前面介绍了Docker管理工具-Swarm部署记录,下面重点说下Swarm基于多主机容器通信的覆盖网络
在Docker版本1.12之后swarm模式原生支持覆盖网络(overlaynetworks),可以先创建一个覆盖网络,然后启动容器的时候启用这个覆盖网络,这样只要是这个覆盖网络内的容器,不管在不在同一个宿主机上都能相互通信,即跨主机通信!不同覆盖网络内的容器组之间是相互隔离的(相互ping不通)。swarm模式的覆盖网络包括以下功能:1)可以附加多个服务到同一个网络。2)默认情况下,servicediscovery为每个swarm服务分配一个虚拟IP地址(vip)和DNS名称,使得在同一个网络中容器之间可以使用服务名称为互相连接。3)可以配置使用DNS轮循而不使用VIP4)为了可以使用swarm的覆盖网络,在启用swarm模式之间你需要在swarm节点之间开放以下端口:5)TCP/UDP端口7946–用于容器网络发现6)UDP端口4789–用于容器覆盖网络实例如下:-----------在Swarm集群中创建overlay网络------------[root@manager-node~]#dockernetworkcreate--driveroverlay--optencrypted--subnet10.10.110.0/24ngx_net参数解释:–optencrypted默认情况下swarm中的节点通信是加密的。在不同节点的容器之间,可选的–optencrypted参数能在它们的vxlan流量启用附加的加密层。--subnet命令行参数指定overlay网络使用的子网网段。当不指定一个子网时,swarm管理器自动选择一个子网并分配给网络。[root@manager-node~]#dockernetworklsNETWORKIDNAMEDRIVERSCOPEca221724531cbridgebridgelocal10d1451ecc8ddocker_gwbridgebridgelocal5764ade8774bhosthostlocal50kipkihuwxyingressoverlayswarmcz4b4ht5refqngx_netoverlayswarmf2af952cd27anonenulllocal由上可知,Swarm当中拥有2套覆盖网络。其中"ngx_net"网络正是我们在部署容器时所创建的成果。而"ingress"覆盖网络则为默认提供。Swarm管理节点会利用ingress负载均衡以将服务公布至集群之外。在将服务连接到这个创建的网络之前,网络覆盖到manager节点。上面输出的SCOPE为swarm表示将服务部署到Swarm时可以使用此网络。在将服务连接到这个网络后,Swarm只将该网络扩展到特定的worker节点,这个worker节点被swarm调度器分配了运行服务的任务。在那些没有运行该服务任务的worker节点上,网络并不扩展到该节点。------------------将服务连接到overlay网络-------------------[root@manager-node~]#dockerservicecreate--replicas5--networkngx_net--namemy-test-p80:80nginx上面名为"my-test"的服务启动了3个task,用于运行每个任务的容器都可以彼此通过overlay网络进行通信。Swarm集群将网络扩展到所有任务处于Running状态的节点上。[root@manager-node~]#dockerservicelsIDNAMEREPLICASIMAGECOMMAND9vgixbn6t2jumy-test5/5nginx在manager-node节点上,通过下面的命令查看哪些节点有处于running状态的任务:[root@manager-node~]#dockerservicepsmy-testIDNAMEIMAGENODEDESIREDSTATECURRENTSTATEERROReh2mo4ei8qah5d9eolx8yapeymy-test.1nginxmanager-nodeRunningRunningaboutaminuteago7gg40e57rko5frttqdx9x7ae2my-test.2nginxnode2RunningRunningaboutaminuteago1vp1d7cwmn8m6a5k0wtq9xi75my-test.3nginxnode1RunningRunningaboutaminuteago03nb3ev2r7sxcilkwizoetx9wmy-test.4nginxnode1RunningRunningaboutaminuteagoa0ibepz0r80mhy4x5cam7i190my-test.5nginxmanager-nodeRunningRunningaboutaminuteago可见三个节点都有处于running状态的任务,所以my-network网络扩展到三个节点上。可以查询某个节点上关于my-network的详细信息:[root@manager-node~]#dockernetworkinspectngx_net[{"Name":"ngx_net","Id":"cz4b4ht5refqxelx0mm871ec6","Scope":"swarm","Driver":"overlay","EnableIPv6":false,"IPAM":{"Driver":"default","Options":null,"Config":[{"Subnet":"10.10.110.0/24","Gateway":"10.10.110.1"}]},"Internal":false,"Containers":{"aa954b709a30be6eaf48e06a6c7c4a0642b75d76e121707df6fc1479d99c7b22":{"Name":"my-test.5.a0ibepz0r80mhy4x5cam7i190","