Galab wanaagsan, waxaan rabaa in aan kula wadaago waayo-aragnimadayda ku saabsan dejinta iyo adeegsiga adeegga AWS EKS (Adeegga Kubernetes ee Elastic Kubernetes) ee weelasha Windows, ama halkii ku saabsan suurtagalnimada isticmaalka, iyo cayayaanka laga helay weelka nidaamka AWS, kuwaas Kuwa xiisaynaya adeegan weelasha Windows, fadlan bisad hoostooda.
Waan ogahay in weelasha Windows aysan ahayn mowduuc caan ah, dad yarna ay isticmaalaan, laakiin wali waxaan go'aansaday inaan qoro maqaalkan, maadaama ay jireen dhowr maqaal oo ku saabsan Habré oo ku saabsan kubernetes iyo Windows oo ay wali jiraan dad noocaas ah.
Начало
Dhammaantood waxay bilaabeen markii la go'aamiyay in loo haajiro adeegyada shirkadeena kubernetes, taas oo ah 70% Windows iyo 30% Linux. Ujeedadaas awgeed, adeegga daruuraha AWS EKS waxaa loo tixgeliyey mid ka mid ah fursadaha suurtogalka ah. Ilaa Oktoobar 8, 2019, AWS EKS Windows wuxuu ku jiray Aragtida Dadweynaha, waxaan ku bilaabay, noocii hore ee 1.11 ee kubernetes ayaa lagu isticmaalay halkaas, laakiin waxaan go'aansaday inaan hubiyo si kastaba oo aan arko heerka adeegga daruuriga ah, inuu shaqeynayo. at dhan, sida ay u soo baxday, maya, waxa ay ahayd halkaas cayayaan ah oo lagu daray ka saarida pods, halka kuwii hore joojiyay ka jawaabidda via ip gudaha ka subnet la mid ah sida daaqadaha shaqaalaha noode.
Sidaa darteed, waxaa la go'aamiyay in la iska dhaafo isticmaalka AWS EKS si aan ugu taageerno kooxdayada kubernetes ee isla EC2, kaliya waa inaan ku qeexnaa dhammaan dheelitirka iyo HA nafteena iyada oo loo marayo CloudFormation.
Amazon EKS Taageerada Kontaynarrada Windows hadda Guud ahaan waa la heli karaa
by Martin Beeby | 08 OCT 2019
Kahor intaanan helin wakhti aan ku daro template CloudFormation kooxadeyda, waxaan arkay warkan
Dabcan, dhammaan shaqadeyda ayaan dhinac iska dhigay oo waxaan bilaabay inaan barto waxa ay u qabteen GA, iyo sida ay wax walba isu beddeleen Horudhac Dadweynaha. Haa, AWS, si fiican loo sameeyay, ayaa cusboonaysiiyay sawirada daaqadaha shaqalaha node nooca 1.14, iyo sidoo kale kooxda lafteeda, nooca 1.14 ee EKS, hadda waxay taageertaa daaqadaha noodaha. Mashruuc ay dadweynuhu ku eegayaan Way dabooleen oo yiraahdeen hadda isticmaal dukumeentiga rasmiga ah halkan:
Isku dhafka kooxda EKS ee VPC-da iyo shabakadaha hoose ee hadda jira
Dhammaan ilaha, xiriirka kore ee ku dhawaaqista iyo sidoo kale dukumeentiyada, waxaa la soo jeediyay in la geeyo kooxda iyada oo loo marayo utility eksctl lahaanshaha ama iyada oo loo marayo CloudFormation + kubectl ka dib, oo kaliya isticmaalka subnets dadweynaha ee Amazon, iyo sidoo kale abuurista a VPC kala saar koox cusub.
Doorashadani kuma habboona qaar badan; marka hore, VPC gaar ah waxay ka dhigan tahay kharashyo dheeraad ah oo ku kacaya qiimaheeda + isu-fiirsiga taraafikada VPC-gaaga hadda. Maxaa la gudboon kuwa horeba u haysta kaabayaal diyaarsan oo AWS ah oo leh xisaabaadkooda Multiple AWS, VPC, subnets, miisaska dariiqyada, albaabka gaadiidka iyo wixii la mid ah? Dabcan, ma rabtid inaad jebiso ama dib u sameyso waxaas oo dhan, waxaadna u baahan tahay inaad ku biirto kooxda cusub ee EKS kaabayaasha shabakada hadda, adoo isticmaalaya VPC-da jira iyo, kala-soocidda, inta badan waxay abuurtaa shabakadaha cusub ee kooxda.
