ProHoster > Блог > Gudanarwa > Kurakurai guda biyar Lokacin Sanya Aikace-aikacenku na Farko akan Kubernetes

Kurakurai guda biyar Lokacin Sanya Aikace-aikacenku na Farko akan Kubernetes

Kurakurai guda biyar Lokacin Sanya Aikace-aikacenku na Farko akan KubernetesRashin nasara ta Aris-Dreamer

Mutane da yawa sun gaskata cewa ya isa ya yi ƙaura zuwa Kubernetes (ko dai ta amfani da Helm ko da hannu) kuma za su yi farin ciki. Amma ba haka ba ne mai sauki.

tawagar Mail.ru Cloud Solutions Injiniya DevOps Julian Gindi ya fassara labarin. Yana raba irin matsalolin da kamfaninsa ya fuskanta yayin aikin hijirar don kada ku taka rake iri ɗaya.

Mataki na Daya: Saita Buƙatun Pod da Iyaka

Bari mu fara da kafa yanayi mai tsabta wanda kwas ɗin mu zai gudana. Kubernetes yana yin babban aiki na tsara kwasfan fayiloli da sarrafa yanayin gazawar. Amma ya juya cewa mai tsara jadawalin wani lokaci ba zai iya sanya kwasfa ba idan yana da wahala a kimanta yawan albarkatun da yake buƙatar yin aiki cikin nasara. Wannan shine inda buƙatun albarkatu da iyakoki suka fito. Akwai muhawara da yawa game da mafi kyawun hanyar kafa buƙatu da iyakoki. Wani lokaci yana jin kamar ya fi fasaha fiye da kimiyya. Ga hanyarmu.

Buƙatun Pod - Wannan ita ce babbar ƙimar da mai tsarawa ke amfani da ita don sanya kwafsa mafi kyau.

Daga Dokokin Kubernetes: Matakin tacewa yana ƙayyade saitin nodes inda za'a iya tsara kwaf ɗin. Misali, tacewar PodFitsResources yana bincika ko kumburi yana da isassun albarkatu don gamsar da takamaiman buƙatun albarkatun kundi.

Muna amfani da buƙatun aikace-aikacen don a iya amfani da su don kimanta yawan albarkatun a gaskiya Aikace-aikacen yana buƙatar yin aiki da kyau. Ta wannan hanyar mai tsara jadawalin zai iya sanya nodes da gaske. Da farko muna so mu saita buƙatun tare da gefe don tabbatar da cewa kowane fasfo yana da isassun albarkatu masu yawa, amma mun lura cewa lokutan tsarawa ya ƙaru sosai kuma wasu kwas ɗin ba a taɓa tsara su sosai ba, kamar dai ba a karɓi buƙatun albarkatu ba.

A wannan yanayin, mai tsara jadawalin zai sau da yawa fitar da kwasfa kuma ba zai iya sake tsara su ba saboda jirgin mai sarrafawa ba shi da masaniyar adadin albarkatun da aikace-aikacen zai buƙaci, mahimmin ɓangaren tsara tsarin algorithm.

Iyakance tafki - wannan shi ne mafi bayyana iyaka ga kwafsa. Yana wakiltar iyakar adadin albarkatun da tarin zai keɓe ga akwati.

Sake, daga takardun shaida: Idan kwantena yana da saita iyakacin ƙwaƙwalwar GiB 4, to kubelet (da lokacin aikin ganga) zai tilasta shi. Lokacin aiki baya ƙyale akwati yayi amfani da fiye da ƙayyadaddun iyaka na albarkatu. Misali, lokacin da tsari a cikin kwantena yayi ƙoƙarin yin amfani da fiye da adadin da aka yarda da shi na ƙwaƙwalwar ajiya, kernel ɗin tsarin yana ƙare aikin tare da kuskuren “out of memory” (OOM).

Kwantena koyaushe na iya amfani da ƙarin albarkatu fiye da ƙayyadaddun buƙatun albarkatun, amma ba zai taɓa yin amfani da fiye da ƙayyadaddun iyaka ba. Wannan ƙimar yana da wahala a saita daidai, amma yana da mahimmanci.

Da kyau, muna son abubuwan buƙatun kwafsa su canza tsawon rayuwar tsari ba tare da tsoma baki tare da wasu matakai a cikin tsarin ba—maƙasudin saita iyaka ke nan.

Abin takaici, ba zan iya ba da takamaiman umarni kan abin da za a saita ba, amma mu da kanmu muna bin ƙa'idodi masu zuwa:

  1. Yin amfani da kayan aikin gwajin lodi, muna kwaikwayi matakin ginshiƙi na zirga-zirga da saka idanu akan amfani da albarkatun kwaf (ƙwaƙwalwar ajiya da mai sarrafawa).
  2. Mun saita buƙatun kwas ɗin zuwa ƙarancin ƙima na sabani (tare da iyakar albarkatun kusan sau 5 ƙimar buƙatun) kuma mu kiyaye. Lokacin da buƙatun suka yi ƙasa da ƙasa, tsarin ba zai iya farawa ba, galibi yana haifar da kurakuran lokacin tafiyar lokaci mai ban mamaki.

