069、Calico的默认连通性（2019-04-12 周五）

佚名 6年前 (2019-04-12) 随笔 1458人围观抢沙发百度已收录

参考 https://www.cnblogs.com/CloudMan6/p/7536746.html Calico 跨主机连通性测试 root@host1:~# docker exec bbox1 ping -c 2 bbox2 PING bbox2 (192.168.183.64): 56 data bytes 64 bytes from 192.168.183.64: seq=0 ttl=62 time=0.433 ms 64 bytes from 192.168.183.64: seq=1 ttl=62 time=0.322 ms --- bbox2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.322/0.377/0.433 ms root@host1:~# docker exec bbox1 ip r default via 169.254.1.1 dev cali0 ① 169.254.1.1 dev cali0 scope link root@host1:~# ip r default via 10.12.28.6 dev ens160 onlink 10.2.46.0/24 dev docker0 proto kernel scope link src 10.2.46.1 linkdown 10.12.28.0/22 dev ens160 proto kernel scope link src 10.12.31.211 172.22.0.0/16 via 10.12.28.1 dev ens160 192.168.119.0 dev cali129890bc0f3 scope link blackhole 192.168.119.0/26 proto bird 192.168.183.64/26 via 10.12.31.212 dev ens160 proto bird ② root@host2:~# ip r default via 10.12.28.6 dev ens160 onlink 10.2.44.0/24 dev docker0 proto kernel scope link src 10.2.44.1 linkdown 10.12.28.0/22 dev ens160 proto kernel scope link src 10.12.31.212 172.22.0.0/16 via 10.12.28.1 dev ens160 192.168.119.0/26 via 10.12.31.211 dev ens160 proto bird 192.168.183.64 dev calicb5d10d0884 scope link ③ blackhole 192.168.183.64/26 proto bird

root@host1:~# docker network create --driver calico --ipam-driver calico-ipam cal_net2 cca5ff37f60dc4f6096388ef4d20b5222c8cef32dd9bc0e389f71dd8776a7fdd root@host1:~# docker run -itd --name bbox3 --network cal_net2 busybox 9c942b23532a9a42a6be216b2f7b7b047814f327607a88ce8e54e05c00397cb4 root@host1:~# docker exec bbox3 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 9: cali0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff inet 192.168.119.1/32 brd 192.168.119.1 scope global cali0 valid_lft forever preferred_lft forever root@host1:~# docker exec bbox1 ping -c 2 192.168.119.1 PING 192.168.119.1 (192.168.119.1): 56 data bytes --- 192.168.119.1 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss calico 默认的 policy 规则是：容器只能与同一个calico网络中的容器通信，即使两个容器在同一个 host 上也不行查看calico网络policy，如果calico的配置文件在默认位置（ /etc/calico/calicoctl.cfg），在使用calico命令的时候可以省略指定--config root@host1:~# calicoctl get profile cal_net1 -o yaml --config /etc/calicoctl.cfg - apiVersion: v1 kind: profile metadata: name: cal_net1 tags: - cal_net1 spec: egress: # 出方向，allow any to any - action: allow destination: {} source: {} ingress: # 进方向，allow cal_net1 to any (这里的any只有cal_net1网络)，也就是 allow cal_net1 to cal_net1 - action: allow destination: {} source: tag: cal_net1