Kubernetes best practices. Building small containers

The first step in deploying to Kubernetes is putting your application in a container. In this series, we'll look at how you can build a small, secure container image.
Thanks to Docker, building container images has never been easier. Specify a base image, add your changes, and build the container.

While this technique is great for getting started, using the default base images can lead to insecure operation with large images full of vulnerabilities.

In addition, most images on Docker use Debian or Ubuntu as the base image, and while this gives excellent compatibility and easy customization (the Dockerfile takes only two lines), base images can add hundreds of megabytes of extra load to your container. For example, the image for a simple node.js or Go "hello-world" application is about 700 megabytes, while your actual application is only a few megabytes in size.

So all this extra load is a waste of digital space and a great hiding place for security vulnerabilities and bugs. Let's look at two ways to reduce the size of a container image.

The first is to use small base images, the second is to use the Builder Pattern. Using smaller base images is probably the easiest way to reduce container size. Most likely, the language or stack you use provides an official application image that is much smaller than the default image. Let's look at our node.js container.

By default in Docker, the node:8 base image is 670 MB, while the node:8-alpine image is only 65 MB, that is, 10 times smaller. By using the smaller Alpine base image, you significantly reduce the size of your container. Alpine is a small, lightweight Linux distribution that is popular among Docker users because it is compatible with many applications while keeping containers small. Unlike the standard Docker "node" image, "node:alpine" removes most service files and programs, leaving only those that are enough to run your application.

To move to a smaller base image, just update the Dockerfile to start from the new base image.

Now, unlike the old onbuild image, you need to copy your code into the container and install any dependencies. In the new Dockerfile, the container starts from the node:alpine image, then creates a directory for the code, installs dependencies using the NPM package manager, and finally runs server.js.
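The steps just described, written out as an added example (this is not the Dockerfile from the original article). The file names other than server.js, the port and the `USER node` line are assumptions of this example.

```dockerfile
# Added example, not the Dockerfile from the original article.
# Before (assumed two-line onbuild form, kept as a comment for comparison):
#   FROM node:onbuild
#   EXPOSE 8080
# After: the same app on the small Alpine-based image.
FROM node:8-alpine

# Directory for the application code.
WORKDIR /app

# Copy the manifest first so the dependency layer is cached until it changes.
COPY package.json /app/package.json

# Install runtime dependencies only; devDependencies stay out of the image.
RUN npm install --production

# Copy the application code (server.js is the entry point named in the text).
COPY server.js /app/server.js

# Run as the unprivileged "node" user that the official image provides.
USER node

# Port 8080 is an assumption for this example.
EXPOSE 8080
CMD ["node", "server.js"]
```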

This update results in a container that is 10 times smaller. If your programming language or stack does not offer a reduced base image, use Alpine Linux. It also gives you full control over the contents of the container. Using small base images is a great way to build small containers quickly. But an even greater reduction can be achieved with the Builder Pattern.

In interpreted languages, the source code is first passed to an interpreter and then executed directly. In compiled languages, the source code is first converted into compiled code. However, compilation often uses tools that are not actually needed to run the code. This means you can remove these tools from the final container entirely. You can use the Builder Pattern for this.

The code is created in the first container and compiled. The compiled code is then packaged into the final container without the compilers and tools needed to compile it. Let's run a Go application through this process. First, we'll move from the onbuild image to Alpine Linux.

In the new Dockerfile, the container starts from the golang:alpine image. It then creates a directory for the code, copies the source code into it, builds that source code, and runs the application. This container is much smaller than the onbuild container, but it still contains the compiler and other Go tools that we don't really need. So let's just extract the compiled program and put it in its own container.

You may notice something strange in this Dockerfile: it contains two FROM lines. The first 4-line section looks exactly like the previous Dockerfile, except that it uses the AS keyword to name this stage. The next section has a new FROM line to start a new image, where instead of the golang:alpine image we use raw Alpine as the base image.

Raw Alpine Linux has no SSL certificates installed, which will cause most API calls over HTTPS to fail, so let's install some root CA certificates.

Now comes the fun part: to copy the compiled code from the first container to the second, you can simply use the COPY command on line 5 of the second section. It copies only the single application file and does not touch the Go tooling. The new multi-stage Dockerfile produces a container image of only 12 megabytes, compared to the original container image of 700 megabytes, which is a big difference!
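A two-stage Dockerfile of the kind described above, as an added example (not the file from the original article, so its line positions differ from the ones the text counts). The stage name `build-env`, the binary name `goapp`, the `app` user and port 8080 are assumptions, and the source directory is assumed to contain a `go.mod` and a main package.

```dockerfile
# Added example, not the Dockerfile from the original article.
# Stage 1: build with the full Go toolchain.
# "build-env" and "goapp" are assumed names.
FROM golang:alpine AS build-env
WORKDIR /app
COPY . /app
# CGO_ENABLED=0 yields a static binary with no dependency on the builder's libc.
RUN CGO_ENABLED=0 go build -o goapp .

# Stage 2: start again from plain Alpine; nothing from stage 1 carries over
# unless it is copied explicitly.
FROM alpine
# Plain Alpine ships no CA bundle, so outbound HTTPS calls would fail without it.
RUN apk add --no-cache ca-certificates
# Unprivileged account for the service (assumed name and UID).
RUN adduser -D -H -u 10001 app
WORKDIR /app
# Copy only the compiled binary; the compiler and sources stay in stage 1.
COPY --from=build-env /app/goapp /app/goapp
USER app
# Port 8080 is an assumption for this example.
EXPOSE 8080
ENTRYPOINT ["/app/goapp"]
```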
So using small base images and the Builder Pattern are great ways to build much smaller containers without a lot of work.
Depending on the application stack, there may be additional ways to reduce image and container size, but do small containers really have a measurable benefit? Let's look at two areas where small containers are highly effective: performance and security.

To evaluate the performance gain, consider how long it takes to build a container, put it in a registry (push), and then retrieve it from there (pull). You can see that a smaller container has a distinct advantage over a larger one.

Docker caches layers, so subsequent builds will be very fast. However, many CI systems used to build and test containers do not cache layers, so there are significant time savings. As you can see, the time to build the large container, depending on the power of your machine, is from 34 to 54 seconds, while for the container reduced with the Builder Pattern it is from 23 to 28 seconds. For operations of this kind, the productivity gain is 40-50%. So just think about how many times you build and test your code.

After the container is built, you need to push its image (the container image) to a container registry so that you can use it in your Kubernetes cluster. I recommend using Container Registry.

With Google Container Registry (GCR), you pay only for raw storage and networking, and there are no additional container management fees. It is private, secure and very fast. GCR uses many techniques to speed up the pull operation. As you can see, pushing a Docker container image built with go:onbuild takes from 15 to 48 seconds, depending on the performance of the computer, while the same operation with the smaller container takes from 14 to 16 seconds, and on less powerful machines the speed advantage grows to 3 times. On larger machines the time is about the same, since GCR uses a global cache for a shared database of images, meaning you don't need to upload them at all. On a low-powered computer the CPU is the bottleneck, so the advantage of using small containers is greater here.

If you use GCR, I strongly recommend using Google Container Builder (GCB) as part of your build system.

As you can see, using it gives better results in reducing the duration of the Build + Push operation than even a powerful machine: in this case, building and pushing containers to the host is almost 2 times faster. In addition, you get 120 free build minutes every day, which covers your container build needs in most cases.

Next comes the most important performance metric: the speed of retrieving, or downloading, containers (pull). While you may not care much about the time spent on the push operation, the duration of the pull process has a serious impact on overall system performance. Let's say you have a cluster of three nodes and one of them fails. If you use a managed system such as Google Kubernetes Engine, it automatically replaces the dead node with a new one. However, this new node will be completely empty, and you will have to pull all of your containers onto it before it can start working. If the pull operation takes a long time, your cluster will run at reduced performance for that whole time.

There are many situations in which this can happen: adding a new node to the cluster, upgrading nodes, or even switching to a new container for deployment. Minimizing pull time therefore becomes a key factor. There is no doubt that a small container downloads faster than a large one. If you run many containers in a Kubernetes cluster, the time savings can be significant.

Look at this comparison: the pull operation on the small containers takes 4-9 times less time, depending on the power of the machine, than the same operation with go:onbuild. Using shared, small container base images significantly speeds up the time and rate at which new Kubernetes nodes can be deployed and come online.

Let's look at security. Smaller containers are considered more secure than larger ones because they have a smaller attack surface. Is that really so? One of the most useful features of Google Container Registry is the ability to automatically scan containers for vulnerabilities. A few months ago I built both the onbuild and the multistage containers, so let's see whether there are any vulnerabilities in them.

The result is striking: only 3 medium vulnerabilities were found in the small container, while 16 critical and 376 other vulnerabilities were found in the large container. If we look at the contents of the large container, we see that most of the security problems have nothing to do with our application, but are related to programs we don't even use. So when people talk about a large attack surface, this is what they mean.

The takeaway is clear: build small containers, because they bring real performance and security benefits to your system.

source: www.habr.com
