āĻŦāĻŋāĻāĻĻā§āĻ°āĻ. āĻ
āĻ¨ā§āĻŦāĻžāĻĻ: āĻ¨āĻŋāĻŦāĻ¨ā§āĻ§ā§āĻ° āĻ˛ā§āĻāĻ - āĻāĻ°āĻāĻžāĻ¨ āĻāĻ°ā§āĻ˛, āĻāĻ¸āĻāĻĒāĻŋ-āĻāĻ° āĻāĻāĻāĻ¨ āĻĒā§āĻ°āĻā§āĻļāĻ˛ā§ - āĻĻāĻ˛ā§āĻ° āĻāĻžāĻ°ā§āĻ¯āĻāĻžāĻ°āĻŋāĻ¤āĻžāĻ° āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻ¤āĻžāĻ° āĻ
āĻ§ā§āĻ¯āĻ¯āĻŧāĻ¨ āĻļā§āĻ¯āĻŧāĻžāĻ° āĻāĻ°ā§āĻā§āĻ¨ kubectl exec, āĻā§āĻŦāĻžāĻ°āĻ¨ā§āĻāĻ¸ā§āĻ° āĻ¸āĻžāĻĨā§ āĻāĻžāĻ āĻāĻ°ā§ āĻāĻŽāĻ¨ āĻĒā§āĻ°āĻ¤ā§āĻ¯ā§āĻā§āĻ° āĻāĻžāĻā§ āĻā§āĻŦ āĻĒāĻ°āĻŋāĻāĻŋāĻ¤āĨ¤ āĻ¤āĻŋāĻ¨āĻŋ Kubernetes āĻ¸ā§āĻ°ā§āĻ¸ āĻā§āĻĄ (āĻāĻŦāĻ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻāĻŋāĻ¤ āĻĒā§āĻ°āĻāĻ˛ā§āĻĒ) āĻāĻ° āĻ¤āĻžāĻ˛āĻŋāĻāĻž āĻ¸āĻš āĻ¸āĻŽāĻā§āĻ° āĻ
ā§āĻ¯āĻžāĻ˛āĻāĻ°āĻŋāĻĻāĻŽ āĻ¸āĻšāĻ¯āĻžāĻ¨, āĻ¯āĻž āĻāĻĒāĻ¨āĻžāĻā§ āĻĒā§āĻ°āĻ¯āĻŧā§āĻāĻ¨ā§āĻ¯āĻŧ āĻŦāĻŋāĻˇāĻ¯āĻŧā§āĻ° āĻāĻā§āĻ°āĻāĻžāĻŦā§ āĻŦā§āĻāĻ¤ā§ āĻĻā§āĻ¯āĻŧāĨ¤
āĻāĻ āĻļā§āĻā§āĻ°āĻŦāĻžāĻ°, āĻāĻāĻāĻ¨ āĻ¸āĻšāĻāĻ°ā§āĻŽā§ āĻāĻŽāĻžāĻ° āĻāĻžāĻā§ āĻāĻ¸ā§ āĻāĻŋāĻā§āĻāĻžāĻ¸āĻž āĻāĻ°āĻ˛ā§āĻ¨ āĻā§āĻāĻžāĻŦā§ āĻāĻāĻāĻŋ āĻĒāĻĄ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§ āĻāĻāĻāĻŋ āĻāĻŽāĻžāĻ¨ā§āĻĄ āĻāĻžāĻ˛āĻžāĻ¨ā§ āĻ¯āĻžāĻ¯āĻŧ . āĻāĻŽāĻŋ āĻ¤āĻžāĻā§ āĻāĻ¤ā§āĻ¤āĻ° āĻĻāĻŋāĻ¤ā§ āĻĒāĻžāĻ°āĻŋāĻ¨āĻŋ āĻāĻŦāĻ āĻšāĻ āĻžā§ āĻŦā§āĻāĻ¤ā§ āĻĒāĻžāĻ°āĻŋ āĻ¯ā§ āĻāĻŽāĻŋ āĻ
āĻĒāĻžāĻ°ā§āĻļāĻ¨ā§āĻ° āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻāĻŋāĻā§āĻ āĻāĻžāĻ¨āĻŋ āĻ¨āĻž kubectl exec. āĻšā§āĻ¯āĻžāĻ, āĻāĻ° āĻāĻ āĻ¨ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻāĻŽāĻžāĻ° āĻāĻŋāĻā§ āĻ§āĻžāĻ°āĻŖāĻž āĻāĻŋāĻ˛, āĻāĻŋāĻ¨ā§āĻ¤ā§ āĻāĻŽāĻŋ āĻ¤āĻžāĻĻā§āĻ° āĻ¸āĻ āĻŋāĻāĻ¤āĻž āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ 100% āĻ¨āĻŋāĻļā§āĻāĻŋāĻ¤ āĻ¨āĻ āĻāĻŦāĻ āĻ¤āĻžāĻ āĻāĻ āĻ¸āĻŽāĻ¸ā§āĻ¯āĻžāĻāĻŋ āĻŽā§āĻāĻžāĻŦā§āĻ˛āĻž āĻāĻ°āĻžāĻ° āĻ¸āĻŋāĻĻā§āĻ§āĻžāĻ¨ā§āĻ¤ āĻ¨āĻŋāĻ¯āĻŧā§āĻāĻŋāĨ¤ āĻŦā§āĻ˛āĻ, āĻĄāĻā§āĻŽā§āĻ¨ā§āĻā§āĻļāĻ¨ āĻāĻŦāĻ āĻ¸ā§āĻ°ā§āĻ¸ āĻā§āĻĄ āĻ
āĻ§ā§āĻ¯āĻ¯āĻŧāĻ¨ āĻāĻ°āĻžāĻ° āĻĒāĻ°ā§, āĻāĻŽāĻŋ āĻ
āĻ¨ā§āĻ āĻ¨āĻ¤ā§āĻ¨ āĻāĻŋāĻ¨āĻŋāĻ¸ āĻļāĻŋāĻā§āĻāĻŋ, āĻāĻŦāĻ āĻāĻ āĻ¨āĻŋāĻŦāĻ¨ā§āĻ§ā§ āĻāĻŽāĻŋ āĻāĻŽāĻžāĻ° āĻāĻŦāĻŋāĻˇā§āĻāĻžāĻ° āĻāĻŦāĻ āĻŦā§āĻāĻžāĻ° āĻāĻžāĻ āĻāĻ°āĻ¤ā§ āĻāĻžāĻāĨ¤ āĻāĻŋāĻā§ āĻā§āĻ˛ āĻšāĻ˛ā§, āĻāĻŽāĻžāĻ° āĻ¸āĻžāĻĨā§ āĻ¯ā§āĻāĻžāĻ¯ā§āĻ āĻāĻ°ā§āĻ¨ .
āĻĒā§āĻ°āĻļāĻŋāĻā§āĻˇāĻŖ
āĻāĻāĻāĻŋ āĻŽā§āĻ¯āĻžāĻāĻŦā§āĻā§ āĻāĻāĻāĻŋ āĻā§āĻ˛āĻžāĻ¸ā§āĻāĻžāĻ° āĻ¤ā§āĻ°āĻŋ āĻāĻ°āĻ¤ā§, āĻāĻŽāĻŋ āĻā§āĻ˛ā§āĻ¨ āĻāĻ°ā§āĻāĻŋ . āĻ¤āĻžāĻ°āĻĒāĻ°ā§ āĻāĻŽāĻŋ āĻā§āĻŦā§āĻ˛ā§āĻ āĻāĻ¨āĻĢāĻŋāĻāĻžāĻ°ā§āĻļāĻ¨ā§ āĻ¨ā§āĻĄāĻā§āĻ˛āĻŋāĻ° āĻāĻāĻĒāĻŋ āĻ āĻŋāĻāĻžāĻ¨āĻžāĻā§āĻ˛āĻŋ āĻ¸āĻāĻļā§āĻ§āĻ¨ āĻāĻ°ā§āĻāĻŋ, āĻ¯ā§āĻšā§āĻ¤ā§ āĻĄāĻŋāĻĢāĻ˛ā§āĻ āĻ¸ā§āĻāĻŋāĻāĻ¸ āĻ
āĻ¨ā§āĻŽāĻ¤āĻŋ āĻĻā§āĻ¯āĻŧ āĻ¨āĻž kubectl exec. āĻāĻĒāĻ¨āĻŋ āĻāĻ° āĻĒā§āĻ°āĻ§āĻžāĻ¨ āĻāĻžāĻ°āĻŖ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻāĻ°āĻ āĻĒāĻĄāĻŧāĻ¤ā§ āĻĒāĻžāĻ°ā§āĻ¨ .
