件包安装MySQL的用户可以使用这个说明来手动安装MySQL.从Zip archive 中安装MySQL的 步骤如 ...
- Matlab里面的SVM
支持向量机是建立在统计学习理论基础之上的新一代机器学习算法,支持向量机的优势主要体现在解决线性不可分问题,它通过引入核函数,巧妙地解决了在高维空间中的内积运算,从而很好地解决了非线性分类问题. 构造出 ...
- matlab函数bwareaopen的详解
matlab函数_连通区域 1. matlab函数bwareaopen──删除小面积对象格式:BW2 = bwareaopen(BW,P,conn)作用:删除二值图像BW中面积小于P的对象,默认情况下 ...
- 转载~kxcfzyk:Linux C语言多线程库Pthread中条件变量的的正确用法逐步详解
Linux C语言多线程库Pthread中条件变量的的正确用法逐步详解 多线程c语言linuxsemaphore条件变量 (本文的读者定位是了解Pthread常用多线程API和Pthread互斥锁 ...