07-部署Flanneld网络

部署Flanneld网络

  • Flanneld:用于解决容器之间网络互通,这里我们要配置TLS认证。
  • Docker1.12.5:docker的安装很简单,这里也不说了。

配置Flanneld

  • 这里我们使用yum的方式部署Flanneld和docker # yum install flannel docker -y service配置文件/etc/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/flanneld
EnvironmentFile=-/etc/sysconfig/docker-network
ExecStart=/usr/bin/flanneld-start $FLANNEL_OPTIONS
ExecStartPost=/usr/libexec/flannel/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
Restart=on-failure

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

/etc/sysconfig/flanneld配置文件

# Flanneld configuration options  

# etcd url location.  Point this to the server where etcd runs
FLANNEL_ETCD_ENDPOINTS="https://192.168.1.121:2379,https://192.168.1.122:2379,https://192.168.1.123:2379"

# etcd config key.  This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/k8s-ks/network"

# Any additional options that you want to pass
FLANNEL_OPTIONS="-etcd-cafile=/etc/kubernetes/ssl/ca.pem -etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem -etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem"

在FLANNEL_OPTIONS中增加TLS的配置

在etcd中创建网络配置

执行下面的命令为docker分配IP地址段

# etcdctl --endpoints=https://192.168.1.121:2379,https://192.168.1.122:2379,https://192.168.1.123:2379 \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  mkdir /k8s-ks/network
# etcdctl --endpoints=https://192.168.1.121:2379,https://192.168.1.122:2379,https://192.168.1.123:2379 \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  mk /k8s-ks/network/config "{ \"Network\": \"172.30.0.0/16\", \"SubnetLen\": 24, \"Backend\": { \"Type\": \"vxlan\" } }"
  • 注意:vxlan的性能损耗大约是40%~50%,如果将Type设置为host-gw,网络性能损耗只有10%左右,而配置没有什么不同,只是要保证kubernetes的所有node都在同一个二层网络中。
  • 注意:这两条语句只需要在其中一台机器上执行即可

启动flanneld

在各节点上启动flanneld

# systemctl  enable flanneld
# systemctl  start flanneld
  • 启动flanneld后会在/run/flannel目录下生成subnet.env和docker文件 # ls /run/flannel/ docker subnet.env Flannel的文档中有写Docker Integration

Docker daemon accepts --bip argument to configure the subnet of the docker0 bridge. It also accepts --mtu to set the MTU for docker0 and veth devices that it will be creating. Since flannel writes out the acquired subnet and MTU values into a file, the script starting Docker can source in the values and pass them to Docker daemon:

执行如下命令:

# source /run/flannel/subnet.env

Systemd users can use EnvironmentFile directive in the .service file to pull in /run/flannel/subnet.env

  • 如果你不是使用yum安装的flanneld,那么需要下载flannel github release中的tar包,解压后会获得一个mk-docker-opts.sh文件。

这个文件是用来Generate Docker daemon options based on flannel env file

执行./mk-docker-opts.sh -i将会生成如下两个文件环境变量文件。

/run/flannel/subnet.env

FLANNEL_NETWORK=172.30.0.0/16
FLANNEL_SUBNET=172.30.46.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false

/run/docker_opts.env

DOCKER_OPT_BIP="--bip=172.30.46.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=true"
DOCKER_OPT_MTU="--mtu=1450"

启动docker

# systemctl enable docker
# systemctl start docker #各节点上执行
# systemctl status docker

现在查询etcd中的内容可以看到:

ETCD_ENDPOINTS=https://192.168.1.121:2379,https://192.168.1.122:2379,https://192.168.1.123:2379 
# etcdctl --endpoints=${ETCD_ENDPOINTS} \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  ls /k8s-ks/network/subnets
2017-07-25 09:57:47.969181 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
/k8s-ks/network/subnets/172.30.25.0-24
/k8s-ks/network/subnets/172.30.99.0-24
/k8s-ks/network/subnets/172.30.59.0-24

# etcdctl --endpoints=${ETCD_ENDPOINTS} \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  get /k8s-ks/network/config
2017-07-25 10:03:01.516739 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
{ "Network": "172.30.0.0/16", "SubnetLen": 24, "Backend": { "Type": "vxlan" } }

