Preface
No matter what new technology or new framework appears, there are two problems we can never get around, not even at the operating-system level, and they are also very basic ones: networking and storage. Think back over the frameworks you have learned and over operating-system principles: can any of them bypass these two points? They are the foundation of all programs, and they are also the key problems Docker has to solve. Today we will study Docker's network solutions together.
Network solutions in Docker
In the Docker world there are three well-known solutions to the network problem:
- Flannel
- Weave
- Calico
Their purpose is ultimately the same: how do we make containers communicate with each other? Lift the problem up a level to the cluster, and Kubernetes solves the same problem. However, Kubernetes adds a constraint: every network implementation must follow the CNI standard (a standard defined by the Kubernetes community so that companies and projects can extend it easily). The CNI requirements can be summarized as three rules and four goals, as follows:
Three rules:
- Pods can communicate with each other directly, without explicit use of NAT
- Nodes can communicate with pods directly, without explicit use of NAT
- The IP address a pod sees for itself is the same address others use to reach it when communicating with it; no explicit translation is applied
Four goals:
- Container-to-container communication
- Pod-to-pod communication
- Pod-to-service communication
- External-to-service communication
In addition, the major cloud platforms generally combine these with their own network stacks to build a solution; we will set those aside for now. Let's study the three solutions above one by one.
Flannel
flannel was developed by the CoreOS team. It was originally designed to re-plan the IP address usage rules for all nodes in the cluster, so that containers on different nodes obtain IP addresses that belong to the same internal network and never collide, and so that containers on different nodes can communicate directly over those internal IPs.
The overall structure is as follows:
- Flannel uses etcd to store configuration data and subnet allocation information. After flanneld starts, its background process first retrieves the configuration and the list of subnets already in use, then selects an available subnet and tries to register it. etcd also stores the mapping from each subnet to its host IP. flanneld uses etcd's watch mechanism to monitor all changes under /coreos.com/network/subnets and maintains a routing table accordingly.
- Each host is configured with an IP segment and a subnet size. For example, the overlay network may use the 10.100.0.0/16 segment with a /24 subnet per host, so host A might receive 10.100.5.0/24 and host B 10.100.18.0/24. flanneld uses etcd to maintain the mapping between the assigned subnets and the actual host addresses. On the data path, flanneld encapsulates IP datagrams in UDP and forwards them to the remote host. The UDP protocol was chosen because it can penetrate firewalls.
A complete communication process is as follows:
- The data packet leaves the source container and is forwarded by docker0 to flannel0
- The source flanneld picks up the packet and must work out which flanneld it should be delivered to; it queries etcd for the routing information of the destination address
- The source flanneld then encapsulates the packet with the UDP protocol and delivers it to the peer flanneld according to the routing table
- The peer flanneld receives the packet, unpacks it, hands it to the flannel0 interface, and forwards it on to the docker0 interface
- Finally, docker0 routes the packet to the destination container
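The routing-lookup step above can be sketched as follows, assuming a hypothetical two-host cluster (the subnet-to-host mapping and the host IPs 192.168.1.10/.11 are invented for illustration; real flanneld mirrors this table from etcd):

```python
import ipaddress

# Toy model of flanneld's routing decision: find which host owns the
# destination container's subnet, then forward the original IP packet
# to that host inside a UDP datagram.
routes = {  # subnet -> host IP, as mirrored from etcd (hypothetical values)
    ipaddress.ip_network("10.100.5.0/24"): "192.168.1.10",
    ipaddress.ip_network("10.100.18.0/24"): "192.168.1.11",
}

def next_hop(dst_container_ip: str) -> str:
    ip = ipaddress.ip_address(dst_container_ip)
    for subnet, host in routes.items():
        if ip in subnet:
            return host
    raise LookupError("no route to " + dst_container_ip)

print(next_hop("10.100.18.7"))  # -> 192.168.1.11
```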
Flannel summary
flannel is essentially a kind of "overlay network": a network that runs on top of another network (an application-layer network). It does not rely on IP addresses alone to deliver messages, but uses a mapping mechanism between IP addresses and identifiers to locate resources. In other words, it wraps TCP data inside another network's packets for forwarding and routing. It currently supports UDP, VxLAN, AWS VPC, and GCE routing as data-forwarding modes.
Weave
weave was developed by the Weaveworks company. Its purpose is to solve cross-host communication for Docker by connecting containers on multiple nodes into one local area network, and it requires no KV store.
A weave network is composed of a series of peers, the weave routers (WRouters), which live on different hosts. WRouters on different hosts are connected with the weave connect command, which means you can specify the network topology of the cluster yourself.
The overall architecture diagram is as follows:
- A WRouter is deployed on each Docker host (whether a physical machine or a virtual machine); it can also be deployed in the form of a container. The weave network is composed of these weave routers as peer endpoints (peers), and the weave network topology can be customized through the command line.
- Two connections are established between each pair of WRouters:
  - A TCP connection, for the handshake and for exchanging network topology information; port 6783 by default.
  - A UDP connection, for data-plane traffic; port 6783 by default.
- On the data plane, weave implements an L2 overlay through UDP encapsulation. Data encapsulation supports two modes:
  - sleeve mode: user space. Packets intercepted on the Linux bridge via pcap are UDP-encapsulated by the WRouter. It supports encryption of L2 traffic and supports partial connection, but the performance loss is significant.
  - fastpath mode: kernel space. Encapsulation into VxLAN/MPLS is done through OVS's odp, and the WRouter is not directly involved in forwarding. This approach can significantly improve throughput, but it does not support encryption.
sleeve mode works as follows:
fastpath mode works as follows:
That covers weave's basic information and general structure. Now let's look at a more detailed flow, as follows:
weave requires each container to have two network cards: one connects to the weave bridge to handle L2 traffic, and the other connects to docker0.
- weave-bridge: the bridge created by weave; one end connects to the container and the other end to weave
- docker0: Docker's native network, used for communication between the host and its containers; behind docker0 it is still an iptables NAT implementation
The steps for communication between containers in the above figure are as follows:
- container1 passes traffic through veth1 to the host's weave-bridge
- The WRouter uses pcap to intercept packets, excluding the traffic the kernel forwards directly through the bridge (traffic within this subnet, local container-to-container, and container-to-host). The captured packets are encapsulated by the WRouter into UDP datagrams and transferred to the other hosts
- On the other hosts, the WRouter decapsulates the packet after receiving it, injects it into the bridge interface via pcap, and the bridge then forwards the traffic to the container through its veth
Calico
calico treats the protocol stack of every operating system as a router and regards all containers as terminals connected to that router. The routers run the standard BGP routing protocol between themselves and learn the topology of the network, and hence how to forward, by themselves.
The calico solution is therefore a pure layer-3 solution (no overlay required): layer-3 connectivity on each node guarantees connectivity both between two containers on the same machine and between two containers across hosts. It needs etcd to store network metadata.
The overall structure is as follows:
- Felix: the calico agent, responsible for configuring routes, ACLs (access control), and so on
- etcd: network metadata storage, ensuring a consistent view of the calico network state
- BGP Client (BIRD): mainly responsible for distributing the routing information that Felix writes into the kernel to the rest of the Calico network, ensuring that workloads can communicate with each other
- BGP Route Reflector (BIRD): used in large-scale deployments; it replaces the mesh mode in which all nodes are interconnected with one or more BGP Route Reflectors that perform centralized route distribution
- calico-ipam: mainly used by the kubernetes-cni plug-in; not covered here
Two main programs run on each node. One is Felix: it watches the central etcd store and receives events from it. For example, when the user schedules a container onto this machine and allocates it an IP, Felix sets up the container's network card, IP, and MAC, and then writes an entry into the kernel routing table stating that this IP is reached through this network card. The other is the BGP client, a standard routing program: it learns from the kernel which IP routes have changed and spreads them to all the other hosts through the standard BGP routing protocol, so that the outside world knows this IP lives here and routes here to reach it.
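The end result on each host is an ordinary kernel routing table. The lookup can be sketched as a toy longest-prefix match over illustrative Calico-style routes (the addresses, the cali1a2b3c device name, and the per-node /26 block are all assumptions made for this sketch):

```python
import ipaddress

# Illustrative host routing table after Felix programs the local route and
# BGP learns the remote node's block (not Calico's actual data structures).
routes = [
    (ipaddress.ip_network("10.233.64.2/32"), "dev cali1a2b3c"),    # local container
    (ipaddress.ip_network("10.233.65.0/26"), "via 192.168.1.11"),  # remote node
]

def lookup(dst: str) -> str:
    """Longest-prefix match, as the kernel routing table does."""
    ip = ipaddress.ip_address(dst)
    best = max((net for net, _ in routes if ip in net),
               key=lambda net: net.prefixlen, default=None)
    return dict(routes)[best] if best else "unreachable"

print(lookup("10.233.65.7"))  # -> via 192.168.1.11 (cross-host, pure L3 hop)
print(lookup("10.233.64.2"))  # -> dev cali1a2b3c (delivered to local veth)
```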
Calico network modes:
calico has two network modes, as follows:
- IPinIP: behaves like a basic network bridge, implemented as nothing more than an IP tunnel
- BGP: the Border Gateway Protocol, the core decentralized autonomous routing protocol of the Internet
Calico concludes:
Because it Calico
is a pure three-layer implementation, it can avoid the operation of data packet encapsulation related to the two-layer scheme. There is nothing in the middle NAT
, and there is no any overlay
, so its forwarding efficiency may be the highest among all schemes, because of its The package goes directly to the original TCP/IP协议栈
, and its isolation is also easy to do because of this stack. Because it TCP/IP协议栈
provides a complete set of firewall rules, it can achieve more complex isolation logic through the rules of `IPTABLES.
Summary
The advantages and disadvantages of the three solutions:
Solution | Advantages | Disadvantages
---|---|---
Flannel | 1. Simple and stable 2. No NAT needed 3. Has both an overlay mode and a pure layer-3 mode | 1. No DNS; containers can only be reached by IP 2. Requires etcd 3. Does not support network policy
Weave | 1. Supports access by hostname 2. No NAT needed 3. Peers exchange network information themselves; no external store needed 4. Supports encryption | 1. Overlay network 2. Configuration is more involved; weave connect or weave launch is needed to join the network
Calico | 1. Pure layer 3, no overlay, high forwarding efficiency 2. Supports access by hostname 3. No NAT needed 4. Complete network policy | 1. Requires a store 2. Works at layer 3, so it currently supports only TCP and UDP 3. Has requirements on the underlying network: layer-2 MAC reachability is needed