- āĻ¯ā§āĻā§āĻ¨ā§ āĻāĻžāĻĄāĻŧāĻŋ = āĻāĻŽāĻžāĻ° āĻŽā§āĻ¯āĻžāĻāĻŦā§āĻ
- āĻŽāĻžāĻ¸ā§āĻāĻžāĻ° āĻ¨ā§āĻĄ āĻāĻāĻĒāĻŋ = 192.168.205.10
- āĻāĻ¯āĻŧāĻžāĻ°ā§āĻāĻžāĻ° āĻ¨ā§āĻĄ āĻāĻāĻĒāĻŋ = 192.168.205.11
- API āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻĒā§āĻ°ā§āĻ = 6443
āĻāĻĒāĻžāĻĻāĻžāĻ¨
- kubectl exec āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž: āĻ¯āĻāĻ¨ āĻāĻŽāĻ°āĻž "kubectl exec..." āĻāĻžāĻ°ā§āĻ¯āĻāĻ° āĻāĻ°āĻŋ āĻ¤āĻāĻ¨ āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻžāĻāĻŋ āĻļā§āĻ°ā§ āĻšāĻ¯āĻŧāĨ¤ āĻāĻāĻŋ K8s API āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§ āĻ ā§āĻ¯āĻžāĻā§āĻ¸ā§āĻ¸ āĻ¸āĻš āĻ¯ā§āĻā§āĻ¨ā§ āĻŽā§āĻļāĻŋāĻ¨ā§ āĻāĻ°āĻž āĻ¯ā§āĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤ āĻŦāĻŋāĻāĻĻā§āĻ°āĻ āĻ āĻ¨ā§āĻŦāĻžāĻĻ: āĻāĻ°āĻ āĻāĻ¨āĻ¸ā§āĻ˛ āĻ¤āĻžāĻ˛āĻŋāĻāĻžāĻ¯āĻŧ, āĻ˛ā§āĻāĻ "āĻ¯ā§āĻā§āĻ¨ āĻŽā§āĻļāĻŋāĻ¨" āĻŽāĻ¨ā§āĻ¤āĻŦā§āĻ¯ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§āĻ¨, āĻ¯āĻž āĻŦā§āĻāĻžāĻ¯āĻŧ āĻ¯ā§ āĻĒāĻ°āĻŦāĻ°ā§āĻ¤ā§ āĻāĻŽāĻžāĻ¨ā§āĻĄāĻā§āĻ˛āĻŋ āĻā§āĻŦāĻžāĻ°āĻ¨ā§āĻā§ āĻ ā§āĻ¯āĻžāĻā§āĻ¸ā§āĻ¸ āĻ¸āĻš āĻāĻ āĻāĻžāĻ¤ā§āĻ¯āĻŧ āĻ¯ā§ āĻā§āĻ¨āĻ āĻŽā§āĻļāĻŋāĻ¨ā§ āĻāĻžāĻ°ā§āĻ¯āĻāĻ° āĻāĻ°āĻž āĻ¯ā§āĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤
- : āĻŽāĻžāĻ¸ā§āĻāĻžāĻ° āĻ¨ā§āĻĄā§āĻ° āĻāĻāĻāĻŋ āĻāĻĒāĻžāĻĻāĻžāĻ¨ āĻ¯āĻž Kubernetes API-āĻ¤ā§ āĻ ā§āĻ¯āĻžāĻā§āĻ¸ā§āĻ¸ āĻĒā§āĻ°āĻĻāĻžāĻ¨ āĻāĻ°ā§āĨ¤ āĻāĻāĻŋ Kubernetes āĻ āĻāĻ¨ā§āĻā§āĻ°ā§āĻ˛ āĻĒā§āĻ˛ā§āĻ¨ā§āĻ° āĻĢā§āĻ°āĻ¨ā§āĻāĻāĻ¨ā§āĻĄāĨ¤
- : āĻāĻāĻāĻŋ āĻāĻā§āĻ¨ā§āĻ āĻ¯āĻž āĻā§āĻ˛āĻžāĻ¸ā§āĻāĻžāĻ°ā§āĻ° āĻĒā§āĻ°āĻ¤āĻŋāĻāĻŋ āĻ¨ā§āĻĄā§ āĻāĻ˛ā§āĨ¤ āĻāĻāĻŋ āĻĒāĻĄā§āĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻĒāĻžāĻ¤ā§āĻ°ā§āĻ° āĻ āĻĒāĻžāĻ°ā§āĻļāĻ¨ āĻ¨āĻŋāĻļā§āĻāĻŋāĻ¤ āĻāĻ°ā§āĨ¤
- (āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽ): āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻāĻžāĻ˛āĻžāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻĻāĻžāĻ¯āĻŧā§ āĻ¸āĻĢā§āĻāĻāĻ¯āĻŧā§āĻ¯āĻžāĻ°āĨ¤ āĻāĻĻāĻžāĻšāĻ°āĻŖ: āĻĄāĻāĻžāĻ°, āĻ¸āĻŋāĻāĻ°āĻāĻ-āĻ, āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ°āĻĄâĻ
- āĻļāĻžāĻāĻ¸: āĻāĻ¯āĻŧāĻžāĻ°ā§āĻāĻžāĻ° āĻ¨ā§āĻĄā§ āĻāĻāĻ¸ āĻāĻžāĻ°ā§āĻ¨ā§āĻ˛; āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻĒāĻ°āĻŋāĻāĻžāĻ˛āĻ¨āĻžāĻ° āĻāĻ¨ā§āĻ¯ āĻĻāĻžāĻ¯āĻŧā§āĨ¤
- āĻ˛āĻā§āĻˇā§āĻ¯ (āĻ˛āĻā§āĻˇā§āĻ¯) āĻāĻ§āĻžāĻ°: āĻāĻāĻāĻŋ āĻ§āĻžāĻ°āĻ āĻ¯āĻž āĻāĻāĻāĻŋ āĻĒāĻĄā§āĻ° āĻ āĻāĻļ āĻāĻŦāĻ āĻāĻ°ā§āĻŽā§ āĻ¨ā§āĻĄāĻā§āĻ˛āĻŋāĻ° āĻāĻāĻāĻŋāĻ¤ā§ āĻāĻ˛ā§āĨ¤
āĻ¯āĻž āĻāĻŦāĻŋāĻˇā§āĻāĻžāĻ° āĻāĻ°āĻ˛āĻžāĻŽ
1. āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻ āĻ¸āĻžāĻāĻĄ āĻāĻžāĻ°ā§āĻ¯āĻāĻ˛āĻžāĻĒ
āĻāĻāĻāĻŋ āĻ¨āĻžāĻŽāĻ¸ā§āĻĨāĻžāĻ¨ā§ āĻāĻāĻāĻŋ āĻĒāĻĄ āĻ¤ā§āĻ°āĻŋ āĻāĻ°ā§āĻ¨ default:
// any machine
$ kubectl run exec-test-nginx --image=nginxāĻ¤āĻžāĻ°āĻĒāĻ°ā§ āĻāĻŽāĻ°āĻž exec āĻāĻŽāĻžāĻ¨ā§āĻĄ āĻāĻžāĻ˛āĻžāĻ āĻāĻŦāĻ āĻāĻ°āĻ āĻĒāĻ°ā§āĻ¯āĻŦā§āĻā§āĻˇāĻŖā§āĻ° āĻāĻ¨ā§āĻ¯ 5000 āĻ¸ā§āĻā§āĻ¨ā§āĻĄ āĻ āĻĒā§āĻā§āĻˇāĻž āĻāĻ°āĻŋ:
// any machine
$ kubectl exec -it exec-test-nginx-6558988d5-fgxgg -- sh
# sleep 5000kubectl āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻĒā§āĻ°āĻĻāĻ°ā§āĻļāĻŋāĻ¤ āĻšāĻ¯āĻŧ (āĻāĻŽāĻžāĻĻā§āĻ° āĻā§āĻˇā§āĻ¤ā§āĻ°ā§ pid=8507 āĻ¸āĻš):
// any machine
$ ps -ef |grep kubectl
