Dan l-artikolu ser jiddiskuti kif jaħdem , u se jkun hemm ukoll parti prattika bil-konnessjoni tagħhom ma’ Docker.
Dwar problemi komuni ma 'Docker u s-soluzzjonijiet tagħhom diġà , illum ser niddeskrivi fil-qosor l-implimentazzjoni minn Kata Containers. Kata Containers huwa runtime ta' kontenitur sigur ibbażat fuq magni virtwali ħfief. Ix-xogħol magħhom huwa l-istess bħal ma 'kontenituri oħra, iżda barra minn hekk hemm iżolament aktar affidabbli bl-użu tat-teknoloġija tal-virtwalizzazzjoni tal-ħardwer. Il-proġett beda fl-2017, meta l-komunità tal-istess isem temmet l-għaqda tal-aħjar ideat minn Intel Clear Containers u Hyper.sh RunV, u wara x-xogħol kompla fuq appoġġ għal diversi arkitetturi, inklużi AMD64, ARM, IBM p- u z -serje. Barra minn hekk, ix-xogħol ġewwa l-hypervisors QEMU, Firecracker huwa appoġġjat, u hemm ukoll integrazzjoni ma containerd. Il-kodiċi huwa disponibbli fuq taħt il-liċenzja MIT.
Karatteristiċi ewlenin
- Ħidma b'qalba separata, u b'hekk tipprovdi netwerk, memorja u iżolament I / O, huwa possibbli li jiġi sfurzat l-użu ta 'iżolament ta' ħardwer ibbażat fuq estensjonijiet ta 'virtwalizzazzjoni
- Appoġġ għall-istandards tal-industrija inkluż OCI (format tal-kontenitur), Kubernetes CRI
- Prestazzjoni konsistenti ta 'kontenituri Linux regolari, iżolament miżjud mingħajr l-overhead tal-prestazzjoni ta' VMs regolari
- Elimina l-ħtieġa li jitħaddmu kontenituri ġewwa magni virtwali sħaħ, interfaces ġeneriċi jissimplifikaw l-integrazzjoni u t-tnedija
Installazzjoni
Hemm għażliet ta 'installazzjoni, ser nikkunsidra l-installazzjoni mir-repożitorji, ibbażati fuq is-sistema operattiva Centos 7.
Huwa importanti: Ix-xogħol tal-Kontenituri Kata huwa appoġġjat biss fuq il-ħardwer, it-trażmissjoni tal-virtwalizzazzjoni mhux dejjem taħdem, ukoll bżonn appoġġ sse4.1 mill-proċessur.
L-installazzjoni tal-Kontenituri Kata hija pjuttost sempliċi:
Installa utilitajiet biex taħdem ma' repożitorji:
# yum -y install yum-utilsIddiżattiva Selinux (huwa aktar korrett li jiġi kkonfigurat, iżda għas-sempliċità nneħħih):
# setenforce 0
# sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/configAħna nqabbdu r-repożitorju u nwettqu l-installazzjoni
# source /etc/os-release
# ARCH=$(arch)
# BRANCH="${BRANCH:-stable-1.10}"
# yum-config-manager --add-repo "http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/${BRANCH}/CentOS_${VERSION_ID}/home:katacontainers:releases:${ARCH}:${BRANCH}.repo"
# yum -y install kata-runtime kata-proxy kata-shimaġġustament
Se nikkonfiguraha biex taħdem ma 'docker, l-installazzjoni tagħha hija tipika, mhux se niddeskriviha f'aktar dettall:
# rpm -qa | grep docker
docker-ce-cli-19.03.6-3.el7.x86_64
docker-ce-19.03.6-3.el7.x86_64
# docker -v
Docker version 19.03.6, build 369ce74a3cAħna nagħmlu bidliet għal daemon.json:
# cat <<EOF > /etc/docker/daemon.json
{
"default-runtime": "kata-runtime",
"runtimes": {
"kata-runtime": {
"path": "/usr/bin/kata-runtime"
}
}
}
EOFIbda mill-ġdid docker:
# service docker restartKontroll funzjonali
Jekk tibda l-kontenitur qabel ma terġa' tibda docker, tista' tara li uname se tagħti l-verżjoni tal-kernel li taħdem fuq is-sistema prinċipali:
# docker run busybox uname -a
Linux 19efd7188d06 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 GNU/LinuxWara bidu mill-ġdid, il-verżjoni tal-kernel tidher bħal din:
# docker run busybox uname -a
Linux 9dd1f30fe9d4 4.19.86-5.container #1 SMP Sat Feb 22 01:53:14 UTC 2020 x86_64 GNU/LinuxAktar timijiet!