EndpointID":"4841c9c639b876f065d44e0205320f5e990a0678c8d7f4a02e499779af7b5091","MacAddress":"02:42:0a:0a:6e:07","IPv4Address":"10.10.110.7/24","IPv6Address":""},"d7633d4108e88a471e1a1b6759b7c43e3fc09ab64de47e29736de7b9c5031963":{"Name":"my-test.1.eh2mo4ei8qah5d9eolx8yapey","EndpointID":"54e814c87ba0e7df159195067a851a2557ee8010e619db9cc4fdfb3dd6357afa","MacAddress":"02:42:0a:0a:6e:03","IPv4Address":"10.10.110.3/24","IPv6Address":""}},"Options":{"work.driver.overlay.vxlanid_list":"257","encrypted":""},"Labels":{}}]从上面的信息可以看出在manager-node节点上,名为my-test的服务有一个名为my-test.1.eh2mo4ei8qah5d9eolx8yapey和my-test.5.a0ibepz0r80mhy4x5cam7i190的task连接到名为ngx_net的网络上(另外两个节点node1和node2同样可以用上面命令查看)[root@node1~]#dockernetworkinspectngx_net[{"Name":"ngx_net","Id":"cz4b4ht5refqxelx0mm871ec6","Scope":"swarm","Driver":"overlay","EnableIPv6":false,"IPAM":{"Driver":"default","Options":null,"Config":[{"Subnet":"10.10.110.0/24","Gateway":"10.10.110.1"}]},"Internal":false,"Containers":{"8dd2171caa337b3c42f35cd6e4590d69cf8edd58ee03463194d0792199415607":{"Name":"my-test.4.03nb3ev2r7sxcilkwizoetx9w","EndpointID":"dec0675361db102f082798b9e39ed43ca23ae7b795105ae39b90373d42548418","MacAddress":"02:42:0a:0a:6e:06","IPv4Address":"10.10.110.6/24","IPv6Address":""},"f29e274d0709403ea97210ff750cdc32054af6cd963ee838bb695e6268264574":{"Name":"my-test.3.1vp1d7cwmn8m6a5k0wtq9xi75","EndpointID":"e4150c1107a6e52998e3f5417d774d31cdc3d0b24c9aa4305b860cbdf8f78929","MacAddress":"02:42:0a:0a:6e:05","IPv4Address":"10.10.110.5/24","IPv6Address":""}},"Options":{"work.driver.overlay.vxlanid_list":"257","encrypted":""},"Labels":{}}][root@node2~]#dockernetworkinspectngx_net[{"Name":"ngx_net","Id":"cz4b4ht5refqxelx0mm871ec6","Scope":"swarm","Driver":"overlay","EnableIPv6":false,"IPAM":{"Driver":"default","Options":null,"Config":[{"Subnet":"10.10.110.0/24","Gateway":"10.10.110.1"}]},"Internal":false,"Containers":{"fddb6518e2bb8c2c2f9f49f95eb3e054ded2a1eff9ec10732a188166f2a60509":{"Name":"my-test.2.7gg40e57rko5frttqdx9x7ae2","EndpointID":"7263888a54f6211649bef9425aa4acc33ecf838da20d8c93853842e1812f0436","MacAddress":"02:42:0a:0a:6e:04","IPv4Address":"10.10.110.4/24","IPv6Address":""}},"Options":{"work.driver.overlay.vxlanid_list":"257","encrypted":""},"Labels":{}}]可以通过查询服务来获得服务的虚拟IP地址,如下:[root@manager-node~]#dockerserviceinspect--format='{{json.Endpoint.VirtualIPs}}'my-test[{"NetworkID":"50kipkihuwxy5dqf150z7guad","Addr":"10.255.0.2/16"},{"NetworkID":"cz4b4ht5refqxelx0mm871ec6","Addr":"10.10.110.2/24"}]由上结果可知,10.10.110.2其实就是swarm集群内部的vip,整个网络结构如下所示:
加入ngx_net网络的容器彼此之间可以通过IP地址通信,也可以通过名称通信。