501 8507 8409 0 7:19PM ttys000 0:00.13 kubectl exec -it exec-test-nginx-6558988d5-fgxgg -- shāĻ¯āĻĻāĻŋ āĻāĻŽāĻ°āĻž āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻžāĻāĻŋāĻ° āĻ¨ā§āĻāĻāĻ¯āĻŧāĻžāĻ°ā§āĻ āĻāĻžāĻ°ā§āĻ¯āĻāĻ˛āĻžāĻĒ āĻĒāĻ°ā§āĻā§āĻˇāĻž āĻāĻ°āĻŋ, āĻ¤āĻžāĻšāĻ˛ā§ āĻāĻŽāĻ°āĻž āĻĻā§āĻāĻ¤ā§ āĻĒāĻžāĻŦ āĻ¯ā§ āĻāĻāĻŋāĻ° api-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻ¸āĻžāĻĨā§ āĻ¸āĻāĻ¯ā§āĻ āĻ°āĻ¯āĻŧā§āĻā§ (192.168.205.10.6443):
// any machine
$ netstat -atnv |grep 8507
tcp4 0 0 192.168.205.1.51673 192.168.205.10.6443 ESTABLISHED 131072 131768 8507 0 0x0102 0x00000020
tcp4 0 0 192.168.205.1.51672 192.168.205.10.6443 ESTABLISHED 131072 131768 8507 0 0x0102 0x00000028āĻāĻ° āĻā§āĻĄ āĻ¤āĻžāĻāĻžāĻ¨. Kubectl exec āĻ¸āĻžāĻŦāĻ°āĻŋāĻ¸ā§āĻ°ā§āĻ¸ā§āĻ° āĻ¸āĻžāĻĨā§ āĻāĻāĻāĻŋ POST āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻ¤ā§āĻ°āĻŋ āĻāĻ°ā§ āĻāĻŦāĻ āĻāĻāĻāĻŋ REST āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻĒāĻžāĻ āĻžāĻ¯āĻŧ:
req := restClient.Post().
Resource("pods").
Name(pod.Name).
Namespace(pod.Namespace).
SubResource("exec")
req.VersionedParams(&corev1.PodExecOptions{
Container: containerName,
Command: p.Command,
Stdin: p.Stdin,
Stdout: p.Out != nil,
Stderr: p.ErrOut != nil,
TTY: t.Raw,
}, scheme.ParameterCodec)
return p.Executor.Execute("POST", req.URL(), p.Config, p.In, p.Out, p.ErrOut, t.Raw, sizeQueue)()
2. āĻŽāĻžāĻ¸ā§āĻāĻžāĻ° āĻ¨ā§āĻĄā§āĻ° āĻĻāĻŋāĻā§ āĻāĻžāĻ°ā§āĻ¯āĻāĻ˛āĻžāĻĒ
āĻāĻŽāĻ°āĻž āĻāĻĒāĻŋāĻāĻ-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻ¸āĻžāĻāĻĄā§ āĻ āĻ¨ā§āĻ°ā§āĻ§āĻāĻŋāĻ āĻĒāĻ°ā§āĻ¯āĻŦā§āĻā§āĻˇāĻŖ āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°āĻŋ:
handler.go:143] kube-apiserver: POST "/api/v1/namespaces/default/pods/exec-test-nginx-6558988d5-fgxgg/exec" satisfied by gorestful with webservice /api/v1
upgradeaware.go:261] Connecting to backend proxy (intercepting redirects) https://192.168.205.11:10250/exec/default/exec-test-nginx-6558988d5-fgxgg/exec-test-nginx?command=sh&input=1&output=1&tty=1
Headers: map[Connection:[Upgrade] Content-Length:[0] Upgrade:[SPDY/3.1] User-Agent:[kubectl/v1.12.10 (darwin/amd64) kubernetes/e3c1340] X-Forwarded-For:[192.168.205.1] X-Stream-Protocol-Version:[v4.channel.k8s.io v3.channel.k8s.io v2.channel.k8s.io channel.k8s.io]]āĻ¨ā§āĻ āĻāĻ°ā§āĻ¨ āĻ¯ā§ HTTP āĻ āĻ¨ā§āĻ°ā§āĻ§ā§ āĻĒā§āĻ°ā§āĻā§āĻāĻ˛ āĻĒāĻ°āĻŋāĻŦāĻ°ā§āĻ¤āĻ¨ āĻāĻ°āĻžāĻ° āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻ āĻ¨ā§āĻ¤āĻ°ā§āĻā§āĻā§āĻ¤ āĻ°āĻ¯āĻŧā§āĻā§āĨ¤ āĻāĻĒāĻ¨āĻžāĻā§ āĻāĻāĻāĻŋ āĻāĻāĻ TCP āĻ¸āĻāĻ¯ā§āĻā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻĒā§āĻĨāĻ stdin/stdout/stderr/spdy-āĻāĻ°āĻ° "āĻ¸ā§āĻā§āĻ°āĻŋāĻŽ" āĻŽāĻžāĻ˛ā§āĻāĻŋāĻĒā§āĻ˛ā§āĻā§āĻ¸ āĻāĻ°āĻžāĻ° āĻ āĻ¨ā§āĻŽāĻ¤āĻŋ āĻĻā§āĻ¯āĻŧāĨ¤
API āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻ
āĻ¨ā§āĻ°ā§āĻ§āĻāĻŋ āĻā§āĻ°āĻšāĻŖ āĻāĻ°ā§ āĻāĻŦāĻ āĻāĻ¤ā§ āĻ°ā§āĻĒāĻžāĻ¨ā§āĻ¤āĻ° āĻāĻ°ā§ PodExecOptions:
// PodExecOptions is the query options to a Pod's remote exec call
type PodExecOptions struct {
metav1.TypeMeta
// Stdin if true indicates that stdin is to be redirected for the exec call
Stdin bool
// Stdout if true indicates that stdout is to be redirected for the exec call
Stdout bool
// Stderr if true indicates that stderr is to be redirected for the exec call
Stderr bool
// TTY if true indicates that a tty will be allocated for the exec call
TTY bool
// Container in which to execute the command.
Container string
// Command is the remote command to execute; argv array; not executed within a shell.