Lura cewa mafi girman iyakoki na albarkatu yana sa tsara tsarawa ya fi wahala saboda kwafsa yana buƙatar kumburin manufa tare da isassun albarkatu.

Ka yi tunanin yanayin da kake da sabar gidan yanar gizo mara nauyi tare da iyakacin albarkatu, in ji 4 GB na ƙwaƙwalwar ajiya. Wataƙila wannan tsari zai yi ma'auni a kwance, kuma kowane sabon ƙirar dole ne a tsara shi akan kumburi tare da aƙalla 4 GB na ƙwaƙwalwar ajiya. Idan babu irin wannan kumburin, gungu dole ne ya gabatar da sabon kumburi don sarrafa wannan kwaf ɗin, wanda zai ɗauki ɗan lokaci. Yana da mahimmanci a kiyaye bambanci tsakanin buƙatun albarkatu da iyaka zuwa mafi ƙanƙanta don tabbatar da sikeli mai sauri da santsi.

Mataki na biyu: saita gwajin Rayuwa da Shiryewa

Wannan wani batu ne na dabara wanda galibi ana tattaunawa a cikin al'ummar Kubernetes. Yana da mahimmanci a sami kyakkyawar fahimta game da gwaje-gwajen Rayuwa da Shiryewa yayin da suke samar da hanyar software don gudanar da aiki lafiya da rage raguwar lokaci. Duk da haka, suna iya haifar da mummunan aiki ga aikace-aikacenku idan ba a daidaita su daidai ba. Da ke ƙasa akwai taƙaitaccen abin da samfuran duka biyu suke.

Rayuwa ya nuna ko kwandon yana gudana. Idan ya kasa, kubelet yana kashe akwati kuma an kunna tsarin sake farawa don shi. Idan akwati ba a sanye shi da bincike na Liveness, to, yanayin da aka saba zai yi nasara - wannan shine abin da ya fada a ciki Dokokin Kubernetes.

Binciken rayuwa ya kamata ya zama mai arha, ma'ana kada su cinye albarkatu masu yawa, saboda suna gudana akai-akai kuma suna buƙatar sanar da Kubernetes cewa aikace-aikacen yana gudana.

Idan kun saita zaɓi don gudanar da kowane daƙiƙa, wannan zai ƙara buƙata 1 a cikin sakan daya, don haka ku sani cewa za a buƙaci ƙarin albarkatun don sarrafa wannan zirga-zirga.

A kamfaninmu, gwaje-gwajen Liveness suna duba ainihin abubuwan da ke cikin aikace-aikacen, ko da bayanan (misali, daga ma'ajin bayanai na nesa ko cache) ba su da cikakken isa.

Mun saita ƙa'idodin tare da ƙarshen "lafiya" wanda kawai ke dawo da lambar amsawa ta 200. Wannan nuni ne cewa tsarin yana gudana kuma yana iya sarrafa buƙatun (amma ba tukuna ba).

Samfurodi Shiryawa yana nuna ko kwandon yana shirye don ba da buƙatun. Idan binciken shirye-shiryen ya gaza, mai sarrafa ƙarshen ƙarshen yana cire adireshin IP na pods daga ƙarshen duk ayyukan da suka dace da kwaf ɗin. Hakanan an bayyana wannan a cikin takaddun Kubernetes.

Binciken shirye-shiryen yana cinye ƙarin albarkatu saboda dole ne a aika su zuwa baya ta hanyar da ke nuna aikace-aikacen yana shirye don karɓar buƙatun.

Ana ta cece-kuce a tsakanin al’umma kan ko za a shiga rumbun adana bayanai kai tsaye. Idan aka yi la'akari da sama (ana yin rajista akai-akai, amma ana iya daidaita su), mun yanke shawarar cewa don wasu aikace-aikacen, shirye-shiryen yin hidimar zirga-zirgar ababen hawa ana ƙidaya su ne kawai bayan tabbatar da cewa an dawo da bayanan daga bayanan. Gwaje-gwajen shirye-shiryen da aka tsara da kyau sun tabbatar da mafi girman matakan samuwa da kuma kawar da raguwa a lokacin turawa.

