A simple demo simulating communication over an IPIP tunnel
Server 1 (assume its IP is 192.168.1.1)
Server 2 (assume its IP is 192.168.1.2)
- Enable IP forwarding
Enable IP forwarding on both servers:
echo 1 > /proc/sys/net/ipv4/ip_forward
To enable IP forwarding permanently, edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Apply the change:
sysctl -p
- Configure the IPIP tunnel
Configure the IPIP tunnel on both servers:
Server 1 configuration (192.168.1.1)
Create the IPIP tunnel interface:
ip tunnel add ipip1 mode ipip remote 192.168.1.2 local 192.168.1.1 dev eth0
ip addr add 10.0.0.1/24 dev ipip1
ip link set ipip1 up
Add a route so that traffic is forwarded through the IPIP tunnel (the kernel already installs the connected route for 10.0.0.0/24 once the address is assigned and the link is up, so this command may report that the route exists; that is harmless):
ip route add 10.0.0.0/24 dev ipip1
Server 2 configuration (192.168.1.2)
Create the IPIP tunnel interface:
ip tunnel add ipip1 mode ipip remote 192.168.1.1 local 192.168.1.2 dev eth0
ip addr add 10.0.0.2/24 dev ipip1
ip link set ipip1 up
Add a route so that traffic is forwarded through the IPIP tunnel:
ip route add 10.0.0.0/24 dev ipip1
- Verify the IPIP tunnel
Verify connectivity over the IPIP tunnel from both servers:
From server 1, ping server 2:
ping 10.0.0.2
From server 2, ping server 1:
ping 10.0.0.1
Calico IPIP
IPIP mode is Calico's default network architecture. It is also an overlay network, but it is more lightweight than the more widely used VXLAN overlay mode. IP-in-IP wraps one IP packet inside another IP packet, that is, a tunnel that encapsulates the IP layer inside the IP layer; its effect is essentially that of a bridge operating at the IP layer. An ordinary bridge works at the MAC layer and does not need IP at all, whereas IPIP uses routing at both ends to form a tunnel, joining two otherwise unreachable networks over a point-to-point link.
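To make the encapsulation concrete, here is an added example (not code from the original post or from Calico) that builds an IP-in-IP packet the way tunl0 does, decodes it into the outer/inner form that the eth0 capture later in this post shows, and explains the mtu 1480 seen on the tunnel devices. The addresses are the node and pod IPs from this post; the ICMP payload is a constructed placeholder.

```python
import socket
import struct

IPPROTO_IPIP = 4   # outer header protocol number for IP-in-IP
IP_HDR_LEN = 20    # bytes added by one option-less IPv4 header
ETH_MTU = 1500

def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Option-less IPv4 header (TTL 64, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ipip_encapsulate(outer_src, outer_dst, inner_src, inner_dst, inner_proto, payload):
    """What tunl0 does on egress: the whole inner packet becomes the outer payload."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, header_len); reject a header with a bad checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < IP_HDR_LEN or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], ihl)

def describe_capture(pkt: bytes) -> str:
    """Render a frame the way tcpdump on eth0 shows it: outer pair, then the inner pair."""
    o_src, o_dst, o_proto, o_ihl = parse_ipv4(pkt)
    if o_proto != IPPROTO_IPIP:
        return f"{o_src} > {o_dst}"
    i_src, i_dst, _, _ = parse_ipv4(pkt[o_ihl:])
    return f"{o_src} > {o_dst}: IP {i_src} > {i_dst}"

def tunnel_mtu(link_mtu: int = ETH_MTU) -> int:
    """Why tunl0 and the pod's eth0 report mtu 1480: one extra IPv4 header per packet."""
    return link_mtu - IP_HDR_LEN

# Constructed sample: pod on node1 pings pod on node2 (ICMP is protocol 1).
PKT = ipip_encapsulate("7.7.250.91", "7.7.250.207",
                       "10.244.103.93", "10.244.232.180", 1, b"\x08\x00" + b"\x00" * 6)
```

Because the inner packet is carried as plain payload, anything that can read the node network sees the pod addresses too; IPIP adds no confidentiality, only reachability.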
Instance information

| Host | Container | IP |
|---|---|---|
| node01 7.7.250.91 | tcpdump1-6b94c59cb4-khtbb | 10.244.103.93 |
| node02 7.7.250.207 | tcpdump1-6b94c59cb4-khtbb | 10.244.232.180 |
Node network structure
1. Pod network
Enter the container with kubectl exec -it tcpdump1-6b94c59cb4-khtbb -- ip a and inspect the network inside the container:
root@k8s-new-master:~/jin# kubectl exec -it tcpdump1-6b94c59cb4-khtbb -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if1694: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1480 qdisc noqueue state UP
link/ether de:9a:ba:1c:2b:60 brd ff:ff:ff:ff:ff:ff
inet 10.244.103.93/32 scope global eth0
valid_lft forever preferred_lft forever
2. Node network
Running ip a on the node shows the following
eth0 NIC
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether fa:16:3e:55:db:0f brd ff:ff:ff:ff:ff:ff
inet 7.7.250.91/24 brd 7.7.250.255 scope global dynamic eth0
valid_lft 80801sec preferred_lft 80801sec
inet6 fe80::f816:3eff:fe55:db0f/64 scope link
valid_lft forever preferred_lft forever
tunl0 NIC
5: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
inet 10.244.103.64/32 scope global tunl0
valid_lft forever preferred_lft forever
The calif118cc83606 NIC with interface index 1694
1694: calif118cc83606@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 21
inet6 fe80::ecee:eeff:feee:eeee/64 scope link
valid_lft forever preferred_lft forever
Besides eth0, the node has tunl0 and calif118cc83606@if4. tunl0 is the name of Calico's tunnel device in IPIP mode. Note that calif118cc83606@if4 has interface index 1694. Let's go back to pod1 and look at ip a inside pod1 again.
root@k8s-new-master:~/jin# kubectl exec -it tcpdump1-6b94c59cb4-khtbb -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if1694: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1480 qdisc noqueue state UP
link/ether de:9a:ba:1c:2b:60 brd ff:ff:ff:ff:ff:ff
inet 10.244.103.93/32 scope global eth0
valid_lft forever preferred_lft forever
eth0@if1694: the peer index of eth0 here is also 1694. This device is one end of a veth pair: when K8s creates a Pod, it creates a veth pair, one end of which is the Pod's NIC and the other end is the calif118cc83606@if4 we saw on the node.
node2 has the same network structure as node1, so it is not repeated here. Next, let's look at the routing tables on the nodes.
node1
root@k8s-node-cpu-1:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 7.7.250.1 0.0.0.0 UG 100 0 0 eth0
7.7.250.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.244.54.64 7.7.250.112 255.255.255.192 UG 0 0 0 tunl0
10.244.103.64 0.0.0.0 255.255.255.192 U 0 0 0 *
10.244.103.76 0.0.0.0 255.255.255.255 UH 0 0 0 cali28b497ab82c
10.244.103.87 0.0.0.0 255.255.255.255 UH 0 0 0 cali98ef874e28b
10.244.103.91 0.0.0.0 255.255.255.255 UH 0 0 0 cali63d9a5db526
10.244.103.93 0.0.0.0 255.255.255.255 UH 0 0 0 calif118cc83606
10.244.103.108 0.0.0.0 255.255.255.255 UH 0 0 0 cali727b4dbb755
10.244.103.111 0.0.0.0 255.255.255.255 UH 0 0 0 calib9e39c47403
10.244.103.112 0.0.0.0 255.255.255.255 UH 0 0 0 calib41209c5fbf
10.244.103.113 0.0.0.0 255.255.255.255 UH 0 0 0 cali56756115774
10.244.103.115 0.0.0.0 255.255.255.255 UH 0 0 0 cali686493f32f5
10.244.103.116 0.0.0.0 255.255.255.255 UH 0 0 0 calib887b40925e
10.244.103.118 0.0.0.0 255.255.255.255 UH 0 0 0 cali2800bb83c8d
10.244.103.119 0.0.0.0 255.255.255.255 UH 0 0 0 cali3d3cdd474b2
10.244.103.120 0.0.0.0 255.255.255.255 UH 0 0 0 cali9db0936d821
10.244.103.121 0.0.0.0 255.255.255.255 UH 0 0 0 cali7276057dd49
10.244.103.122 0.0.0.0 255.255.255.255 UH 0 0 0 cali29f515035f9
10.244.103.123 0.0.0.0 255.255.255.255 UH 0 0 0 cali0b51b9ea0fe
10.244.119.0 7.7.250.56 255.255.255.192 UG 0 0 0 tunl0
10.244.132.128 7.7.250.99 255.255.255.192 UG 0 0 0 tunl0
10.244.154.192 7.7.250.140 255.255.255.192 UG 0 0 0 tunl0
10.244.162.0 7.7.250.154 255.255.255.192 UG 0 0 0 tunl0
10.244.206.128 7.7.250.216 255.255.255.192 UG 0 0 0 tunl0
10.244.232.128 7.7.250.207 255.255.255.192 UG 0 0 0 tunl0
10.244.248.128 7.7.250.133 255.255.255.192 UG 0 0 0 tunl0
10.244.252.64 7.7.250.173 255.255.255.192 UG 0 0 0 tunl0
169.254.169.254 7.7.250.10 255.255.255.255 UGH 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
node2
root@k8s-node-cpu-2:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 7.7.250.1 0.0.0.0 UG 100 0 0 eth0
7.7.250.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.244.54.64 7.7.250.112 255.255.255.192 UG 0 0 0 tunl0
10.244.103.64 7.7.250.91 255.255.255.192 UG 0 0 0 tunl0
10.244.119.0 7.7.250.56 255.255.255.192 UG 0 0 0 tunl0
10.244.132.128 7.7.250.99 255.255.255.192 UG 0 0 0 tunl0
10.244.154.192 7.7.250.140 255.255.255.192 UG 0 0 0 tunl0
10.244.162.0 7.7.250.154 255.255.255.192 UG 0 0 0 tunl0
10.244.206.128 7.7.250.216 255.255.255.192 UG 0 0 0 tunl0
10.244.232.128 0.0.0.0 255.255.255.192 U 0 0 0 *
10.244.232.129 0.0.0.0 255.255.255.255 UH 0 0 0 cali791ba3ae326
10.244.232.131 0.0.0.0 255.255.255.255 UH 0 0 0 caliabd8e32ae9b
10.244.232.134 0.0.0.0 255.255.255.255 UH 0 0 0 cali1a871390354
10.244.232.136 0.0.0.0 255.255.255.255 UH 0 0 0 cali2902dace78d
10.244.232.137 0.0.0.0 255.255.255.255 UH 0 0 0 calid3549ba9763
10.244.232.140 0.0.0.0 255.255.255.255 UH 0 0 0 calid75abf4f5e0
10.244.232.145 0.0.0.0 255.255.255.255 UH 0 0 0 cali2448ba71d7b
10.244.232.159 0.0.0.0 255.255.255.255 UH 0 0 0 cali00c062a9b0f
10.244.232.161 0.0.0.0 255.255.255.255 UH 0 0 0 cali8ee22f188ce
10.244.232.162 0.0.0.0 255.255.255.255 UH 0 0 0 cali6bc7c9b388a
10.244.232.163 0.0.0.0 255.255.255.255 UH 0 0 0 cali767b53297be
10.244.232.167 0.0.0.0 255.255.255.255 UH 0 0 0 calid244a185e38
10.244.232.173 0.0.0.0 255.255.255.255 UH 0 0 0 cali2904ebea0d8
10.244.232.177 0.0.0.0 255.255.255.255 UH 0 0 0 cali113cc1d4e7a
10.244.232.179 0.0.0.0 255.255.255.255 UH 0 0 0 cali10092744c78
10.244.232.180 0.0.0.0 255.255.255.255 UH 0 0 0 cali761e373fe81
10.244.248.128 7.7.250.133 255.255.255.192 UG 0 0 0 tunl0
10.244.252.64 7.7.250.173 255.255.255.192 UG 0 0 0 tunl0
169.254.169.254 7.7.250.10 255.255.255.255 UGH 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
Combining the information above, we obtain the following topology
Working through the routing rules
As shown in the figure above,
1. eth0 in pod1 (veth0 in the figure) and calif118cc83606 form a veth pair, so the IP traffic received on calif118cc83606 is the same as that on veth0.
2. Looking at node1's routing table, there is an entry for 10.244.232.128/255.255.255.192 that goes out via tunl0 with 7.7.250.207 as the gateway, i.e. toward node2; 7.7.250.207 is exactly the address of node2's eth0.
3. An IP packet that passes through tunl0 is wrapped in an additional IP header. Node1's routing rules then send it out via eth0, so the capture on eth0 shows:
7.7.250.91> 7.7.250.207: IP 10.244.103.93> 10.244.232.180
node1
Destination Gateway Genmask Flags Metric Ref Use Iface
10.244.232.128 7.7.250.207 255.255.255.192 UG 0 0 0 tunl0
0.0.0.0 7.7.250.1 0.0.0.0 UG 100 0 0 eth0
10.244.103.93 0.0.0.0 255.255.255.255 UH 0 0 0 calif118cc83606
node2's routing table has roughly the same structure as node1's; it is shown here without further discussion.
node2
Destination Gateway Genmask Flags Metric Ref Use Iface
10.244.103.64 7.7.250.91 255.255.255.192 UG 0 0 0 tunl0
0.0.0.0 7.7.250.1 0.0.0.0 UG 100 0 0 eth0
10.244.232.180 0.0.0.0 255.255.255.255 UH 0 0 0 cali761e373fe81
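The routing walk-through above can be reproduced with a longest-prefix-match over the route entries quoted from node1 and node2. This is an added example, not code from the original post or from Calico; the route tuples are copied from the route -n excerpts, and the node2 step assumes the outer header has already been stripped on tunl0.

```python
import ipaddress

# (destination, genmask, gateway, iface) copied from the route -n excerpts above
NODE1_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "7.7.250.1", "eth0"),
    ("7.7.250.0", "255.255.255.0", "0.0.0.0", "eth0"),
    ("10.244.232.128", "255.255.255.192", "7.7.250.207", "tunl0"),
    ("10.244.103.93", "255.255.255.255", "0.0.0.0", "calif118cc83606"),
]
NODE2_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "7.7.250.1", "eth0"),
    ("7.7.250.0", "255.255.255.0", "0.0.0.0", "eth0"),
    ("10.244.103.64", "255.255.255.192", "7.7.250.91", "tunl0"),
    ("10.244.232.180", "255.255.255.255", "0.0.0.0", "cali761e373fe81"),
]

def lookup(routes, dst):
    """Kernel-style longest-prefix match; returns (iface, gateway or None if on-link)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw, iface in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], (None if best[1] == "0.0.0.0" else best[1])

def trace_pod_to_pod(dst_pod):
    """Hops for a packet leaving pod1 on node1 toward dst_pod on node2.

    Each hop is (node, address looked up, iface, gateway)."""
    hops = []
    iface, gw = lookup(NODE1_ROUTES, dst_pod)
    hops.append(("node1", dst_pod, iface, gw))
    if iface == "tunl0":
        # tunl0 adds an outer IPv4 header whose destination is the gateway; that
        # outer packet is routed again on node1, which is how it ends up on eth0
        hops.append(("node1", gw) + lookup(NODE1_ROUTES, gw))
    # node2 strips the outer header on tunl0 and routes the inner packet: the /32
    # host route delivers it straight to the pod's veth peer, no bridge involved
    hops.append(("node2", dst_pod) + lookup(NODE2_ROUTES, dst_pod))
    return hops
```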
Summary
1. In IPIP mode, Pod-to-Pod traffic between nodes is tunnel-encapsulated with IPIP as the IP packet leaves the node.
2. Pod IPs are allocated from the IP address pool configured by calico-node; docker0 no longer plays any role in assigning Pod IPs in Kubernetes.