[root@node2~]#dockerpsCONTAINERIDIMAGECOMMANDCREATEDSTATUSPORTSNAMESfddb6518e2bbnginx:latest"nginx-g'daemonoff"5minutesagoUp5minutes80/tcpmy-test.2.7gg40e57rko5frttqdx9x7ae2[root@node2~]#dockerexec-tifddb6518e2bb/bin/bashroot@fddb6518e2bb:/#apt-getupdate&&apt-getinstalliprouteiputils-ping-yroot@fddb6518e2bb:/#ipaddr1:lo:<LOOPBACK,UP,LOWER_UP>mtu65536qdiscnoqueuestateUNKNOWNgroupdefaultlink/loopback00:00:00:00:00:00brd00:00:00:00:00:00inet127.0.0.1/8scopehostlovalid_lftforeverpreferred_lftforeverinet6::1/128scopehostvalid_lftforeverpreferred_lftforever246:eth0@if247:<BROADCAST,MULTICAST,UP,LOWER_UP>mtu1450qdiscnoqueuestateUPgroupdefaultlink/ether02:42:0a:ff:00:07brdff:ff:ff:ff:ff:fflink-netnsid0inet10.255.0.7/16scopeglobaleth0valid_lftforeverpreferred_lftforeverinet10.255.0.2/32scopeglobaleth0valid_lftforeverpreferred_lftforeverinet6fe80::42:aff:feff:7/64scopelinkvalid_lftforeverpreferred_lftforever248:eth1@if249:<BROADCAST,MULTICAST,UP,LOWER_UP>mtu1500qdiscnoqueuestateUPgroupdefaultlink/ether02:42:ac:12:00:03brdff:ff:ff:ff:ff:fflink-netnsid1inet172.18.0.3/16scopeglobaleth1valid_lftforeverpreferred_lftforeverinet6fe80::42:acff:fe12:3/64scopelinkvalid_lftforeverpreferred_lftforever251:eth2@if252:<BROADCAST,MULTICAST,UP,LOWER_UP>mtu1424qdiscnoqueuestateUPgroupdefaultlink/ether02:42:0a:0a:6e:04brdff:ff:ff:ff:ff:fflink-netnsid2inet10.10.110.4/24scopeglobaleth2valid_lftforeverpreferred_lftforeverinet10.10.110.2/32scopeglobaleth2valid_lftforeverpreferred_lftforeverinet6fe80::42:aff:fe0a:6e04/64scopelinkvalid_lftforeverpreferred_lftforeverroot@fddb6518e2bb:/#ping10.10.110.3PING10.10.110.3(10.10.110.3)56(84)bytesofdata.64bytesfrom10.10.110.3:icmp_seq=1ttl=64time=0.437ms64bytesfrom10.10.110.3:icmp_seq=2ttl=64time=0.310ms.....---10.10.110.3pingstatistics---2packetstransmitted,2received,0%packetloss,time999msrttmin/avg/max/mdev=0.310/0.373/0.437/0.066msroot@fddb6518e2bb:/#ping10.10.110.5PING10.10.110.5(10.10.110.5)56(84)bytesofdata.64bytesfrom10.10.110.5:icmp_seq=1ttl=64time=0.438ms64bytesfrom10.10.110.5:icmp_seq=2ttl=64time=0.329ms64bytesfrom10.10.110.5:icmp_seq=3ttl=64time=0.359ms.....---10.10.110.5pingstatistics---3packetstransmitted,3received,0%packetloss,time1999msrttmin/avg/max/mdev=0.329/0.375/0.438/0.048ms----------------------------使用swarm模式的服务发现--------------------------默认情况下,当创建了一个服务并连接到某个网络后,swarm会为该服务分配一个VIP。此VIP根据服务名映射到DNS。在网络上的容器共享该服务的DNS映射,所以网络上的任意容器可以通过服务名访问服务。在同一overlay网络中,不用通过端口映射来使某个服务可以被其它服务访问。Swarm内部的负载均衡器自动将请求发送到服务的VIP上,然后分发到所有的active的task上。