Å ajÄ rakstÄ tiks apspriests, kÄ tas darbojas , un bÅ«s arÄ« praktiskÄ daļa ar to savienojumu ar Docker.
Par izplatÄ«tÄkajÄm problÄmÄm ar Docker un jau to risinÄjumiem , Å”odien es Ä«si aprakstÄ«Å”u ievieÅ”anu no Kata Containers. Kata Containers ir droÅ”s konteinera izpildlaiks, kura pamatÄ ir vieglas virtuÄlÄs maŔīnas. Darbs ar tiem ir tÄds pats kÄ ar citiem konteineriem, taÄu papildus tiek nodroÅ”inÄta uzticamÄka izolÄcija, izmantojot aparatÅ«ras virtualizÄcijas tehnoloÄ£iju. Projekts sÄkÄs 2017. gadÄ, kad tÄda paÅ”a nosaukuma kopiena pabeidza Intel Clear Containers un Hyper.sh RunV labÄko ideju apvienoÅ”anu, pÄc tam tika turpinÄts darbs pie dažÄdu arhitektÅ«ru, tostarp AMD64, ARM, IBM p- un z, atbalsta. - sÄrija. TurklÄt darbs tiek atbalstÄ«ts hipervizoros QEMU, Firecracker, un ir arÄ« integrÄcija ar konteineru. Kods ir pieejams saskaÅÄ ar MIT licenci.
GalvenÄs iezÄ«mes
- StrÄdÄjot ar atseviŔķu kodolu, tÄdÄjÄdi nodroÅ”inot tÄ«kla, atmiÅas un I/O izolÄciju, ir iespÄjams piespiest izmantot aparatÅ«ras izolÄciju, kuras pamatÄ ir virtualizÄcijas paplaÅ”inÄjumi
- Atbalsts nozares standartiem, tostarp OCI (konteinera formÄts), Kubernetes CRI
- Š”ŃŠ°Š±ŠøŠ»ŃŠ½Š°Ń ŠæŃŠ¾ŠøŠ·Š²Š¾Š“ŠøŃŠµŠ»ŃŠ½Š¾ŃŃŃ Š¾Š±ŃŃŠ½ŃŃ ŠŗŠ¾Š½ŃŠµŠ¹Š½ŠµŃŠ¾Š² Linux, ŠæŠ¾Š²ŃŃŠµŠ½ŠøŠµ ŠøŠ·Š¾Š»ŃŃŠøŠø Š±ŠµŠ· Š½Š°ŠŗŠ»Š°Š“Š½ŃŃ ŃŠ°ŃŃ Š¾Š“Š¾Š², Š²Š»ŠøŃŃŃŠøŃ Š½Š° ŠæŃŠ¾ŠøŠ·Š²Š¾Š“ŠøŃŠµŠ»ŃŠ½Š¾ŃŃŃ Š¾Š±ŃŃŠ½ŃŃ Š²ŠøŃŃŃŠ°Š»ŃŠ½ŃŃ Š¼Š°ŃŠøŠ½
- NovÄrst nepiecieÅ”amÄ«bu palaist konteinerus pilnvÄrtÄ«gÄs virtuÄlÄs maŔīnÄs, vispÄrÄ«gÄs saskarnes vienkÄrÅ”o integrÄciju un palaiÅ”anu
UzstÄdÄ«Å”ana
Ir Š²Š°ŃŠøŠ°Š½ŃŠ¾Š² ŃŃŃŠ°Š½Š¾Š²ŠŗŠø, Ń ŃŠ°ŃŃŠ¼Š¾ŃŃŃ ŃŃŃŠ°Š½Š¾Š²ŠŗŃ ŠøŠ· ŃŠµŠæŠ¾Š·ŠøŃŠ¾ŃŠøŠµŠ², Š½Š° Š¾ŃŠ½Š¾Š²Šµ Š¾ŠæŠµŃŠ°ŃŠøŠ¾Š½Š½Š¾Š¹ ŃŠøŃŃŠµŠ¼Ń Centos 7.
