Docker Calico installation

Step 1: install etcd:

Step 2: download Calico (the calicoctl binary):

sudo wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1.6.3/calicoctl
sudo chmod +x /usr/local/bin/calicoctl

Step 3: write the calico configuration file:

apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
  datastoreType: "etcdv2"
  etcdEndpoints: "http://etcd:2379"

Step 4: run the calico node:

root@Docker003:~# sudo calicoctl node run --node-image=quay.io/calico/node:v2.6.8
sudo: unable to resolve host Docker003
Running command to load modules: modprobe -a xt_set ip6_tables
Enabling IPv4 forwarding
Enabling IPv6 forwarding
Increasing conntrack limit
Removing old calico-node container (if running).
Running the following command to start calico-node:

docker run --net=host --privileged --name=calico-node -d --restart=always -e NODENAME=Docker003 -e CALICO_NETWORKING_BACKEND=bird -e CALICO_LIBNETWORK_ENABLED=true -e ETCD_ENDPOINTS=http://172.16.65.151:2379 -v /var/log/calico:/var/log/calico -v /var/run/calico:/var/run/calico -v /lib/modules:/lib/modules -v /run:/run -v /run/docker/plugins:/run/docker/plugins -v /var/run/docker.sock:/var/run/docker.sock quay.io/calico/node:v2.6.8

Image may take a short time to download if it is not available locally.
Container started, checking progress logs.

2018-03-25 14:40:40.421 [INFO][7] startup.go 173: Early log level set to info
2018-03-25 14:40:40.422 [INFO][7] client.go 202: Loading config from environment
2018-03-25 14:40:40.422 [INFO][7] startup.go 83: Skipping datastore connection test
2018-03-25 14:40:40.424 [INFO][7] startup.go 259: Building new node resource Name="Docker003"
2018-03-25 14:40:40.424 [INFO][7] startup.go 273: Initialise BGP data
2018-03-25 14:40:40.425 [INFO][7] startup.go 467: Using autodetected IPv4 address on interface ens33: 172.16.65.153/24
2018-03-25 14:40:40.425 [INFO][7] startup.go 338: Node IPv4 changed, will check for conflicts
2018-03-25 14:40:40.431 [INFO][7] startup.go 530: No AS number configured on node resource, using global value
2018-03-25 14:40:40.434 [INFO][7] etcd.go 111: Ready flag is already set
2018-03-25 14:40:40.435 [INFO][7] client.go 139: Using previously configured cluster GUID
2018-03-25 14:40:40.450 [INFO][7] compat.go 796: Returning configured node to node mesh
2018-03-25 14:40:40.460 [INFO][7] startup.go 131: Using node name: Docker003
2018-03-25 14:40:40.529 [INFO][14] client.go 202: Loading config from environment
Starting libnetwork service
Calico node started successfully

The calico node runs as a container.

Step 5: check the result:

root@Docker003:~# calicoctl node status
Calico process is running.

IPv4 BGP status
+---------------+-------------------+-------+----------+-------------+
| PEER ADDRESS  |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+---------------+-------------------+-------+----------+-------------+
| 172.16.65.152 | node-to-node mesh | up    | 14:40:44 | Established |
+---------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

Step 6: create a calico network

The calico network created here is synchronised automatically to the other Docker hosts.

root@Docker003:~# docker network create --driver calico --ipam-driver calico-ipam calico_network01
0765e8cf3d7867715783f607d5fc1d8b54ef972ff697960c63aaf532d2900c51
root@Docker003:~# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
d3436c79a405        bridge              bridge              local
0765e8cf3d78        calico_network01    calico              global
5de037f95399        host                host                local
f4305d9ce150        none                null                local

Step 7: run a container

root@Docker003:~# docker run -itd --network calico_network01 --name bbox1 busybox
// calico does not create a bridge on the Docker host
root@Docker003:~# brctl show
bridge name    bridge id        STP enabled    interfaces
docker0        8000.0242c840a49d    no
// one additional calico veth pair has appeared
root@Docker003:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:0f:79:b7 brd ff:ff:ff:ff:ff:ff
    inet 172.16.65.153/24 brd 172.16.65.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe0f:79b7/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:c8:40:a4:9d brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: calia9212856e7c@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 92:3c:80:31:7e:18 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::903c:80ff:fe31:7e18/64 scope link 
       valid_lft forever preferred_lft forever
// the container's network is connected to the Docker host through the calico veth pair
root@Docker003:~# docker exec bbox1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: cali0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.109.128/32 brd 192.168.109.128 scope global cali0
       valid_lft forever preferred_lft forever

Run a container on the other Docker host as well and join it to the same Calico network; the route learned from that host then shows up via bird (BGP):

root@Docker003:~# ip route
default via 172.16.65.2 dev ens33 onlink 
172.16.65.0/24 dev ens33  proto kernel  scope link  src 172.16.65.153 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
192.168.109.128 dev calia9212856e7c  scope link 
blackhole 192.168.109.128/26  proto bird 
192.168.214.64/26 via 172.16.65.152 dev ens33  proto bird
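To see how Docker003 forwards packets without any bridge, here is an added example (not from the original post) that parses the route table above and does a longest-prefix lookup for several destinations; it assumes nothing beyond the six routes shown.

```python
"""Longest-prefix match over the `ip route` table shown above (added example, not
from the original post): a /32 host route onto the container veth, a blackhole for
the rest of the host's /26 pool, and a bird-learned route to the other host's /26."""
import ipaddress

# Copied from the `ip route` output on this page (host Docker003).
ROUTE_TABLE = """\
default via 172.16.65.2 dev ens33 onlink
172.16.65.0/24 dev ens33  proto kernel  scope link  src 172.16.65.153
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown
192.168.109.128 dev calia9212856e7c  scope link
blackhole 192.168.109.128/26  proto bird
192.168.214.64/26 via 172.16.65.152 dev ens33  proto bird
"""
KEYED = {"dev", "via", "proto", "scope", "src", "metric"}  # keywords that take a value

def parse_routes(text):
    """Return one dict per route: network, type and the keyed attributes."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        rtype = "unicast"
        if tokens[0] == "blackhole":
            rtype, tokens = "blackhole", tokens[1:]
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"net": ipaddress.ip_network(prefix), "type": rtype}  # bare host -> /32
        i = 1
        while i < len(tokens):
            if tokens[i] in KEYED and i + 1 < len(tokens):
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1  # bare flags such as onlink / linkdown carry no value
        routes.append(route)
    return routes

ROUTES = parse_routes(ROUTE_TABLE)

def resolve(dst, routes=ROUTES):
    """Pick the most specific matching route, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r["net"]),
               key=lambda r: r["net"].prefixlen, default=None)
    if best is None:
        return "unreachable"
    if best["type"] == "blackhole":  # unallocated local-pool address: dropped, not forwarded
        return "blackhole"
    return f"via {best['via']} dev {best['dev']}" if "via" in best else f"dev {best['dev']}"
```

The blackhole route is what keeps traffic for an address in the local /26 that no container owns from bouncing back out to the default gateway.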

Test connectivity between containers running on different Docker hosts but attached to the same calico network:

root@Docker002:~# docker exec bbox2 ping -c 2 bbox1
PING bbox1 (192.168.109.128): 56 data bytes
64 bytes from 192.168.109.128: seq=0 ttl=62 time=0.447 ms
64 bytes from 192.168.109.128: seq=1 ttl=62 time=1.328 ms

--- bbox1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.447/0.887/1.328 ms

Calico provides DNS service for the containers, which is why bbox1 is reachable by name.

Step 8: configure a policy for calico

Calico's default policy rule is that a container can only communicate with containers in the same calico network.

root@Docker002:~# calicoctl get profile calico_network01 -o yaml
- apiVersion: v1
  kind: profile
  metadata:
    name: calico_network01
    tags:
    - calico_network01
  spec:
    egress:
    - action: allow
      destination: {}
      source: {}
    ingress:
    - action: allow
      destination: {}
      source:
        tag: calico_network01

Write the policy yml file

root@Docker003:~# vim test_ping.yml

- apiVersion: v1
  kind: profile
  metadata:
    name: calico_network02
  spec:
    ingress:
    - action: allow
      protocol: icmp
      source:
        tag: calico_network01
      destination: {}

Apply the policy

root@Docker003:~# calicoctl apply -f test_ping.yml
Successfully applied 1 'profile' resource(s)
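As an added example (not from the original post), the following script models how the default profile printed by `calicoctl get profile` and the test_ping.yml profile above decide ingress, so the effect of the ICMP-only rule can be checked before it is applied to a cluster; the first-match, default-deny semantics and the "endpoint carries its profile's tags" model are a simplification of Calico's, assumed here.

```python
"""Ingress decisions of the two profiles shown above (added example, not from the
original post). Assumed semantics, a simplification of Calico's: rules are checked
in order, the first rule whose selectors all match decides, no match means deny,
and an endpoint carries the tags of its profile (calico_network02 defines none)."""

PROFILES = {  # transcribed from the YAML on this page so no YAML library is needed
    "calico_network01": {  # default profile: any egress, ingress only from same tag
        "tags": ["calico_network01"],
        "egress": [{"action": "allow", "destination": {}, "source": {}}],
        "ingress": [{"action": "allow", "destination": {},
                     "source": {"tag": "calico_network01"}}],
    },
    "calico_network02": {  # test_ping.yml: only ICMP, only from calico_network01
        "ingress": [{"action": "allow", "protocol": "icmp",
                     "source": {"tag": "calico_network01"}, "destination": {}}],
    },
}

def rule_matches(rule, protocol, src_tags, dst_tags):
    """A rule matches when every selector it names is satisfied; {} matches all."""
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    want_src = rule.get("source", {}).get("tag")
    if want_src and want_src not in src_tags:
        return False
    want_dst = rule.get("destination", {}).get("tag")
    return not want_dst or want_dst in dst_tags

def ingress_decision(dst_profile, protocol, src_tags):
    """First matching ingress rule wins; a packet matching no rule is dropped."""
    dst_tags = set(PROFILES[dst_profile].get("tags", []))
    for rule in PROFILES[dst_profile].get("ingress", []):
        if rule_matches(rule, protocol, src_tags, dst_tags):
            return rule["action"]
    return "deny"

def allowed(src_profile, dst_profile, protocol):
    """Can an endpoint in src_profile reach one in dst_profile with this protocol?
    Only the receiver's ingress rules are modelled; Calico also applies the
    sender's egress rules, which allow everything for calico_network01."""
    src_tags = set(PROFILES[src_profile].get("tags", []))
    return ingress_decision(dst_profile, protocol, src_tags) == "allow"

if __name__ == "__main__":
    for src, dst, proto in (("calico_network01", "calico_network01", "tcp"),
                            ("calico_network01", "calico_network02", "icmp"),
                            ("calico_network01", "calico_network02", "tcp"),
                            ("calico_network02", "calico_network01", "icmp")):
        print(f"{src} -> {dst} {proto}: {'allow' if allowed(src, dst, proto) else 'deny'}")
```

Because test_ping.yml declares no tags, containers in calico_network02 match no source-tag rule anywhere, so the policy is one-directional: they can be pinged from calico_network01 but cannot initiate anything back.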