Idan kun yanke shawarar tambayar bayanan don gwada shirye-shiryen aikace-aikacenku, tabbatar da cewa ba shi da tsada sosai. Bari mu ɗauki wannan buƙatar:

SELECT small_item FROM table LIMIT 1

Ga misalin yadda muke saita waɗannan dabi'u biyu a cikin Kubernetes:

livenessProbe: 
 httpGet:   
   path: /api/liveness    
   port: http 
readinessProbe:  
 httpGet:    
   path: /api/readiness    
   port: http  periodSeconds: 2

Kuna iya ƙara wasu ƙarin zaɓuɓɓukan sanyi:

  • initialDelaySeconds - daƙiƙa nawa za su wuce tsakanin ƙaddamar da akwati da farkon samfuran.
  • periodSeconds - tazarar jira tsakanin samfurin gudanar.
  • timeoutSeconds - adadin dakikoki bayan haka ana ɗaukar naúrar gaggawa. Lokaci na yau da kullun.
  • failureThreshold - adadin gazawar gwajin kafin a aika siginar sake farawa zuwa kwafsa.
  • successThreshold - yawan binciken da aka yi nasara kafin kwaf ɗin ya shiga cikin shirye-shiryen (bayan gazawar, lokacin da kwaf ɗin ya fara ko ya dawo).

Mataki na uku: kafa tsoffin manufofin hanyar sadarwa don kwafsa

Kubernetes yana da fasalin cibiyar sadarwa na “leburbura”; ta tsohuwa, duk kwas ɗin suna sadarwa kai tsaye da juna. A wasu lokuta wannan ba kyawawa bane.

Matsalar tsaro mai yuwuwa ita ce maharin zai iya amfani da aikace-aikacen da ba shi da rauni guda ɗaya don aika zirga-zirga zuwa duk kwas ɗin kan hanyar sadarwa. Kamar yadda yake tare da yawancin wuraren tsaro, ƙa'idar mafi ƙarancin gata tana aiki anan. Mahimmanci, manufofin cibiyar sadarwa yakamata su fayyace wace haɗin kai tsakanin kwas ɗin da aka yarda da waɗanda ba a yarda dasu ba.

Misali, a ƙasa akwai tsari mai sauƙi wanda ke hana duk zirga-zirgar zirga-zirgar shigowa don takamaiman sunan suna:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:  
 name: default-deny-ingress
spec:  
 podSelector: {}  
 policyTypes:  
   - Ingress

Ganin wannan saitin:

Kurakurai guda biyar Lokacin Sanya Aikace-aikacenku na Farko akan Kubernetes
(https://miro.medium.com/max/875/1*-eiVw43azgzYzyN1th7cZg.gif)
A cikin cikakkun bayanai a nan.

Mataki na hudu: hali na al'ada ta amfani da ƙugiya da kwantena init

Ɗaya daga cikin manyan manufofinmu shine samar da turawa zuwa Kubernetes ba tare da raguwa ba ga masu haɓakawa. Wannan yana da wahala saboda akwai zaɓuɓɓuka da yawa don rufe aikace-aikacen da kuma 'yantar da albarkatun da suka yi amfani da su.

Matsaloli na musamman sun taso tare da Nginx. Mun lura cewa lokacin da aka tura waɗannan kwas ɗin bi-da-bi, an watsar da haɗin kai kafin nasarar kammalawa.

Bayan bincike mai zurfi akan layi, ya zama cewa Kubernetes baya jiran haɗin Nginx don ƙare kansa kafin ya ƙare kwafsa. Yin amfani da ƙugiya ta tsayawa, mun aiwatar da ayyuka masu zuwa kuma mun kawar da ƙarancin lokaci gaba ɗaya:

lifecycle: 
 preStop:
   exec:
     command: ["/usr/local/bin/nginx-killer.sh"]

Amma nginx-killer.sh:

#!/bin/bash
sleep 3
PID=$(cat /run/nginx.pid)
nginx -s quit
while [ -d /proc/$PID ]; do
   echo "Waiting while shutting down nginx..."
   sleep 10
done

Wani madaidaicin fa'ida mai fa'ida shine amfani da kwantena init don sarrafa fara takamaiman aikace-aikace. Wannan yana da amfani musamman idan kuna da tsarin ƙaura mai tarin albarkatu wanda ke buƙatar aiki kafin fara aikace-aikacen. Hakanan zaka iya ƙayyade iyakar albarkatu mafi girma don wannan tsari ba tare da saita irin wannan iyaka ga babban aikace-aikacen ba.

Wani tsari na gama gari shi ne samun damar sirri a cikin akwati init wanda ke ba da waɗannan takaddun shaida ga babban tsarin, wanda ke hana damar samun sirri ba tare da izini ba daga babban tsarin aikace-aikacen kansa.

Kamar yadda aka saba, ambato daga takardun: Akwatunan init suna gudanar da lambar al'ada ko kayan aikin da ba haka ba zai rage amincin hoton kwandon aikace-aikacen. Ta hanyar keɓance kayan aikin da ba dole ba, kuna iyakance saman harin hoton kwandon aikace-aikacen.

