Contents

  • Lab environment
  • Environment setup
  • Installing openvswitch
  • Configuring OVS
  • Testing


Lab environment


This article sets up two CentOS 7 virtual machines in VMware Workstation, installs openvswitch-2.12.0 on both, and uses it to let Docker containers on the two hosts communicate with each other.

Each CentOS 7 machine has a NAT NIC and a host-only NIC. The NAT NIC is used only to reach the internet and download dependency packages; the host-only NIC carries the container traffic between the two hosts.

Environment setup

docker0 is the bridge Docker creates by default at startup; here we set the IP address range it uses.

[root@client ~]# vim /etc/docker/daemon.json
{
    "registry-mirrors": ["https://5n1jgjzk.mirror.aliyuncs.com"],
    "bip": "172.16.0.1/16"
}

The added "bip" key sets docker0's default address range. JSON does not allow comments, so do not put a comment inside the file: Docker will refuse to start if daemon.json fails to parse.

Make this change on both hosts; readers can choose ranges that fit their own environment.

After saving, restart the Docker service

systemctl restart docker

The IP addresses used in this article are as follows

Host 1: ens33 192.168.10.4, docker0 172.17.0.1/16

Host 2: ens36 192.168.10.5, docker0 172.16.0.1/16

For containers to reach networks outside their host, IP forwarding must also be enabled on both hosts

[root@client ~]# vim /etc/sysctl.conf
net.ipv4.conf.all.forwarding = 1
# Note: this must be set on both hosts

sysctl -p

Installing openvswitch

Install the build dependencies

yum -y install make gcc openssl-devel autoconf automake rpm-build redhat-rpm-config
yum -y install python-devel openssl-devel kernel-devel kernel-debug-devel libtool wget
yum -y install selinux-policy-devel python-sphinx unbound-devel bridge-utils

Download the openvswitch source package

wget https://www.openvswitch.org/releases/openvswitch-2.12.0.tar.gz
mkdir -p ~/rpmbuild/SOURCES
cp openvswitch-2.12.0.tar.gz ~/rpmbuild/SOURCES/ 
cd ~/rpmbuild/SOURCES
tar xvfz openvswitch-2.12.0.tar.gz
sed 's/openvswitch-kmod, //g' openvswitch-2.12.0/rhel/openvswitch.spec > openvswitch-2.12.0/rhel/openvswitch_no_kmod.spec

Build the rpm package

rpmbuild -bb --nocheck openvswitch-2.12.0/rhel/openvswitch_no_kmod.spec

Install

yum localinstall ~/rpmbuild/RPMS/x86_64/openvswitch-2.12.0-1.x86_64.rpm -y

Start openvswitch

systemctl start openvswitch

Configuring OVS

  • Create the OVS bridge
  • Add the GRE tunnel
  • Configure the Docker container bridge
  • Add the OVS interface to the container bridge
  • Add routes to the other host's Docker container subnet

On host 1

# create the OVS bridge
ovs-vsctl add-br obr0
# add the GRE tunnel; remote_ip is host 2's host-only NIC address
ovs-vsctl add-port obr0 gre1 -- set interface gre1 type=gre option:remote_ip=192.168.10.5
# attach obr0 to the docker0 bridge
brctl addif docker0 obr0
# bring up obr0
ip link set dev obr0 up
# bring up docker0
ip link set dev docker0 up
# add a route: traffic to host 2's docker0 subnet leaves through the local docker0 interface
ip route add 172.16.0.0/16 dev docker0

On host 2

# create the OVS bridge
ovs-vsctl add-br obr0
# add the GRE tunnel; remote_ip is host 1's host-only NIC address
ovs-vsctl add-port obr0 gre1 -- set interface gre1 type=gre option:remote_ip=192.168.10.4
# attach obr0 to the docker0 bridge
brctl addif docker0 obr0
# bring up obr0
ip link set dev obr0 up
# bring up docker0
ip link set dev docker0 up
# add a route: traffic to host 1's docker0 subnet leaves through the local docker0 interface
ip route add 172.17.0.0/16 dev docker0
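The two command blocks above are mirror images of each other, and the whole setup rests on two facts the article never checks explicitly: each GRE endpoint must be the peer's host-only address (not its NAT address), and the two docker0 ranges must not overlap, otherwise the on-link routes on docker0 become ambiguous. The following Python script is an added example, not part of the original article: it validates such an address plan and generates the per-host command list, and it generalises the article's two-host case to any number of hosts by building a full mesh of GRE ports (gre1, gre2, ...) with one route per peer. The host names host1/host2 and the assumption that the host-only network is 192.168.10.0/24 are constructed for the example; the article only gives the two addresses.

```python
import ipaddress

# Constructed inventory mirroring the article's two hosts: the host-only NIC address
# used as the GRE endpoint, and the docker0 "bip" set in /etc/docker/daemon.json.
HOSTS = {
    "host1": {"host_only_ip": "192.168.10.4", "bip": "172.17.0.1/16"},
    "host2": {"host_only_ip": "192.168.10.5", "bip": "172.16.0.1/16"},
}
# Assumed host-only network (the article shows only the two addresses, not the mask).
HOST_ONLY_NET = ipaddress.ip_network("192.168.10.0/24")


def validate_plan(hosts, host_only_net=HOST_ONLY_NET):
    """Return a list of problems with the address plan; an empty list means it is consistent.

    Check 1: every GRE endpoint lies on the host-only network, so tunnels are not
             terminated on the NAT NIC by mistake.
    Check 2: no two hosts have overlapping docker0 ranges, since each host adds an
             on-link route for every peer's range and overlaps would clash.
    """
    problems = []
    nets = {}
    for name, cfg in hosts.items():
        nets[name] = ipaddress.ip_interface(cfg["bip"]).network
        if ipaddress.ip_address(cfg["host_only_ip"]) not in host_only_net:
            problems.append(
                f"{name}: GRE endpoint {cfg['host_only_ip']} is not on {host_only_net}"
            )
    names = list(hosts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a}/{b}: docker0 ranges {nets[a]} and {nets[b]} overlap")
    return problems


def commands_for(name, hosts, bridge="obr0", docker_bridge="docker0"):
    """Generate the command list the article runs by hand on one host.

    For N hosts this yields a full mesh: one GRE port per peer and one on-link
    route per peer's docker0 range, in the same order as the article's blocks.
    """
    peers = [(peer, cfg) for peer, cfg in hosts.items() if peer != name]
    cmds = [f"ovs-vsctl add-br {bridge}"]
    for idx, (_peer, cfg) in enumerate(peers, start=1):
        port = f"gre{idx}"
        cmds.append(
            f"ovs-vsctl add-port {bridge} {port} -- set interface {port} "
            f"type=gre option:remote_ip={cfg['host_only_ip']}"
        )
    cmds += [
        f"brctl addif {docker_bridge} {bridge}",
        f"ip link set dev {bridge} up",
        f"ip link set dev {docker_bridge} up",
    ]
    for _peer, cfg in peers:
        net = ipaddress.ip_interface(cfg["bip"]).network
        cmds.append(f"ip route add {net} dev {docker_bridge}")
    return cmds


if __name__ == "__main__":
    issues = validate_plan(HOSTS)
    if issues:
        raise SystemExit("\n".join(issues))
    for host in HOSTS:
        print(f"# on {host}")
        print("\n".join(commands_for(host, HOSTS)))
```

Run it to print the two command blocks for the article's hosts; change a bip in HOSTS so the ranges collide, or point a host_only_ip at the NAT side, and the script refuses to emit commands. The endpoint check matters beyond tidiness: GRE carries the container traffic with no encryption or authentication, so the interface the tunnel terminates on is what decides which network can see or inject into the overlay.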

Testing

On host 1, start a new container from the centos image

[root@docker ~]# docker run -it --name centos1 centos /bin/bash
# check centos1's IP address
[root@e3e08c47e84b /]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
    link/gre 0.0.0.0 brd 0.0.0.0
3: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
189: eth0@if190: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

As shown, container centos1 has already been given an address in the 172.17.0.0/16 range

Now on host 2, start a new container from the centos image as well

[root@client ~]# docker run -it --name centos2 centos /bin/bash
# check the IP address
[root@8d6442418f27 /]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
    link/gre 0.0.0.0 brd 0.0.0.0
3: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
20: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:10:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.0.2/16 brd 172.16.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Container centos2's IP address is also as expected, in the 172.16.0.0/16 range we configured

Next, run a connectivity test from the centos1 container on host 1

# ping the IP address of container centos2 on host 2
[root@e3e08c47e84b /]# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=63 time=1.82 ms
From 172.17.0.1 icmp_seq=2 Redirect Host(New nexthop: 172.16.0.2)
From 172.17.0.1: icmp_seq=2 Redirect Host(New nexthop: 172.16.0.2)
64 bytes from 172.16.0.2: icmp_seq=2 ttl=63 time=1.47 ms
From 172.17.0.1 icmp_seq=3 Redirect Host(New nexthop: 172.16.0.2)
From 172.17.0.1: icmp_seq=3 Redirect Host(New nexthop: 172.16.0.2)
64 bytes from 172.16.0.2: icmp_seq=3 ttl=63 time=0.926 ms
^C
--- 172.16.0.2 ping statistics ---
3 packets transmitted, 3 received, +2 errors, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 0.926/1.406/1.820/0.370 ms

Connectivity works. The output also shows that host 1's docker0 (172.17.0.1) answered each ICMP request with a redirect: the container's default gateway is docker0, and host 1's on-link route sends 172.16.0.0/16 back out that same docker0 interface, so the kernel tells the container that 172.16.0.2 is reachable directly.

This completes cross-host communication between containers.