Kiiskeyga, wadadan ayaa la doortay, waxaan isticmaalay VPC-da jira, waxaan ku daray kaliya 2 subnets dadweynaha iyo 2 subnets gaar ah oo loogu talagalay kooxda cusub, dabcan, dhammaan sharciyada ayaa lagu xisaabtamay sida ku cad dukumentiyada. .
Waxa kale oo jirtay hal shardi: ma jiro qanjidhada shaqaalaha ee shabakadaha dadweynaha ee isticmaalaya EIP.
eksctl vs CloudFormation
Isla markiiba waxaan samayn doonaa boos celin ah in aan isku dayay labada hab ee lagu geynayo koox, labada xaaladoodba sawirku waa isku mid.
Waxaan tusi doonaa tusaale kaliya anigoo isticmaalaya eksctl maadaama koodka halkan uu noqon doono mid gaaban. Adigoo isticmaalaya eksctl, dhig kutlada 3 tillaabo:
1. Waxaan abuurnaa kooxda lafteeda + noodhka shaqaalaha Linux, kaas oo hadhow martigelin doona weelasha nidaamka iyo isla kantaroolaha vpc-ga xun.
eksctl create cluster
--name yyy
--region www
--version 1.14
--vpc-private-subnets=subnet-xxxxx,subnet-xxxxx
--vpc-public-subnets=subnet-xxxxx,subnet-xxxxx
--asg-access
--nodegroup-name linux-workers
--node-type t3.small
--node-volume-size 20
--ssh-public-key wwwwwwww
--nodes 1
--nodes-min 1
--nodes-max 2
--node-ami auto
--node-private-networkingSi loo geeyo VPC jira, kaliya sheeg aqoonsiga shabakadaha hoose, oo eksctl ayaa go'aamin doonta VPC lafteeda.
Si aad u hubiso in qanjidhada shaqaalahaaga la geeyo kaliya subnet gaar ah, waxaad u baahan tahay inaad qeexdo --node-private-networking for nodegroup.
2. Waxaan ku rakibnaa vpc-controller in cluster our, kaas oo markaa ka shaqeyn doona noodhka shaqaalahayaga, tirinta tirada cinwaannada IP-ga ee bilaashka ah, iyo sidoo kale tirada ENI-yada tusaale ahaan, ku dara oo ka saaraya iyaga.
eksctl utils install-vpc-controllers --name yyy --approve3.Ka dib markii weelasha nidaamkaagu ay si guul leh u fureen noodhka shaqaalaha Linux, oo ay ku jiraan vpc-controller, waxa hadhay oo dhan waa in la abuuro nodegroup kale oo leh shaqaalaha daaqadaha.
eksctl create nodegroup
--region www
--cluster yyy
--version 1.14
--name windows-workers
--node-type t3.small
--ssh-public-key wwwwwwwwww
--nodes 1
--nodes-min 1
--nodes-max 2
--node-ami-family WindowsServer2019CoreContainer
--node-ami ami-0573336fc96252d05
--node-private-networkingKa dib markii uu noodhkaagu si guul leh ugu xidhmo kutladaada oo ay wax walba u muuqdaan inay fiican yihiin, waxay ku jirtaa xaalad diyaar ah, laakiin maya.
Cilad ku jirta vpc-controller
Haddi aan isku dayno in aan ku wadno galbadaha noodhka shaqaalaha daaqadaha, waxa aanu heli doonaa khaladka:
NetworkPlugin cni failed to teardown pod "windows-server-iis-7dcfc7c79b-4z4v7_default" network: failed to parse Kubernetes args: pod does not have label vpc.amazonaws.com/PrivateIPv4Address]Haddii aan si qoto dheer u eegno, waxaan aragnaa in tusaalahayaga AWS uu u eg yahay sidan:
Waana inay noqotaa sidan:
Halkaa waxaa ka cad in vpc-controller uusan buuxin qaybtiisa sababo jira oo uusan ku dari karin cinwaanno IP-ga cusub tusaale ahaan si ay boobyadu u isticmaalaan.
Aynu eegno diiwaannada vpc-controller pod waana kan waxa aan aragno:
kubectl log -n cube-nidaam
I1011 06:32:03.910140 1 watcher.go:178] Node watcher processing node ip-10-xxx.ap-xxx.compute.internal.
I1011 06:32:03.910162 1 manager.go:109] Node manager adding node ip-10-xxx.ap-xxx.compute.internal with instanceID i-088xxxxx.
I1011 06:32:03.915238 1 watcher.go:238] Node watcher processing update on node ip-10-xxx.ap-xxx.compute.internal.
