Calico 是一個純三層的虛擬網路方案,Calico為每個容器分配一個IP,每個host都是router,把不同host的容器連線起來。與vxlan不同的是,Calico不對資料包做額外封裝,不需要NAT和埠對映,擴充套件性和效能都很好。
與其他容器網路方案相比,Calico還有一大優勢:network policy。使用者可以動態定義ACL規則,控制進出容器的資料包,實現業務需求。
實驗環境描述
Calico依賴etcd在不同主機間共享和交換資訊,儲存Calico網路狀態。我們將在10.12.31.213 上執行etcd。注意:本實驗中etcd以明文HTTP且未啟用認證的方式監聽,任何能連到2379埠的主機都可以讀寫Calico的網路狀態與policy,這只適用於隔離的實驗環境;生產環境應為etcd啟用TLS與客戶端認證,並限制只有Calico節點能存取。
Calico網路中的每個主機都需要執行Calico元件,提供容器interface管理、動態路由、動態ACL、報告狀態等功能。
host1 10.12.31.211
host2 10.12.31.212
etcd 10.12.31.213
# 1、啟動etcd資料庫
[root@etcd ~]# etcd -listen-client-urls http://10.12.31.213:2379 -advertise-client-urls http://10.12.31.213:2379 &
# 2、修改 host1 和 host2 Docker daemon 配置檔案
root@host1:~# cat /etc/systemd/system/docker.service.d/10-machine.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver overlay2 --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=generic --cluster-store=etcd://10.12.31.213:2379
Environment=
root@host1:~# systemctl daemon-reload
root@host1:~# systemctl restart docker.service
root@host2:~# cat /etc/systemd/system/docker.service.d/10-machine.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver overlay2 --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=generic --cluster-store=etcd://10.12.31.213:2379
Environment=
root@host2:~# systemctl daemon-reload
root@host2:~# systemctl restart docker.service
# 3、在 host1 和 host2 上安裝 Calico
root@host1:~# wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1.0.2/calicoctl
root@host1:~# chmod +x /usr/local/bin/calicoctl
root@host2:~# wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1.0.2/calicoctl
root@host2:~# chmod +x /usr/local/bin/calicoctl
# 4、在 host1 和 host2 上啟動 Calico
root@host1:~# cat /etc/calicoctl.cfg
apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
datastoreType: "etcdv2"
etcdEndpoints: http://10.12.31.213:2379
root@host1:~# calicoctl node run --config=/etc/calicoctl.cfg
Running command to load modules: modprobe -a xt_set ip6_tables
Enabling IPv4 forwarding # 開啟host上的路由轉發功能
Enabling IPv6 forwarding
Increasing conntrack limit
Removing old calico-node container (if running).
Running the following command to start calico-node:
# 下載並啟動calico-node容器,calico會以容器的形式執行(與weave類似)
docker run --net=host --privileged --name=calico-node -d --restart=always -e NO_DEFAULT_POOLS= -e CALICO_LIBNETWORK_ENABLED=true -e CALICO_LIBNETWORK_IFPREFIX=cali -e ETCD_ENDPOINTS=http://10.12.31.213:2379 -e ETCD_AUTHORITY= -e ETCD_SCHEME= -e NODENAME=host1 -e CALICO_NETWORKING_BACKEND=bird -v /var/run/docker.sock:/var/run/docker.sock -v /var/run/calico:/var/run/calico -v /lib/modules:/lib/modules -v /var/log/calico:/var/log/calico -v /run/docker/plugins:/run/docker/plugins calico/node:v1.0.2
Image may take a short time to download if it is not available locally.
Container started, checking progress logs.
Waiting for etcd connection... # 連線etcd資料庫
Using auto-detected IPv4 address: 10.12.31.211
No IPv6 address configured
Using global AS number
Calico node name: host1
CALICO_LIBNETWORK_ENABLED is true - start libnetwork service
Calico node started successfully # calico啟動成功
root@host2:~# cat /etc/calicoctl.cfg
apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
datastoreType: "etcdv2"
etcdEndpoints: http://10.12.31.213:2379
root@host2:~# calicoctl node run --config=/etc/calicoctl.cfg
Running command to load modules: modprobe -a xt_set ip6_tables
Enabling IPv4 forwarding
Enabling IPv6 forwarding
Increasing conntrack limit
Removing old calico-node container (if running).
Running the following command to start calico-node:
docker run --net=host --privileged --name=calico-node -d --restart=always -e NODENAME=host2 -e CALICO_NETWORKING_BACKEND=bird -e NO_DEFAULT_POOLS= -e CALICO_LIBNETWORK_ENABLED=true -e CALICO_LIBNETWORK_IFPREFIX=cali -e ETCD_ENDPOINTS=http://10.12.31.213:2379 -e ETCD_AUTHORITY= -e ETCD_SCHEME= -v /var/run/calico:/var/run/calico -v /lib/modules:/lib/modules -v /var/log/calico:/var/log/calico -v /run/docker/plugins:/run/docker/plugins -v /var/run/docker.sock:/var/run/docker.sock calico/node:v1.0.2
Image may take a short time to download if it is not available locally.
Container started, checking progress logs.
Waiting for etcd connection...
Using auto-detected IPv4 address: 10.12.31.212
No IPv6 address configured
Using global AS number
Calico node name: host2
CALICO_LIBNETWORK_ENABLED is true - start libnetwork service
Calico node started successfully
# 5、建立calico網路
--driver calico # 指定使用calico的libnetwork CNM driver
--ipam-driver calico-ipam # 指定使用calico的IPAM driver管理IP
calico網路為global網路,會自動同步到所有主機
root@host1:~# docker network create --driver calico --ipam-driver calico-ipam cal_net1
22fd17cb2e0db50e8ad40b3f1687e40baf26b6f1a16d0486ba6afa4e4cd37291
root@host1:~# docker network ls
NETWORK ID NAME DRIVER SCOPE
29c9c519a9cf bridge bridge local
22fd17cb2e0d cal_net1 calico global
bb03f7574aa2 host host local
d60df792c936 mac_net1 macvlan local
884e50ddfb92 mac_net10 macvlan local
c402380a197d mac_net20 macvlan local
11e39328a6d1 none null local
root@host1:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f80b34d63a07 calico/node:v1.0.2 "start_runit" 12 minutes ago Up 12 minutes calico-node
root@host2:~# docker network ls
NETWORK ID NAME DRIVER SCOPE
14ff2235fb9c bridge bridge local
22fd17cb2e0d cal_net1 calico global
cf4c89650a1f host host local
39f1aab9f5b8 mac_net1 macvlan local
a90d23d941a9 mac_net10 macvlan local
d73128405403 mac_net20 macvlan local
2f7d79e0114d none null local
root@host2:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
428c6c975c73 calico/node:v1.0.2 "start_runit" 6 minutes ago Up 6 minutes calico-node