本文深入探讨了Weave的工作原理,详细解析如何借助Weave实现在Docker容器间进行跨主机通信,并对Weave进行了优化思考。
Weave github:
https://github.com/weaveworks/weave
关于weave原理的描述:
Weave creates a network bridge on the host. Each container is connected to that bridge via a veth pair, the container side of which is given the IP address & netmask supplied in ‘weave run’. Also connected to the bridge is the weave router container.
A weave router captures Ethernet packets from its bridge-connected interface in promiscuous mode, using ‘pcap’. This typically excludes traffic between local containers, and between the host and local containers, all of which is routed straight over the bridge by the kernel. Captured packets are forwarded over UDP to weave router peers running on other hosts. On receipt of such a packet, a router injects the packet on its bridge interface using ‘pcap’ and/or forwards the packet to peers.
Weave routers learn which peer host a particular MAC address resides on. They combine this knowledge with topology information in order to make routing decisions and thus avoid forwarding every packet to every peer. The topology information captures which peers are connected to which other peers; weave can route packets in partially connected networks with changing topology.
Weave routers establish TCP connections to each other, over which they perform a protocol handshake and subsequently exchange topology information. These connections are encrypted if so configured. Peers also establish UDP “connections”, possibly encrypted, for the aforementioned packet forwarding. These “connections” are duplex and can traverse firewalls.
如上图所示,在每一个部署Docker的主机(可能是物理机也可能是虚拟机)上都部署有一个W(即Weave router,它本身也可以以一个容器的形式部署)。Weave网络是由这些weave routers组成的对等端点(peer)构成,每个对等的一端都有自己的名字,其中包括一个可读性好的名字用于表示状态和日志的输出,一个唯一标识符用于运行中相互区别,即使重启Docker主机名字也保持不变,这些名字默认是mac地址。
每个部署了Weave router的主机都需要将TCP和UDP的6783端口的防火墙设置打 开,保证Weave router之间控制面流量和数据面流量的通过。控制面由weave routers之间建立的TCP连接构成,通过它进行握手和拓扑关系信息的交换通信。 这个通信可以被配置为加密通信。而数据面由Weave routers之间建立的UDP连接构成,这些连接大部分都会加密。这些连接都是全双工的,并且可以穿越防火墙。
Weave创建一个网桥,并且在网桥和每个容器之间创建一个veth对,Weave run的时候就可以给每个veth的容器端分配一个ip和相应的掩码。veth的网桥这端就是Weave router容器,并在Weave launch的时候分配好ip和掩码。
说的详细一点就是:Weave router在混杂模式下使用pcap在网桥上截获网络数 据包,他排除由内核直接通过网桥转发的数据流量,例如本子网内部本地容器之间的数据以及宿主机和本地容器之间的流量。捕获的包通过UDP转发到所其他主机的weave router端,在接收端,router通过pcap将包注入到网桥上的接口,通过网桥的接口转发这些包到对应的veth的容器端。
Weave会在主机上创建一个bridge,每一个容器通过veth pair连接到该bridge上,同时bridge上有个Weave router的容器与之连接,该router会通过连接在bridge上的接口来抓取网络包(该接口工作在Promiscuous模式),使用的工具为pcap。
模块间的关系:
数据通道:
它在每个容器会起两个网卡,一个网卡连着自己起的可以跟其他宿主机联通的网桥;另一个网卡绑在原生Docker的一个网桥上,并在这个网桥上监听一个DNS的服务,这个DNS实际上嵌在Router里面,即它可以从Router里学习到一些服务的后端的一些配置。所以这时容器如果发起DNS查询,实际上会被路由导到宿主机上,DNS Server上,然后DNS server做一些响应。
Weave优点
1)支持主机间通信加密;
2)支持container动态加入或者剥离网络;
3)支持跨主机多子网通信。
缺点
1)不支持服务发现,主机不能动态加入节点网络;
2)只能通过weave launch或者weave connect加入weave网络。
新推出的weave plugin可以对接libnetwork remote driver,可以与docker更好的整合。
关于weave原理的描述:
Weave creates a network bridge on the host. Each container is connected to that bridge via a veth pair, the container side of which is given the IP address & netmask supplied in ‘weave run’. Also connected to the bridge is the weave router container.
