参考

 

Calico 跨主机连通性测试

 

root@host1:~# docker exec bbox1 ping -c 2 bbox2

PING bbox2 (192.168.183.64): 56 data bytes

64 bytes from 192.168.183.64: seq=0 ttl=62 time=0.433 ms

64 bytes from 192.168.183.64: seq=1 ttl=62 time=0.322 ms

--- bbox2 ping statistics ---

2 packets transmitted, 2 packets received, 0% packet loss

round-trip min/avg/max = 0.322/0.377/0.433 ms

 

root@host1:~# docker exec bbox1 ip r

default via 169.254.1.1 dev cali0   

①

169.254.1.1 dev cali0 scope link

 

root@host1:~# ip r

default via 10.12.28.6 dev ens160 onlink

10.2.46.0/24 dev docker0  proto kernel  scope link  src 10.2.46.1 linkdown

10.12.28.0/22 dev ens160  proto kernel  scope link  src 10.12.31.211

172.22.0.0/16 via 10.12.28.1 dev ens160

192.168.119.0 dev cali129890bc0f3  scope link

blackhole 192.168.119.0/26  proto bird

192.168.183.64/26 via 10.12.31.212 dev ens160  proto bird   

②

 

root@host2:~# ip r

default via 10.12.28.6 dev ens160 onlink

10.2.44.0/24 dev docker0  proto kernel  scope link  src 10.2.44.1 linkdown

10.12.28.0/22 dev ens160  proto kernel  scope link  src 10.12.31.212

172.22.0.0/16 via 10.12.28.1 dev ens160

192.168.119.0/26 via 10.12.31.211 dev ens160  proto bird

192.168.183.64 dev calicb5d10d0884  scope link   

③

blackhole 192.168.183.64/26  proto bird

 

 

 

 

root@host1:~# docker network create --driver calico --ipam-driver calico-ipam cal_net2

cca5ff37f60dc4f6096388ef4d20b5222c8cef32dd9bc0e389f71dd8776a7fdd

root@host1:~# docker run -itd --name bbox3 --network cal_net2 busybox

9c942b23532a9a42a6be216b2f7b7b047814f327607a88ce8e54e05c00397cb4

root@host1:~# docker exec bbox3 ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

9: cali0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue

    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff

    inet 192.168.119.1/32 brd 192.168.119.1 scope global cali0

       valid_lft forever preferred_lft forever

root@host1:~# docker exec bbox1 ping -c 2 192.168.119.1

PING 192.168.119.1 (192.168.119.1): 56 data bytes

--- 192.168.119.1 ping statistics ---

2 packets transmitted, 0 packets received, 100% packet loss

 

 

calico 默认的 policy 规则是：容器只能与同一个calico网络中的容器通信，即使两个容器在同一个 host 上也不行

 

查看calico网络policy，如果calico的配置文件在默认位置（

/etc/calico/calicoctl.cfg），在使用calico命令的时候可以省略指定--config 

 

root@host1:~# calicoctl get profile cal_net1 -o yaml --config /etc/calicoctl.cfg

- apiVersion: v1

  kind: profile

  metadata:

    name: cal_net1

    tags:

    - cal_net1

  spec:

    egress:   

#    出方向，allow any to any

    - action: allow

      destination: {}

      source: {}

    ingress:   

#    进方向，allow cal_net1 to any (这里的any只有cal_net1网络)，也就是 allow cal_net1 to cal_net1

    - action: allow

      destination: {}

      source:

        tag: cal_net1