CRI-O as a replacement for Docker as the runtime environment for Kubernetes: setup on CentOS 8

Hello! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf aims not only to build interaction between specialists and integrate work processes, but also to actively research and adopt current technologies, both in its own infrastructure and in customers' infrastructure.

Below I will talk a little about the changes in the container technology stack that we ran into while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up an executable environment for Kubernetes.

Why is Docker not included in CentOS 8?

After installing the latest major releases of RHEL 8 or CentOS 8, one cannot help but notice that these distributions and their official repositories do not contain the Docker application, which is ideologically and functionally replaced by the packages Podman, Buildah (present in the distribution by default) and CRI-O. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.

The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they do not contradict the Linux philosophy (for example, the part that says each program should do one thing, whereas Docker is a kind of all-in-one combine). Second, they could eliminate all the existing shortcomings of the Docker software. Third, they would be fully compatible with the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).

The shortcomings of Docker and the advantages of the new software have already been described in some detail in this article, and a detailed description of the whole software stack offered within the OCI project and of its architectural features can be found in the official documentation and in articles from Red Hat itself (a decent article on the Red Hat blog) as well as in third-party reviews.

It is important to note what the components of the proposed stack do:

  • Podman - direct interaction with containers and image storage through the runC process;
  • Buildah - building images and uploading them to a registry;
  • CRI-O - an executable environment for container orchestration systems (for example, Kubernetes).

I think that, to understand the general scheme of interaction between the components of the stack, it is worth showing here a diagram of how Kubernetes connects to runC and the low-level libraries through CRI-O:

[Diagram: how Kubernetes connects to runC and the low-level libraries through CRI-O]

CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O are the same). Given the developers' focus on full and comprehensive testing of this stack, this gives us the right to expect the maximum achievable stability in any usage scenario (the relative lightness of CRI-O compared to Docker, due to its deliberately restricted functionality, is also an advantage here).

When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into a few small difficulties, which we nevertheless successfully overcame. I will be glad to share the installation and configuration instructions with you; in total they will take about 10 minutes.

How to deploy Kubernetes on CentOS 8 using the CRI-O runtime

Prerequisites: at least one host (2 cores, 4 GB RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), as well as an entry for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). And do not forget to disable swap.

We perform all operations on the host as the root user, so be careful.

  1. In the first step we configure the OS, then install and configure the preliminary dependencies for CRI-O.
    • Update the OS:
      dnf -y update
      

    • Next you need to configure the firewall and SELinux. Here everything depends on the environment in which our host or hosts will run. You can either configure the firewall according to the recommendations in the documentation or, if you are on a trusted network or use a third-party firewall, change the default zone to trusted or turn the firewall off:
      firewall-cmd --set-default-zone trusted
      
      firewall-cmd --reload

      To turn the firewall off you can use the following command:

      systemctl disable --now firewalld
      

      SELinux needs to be turned off or switched to "permissive" mode:

      setenforce 0
      
      sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

    • Load the required kernel modules and packages, and configure automatic loading of the "br_netfilter" module at system startup:
      modprobe overlay
      
      modprobe br_netfilter
      
      echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
      
      dnf -y install iproute-tc
      

    • To enable packet forwarding and correct traffic processing, make the appropriate settings:
      cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
      net.bridge.bridge-nf-call-iptables = 1
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      EOF
      

      Apply the settings:

      sysctl --system

    • Set the required CRI-O version (as already mentioned, the major version of CRI-O matches the required version of Kubernetes); the latest stable version of Kubernetes is currently 1.18:
      export REQUIRED_VERSION=1.18
      

      Add the required repositories:

      dnf -y install 'dnf-command(copr)'
      
      dnf -y copr enable rhcontainerbot/container-selinux
      
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
      
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo

    • Now we can install CRI-O:
      dnf -y install cri-o
      

      Note the first nuance we encounter during installation: you need to edit the CRI-O configuration before starting the service, because the required component, conmon, is located in a different place from the one specified:

      sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf

      Now you can enable and start the CRI-O daemon:

      systemctl enable --now crio
      

      You can check the status of the daemon:

      systemctl status crio
      

  2. Installing and activating Kubernetes.
    • Add the required repository:
      cat <<EOF > /etc/yum.repos.d/kubernetes.repo
      [kubernetes]
      name=Kubernetes
      baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
      enabled=1
      gpgcheck=1
      repo_gpgcheck=1
      gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
      exclude=kubelet kubeadm kubectl
      EOF
      

      Now we can install Kubernetes (version 1.18, as mentioned above):

      dnf install -y kubelet-1.18* kubeadm-1.18* kubectl-1.18* --disableexcludes=kubernetes

    • The second important nuance: since we are using the CRI-O daemon rather than the Docker daemon, before starting and initializing Kubernetes you need to make the appropriate settings in the configuration file /var/lib/kubelet/config.yaml, having first created the required directory:
      mkdir /var/lib/kubelet
      
      cat <<EOF > /var/lib/kubelet/config.yaml
      apiVersion: kubelet.config.k8s.io/v1beta1
      kind: KubeletConfiguration
      cgroupDriver: systemd
      EOF

    • The third important point we encounter during installation: even though we have specified the cgroup driver to use, and configuring it through arguments passed to kubelet is deprecated (as the documentation explicitly states), we need to add the arguments to the file, otherwise our cluster will not initialize:
      cat /dev/null > /etc/sysconfig/kubelet
      
      cat <<EOF > /etc/sysconfig/kubelet
      KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
      EOF

    • Now we can enable the kubelet daemon:
      sudo systemctl enable --now kubelet
      

      To configure control-plane or worker nodes in a matter of minutes, you can use this script.

  3. It is time to initialize our cluster.
    • To initialize the cluster, run the command:
      kubeadm init --pod-network-cidr=10.244.0.0/16
      

      Be sure to write down the "kubeadm join…" cluster join command that you are offered at the end of the output, or at least the tokens it specifies.

    • Install the plugin (CNI) for the Pod network. I recommend using Calico. The more popular Flannel may have compatibility problems with nftables, and Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
      kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml 

    • To connect a worker node to our cluster, you need to configure it according to steps 1 and 2 of the instructions, or use the script, and then run the command from the "kubeadm init..." output that we wrote down in the previous step:
      kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN \
          --discovery-token-ca-cert-hash $TOKEN_HASH

    • Check that our cluster has been initialized and has started working:
      kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A
      

    Done! You can already host payloads on your K8s cluster.
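
The three nuances from steps 1 and 2 (the conmon path, cgroupDriver in config.yaml, and KUBELET_EXTRA_ARGS) can be checked against each other before running kubeadm init. The script below is an added example, not part of the original article or of either project; the function names are hypothetical, and it assumes crio.conf carries a `cgroup_manager` key next to `conmon`.

```sh
#!/bin/sh
# Added example (not from the article): consistency check for the CRI-O and
# kubelet settings from steps 1 and 2. Function names are hypothetical.

# Print the value of a `key = "value"` line from a crio.conf-style file.
crio_value() {  # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$2" | head -n 1
}

# Print cgroupDriver from a KubeletConfiguration YAML file.
kubelet_cgroup_driver() {  # $1 = file
    sed -n 's/^cgroupDriver:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1
}

# Print the value of one --flag=value pair from KUBELET_EXTRA_ARGS.
kubelet_arg() {  # $1 = flag name without dashes, $2 = file
    grep '^KUBELET_EXTRA_ARGS=' "$2" | tr ' ' '\n' |
        sed -n "s/^.*--$1=//p" | tr -d "'\"" | head -n 1
}

# Return 0 only if conmon exists where crio.conf says it does, CRI-O and
# kubelet agree on the cgroup driver, and kubelet targets a remote runtime.
check_runtime_config() {  # $1 = crio.conf, $2 = config.yaml, $3 = sysconfig/kubelet
    rc=0
    conmon=$(crio_value conmon "$1")
    crio_cg=$(crio_value cgroup_manager "$1")   # assumed key in crio.conf
    cfg_cg=$(kubelet_cgroup_driver "$2")
    arg_cg=$(kubelet_arg cgroup-driver "$3")
    runtime=$(kubelet_arg container-runtime "$3")
    endpoint=$(kubelet_arg container-runtime-endpoint "$3")
    [ -f "$conmon" ] || { echo "conmon not found: '$conmon'"; rc=1; }
    [ -n "$cfg_cg" ] && [ "$crio_cg" = "$cfg_cg" ] ||
        { echo "cgroup driver: crio='$crio_cg' kubelet config='$cfg_cg'"; rc=1; }
    [ "$arg_cg" = "$cfg_cg" ] ||
        { echo "cgroup driver: kubelet args='$arg_cg' config='$cfg_cg'"; rc=1; }
    [ "$runtime" = "remote" ] || { echo "container-runtime is '$runtime'"; rc=1; }
    case "$endpoint" in
        unix://*) ;;
        *) echo "unexpected runtime endpoint: '$endpoint'"; rc=1 ;;
    esac
    return "$rc"
}

# Run against real files only when three paths are given on the command line.
if [ "$#" -eq 3 ]; then check_runtime_config "$@"; fi
```

Called with /etc/crio/crio.conf, /var/lib/kubelet/config.yaml and /etc/sysconfig/kubelet as its three arguments, it prints each disagreement and exits non-zero if any is found.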

What awaits us ahead

I hope the instructions above helped you save some time and nerves.
The outcome of processes taking place in the industry often depends on how they are received by the bulk of end users and by developers of other software in the corresponding niche. It is not yet entirely clear what the OCI initiatives will lead to in a few years, but we will be watching with pleasure. You can share your opinion in the comments right now.

Attention!

This article appeared thanks to the following sources:



Source: www.habr.com
