# Weave

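Weave Net is a multi-host container networking solution with a decentralized control plane: the wRouters on the hosts establish a full mesh of TCP connections and synchronize control information through gossip. This removes the need for a centralized K/V store and reduces deployment complexity to some extent. Weave calls this approach "data centric", as opposed to the "algorithm centric" approach of Raft or Paxos.

On the data plane, Weave implements an L2 overlay through UDP encapsulation, which supports two modes:

* Sleeve mode, running in user space: packets are captured on the Linux bridge through a pcap device and encapsulated in UDP by the wRouter. It supports encrypting L2 traffic and also supports Partial Connection, but the performance loss is significant.
* Fastpath mode, running in kernel space: VXLAN encapsulation and forwarding are done by the OVS odp. The wRouter does not take part in forwarding directly; it controls forwarding by installing odp flow table entries. This improves throughput significantly, but does not support advanced features such as encryption.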

Sleeve Mode:

![](https://1674448607-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDAOok5ngY4pc1lEDes-887967055%2Fuploads%2Fgit-blob-03b368a2bd3445614a16c0f67cde3b09ac4fe4e8%2F1%20\(2\).png?alt=media)

Fastpath Mode:

![](https://1674448607-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDAOok5ngY4pc1lEDes-887967055%2Fuploads%2Fgit-blob-a5a8902568aa4f59eec79375f3da6749b71ac195%2F2%20\(2\).png?alt=media)

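Weave's support for publishing Services is also fairly complete. First, the wRouter integrates DNS and can perform service discovery and load balancing dynamically. In addition, similar to the libnetwork overlay driver, Weave requires each Pod to have two network interfaces: one attached to lb/ovs to handle L2 traffic, and the other attached to docker0 to handle Service traffic, with iptables still doing NAT behind docker0.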

![](https://1674448607-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDAOok5ngY4pc1lEDes-887967055%2Fuploads%2Fgit-blob-aba1b2af43e79e3cf3c3a65eb1e9445af7d27874%2F3%20\(3\).png?alt=media)

Weave is already integrated with the mainstream container systems:

* Docker: <https://www.weave.works/docs/net/latest/plugin/>
* Kubernetes: <https://www.weave.works/docs/net/latest/kube-addon/>
  * `kubectl apply -f https://git.io/weave-kube`
* CNI: <https://www.weave.works/docs/net/latest/cni-plugin/>
* Prometheus: <https://www.weave.works/docs/net/latest/metrics/>

## Weave Kubernetes

```bash
kubectl apply -n kube-system -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
```

This starts the Weave plugin and the network policy controller on every Node:

```bash
$ ps -ef | grep weave | grep -v grep
root     25147 25131  0 16:22 ?        00:00:00 /bin/sh /home/weave/launch.sh
root     25204 25147  0 16:22 ?        00:00:00 /home/weave/weaver --port=6783 --datapath=datapath --host-root=/host --http-addr=127.0.0.1:6784 --status-addr=0.0.0.0:6782 --docker-api= --no-dns --db-prefix=/weavedb/weave-net --ipalloc-range=10.32.0.0/12 --nickname=ubuntu-0 --ipalloc-init consensus=2 --conn-limit=30 --expect-npc 10.146.0.2 10.146.0.3
root     25669 25654  0 16:22 ?        00:00:00 /usr/bin/weave-npc
```

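The resulting container network looks like this:

* All containers are connected to the weave bridge
* The weave bridge is connected to the kernel openvswitch module through a veth pair
* Containers on different hosts communicate over openvswitch VXLAN
* The policy controller applies network policies to containers by configuring iptables rules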

![](https://1674448607-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDAOok5ngY4pc1lEDes-887967055%2Fuploads%2Fgit-blob-b73de1666dd8258654c12415a8ac3c7b10acc0c8%2Fweave-flow%20\(3\).png?alt=media)
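The `weaver` command line in the `ps` output above determines which router listeners are reachable from outside the node. The following is an added example, not part of the original page or of Weave itself, that parses that command line and reports which listeners bind to all interfaces. The function names are hypothetical, and two assumptions are made: only `--ipalloc-init` takes a space-separated value, and a bare `--port` listens on every interface.

```python
import ipaddress
import shlex

# weaver command line copied from the ps output on this page.
WEAVER_CMDLINE = (
    "/home/weave/weaver --port=6783 --datapath=datapath --host-root=/host "
    "--http-addr=127.0.0.1:6784 --status-addr=0.0.0.0:6782 --docker-api= "
    "--no-dns --db-prefix=/weavedb/weave-net --ipalloc-range=10.32.0.0/12 "
    "--nickname=ubuntu-0 --ipalloc-init consensus=2 --conn-limit=30 "
    "--expect-npc 10.146.0.2 10.146.0.3"
)
# Assumption: of the flags above, only --ipalloc-init takes a space-separated value.
SPACE_VALUE_FLAGS = {"ipalloc-init"}
LISTENER_FLAGS = ("port", "http-addr", "status-addr")

def parse_weaver(cmdline):
    """Return (flags, peers) for a weaver command line."""
    flags, peers = {}, []
    tokens = iter(shlex.split(cmdline)[1:])
    for tok in tokens:
        if not tok.startswith("--"):
            peers.append(tok)  # bare arguments are the initial peer addresses
            continue
        name, has_eq, value = tok[2:].partition("=")
        if not has_eq:
            value = next(tokens, "") if name in SPACE_VALUE_FLAGS else True
        flags[name] = value
    return flags, peers

def bind_scope(value):
    """Classify a listener value as 'loopback', 'all-interfaces' or 'specific'."""
    host = value.rpartition(":")[0].strip("[]")
    if not host:  # bare port or ":port"; assumed to listen on every interface
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "loopback" if host == "localhost" else "specific"
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def audit(cmdline):
    """Summarise listener exposure, peers and whether weave-npc is expected."""
    flags, peers = parse_weaver(cmdline)
    scopes = {f: bind_scope(flags[f]) for f in LISTENER_FLAGS
              if flags.get(f) not in (None, True, "")}
    exposed = sorted(f for f, s in scopes.items() if s == "all-interfaces")
    return {"listeners": scopes, "exposed": exposed, "peers": peers,
            "npc_expected": flags.get("expect-npc") is True}
```

For the command line on this page, `audit(WEAVER_CMDLINE)` lists `port` and `status-addr` as exposed and `http-addr` as loopback-only. Exposed listeners are the ones to restrict to peer nodes with host firewall or security group rules.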

## Weave Scope

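Weave Scope is a container monitoring and troubleshooting tool that generates a topology of the whole cluster and groups it intelligently (Automatic Topologies and Intelligent Grouping).

Weave Scope consists mainly of scope-probe and scope-app: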

```
+--Docker host----------+
|  +--Container------+  |    .---------------.
|  |                 |  |    | Browser       |
|  |  +-----------+  |  |    |---------------|
|  |  | scope-app |<---------|               |
|  |  +-----------+  |  |    |               |
|  |        ^        |  |    |               |
|  |        |        |  |    '---------------'
|  | +-------------+ |  |
|  | | scope-probe | |  |
|  | +-------------+ |  |
|  |                 |  |
|  +-----------------+  |
+-----------------------+
```

## Advantages

* Decentralized
* Automatic failure recovery
* Encrypted communication
* Multicast networking

## Disadvantages

* Significant performance loss in UDP mode


