Running systemd in a container

We have been following the topic of running systemd in containers for a long time. Back in 2014, security engineer Daniel Walsh wrote the article Running systemd within a Docker Container, and a couple of years later another one, called Running systemd in a non-privileged container, in which he stated that the situation had not improved much. In particular, he wrote: "Unfortunately, even two years later, if you google 'Docker systemd', the first thing that comes up is that same old article of his. So it is time to change something." We have also already written about the conflict between the Docker and systemd developers.


In this article we will show what has changed over time and how Podman can help us here.

There are many reasons to run systemd in a container, such as:

  1. Multi-service containers. Many people want to move their multi-service applications out of virtual machines and run them in containers. Ideally, of course, such applications should be broken up into microservices, but not everyone knows how to do that yet, or simply has the time. So running such applications as systemd services started from unit files makes perfect sense.
  2. Systemd unit files. Most applications running in containers are built from code that previously ran on virtual or physical machines. These applications already have a unit file written for them that knows how they should be started. So it is better to start the service through the supported mechanism than to hack together your own init script.
  3. Systemd is a process manager. It handles services (shutting them down, restarting them, reaping zombie processes) better than any other tool.

That said, there are also many reasons not to run systemd in a container. The main one is that systemd/journald takes control of the container's output, while tools like Kubernetes or OpenShift expect containers to write their logs directly to stdout and stderr. So if you are going to manage containers through orchestration tools like those, you should weigh carefully whether to use systemd-based containers. Besides, the Docker and Moby developers are often strongly opposed to running systemd in containers.

Enter Podman

We are happy to report that the situation has finally moved forward. The team responsible for running containers at Red Hat decided to develop its own container engine. It was named podman and offers the same command line interface (CLI) as Docker, and almost every Docker command can be used with Podman in exactly the same way. We regularly give a talk, now called Replacing Docker with Podman, and its very first slide calls on you to type: alias docker=podman.

Many people do exactly that.

Podman and I have nothing against systemd-based containers. After all, systemd is the most widely used Linux init system, and not letting it work properly in containers means ignoring the way thousands of people are used to running their services.

Podman knows what has to be done for systemd to work properly in a container. It needs things like tmpfs mounted on /run and /tmp. It wants the container environment variable set, and it expects write access to its own part of the cgroup directory and to /var/log/journal.

When you start a container whose first command is init or systemd, Podman automatically configures the tmpfs mounts and cgroups so that systemd starts without problems. To disable this automatic behaviour, use the --systemd=false option. Note that Podman only switches on systemd mode when it sees that it is about to run the systemd or init command.

Here is an excerpt from the man page:

man podman run
...

--systemd=true|false

Run the container in systemd mode. The default is true.

If you run the systemd or init command inside the container, Podman will set up tmpfs mount points at the following directories:

/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal

The default stop signal will also be set to SIGRTMIN+3.

All of this allows systemd to run in a locked-down container without any modifications.

NOTE: systemd tries to write to the cgroup file system. However, SELinux prevents containers from doing this by default. To allow the writes, enable the container_manage_cgroup boolean:

setsebool -P container_manage_cgroup true

Now let's see what a Dockerfile looks like for running systemd in a container with Podman:

# cat Dockerfile
FROM fedora
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]

That's it.

Now we build the container image:

# podman build -t systemd .

We tell SELinux to allow systemd to modify the cgroup configuration:

# setsebool -P container_manage_cgroup true

Many people, by the way, forget this step. Fortunately, it only has to be done once, and the setting survives a reboot.

Now we simply start the container:

# podman run -ti -p 80:80 systemd

systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 29 (Container Image)!

Set hostname to <1b51b684bc99>.
Failed to install release agent, ignoring: Read-only file system
File /usr/lib/systemd/system/systemd-journald.service:26 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK ] Listening on initctl Compatibility Named Pipe.
[  OK ] Listening on Journal Socket (/dev/log).
[  OK ] Started Forward Password Requests to Wall Directory Watch.
[  OK ] Started Dispatch Password Requests to Console Directory Watch.
[  OK ] Reached target Slices.
…
[  OK ] Started The Apache HTTP Server.

That's it, the service is running:

$ curl localhost
<html  xml_lang="en" lang="en">
…
</html>

NOTE: Do not try this with Docker! There you still have to jump through hoops to launch such a container through the daemon. (You need additional fields and packages to make all of this work smoothly in Docker, or you have to run it in a privileged container. See the article for details.)
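The build, SELinux boolean and run steps above, collected into one script as an added example that is not part of the original article. It makes the check that people forget explicit: the boolean is parsed from getsebool output and only set when it is still off. The image tag, container name and port are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: build the systemd-based httpd image, make sure SELinux
# lets systemd manage its cgroup, start the container and wait for httpd.
set -eu

IMAGE=${IMAGE:-systemd}        # tag used by "podman build -t systemd ."
NAME=${NAME:-httpd-systemd}    # container name chosen for this example
PORT=${PORT:-80}               # host port published to httpd's port 80

# Return 0 when the given "getsebool container_manage_cgroup" output
# reports the boolean as on. Takes the text as an argument so it can be
# checked without SELinux tooling present.
cgroup_boolean_on() {
    case "$1" in
        "container_manage_cgroup --> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# SELinux blocks writes to the cgroup fs unless this boolean is set;
# -P persists it across reboots, so this runs the setsebool once per host.
ensure_cgroup_boolean() {
    if ! cgroup_boolean_on "$(getsebool container_manage_cgroup)"; then
        setsebool -P container_manage_cgroup true
    fi
}

main() {
    ensure_cgroup_boolean
    podman build -t "$IMAGE" .
    # Detached rather than -ti; Podman still sees /sbin/init as the command
    # and enables systemd mode (tmpfs on /run, /tmp, ..., stop signal
    # SIGRTMIN+3) exactly as for the interactive run in the article.
    podman run -d --name "$NAME" -p "$PORT:80" "$IMAGE"
    # httpd is started by the systemd inside the container; poll for it.
    for _ in $(seq 1 30); do
        if curl -fs "http://localhost:$PORT/" >/dev/null; then
            echo "httpd is up on port $PORT"
            return 0
        fi
        sleep 1
    done
    echo "httpd did not come up; inspect with: podman logs $NAME" >&2
    return 1
}

# Only perform the real steps when asked, so the functions can be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root on a Fedora host with `sh run-systemd-container.sh run`; stop the container afterwards with `podman stop httpd-systemd` (systemd inside receives SIGRTMIN+3).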

A few more nice things about Podman and systemd

Podman works better than Docker in systemd unit files

If containers need to start when the system boots, you can simply put the appropriate Podman commands into a systemd unit file, which will start the service and monitor it. Podman uses the standard fork-exec model: the container processes are children of the Podman process, so systemd can track them without any trouble.

Docker uses a client-server model, and Docker CLI commands can also be placed directly in a unit file. However, once the Docker client connects to the Docker daemon, the client becomes just another process shuffling stdin and stdout. Systemd, in turn, has no idea about the relationship between the Docker client and the container running under the control of the Docker daemon, so in this model systemd fundamentally cannot monitor the service.
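A unit file that starts the httpd container built above under Podman, as an added example that is not part of the original article: with the fork-exec model, the podman process that ExecStart launches is the MainPID systemd watches, and the container's processes are its children. The unit name, container name and stop timeout are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: emit a systemd service unit that runs a Podman container
# in the foreground so systemd can supervise it directly.
set -eu

# Print a unit for container NAME from IMAGE, publishing HOSTPORT -> 80.
podman_unit() {
    name=$1
    image=$2
    hostport=$3
    cat <<EOF
[Unit]
Description=Podman container $name (systemd inside)
After=network-online.target
Wants=network-online.target

[Service]
# podman run stays in the foreground; its PID and children are tracked.
Type=simple
Restart=on-failure
# Remove a stale container of the same name left by an unclean shutdown.
ExecStartPre=-/usr/bin/podman rm -f $name
ExecStart=/usr/bin/podman run --rm --name $name -p $hostport:80 $image
# podman stop delivers the container's stop signal, SIGRTMIN+3 in
# systemd mode, so the systemd inside shuts its services down cleanly.
ExecStop=/usr/bin/podman stop -t 10 $name
TimeoutStopSec=20

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit, named after the container, and enable it.
install_unit() {
    name=$1
    podman_unit "$name" "$2" "$3" > "/etc/systemd/system/$name.service"
    systemctl daemon-reload
    systemctl enable --now "$name.service"
}

# Only touch the host when explicitly asked:
#   sh podman-unit.sh install httpd-systemd systemd 80
if [ "${1:-}" = install ]; then
    install_unit "${2:-httpd-systemd}" "${3:-systemd}" "${4:-80}"
fi
```

After `systemctl status httpd-systemd` you should see podman as the main process with the container's systemd and httpd processes listed underneath it in the cgroup tree.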

Systemd socket activation

Podman handles socket activation correctly. Because it uses the fork-exec model, it can pass the socket on to its child container process. Docker cannot do this, because it uses the client-server model.

The varlink service, which Podman uses to talk to remote clients about containers, is socket activated. The cockpit-podman package, written in Node.js and part of the cockpit project, lets people work with Podman containers through a web interface. The web daemon running cockpit-podman sends messages to the varlink socket that systemd is listening on. Systemd then activates the Podman program to receive the messages and start managing the containers. Systemd's socket activation removes the need for a permanently running daemon when implementing remote APIs.

In addition, we are developing another Podman client called podman-remote, which implements the same Podman CLI but talks to varlink to run the containers. Podman-remote can work over an SSH session, letting you interact with containers on other machines. Over time, we plan to let podman-remote support MacOS and Windows as well as Linux, so that developers on those platforms can run a Linux virtual machine with Podman varlink running and have the full experience of containers running on the local machine.

SD_NOTIFY

Systemd lets you delay the start of dependent services until the containerized service they need is up. Podman can pass the SD_NOTIFY socket through to the containerized service, so that the service can tell systemd that it is ready to operate. And once again, Docker, with its client-server model, cannot do this.

Plans

We plan to add a podman generate systemd CONTAINERID command, which will generate a systemd unit file for managing the specified container. It should work both as root and rootless, for unprivileged containers. We have even seen a request for an OCI-compliant systemd-nspawn runtime.

Conclusion

Running systemd in a container is a perfectly understandable need. And thanks to Podman, we finally have a container runtime that does not fight systemd but makes it easy to use.

source: www.habr.com