如下示例:在同一个网络中添加了一个centos服务,此服务可以通过名称my-test访问前面创建的nginx服务:[root@manager-node~]#dockerservicecreate--namemy-centos--networkngx_netcentossleep3000查询centos运行在哪个节点上(上面创建命令执行后,需要一段时间才能完成这个centos服务的创建)[root@node2~]#dockerpsCONTAINERIDIMAGECOMMANDCREATEDSTATUSPORTSNAMESece4ac2e6cc1centos:latest"sleep3000"42secondsagoUp40secondsmy-centos.1.5qwknsxmtr1zhclx9d0f0fx4m登录centos运行的节点(由上可知是node2节点),打开centos的交互shell:[root@node2~]#dockerpsCONTAINERIDIMAGECOMMANDCREATEDSTATUSNAMESe4554490d891centos:latest"/bin/bash"AboutanhouragoUpAboutanhourmy-centos.1.9yk5ie28gwk9mw1h1jovb68ki[root@node2~]#dockerexec-itmy-centos.1.5qwknsxmtr1zhclx9d0f0fx4m/bin/bash[root@ece4ac2e6cc1/]#yuminstallbind-utils-y[root@ece4ac2e6cc1/]#nslookupmy-testServer:127.0.0.11Address:127.0.0.11#53Non-authoritativeanswer:Name:my-testAddress:10.10.110.2从centos容器内部,使用特殊查询查询DNS,来找到my-test服务的所有容器的IP地址:[root@ece4ac2e6cc1/]#nslookuptasks.my-testServer:127.0.0.11Address:127.0.0.11#53Non-authoritativeanswer:Name:tasks.my-testAddress:10.10.110.3Name:tasks.my-testAddress:10.10.110.7Name:tasks.my-testAddress:10.10.110.5Name:tasks.my-testAddress:10.10.110.4Name:tasks.my-testAddress:10.10.110.6从centos容器内部,通过wget来访问my-test服务中运行的nginx网页服务器[root@ece4ac2e6cc1/]#wget-O-my-test---02-0801:57:26--http://my-test/Resolvingmy-test(my-test)...10.10.110.2Connectingtomy-test(my-test)|10.10.110.2|:80...connected.HTTPrequestsent,awaitingresponse...200OKLength:612[text/html]Savingto:'STDOUT'0%[]0--.-K/s<!DOCTYPEhtml><html><head><title>Welcometonginx!</title>...Swarm的负载均衡器自动将HTTP请求路由到VIP上,然后到一个active的task容器上。它根据round-robin选择算法将后续的请求分发到另一个active的task上。-----------------------------------为服务使用DNSround-robin-----------------------------在创建服务时,可以配置服务直接使用DNSround-robin而无需使用VIP。这是通过在创建服务时指定--endpoint-modednsrr命令行参数实现的。当你想要使用自己的负载均衡器时可以使用这种方式。如下示例(注意:使用DNSround-robin方式创建服务,不能直接在命令里使用-p指定端口)[root@manager-node~]#dockerservicecreate--replicas3--namemy-dnsrr-nginx--networkngx_net--endpoint-modednsrrnginx[root@manager-node~]#dockerservicepsmy-dnsrr-nginxIDNAMEIMAGENODEDESIREDSTATECURRENTSTATEERROR8ffi3rs8fg3k4obrvbxg4uwiymy-dnsrr-nginx.1nginxnode2RunningRunning7secondsagoamgmv0kgdopc70z2dr97vn7qqmy-dnsrr-nginx.2nginxnode1RunningRunning7secondsago2p7obdb3h7yicggsbiv5qmvjxmy-dnsrr-nginx.3nginxmanager-nodeRunningRunning7secondsago当通过服务名称查询DNS时,DNS服务返回所有任务容器的IP地址:[root@ece4ac2e6cc1/]#nslookupmy-dnsrr-nginxServer:127.0.0.11Address:127.0.0.11#53Non-authoritativeanswer:Name:my-dnsrr-nginxAddress:10.10.110.12Name:my-dnsrr-nginxAddress:10.10.110.11Name:my-dnsrr-nginxAddress:10.10.110.10需要注意的是:一定要确认VIP的连通性通常Docker官方推荐使用dig,nslookup或其它DNS查询工具来查询通过DNS对服务名的访问。因为VIP是逻辑IP,ping并不是确认VIP连通性的正确的工具。
