CRI-O as a replacement for Docker as the runtime for Kubernetes: setup on CentOS 8

Hi! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf aims not only to establish interaction between specialists and integrate work processes, but also to actively research and adopt current technologies, both in our own infrastructure and in our customers' infrastructure.

Below I will talk a little about the changes in the container technology stack that we encountered while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up a runtime for Kubernetes.


Why is Docker not included in CentOS 8?

After installing the latest major releases, RHEL 8 or CentOS 8, one cannot help but notice that these distributions and their official repositories do not contain the Docker application, which is replaced ideologically and functionally by the Podman, Buildah (present in the distribution by default) and CRI-O packages. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.

The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they do not contradict the Linux philosophy (for example, in the part that each program should do one thing, whereas Docker is a kind of all-in-one tool). Second, they could eliminate all the existing shortcomings of the Docker software. Third, they would be fully compatible with the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).

The shortcomings of Docker and the advantages of the new software have already been described in some detail in this article, and a detailed description of the whole software stack offered within the OCI project, along with its architectural features, can be found in the official documentation and in articles from Red Hat itself (a decent article in the Red Hat blog) as well as in third-party reviews.

It is important to note what functionality each component of the proposed stack provides:

  • Podman - direct interaction with containers and image storage through the runC process;
  • Buildah - building images and uploading them to a registry;
  • CRI-O - a runtime for container orchestration systems (for example, Kubernetes).

I think that, to understand the general scheme of interaction between the components of the stack, it is worth giving here the connection diagram of Kubernetes with runC and the low-level libraries that use CRI-O:

[Diagram: Kubernetes, CRI-O, runC and the low-level libraries]

CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O match). Taking into account the developers' focus on complete and comprehensive testing of this stack, this gives us the right to expect the maximum achievable stability under any usage scenario (the relative lightness of CRI-O compared to Docker, a result of its deliberately limited functionality, is also a benefit here).

When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into some minor difficulties, which we nevertheless overcame. I will be happy to share installation and configuration instructions with you, which in total will take about 10 minutes.

How to deploy Kubernetes on CentOS 8 using the CRI-O runtime

Prerequisites: at least one host (2 cores, 4 GB RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), as well as an entry for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). And don't forget to disable swap.

We perform all operations on the host as the root user, so be careful.

  1. In the first step, we will configure the OS, and install and configure the preliminary dependencies for CRI-O.
    • Let's update the OS:
      dnf -y update

    • Next you need to configure the firewall and SELinux. Here everything depends on the environment in which our host or hosts will operate. You can either configure the firewall according to the recommendations in the documentation or, if you are on a trusted network or use a third-party firewall, change the default zone to trusted or turn off the firewall:
      firewall-cmd --set-default-zone trusted
      firewall-cmd --reload

      To turn off the firewall you can use the following command:

      systemctl disable --now firewalld

      SELinux needs to be turned off or switched to "permissive" mode:

      setenforce 0
      sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

    • Load the required kernel modules and packages, and configure automatic loading of the "br_netfilter" module at system startup:
      modprobe overlay
      modprobe br_netfilter
      echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
      dnf -y install iproute-tc

    • To enable packet forwarding and correct traffic processing, we make the appropriate settings:
      cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
      net.bridge.bridge-nf-call-iptables = 1
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      EOF

      Apply the settings:

      sysctl --system

    • Set the required version of CRI-O (the major version of CRI-O, as already mentioned, matches the required version of Kubernetes). The latest stable version of Kubernetes is currently 1.18:
      export REQUIRED_VERSION=1.18

      Add the required repositories:

      dnf -y install 'dnf-command(copr)'
      dnf -y copr enable rhcontainerbot/container-selinux
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo

    • Now we can install CRI-O:
      dnf -y install cri-o

      Note the first nuance we encountered during installation: you need to edit the CRI-O configuration before starting the service, since the required component, conmon, is located somewhere other than the path specified:

      sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf

      Now you can enable and start the CRI-O daemon:

      systemctl enable --now crio

      You can check the daemon status:

      systemctl status crio

  2. Installing and activating Kubernetes.
    • Let's add the required repository:
      cat <<EOF > /etc/yum.repos.d/kubernetes.repo
      [kubernetes]
      name=Kubernetes
      baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
      enabled=1
      gpgcheck=1
      repo_gpgcheck=1
      gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
      exclude=kubelet kubeadm kubectl
      EOF

      Now we can install Kubernetes (version 1.18, as mentioned above):

      dnf install -y kubelet-1.18* kubeadm-1.18* kubectl-1.18* --disableexcludes=kubernetes

    • The second important nuance: since we are using the CRI-O daemon rather than the Docker daemon, before starting and initializing Kubernetes you need to make the appropriate settings in the configuration file /var/lib/kubelet/config.yaml, having first created the required directory:
      mkdir -p /var/lib/kubelet
      cat <<EOF > /var/lib/kubelet/config.yaml
      apiVersion: kubelet.config.k8s.io/v1beta1
      kind: KubeletConfiguration
      cgroupDriver: systemd
      EOF

    • The third important point we encountered during installation: even though we have specified the cgroup driver to use, and configuring it through arguments passed to the kubelet is deprecated (as explicitly stated in the documentation), we need to add the arguments to the file, otherwise our cluster will not initialize:
      cat /dev/null > /etc/sysconfig/kubelet
      cat <<EOF > /etc/sysconfig/kubelet
      KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
      EOF

    • Now we can activate the kubelet daemon:
      sudo systemctl enable --now kubelet

      To configure control-plane or worker nodes in minutes, you can use this script.

  3. It's time to initialize our cluster.
    • To initialize the cluster, run the command:
      kubeadm init --pod-network-cidr=10.244.0.0/16

      Be sure to write down the command for joining the cluster, "kubeadm join ...", which you are prompted to use at the end of the output, or at least the specified tokens.

    • Let's install a plugin (CNI) for the Pod network. I recommend using Calico. The possibly more popular Flannel has compatibility problems with nftables, and Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
      kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml 

    • To connect a worker node to our cluster, you need to configure it according to steps 1 and 2 of these instructions, or use the script, and then run the command from the "kubeadm init ..." output that we wrote down in the previous step:
      kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN \
          --discovery-token-ca-cert-hash $TOKEN_HASH

    • Let's check that our cluster has been initialized and has started working:
      kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A

    Done! You can already host workloads on your K8s cluster.
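
A pre-flight check for the files written in steps 1 and 2, to run before `kubeadm init`. This is an added example, not part of the original article: the function names `conf_value` and `audit_node` and the `ROOT` argument are hypothetical, and `cgroup_manager` is a CRI-O option the article does not mention.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit the files written in steps 1-2.
# Usage: audit_node [ROOT]  - ROOT is empty on a real host, or a scratch copy.

# Print the value of KEY from FILE, for lines of the form "KEY <SEP> value".
conf_value() {  # conf_value FILE KEY SEP
    awk -v k="$2" -v s="$3" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { i = index($0, s); if (!i) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/[ \t]/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
          if (key == k) { print val; exit } }' "$1" 2>/dev/null || true
}

audit_node() {  # prints one FAIL line per problem; returns the problem count
    root="${1:-}"; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Step 1: bridged traffic must reach iptables and forwarding must be on.
    for key in net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward \
               net.bridge.bridge-nf-call-ip6tables; do
        v=$(conf_value "$root/etc/sysctl.d/99-kubernetes-cri.conf" "$key" "=")
        [ "$v" = "1" ] || fail "$key is '${v:-unset}', expected 1"
    done

    # First nuance: the conmon path in crio.conf must point at an existing file.
    conmon=$(conf_value "$root/etc/crio/crio.conf" conmon "=")
    { [ -n "$conmon" ] && [ -f "$root$conmon" ]; } \
        || fail "conmon '${conmon:-unset}' from crio.conf does not exist"

    # Second and third nuance: config.yaml, the kubelet flags and CRI-O
    # (cgroup_manager, when set) must all name the same cgroup driver.
    cfg=$(conf_value "$root/var/lib/kubelet/config.yaml" cgroupDriver ":")
    args=$(conf_value "$root/etc/sysconfig/kubelet" KUBELET_EXTRA_ARGS "=")
    flag=$(printf '%s\n' "$args" | sed -n 's/.*--cgroup-driver=\([^ ]*\).*/\1/p')
    crio=$(conf_value "$root/etc/crio/crio.conf" cgroup_manager "=")
    { [ -n "$cfg" ] && [ "$cfg" = "$flag" ]; } \
        || fail "cgroup driver: config.yaml='$cfg', kubelet flag='$flag'"
    [ -z "$crio" ] || [ "$crio" = "$cfg" ] \
        || fail "cgroup driver: CRI-O='$crio', kubelet='$cfg'"

    # The kubelet must be pointed at the CRI-O socket rather than Docker.
    case "$args" in
        *--container-runtime-endpoint=*crio.sock*) ;;
        *) fail "KUBELET_EXTRA_ARGS lacks a CRI-O --container-runtime-endpoint" ;;
    esac
    return "$problems"
}
```

On a real host, source the file and call `audit_node` with no argument; a non-zero exit status is the number of settings that still differ from the ones in this walkthrough.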

What awaits us next

I hope the instructions above helped save you some time and nerves.
The outcome of processes in the industry often depends on how they are received by the bulk of end users and by developers of other software in the relevant niche. It is not yet entirely clear what the OCI initiatives will lead to in a few years, but we will be watching with pleasure. You can share your opinion right now in the comments.

Stay tuned!

This article appeared thanks to the following sources:



source: www.habr.com