E1011 06:32:08.200423 1 manager.go:126] Node manager failed to get resource vpc.amazonaws.com/CIDRBlock pool on node ip-10-xxx.ap-xxx.compute.internal: failed to find the route table for subnet subnet-0xxxx
E1011 06:32:08.201211 1 watcher.go:183] Node watcher failed to add node ip-10-xxx.ap-xxx.compute.internal: failed to find the route table for subnet subnet-0xxx
I1011 06:32:08.201229 1 watcher.go:259] Node watcher adding key ip-10-xxx.ap-xxx.compute.internal (0): failed to find the route table for subnet subnet-0xxxx
I1011 06:32:08.201302 1 manager.go:173] Node manager updating node ip-10-xxx.ap-xxx.compute.internal.
E1011 06:32:08.201313 1 watcher.go:242] Node watcher failed to update node ip-10-xxx.ap-xxx.compute.internal: node manager: failed to find node ip-10-xxx.ap-xxx.compute.internal.Baadhitaannada Google-ka waxba uma horseedin, maadaama sida muuqata aanu qofna weli qabin cayayaankan oo kale, ama aan arrin ku soo dhejin, waa inaan marka hore ka fikiraa ikhtiyaarrada nafteyda. Waxa ugu horreeya ee maskaxda ku soo dhaca waxay ahayd in laga yaabo in vpc-controller uusan xallin karin ip-10-xxx.ap-xxx.compute.internal oo uu gaaro oo sidaas darteed khaladaadku dhacaan.
Haa, runtii, waxaan u isticmaalnaa server-yada DNS ee caadiga ah ee VPC iyo, mabda 'ahaan, ma isticmaalno kuwa Amazon, markaa xitaa gudbinta looma habeynin ap-xxx.compute.internal domain. Waxaan tijaabiyay doorashadan, mana aysan keenin natiijooyin, laga yaabee in imtixaanku uusan nadiif ahayn, sidaas darteed, intaa ka sii dheer, markii aan la xiriiro taageerada farsamada, waxaan u hoggaansamay fikradooda.
Maaddaama aysan jirin fikrado dhab ah, dhammaan kooxaha amniga waxaa abuuray eksctl laftiisa, sidaas darteed shaki kuma jiro adeegyadooda, miisaska dariiqa ayaa sidoo kale sax ahaa, nat, dns, helitaanka internetka ee qanjidhada shaqaalaha ayaa sidoo kale halkaas ku sugnaa.
Waxaa intaa dheer, haddii aad geyso noodhka shaqaalaha shabakada hoose ee dadweynaha adiga oo aan isticmaalin -node-private-networking, noodhkan waxaa isla markiiba cusbooneysiiyay vpc-controller wax walbana waxay u shaqeeyeen sida saacada shaqada.
Waxaa jiray laba doorasho:
- Iska daa oo sug ilaa uu qof ku sifeeyo bug-gan AWS oo ay hagaajiyaan, ka dibna si badbaado leh ayaad u isticmaali kartaa AWS EKS Windows, sababtoo ah waxay hadda ku sii daayeen GA (8 maalmood ayaa ka soo wareegtay wakhtiga qorista maqaalkan), qaar badan ayaa laga yaabaa inay raac wadadii aniga oo kale .
- U qor Taageerada AWS oo u sheeg nuxurka dhibaatada oo u sheeg guntin dhan oo geedo ah oo meel kasta ka yimid una cadd in adeeggoodu aanu shaqaynayn markaad isticmaalayso VPC-gaaga iyo subnets-kaaga, maahan wax aan micno lahayn in aanu haysanay taageero ganacsi, waa inaad isticmaashaa ugu yaraan hal mar :)
Xiriirinta injineerada AWS
Anigoo abuuray tigidh ku yaal portal-ka, waxaan si khalad ah u doortay inaan iiga soo jawaabo Websaydhka - iimaylka ama xarunta taageerada, iyada oo loo marayo doorashadan waxay kuugu jawaabi karaan dhowr maalmood ka dib haba yaraatee, inkasta oo xaqiiqda ah in tigidhkaygu uu lahaa darnaan - Nidaam daciif ah, kaas oo macnaheedu waa jawaab celin gudaha <12 saacadood, iyo maadaama qorshaha taageerada ganacsigu leeyahay taageerada 24/7, waxaan rajeynayaa sida ugu fiican, laakiin waxay noqotay sidii had iyo jeer.
Tigidhkayga waxa uu ahaa mid aan la qorin Jimcihii ilaa Isniinta, ka dib waxaan go'aansaday in aan mar kale u qoro iyaga oo doortay ikhtiyaarka jawaabta Chat. Markii aan sugay muddo yar, Harshad Madhav ayaa loo magacaabay inuu i arko, ka dibna waxay bilaabatay...