Command []string
}()
āĻĒā§āĻ°āĻ¯āĻŧā§āĻāĻ¨ā§āĻ¯āĻŧ āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻ¸āĻŽā§āĻĒāĻžāĻĻāĻ¨ āĻāĻ°āĻ¤ā§, āĻāĻĒāĻŋāĻāĻ-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°āĻā§ āĻ āĻŦāĻļā§āĻ¯āĻ āĻāĻžāĻ¨āĻ¤ā§ āĻšāĻŦā§ āĻā§āĻ¨ āĻĒāĻĄā§āĻ° āĻ¸āĻžāĻĨā§ āĻ¯ā§āĻāĻžāĻ¯ā§āĻ āĻāĻ°āĻ¤ā§ āĻšāĻŦā§:
// ExecLocation returns the exec URL for a pod container. If opts.Container is blank
// and only one container is present in the pod, that container is used.
func ExecLocation(
getter ResourceGetter,
connInfo client.ConnectionInfoGetter,
ctx context.Context,
name string,
opts *api.PodExecOptions,
) (*url.URL, http.RoundTripper, error) {
return streamLocation(getter, connInfo, ctx, name, opts, opts.Container, "exec")
}()
āĻ āĻŦāĻļā§āĻ¯āĻ, āĻļā§āĻˇ āĻĒāĻ¯āĻŧā§āĻ¨ā§āĻ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻĄā§āĻāĻž āĻ¨ā§āĻĄ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻ¤āĻĨā§āĻ¯ āĻĨā§āĻā§ āĻ¨ā§āĻāĻ¯āĻŧāĻž āĻšāĻ¯āĻŧ:
nodeName := types.NodeName(pod.Spec.NodeName)
if len(nodeName) == 0 {
// If pod has not been assigned a host, return an empty location
return nil, nil, errors.NewBadRequest(fmt.Sprintf("pod %s does not have a host assigned", name))
}
nodeInfo, err := connInfo.GetConnectionInfo(ctx, nodeName)()
āĻšā§āĻ°āĻ°ā§! āĻā§āĻŦā§āĻ˛ā§āĻā§āĻ° āĻāĻāĻ¨ āĻāĻāĻāĻŋ āĻŦāĻ¨ā§āĻĻāĻ° āĻ°āĻ¯āĻŧā§āĻā§ (node.Status.DaemonEndpoints.KubeletEndpoint.Port), āĻ¯āĻžāĻ° āĻ¸āĻžāĻĨā§ API āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻ¸āĻāĻ¯ā§āĻ āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§:
// GetConnectionInfo retrieves connection info from the status of a Node API object.
func (k *NodeConnectionInfoGetter) GetConnectionInfo(ctx context.Context, nodeName types.NodeName) (*ConnectionInfo, error) {
node, err := k.nodes.Get(ctx, string(nodeName), metav1.GetOptions{})
if err != nil {
return nil, err
}
// Find a kubelet-reported address, using preferred address type
host, err := nodeutil.GetPreferredNodeAddress(node, k.preferredAddressTypes)
if err != nil {
return nil, err
}
// Use the kubelet-reported port, if present
port := int(node.Status.DaemonEndpoints.KubeletEndpoint.Port)
if port <= 0 {
port = k.defaultPort
}
return &ConnectionInfo{
Scheme: k.scheme,
Hostname: host,
Port: strconv.Itoa(port),
Transport: k.transport,
}, nil
}()
āĻĄāĻā§āĻŽā§āĻ¨ā§āĻā§āĻļāĻ¨ āĻĨā§āĻā§ :
āĻāĻ āĻ¸āĻāĻ¯ā§āĻāĻā§āĻ˛āĻŋ āĻā§āĻŦā§āĻ˛ā§āĻā§āĻ° HTTPS āĻāĻ¨ā§āĻĄāĻĒāĻ¯āĻŧā§āĻ¨ā§āĻā§ āĻ¤ā§āĻ°āĻŋ āĻāĻ°āĻž āĻšāĻ¯āĻŧāĨ¤ āĻĄāĻŋāĻĢāĻ˛ā§āĻāĻ°ā§āĻĒā§, apiserver āĻā§āĻŦā§āĻ˛ā§āĻā§āĻ° āĻļāĻāĻ¸āĻžāĻĒāĻ¤ā§āĻ° āĻ¯āĻžāĻāĻžāĻ āĻāĻ°ā§ āĻ¨āĻž, āĻ¯āĻž āĻ¸āĻāĻ¯ā§āĻāĻāĻŋāĻā§ āĻŽā§āĻ¯āĻžāĻ¨-āĻāĻ¨-āĻĻā§āĻ¯-āĻŽāĻŋāĻĄāĻ˛ (MITM) āĻāĻā§āĻ°āĻŽāĻŖā§āĻ° āĻāĻ¨ā§āĻ¯ āĻā§āĻāĻāĻŋāĻĒā§āĻ°ā§āĻŖ āĻāĻ°ā§ āĻ¤ā§āĻ˛ā§ āĻāĻŦāĻ āĻ āĻ¨āĻŋāĻ°āĻžāĻĒāĻĻ āĻ āĻŦāĻŋāĻļā§āĻŦāĻ¸ā§āĻ¤ āĻāĻŦāĻ/āĻ āĻĨāĻŦāĻž āĻĒāĻžāĻŦāĻ˛āĻŋāĻ āĻ¨ā§āĻāĻāĻ¯āĻŧāĻžāĻ°ā§āĻā§ āĻāĻžāĻ āĻāĻ°āĻžāĻ° āĻāĻ¨ā§āĻ¯āĨ¤
āĻāĻāĻ¨ API āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻļā§āĻˇ āĻŦāĻŋāĻ¨ā§āĻĻā§ āĻāĻžāĻ¨ā§ āĻāĻŦāĻ āĻ¸āĻāĻ¯ā§āĻ āĻ¸ā§āĻĨāĻžāĻĒāĻ¨ āĻāĻ°ā§:
// Connect returns a handler for the pod exec proxy
func (r *ExecREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {
execOpts, ok := opts.(*api.PodExecOptions)
if !ok {
return nil, fmt.Errorf("invalid options object: %#v", opts)
}
location, transport, err := pod.ExecLocation(r.Store, r.KubeletConn, ctx, name, execOpts)
if err != nil {
return nil, err
}
return newThrottledUpgradeAwareProxyHandler(location, transport, false, true, true, responder), nil
}()
āĻāĻ˛ā§āĻ¨ āĻĻā§āĻāĻŋ āĻŽāĻžāĻ¸ā§āĻāĻžāĻ° āĻ¨ā§āĻĄā§ āĻāĻŋ āĻāĻāĻā§āĨ¤
āĻĒā§āĻ°āĻĨāĻŽāĻ¤, āĻāĻŽāĻ°āĻž āĻāĻ°ā§āĻŽā§ āĻ¨ā§āĻĄā§āĻ° āĻāĻāĻĒāĻŋ āĻā§āĻāĻā§ āĻŦā§āĻ° āĻāĻ°āĻŋāĨ¤ āĻāĻŽāĻžāĻĻā§āĻ° āĻā§āĻˇā§āĻ¤ā§āĻ°ā§ āĻāĻāĻŋ 192.168.205.11:
// any machine
$ kubectl get nodes k8s-node-1 -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node-1 Ready <none> 9h v1.15.3 192.168.205.11 <none> Ubuntu 16.04.6 LTS 4.4.0-159-generic docker://17.3.3āĻ¤āĻžāĻ°āĻĒāĻ° āĻā§āĻŦā§āĻ˛ā§āĻ āĻĒā§āĻ°ā§āĻ āĻ¸ā§āĻ āĻāĻ°ā§āĻ¨ (āĻāĻŽāĻžāĻĻā§āĻ° āĻā§āĻˇā§āĻ¤ā§āĻ°ā§ 10250):
// any machine
$ kubectl get nodes k8s-node-1 -o jsonpath='{.status.daemonEndpoints.kubeletEndpoint}'