Mataki na biyar: Saita Kernel

A ƙarshe, bari muyi magana game da fasaha mafi ci gaba.

Kubernetes dandamali ne mai sauƙin sassauƙa wanda ke ba ku damar gudanar da ayyukan aiki yadda kuka ga ya dace. Muna da manyan aikace-aikacen aikace-aikacen da yawa waɗanda ke da matuƙar amfani da albarkatu. Bayan gudanar da gwaje-gwaje masu yawa, mun gano cewa aikace-aikacen ɗaya yana kokawa don ɗaukar nauyin zirga-zirgar da ake tsammani lokacin da saitunan Kubernetes ke aiki.

Koyaya, Kubernetes yana ba ku damar gudanar da akwati mai gata wanda ke canza sigogin kwaya kawai don takamaiman kwafsa. Ga abin da muka yi amfani da shi don canza matsakaicin adadin buɗaɗɗen haɗi:

initContainers:
  - name: sysctl
     image: alpine:3.10
     securityContext:
         privileged: true
      command: ['sh', '-c', "sysctl -w net.core.somaxconn=32768"]

Wannan fasaha ce ta ci gaba wacce galibi ba a buƙata. Amma idan aikace-aikacenku yana kokawa don jure nauyi mai nauyi, zaku iya gwada tweaking wasu daga cikin waɗannan saitunan. Ƙarin cikakkun bayanai game da wannan tsari da saita dabi'u daban-daban - kamar kullum a cikin takardun hukuma.

A ƙarshe

Duk da yake Kubernetes na iya zama kamar shirye-shiryen da aka yi daga cikin akwatin, akwai ƴan mahimman matakan da kuke buƙatar ɗauka don ci gaba da gudanar da aikace-aikacenku cikin sauƙi.

A cikin ƙauran Kubernetes ɗin ku, yana da mahimmanci ku bi "zagayowar gwajin lodi": ƙaddamar da aikace-aikacen, gwada gwadawa, lura da ma'auni da halayen ƙima, daidaita daidaitawa dangane da wannan bayanan, sannan sake sake zagayowar.

Kasance mai haƙiƙa game da zirga-zirgar zirga-zirgar da ake tsammanin ku kuma yi ƙoƙarin turawa sama da shi don ganin waɗanne abubuwan haɗin gwiwa suka fara karya. Tare da wannan tsarin maimaitawa, kaɗan daga cikin shawarwarin da aka jera zasu iya isa don cimma nasara. Ko yana iya buƙatar gyare-gyare mai zurfi.

Koyaushe tambayi kanka waɗannan tambayoyin:

  1. Nawa albarkatun aikace-aikace ke cinyewa kuma ta yaya wannan ƙarar zata canza?
  2. Menene ainihin buƙatun sikeli? Nawa ne zirga-zirgar ababen hawa za su kula a matsakaici? Me game da kololuwar zirga-zirga?
  3. Sau nawa sabis ɗin zai buƙaci a daidaita a kwance? Yaya sauri ake buƙatar kawo sabbin kwasfan fayiloli akan layi don karɓar zirga-zirga?
  4. Yaya daidai yake rufe kwas ɗin? Shin wannan ya zama dole ko kadan? Shin yana yiwuwa a cimma turawa ba tare da bata lokaci ba?
  5. Ta yaya za ku iya rage haɗarin tsaro da iyakance lalacewa daga kowane kwas ɗin da aka daidaita? Shin kowane sabis yana da izini ko damar da ba sa buƙata?

Kubernetes yana ba da dandamali mai ban mamaki wanda ke ba ku damar yin amfani da mafi kyawun ayyuka don tura dubban ayyuka a cikin tari. Koyaya, kowane aikace-aikacen ya bambanta. Wani lokaci aiwatarwa yana buƙatar ƙarin aiki kaɗan.

Abin farin ciki, Kubernetes yana ba da tsarin da ya dace don cimma duk burin fasaha. Yin amfani da haɗin buƙatun albarkatu da iyakoki, Binciken Rayuwa da Shirye-shiryen, kwantena init, manufofin cibiyar sadarwa, da daidaitawar kernel na al'ada, zaku iya cimma babban aiki tare da haƙurin kuskure da saurin haɓakawa.

Me kuma za a karanta:

  1. Mafi kyawun ayyuka da mafi kyawun ayyuka don gudanar da kwantena da Kubernetes a cikin yanayin samarwa.
  2. 90+ kayan aiki masu amfani don Kubernetes: turawa, gudanarwa, saka idanu, tsaro da ƙari.
  3. Tashar mu ta Kubernetes a cikin Telegram.

source: www.habr.com

Add a comment