calico網絡通信 · Kubernetes

[TOC] # 小知識點 - proxy_arp: 原理就是當出現跨網段的ARP請求時，路由器將自己的MAC返回給發送ARP廣播請求發送者，實現MAC地址代理（善意的欺騙），最終使得主機能夠通信。 0為不開啟，1則開啟 > 開啟了proxy_arp(/proc/sys/net/ipv4/conf/[網卡名稱]/proxy_arp) 的情況下。如果請求中的ip地址不是本機網卡接口的地址，且有該地址的路由，則會以自己的mac地址進行回復；如果沒有該地址的路由，不回復。 - 確認容器與宿主機一對veth-pair 1. 登錄容器 `cat /sys/class/net/eth0/iflink` 查看另一個veth設備在宿主機哪個編號 2. 在宿主機 `ip r | grep [容器IP地址]` - IPIP協議對應IP協議4 - tcpdump 抓包: `tcpdump 'ip proto 4'` - Wireshark 過濾 `ip.proto == 4` # 同節點通信 ## 兩個pod背景信息兩個pod分布情況 ```shell $ kubectl get pod -l app=fileserver -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES fileserver-7cb9d7d4d-h99sp 1/1 Running 0 14m 172.26.40.147 192.168.32.127 <none> <none> fileserver-7cb9d7d4d-mssdr 1/1 Running 0 14m 172.26.40.146 192.168.32.127 <none> <none> ``` `fileserver-7cb9d7d4d-mssdr` 容器的信息 ```shell # IP地址信息 $ kubectl exec -it fileserver-7cb9d7d4d-mssdr -- ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 4: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1480 qdisc noqueue state UP link/ether 26:05:c7:19:a8:cf brd ff:ff:ff:ff:ff:ff inet 172.26.40.146/32 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::2405:c7ff:fe19:a8cf/64 scope link valid_lft forever preferred_lft forever # 路由信息 $ kubectl exec -it fileserver-7cb9d7d4d-mssdr -- ip r default via 169.254.1.1 dev eth0 169.254.1.1 dev eth0 scope link # veth-pair對在宿主機網卡名稱 $ ip r | grep 172.26.40.146 172.26.40.146 dev calie64b9fa939d scope link ``` `fileserver-7cb9d7d4d-h99sp` 容器的信息 ```shell # IP地址信息 $ kubectl exec -it fileserver-7cb9d7d4d-h99sp -- ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 4: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1480 qdisc noqueue state UP link/ether 7a:3a:28:54:4e:03 brd ff:ff:ff:ff:ff:ff inet 172.26.40.147/32 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::783a:28ff:fe54:4e03/64 scope link valid_lft forever preferred_lft forever # 路由信息 $ kubectl exec -it fileserver-7cb9d7d4d-h99sp -- ip r default via 169.254.1.1 dev eth0 169.254.1.1 dev eth0 scope link # veth-pair對在宿主機網卡名稱 $ ip r | grep 172.26.40.147 172.26.40.147 dev calic40aae79714 scope link ``` ## IPIP 從 `fileserver-7cb9d7d4d-mssdr` 到 `fileserver-7cb9d7d4d-h99sp` 兩個pod在同節點上，數據包流程圖 ![](https://img.kancloud.cn/7b/0a/7b0aae22386b382d94bf4e0168373867_1307x582.png) 抓包驗證 ```shell tcpdump -i calie64b9fa939d -penn tcpdump -i calic40aae79714 -penn ``` ![](https://img.kancloud.cn/a7/ae/a7ae5e64dd64f06b8e28dacb7085a60e_1920x1002.png) ## BGP 從 `fileserver-7cb9d7d4d-mssdr` 到 `fileserver-7cb9d7d4d-h99sp` 兩個pod在同節點上，數據包流程圖 ![](https://img.kancloud.cn/7b/0a/7b0aae22386b382d94bf4e0168373867_1307x582.png) 抓包驗證 ```shell tcpdump -i calie64b9fa939d -penn tcpdump -i calic40aae79714 -penn ``` ![](https://img.kancloud.cn/0a/dd/0add13a632e70dc4f74913da800baee4_1920x842.png) > 三次握手詳細過程與IPIP是一致的，下面截圖就是抓包的數據。因為pod與宿主機在做IPIP協議的時候，已經arp表已經有緩存了。