# time docker run busybox mount
kataShared on / type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
kataShared on /etc/resolv.conf type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
kataShared on /etc/hostname type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
kataShared on /etc/hosts type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio)
proc on /proc/bus type proc (ro,relatime)
proc on /proc/fs type proc (ro,relatime)
proc on /proc/irq type proc (ro,relatime)
proc on /proc/sys type proc (ro,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /sys/firmware type tmpfs (ro,relatime)
real 0m2.381s
user 0m0.066s
sys 0m0.039s# time docker run busybox free -m
total used free shared buff/cache available
Mem: 1993 30 1962 0 1 1946
Swap: 0 0 0
real 0m3.297s
user 0m0.086s
sys 0m0.050sIttestjar veloċi tat-tagħbija
Biex tevalwa t-telf mill-virtwalizzazzjoni - I run sysbench, bħala l-eżempji ewlenin .
Tmexxi sysbench bl-użu ta' Docker+containerd
Test tal-proċessur
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Prime numbers limit: 20000
Initializing worker threads...
Threads started!
General statistics:
total time: 36.7335s
total number of events: 10000
total time taken by event execution: 36.7173s
response time:
min: 3.43ms
avg: 3.67ms
max: 8.34ms
approx. 95 percentile: 3.79ms
Threads fairness:
events (avg/stddev): 10000.0000/0.00
execution time (avg/stddev): 36.7173/0.00Test RAM
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Initializing worker threads...
Threads started!
Operations performed: 104857600 (2172673.64 ops/sec)
102400.00 MiB transferred (2121.75 MiB/sec)
General statistics:
total time: 48.2620s
total number of events: 104857600
total time taken by event execution: 17.4161s
response time:
min: 0.00ms
avg: 0.00ms
max: 0.17ms
approx. 95 percentile: 0.00ms
Threads fairness:
events (avg/stddev): 104857600.0000/0.00
execution time (avg/stddev): 17.4161/0.00It-tħaddim ta' sysbench bl-użu ta' Docker+Kata Containers
Test tal-proċessur
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Prime numbers limit: 20000
Initializing worker threads...
Threads started!
General statistics:
total time: 36.5747s
total number of events: 10000
total time taken by event execution: 36.5594s
response time:
min: 3.43ms
avg: 3.66ms
max: 4.93ms
approx. 95 percentile: 3.77ms
Threads fairness:
events (avg/stddev): 10000.0000/0.00
execution time (avg/stddev): 36.5594/0.00Test RAM
sysbench 1.0: multi-threaded system evaluation benchmark
Running the test with following options:
Number of threads: 1
Initializing random number generator from current time
Initializing worker threads...
Threads started!
Operations performed: 104857600 (2450366.94 ops/sec)
102400.00 MiB transferred (2392.94 MiB/sec)
General statistics:
total time: 42.7926s
total number of events: 104857600
total time taken by event execution: 16.1512s
response time:
min: 0.00ms
avg: 0.00ms
max: 0.43ms
approx. 95 percentile: 0.00ms
Threads fairness:
events (avg/stddev): 104857600.0000/0.00
execution time (avg/stddev): 16.1512/0.00Fil-prinċipju, is-sitwazzjoni hija diġà ċara, iżda huwa aktar ottimali li tmexxi t-testijiet diversi drabi, tneħħi l-outliers u nagħmel medja tar-riżultati, għalhekk ma nagħmelx aktar testijiet s'issa.
Sejbiet
Minkejja l-fatt li kontenituri bħal dawn jieħdu madwar ħames sa għaxar darbiet itwal biex jibdew (il-ħin ta’ tħaddim tipiku għal kmandi simili meta jintuża containerd huwa inqas minn terz ta’ sekonda), xorta jaħdmu pjuttost malajr jekk nieħdu l-ħin assolut tal-bidu (hemm huma eżempji hawn fuq, kmandi mwettqa f’medja ta’ tliet sekondi). Ukoll, ir-riżultati ta 'test ta' malajr ta 'CPU u RAM juru kważi l-istess riżultati, li ma jistgħux ma jifirħux, speċjalment fid-dawl tal-fatt li l-iżolament huwa pprovdut bl-użu ta' mekkaniżmu mmexxi tajjeb bħal kvm.
Avviż
L-artiklu huwa reviżjoni, iżda jagħtik l-opportunità li tħoss ir-runtime alternattiva. Ħafna oqsma ta 'applikazzjoni mhumiex koperti, pereżempju, is-sit jiddeskrivi l-abbiltà li tmexxi Kubernetes fuq Kata Containers. Barra minn hekk, tista 'wkoll tmexxi serje ta' testijiet iffukati fuq is-sejba ta 'problemi ta' sigurtà, l-iffissar ta 'restrizzjonijiet, u affarijiet interessanti oħra.
Nitlob lil dawk kollha li qraw u reġgħu hawn biex jieħdu sehem fl-istħarriġ, li fuqu se jiddependu pubblikazzjonijiet futuri dwar dan is-suġġett.
Utenti reġistrati biss jistgħu jipparteċipaw fl-istħarriġ. , ta 'xejn.
Għandi nkompli nippubblika artikli dwar Kata Containers?
-
80,0%Iva, ikteb aktar!28
-
20,0%Le, m'għandekx...7
Ivvutaw 35 utent. 7 utenti astjenew.
Sors: www.habr.com