#etcdctl --endpoints=${ETCD_ENDPOINTS} \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  get /k8s-ks/network/subnets/172.30.0.0-24
2017-07-25 10:12:17.911371 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
{"PublicIP":"192.168.1.121","BackendType":"vxlan","BackendData":{"VtepMAC":"b2:bf:15:fb:f8:14"}}
# etcdctl --endpoints=${ETCD_ENDPOINTS} \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  get /k8s-ks/network/subnets/172.30.99.0-24
2017-07-25 10:20:22.044716 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
{"PublicIP":"192.168.1.122","BackendType":"vxlan","BackendData":{"VtepMAC":"42:5d:f5:9c:72:ae"}}

# etcdctl --endpoints=${ETCD_ENDPOINTS} \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  get /k8s-ks/network/subnets/172.30.59.0-24
2017-07-25 10:20:27.175817 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
{"PublicIP":"192.168.1.123","BackendType":"vxlan","BackendData":{"VtepMAC":"52:ad:8d:17:23:7a"}}
  • 可以使用ip addr查看网卡ip,比如如下:
  • 使用docker0的ip能互相ping通flanneld就算搭建完毕 3: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN link/ether b2:bf:15:fb:f8:14 brd ff:ff:ff:ff:ff:ff inet 172.30.25.0/32 scope global flannel.1 valid_lft forever preferred_lft forever 4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN link/ether 02:42:c2:bd:a6:ae brd ff:ff:ff:ff:ff:ff inet 172.30.25.1/24 scope global docker0 valid_lft forever preferred_lft forever ``` 3: flannel.1: mtu 1450 qdisc noqueue state UNKNOWN link/ether 42:5d:f5:9c:72:ae brd ff:ff:ff:ff:ff:ff inet 172.30.99.0/32 scope global flannel.1 valid_lft forever preferred_lft forever 4: docker0: mtu 1500 qdisc noqueue state DOWN link/ether 02:42:38:28:40:88 brd ff:ff:ff:ff:ff:ff inet 172.30.99.1/24 scope global docker0 valid_lft forever preferred_lft forever

```

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

相关文章

来自专栏贾志刚-OpenCV学堂

Android NDK层编译OpenCV代码开发详解

Android NDK层编译OpenCV代码开发详解 使用Android NDK开发编译OpenCV C++代码,这个在OpenCV4Android开发中会经常...

6338
来自专栏林冠宏的技术文章

Android各类权限意思祥解

1. android.permission.ACCESS_CHECKIN_PROPERTIES     允许读写访问”properties”表在 checkin...

1839
来自专栏Kubernetes

原 荐 Flannel是如何工作的

Author: xidianwangtao@gmail.com 概述 最近我们的TaaS平台遇到很多的网络问题,事实证明“contiv + ovs + v...

82611
来自专栏Flutter入门到实战

Android适配全面总结(二)----版本适配

版权声明:本文为博主原创文章(部分引用他人博文,已加上引用说明),未经博主允许不得转载。https://www.jianshu.com/p/49fa8ebc01...

2061
来自专栏鬼谷君

03-创建高可用 etcd 集群

1172
来自专栏非著名程序员

Android M 权限最佳实践

前言 Google在Android 6.0 上开始原生支持应用权限管理,再不是安装应用时的一刀切。权限管理虽然很大程度上增加了用户的可操作性,但是却苦了广大An...

2089
来自专栏从零学习云计算

kubernetes学习记录(4)——创建kubernetes覆盖网络

Kubernetes的网络模型要求每一个Pod都拥有一个扁平化共享网络命名空间的IP,称为PodIP,Pod能够直接通过PodIP跨网络与其他物理机和Pod进行...

2330
来自专栏FreeBuf

EE 4GEE Mini本地提权漏洞(CVE-2018-14327)分析

我在前段时间从买了一个4G调制解调器。这是一个便携式4G WiFi移动宽带调制解调器。有一天,我查看了安装在电脑上的用于故障排除的服务,我看到了一个奇怪的服务,...

693
来自专栏along的开发之旅

因为Android M权限问题导致的"Permission Denial: reading com.android.providers.media.MediaProvider"解决办法

最后查明是因为API过高权限访问有修改, 在API级别>=23时, 权限访问被分为三个级别, 分别为”PROTECTION_NORMAL, PROTECTION...

1052
来自专栏向治洪

多线程下载

楼主三年磨剑(当然不是磨着一把剑),倾血奉献Android多线程下载Demo。有的人就问了“怎么写来写去还是Demo?”,因为老哥我实在太忙了, 每天写一点...

1848

扫码关注云+社区