zoukankan      html  css  js  c++  java
  • docker跨主机通信--模拟flannel host-gw直接路由

    模拟flannel host-gw 直接路由,实现不同主机之间docker容器互相通信

    0、实验环境:

    • macos 10.15.7
    • virtual box 6.1.18
    • vagrant 2.2.14

    vagrant教程参考 https://zhuanlan.zhihu.com/p/259833884
    可以手动安装配置虚拟机,不用vagrant。

    • centos7
    • docker 19.03.15

    一、虚拟机创建

    1、docker1 虚拟机Vagrantfile

    # -*- mode: ruby -*-
    # vi: set ft=ruby :
    
    # All Vagrant configuration is done below. The "2" in Vagrant.configure
    # configures the configuration version (we support older styles for
    # backwards compatibility). Please don't change it unless you know what
    # you're doing.
    Vagrant.configure("2") do |config|
      # The most common configuration options are documented and commented below.
      # For a complete reference, please see the online documentation at
      # https://docs.vagrantup.com.
    
      # Every Vagrant development environment requires a box. You can search for
      # boxes at https://vagrantcloud.com/search.
      config.vm.box = "centos-7"
    
      # Disable automatic box update checking. If you disable this, then
      # boxes will only be checked for updates when the user runs
      # `vagrant box outdated`. This is not recommended.
      # config.vm.box_check_update = false
    
      # Create a forwarded port mapping which allows access to a specific port
      # within the machine from a port on the host machine. In the example below,
      # accessing "localhost:8080" will access port 80 on the guest machine.
      # NOTE: This will enable public access to the opened port
      # config.vm.network "forwarded_port", guest: 80, host: 8080
    
      # Create a forwarded port mapping which allows access to a specific port
      # within the machine from a port on the host machine and only allow access
      # via 127.0.0.1 to disable public access
      # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
    
      # Create a private network, which allows host-only access to the machine
      # using a specific IP.
      config.vm.network "private_network", ip: "192.168.33.12"
    
      # Create a public network, which generally matched to bridged network.
      # Bridged networks make the machine appear as another physical device on
      # your network.
      # config.vm.network "public_network"
    
      # Share an additional folder to the guest VM. The first argument is
      # the path on the host to the actual folder. The second argument is
      # the path on the guest to mount the folder. And the optional third
      # argument is a set of non-required options.
      # config.vm.synced_folder "../data", "/vagrant_data"
    
      # Provider-specific configuration so you can fine-tune various
      # backing providers for Vagrant. These expose provider-specific options.
      # Example for VirtualBox:
      #
      # config.vm.provider "virtualbox" do |vb|
      #   # Display the VirtualBox GUI when booting the machine
      #   vb.gui = true
      #
      #   # Customize the amount of memory on the VM:
      #   vb.memory = "1024"
      # end
      #
      # View the documentation for the provider you are using for more
      # information on available options.
    
      # Enable provisioning with a shell script. Additional provisioners such as
      # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
      # documentation for more information about their specific syntax and use.
      config.vm.provision "shell", inline: <<-SHELL
      #   apt-get update
      #   apt-get install -y apache2
      sudo yum install -y yum-utils lvm2
      sudo curl -fsSL https://repo.huaweicloud.com/docker-ce/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
      sudo sed -i 's+download.docker.com+repo.huaweicloud.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
      sudo yum makecache fast
      sudo yum install -y docker-ce-19.03.15 docker-ce-cli-19.03.15 containerd.io
      sudo rm -f /etc/localtime
      sudo ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
      SHELL
    end
    

    2、docker2虚拟机Vagrantfile

    # -*- mode: ruby -*-
    # vi: set ft=ruby :
    
    # All Vagrant configuration is done below. The "2" in Vagrant.configure
    # configures the configuration version (we support older styles for
    # backwards compatibility). Please don't change it unless you know what
    # you're doing.
    Vagrant.configure("2") do |config|
      # The most common configuration options are documented and commented below.
      # For a complete reference, please see the online documentation at
      # https://docs.vagrantup.com.
    
      # Every Vagrant development environment requires a box. You can search for
      # boxes at https://vagrantcloud.com/search.
      config.vm.box = "centos-7"
    
      # Disable automatic box update checking. If you disable this, then
      # boxes will only be checked for updates when the user runs
      # `vagrant box outdated`. This is not recommended.
      # config.vm.box_check_update = false
    
      # Create a forwarded port mapping which allows access to a specific port
      # within the machine from a port on the host machine. In the example below,
      # accessing "localhost:8080" will access port 80 on the guest machine.
      # NOTE: This will enable public access to the opened port
      # config.vm.network "forwarded_port", guest: 80, host: 8080
    
      # Create a forwarded port mapping which allows access to a specific port
      # within the machine from a port on the host machine and only allow access
      # via 127.0.0.1 to disable public access
      # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
    
      # Create a private network, which allows host-only access to the machine
      # using a specific IP.
      config.vm.network "private_network", ip: "192.168.33.11"
    
      # Create a public network, which generally matched to bridged network.
      # Bridged networks make the machine appear as another physical device on
      # your network.
      # config.vm.network "public_network"
    
      # Share an additional folder to the guest VM. The first argument is
      # the path on the host to the actual folder. The second argument is
      # the path on the guest to mount the folder. And the optional third
      # argument is a set of non-required options.
      # config.vm.synced_folder "../data", "/vagrant_data"
    
      # Provider-specific configuration so you can fine-tune various
      # backing providers for Vagrant. These expose provider-specific options.
      # Example for VirtualBox:
      #
      # config.vm.provider "virtualbox" do |vb|
      #   # Display the VirtualBox GUI when booting the machine
      #   vb.gui = true
      #
      #   # Customize the amount of memory on the VM:
      #   vb.memory = "1024"
      # end
      #
      # View the documentation for the provider you are using for more
      # information on available options.
    
