One, multi-host network requirements

Two articles recommended before starting:

http://xelatex.github.io/2015/11/15/Battlefield-Calico-Flannel-Weave-and-Docker-Overlay-Network/
http://mp.weixin.qq.com/s?__biz=mzawmdu1mte1oq==&mid=400983139&idx=1&sn=f033e3dca32ca9f0b7c9779528523e7e&scene=1&srcid=1101jklwco9jnfjdnuum85pg&from=singlemessage&isappinstalled=0#wechat_redirect

In Docker 1.9 the libnetwork team added multi-host networking in the form of an overlay network. However, that feature requires a Linux kernel of 3.16 or above on the host, and many CentOS and Mint systems still run an older kernel. With the rise of SDN and the growing size of cloud platforms, being limited to a single host severely restricts Docker's future, despite its countless advantages over VMs. In fact, multi-host networking was already achievable before Docker 1.9 by other means, such as Open vSwitch (OvS), flannel, Calico, Weave and similar mechanisms. OvS, flannel and Weave all build the overlay on VXLAN underneath (Docker 1.9's own implementation also uses VXLAN); they differ only in how they implement it. OvS is a mature technology with very powerful features, but its configuration is complex, and large-scale deployment, project migration and expansion are a lot of trouble. For the specific differences between flannel, Calico, Weave and Docker 1.9, see the GitHub blog linked above; its author deserves great credit.

Two, Calico introduction

Calico is a pure Layer 3 solution that supports VMs, Docker, Rocket, OpenStack, Kubernetes, or runs directly on physical machines. The official site claims support for tens of thousands of hosts and millions of workloads (containers). Because it works purely at Layer 3, routing with BGP over plain IP, it is easier to debug, supports IPv6, and supports flexible security policy.
For reference, Calico's official performance comparison of Calico against the physical network and OvS: http://www.projectcalico.org/calico-dataplane-performance/. I feel that article somewhat exaggerates Calico's own advantage. My own test results differ from it: TCP does have an absolute advantage on a Calico network, but UDP performance is not outstanding. In non-IPIP mode Calico keeps a small lead, but in IPIP mode it is roughly on par with flannel, or even worse.

Two tutorials on using Calico with Docker:

official: https://github.com/projectcalico/calico-docker/blob/master/docs/getting-started/default-networking/Demonstration.md
a blog: http://xelatex.github.io/2015/09/06/calico-docker/

Three, prepare

1. Two hosts: 10.11.150.72 and 10.11.150.74 (CentOS in my case).
2. The calico-node image, obtainable in two ways: (1) build it yourself from Calico's official GitHub: https://github.com/projectcalico/calico-docker; (2) pull it directly from Docker Hub, though that version may not be the newest: https://hub.docker.com/search/?q=calico&page=1&isautomated=0&isofficial=0&starcount=0&pullcount=0
3. etcd: http://pan.baidu.com/s/1mgiqn4o (version 2.2.1 here).
4. An image that has a ping command; anything simple such as busybox will do. I use the iperf image here.
5. calicoctl: pick a version yourself, preferably the latest, but pay attention to what changed in the release. The newest at the time of writing is 0.12.0: https://github.com/projectcalico/calico-docker/releases

Four, run the etcd cluster

Calico requires an etcd cluster as the key-value store for its own configuration. Run on 10.11.150.72:
#!/bin/sh
export localip=10.11.150.72
export name=calico0
export port1=2381
export port2=2379
export port3=4002
sudo ./etcd -name $name \
  -initial-advertise-peer-urls http://$localip:$port1 \
  -listen-peer-urls http://0.0.0.0:$port1 \
  -listen-client-urls http://0.0.0.0:$port2,http://0.0.0.0:$port3 \
  -advertise-client-urls http://$localip:$port2,http://$localip:$port3 \
  -initial-cluster-token etcd-cluster \
  -initial-cluster calico0=http://$localip:$port1,calico1=http://10.11.150.74:$port1 \
  -initial-cluster-state new &
Note my port and localip settings here. In addition, the value of -initial-cluster must include this node's own -initial-advertise-peer-urls entry, otherwise etcd refuses to start. Note also that the script listens on 0.0.0.0 with no authentication: anyone who can reach port 2379 or 4002 can read and rewrite every Calico profile and endpoint stored in etcd. Restrict these ports to the two hosts with a firewall, or enable etcd's TLS client-certificate authentication.
Then run etcd on 10.11.150.74 with the same script, with localip set to 10.11.150.74 and name set to calico1, so that the two form a cluster. Once both machines have printed the published name and produce no further new output, the etcd cluster is up. Test from this machine:
curl http://127.0.0.1:2379/version
And the other cluster member:
curl http://10.11.150.74:2379/version
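The script above has to be edited by hand on each host (localip, name), which is how the -initial-cluster mismatch noted above happens. The following is an added example, not code from the original post: it derives every member's etcd 2.2 arguments from one shared member list, checks the rule that the member's own peer URL appears in -initial-cluster, and can switch the client ports to TLS with client-certificate authentication so the policy store is not open to the whole network. Member names, IPs and ports are the ones used in the post; the certificate paths in tls mode are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the etcd 2.2 command line
# for one member of the two-node Calico etcd cluster from a shared member list.

CLUSTER="calico0=10.11.150.72 calico1=10.11.150.74"   # name=ip pairs, identical on every host
PEER_PORT=2381
CLIENT_PORT=2379
CLIENT_PORT2=4002

# initial_cluster: the -initial-cluster value, name=http://ip:peer-port for every member.
initial_cluster() {
  acc=""
  for entry in $CLUSTER; do
    acc="${acc}${acc:+,}${entry%%=*}=http://${entry#*=}:${PEER_PORT}"
  done
  printf '%s' "$acc"
}

# member_ip NAME: the IP registered for NAME in CLUSTER; fails if NAME is unknown.
member_ip() {
  for entry in $CLUSTER; do
    if [ "${entry%%=*}" = "$1" ]; then
      printf '%s' "${entry#*=}"
      return 0
    fi
  done
  return 1
}

# etcd_args NAME [plain|tls] [INITIAL_CLUSTER]
# Prints the etcd arguments for member NAME. "tls" switches the client URLs to
# https and adds etcd's client-certificate authentication, because the post's
# script listens on 0.0.0.0 with no authentication while etcd holds every Calico
# profile and endpoint. The optional third argument is a hand-written
# -initial-cluster value; it is checked against the rule from the post: it must
# contain this node's own -initial-advertise-peer-urls entry.
etcd_args() {
  name=$1
  mode=${2:-plain}
  ip=$(member_ip "$name") || { echo "unknown member: $name" >&2; return 1; }
  ic=${3:-$(initial_cluster)}
  case ",$ic," in
    *",${name}=http://${ip}:${PEER_PORT},"*) ;;
    *) echo "own peer url http://${ip}:${PEER_PORT} missing from -initial-cluster" >&2; return 1 ;;
  esac
  if [ "$mode" = tls ]; then
    scheme=https
    # Hypothetical paths: one server cert per host, one CA shared by both hosts.
    auth="-cert-file /etc/etcd/server.crt -key-file /etc/etcd/server.key \
-client-cert-auth -trusted-ca-file /etc/etcd/ca.crt"
  else
    scheme=http
    auth=""
  fi
  printf '%s\n' "-name $name \
-initial-advertise-peer-urls http://$ip:$PEER_PORT \
-listen-peer-urls http://0.0.0.0:$PEER_PORT \
-listen-client-urls $scheme://0.0.0.0:$CLIENT_PORT,$scheme://0.0.0.0:$CLIENT_PORT2 \
-advertise-client-urls $scheme://$ip:$CLIENT_PORT,$scheme://$ip:$CLIENT_PORT2 \
-initial-cluster-token etcd-cluster \
-initial-cluster $ic \
-initial-cluster-state new $auth"
}

# Usage on host 10.11.150.72 (use calico1 on 10.11.150.74):
#   sudo ./etcd $(etcd_args calico0) &
```

In tls mode only the client ports (2379/4002) are protected; peer traffic on 2381 stays plain http, so it still needs a firewall rule limiting it to the two hosts. Note that with TLS client authentication enabled, calicoctl and calico-node must also be given the CA and a client certificate, otherwise they can no longer reach etcd.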
Five, Calico service

On each host, Calico communicates with the other hosts and with the network through a container of its own, the calico-node container, which contains the BIRD BGP routing daemon, the Felix policy agent, and so on. Description: http://www.projectcalico.org/learn/. Run the following on both hosts, where the IP after --ip is that host's own IP:
./calicoctl node --ip=10.11.150.72
After running this on both hosts (with --ip=10.11.150.74 on the second), docker ps shows the calico-node container running.
Next, add the IP pool available to our Calico network (run on either host 72 or 74). --nat-outgoing makes traffic that leaves the pool get masqueraded to the host's address:
./calicoctl pool add 172.1.0.0/ --nat-outgoing
Because my two hosts, 72 and 74, are on the same subnet, no tunnel is needed between them: each host can reach the other's container routes directly at Layer 2. If you go across subnets, across rooms or across the public network, add the --ipip option to the pool; or, if you have permission to modify the BGP configuration of the router, peer the hosts of the two subnets with it over BGP. Keep in mind that an IPIP tunnel carries the container traffic unencrypted, so across a public network it still needs a VPN or similar protection.
Six, start the containers

Create two containers on host 72:
docker run --net=none --name worker-1 -tid iperf
docker run --net=none --name worker-2 -tid iperf
Two more on host 74:
docker run --net=none --name worker-3 -tid iperf
docker run --net=none --name worker-4 -tid iperf
Register a separate IP for each container in Calico (on the host where the container runs):
./calicoctl container add worker-1 172.1.0.1
./calicoctl container add worker-2 172.1.0.2
./calicoctl container add worker-3 172.1.0.3
./calicoctl container add worker-4 172.1.0.4
Calico controls ACLs through profiles; this is also how it implements its security policy. A freshly created profile carries default rules that allow traffic between endpoints in the same profile and block inbound traffic from elsewhere.

Add two profiles (on either 72 or 74):
./calicoctl profile add prof_1
./calicoctl profile add prof_2

Attach a profile to each container:
./calicoctl container worker-1 profile append prof_1
./calicoctl container worker-2 profile append prof_1
./calicoctl container worker-3 profile append prof_1
./calicoctl container worker-4 profile append prof_2

Now worker-1, worker-2 and worker-3 are in the same profile, and worker-4 is alone in prof_2.
Seven, test it

Test that worker-1 and worker-3, which share a profile, can reach each other:
docker exec worker-1 ping -c 4 172.1.0.3
Test that worker-1 and worker-4, which are not in the same profile, cannot:
docker exec worker-1 ping -c 4 172.1.0.4
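The two pings above check one allowed pair and one forbidden pair. The following is an added example, not code from the original post: it checks every ordered pair of workers against the policy (reachable exactly when both carry the same profile) and counts mismatches, so a forbidden pair that turns out to be open, the dangerous failure mode, is caught too. Worker names, IPs, profiles and hosts are the ones set up in the post; it assumes passwordless ssh to both hosts as a user allowed to run docker, and the ICMP check only covers ping (replace the probe with an iperf connection to exercise TCP or UDP).

```shell
#!/bin/sh
# Added example, not from the original post: verify that the Calico profiles
# isolate the workers as intended, for every ordered pair.

# Constructed to match the post: name, Calico IP, profile, host that runs it.
WORKERS="worker-1 172.1.0.1 prof_1 10.11.150.72
worker-2 172.1.0.2 prof_1 10.11.150.72
worker-3 172.1.0.3 prof_1 10.11.150.74
worker-4 172.1.0.4 prof_2 10.11.150.74"

field() {  # field NAME N: column N of NAME's row in WORKERS
  printf '%s\n' "$WORKERS" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'
}
ip_of()      { field "$1" 2; }
profile_of() { field "$1" 3; }
host_of()    { field "$1" 4; }
NAMES=$(printf '%s\n' "$WORKERS" | awk '{ print $1 }')

# probe SRC DST_IP: exit 0 if SRC can ping DST_IP. The real observation runs
# docker exec on SRC's host over ssh (assumed reachable without a password);
# a test can redefine this function with a fake table.
probe() {
  ssh "$(host_of "$1")" docker exec "$1" ping -c 2 -W 2 "$2" >/dev/null 2>&1
}

# expected PROFILE_A PROFILE_B: "open" when both share a profile, else "blocked".
expected() {
  if [ "$1" = "$2" ]; then printf open; else printf blocked; fi
}

# check_policy: prints one line per ordered pair and returns the number of pairs
# whose observed reachability differs from the profile policy (0 = as intended).
check_policy() {
  mismatches=0
  for src in $NAMES; do
    for dst in $NAMES; do
      [ "$src" = "$dst" ] && continue
      want=$(expected "$(profile_of "$src")" "$(profile_of "$dst")")
      if probe "$src" "$(ip_of "$dst")"; then got=open; else got=blocked; fi
      if [ "$want" = "$got" ]; then
        status=OK
      else
        status=MISMATCH
        mismatches=$((mismatches + 1))
      fi
      echo "$src -> $dst ($(ip_of "$dst")) expected=$want observed=$got $status"
    done
  done
  return $mismatches
}

# Usage, after the containers and profiles from the post exist:
#   check_policy || echo "policy violated for $? pair(s)"
```

Run it again after every profile or pool change; a MISMATCH line where the expected value is "blocked" means a container can be reached by a peer the policy was supposed to exclude.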
Eight, performance test

Use common tools such as iperf, qperf, scp and ping.

Nine, Calico defects

Quoted directly from http://xelatex.github.io/2015/09/06/calico-docker/:
- Calico only supports the TCP, UDP, ICMP and ICMPv6 protocols. If you want to use other L4 protocols, you need to choose flannel, Weave or the Docker overlay network.
- Calico doesn't have an encrypted data path. It's not safe to build an overlay network with Calico over an untrusted network.
- The performance of Calico with the IP-over-IP option is quite bad, while the --ipip option is a must in a public data center connected by an IP network. (Or connect the two hosts through the BGP protocol.)
- No IP overlap support. Though the Calico community is developing an experimental feature that puts overlapping IPv4 packets into IPv6 packets, it is only an auxiliary solution and doesn't fully support IP overlap technically.
Building Calico in Docker