docker weave networking
weave
- weave is a third-party network driver, not one of Docker's built-in drivers
- weave builds an overlay network between docker hosts; it uses vxlan encapsulation carried over udp, and the transport can optionally be encrypted
- when the weave network is started, it creates a virtual network spanning multiple docker hosts, much like an ethernet switch; every container attaches to it and can talk to the others
How the weave network forwards traffic
When the weave network is created, a virtual network space is set up automatically on the local host. Inside it is the datapath interface, which works like an openvswitch switch, together with the weave bridge interface on the host.
Inside the datapath, vxlan-6784 and vethwe-datapath are both attached to datapath as their master (the datapath acts as their bridge).
In weave, a container connects to the weave bridge through a veth pair; the weave bridge connects to vethwe-datapath through the vethwe-bridge veth pair; vethwe-datapath is in turn attached to datapath through its master interface; and vxlan-6784 then carries the data off the host into the peer host's datapath.
weave and datapath have different roles
weave attaches containers to the weave network; datapath builds the vxlan tunnel between hosts and sends and receives the data.
In other words, data sent by a container passes through the virtual space created by weave and is forwarded by datapath to the peer host's interface. For this to work, the peer host's weave must belong to the same weave network, the same virtual space, as the local host.
weave single-host communication
- Install weave
# download weave
[root@localhost ~]# curl -L git.io/weave -o /usr/local/bin/weave
# make weave executable
[root@localhost ~]# chmod +x /usr/local/bin/weave
- Start the weave network
[root@localhost ~]# weave launch
# once the download has finished, list the docker networks
[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
7fb6ebcd58bb        bridge              bridge              local
dc088ea51e19        host                host                local
cec68349a7d5        none                null                local
393257be6e00        weave               weavemesh           local
Three docker images are downloaded
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS               NAMES
6caa8e9362ce        weaveworks/weave:2.7.0   "/home/weave/weaver …"   2 minutes ago       Up 2 minutes                            weave
[root@localhost ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
weaveworks/weavedb      latest              c0b9094fe80b        4 months ago        698B
weaveworks/weaveexec    2.7.0               376d0f04c22a        4 months ago        97.4MB
weaveworks/weave        2.7.0               2459c1a2593f        4 months ago        82.6MB
- weave is the main program: it establishes the weave network and provides the dns service, among other things
- weaveexec is the libnetwork CNM driver that implements docker networking
- weavedb provides the docker command proxy service: when a user creates a container through docker in the weave cluster, it automatically adds the container to the weave network
Inspect the weave network
[root@localhost ~]# docker network inspect weave
"Config": [
    {
        "Subnet": "10.32.0.0/12"
    }
]
# the default subnet is 10.32.0.0/12
- Make containers use the weave network
# running the following command is similar to entering a network namespace: containers created in this mode get an ip from the weave network's range by default
[root@localhost ~]# eval $(weave env)
Run a container
[root@localhost ~]# docker run -itd --name bbox1 busybox
64382908c9d7e9a8c691a78fa53719e0142d12fdfbd62110a6978cb9d7e83660
[root@localhost ~]# docker exec -it bbox1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
16: ethwe@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1376 qdisc noqueue
    link/ether 86:05:49:1b:7b:9e brd ff:ff:ff:ff:ff:ff
    inet 10.32.0.1/12 brd 10.47.255.255 scope global ethwe
       valid_lft forever preferred_lft forever
# the container has interfaces on two subnets: eth0 is bridged to docker0 and can reach the outside, ethwe is on the weave network
- Leave weave
# after this command, newly created containers no longer join the weave network
[root@localhost ~]# eval $(weave env --restore)
Analysing the weave network
- Enter bbox1
[root@localhost ~]# docker exec -it bbox1 sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
16: ethwe@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1376 qdisc noqueue
    link/ether 86:05:49:1b:7b:9e brd ff:ff:ff:ff:ff:ff
    inet 10.32.0.1/12 brd 10.47.255.255 scope global ethwe
       valid_lft forever preferred_lft forever
- Here ethwe (interface 16) is connected through a veth pair to interface 17 on the host
[root@localhost ~]# ip a
17: vethwepl69667@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default
    link/ether ae:f0:40:e1:e9:fb brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::acf0:40ff:fee1:e9fb/64 scope link
       valid_lft forever preferred_lft forever
Check the bridge interfaces
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02421ed6a0f7       no              veth212afa4
virbr0          8000.525400bb511b       yes             virbr0-nic
weave           8000.021a4a6a8971       no              vethwe-bridge
                                                        vethwepl69667
- Interface 17 on the host, vethwepl69667, is bridged into the weave bridge, and the weave bridge also bridges vethwe-bridge, which is also on the host
12: vethwe-bridge@vethwe-datapath: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default
    link/ether 62:40:29:cc:50:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6040:29ff:fecc:5027/64 scope link
       valid_lft forever preferred_lft forever
- Interface 12 is connected through a veth pair to vethwe-datapath; vethwe-datapath is attached to the datapath interface through its master interface, and vxlan-6784 is attached to datapath as well
13: vxlan-6784: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65535 qdisc noqueue master datapath state UNKNOWN group default qlen 1000
    link/ether e2:d3:b4:28:26:2c brd ff:ff:ff:ff:ff:ff
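The chain above (container veth into the weave bridge, vethwe-bridge into weave, vethwe-datapath and vxlan-6784 into datapath) can be verified from `ip -o link` output. The script below is an added example, not code from the original post or from weave; its sample input is constructed from the interfaces shown above, and the index 11 for vethwe-datapath is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the weave forwarding
# chain is wired as described, by reading the "master" field of `ip -o link`.
# Expected wiring: vethwe-bridge and the containers' vethwepl* ports sit on
# the `weave` bridge; vethwe-datapath and vxlan-6784 sit on `datapath`.

# masters: read `ip -o link` text on stdin, print "port master" pairs.
masters() {
  awk '{
    name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
    for (i = 3; i < NF; i++) if ($i == "master") print name, $(i + 1)
  }'
}

# master_of PORT: print the bridge or datapath PORT is attached to (stdin = `ip -o link`).
master_of() {
  masters | awk -v p="$1" '$1 == p { print $2 }'
}

# weave_chain_ok: succeed only if the mandatory hops are attached where weave puts them.
weave_chain_ok() {
  links=$(cat)
  [ "$(printf '%s\n' "$links" | master_of vethwe-bridge)" = weave ] || return 1
  [ "$(printf '%s\n' "$links" | master_of vethwe-datapath)" = datapath ] || return 1
  [ "$(printf '%s\n' "$links" | master_of vxlan-6784)" = datapath ] || return 1
}

# Constructed sample: one line per link, condensed from the `ip a` output above.
SAMPLE='8: weave: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue state UP group default qlen 1000
11: vethwe-datapath@vethwe-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master datapath state UP group default
12: vethwe-bridge@vethwe-datapath: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default
13: vxlan-6784: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65535 qdisc noqueue master datapath state UNKNOWN group default qlen 1000
17: vethwepl69667@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default'

if printf '%s\n' "$SAMPLE" | weave_chain_ok; then
  echo "weave forwarding chain is wired as expected"
else
  echo "weave forwarding chain is incomplete"
fi
# On a live host, feed the real output instead:  ip -o link show | weave_chain_ok
```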
weave cross-host communication
- After the first host has created its weave network
- The second host joins the first host's weave network
Install weave on the second host
# passing the peer's ip to weave launch joins that host's weave network
[root@localhost ~]# weave launch 192.168.100.211
[root@localhost ~]# eval $(weave env)
- Start a container
[root@localhost ~]# docker run -itd --name bbox2 busybox
5e4846b1b2b51d91c5b42459eaec56e08ce6dddea070e2e69af888f7999004f7
[root@localhost ~]# docker exec -it bbox2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
18: ethwe@if19: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1376 qdisc noqueue
    link/ether 4e:f3:7b:73:2f:a8 brd ff:ff:ff:ff:ff:ff
    inet 10.44.0.0/12 brd 10.47.255.255 scope global ethwe
       valid_lft forever preferred_lft forever
- ping bbox1 on host 1
[root@localhost ~]# docker exec -it bbox2 ping bbox1
PING bbox1 (10.32.0.1): 56 data bytes
64 bytes from 10.32.0.1: seq=0 ttl=64 time=1.729 ms
64 bytes from 10.32.0.1: seq=1 ttl=64 time=0.509 ms
weave network isolation (manually specified)
- The address parameter WEAVE_CIDR
Specify a subnet: WEAVE_CIDR=net:10.10.0.0/24
Specify an ip: WEAVE_CIDR=ip:10.10.10.10/24
weave: specifying a subnet
- The specified subnet must not fall outside the 10.32.0.0/12 range
# create a container on the 10.32.2.0/24 subnet
[root@localhost ~]# docker run --name bbox3 -itd -e WEAVE_CIDR=net:10.32.2.0/24 busybox
8545e4532631d0b761d9d7945702223487687c97eb8d187979473bd75d4c6777
[root@localhost ~]# docker exec -it bbox3 sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
26: ethwe@if27: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1376 qdisc noqueue
    link/ether ca:55:f1:3e:83:29 brd ff:ff:ff:ff:ff:ff
    inet 10.32.2.128/24 brd 10.32.2.255 scope global ethwe
       valid_lft forever preferred_lft forever
# try pinging bbox2
/ # ping bbox2
PING bbox2 (10.44.0.0): 56 data bytes
# unreachable, because the two containers are no longer on the same subnet
weave: specifying an ip
[root@localhost ~]# docker run -itd --name bbox5 -e WEAVE_CIDR=ip:10.32.6.6/24 busybox
bce396bbd378a76538d506daf9c37800606e1fa8c07b64936bd154e8e76c36b4
[root@localhost ~]# docker exec -it bbox5 sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
28: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
30: ethwe@if31: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1376 qdisc noqueue
link/ether d6:a5:9f:ce:3d:b5 brd ff:ff:ff:ff:ff:ff
inet 10.32.6.6/24 brd 10.32.6.255 scope global ethwe
valid_lft forever preferred_lft forever
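Both forms above, net:x/y and ip:x/y, only make sense inside weave's allocation range. The script below is an added example, not code from the original post or from weave: it checks a WEAVE_CIDR value against the range before the container is started, assuming the default 10.32.0.0/12 shown by `docker network inspect weave` (a different range can be passed as the second argument).

```shell
#!/bin/sh
# Added example (not from the original post): validate a WEAVE_CIDR value
# against weave's ip allocation range before handing it to `docker run`.
# Assumes the default range 10.32.0.0/12 unless another range is given.

# ip2int A.B.C.D: print the address as a 32-bit integer (exit 2 if malformed).
# The body is a subshell so the IFS change stays local.
ip2int() (
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 2
  for o; do
    case $o in ''|*[!0-9]*) exit 2 ;; esac
    [ "$o" -le 255 ] || exit 2
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# prefix2mask N: print the netmask for prefix length N as an integer.
prefix2mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_within CHILD PARENT: succeed only if every address of CHILD lies in PARENT.
cidr_within() {
  case $1 in */*) ;; *) return 2 ;; esac
  case $2 in */*) ;; *) return 2 ;; esac
  child_net=$(ip2int "${1%/*}") || return 2
  parent_net=$(ip2int "${2%/*}") || return 2
  child_len=${1#*/}; parent_len=${2#*/}
  # a prefix shorter than the parent's can never fit inside it
  [ "$child_len" -ge "$parent_len" ] || return 1
  mask=$(prefix2mask "$parent_len")
  [ $(( child_net & mask )) -eq $(( parent_net & mask )) ]
}

# check_weave_cidr VALUE [RANGE]: accept the net:x/y and ip:x/y forms used above.
check_weave_cidr() {
  range=${2:-10.32.0.0/12}
  case $1 in
    net:*|ip:*) cidr_within "${1#*:}" "$range" ;;
    *) return 2 ;;
  esac
}

for v in net:10.32.2.0/24 ip:10.32.6.6/24 net:10.10.10.0/24; do
  if check_weave_cidr "$v"; then echo "$v: inside the allocation range"
  else echo "$v: outside the allocation range"; fi
done
```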
Joining the host to the weave network
In the experiments above, some readers may have tried to ping a container's weave ip from the physical host. That does not work, because the weave network has no gateway yet.
Normally a bridge interface carries an address,
but weave is a private VxLAN network and is isolated from external networks by default.
[root@localhost ~]# ip a
8: weave: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue state UP group default qlen 1000
    link/ether 02:1a:4a:6a:89:71 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1a:4aff:fe6a:8971/64 scope link
       valid_lft forever preferred_lft forever
For external networks to reach the weave containers, join the host to the weave network and use the host as the gateway into the weave network.
# assign an ip to the host's weave interface
[root@localhost ~]# weave expose 10.32.0.2
[root@localhost ~]# ip a
8: weave: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue state UP group default qlen 1000
    link/ether 02:1a:4a:6a:89:71 brd ff:ff:ff:ff:ff:ff
    inet 10.32.0.2/12 brd 10.47.255.255 scope global weave
       valid_lft forever preferred_lft forever
    inet6 fe80::1a:4aff:fe6a:8971/64 scope link
       valid_lft forever preferred_lft forever
The host now has an extra route entry
[root@localhost ~]# ip r
10.32.0.0/12 dev weave proto kernel scope link src 10.32.0.2
# meaning: when external traffic is addressed to 10.32.0.0/12, the weave interface 10.32.0.3 forwards it as the gateway
Specifying the weave network's address range
After the service starts, the whole 10.32.0.0/12 range is used by default; to use a custom range, run weave launch --ipalloc-range x.x.x.x/xx
weave cross-subnet communication
The two hosts' weave networks are not connected
Host 1 uses the original 10.32.0.0/12 range
Host 2 uses the 10.10.10.0/24 range
Host 1
# start the weave network
[root@localhost ~]# weave launch
# make newly created containers join the weave network
[root@localhost ~]# eval $(weave env)
# create a container
[root@localhost ~]# docker run -itd --name bbox1 busybox
8e8e11712b1995e7d9f43900e19d988a9e46858ea95b3f906121a2218b5eb210
[root@localhost ~]# docker exec -it bbox1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
16: ethwe@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1376 qdisc noqueue
    link/ether 16:b1:9c:c2:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.32.0.1/12 brd 10.47.255.255 scope global ethwe
       valid_lft forever preferred_lft forever
Host 2
# start weave with the 10.10.10.0/24 range
[root@localhost ~]# weave launch --ipalloc-range 10.10.10.0/24
# make newly created containers join the weave network
[root@localhost ~]# eval $(weave env)
# create a container
[root@localhost ~]# docker run -itd --name bbox2 busybox
20d198e78e7f897eefaf7b7e07889b8fc05c468230f1b889ac97e3dc79cab61b
[root@localhost ~]# docker exec -it bbox2 sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
16: ethwe@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1376 qdisc noqueue
    link/ether d6:c8:d0:6d:6b:59 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global ethwe
       valid_lft forever preferred_lft forever
The two containers cannot ping each other
10.10.10.1 pinging 10.32.0.1:
/ # ping 10.32.0.1
PING 10.32.0.1 (10.32.0.1): 56 data bytes
Routes have to be added
Host 2
# join the host to the weave network
[root@localhost ~]# weave expose 10.10.10.2
[root@localhost ~]# ip route add 10.32.0.0/12 via 192.168.100.211 dev ens33
# meaning: to reach 10.32.0.0/12, go via 192.168.100.211 on ens33
# that subnet lives on the peer host, so the route points at the peer host's ip
Host 1
[root@localhost ~]# weave expose 10.32.0.2
[root@localhost ~]# ip route add 10.10.10.0/24 via 192.168.100.212 dev ens33
# meaning: to reach 10.10.10.0/24, go via 192.168.100.212 on ens33
# that subnet lives on the peer host, so the route points at the peer host's ip
bbox2 ping bbox1
[root@localhost ~]# docker exec -it bbox2 sh
/ # ping 10.32.0.1
PING 10.32.0.1 (10.32.0.1): 56 data bytes
64 bytes from 10.32.0.1: seq=0 ttl=62 time=0.393 ms
64 bytes from 10.32.0.1: seq=1 ttl=62 time=0.385 ms
# now reachable
All articles on this blog are written for learning purposes; if anything is wrong, feel free to get in touch so we can learn together. Email: 1248287831@qq.com