Ogow. turjumi: qoraaga maqaalka - Erkan Erol, oo ah injineer ka socda SAP - wuxuu wadaagayaa daraasaddiisa hababka shaqada kooxda. kubectl exec, aad u yaqaan qof kasta oo la shaqeeya Kubernetes. Waxa uu la socdaa algorithm oo dhan oo leh liisaska koodhka isha ee Kubernetes (iyo mashaariicda la xidhiidha), kuwaas oo kuu ogolaanaya inaad u fahamto mawduuca sida qoto dheer ee loo baahan yahay.
Maalin Jimce ah, ayaa nin aan wada shaqayno ii yimi oo weydiiyey sida loo fuliyo amar ku jira boodhka isagoo isticmaalaya . Uma jawaabi karin isaga oo si lama filaan ah u gartay in aanan waxba ka ogayn habka hawlgalka kubectl exec. Haa, waxaan lahaa fikrado gaar ah oo ku saabsan qaab-dhismeedkeeda, laakiin ma hubin 100% saxnimadooda sidaas darteed waxaan go'aansaday inaan wax ka qabto arrintan. Markii aan bartay blogs, dukumentiyada iyo koodhka isha, waxaan bartay waxyaabo badan oo cusub, maqaalkan waxaan rabaa inaan wadaago daahfurtayda iyo fahamkayga. Haddii ay wax khaldan yihiin, fadlan igala soo xidhiidh .
Tababarka
Si aan ugu abuurno kutlada MacBookga, waan xoojiyey . Kadibna waxaan saxay ciwaanada IP-yada ee qanjidhada kubelet config, maadaama goobaha caadiga ah aysan ogolayn kubectl exec. Waxaad wax badan ka akhriyi kartaa sababta ugu weyn ee tan .
- Baabuur kasta = MacBookgayga
- Master noode IP = 192.168.205.10
- noodhka shaqaalaha IP = 192.168.205.11
- Dekedda serverka API = 6443
Qeybaha
- kubectl habka fulintaMarka aan fulino "kubectl exec..." habka waa la bilaabayaa. Tan waxaa lagu samayn karaa mishiin kasta oo marin u leh server-ka K8s API. Ogow tarjumaad: Intaa waxaa dheer ee liisaska console-ka, qoraagu wuxuu adeegsadaa faallooyinka "mashiin kasta", isagoo tilmaamaya in amarrada soo socda lagu fulin karo mashiinnada noocaan ah ee marin u leh Kubernetes.
- : Qayb ku taal noode sare oo bixisa gelitaanka Kubernetes API. Tani waa jihada hore ee diyaaradda xakamaynta ee Kubernetes.
- : Wakiil ku socda meel kasta oo kutlada ah. Waxay hubisaa shaqada weelasha ku jira bacda.
- (Waqtiga konteenarada): Software ka masuulka ah socodsiinta weelasha. Tusaalooyinka: Docker, CRI-O, weel...
- Kernel: Kernel OS oo ku yaal noodhka shaqaalaha; waxay mas'uul ka tahay maareynta habka.
- bartilmaameed (bartilmaameed) weelka: weel ka mid ah boodhka oo ku socda mid ka mid ah qanjidhada shaqaalaha.
Waxa aan ogaaday
1. Dhaqdhaqaaq dhinaca macmiilka ah
Ku samee boodh meel magaceed ah default:
// any machine
$ kubectl run exec-test-nginx --image=nginxKa dib waxaan fulineynaa amarka exec oo sugeynaa 5000 ilbiriqsi si loo eego dheeraad ah:
// any machine
$ kubectl exec -it exec-test-nginx-6558988d5-fgxgg -- sh
# sleep 5000Habka kubectl wuxuu u muuqdaa (oo leh pid=8507 kiiskeena):
// any machine
$ ps -ef |grep kubectl
501 8507 8409 0 7:19PM ttys000 0:00.13 kubectl exec -it exec-test-nginx-6558988d5-fgxgg -- shHaddii aan hubinno dhaqdhaqaaqa shabakadda ee habka, waxaan ogaan doonaa inay xiriir la leedahay api-server (192.168.205.10.6443):
// any machine
$ netstat -atnv |grep 8507
tcp4 0 0 192.168.205.1.51673 192.168.205.10.6443 ESTABLISHED 131072 131768 8507 0 0x0102 0x00000020
tcp4 0 0 192.168.205.1.51672 192.168.205.10.6443 ESTABLISHED 131072 131768 8507 0 0x0102 0x00000028Aan eegno koodka. Kubectl wuxuu ku abuuraa codsi POST ilaha hoose ee fulinta wuxuuna soo diraa codsi REST:
req := restClient.Post().
Resource("pods").
Name(pod.Name).
Namespace(pod.Namespace).
