In the previous article, "quay.io/coreos/etcd: building a cluster from the Docker image", we covered setting up an ETCD cluster. Building on that, this post puts Calico for Docker into practice.

  Network requirements of a PaaS platform:
  When building a PaaS platform on Docker, the first problem we ran into was choosing a network model that meets these requirements:

    1) each container has its own network stack, in particular its own IP address;
    2) containers can talk to each other across servers without depending on specific network hardware;
    3) there is an access-control mechanism: different applications are isolated from each other, while those with a call relationship can communicate.

  We evaluated several mainstream network models:
    1) Docker's native Bridge model: NAT means container IPs cannot be used for cross-server communication;
    2) Docker's native Host model: every container shares the server's IP, and port conflicts become a headache;
    3) Tunnel-based models such as Weave and OVS: packets are encapsulated and decapsulated in user space, which costs noticeable performance, and packet captures for debugging become awkward when something goes wrong.
  Not satisfied with any of the above, we found a new project that had not yet received much attention: Project Calico. Project Calico is a pure layer-3 SDN implementation built on the BGP protocol and Linux's own routing and forwarding; it needs no special hardware and uses neither NAT nor tunnels. It deploys easily on physical servers, virtual machines (e.g. OpenStack) or container environments. Its built-in iptables-based ACL management component is also very flexible and can satisfy fairly complex security-isolation requirements.

(Figure) Traditional overlay network architecture

(Figure) The network solution Calico provides

  Base environment for this setup:

Underlying OS: CentOS 7
Docker version: 1.8.-el7.centos
IPs:
Server A: 192.168.7.168
Server B: 192.168.7.170
Server C: 192.168.7.172
A Docker-based ETCD cluster runs on the three machines; see "quay.io/coreos/etcd: building a cluster from the Docker image".

Step-by-step procedure (note: read the prompts carefully. [root@AAA ~]# calicoctl node means the command is run on host A; likewise for B and C)

  1. Download calicoctl and the docker.io/calico/node image (the same steps are needed on all three machines)

Download calicoctl from the address below. Give the downloaded file execute permission and copy it to /usr/bin/.
Link: http://pan.baidu.com/s/1nuHn5hB  Password: 7yce
Pull the calico-node image:
[root@AAA ~]# docker pull docker.io/calico/node

  2. Start calico-node

[root@AAA ~]# calicoctl node
No IP provided. Using detected IP: 192.168.7.168
Calico node is running with id: 6e754df308342753b259e89850f51b3e002780958bbc3f7c0803436548666560
[root@AAA ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e754df30834 calico/node:latest "/sbin/start_runit" About a minute ago Up About a minute calico-node
0b5f487c20ae quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
[root@BBB ~]# calicoctl node
No IP provided. Using detected IP: 192.168.7.170
Calico node is running with id: 836bb8208dd992333c4ebc81d6312d1c0e53acffeca1b2ab3942a9483744fdf0
[root@BBB ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
836bb8208dd9 calico/node:latest "/sbin/start_runit" seconds ago Up seconds calico-node
fa52ef61ccee quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, /tcp, 0.0.0.0:-->-/tcp etcd
[root@CCC ~]# calicoctl node
No IP provided. Using detected IP: 192.168.7.172
Calico node is running with id: ff71c5939b119e724fca59e24039c7bbbc2adba9078f0b6c5ffa89359df92e2d
[root@CCC ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ff71c5939b11 calico/node:latest "/sbin/start_runit" seconds ago Up seconds calico-node
eb29998e8e92 quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd

  3. Set up Calico's IP pool

[root@AAA ~]# calicoctl pool show
+----------------+---------+
| IPv4 CIDR | Options |
+----------------+---------+
| 192.168.0.0/ | |
+----------------+---------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+
[root@AAA ~]# calicoctl pool remove 192.168.0.0/
[root@AAA ~]# calicoctl pool show
+-----------+---------+
| IPv4 CIDR | Options |
+-----------+---------+
+-----------+---------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+
[root@AAA ~]# calicoctl pool add 10.0.238.0/ --nat-outgoing --ipip
(For containers on hosts in different subnets to reach each other, add the --ipip option; for containers to reach the outside network, add --nat-outgoing.)
[root@AAA ~]# calicoctl pool show
+---------------+-------------------+
| IPv4 CIDR | Options |
+---------------+-------------------+
| 10.0.238.0/ | ipip,nat-outgoing |
+---------------+-------------------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+
[root@BBB ~]# calicoctl pool show
+---------------+-------------------+
| IPv4 CIDR | Options |
+---------------+-------------------+
| 10.0.238.0/ | ipip,nat-outgoing |
+---------------+-------------------+
+--------------------------+---------+
| IPv6 CIDR | Options |
+--------------------------+---------+
| fd80:24e2:f998:72d6::/ | |
+--------------------------+---------+

  4. Set up Calico profiles (analogous to VLANs)

[root@AAA ~]# calicoctl profile add p1
Created profile p1
[root@AAA ~]# calicoctl profile add p2
Created profile p2
[root@AAA ~]# calicoctl profile show
+------+
| Name |
+------+
| p1 |
| p2 |
+------+
[root@CCC ~]# calicoctl profile show
+------+
| Name |
+------+
| p1 |
| p2 |
+------+

  5. Start containers with --net=none

[root@AAA ~]# docker run -tid --name redis --restart=always --log-driver=none --net=none redis /run.sh
b6d894f4cfcf36f5d19f3798447825730c80e95d1a9f98f326b77fae0ed85277
[root@AAA ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b6d894f4cfcf redis "/run.sh" seconds ago Up seconds redis
6e754df30834 calico/node:latest "/sbin/start_runit" minutes ago Up minutes calico-node
0b5f487c20ae quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
[root@BBB ~]# docker run -tid --name redis --restart=always --log-driver=none --net=none redis /run.sh
4de1a0e2b2af5ad6c7f33138161105d46a07ce70d0b90b513125b28390a6a185
[root@BBB ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4de1a0e2b2af redis "/run.sh" seconds ago Up seconds redis
836bb8208dd9 calico/node:latest "/sbin/start_runit" minutes ago Up minutes calico-node
fa52ef61ccee quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd
[root@CCC ~]# docker run -tid --name redis --restart=always --log-driver=none --net=none redis /run.sh
b6801f99494ada054a8ef00fc5b74ff4aba4e156e506d94c0b781fa20f8b6f50
[root@CCC ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b6801f99494a redis "/run.sh" seconds ago Up seconds redis
ff71c5939b11 calico/node:latest "/sbin/start_runit" minutes ago Up minutes calico-node
eb29998e8e92 quay.io/coreos/etcd "/etcd -name qf2200-c" minutes ago Up minutes /tcp, 0.0.0.0:-->-/tcp, /tcp etcd

  6. Assign IPs and profiles (VLANs) to the containers

[root@AAA ~]# calicoctl container add redis 10.0.238.1
IP 10.0.238.1 added to redis
[root@AAA ~]# docker exec -ti redis ip a
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: tunl0: <NOARP> mtu qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether :b7:::: brd ff:ff:ff:ff:ff:ff
inet 10.0.238.1/ scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::10b7:51ff:fe07:/ scope link
valid_lft forever preferred_lft forever
[root@AAA ~]# calicoctl container redis profile append p1
Profile(s) p1 appended.
[root@BBB ~]# calicoctl container add redis 10.0.238.2
IP 10.0.238.2 added to redis
[root@BBB ~]# docker exec -ti redis ip a
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: tunl0: <NOARP> mtu qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether ca::::: brd ff:ff:ff:ff:ff:ff
inet 10.0.238.2/ scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::c819:45ff:fe10:/ scope link
valid_lft forever preferred_lft forever
[root@BBB ~]# calicoctl container redis profile append p1
Profile(s) p1 appended.
[root@BBB ~]# calicoctl container redis profile append p2
Profile(s) p2 appended.
[root@CCC ~]# calicoctl container add redis 10.0.238.3
IP 10.0.238.3 added to redis
[root@CCC ~]# docker exec -ti redis ip a
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: tunl0: <NOARP> mtu qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether ca:6b:e2::: brd ff:ff:ff:ff:ff:ff
inet 10.0.238.3/ scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::c86b:e2ff:fe63:/ scope link
valid_lft forever preferred_lft forever
[root@CCC ~]# calicoctl container redis profile append p2
Profile(s) p2 appended.

  7. Host and container network topology

  8. Testing

[root@AAA ~]# docker exec -ti redis /bin/bash
[root@b6d894f4cfcf /]# ping 10.0.238.1 (local container, reachable)
PING 10.0.238.1 (10.0.238.1) () bytes of data.
bytes from 10.0.238.1: icmp_seq= ttl= time=0.113 ms
bytes from 10.0.238.1: icmp_seq= ttl= time=0.052 ms
^C
--- 10.0.238.1 ping statistics ---
packets transmitted, received, % packet loss, time 999ms
rtt min/avg/max/mdev = 0.052/0.082/0.113/0.031 ms
[root@b6d894f4cfcf /]# ping 10.0.238.2 (same VLAN, reachable)
PING 10.0.238.2 (10.0.238.2) () bytes of data.
bytes from 10.0.238.2: icmp_seq= ttl= time=1.02 ms
bytes from 10.0.238.2: icmp_seq= ttl= time=0.533 ms
^C
--- 10.0.238.2 ping statistics ---
packets transmitted, received, % packet loss, time 1002ms
rtt min/avg/max/mdev = 0.533/0.776/1.020/0.245 ms
[root@b6d894f4cfcf /]# ping 10.0.238.3 (different VLAN, unreachable)
PING 10.0.238.3 (10.0.238.3) () bytes of data.
^C
--- 10.0.238.3 ping statistics ---
packets transmitted, received, % packet loss, time 3022ms
[root@BBB ~]# docker exec -ti redis /bin/bash
[root@4de1a0e2b2af /]# ping 10.0.238.1 (same VLAN, reachable)
PING 10.0.238.1 (10.0.238.1) () bytes of data.
bytes from 10.0.238.1: icmp_seq= ttl= time=2.08 ms
bytes from 10.0.238.1: icmp_seq= ttl= time=1.02 ms
^C
--- 10.0.238.1 ping statistics ---
packets transmitted, received, % packet loss, time 1001ms
rtt min/avg/max/mdev = 1.027/1.555/2.084/0.529 ms
[root@4de1a0e2b2af /]# ping 10.0.238.2 (local container, reachable)
PING 10.0.238.2 (10.0.238.2) () bytes of data.
bytes from 10.0.238.2: icmp_seq= ttl= time=0.154 ms
bytes from 10.0.238.2: icmp_seq= ttl= time=0.066 ms
^C
--- 10.0.238.2 ping statistics ---
packets transmitted, received, % packet loss, time 1000ms
rtt min/avg/max/mdev = 0.066/0.110/0.154/0.044 ms
[root@4de1a0e2b2af /]# ping 10.0.238.3 (same VLAN, reachable)
PING 10.0.238.3 (10.0.238.3) () bytes of data.
bytes from 10.0.238.3: icmp_seq= ttl= time=1.06 ms
bytes from 10.0.238.3: icmp_seq= ttl= time=0.442 ms
^C
--- 10.0.238.3 ping statistics ---
packets transmitted, received, % packet loss, time 1001ms
rtt min/avg/max/mdev = 0.442/0.752/1.062/0.310 ms
[root@CCC ~]# docker exec -ti redis /bin/bash
[root@b6801f99494a /]# ping 10.0.238.1 (different VLAN, unreachable)
PING 10.0.238.1 (10.0.238.1) () bytes of data.
^C
--- 10.0.238.1 ping statistics ---
packets transmitted, received, % packet loss, time 2001ms
[root@b6801f99494a /]# ping 10.0.238.2 (same VLAN, reachable)
PING 10.0.238.2 (10.0.238.2) () bytes of data.
bytes from 10.0.238.2: icmp_seq= ttl= time=0.384 ms
bytes from 10.0.238.2: icmp_seq= ttl= time=0.460 ms
^C
--- 10.0.238.2 ping statistics ---
packets transmitted, received, % packet loss, time 1016ms
rtt min/avg/max/mdev = 0.384/0.422/0.460/0.038 ms
[root@b6801f99494a /]# ping 10.0.238.3 (local container, reachable)
PING 10.0.238.3 (10.0.238.3) () bytes of data.
bytes from 10.0.238.3: icmp_seq= ttl= time=0.055 ms
bytes from 10.0.238.3: icmp_seq= ttl= time=0.054 ms
^C
--- 10.0.238.3 ping statistics ---
packets transmitted, received, % packet loss, time 999ms
rtt min/avg/max/mdev = 0.054/0.054/0.055/0.007 ms
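The reachability results in step 8 follow directly from the profile memberships assigned in step 6. The Python below is an added example, not code from the original post: it models the default rules calicoctl attaches to a new profile (inbound allowed only from endpoints carrying the same profile tag, all outbound allowed; an assumption about the calicoctl version used here), derives the intended reachability matrix from the profile sets, and compares it with the observed ping results, so that a mismatch in either direction shows up as policy drift. It generalizes to any set of endpoints and profiles, not only the three containers here.

```python
from itertools import product

# Endpoints as configured in step 6 of the post: container IP -> profiles attached.
ENDPOINTS = {
    "10.0.238.1": {"p1"},        # redis on server A
    "10.0.238.2": {"p1", "p2"},  # redis on server B
    "10.0.238.3": {"p2"},        # redis on server C
}

# Constructed from the ping results in step 8 (True = echo replies were received).
OBSERVED = {
    "10.0.238.1": {"10.0.238.1": True,  "10.0.238.2": True,  "10.0.238.3": False},
    "10.0.238.2": {"10.0.238.1": True,  "10.0.238.2": True,  "10.0.238.3": True},
    "10.0.238.3": {"10.0.238.1": False, "10.0.238.2": True,  "10.0.238.3": True},
}

def expected_reachable(src, dst, endpoints=ENDPOINTS):
    """True if src may open a connection to dst under the default profile rules.

    Assumed semantics (default rules calicoctl gives a new profile): outbound
    from src is always allowed; inbound at dst is allowed when one of dst's
    profiles accepts traffic tagged with a profile that src also carries, i.e.
    the two profile sets intersect. Return traffic is matched by conntrack.
    An endpoint always reaches itself (loopback never leaves the namespace).
    """
    if src == dst:
        return True
    return bool(endpoints[src] & endpoints[dst])

def expected_matrix(endpoints=ENDPOINTS):
    """Full src -> dst -> reachable matrix; doubles as the isolation intent."""
    return {s: {d: expected_reachable(s, d, endpoints) for d in endpoints}
            for s in endpoints}

def policy_drift(observed, endpoints=ENDPOINTS):
    """Return (src, dst, expected, observed) for every pair that disagrees.

    An unexpected True means isolation is weaker than intended (e.g. a container
    was appended to a profile it should not carry); an unexpected False means a
    legitimate path is blocked (missing profile, or a routing/ipip problem).
    """
    exp = expected_matrix(endpoints)
    return [(s, d, exp[s][d], observed[s][d])
            for s, d in product(endpoints, repeat=2) if exp[s][d] != observed[s][d]]

if __name__ == "__main__":
    drift = policy_drift(OBSERVED)
    print("isolation matrix matches intent" if not drift else f"drift: {drift}")
```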