A weave router captures Ethernet packets from its bridge-connected interface in promiscuous mode, using ‘pcap’. This typically excludes traffic between local containers, and between the host and local containers, all of which is routed straight over the bridge by the kernel. Captured packets are forwarded over UDP to weave router peers running on other hosts. On receipt of such a packet, a router injects the packet on its bridge interface using ‘pcap’ and/or forwards the packet to peers.
Weave routers learn which peer host a particular MAC address resides on. They combine this knowledge with topology information in order to make routing decisions and thus avoid forwarding every packet to every peer. The topology information captures which peers are connected to which other peers; weave can route packets in partially connected networks with changing topology.
Weave routers establish TCP connections to each other, over which they perform a protocol handshake and subsequently exchange topology information. These connections are encrypted if so configured. Peers also establish UDP “connections”, possibly encrypted, for the aforementioned packet forwarding. These “connections” are duplex and can traverse firewalls.
如上图所示,在每一个部署Docker的主机(可能是物理机也可能是虚拟机)上都部署有一个W(即Weave router,它本身也可以以一个容器的形式部署)。Weave网络是由这些weave routers组成的对等端点(peer)构成,每个对等的一端都有自己的名字,其中包括一个可读性好的名字用于表示状态和日志的输出,一个唯一标识符用于运行中相互区别,即使重启Docker主机名字也保持不变,这些名字默认是mac地址。
每个部署了Weave router的主机都需要将TCP和UDP的6783端口的防火墙设置打 开,保证Weave router之间控制面流量和数据面流量的通过。控制面由weave routers之间建立的TCP连接构成,通过它进行握手和拓扑关系信息的交换通信。 这个通信可以被配置为加密通信。而数据面由Weave routers之间建立的UDP连接构成,这些连接大部分都会加密。这些连接都是全双工的,并且可以穿越防火墙。
Weave创建一个网桥,并且在网桥和每个容器之间创建一个veth对,Weave run的时候就可以给每个veth的容器端分配一个ip和相应的掩码。veth的网桥这端就是Weave router容器,并在Weave launch的时候分配好ip和掩码。
说的详细一点就是:Weave router在混杂模式下使用pcap在网桥上截获网络数 据包,他排除由内核直接通过网桥转发的数据流量,例如本子网内部本地容器之间的数据以及宿主机和本地容器之间的流量。捕获的包通过UDP转发到所其他主机的weave router端,在接收端,router通过pcap将包注入到网桥上的接口,通过网桥的接口转发这些包到对应的veth的容器端。
- weave 原理
Weave会在主机上创建一个bridge,每一个容器通过veth pair连接到该bridge上,同时bridge上有个Weave router的容器与之连接,该router会通过连接在bridge上的接口来抓取网络包(该接口工作在Promiscuous模式),使用的工具为pcap。
模块间的关系:
它在每个容器会起两个网卡,一个网卡连着自己起的可以跟其他宿主机联通的网桥;另一个网卡绑在原生Docker的一个网桥上,并在这个网桥上监听一个DNS的服务,这个DNS实际上嵌在Router里面,即它可以从Router里学习到一些服务的后端的一些配置。所以这时容器如果发起DNS查询,实际上会被路由导到宿主机上,DNS Server上,然后DNS server做一些响应。
Weave优点
1)支持主机间通信加密;
2)支持container动态加入或者剥离网络;
3)支持跨主机多子网通信。
缺点
1)不支持服务发现,主机不能动态加入节点网络;
2)只能通过weave launch或者weave connect加入weave网络。
新推出的weave plugin可以对接libnetwork remote driver,可以与docker更好的整合。
最低0.47元/天 解锁文章
扫一扫
1013
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
