This is an update of
First of all, I want to thank the Cilium team: they helped me check and fix the metrics monitoring scripts.
What has changed since November 2018
Here is what has changed since then (if you are interested):
Flannel remains the fastest and simplest CNI interface, but it still does not support network policies or encryption.
Romana is no longer supported, so we removed it from the benchmark.
WeaveNet now supports network policies for Ingress and Egress! But performance has dropped.
In Calico, you still need to set the maximum packet size (MTU) manually for the best performance. Calico offers two options for installing the CNI, so you can do without a separate ETCD store:
- storing state in the Kubernetes API as the datastore (cluster size < 50 nodes);
- storing state in the Kubernetes API as the datastore, with a Typha proxy to take load off the K8S API (cluster size > 50 nodes).
Calico announced support
Cilium now supports encryption! Cilium provides encryption with IPSec tunnels and offers an alternative to the encrypted WeaveNet network. But WeaveNet is faster than Cilium with encryption enabled.
Cilium is now easier to deploy thanks to the built-in ETCD operator.
The Cilium team has tried to trim some weight from its CNI by reducing memory consumption and CPU cost, but its competitors are still lighter.
Benchmark context
The benchmark runs on three non-virtualized (bare-metal) Supermicro servers with a 10 Gb Supermicro switch. The servers are connected directly to the switch with passive DAC SFP+ cables and are configured in the same VLAN with jumbo frames (MTU 9000).
Kubernetes 1.14.0 is installed on Ubuntu 18.04 LTS with Docker 18.09.2 (the default Docker version in this release).
To improve reproducibility, we decided to always set up the master on the first node, place the server part of the benchmark on the second server, and the client part on the third. To do this, we use NodeSelector in the Kubernetes deployments.
We will describe the benchmark results on the following scale:
Choosing CNIs for the benchmark
This benchmark covers only the CNIs from the list in the section
We will compare the following CNIs:
- Calico v3.6
- Canal v3.6 (essentially Flannel for networking + Calico as the firewall)
- 1.4.2
- 0.11.0
- Kube-Router 0.2.5
- WeaveNet 2.5.1
Setup
The easier a CNI is to install, the better our first impression of it will be. All the CNIs in the benchmark are very easy to install (one or two commands).
As we said, the servers and the switch are configured with jumbo frames enabled (we set the MTU to 9000). We would be happy if the CNI determined the MTU automatically from the adapter configuration. However, only Cilium and Flannel managed this. The other CNIs have requests on GitHub to add automatic MTU detection, but we will configure it manually by changing the ConfigMap for Calico, Canal and Kube-router, or by passing an environment variable for WeaveNet.
What is the problem with a wrong MTU? This chart shows the difference between WeaveNet with the default MTU and with jumbo frames:
How does MTU affect throughput?
We have seen how important the MTU is for performance; now let's see how our CNIs determine it automatically:
The chart shows that you need to set the MTU for Calico, Canal, Kube-router and WeaveNet to get good performance. Cilium and Flannel were able to determine the MTU correctly by themselves without any configuration.
Security
We will compare CNI security in two respects: the ability to encrypt transmitted data and the implementation of Kubernetes network policies (based on real tests, not on documentation).
Only two CNIs encrypt data: Cilium and WeaveNet. WeaveNet encryption is enabled by setting the encryption password as a CNI environment variable. In
As for the implementation of network policies, Calico, Canal, Cilium and WeaveNet succeeded: in all of them you can configure Ingress and Egress rules. For Kube-router there are rules only for Ingress, and Flannel has no network policies at all.
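A set of manifests for checking Ingress and Egress enforcement in a real test rather than from documentation, added here as an example and not taken from the original benchmark. The namespace `cni-policy-test` and the labels `app=server` and `app=client` are assumptions.

```yaml
# Constructed test manifests; namespace and labels are assumptions,
# not names used in the article's benchmark.
# 1. Deny all traffic in both directions for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: cni-policy-test
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2. Ingress: only pods labelled app=client may reach app=server on TCP 80.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: server-allow-client
  namespace: cni-policy-test
spec:
  podSelector:
    matchLabels: {app: server}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: client}
      ports:
        - {protocol: TCP, port: 80}
---
# 3. Egress: app=client may only open TCP 80 to app=server, nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: client-allow-server
  namespace: cni-policy-test
spec:
  podSelector:
    matchLabels: {app: client}
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels: {app: server}
      ports:
        - {protocol: TCP, port: 80}
# Expected when both directions are enforced (connect by pod IP, no DNS):
#   client -> server:80          succeeds
#   unlabelled pod -> server:80  times out (Ingress rule)
#   client -> any other address  times out (Egress rule)
```

The API server accepts these objects whether or not the CNI enforces them, so a cluster where all three connections succeed has no policy enforcement, and one where only the last succeeds enforces Ingress but not Egress.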
Here are the full results:
Security performance benchmark results
Performance
This benchmark shows the average throughput over at least three runs of each test. We test TCP and UDP performance (using iperf3), real applications such as HTTP (with Nginx and curl) or FTP (with vsftpd and curl), and finally application performance with SCP-based encryption (using the OpenSSH client and server).
For all tests we ran a bare-metal benchmark (green line) to compare CNI performance with native network performance. Here we use the same scale, but in color:
- Yellow = very good
- Orange = good
- Blue = so-so
- Red = bad
We will not consider incorrectly configured CNIs and will show results only for CNIs with the correct MTU. (Note: Cilium does not calculate the MTU correctly if you enable encryption, so you have to lower the MTU to 8900 manually in version 1.4. The next version, 1.5, does this automatically.)
Here are the results:
All CNIs did well in the TCP benchmark. The CNIs with encryption lag far behind because encryption is expensive.
Here too, all CNIs do well. The CNIs with encryption showed almost the same result. Cilium is slightly behind the competition, but by only 2.3% of bare metal, so it is not a bad result. Don't forget that only Cilium and Flannel determined the MTU correctly by themselves, and these are their results without any additional configuration.
What about real applications? As you can see, overall HTTP performance is slightly lower than TCP performance. Even though HTTP runs over TCP, we configured iperf3 in the TCP benchmark to avoid the slow start, which would affect the HTTP benchmark. Everyone did a good job here. Kube-router has a clear advantage, but WeaveNet did not do well: about 20% worse than bare metal. Cilium and WeaveNet with encryption look very sad.
With FTP, another TCP-based protocol, the results vary. Flannel and Kube-router do the job, but Calico, Canal and Cilium are slightly behind and are about 10% slower than bare metal. WeaveNet lags by about 17%, but encrypted WeaveNet is 40% ahead of encrypted Cilium.
With SCP we can see how much SSH encryption costs us. Almost all CNIs do well, but WeaveNet lags behind again. Cilium and WeaveNet with encryption are, as expected, the worst because of the double encryption (SSH + CNI).
Here is a summary table with the results:
Resource consumption
Now let's compare how the CNIs consume resources under heavy load (during a TCP transfer at 10 Gbps). In the performance tests we compared the CNIs with bare metal (green line). For resource consumption, we show pure Kubernetes (blue line) without a CNI and see how many extra resources the CNI consumes.
Let's start with memory. Here is the average RAM usage of the nodes (excluding buffers and cache) in MB during the transfer.
Flannel and Kube-router showed excellent results: only 50 MB. Calico and Canal use 70 each. WeaveNet consumes more than the others, 130 MB, and Cilium uses about 400.
Now let's look at CPU time. Note: the chart shows not percent but ppm, that is, 38 ppm for "bare metal" is 3.8%. Here are the results:
Calico, Canal, Flannel and Kube-router are very CPU-efficient: only 2% more than Kubernetes without a CNI. WeaveNet lags far behind with an extra 5%, followed by Cilium at 7%.
Here is a summary of resource consumption:
Results
A table with all the results:
Overall benchmark results
Conclusion
In the last part I will give my subjective opinion on the results. Keep in mind that this benchmark tests only single-connection throughput on a very small cluster (3 nodes). It does not apply to large clusters (<50 nodes) or to parallel connections.
I recommend using the following CNIs depending on the scenario:
- You have nodes with few resources in your cluster (a few GB of RAM, a few cores) and you don't need security features: choose Flannel. It is one of the most economical CNIs. It is also compatible with a wide range of architectures (amd64, arm, arm64, etc.). In addition, it is one of the two CNIs (the other is Cilium) that can determine the MTU automatically, so you don't have to configure anything. Kube-router is also suitable, but it is not as standard and you need to set the MTU manually.
- If you need an encrypted network for security, take WeaveNet. Don't forget to specify the MTU size if you use jumbo frames, and enable encryption by specifying a password through an environment variable. But it is better to forget about performance: that is the price of encryption.
- For normal use I recommend Calico. This CNI is widely used in various Kubernetes deployment tools (Kops, Kubespray, Rancher, etc.). As with WeaveNet, be sure to set the MTU in the ConfigMap if you use jumbo frames. It is a multi-purpose tool that is efficient in terms of resource consumption, performance and security.
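The two WeaveNet settings mentioned in the list above (MTU and encryption password, both passed as environment variables), shown as an added example that is not part of the original article. It is a strategic merge patch for the `weave` container of the `weave-net` DaemonSet; the MTU value and the Secret name `weave-passwd` are assumptions.

```yaml
# Constructed example: strategic merge patch for the weave-net DaemonSet
# in the kube-system namespace.
spec:
  template:
    spec:
      containers:
        - name: weave
          env:
            # Pod-network MTU. It must stay below the 9000-byte NIC MTU so the
            # encapsulation headers still fit in one jumbo frame.
            # 8912 is an assumed value, not a figure from the article.
            - name: WEAVE_MTU
              value: "8912"
            # Weak form: the password as a literal, readable by anyone who
            # can read the DaemonSet object.
            # - name: WEAVE_PASSWORD
            #   value: "<password>"
            # Preferred form: reference a Secret (name and key are
            # assumptions) so access is governed by RBAC on Secrets.
            - name: WEAVE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: weave-passwd
                  key: weave-passwd
```

The Secret must exist in `kube-system` before the patched pods start, and every node has to use the same password or peers will refuse to connect.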
And finally, I advise you to follow the development of Cilium. This CNI has a very active team that works a lot on its product (features, resource savings, performance, security, clustering ...) and has very interesting plans.
source: www.habr.com