使用weave管理docker网络

简介:

weave简介


Weave creates a virtual network that connects Docker containers deployed across multiple hosts.

Weave Virtual Network

Applications use the network just as if the containers were all plugged into the same network switch, with no need to configure port mappings, links, etc. Services provided by application containers on the weave network can be made accessible to the outside world, regardless of where those containers are running. Similarly, existing internal systems can be exposed to application containers irrespective of their location.

Weave Deployment

Weave can traverse firewalls and operate in partially connected networks. Traffic can be encrypted, allowing hosts to be connected across an untrusted network.

With weave you can easily construct applications consisting of multiple containers, running anywhere.

Weave works alongside Docker's existing (single host) networking capabilities, so these can continue to be used by containers.

 

weave简单使用


sudo wget -O /usr/local/bin/weave https://raw.githubusercontent.com/zettio/weave/master/weave
sudo chmod a+x /usr/local/bin/weave
启动weave路由器,这个路由器其实也是在docker中启动的:

[root@h-46mow360 ~]# weave launch
Unable to find image 'zettio/weave' locally
3b3a3db2c186fccb5203dcc269b3febbbbf126591a7ebd8117a8a5250683749f
[root@h-46mow360 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.56847afe9799 no veth801050a
weave 8000.7afc2a03325e no vethwepl2146
[root@h-46mow360 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3b3a3db2c186 zettio/weave:git-a34e214201cb "/home/weave/weaver About a minute ago Up About a minute 0.0.0.0:6783->6783/tcp, 0.0.0.0:6783->6783/udp weave
在两台物理机上分别启动一个容器:
c1=$(weave run 10.0.3.3/24 -t -i -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /tmp/$(mktemp -d):/run systemd:systemd /usr/lib/systemd/systemd)
c2=$(weave run 10.0.3.5/24 -t -i -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /tmp/$(mktemp -d):/run systemd:systemd /usr/lib/systemd/systemd)
这个时候,两个容器之间是不通的,需要在两台weave的路由器之间建立连接:( if there is a firewall between $HOST1 and $HOST2, you must open port 6783 for TCP and UDP)
weave connect 10.33.0.9
这样,两台容器之间通了:
# nsenter --mount --uts --ipc --net --pid --target $(docker inspect --format "{{.State.Pid}}" "$c2")
-bash-4.2# ping -c 3 10.0.3.3
PING 10.0.3.3 (10.0.3.3) 56(84) bytes of data.
64 bytes from 10.0.3.3: icmp_seq=1 ttl=64 time=2.34 ms
64 bytes from 10.0.3.3: icmp_seq=2 ttl=64 time=1.52 ms
64 bytes from 10.0.3.3: icmp_seq=3 ttl=64 time=1.13 ms

--- 10.0.3.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.131/1.667/2.345/0.505 ms
但容器内部还是无法与宿主机之间通信。如果想让容器与宿主机网络联通,需要将weave路由器与宿主机网络联通,即执行:  weave expose 10.0.3.102/24
 
weave其他特性
 
  • 应用隔离:不同子网容器之间默认隔离的,即便它们位于同一台物理机上也相互不通;不同物理机之间的容器默认也是隔离的
  • 物理机之间容器互通:weave connect $OTHER_HOST
  • 动态添加网络:对于不是通过weave启动的容器,可以通过weave attach 10.0.1.1/24 $id来添加网络(detach删除网络)
  • 安全性:可以通过weave launch -password wEaVe设置一个密码用于weave peers之间加密通信
  • 与宿主机网络通信:weave expose 10.0.1.102/24,这个IP会配在weave网桥上
  • 查看weave路由状态:weave ps
  • 通过NAT实现外网访问docker容器
 
实现原理
 

Weave creates a network bridge on the host. Each container is connected to that bridge via a veth pair, the container side of which is given the IP address & netmask supplied in ‘weave run’. Also connected to the bridge is the weave router container.

A weave router captures Ethernet packets from its bridge-connected interface in promiscuous mode, using ‘pcap’. This typically excludes traffic between local containers, and between the host and local containers, all of which is routed straight over the bridge by the kernel. Captured packets are forwarded over UDP to weave router peers running on other hosts. On receipt of such a packet, a router injects the packet on its bridge interface using ‘pcap’ and/or forwards the packet to peers.

Weave routers learn which peer host a particular MAC address resides on. They combine this knowledge with topology information in order to make routing decisions and thus avoid forwarding every packet to every peer. The topology information captures which peers are connected to which other peers; weave can route packets in partially connected networks with changing topology.

Weave routers establish TCP connections to each other, over which they perform a protocol handshake and subsequently exchange topology information. These connections are encrypted if so configured. Peers also establish UDP “connections”, possibly encrypted, for the aforementioned packet forwarding. These “connections” are duplex and can traverse firewalls.

 
 
其他需要注意的问题
 
1. MTU considerations
 
MTU is the payload size of an ethernet frame. The ethernet headers are
not included in this and add a further 14 bytes (an ethernet header is
really at least 22 bytes. However only 14 bytes actually carry data -
the two mac fields and a type/length field. The other parts of the
header are there for signalling at the electrical layer and thus don't
get captured by pcap, nor need forwarding). We are then passing this
over UDP which adds a further 8 bytes, and over IP, which adds at
least another 20 bytes of headers (IP can have variable header
length. Yay). We also include the namehash as a 32 byte prefix.
 