map[Port:10250]
āĻāĻāĻ¨ āĻ¨ā§āĻāĻāĻ¯āĻŧāĻžāĻ°ā§āĻ āĻā§āĻ āĻāĻ°āĻžāĻ° āĻĒāĻžāĻ˛āĻžāĨ¤ āĻāĻ¯āĻŧāĻžāĻ°ā§āĻāĻžāĻ° āĻ¨ā§āĻĄā§āĻ° (192.168.205.11) āĻ¸āĻžāĻĨā§ āĻāĻāĻāĻŋ āĻ¸āĻāĻ¯ā§āĻ āĻāĻā§ āĻāĻŋ? āĻāĻāĻāĻž! āĻ¯āĻĻāĻŋ āĻāĻĒāĻ¨āĻŋ āĻāĻāĻāĻŋ āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻšāĻ¤ā§āĻ¯āĻž exec, āĻāĻāĻŋ āĻ
āĻĻā§āĻļā§āĻ¯ āĻšāĻ¯āĻŧā§ āĻ¯āĻžāĻŦā§, āĻ¤āĻžāĻ āĻāĻŽāĻŋ āĻāĻžāĻ¨āĻŋ āĻ¯ā§ exec āĻāĻŽāĻžāĻ¨ā§āĻĄ āĻāĻžāĻ°ā§āĻ¯āĻāĻ° āĻāĻ°āĻžāĻ° āĻĢāĻ˛ā§ āĻ¸āĻāĻ¯ā§āĻāĻāĻŋ api-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻĻā§āĻŦāĻžāĻ°āĻž āĻĒā§āĻ°āĻ¤āĻŋāĻˇā§āĻ āĻŋāĻ¤ āĻšāĻ¯āĻŧā§āĻāĻŋāĻ˛āĨ¤
// master node
$ netstat -atn |grep 192.168.205.11
tcp 0 0 192.168.205.10:37870 192.168.205.11:10250 ESTABLISHED
âĻ
kubectl āĻāĻŦāĻ api-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻ¸āĻāĻ¯ā§āĻ āĻāĻāĻ¨āĻ āĻā§āĻ˛āĻž āĻāĻā§āĨ¤ āĻ
āĻ¤āĻŋāĻ°āĻŋāĻā§āĻ¤āĻāĻžāĻŦā§, āĻāĻ°ā§āĻāĻāĻŋ āĻ¸āĻāĻ¯ā§āĻ āĻ°āĻ¯āĻŧā§āĻā§ āĻ¯āĻž āĻāĻĒāĻŋāĻāĻ-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻāĻŦāĻ āĻā§āĻŦā§āĻ˛ā§āĻāĻā§ āĻ˛āĻŋāĻā§āĻ āĻāĻ°ā§āĨ¤
3. āĻāĻ°ā§āĻŽā§ āĻ¨ā§āĻĄā§ āĻāĻžāĻ°ā§āĻ¯āĻāĻ˛āĻžāĻĒ
āĻāĻāĻ¨ āĻāĻ°ā§āĻŽā§ āĻ¨ā§āĻĄā§āĻ° āĻ¸āĻžāĻĨā§ āĻ¸āĻāĻ¯ā§āĻ āĻāĻ°āĻž āĻ¯āĻžāĻ āĻāĻŦāĻ āĻāĻāĻŋāĻ¤ā§ āĻā§ āĻāĻāĻā§ āĻ¤āĻž āĻĻā§āĻā§āĻ¨āĨ¤
āĻĒā§āĻ°āĻĨāĻŽāĻ¤, āĻāĻŽāĻ°āĻž āĻĻā§āĻāĻ¤ā§ āĻĒāĻžāĻ āĻ¯ā§ āĻāĻāĻŋāĻ° āĻ¸āĻžāĻĨā§ āĻ¸āĻāĻ¯ā§āĻāĻ āĻĒā§āĻ°āĻ¤āĻŋāĻˇā§āĻ āĻŋāĻ¤ āĻšāĻ¯āĻŧā§āĻā§ (āĻĻā§āĻŦāĻŋāĻ¤ā§āĻ¯āĻŧ āĻ˛āĻžāĻāĻ¨); 192.168.205.10 āĻšāĻ˛ āĻŽāĻžāĻ¸ā§āĻāĻžāĻ° āĻ¨ā§āĻĄā§āĻ° IP:
// worker node
$ netstat -atn |grep 10250
tcp6 0 0 :::10250 :::* LISTEN
tcp6 0 0 192.168.205.11:10250 192.168.205.10:37870 ESTABLISHED
āĻāĻŽāĻžāĻĻā§āĻ° āĻĻāĻ˛ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻāĻŋ sleep? āĻšā§āĻ°āĻ°ā§, āĻ¸ā§āĻ āĻ¸ā§āĻāĻžāĻ¨ā§ āĻāĻā§!
// worker node
$ ps -afx
...
31463 ? Sl 0:00 _ docker-containerd-shim 7d974065bbb3107074ce31c51f5ef40aea8dcd535ae11a7b8f2dd180b8ed583a /var/run/docker/libcontainerd/7d974065bbb3107074ce31c51
31478 pts/0 Ss 0:00 _ sh
31485 pts/0 S+ 0:00 _ sleep 5000
âĻāĻāĻŋāĻ¨ā§āĻ¤ā§ āĻ āĻĒā§āĻā§āĻˇāĻž āĻāĻ°ā§āĻ¨: āĻā§āĻŦā§āĻ˛ā§āĻ āĻā§āĻāĻžāĻŦā§ āĻāĻāĻŋ āĻŦāĻ¨ā§āĻ§ āĻāĻ°ā§ āĻĻāĻŋāĻ˛? āĻā§āĻŦā§āĻ˛ā§āĻā§āĻ° āĻāĻāĻāĻŋ āĻĄā§āĻŽāĻ¨ āĻ°āĻ¯āĻŧā§āĻā§ āĻ¯āĻž āĻāĻĒāĻŋāĻāĻ-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻ āĻ¨ā§āĻ°ā§āĻ§ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻĒā§āĻ°ā§āĻā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ API-āĻ¤ā§ āĻ ā§āĻ¯āĻžāĻā§āĻ¸ā§āĻ¸ āĻĒā§āĻ°āĻĻāĻžāĻ¨ āĻāĻ°ā§:
// Server is the library interface to serve the stream requests.
type Server interface {
http.Handler
// Get the serving URL for the requests.
// Requests must not be nil. Responses may be nil iff an error is returned.
GetExec(*runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error)
GetAttach(req *runtimeapi.AttachRequest) (*runtimeapi.AttachResponse, error)
GetPortForward(*runtimeapi.PortForwardRequest) (*runtimeapi.PortForwardResponse, error)
// Start the server.
// addr is the address to serve on (address:port) stayUp indicates whether the server should
// listen until Stop() is called, or automatically stop after all expected connections are
// closed. Calling Get{Exec,Attach,PortForward} increments the expected connection count.
// Function does not return until the server is stopped.
Start(stayUp bool) error
// Stop the server, and terminate any open connections.
Stop() error
}()
āĻā§āĻŦā§āĻ˛ā§āĻ exec āĻ āĻ¨ā§āĻ°ā§āĻ§ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻĒā§āĻ°āĻ¤āĻŋāĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻļā§āĻˇ āĻĒāĻ¯āĻŧā§āĻ¨ā§āĻ āĻāĻŖāĻ¨āĻž āĻāĻ°ā§:
func (s *server) GetExec(req *runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error) {
if err := validateExecRequest(req); err != nil {
return nil, err
}
token, err := s.cache.Insert(req)
if err != nil {
return nil, err
}
return &runtimeapi.ExecResponse{
Url: s.buildURL("exec", token),
}, nil
}()
āĻŦāĻŋāĻā§āĻ°āĻžāĻ¨ā§āĻ¤ āĻšāĻŦā§āĻ¨ āĻ¨āĻžāĨ¤ āĻāĻāĻŋ āĻāĻŽāĻžāĻ¨ā§āĻĄā§āĻ° āĻĢāĻ˛āĻžāĻĢāĻ˛ āĻĢā§āĻ°āĻ¤ āĻĻā§āĻ¯āĻŧ āĻ¨āĻž, āĻ¤āĻŦā§ āĻ¯ā§āĻāĻžāĻ¯ā§āĻā§āĻ° āĻāĻ¨ā§āĻ¯ āĻļā§āĻˇ āĻĒāĻ¯āĻŧā§āĻ¨ā§āĻ:
type ExecResponse struct {
// Fully qualified URL of the exec streaming server.
Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_sizecache int32 `json:"-"`
}()
āĻā§āĻŦā§āĻ˛ā§āĻ āĻāĻ¨ā§āĻāĻžāĻ°āĻĢā§āĻ¸ āĻĒā§āĻ°āĻ¯āĻŧā§āĻ āĻāĻ°ā§ RuntimeServiceClient, āĻ¯āĻž āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽ āĻāĻ¨ā§āĻāĻžāĻ°āĻĢā§āĻ¸ā§āĻ° āĻ
āĻāĻļ (āĻāĻŽāĻ°āĻž āĻāĻāĻŋ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻāĻ°āĻ āĻ˛āĻŋāĻā§āĻāĻŋ, āĻāĻĻāĻžāĻšāĻ°āĻŖāĻ¸ā§āĻŦāĻ°ā§āĻĒ, - āĻĒā§āĻ°āĻžāĻ¯āĻŧ. āĻ
āĻ¨ā§āĻŦāĻžāĻĻāĨ¤):
kubernetes/kubernetes-āĻ cri-api āĻĨā§āĻā§ āĻĻā§āĻ°ā§āĻ āĻ¤āĻžāĻ˛āĻŋāĻāĻž
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type RuntimeServiceClient interface {
// Version returns the runtime name, runtime version, and runtime API version.
Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error)
// RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
// the sandbox is in the ready state on success.
RunPodSandbox(ctx context.Context, in *RunPodSandboxRequest, opts ...grpc.CallOption) (*RunPodSandboxResponse, error)
// StopPodSandbox stops any running process that is part of the sandbox and
// reclaims network resources (e.g., IP addresses) allocated to the sandbox.
// If there are any running containers in the sandbox, they must be forcibly
// terminated.
// This call is idempotent, and must not return an error if all relevant
// resources have already been reclaimed. kubelet will call StopPodSandbox
// at least once before calling RemovePodSandbox. It will also attempt to
// reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
// multiple StopPodSandbox calls are expected.
StopPodSandbox(ctx context.Context, in *StopPodSandboxRequest, opts ...grpc.CallOption) (*StopPodSandboxResponse, error)
// RemovePodSandbox removes the sandbox. If there are any running containers
// in the sandbox, they must be forcibly terminated and removed.
// This call is idempotent, and must not return an error if the sandbox has
// already been removed.
RemovePodSandbox(ctx context.Context, in *RemovePodSandboxRequest, opts ...grpc.CallOption) (*RemovePodSandboxResponse, error)
// PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
// present, returns an error.
PodSandboxStatus(ctx context.Context, in *PodSandboxStatusRequest, opts ...grpc.CallOption) (*PodSandboxStatusResponse, error)
// ListPodSandbox returns a list of PodSandboxes.
ListPodSandbox(ctx context.Context, in *ListPodSandboxRequest, opts ...grpc.CallOption) (*ListPodSandboxResponse, error)
// CreateContainer creates a new container in specified PodSandbox
CreateContainer(ctx context.Context, in *CreateContainerRequest, opts ...grpc.CallOption) (*CreateContainerResponse, error)
// StartContainer starts the container.
StartContainer(ctx context.Context, in *StartContainerRequest, opts ...grpc.CallOption) (*StartContainerResponse, error)
// StopContainer stops a running container with a grace period (i.e., timeout).
// This call is idempotent, and must not return an error if the container has
// already been stopped.
// TODO: what must the runtime do after the grace period is reached?
StopContainer(ctx context.Context, in *StopContainerRequest, opts ...grpc.CallOption) (*StopContainerResponse, error)
// RemoveContainer removes the container. If the container is running, the
// container must be forcibly removed.
// This call is idempotent, and must not return an error if the container has
// already been removed.
RemoveContainer(ctx context.Context, in *RemoveContainerRequest, opts ...grpc.CallOption) (*RemoveContainerResponse, error)
// ListContainers lists all containers by filters.
ListContainers(ctx context.Context, in *ListContainersRequest, opts ...grpc.CallOption) (*ListContainersResponse, error)
// ContainerStatus returns status of the container. If the container is not
// present, returns an error.
ContainerStatus(ctx context.Context, in *ContainerStatusRequest, opts ...grpc.CallOption) (*ContainerStatusResponse, error)
// UpdateContainerResources updates ContainerConfig of the container.
UpdateContainerResources(ctx context.Context, in *UpdateContainerResourcesRequest, opts ...grpc.CallOption) (*UpdateContainerResourcesResponse, error)
// ReopenContainerLog asks runtime to reopen the stdout/stderr log file
// for the container. This is often called after the log file has been
// rotated. If the container is not running, container runtime can choose
// to either create a new log file and return nil, or return an error.
// Once it returns error, new container log file MUST NOT be created.
ReopenContainerLog(ctx context.Context, in *ReopenContainerLogRequest, opts ...grpc.CallOption) (*ReopenContainerLogResponse, error)
// ExecSync runs a command in a container synchronously.
ExecSync(ctx context.Context, in *ExecSyncRequest, opts ...grpc.CallOption) (*ExecSyncResponse, error)
// Exec prepares a streaming endpoint to execute a command in the container.
Exec(ctx context.Context, in *ExecRequest, opts ...grpc.CallOption) (*ExecResponse, error)
// Attach prepares a streaming endpoint to attach to a running container.
Attach(ctx context.Context, in *AttachRequest, opts ...grpc.CallOption) (*AttachResponse, error)
// PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
PortForward(ctx context.Context, in *PortForwardRequest, opts ...grpc.CallOption) (*PortForwardResponse, error)
// ContainerStats returns stats of the container. If the container does not
// exist, the call returns an error.
ContainerStats(ctx context.Context, in *ContainerStatsRequest, opts ...grpc.CallOption) (*ContainerStatsResponse, error)
// ListContainerStats returns stats of all running containers.
ListContainerStats(ctx context.Context, in *ListContainerStatsRequest, opts ...grpc.CallOption) (*ListContainerStatsResponse, error)
// UpdateRuntimeConfig updates the runtime configuration based on the given request.
UpdateRuntimeConfig(ctx context.Context, in *UpdateRuntimeConfigRequest, opts ...grpc.CallOption) (*UpdateRuntimeConfigResponse, error)
// Status returns the status of the runtime.
Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
}
()
āĻāĻ¨āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽ āĻāĻ¨ā§āĻāĻžāĻ°āĻĢā§āĻ¸ā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻāĻāĻāĻŋ āĻĒāĻĻā§āĻ§āĻ¤āĻŋ āĻāĻ˛ āĻāĻ°āĻ¤ā§ āĻāĻāĻŋ āĻ¸āĻšāĻāĻāĻžāĻŦā§ gRPC āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§:
type runtimeServiceClient struct {
cc *grpc.ClientConn
}()
func (c *runtimeServiceClient) Exec(ctx context.Context, in *ExecRequest, opts ...grpc.CallOption) (*ExecResponse, error) {
out := new(ExecResponse)
err := c.cc.Invoke(ctx, "/runtime.v1alpha2.RuntimeService/Exec", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}()
āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽ āĻŦāĻžāĻ¸ā§āĻ¤āĻŦāĻžāĻ¯āĻŧāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻĻāĻžāĻ¯āĻŧā§ RuntimeServiceServer:
kubernetes/kubernetes-āĻ cri-api āĻĨā§āĻā§ āĻĻā§āĻ°ā§āĻ āĻ¤āĻžāĻ˛āĻŋāĻāĻž
// RuntimeServiceServer is the server API for RuntimeService service.
type RuntimeServiceServer interface {
// Version returns the runtime name, runtime version, and runtime API version.
Version(context.Context, *VersionRequest) (*VersionResponse, error)
// RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
// the sandbox is in the ready state on success.
RunPodSandbox(context.Context, *RunPodSandboxRequest) (*RunPodSandboxResponse, error)
// StopPodSandbox stops any running process that is part of the sandbox and
// reclaims network resources (e.g., IP addresses) allocated to the sandbox.
// If there are any running containers in the sandbox, they must be forcibly
// terminated.
