Hello! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf aims not only to build cooperation between specialists and to integrate work processes, but also to actively research and adopt current technologies, both in its own infrastructure and in the infrastructure of its customers.
Below I will talk a little about the changes in the container technology stack that we ran into while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up a runtime environment for Kubernetes.

Why isn't Docker included in the standard CentOS 8 distribution?
After installing the latest releases of RHEL 8 or CentOS 8, you cannot help but notice that these distributions and their official repositories no longer contain Docker. It has been replaced, both ideologically and functionally, by the Podman and Buildah packages (present in the distribution by default) and by CRI-O. This is the practical result of implementing standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.
The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they should not contradict the Linux philosophy (for example, the part of it that says each program should do one thing, whereas Docker is a kind of all-in-one combine). Second, they should eliminate all the existing shortcomings of the Docker software. Third, they should fully meet the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).
The shortcomings of Docker and the advantages of the new software have already been described in some detail, and a detailed description of the whole software stack offered within the OCI project, together with its architecture, can be found in the official documentation and in articles both from Red Hat itself (there is a good one on the Red Hat blog) and from third parties.
It is important to note what each component of the proposed stack does:
- Podman - direct interaction with containers and image storage through the runC process;
- Buildah - building images and pushing them to a registry;
- CRI-O - a runtime environment for container orchestration systems (for example, Kubernetes).
To understand the overall scheme of interaction between the components of the stack, it makes sense to show here a diagram of how Kubernetes connects to runC and the low-level libraries through CRI-O:

CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O coincide). Given that the developers focus on complete and comprehensive testing of this stack, this gives us the right to expect the highest achievable stability under any usage scenario (the relative lightness of CRI-O compared to Docker, a result of its deliberately limited functionality, is also a plus here).
When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into a few small difficulties, which we nevertheless overcame successfully. I will be glad to share the installation and configuration instructions with you; in total they take about 10 minutes.
How to deploy Kubernetes on CentOS 8 using the CRI-O runtime
Prerequisites: at least one host (2 cores, 4 GB RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), plus entries for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). Don't forget .
We perform all operations on the host as the root user, so be careful.
- In the first step, we configure the OS and install and configure the prerequisites for CRI-O.
- Update the OS:
dnf -y update
- Next, you need to configure the firewall and SELinux. Here everything depends on the environment in which our host or hosts will operate. You can configure the firewall according to the recommendations, or, if you are on a trusted network or use a third-party firewall, change the default zone to trusted or turn the firewall off:
firewall-cmd --set-default-zone trusted
firewall-cmd --reload
To turn the firewall off, you can use this command:
systemctl disable --now firewalld
SELinux needs to be turned off or switched to "permissive" mode:
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
- Load the required kernel modules and install the required packages, and configure the "br_netfilter" module to load automatically at system startup:
modprobe overlay
modprobe br_netfilter
echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
dnf -y install iproute-tc
- To enable packet forwarding and correct traffic handling, make the appropriate settings:
cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
Apply the settings:
sysctl --system
- Set the required CRI-O version (the major version of CRI-O, as mentioned earlier, matches the required Kubernetes version); the latest stable Kubernetes version is currently 1.18:
export REQUIRED_VERSION=1.18
Add the necessary repositories:
dnf -y install 'dnf-command(copr)'
dnf -y copr enable rhcontainerbot/container-selinux
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo
- Now we can install CRI-O:
dnf -y install cri-o
Pay attention to the first nuance we meet during installation: you need to edit the CRI-O configuration before starting the service, because the required conmon component is in a different location from the one specified in the configuration:
sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf
Now you can enable and start the CRI-O daemon:
systemctl enable --now crio
You can check the status of the daemon:
systemctl status crio
- Installing and activating Kubernetes.
- Add the required repository:
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
Now we can install Kubernetes (version 1.18, as mentioned above):
dnf install -y 'kubelet-1.18*' 'kubeadm-1.18*' 'kubectl-1.18*' --disableexcludes=kubernetes
- The second important nuance: since we are using the CRI-O daemon rather than the Docker daemon, before starting and initializing Kubernetes you need to make the appropriate settings in the configuration file /var/lib/kubelet/config.yaml, after first creating the required directory:
mkdir -p /var/lib/kubelet
cat <<EOF > /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF
- The third important point we meet during installation: although we have already specified the cgroup driver, and configuring it through arguments passed to kubelet is deprecated (as the documentation states explicitly), we still need to add the arguments to the file, otherwise our cluster will not initialize:
cat /dev/null > /etc/sysconfig/kubelet
cat <<EOF > /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
EOF
- Now we can activate the kubelet daemon:
sudo systemctl enable --now kubelet
To configure a control-plane or worker node in minutes, you can use .
- It is time to initialize our cluster.
- To initialize the cluster, run the command:
kubeadm init --pod-network-cidr=10.244.0.0/16
Be sure to copy the cluster join command "kubeadm join ...", which you are prompted to use at the end of the output, or at least the tokens it specifies.
- Install the plugin (CNI) for the Pod network. I recommend using Calico. The perhaps more popular Flannel has compatibility problems, and Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
- To connect a worker node to our cluster, you need to configure it according to steps 1 and 2 of these instructions, or use , and then run the command from the "kubeadm init ..." output that we recorded in the previous step:
kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN --discovery-token-ca-cert-hash $TOKEN_HASH
- Check that our cluster has been initialized and has started working:
kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A
Done! You can now place workloads on your K8s cluster.
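The three nuances from the steps above (conmon path, kubelet cgroupDriver, kubelet arguments) as a read-only consistency check; this is an added example, not part of the original article. It assumes the file locations used in the walkthrough and the `listen` and `cgroup_manager` keys of crio.conf; the function names, the root-prefix argument and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a node's files for the three pitfalls in the walkthrough.
# The root-prefix argument is an assumption of this sketch; pass "" on a live host.

crio_value() {    # $1 = crio.conf, $2 = key: prints the value of `key = "value"`
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

kubelet_flag() {  # $1 = sysconfig file, $2 = flag name: prints its value, unquoted
    sed -n 's/.*--'"$2"'=\([^[:space:]]*\).*/\1/p' "$1" | tr -d "'\""
}

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

audit_node() {    # $1 = root prefix: prints findings, returns the number of failures
    root=$1; fails=0
    crio=$root/etc/crio/crio.conf; kargs=$root/etc/sysconfig/kubelet

    # Pitfall 1: crio.conf must name a conmon binary that actually exists.
    conmon=$(crio_value "$crio" conmon)
    { [ -n "$conmon" ] && [ -x "$root$conmon" ]; } || fail "no conmon at '$conmon'"

    # Pitfalls 2 and 3: CRI-O, config.yaml and the kubelet arguments must agree.
    mgr=$(crio_value "$crio" cgroup_manager)
    drv=$(sed -n 's/^cgroupDriver:[[:space:]]*//p' "$root/var/lib/kubelet/config.yaml")
    arg=$(kubelet_flag "$kargs" cgroup-driver)
    { [ -n "$mgr" ] && [ "$mgr" = "$drv" ] && [ "$mgr" = "$arg" ]; } ||
        fail "cgroup driver: crio=$mgr config.yaml=$drv args=$arg"
    [ "$(kubelet_flag "$kargs" container-runtime)" = remote ] ||
        fail "kubelet is not set to a remote (CRI) runtime"
    [ "$(kubelet_flag "$kargs" container-runtime-endpoint)" = "unix://$(crio_value "$crio" listen)" ] ||
        fail "kubelet endpoint differs from the CRI-O listen socket"
    return "$fails"
}

sample_tree() {   # constructed files mirroring the walkthrough before the conmon fix
    t=$(mktemp -d)
    mkdir -p "$t/etc/crio" "$t/etc/sysconfig" "$t/var/lib/kubelet" "$t/usr/bin"
    printf '%s\n' '[crio.api]' 'listen = "/var/run/crio/crio.sock"' '[crio.runtime]' \
        'conmon = "/usr/libexec/crio/conmon"' 'cgroup_manager = "systemd"' > "$t/etc/crio/crio.conf"
    printf '%s\n' 'kind: KubeletConfiguration' 'cgroupDriver: systemd' > "$t/var/lib/kubelet/config.yaml"
    printf '%s\n' "KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd \
--container-runtime-endpoint='unix:///var/run/crio/crio.sock'" > "$t/etc/sysconfig/kubelet"
    : > "$t/usr/bin/conmon"; chmod +x "$t/usr/bin/conmon"
    echo "$t"
}

tree=$(sample_tree)
audit_node "$tree" || echo "findings: $?"          # stale conmon path: 1 finding
sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' "$tree/etc/crio/crio.conf"
audit_node "$tree" && echo "node files are consistent"
rm -rf "$tree"
```

On a real host, `audit_node ""` run before `kubeadm init` reports the same mismatches that would otherwise surface only as a failed cluster initialization.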
What awaits us ahead
I hope the instructions above helped save you some time and nerves.
The outcome of processes taking place in the industry often depends on how they are received by the bulk of end users and by the developers of other software in the corresponding niche. It is not yet entirely clear where the OCI initiatives will lead in a few years, but we will follow them with pleasure. You can share your opinion right now in the comments.
Stay tuned!
This article appeared thanks to the following sources:
- The section on container runtimes
- The CRI-O project's page on the Internet
- Red Hat blog articles, and many others
Source: www.habr.com