Tas ir svarÄ«gi: Kata Containers darbs tiek atbalstÄ«ts tikai aparatÅ«rÄ, ne vienmÄr darbojas arÄ« virtualizÄcijas pÄradresÄcija nepiecieÅ”ams sse4.1 atbalsts no procesora.
Kata konteineru instalÄÅ”ana ir pavisam vienkÄrÅ”a:
InstalÄjiet utilÄ«tas darbam ar krÄtuvÄm:
# yum -y install yum-utilsAtspÄjot Selinux (pareizÄk ir konfigurÄt, bet vienkÄrŔības labad es to atspÄjoju):
# setenforce 0
# sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/configMÄs savienojam repozitoriju un veicam instalÄÅ”anu
# source /etc/os-release
# ARCH=$(arch)
# BRANCH="${BRANCH:-stable-1.10}"
# yum-config-manager --add-repo "http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/${BRANCH}/CentOS_${VERSION_ID}/home:katacontainers:releases:${ARCH}:${BRANCH}.repo"
# yum -y install kata-runtime kata-proxy kata-shimkoriÄ£ÄÅ”ana
Es gatavojos strÄdÄt ar docker, tÄ uzstÄdÄ«Å”ana ir tipiska, es to neaprakstÄ«Å”u sÄ«kÄk:
# rpm -qa | grep docker
docker-ce-cli-19.03.6-3.el7.x86_64
docker-ce-19.03.6-3.el7.x86_64
# docker -v
Docker version 19.03.6, build 369ce74a3cMÄs veicam izmaiÅas failÄ daemon.json:
# cat <<EOF > /etc/docker/daemon.json
{
"default-runtime": "kata-runtime",
"runtimes": {
"kata-runtime": {
"path": "/usr/bin/kata-runtime"
}
}
}
EOFRestartÄjiet doku:
# service docker restartFunkcionÄlÄ pÄrbaude
Ja startÄjat konteineru pirms doka restartÄÅ”anas, varat redzÄt, ka uname parÄdÄ«s kodola versiju, kas darbojas galvenajÄ sistÄmÄ:
# docker run busybox uname -a
Linux 19efd7188d06 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 GNU/LinuxPÄc restartÄÅ”anas kodola versija izskatÄs Å”Ädi:
# docker run busybox uname -a
Linux 9dd1f30fe9d4 4.19.86-5.container #1 SMP Sat Feb 22 01:53:14 UTC 2020 x86_64 GNU/LinuxVairÄk komandu!
# time docker run busybox mount
kataShared on / type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
kataShared on /etc/resolv.conf type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
kataShared on /etc/hostname type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
kataShared on /etc/hosts type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
proc on /proc/bus type proc (ro,relatime)
proc on /proc/fs type proc (ro,relatime)
proc on /proc/irq type proc (ro,relatime)
proc on /proc/sys type proc (ro,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /sys/firmware type tmpfs (ro,relatime)
real 0m2.381s
user 0m0.066s
sys 0m0.039s# time docker run busybox free -m
total used free shared buff/cache available
Mem: 1993 30 1962 0 1 1946
Swap: 0 0 0
real 0m3.297s
user 0m0.086s
sys 0m0.050sÄtra slodzes pÄrbaude
Lai novÄrtÄtu virtualizÄcijas radÄ«tos zaudÄjumus - kÄ galvenos piemÄrus palaidu sysbench .
Palaiž sysbench, izmantojot Docker+containerd
Procesora pÄrbaude
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Prime numbers limit: 20000
Initializing worker threads...
Threads started!
General statistics:
total time: 36.7335s
total number of events: 10000
total time taken by event execution: 36.7173s
response time:
min: 3.43ms
avg: 3.67ms
max: 8.34ms
approx. 95 percentile: 3.79ms
Threads fairness:
events (avg/stddev): 10000.0000/0.00
execution time (avg/stddev): 36.7173/0.00RAM tests
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Initializing worker threads...
Threads started!