Therefore, we have 20(ip) + 8(udp) + 32(namehash) + 2(length prefix) +
14(ethernet) = 76 bytes of overhead. Thus we should make sure the
internal MTU is 76 bytes lower than the external MTU. So on a normal
1500 byte ethernet MTU, we should ensure the other containers use
nothing greater than 1424.
 
2. 重启容器
 
如果使用weave,则就不能再使用docker自带的auto-restart feature(如docker run --restart=always redis),因为weave是在docker之外为容器配置的网络,容器重启的时候docker本身不会做这些事情。因而,还需额外的工具来管理容器的状态(比如systemd, upstart等),这些工具要调用weave命令(weave run/start/attach)来启动容器。

3. 为了便于开机自动启动weave,可以创建一个weave.service:
 
[Unit]
Description=Weave Network
Documentation= http://zettio.github.io/weave/
After=docker.service
 
[Service]
ExecStartPre=/usr/local/bin/weave launch
ExecStart=/usr/bin/docker logs -f weave
SuccessExitStatus=2
ExecStop=/usr/local/bin/weave stop
 
[Install]
WantedBy=multi-user.target

本文转自feisky博客园博客,原文链接:http://www.cnblogs.com/feisky/p/4093717.html,如需转载请自行联系原作者
相关文章
|
15天前
|
监控 Linux PHP
【02】客户端服务端C语言-go语言-web端PHP语言整合内容发布-优雅草网络设备监控系统-2月12日优雅草简化Centos stream8安装zabbix7教程-本搭建教程非docker搭建教程-优雅草solution
【02】客户端服务端C语言-go语言-web端PHP语言整合内容发布-优雅草网络设备监控系统-2月12日优雅草简化Centos stream8安装zabbix7教程-本搭建教程非docker搭建教程-优雅草solution
65 20
|
2月前
|
NoSQL 关系型数据库 MySQL
《docker高级篇(大厂进阶):4.Docker网络》包括:是什么、常用基本命令、能干嘛、网络模式、docker平台架构图解
《docker高级篇(大厂进阶):4.Docker网络》包括:是什么、常用基本命令、能干嘛、网络模式、docker平台架构图解
207 56
《docker高级篇(大厂进阶):4.Docker网络》包括:是什么、常用基本命令、能干嘛、网络模式、docker平台架构图解
|
2月前
|
安全 Docker 容器
docker的默认网络模式有哪些
Docker 默认网络模式包括:1) bridge:默认模式,各容器分配独立IP,可通过名称或IP通信;2) host:容器与宿主机共享网络命名空间,性能最优但有安全风险;3) none:容器隔离无网络配置,适用于仅需本地通信的场景。
89 6
|
2月前
|
存储 缓存 监控
Docker容器性能调优的关键技巧,涵盖CPU、内存、网络及磁盘I/O的优化策略,结合实战案例,旨在帮助读者有效提升Docker容器的性能与稳定性。
本文介绍了Docker容器性能调优的关键技巧,涵盖CPU、内存、网络及磁盘I/O的优化策略,结合实战案例,旨在帮助读者有效提升Docker容器的性能与稳定性。
271 7
|
3月前
|
安全 网络安全 数据安全/隐私保护
利用Docker的网络安全功能来保护容器化应用
通过综合运用这些 Docker 网络安全功能和策略,可以有效地保护容器化应用,降低安全风险,确保应用在安全的环境中运行。同时,随着安全威胁的不断变化,还需要持续关注和研究新的网络安全技术和方法,不断完善和强化网络安全保护措施,以适应日益复杂的安全挑战。
72 5
|
3月前
|
Docker 容器
【赵渝强老师】Docker的None网络模式
Docker容器在网络方面实现了逻辑隔离,提供了四种网络模式:bridge、container、host和none。其中,none模式下容器具有独立的网络命名空间,但不包含任何网络配置,仅能通过Local Loopback网卡(localhost或127.0.0.1)进行通信。适用于不希望容器接收任何网络流量或运行无需网络连接的特殊服务。
|
3月前
|
Docker 容器
【赵渝强老师】Docker的Host网络模式
Docker容器在网络环境中是隔离的,可通过配置不同网络模式(如bridge、container、host和none)实现容器间或与宿主机的网络通信。其中,host模式使容器与宿主机共享同一网络命名空间,提高性能但牺牲了网络隔离性。
100 0
|
3月前
|
Kubernetes Docker 容器
【赵渝强老师】Docker的Container网络模式
Docker容器在网络环境中彼此隔离,但可通过配置不同网络模式实现容器间通信。其中,container模式使容器共享同一网络命名空间,通过localhost或127.0.0.1互相访问,提高传输效率。本文介绍了container模式的特点及具体示例。
|
2月前
|
SQL 安全 网络安全
网络安全与信息安全:知识分享####
【10月更文挑战第21天】 随着数字化时代的快速发展,网络安全和信息安全已成为个人和企业不可忽视的关键问题。本文将探讨网络安全漏洞、加密技术以及安全意识的重要性,并提供一些实用的建议,帮助读者提高自身的网络安全防护能力。 ####
90 17
|
2月前
|
存储 SQL 安全
网络安全与信息安全:关于网络安全漏洞、加密技术、安全意识等方面的知识分享
随着互联网的普及,网络安全问题日益突出。本文将介绍网络安全的重要性,分析常见的网络安全漏洞及其危害,探讨加密技术在保障网络安全中的作用,并强调提高安全意识的必要性。通过本文的学习,读者将了解网络安全的基本概念和应对策略,提升个人和组织的网络安全防护能力。

热门文章

最新文章