// This call is idempotent, and must not return an error if all relevant
// resources have already been reclaimed. kubelet will call StopPodSandbox
// at least once before calling RemovePodSandbox. It will also attempt to
// reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
// multiple StopPodSandbox calls are expected.
StopPodSandbox(context.Context, *StopPodSandboxRequest) (*StopPodSandboxResponse, error)
// RemovePodSandbox removes the sandbox. If there are any running containers
// in the sandbox, they must be forcibly terminated and removed.
// This call is idempotent, and must not return an error if the sandbox has
// already been removed.
RemovePodSandbox(context.Context, *RemovePodSandboxRequest) (*RemovePodSandboxResponse, error)
// PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
// present, returns an error.
PodSandboxStatus(context.Context, *PodSandboxStatusRequest) (*PodSandboxStatusResponse, error)
// ListPodSandbox returns a list of PodSandboxes.
ListPodSandbox(context.Context, *ListPodSandboxRequest) (*ListPodSandboxResponse, error)
// CreateContainer creates a new container in specified PodSandbox
CreateContainer(context.Context, *CreateContainerRequest) (*CreateContainerResponse, error)
// StartContainer starts the container.
StartContainer(context.Context, *StartContainerRequest) (*StartContainerResponse, error)
// StopContainer stops a running container with a grace period (i.e., timeout).
// This call is idempotent, and must not return an error if the container has
// already been stopped.
// TODO: what must the runtime do after the grace period is reached?
StopContainer(context.Context, *StopContainerRequest) (*StopContainerResponse, error)
// RemoveContainer removes the container. If the container is running, the
// container must be forcibly removed.
// This call is idempotent, and must not return an error if the container has
// already been removed.
RemoveContainer(context.Context, *RemoveContainerRequest) (*RemoveContainerResponse, error)
// ListContainers lists all containers by filters.
ListContainers(context.Context, *ListContainersRequest) (*ListContainersResponse, error)
// ContainerStatus returns status of the container. If the container is not
// present, returns an error.
ContainerStatus(context.Context, *ContainerStatusRequest) (*ContainerStatusResponse, error)
// UpdateContainerResources updates ContainerConfig of the container.
UpdateContainerResources(context.Context, *UpdateContainerResourcesRequest) (*UpdateContainerResourcesResponse, error)
// ReopenContainerLog asks runtime to reopen the stdout/stderr log file
// for the container. This is often called after the log file has been
// rotated. If the container is not running, container runtime can choose
// to either create a new log file and return nil, or return an error.
// Once it returns error, new container log file MUST NOT be created.
ReopenContainerLog(context.Context, *ReopenContainerLogRequest) (*ReopenContainerLogResponse, error)
// ExecSync runs a command in a container synchronously.
ExecSync(context.Context, *ExecSyncRequest) (*ExecSyncResponse, error)
// Exec prepares a streaming endpoint to execute a command in the container.
Exec(context.Context, *ExecRequest) (*ExecResponse, error)
// Attach prepares a streaming endpoint to attach to a running container.
Attach(context.Context, *AttachRequest) (*AttachResponse, error)
// PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
PortForward(context.Context, *PortForwardRequest) (*PortForwardResponse, error)
// ContainerStats returns stats of the container. If the container does not
// exist, the call returns an error.
ContainerStats(context.Context, *ContainerStatsRequest) (*ContainerStatsResponse, error)
// ListContainerStats returns stats of all running containers.
ListContainerStats(context.Context, *ListContainerStatsRequest) (*ListContainerStatsResponse, error)
// UpdateRuntimeConfig updates the runtime configuration based on the given request.
UpdateRuntimeConfig(context.Context, *UpdateRuntimeConfigRequest) (*UpdateRuntimeConfigResponse, error)
// Status returns the status of the runtime.
Status(context.Context, *StatusRequest) (*StatusResponse, error)
}
()
āĻ¯āĻĻāĻŋ āĻ¤āĻžāĻ āĻšāĻ¯āĻŧ, āĻāĻŽāĻžāĻĻā§āĻ° āĻā§āĻŦā§āĻ˛ā§āĻ āĻāĻŦāĻ āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽā§āĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻāĻāĻāĻŋ āĻ¸āĻāĻ¯ā§āĻ āĻĻā§āĻāĻ¤ā§ āĻšāĻŦā§, āĻ¤āĻžāĻ āĻ¨āĻž? āĻāĻ° āĻā§āĻ āĻāĻ°āĻž āĻ¯āĻžāĻ.
exec āĻāĻŽāĻžāĻ¨ā§āĻĄā§āĻ° āĻāĻā§ āĻāĻŦāĻ āĻĒāĻ°ā§ āĻāĻ āĻāĻŽāĻžāĻ¨ā§āĻĄāĻāĻŋ āĻāĻžāĻ˛āĻžāĻ¨ āĻāĻŦāĻ āĻĒāĻžāĻ°ā§āĻĨāĻā§āĻ¯āĻā§āĻ˛āĻŋ āĻĻā§āĻā§āĻ¨āĨ¤ āĻāĻŽāĻžāĻ° āĻā§āĻˇā§āĻ¤ā§āĻ°ā§ āĻĒāĻžāĻ°ā§āĻĨāĻā§āĻ¯ āĻšāĻ˛:
// worker node
$ ss -a -p |grep kubelet
...
u_str ESTAB 0 0 * 157937 * 157387 users:(("kubelet",pid=5714,fd=33))
...āĻšā§āĻŽ... āĻāĻāĻāĻŋ āĻā§āĻŦā§āĻ˛ā§āĻ (āĻĒāĻŋāĻĄ=5714) āĻāĻŦāĻ āĻ āĻāĻžāĻ¨āĻž āĻāĻŋāĻā§āĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻāĻāĻ¨āĻŋāĻā§āĻ¸ āĻ¸āĻā§āĻā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻāĻāĻāĻŋ āĻ¨āĻ¤ā§āĻ¨ āĻ¸āĻāĻ¯ā§āĻāĨ¤ āĻāĻāĻž āĻā§ āĻšāĻ¤ā§ āĻĒāĻžāĻ°āĻ¤ā§? āĻāĻāĻž āĻ āĻŋāĻ, āĻāĻāĻž āĻĄāĻāĻžāĻ° (pid=1186)!
// worker node
$ ss -a -p |grep 157387
...
u_str ESTAB 0 0 * 157937 * 157387 users:(("kubelet",pid=5714,fd=33))
u_str ESTAB 0 0 /var/run/docker.sock 157387 * 157937 users:(("dockerd",pid=1186,fd=14))
...āĻāĻĒāĻ¨āĻžāĻ° āĻŽāĻ¨ā§ āĻāĻā§, āĻāĻāĻŋ āĻšāĻ˛ āĻĄāĻāĻžāĻ° āĻĄā§āĻŽāĻ¨ āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž (pid=1186) āĻ¯āĻž āĻāĻŽāĻžāĻĻā§āĻ° āĻāĻŽāĻžāĻ¨ā§āĻĄ āĻāĻžāĻ°ā§āĻ¯āĻāĻ° āĻāĻ°ā§:
// worker node
$ ps -afx
...