Operations performed: 104857600 (2172673.64 ops/sec)
102400.00 MiB transferred (2121.75 MiB/sec)
General statistics:
total time: 48.2620s
total number of events: 104857600
total time taken by event execution: 17.4161s
response time:
min: 0.00ms
avg: 0.00ms
max: 0.17ms
approx. 95 percentile: 0.00ms
Threads fairness:
events (avg/stddev): 104857600.0000/0.00
execution time (avg/stddev): 17.4161/0.00Darbojas sysbench, izmantojot Docker+Kata konteinerus
Procesora pÄrbaude
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Prime numbers limit: 20000
Initializing worker threads...
Threads started!
General statistics:
total time: 36.5747s
total number of events: 10000
total time taken by event execution: 36.5594s
response time:
min: 3.43ms
avg: 3.66ms
max: 4.93ms
approx. 95 percentile: 3.77ms
Threads fairness:
events (avg/stddev): 10000.0000/0.00
execution time (avg/stddev): 36.5594/0.00RAM tests
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Initializing worker threads...
Threads started!
Operations performed: 104857600 (2450366.94 ops/sec)
102400.00 MiB transferred (2392.94 MiB/sec)
General statistics:
total time: 42.7926s
total number of events: 104857600
total time taken by event execution: 16.1512s
response time:
min: 0.00ms
avg: 0.00ms
max: 0.43ms
approx. 95 percentile: 0.00ms
Threads fairness:
events (avg/stddev): 104857600.0000/0.00
execution time (avg/stddev): 16.1512/0.00PrincipÄ situÄcija jau ir skaidra, bet optimÄlÄk ir testus palaist vairÄkas reizes, noÅemot izÅÄmumus un vidÄjos rezultÄtus, tÄpÄc pagaidÄm vairÄk testu neveicu.
Atzinumi
Neskatoties uz to, ka Å”Ädu konteineru palaiÅ”ana prasa apmÄram piecas lÄ«dz desmit reizes ilgÄku laiku (parastais izpildes laiks lÄ«dzÄ«gÄm komandÄm, izmantojot konteineru, ir mazÄks par treÅ”daļu sekundes), tie joprojÄm darbojas diezgan Ätri, ja Åemam absolÅ«to sÄkuma laiku (tur ir iepriekÅ” minÄtie piemÄri, komandas tiek izpildÄ«tas vidÄji trÄ«s sekundÄs). CPU un RAM ÄtrÄs pÄrbaudes rezultÄti uzrÄda gandrÄ«z tÄdus paÅ”us rezultÄtus, kas var tikai priecÄties, jo Ä«paÅ”i Åemot vÄrÄ faktu, ka izolÄcija tiek nodroÅ”inÄta, izmantojot tik labi darbinÄtu mehÄnismu kÄ kvm.
PaziÅojums
Raksts ir apskats, taÄu tas dod iespÄju sajust alternatÄ«vo izpildlaiku. Daudzas pielietoÅ”anas jomas nav aptvertas, piemÄram, vietnÄ ir aprakstÄ«ta iespÄja palaist Kubernetes virs Kata konteineriem. TurklÄt varat arÄ« palaist virkni testu, kas vÄrsti uz droŔības problÄmu atraÅ”anu, ierobežojumu iestatÄ«Å”anu un citÄm interesantÄm lietÄm.
Aicinu visus, kas Å”eit lasÄ«juÅ”i un pÄrtÄ«juÅ”i, piedalÄ«ties aptaujÄ, no kuras bÅ«s atkarÄ«gas turpmÄkÄs publikÄcijas par Å”o tÄmu.
AptaujÄ var piedalÄ«ties tikai reÄ£istrÄti lietotÄji. , lÅ«dzu.
Vai man vajadzÄtu turpinÄt publicÄt rakstus par Kata Containers?
80,0%JÄ, raksti vairÄk!28
20,0%NÄ, nevajag...7
Nobalsoja 35 lietotÄji. 7 lietotÄji atturÄjÄs.
Avots: www.habr.com