所以少一些arp廣報播文 # 跨節點通信 ## 兩個pod背景信息兩個pod分布情況 ```shell $ kubectl get pod -owide -l app=fileserver NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES fileserver-595ccd77dd-hh8c7 1/1 Running 0 7s 172.26.40.161 192.168.32.127 <none> <none> fileserver-595ccd77dd-k9bzv 1/1 Running 0 8s 172.26.122.151 192.168.32.128 <none> <none> ``` `fileserver-595ccd77dd-hh8c7` 容器的信息 ```shell # IP地址信息 $ kubectl exec -it fileserver-595ccd77dd-hh8c7 -- ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 4: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 82:de:a5:aa:e4:41 brd ff:ff:ff:ff:ff:ff inet 172.26.40.161/32 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::80de:a5ff:feaa:e441/64 scope link valid_lft forever preferred_lft forever # 路由信息 $ kubectl exec -it fileserver-595ccd77dd-hh8c7 -- ip r default via 169.254.1.1 dev eth0 169.254.1.1 dev eth0 scope link # veth-pair對在宿主機網卡名稱 $ ip r | grep 172.26.40.150 172.26.40.161 dev cali5e8dd2e9d68 scope link ``` `fileserver-595ccd77dd-k9bzv` 容器的信息 ```shell # IP地址信息 $ kubectl exec -it fileserver-595ccd77dd-k9bzv -- ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 4: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 12:ec:00:00:e6:71 brd ff:ff:ff:ff:ff:ff inet 172.26.122.151/32 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::10ec:ff:fe00:e671/64 scope link valid_lft forever preferred_lft forever # 路由信息 $ kubectl exec -it fileserver-595ccd77dd-k9bzv -- ip r default via 169.254.1.1 dev eth0 169.254.1.1 dev eth0 scope link # veth-pair對在宿主機網卡名稱 $ ip r | grep 172.26.122.141 172.26.122.151 dev cali7b1def0e886 scope link ``` ## IPIP 從 `fileserver-595ccd77dd-hh8c7` 到 `fileserver-595ccd77dd-k9bzv` 兩個pod在跨節點上，數據包流程圖 ![](https://img.kancloud.cn/89/43/894399fcfaa2aa21cb49b7594d5710c4_1815x610.png) 抓包驗證 ```shell # 192.168.32.127 主機抓包 tcpdump -i ens33 -penn host 192.168.32.128 and 'ip proto 4' tcpdump -i tunl0 -penn host 172.26.122.151 tcpdump -i cali5e8dd2e9d68 -penn # 192.168.32.128 主機抓包 tcpdump -i ens33 -penn host 192.168.32.127 and 'ip proto 4' tcpdump -i tunl0 -penn host 172.26.40.161 tcpdump -i cali7b1def0e886 -penn ``` ![](https://img.kancloud.cn/b6/68/b6681dc66d4cb76ed21c9fe0e32bb48a_1920x1019.png) ![](https://img.kancloud.cn/1d/61/1d61e9b467040b012b4bd9e31943726f_1920x1014.png) ## BGP 從 `fileserver-595ccd77dd-hh8c7` 到 `fileserver-595ccd77dd-k9bzv` 兩個pod在跨節點上，數據包流程圖 ![](https://img.kancloud.cn/42/4c/424c443378afb0bd68d4d60178b13b96_1804x591.png) 抓包驗證 ```shell # 192.168.32.127 主機抓包 tcpdump -i ens33 -penn host 172.26.122.151 tcpdump -i cali5e8dd2e9d68 -penn # 192.168.32.128 主機抓包 tcpdump -i ens33 -penn host 172.26.40.161 tcpdump -i cali7b1def0e886 -penn ``` ![](https://img.kancloud.cn/a4/1f/a41f3346d8714845c46a9eb55803c2d8_1920x1016.png) ![](https://img.kancloud.cn/65/99/6599e0cadadb2d556f79dd178b1a30ef_1920x967.png) # 總結 - 同節點：無論是IPIP，BGP協議封裝，網絡通信過程都是一樣的。查宿主機路由表轉發請求 - 跨節點 - IPIP封裝：`tunl0` 網卡有數據包通過且封裝數據包(宿主機IP)；宿主機網卡抓到 **數據包網絡層** 是兩層的(第一層源宿主機，目的宿主機；第二層源容器，目的容器)；**數據包數據鏈路層** 是分別是源宿主機與目的宿主機MAC地址； - BGP封裝：數據包不經過 `tunl0` 網卡；宿主機網卡抓到 **數據包網絡層** 分別是客戶端容器IP地址與服務端容器IP地址；**數據包數據鏈路層** 是分別是源宿主機與目的宿主機MAC地址； - 從抓包層面來看：只有網絡層有區別，IPIP協議多一層宿主機之間的IP地址封裝，而BGP協議是沒有的