
     1  #!/usr/bin/env bash
     2  
     3  . $(dirname ${BASH_SOURCE})/../../contrib/shell/util.sh
     4  
     5  NETWORK="cilium"
     6  CLIENT_LABEL="id.client"
     7  SERVER_LABEL="id.server"
     8  
     9  function cleanup {
    10  	docker rm -f server client 2> /dev/null || true
    11  }
    12  
    13  trap cleanup EXIT
    14  
    15  cilium policy delete --all 2> /dev/null && true
    16  
    17  desc "Demo: Create network, attach container, import policy"
    18  desc ""
    19  
    20  docker network rm $NETWORK > /dev/null 2>&1
    21  
    22  desc "Create network \"cilium\""
    23  desc "This step is only required once, all containers can be attached to the same network,"
    24  desc "thus creating a single flat network. Isolation can then be defined based on labels."
    25  run "docker network create --ipv6 --subnet ::1/112 --driver cilium --ipam-driver cilium $NETWORK"
    26  
    27  desc "Policy enforcement is disabled by default, enable it."
    28  desc "Policy enforcement is also enabled as soon as you load a policy into the daemon."
    29  run "cilium config PolicyEnforcement=always"
    30  
    31  desc "Start a container with label $SERVER_LABEL"
    32  run "docker run -d --net cilium --name server -l $SERVER_LABEL tgraf/netperf"
    33  
    34  desc "List local endpoints"
    35  run "cilium endpoint list"
    36  
    37  run "docker inspect --format '{{ .NetworkSettings.Networks.cilium.GlobalIPv6Address }}' server"
    38  SERVER_IP=$(docker inspect --format '{{ .NetworkSettings.Networks.cilium.GlobalIPv6Address }}' server)
    39  SERVER_ID=$(cilium endpoint list | grep $SERVER_LABEL | awk '{ print $1}')
    40  
    41  desc "Ping will still fail due to missing policy"
    42  run "ping6 -c 2 $SERVER_IP"
    43  
    44  desc "Import policy"
    45  desc "The policy allows containers with label client to talk to containers with label server"
    46  desc "It also allows the local node to reach containers with label server"
    47  run "cat $(relative policy.json)"
    48  run "cilium policy import $(relative policy.json)"
    49  
    50  desc "Ping from local node to server container now succeeds"
    51  run "ping6 -c 2 $SERVER_IP"
    52  
    53  desc "Start another container with label $CLIENT_LABEL"
    54  run "docker run -d --net cilium --name client -l $CLIENT_LABEL tgraf/netperf"
    55  sleep 3
    56  
    57  CLIENT_IP=$(docker inspect --format '{{ .NetworkSettings.Networks.cilium.GlobalIPv6Address }}' client)
    58  CLIENT_ID=$(cilium endpoint list | grep $CLIENT_LABEL | awk '{ print $1}')
    59  
    60  desc "A client and server container are now running on the local node"
    61  run "cilium endpoint list"
    62  
    63  desc "The client container can reach the server container"
    64  run "docker exec -ti client ping6 -c 4 $SERVER_IP"
    65  
    66  desc "Show policy table of server container"
    67  desc "The table maintains a packets/bytes counter for each allowed consumer"
    68  run "sudo cilium bpf policy get $SERVER_ID"
    69  
    70  desc "Policies are directional and stateful, allowing client->server does not"
    71  desc "automatically allow the reverse direction server->client. Only reply"
    72  desc "packets are permitted. Ping will fail."
    73  run "docker exec -ti server ping6 -c 4 $CLIENT_IP"
    74  
    75  desc "Disabling connection tracking will disable directional policies and enable"
    76  desc "automatic bidirectional policies. Compile out the connection tracking code"
    77  desc "at runtime:"
    78  run "cilium endpoint config $CLIENT_ID Conntrack=false"
    79  run "cilium endpoint config $SERVER_ID Conntrack=false"
    80  
    81  desc "Cilium has automatically allowed the server->client direction."
    82  desc "Ping now succeeds in both directions"
    83  run "docker exec -ti server ping6 -c 4 $CLIENT_IP"
    84  run "docker exec -ti client ping6 -c 4 $SERVER_IP"
    85  
    86  desc "Clean up"
    87  run "docker rm -f server client"