Waxaan khadka internetka ku daabacnay 3 saacadood oo isku xigta, wareejinta diiwaannada, geynay isla kooxda shaybaarka AWS si aan uga daydo dhibaatada, dib-u-abuurista kooxdayda qaybteyda, iyo wixii la mid ah, waxa kaliya ee aan u nimid waa taas Diiwaanada waxaa caddaatay in resol uusan shaqaynayn magacyada gudaha ee AWS, oo aan kor ku qoray, Harshad Madhav wuxuu iga codsaday inaan abuurno gudbin, oo la sheegay in aan isticmaalno DNS-ka caadiga ah taasina waxay noqon kartaa dhibaato.
Gudbinta
ap-xxx.compute.internal -> 10.x.x.2 (VPC CIDRBlock)
amazonaws.com -> 10.x.x.2 (VPC CIDRBlock)Taasi waa wixii la sameeyay, maalintii way dhammaatay, Harshad Madhav ayaa dib u soo qoray si loo hubiyo oo ay shaqeyso, laakiin maya, xalku waxba ma tarin.
Kadib waxaa jiray isgaarsiin lala yeeshay 2 injineero kale, mid si fudud uga baxay sheekeysiga, sida muuqata wuxuu ka baqay kiis adag, kii labaadna wuxuu ku qaatay maalinteyda mar kale wareeg buuxa oo qalad ah, dirista logs, abuurista rucubyada labada dhinac, gudaha Dhammaadkii ayuu si fiican u yidhi, aniga way ii shaqaynaysaa, halkan waxaan ku samaynayaa wax kasta oo tallaabo tallaabo ah dukumentiga rasmiga ah adigana waad guulaysan doontaa.
Taas oo aan si xushmad leh uga codsaday inuu baxo oo uu qof kale u dhiibo tigidhkayga haddii aanad garanayn meesha aad dhibaatada ka raadiso.
Dhamaadka
Maalintii saddexaad ayaa waxaa la ii magacaabay Injineer cusub oo Arun B. ah, waxaana bilawgii xidhiidhkii isaga la soo baxay in aanu kani ahayn 3dii Injineer ee hore. Wuxuu akhriyay taariikhda oo dhan wuxuuna isla markiiba waydiistay inuu ururiyo logyada isagoo isticmaalaya qoraalkiisa ps1, kaas oo ku yaal githubkiisa. Tan waxaa ku xigtay mar kale dhammaan soo noqnoqoshada abuurista kooxa, soo saarista natiijooyinka amarka, ururinta diiwaanka, laakiin Arun B. wuxuu u socday jihada saxda ah isagoo ku xukumaya su'aalaha la i weydiiyay.
Goorma ayaanu gaadhnay heerka awood-stderrthreshold=debug ee vpc-controller-kooda, maxaase dhacay kadib? Dabcan ma shaqaynayso) boodhka si fudud kuma bilaabo doorashadan, kaliya -stderrthreshold=info ayaa shaqeysa.
Waxaan ku dhameysanay halkan Arun B. wuxuu sheegay inuu isku dayi doono inuu soo saaro talaabooyinkayga si aan u helo qalad la mid ah. Maalintii xigtay waxaan jawaab ka helay Arun B. isagu kama tegin kiiskan, laakiin wuxuu qaatay code dib u eegista ee vpc-controller oo ay heleen meesha ay ku taal iyo sababta ay u shaqeyn weyday:
Sidaa darteed, haddii aad isticmaasho miiska dariiqa ugu muhiimsan ee VPC-gaaga, ka dib marka la eego ma laha ururo leh subnets lagama maarmaanka ah, kuwaas oo lagama maarmaan u ah vpc-controller, marka la eego subnet dadweynaha, waxay leedahay miiska wadada gaarka ah. kaas oo leh urur.
Adigoo gacanta ku daraya ururada miiska dariiqa ugu muhiimsan oo leh shabakado-hoosaadyada lagama maarmaanka ah, iyo dib-u-abuurista nodegroup, wax walba si fiican ayey u shaqeeyaan.
Waxaan rajeynayaa in Arun B. uu si dhab ah uga warbixin doono cayayaankan horumarinta EKS waxaanan arki doonaa nooc cusub oo vpc-controller ah halkaas oo wax walba ay ka shaqeyn doonaan sanduuqa. Hadda nooca ugu dambeeyay waa: 602401143452.dkr.ecr.ap-southeast-1.amazonaws.com/eks/vpc-resource-controller:0.2.1
wuxuu leeyahay dhibaatadan.
Waad ku mahadsan tahay qof kasta oo akhriya ilaa dhamaadka, tijaabi wax kasta oo aad u isticmaali doonto wax soo saarka ka hor inta aan la hirgelin.
Source: www.habr.com