      # Enable provisioning with a shell script. Additional provisioners such as
      # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
      # documentation for more information about their specific syntax and use.
      config.vm.provision "shell", inline: <<-SHELL
      #   apt-get update
      #   apt-get install -y apache2
      sudo yum install -y yum-utils lvm2
      sudo curl -fsSL https://repo.huaweicloud.com/docker-ce/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
      sudo sed -i 's+download.docker.com+repo.huaweicloud.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
      sudo yum makecache fast
      sudo yum install -y docker-ce-19.03.15 docker-ce-cli-19.03.15 containerd.io
      sudo rm -f /etc/localtime
      sudo ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
      SHELL
    end
    

    二、docker网络配置

    3、docker1虚拟机 daemon.json 的配置

    bip: docker0 网卡的ip
    fixed-cidr: docker run默认的ip地址
    default-address-pools: 创建其他bridge网桥如docker-compose的网桥,会从这里挑地址

    
      
    {
      
      "bip": "173.17.0.1/16",
      "fixed-cidr": "173.17.0.1/16",
      "default-address-pools": [
        {
          "base": "173.18.0.0/16",
          "size": 24
        },
        {
          "base": "173.19.0.0/16",
          "size": 24
        }
      ],
    
      "registry-mirrors": [
          "https://docker.mirrors.ustc.edu.cn"
        ]
    
    
    }
    

    4、docker机器2 daemon.json 的配置

    {
      "bip": "174.17.0.1/16",
      "fixed-cidr": "174.17.0.1/16",
      "default-address-pools": [
        {
          "base": "174.18.0.0/16",
          "size": 24
        },
        {
          "base": "174.19.0.0/16",
          "size": 24
        }
      ],
    
      "registry-mirrors": [
          "https://docker.mirrors.ustc.edu.cn"
        ]
    
    
    }
    

    三、虚拟机路由表配置

    5、docker1虚拟机 的路由表配置

    
    # 添加docker2上容器的ip范围和docker2虚拟机的ip
    ip route add 174.0.0.0/8 via 192.168.33.11
    
    

    6、docker2虚拟机 的路由表配置

    
    # 添加docker1上容器的ip范围和docker1虚拟机的ip
    
    ip route add 173.0.0.0/8 via 192.168.33.12
    
    

    阶段成果:

    首先分别在两台主机上创建一个容器

    docker run --rm -d  --name nginx1 nginx:alpine
    docker run --rm -d  --name nginx2 nginx:alpine
    

    这时已经能 traceroute到另一台机器上的容器ip了。

    也能ping通另一台机器上的docker0了,因为docker0的ip时算local的,机器的default网络栈直接给应答了,流量都不会走到docker0。

    但是还不能ping通 另一台主机上的容器,因为docker默认的iptables规则FORWARD链做了限制:
    在docker版本19.03.15中,iptables filter表 FORWARD链中DOCKER-USER会把所有流量都RETURN。

    • 疑问:为什么只有另一台主机来的会走到这里?本地主机ping容器ip不会走到FORWARD链?

    在docker1虚拟机上ping docker2上的nginx2,这时流量会走到docker2的FORWARD-》DOCKER-USER 被RETURN
    在docker2虚拟机上ping nginx2,这时流量不会走到FORWARD,直接会走到nginx2.

    可能:因为本地主机中有 arp记录,没有走routing路由,在二层直接发给docker0 ,没有走iptables?

    你能帮帮我吗?

    四、虚拟机iptables规则配置

    7、docker1虚拟机 的iptables配置

    iptables -I DOCKER-USER -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG  --log-level 4
    iptables -I DOCKER-USER -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    
    

    8、docker2虚拟机 的iptables配置

    iptables -I DOCKER-USER -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG  --log-level 4
    iptables -I DOCKER-USER -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    

    9、ping

    # 在docker1 上
    docker exec nginx1 ip a
    173.17.0.2/16
    # 在docker2 上
    docker exec nginx2  ip a 
    174.17.0.2/16
    
    # 在docker1 上 nginx1 ping docker2上的nginx2
    docker exec nginx1 ping 174.17.0.2
    

  • 相关阅读:
    Linux连接字符串
    【aws】
    运行mlflow命令报错 The 'nose' distribution was not found and is required by nose-exclude
    【apt install】Unable to locate package python3-pip
    python package打包发布,安装
    【mlflow】mlflow打包、启动、换用mysql backend、mysql配置
    【mlflow】打包:npm run build + python setup.py sdist
    【css flex】将多个<div>放在同一行
    【react 条件渲染】在render的html中使用 三元运算符 进行条件渲染
    由于无法验证发布者 所以windows阻止此软件
  • 原文地址:https://www.cnblogs.com/leaderjs/p/14392492.html
Copyright © 2011-2022 走看看