weave网络隔离
默认情况下weave使用一个大的subnet,所有主机的容器都从这个地址空间中分配IP,因为同属一个subnet,容器可以直接通信。
如要实现网络隔离,可以通过环境变量 WEAVE_CIDR 为容器分配不同的subnet的IP
除了分配特定的subnet,还可以直接为容器指定IP地址 -e WEAVE_CIDR=net:10.32.2.9/24
root@host2:~# docker run -itd --name bbox4 -e WEAVE_CIDR=net:10.32.2.0/24 busybox
d791e8c55df9b1df37cf822d288034c8f6c988026995fc0fca0396c02d26124e
root@host2:~# docker exec bbox4 ip r
default via 10.2.44.1 dev eth0
10.2.44.0/24 dev eth0 scope link src 10.2.44.3
10.32.2.0/24 dev ethwe scope link src 10.32.2.128
224.0.0.0/4 dev ethwe scope link
root@host2:~# docker exec bbox4 ping -c 2 bbox3
PING bbox3 (10.44.0.0): 56 data bytes
--- bbox3 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host2:~# docker exec bbox4 ping -c 2 bbox2
PING bbox2 (10.32.0.2): 56 data bytes
--- bbox2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host2:~# docker exec bbox4 ping -c 2 bbox1
PING bbox1 (10.32.0.1): 56 data bytes
--- bbox1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
065、容器在Weave中如何通信和隔离?(2019-04-08 周一)
参考https://www.cnblogs.com/CloudMan6/p/7491831.html
在host2上执行如下命令:
weave launch host1_ip
必须在host2上指定host1的IP地址,这样host1和host2才能加入到同一个weave网络
然后在host2上运行容器 bbox3
eval $(weave env)
docker run --name bbox3 -itd busybox
进行weave网络下的跨主机通信测试
root@host2:~# weave launch 10.12.31.211
991ca22eb2ef47a48d64d5fbcad293756b47a4ff9fa54d4e54bed69f5fb691ba
root@host2:~# eval $(weave env)
root@host2:~# docker network ls
NETWORK ID NAME DRIVER SCOPE
19f77dcbd2e8 bridge bridge local
cf4c89650a1f host host local
39f1aab9f5b8 mac_net1 macvlan local
a90d23d941a9 mac_net10 macvlan local
d73128405403 mac_net20 macvlan local
2f7d79e0114d none null local
186591b0bb3c weave weavemesh local
root@host2:~# docker network inspect weave
[
{
"Name": "weave",
"Id": "186591b0bb3c0dca2062f736eb70126237ced4fee9de259561b7034c9a78e6b1",
"Created": "2019-04-08T14:49:03.190599122+08:00",
"Scope": "local",
"Driver": "weavemesh",
"EnableIPv6": false,
"IPAM": {
"Driver": "weavemesh",
"Options": null,
"Config": [
{
"Subnet": "10.32.0.0/12"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"works.weave.multicast": "true"
},
"Labels": {}
}
]
root@host2:~# docker run -itd --name bbox3 busybox
5df354fedabaac606215513a7d3fd6d1f76e7be61bcfc36dfbdcf4c25be689fd
root@host2:~# docker exec bbox3 ip r
default via 10.2.44.1 dev eth0
10.2.44.0/24 dev eth0 scope link src 10.2.44.2
10.32.0.0/12 dev ethwe scope link src 10.44.0.0
224.0.0.0/4 dev ethwe scope link
root@host2:~# docker exec bbox3 ping -c 2 bbox1
PING bbox1 (10.32.0.1): 56 data bytes
64 bytes from 10.32.0.1: seq=0 ttl=64 time=1.435 ms
64 bytes from 10.32.0.1: seq=1 ttl=64 time=0.422 ms
--- bbox1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.422/0.928/1.435 ms
root@host2:~# docker exec bbox3 ping -c 2 bbox2
PING bbox2 (10.32.0.2): 56 data bytes
64 bytes from 10.32.0.2: seq=0 ttl=64 time=1.616 ms
64 bytes from 10.32.0.2: seq=1 ttl=64 time=0.551 ms
--- bbox2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.551/1.083/1.616 ms
bbox1、bbox2、bbox3 的IP分别为 10.32.0.1/12 、10.32.0.2/12 、10.44.0.0/12 。这三个IP属于同一个subnet 10.32.0.0/12 。通过host1和host2之间的 vxlan隧道,三个容器逻辑上是在同一个lan中,所以就可以直接通信了。下面是bbox3 ping bbox1 的数据流向
weave网络隔离
默认情况下weave使用一个大的subnet,所有主机的容器都从这个地址空间中分配IP,因为同属一个subnet,容器可以直接通信。
如要实现网络隔离,可以通过环境变量 WEAVE_CIDR 为容器分配不同的subnet的IP
除了分配特定的subnet,还可以直接为容器指定IP地址 -e WEAVE_CIDR=net:10.32.2.9/24
root@host2:~# docker run -itd --name bbox4 -e WEAVE_CIDR=net:10.32.2.0/24 busybox
d791e8c55df9b1df37cf822d288034c8f6c988026995fc0fca0396c02d26124e
root@host2:~# docker exec bbox4 ip r
default via 10.2.44.1 dev eth0
10.2.44.0/24 dev eth0 scope link src 10.2.44.3
10.32.2.0/24 dev ethwe scope link src 10.32.2.128
224.0.0.0/4 dev ethwe scope link
root@host2:~# docker exec bbox4 ping -c 2 bbox3
PING bbox3 (10.44.0.0): 56 data bytes
--- bbox3 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host2:~# docker exec bbox4 ping -c 2 bbox2
PING bbox2 (10.32.0.2): 56 data bytes
--- bbox2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host2:~# docker exec bbox4 ping -c 2 bbox1
PING bbox1 (10.32.0.1): 56 data bytes
--- bbox1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
weave网络隔离
默认情况下weave使用一个大的subnet,所有主机的容器都从这个地址空间中分配IP,因为同属一个subnet,容器可以直接通信。
如要实现网络隔离,可以通过环境变量 WEAVE_CIDR 为容器分配不同的subnet的IP
除了分配特定的subnet,还可以直接为容器指定IP地址 -e WEAVE_CIDR=net:10.32.2.9/24
root@host2:~# docker run -itd --name bbox4 -e WEAVE_CIDR=net:10.32.2.0/24 busybox
d791e8c55df9b1df37cf822d288034c8f6c988026995fc0fca0396c02d26124e
root@host2:~# docker exec bbox4 ip r
default via 10.2.44.1 dev eth0
10.2.44.0/24 dev eth0 scope link src 10.2.44.3
10.32.2.0/24 dev ethwe scope link src 10.32.2.128
224.0.0.0/4 dev ethwe scope link
root@host2:~# docker exec bbox4 ping -c 2 bbox3
PING bbox3 (10.44.0.0): 56 data bytes
--- bbox3 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host2:~# docker exec bbox4 ping -c 2 bbox2
PING bbox2 (10.32.0.2): 56 data bytes
--- bbox2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host2:~# docker exec bbox4 ping -c 2 bbox1
PING bbox1 (10.32.0.1): 56 data bytes
--- bbox1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss