Calico 是一个纯三层的虚拟网络方案,Calico为每个容器分配一个IP,每个host都是router,把不同host的容器连接起来。与vxlan不同的是,Calico不对数据包做额外封装,不需要NAT和端口映射,扩展性和性能都很好。
与其他容器网络方案相比,Calico还有一大优势:network policy。用户可以动态定义ACL规则,控制进出容器的数据包,实现业务需求。
实验环境描述
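Calico依赖etcd在不同主机间共享和交换信息,存储Calico网络状态。我们将在10.12.31.213 上运行etcd。注意:本实验中etcd通过明文HTTP提供服务且未启用认证,任何能访问2379端口的主机都可以读写Calico的网络状态和策略,因此仅适用于隔离的实验网络;生产环境应为etcd启用TLS和客户端证书认证。
Calico网络中的每个主机都需要运行Calico组件,提供容器interface管理、动态路由、动态ACL、报告状态等功能。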
host1 10.12.31.211
host2 10.12.31.212
etcd 10.12.31.213
# 1、启动etcd数据库
[root@etcd ~]# etcd -listen-client-urls http://10.12.31.213:2379 -advertise-client-urls http://10.12.31.213:2379 &
# 2、修改 host1 和 host2 Docker daemon 配置文件
root@host1:~# cat /etc/systemd/system/docker.service.d/10-machine.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver overlay2 --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=generic --cluster-store=etcd://10.12.31.213:2379
Environment=
root@host1:~# systemctl daemon-reload
root@host1:~# systemctl restart docker.service
root@host2:~# cat /etc/systemd/system/docker.service.d/10-machine.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver overlay2 --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=generic --cluster-store=etcd://10.12.31.213:2379
Environment=
root@host2:~# systemctl daemon-reload
root@host2:~# systemctl restart docker.service
# 3、在 host1 和 host2 上安装 Calico
calicoctl 将以 root 身份执行,下载后应先确认二进制的来源与完整性,再赋予可执行权限。
root@host1:~# wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1.0.2/calicoctl
root@host1:~# chmod +x /usr/local/bin/calicoctl
root@host2:~# wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1.0.2/calicoctl
root@host2:~# chmod +x /usr/local/bin/calicoctl
# 4、在 host1 和 host2 上启动 Calico
root@host1:~# cat /etc/calicoctl.cfg
apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
  datastoreType: "etcdv2"
  etcdEndpoints: http://10.12.31.213:2379
root@host1:~# calicoctl node run --config=/etc/calicoctl.cfg
Running command to load modules: modprobe -a xt_set ip6_tables
Enabling IPv4 forwarding # 开启host上的路由转发功能
Enabling IPv6 forwarding
Increasing conntrack limit
Removing old calico-node container (if running).
Running the following command to start calico-node:
# 下载并启动calico-node容器,calico会以容器的形式运行(与weave类似)。注意:该容器以 --privileged 和 --net=host 运行,并挂载了 /var/run/docker.sock,实际上拥有宿主机的root权限,因此应只使用可信来源的镜像
docker run --net=host --privileged --name=calico-node -d --restart=always -e NO_DEFAULT_POOLS= -e CALICO_LIBNETWORK_ENABLED=true -e CALICO_LIBNETWORK_IFPREFIX=cali -e ETCD_ENDPOINTS=http://10.12.31.213:2379 -e ETCD_AUTHORITY= -e ETCD_SCHEME= -e NODENAME=host1 -e CALICO_NETWORKING_BACKEND=bird -v /var/run/docker.sock:/var/run/docker.sock -v /var/run/calico:/var/run/calico -v /lib/modules:/lib/modules -v /var/log/calico:/var/log/calico -v /run/docker/plugins:/run/docker/plugins calico/node:v1.0.2
Image may take a short time to download if it is not available locally.
Container started, checking progress logs.
Waiting for etcd connection... # 连接etcd数据库
Using auto-detected IPv4 address: 10.12.31.211
No IPv6 address configured
Using global AS number
Calico node name: host1
CALICO_LIBNETWORK_ENABLED is true - start libnetwork service
Calico node started successfully # calico启动成功
root@host2:~# cat /etc/calicoctl.cfg
apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
  datastoreType: "etcdv2"
  etcdEndpoints: http://10.12.31.213:2379
root@host2:~# calicoctl node run --config=/etc/calicoctl.cfg
Running command to load modules: modprobe -a xt_set ip6_tables
Enabling IPv4 forwarding
Enabling IPv6 forwarding
Increasing conntrack limit
Removing old calico-node container (if running).
Running the following command to start calico-node:
docker run --net=host --privileged --name=calico-node -d --restart=always -e NODENAME=host2 -e CALICO_NETWORKING_BACKEND=bird -e NO_DEFAULT_POOLS= -e CALICO_LIBNETWORK_ENABLED=true -e CALICO_LIBNETWORK_IFPREFIX=cali -e ETCD_ENDPOINTS=http://10.12.31.213:2379 -e ETCD_AUTHORITY= -e ETCD_SCHEME= -v /var/run/calico:/var/run/calico -v /lib/modules:/lib/modules -v /var/log/calico:/var/log/calico -v /run/docker/plugins:/run/docker/plugins -v /var/run/docker.sock:/var/run/docker.sock calico/node:v1.0.2
Image may take a short time to download if it is not available locally.
Container started, checking progress logs.
Waiting for etcd connection...
Using auto-detected IPv4 address: 10.12.31.212
No IPv6 address configured
Using global AS number
Calico node name: host2
CALICO_LIBNETWORK_ENABLED is true - start libnetwork service
Calico node started successfully
# 5、创建calico网络
--driver calico # 指定使用calico的libnetwork CNM driver
--ipam-driver calico-ipam # 指定使用calico的IPAM driver管理IP
calico网络为global网络,会自动同步到所有主机
root@host1:~# docker network create --driver calico --ipam-driver calico-ipam cal_net1
22fd17cb2e0db50e8ad40b3f1687e40baf26b6f1a16d0486ba6afa4e4cd37291
root@host1:~# docker network ls
NETWORK ID NAME DRIVER SCOPE
29c9c519a9cf bridge bridge local
22fd17cb2e0d cal_net1 calico global
bb03f7574aa2 host host local
d60df792c936 mac_net1 macvlan local
884e50ddfb92 mac_net10 macvlan local
c402380a197d mac_net20 macvlan local
11e39328a6d1 none null local
root@host1:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f80b34d63a07 calico/node:v1.0.2 "start_runit" 12 minutes ago Up 12 minutes calico-node
root@host2:~# docker network ls
NETWORK ID NAME DRIVER SCOPE
14ff2235fb9c bridge bridge local
22fd17cb2e0d cal_net1 calico global
cf4c89650a1f host host local
39f1aab9f5b8 mac_net1 macvlan local
a90d23d941a9 mac_net10 macvlan local
d73128405403 mac_net20 macvlan local
2f7d79e0114d none null local
root@host2:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
428c6c975c73 calico/node:v1.0.2 "start_runit" 6 minutes ago Up 6 minutes calico-node