1186 ? Ssl 0:55 /usr/bin/dockerd -H fd://
17784 ? Sl 0:00 _ docker-containerd-shim 53a0a08547b2f95986402d7f3b3e78702516244df049ba6c5aa012e81264aa3c /var/run/docker/libcontainerd/53a0a08547b2f95986402d7f3
17801 pts/2 Ss 0:00 _ sh
17827 pts/2 S+ 0:00 _ sleep 5000
...4. āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽā§ āĻāĻžāĻ°ā§āĻ¯āĻāĻ˛āĻžāĻĒ
āĻāĻŋ āĻāĻāĻā§ āĻ¤āĻž āĻŦā§āĻāĻžāĻ° āĻāĻ¨ā§āĻ¯ āĻāĻ¸ā§āĻ¨ CRI-O āĻ¸ā§āĻ°ā§āĻ¸ āĻā§āĻĄ āĻĒāĻ°ā§āĻā§āĻˇāĻž āĻāĻ°āĻŋāĨ¤ āĻĄāĻāĻžāĻ°ā§ āĻ¯ā§āĻā§āĻ¤āĻŋ āĻāĻāĻ āĻ°āĻāĻŽāĨ¤
āĻŦāĻžāĻ¸ā§āĻ¤āĻŦāĻžāĻ¯āĻŧāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻĻāĻžāĻ¯āĻŧā§ āĻāĻāĻāĻŋ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻāĻā§ RuntimeServiceServer:
// Server implements the RuntimeService and ImageService
type Server struct {
config libconfig.Config
seccompProfile *seccomp.Seccomp
stream StreamService
netPlugin ocicni.CNIPlugin
hostportManager hostport.HostPortManager
appArmorProfile string
hostIP string
bindAddress string
*lib.ContainerServer
monitorsChan chan struct{}
defaultIDMappings *idtools.IDMappings
systemContext *types.SystemContext // Never nil
updateLock sync.RWMutex
seccompEnabled bool
appArmorEnabled bool
}()
// Exec prepares a streaming endpoint to execute a command in the container.
func (s *Server) Exec(ctx context.Context, req *pb.ExecRequest) (resp *pb.ExecResponse, err error) {
const operation = "exec"
defer func() {
recordOperation(operation, time.Now())
recordError(operation, err)
}()
resp, err = s.getExec(req)
if err != nil {
return nil, fmt.Errorf("unable to prepare exec endpoint: %v", err)
}
return resp, nil
}()
āĻā§āĻāĻ¨ā§āĻ° āĻļā§āĻˇā§, āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽ āĻāĻ¯āĻŧāĻžāĻ°ā§āĻāĻžāĻ° āĻ¨ā§āĻĄā§ āĻāĻŽāĻžāĻ¨ā§āĻĄāĻāĻŋ āĻāĻžāĻ°ā§āĻ¯āĻāĻ° āĻāĻ°ā§:
// ExecContainer prepares a streaming endpoint to execute a command in the container.
func (r *runtimeOCI) ExecContainer(c *Container, cmd []string, stdin io.Reader, stdout, stderr io.WriteCloser, tty bool, resize <-chan remotecommand.TerminalSize) error {
processFile, err := prepareProcessExec(c, cmd, tty)
if err != nil {
return err
}
defer os.RemoveAll(processFile.Name())
args := []string{rootFlag, r.root, "exec"}
args = append(args, "--process", processFile.Name(), c.ID())
execCmd := exec.Command(r.path, args...)
if v, found := os.LookupEnv("XDG_RUNTIME_DIR"); found {
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", v))
}
var cmdErr, copyError error
if tty {
cmdErr = ttyCmd(execCmd, stdin, stdout, resize)
} else {
if stdin != nil {
// Use an os.Pipe here as it returns true *os.File objects.
// This way, if you run 'kubectl exec <pod> -i bash' (no tty) and type 'exit',
// the call below to execCmd.Run() can unblock because its Stdin is the read half
// of the pipe.
r, w, err := os.Pipe()
if err != nil {
return err
}
go func() { _, copyError = pools.Copy(w, stdin) }()
execCmd.Stdin = r
}
if stdout != nil {
execCmd.Stdout = stdout
}
if stderr != nil {
execCmd.Stderr = stderr
}
cmdErr = execCmd.Run()
}
if copyError != nil {
return copyError
}
if exitErr, ok := cmdErr.(*exec.ExitError); ok {
return &utilexec.ExitErrorWrapper{ExitError: exitErr}
}
return cmdErr
}()
āĻ
āĻŦāĻļā§āĻˇā§, āĻāĻžāĻ°ā§āĻ¨ā§āĻ˛ āĻāĻŽāĻžāĻ¨ā§āĻĄāĻā§āĻ˛āĻŋ āĻāĻžāĻ˛āĻžāĻ¯āĻŧ:
āĻ¨āĻžāĻŽ
- āĻāĻĒāĻŋāĻāĻ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°āĻ āĻā§āĻŦā§āĻ˛ā§āĻā§āĻ° āĻ¸āĻžāĻĨā§ āĻāĻāĻāĻŋ āĻ¸āĻāĻ¯ā§āĻ āĻļā§āĻ°ā§ āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤
- āĻāĻ¨ā§āĻāĻžāĻ°ā§āĻā§āĻāĻŋāĻ āĻāĻā§āĻ¸āĻŋāĻ āĻ¸ā§āĻļāĻ¨ āĻļā§āĻˇ āĻ¨āĻž āĻšāĻāĻ¯āĻŧāĻž āĻĒāĻ°ā§āĻ¯āĻ¨ā§āĻ¤ āĻ¨āĻŋāĻŽā§āĻ¨āĻ˛āĻŋāĻāĻŋāĻ¤ āĻ¸āĻāĻ¯ā§āĻāĻā§āĻ˛āĻŋ āĻāĻŋāĻā§ āĻĨāĻžāĻā§:
- kubectl āĻāĻŦāĻ api-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻŽāĻ§ā§āĻ¯ā§;
- api-server āĻāĻŦāĻ kubectl āĻāĻ° āĻŽāĻ§ā§āĻ¯ā§;
- āĻā§āĻŦā§āĻ˛ā§āĻ āĻāĻŦāĻ āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽā§āĻ° āĻŽāĻ§ā§āĻ¯ā§āĨ¤
- Kubectl āĻŦāĻž api-āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻāĻ°ā§āĻŽā§ āĻ¨ā§āĻĄāĻā§āĻ˛āĻŋāĻ¤ā§ āĻāĻŋāĻā§ āĻāĻžāĻ˛āĻžāĻ¤ā§ āĻĒāĻžāĻ°ā§ āĻ¨āĻžāĨ¤ āĻā§āĻŦā§āĻ˛ā§āĻ āĻāĻžāĻ˛āĻžāĻ¤ā§ āĻĒāĻžāĻ°ā§, āĻ¤āĻŦā§ āĻāĻāĻŋ āĻ¸ā§āĻ āĻāĻŋāĻ¨āĻŋāĻ¸āĻā§āĻ˛āĻŋ āĻāĻ°āĻžāĻ° āĻāĻ¨ā§āĻ¯ āĻāĻ¨ā§āĻā§āĻāĻ¨āĻžāĻ° āĻ°āĻžāĻ¨āĻāĻžāĻāĻŽā§āĻ° āĻ¸āĻžāĻĨā§āĻ āĻāĻ¨ā§āĻāĻžāĻ°āĻ ā§āĻ¯āĻžāĻā§āĻ āĻāĻ°ā§āĨ¤
āĻ¸āĻŽā§āĻĒāĻĻ
- āĻāĻ˛ā§āĻāĻ¨āĻž"" kubernetes-dev āĻ¤ā§;
- āĻ¨āĻŋāĻŦāĻ¨ā§āĻ§ "";
- āĻāĻ˛ā§āĻāĻ¨āĻž"" āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻ¤ā§āĻ°ā§āĻāĻŋāĻ° āĻāĻĒāĻ°āĨ¤
āĻ āĻ¨ā§āĻŦāĻžāĻĻāĻ āĻĨā§āĻā§ PS
āĻāĻŽāĻžāĻĻā§āĻ° āĻŦā§āĻ˛āĻā§āĻ āĻĒāĻĄāĻŧā§āĻ¨:
- "āĻāĻĒāĻ¨āĻŋ āĻ¯āĻāĻ¨ kubectl āĻ°āĻžāĻ¨ āĻāĻžāĻ˛āĻžāĻ¨ āĻ¤āĻāĻ¨ āĻā§āĻŦāĻžāĻ°āĻ¨ā§āĻāĻ¸ā§ āĻāĻŋ āĻšāĻ¯āĻŧ?" и ;
- ÂĢ";
- ÂĢ";
- ÂĢÂģ.
āĻāĻ¤ā§āĻ¸: www.habr.com