Installing and deploying flanneld

Flannel provides a virtual (overlay) network for containers by assigning each host its own subnet; the nodes in this network can be thought of as connected by virtual or logical links.

In our production cluster, the hosts and the containers must all be mutually reachable, because only then do they form a cluster; if the hosts and containers in the cluster could not reach each other, there would be no point in building a cluster at all.
# You can try the following on the 21 machine:
~]# kubectl get pods -o wide
~]# ping 172.7.21.2
~]# ping 172.7.22.2

You will find that the two hosts cannot reach each other's containers, let alone get inside them. (Pinging 10.4.7.22, of course, works fine.)

This is where a CNI network plugin comes in. CNI's main job is to let Pod resources communicate across hosts. There are many CNI network plugins, such as Flannel and Calico, and Flannel is currently the most popular one on the market.

# 21/22 machines:
~]# cd /opt/src/
src]# wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
src]# mkdir /opt/flannel-v0.11.0
src]# tar xf flannel-v0.11.0-linux-amd64.tar.gz -C /opt/flannel-v0.11.0/
src]# ln -s /opt/flannel-v0.11.0/ /opt/flannel
src]# cd /opt/flannel
flannel]# ll
# out:总用量 34436
flannel]# mkdir cert
flannel]# cd cert/
cert]# scp hdss7-200:/opt/certs/ca.pem . 
cert]# scp hdss7-200:/opt/certs/client.pem .
cert]# scp hdss7-200:/opt/certs/client-key.pem .
cert]# cd ..
# Mind which machine you are on; one value must change: FLANNEL_SUBNET=172.7.21.1/24 on 21 becomes FLANNEL_SUBNET=172.7.22.1/24 on 22
flannel]# vi subnet.env
FLANNEL_NETWORK=172.7.0.0/16
FLANNEL_SUBNET=172.7.21.1/24
FLANNEL_MTU=1500
FLANNEL_IPMASQ=false

# 21/22 machines. Note: my network interface is eth0; on newer systems it is ens33, and if yours is ens33 you must change --iface accordingly. Apart from that, one host-specific value must change: --public-ip=10.4.7.21
flannel]# vi flanneld.sh
#!/bin/sh
./flanneld \
  --public-ip=10.4.7.21 \
  --etcd-endpoints=https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
  --etcd-keyfile=./cert/client-key.pem \
  --etcd-certfile=./cert/client.pem \
  --etcd-cafile=./cert/ca.pem \
  --iface=eth0 \
  --subnet-file=./subnet.env \
  --healthz-port=2401
  
flannel]# chmod +x flanneld.sh
flannel]# mkdir -p /data/logs/flanneld
flannel]# cd /opt/etcd
# The following step is run on one machine only, and only once; I did it on the 21 machine:
etcd]# ./etcdctl set /coreos.com/network/config '{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}'
etcd]# ./etcdctl get /coreos.com/network/config
# out:{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}
# One place to change between the 21/22 machines: the program name in [program:flanneld-7-21]
etcd]# vi /etc/supervisord.d/flannel.ini
[program:flanneld-7-21]
command=/opt/flannel/flanneld.sh                             ; the program (relative uses PATH, can take args)
numprocs=1                                                   ; number of processes copies to start (def 1)
directory=/opt/flannel                                       ; directory to cwd to before exec (def no cwd)
autostart=true                                               ; start at supervisord start (default: true)
autorestart=true                                             ; restart at unexpected quit (default: true)
startsecs=30                                                 ; number of secs prog must stay running (def. 1)
startretries=3                                               ; max # of serial start failures (default 3)
exitcodes=0,2                                                ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                              ; signal used to kill process (default TERM)
stopwaitsecs=10                                              ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                    ; setuid to this UNIX account to run the program
redirect_stderr=true                                         ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log       ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                 ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                     ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                  ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                  ; emit events on stdout writes (default false)
etcd]# supervisorctl update
etcd]# supervisorctl status
# Inspect the details
etcd]# tail -fn 200 /data/logs/flanneld/flanneld.stdout.log
# Once both machines are done, ping the other side from 21 and 22; the ping now goes through

How flannel works here: it adds static routes (precondition: the hosts must sit behind the same gateway). Because the 10.4.7.x host addresses are already mutually reachable, a packet for a 172 address is first sent to the 10 address of the host that owns it and then handed down to the 172 subnet beneath that host, which makes the two sides reachable.
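As an added verification helper (not part of this walkthrough or of flannel itself), the following Python script checks the host-specific edit this page warns about and the host-gw routing rule just described: it parses each host's subnet.env, confirms every FLANNEL_SUBNET lies inside the etcd Network and that no two hosts ended up with the same subnet (the unedited copy on 22), then derives the static routes host-gw should install on each host and compares them against a constructed `ip route` sample. The host IPs, subnets and route sample are constructed from this page's values; `SAMPLE_IP_ROUTE_21` and the function names are my own.

```python
import ipaddress

# Constructed from this page: the etcd network config and each host's subnet.env (22 differs only in FLANNEL_SUBNET).
ETCD_NETWORK_CONFIG = {"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}
def subnet_env_for(n):
    return f"FLANNEL_NETWORK=172.7.0.0/16\nFLANNEL_SUBNET=172.7.{n}.1/24\nFLANNEL_MTU=1500\nFLANNEL_IPMASQ=false\n"
SUBNET_ENV = {"10.4.7.21": subnet_env_for(21), "10.4.7.22": subnet_env_for(22)}
# Constructed `ip route` output on 10.4.7.21 once flanneld (host-gw backend) is running.
SAMPLE_IP_ROUTE_21 = """default via 10.4.7.254 dev eth0
172.7.21.0/24 dev docker0 proto kernel scope link src 172.7.21.1
172.7.22.0/24 via 10.4.7.22 dev eth0
"""

def parse_subnet_env(text):
    """Parse the KEY=VALUE lines of a flannel subnet.env file into a dict."""
    env = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def host_subnet(text):
    """The pod network a host serves: FLANNEL_SUBNET=172.7.21.1/24 -> 172.7.21.0/24."""
    return ipaddress.ip_interface(parse_subnet_env(text)["FLANNEL_SUBNET"]).network

def validate_subnets(config, subnet_envs):
    """Problems in the per-host files: a subnet outside the etcd Network, or two hosts sharing one."""
    network = ipaddress.ip_network(config["Network"])
    problems, seen = [], {}
    for host, text in subnet_envs.items():
        subnet = host_subnet(text)
        if not subnet.subnet_of(network):
            problems.append(f"{host}: subnet {subnet} is outside {network}")
        for other, other_subnet in seen.items():
            if subnet.overlaps(other_subnet):
                problems.append(f"{host}: subnet {subnet} overlaps {other}'s {other_subnet}")
        seen[host] = subnet
    return problems

def expected_host_gw_routes(subnet_envs, iface="eth0"):
    """Static routes host-gw installs per host: each peer's pod subnet via the peer's public IP."""
    subnets = {h: host_subnet(t) for h, t in subnet_envs.items()}
    return {host: sorted(f"{subnets[peer]} via {peer} dev {iface}" for peer in subnets if peer != host)
            for host in subnets}

def missing_routes(host, ip_route_output, subnet_envs, iface="eth0"):
    """Expected host-gw routes on `host` that are absent from its `ip route` output."""
    present = {" ".join(line.split()[:5]) for line in ip_route_output.splitlines() if line.strip()}
    return [r for r in expected_host_gw_routes(subnet_envs, iface)[host] if r not in present]
```

Run `missing_routes` against the real `ip route` output of each host after `supervisorctl status` shows flanneld RUNNING; an empty list means the static routes the text describes are in place.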

To recap once more: the 21 machine on the 10 network corresponds to the 21 subnet on the 172 network, which makes it easy to tell which pods are on which machine.

Next section: transparent access between containers

This will solve transparent access between containers on two different hosts; without this optimization, when one container accesses another, the log records the host's IP address.