SubResource("exec")
req.VersionedParams(&corev1.PodExecOptions{
Container: containerName,
Command: p.Command,
Stdin: p.Stdin,
Stdout: p.Out != nil,
Stderr: p.ErrOut != nil,
TTY: t.Raw,
}, scheme.ParameterCodec)
return p.Executor.Execute("POST", req.URL(), p.Config, p.In, p.Out, p.ErrOut, t.Raw, sizeQueue)()
2. Dhaqdhaqaaqa dhinaca noodhka sare
Waxaan sidoo kale ilaalin karnaa codsiga dhinaca api-server:
handler.go:143] kube-apiserver: POST "/api/v1/namespaces/default/pods/exec-test-nginx-6558988d5-fgxgg/exec" satisfied by gorestful with webservice /api/v1
upgradeaware.go:261] Connecting to backend proxy (intercepting redirects) https://192.168.205.11:10250/exec/default/exec-test-nginx-6558988d5-fgxgg/exec-test-nginx?command=sh&input=1&output=1&tty=1
Headers: map[Connection:[Upgrade] Content-Length:[0] Upgrade:[SPDY/3.1] User-Agent:[kubectl/v1.12.10 (darwin/amd64) kubernetes/e3c1340] X-Forwarded-For:[192.168.205.1] X-Stream-Protocol-Version:[v4.channel.k8s.io v3.channel.k8s.io v2.channel.k8s.io channel.k8s.io]]Ogow in codsiga HTTP uu ku jiro codsiga beddelka borotokoolka. Waxay kuu ogolaanaysaa inaad ku dhufato stdin/stdout/stderr/spdy-error " durdurrada" ee hal xiriir TCP ah.
Adeegaha API wuxuu helayaa codsiga wuxuuna u rogaa PodExecOptions:
// PodExecOptions is the query options to a Pod's remote exec call
type PodExecOptions struct {
metav1.TypeMeta
// Stdin if true indicates that stdin is to be redirected for the exec call
Stdin bool
// Stdout if true indicates that stdout is to be redirected for the exec call
Stdout bool
// Stderr if true indicates that stderr is to be redirected for the exec call
Stderr bool
// TTY if true indicates that a tty will be allocated for the exec call
TTY bool
// Container in which to execute the command.
Container string
// Command is the remote command to execute; argv array; not executed within a shell.
Command []string
}()
Si loo fuliyo ficilada loo baahan yahay, api-server waa in uu ogaadaa boodhka uu u baahan yahay in lala xidhiidho:
// ExecLocation returns the exec URL for a pod container. If opts.Container is blank
// and only one container is present in the pod, that container is used.
func ExecLocation(
getter ResourceGetter,
connInfo client.ConnectionInfoGetter,
ctx context.Context,
name string,
opts *api.PodExecOptions,
) (*url.URL, http.RoundTripper, error) {
return streamLocation(getter, connInfo, ctx, name, opts, opts.Container, "exec")
}()
Dabcan, xogta ku saabsan barta dhamaadka waxaa laga soo qaatay macluumaadka ku saabsan noodhka:
nodeName := types.NodeName(pod.Spec.NodeName)
if len(nodeName) == 0 {
// If pod has not been assigned a host, return an empty location
return nil, nil, errors.NewBadRequest(fmt.Sprintf("pod %s does not have a host assigned", name))
}
nodeInfo, err := connInfo.GetConnectionInfo(ctx, nodeName)()
Hooray! Kubeletku hadda wuxuu leeyahay deked (node.Status.DaemonEndpoints.KubeletEndpoint.Port), kaas oo Server-ku API ku xidhi karo:
// GetConnectionInfo retrieves connection info from the status of a Node API object.
func (k *NodeConnectionInfoGetter) GetConnectionInfo(ctx context.Context, nodeName types.NodeName) (*ConnectionInfo, error) {
node, err := k.nodes.Get(ctx, string(nodeName), metav1.GetOptions{})
if err != nil {
return nil, err
}
// Find a kubelet-reported address, using preferred address type
host, err := nodeutil.GetPreferredNodeAddress(node, k.preferredAddressTypes)
if err != nil {
return nil, err
}
// Use the kubelet-reported port, if present
port := int(node.Status.DaemonEndpoints.KubeletEndpoint.Port)
if port <= 0 {
port = k.defaultPort
}
return &ConnectionInfo{
Scheme: k.scheme,
Hostname: host,
Port: strconv.Itoa(port),
Transport: k.transport,
}, nil
}()
Laga soo bilaabo dukumentiyada :
Xidhiidhadan waxa lagu sameeyay barta HTTPS ee kubelet. Sida caadiga ah, apiserver ma xaqiijiso shahaadada kubelet, taas oo ka dhigaysa isku xidhka mid u nugul weerarada man-in-the-dhexe (MITM) iyo aan ammaan ahayn Ka shaqaynta shabakadaha aan la isku halayn karin iyo/ama dadweynaha.
Hadda server-ka API wuu yaqaan barta ugu dambeysa wuxuuna dejiyaa xiriirka:
// Connect returns a handler for the pod exec proxy
func (r *ExecREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {
execOpts, ok := opts.(*api.PodExecOptions)
if !ok {
return nil, fmt.Errorf("invalid options object: %#v", opts)
}
location, transport, err := pod.ExecLocation(r.Store, r.KubeletConn, ctx, name, execOpts)
if err != nil {
return nil, err
}
return newThrottledUpgradeAwareProxyHandler(location, transport, false, true, true, responder), nil
}()
Aan aragno waxa ka dhacaya santuuqa sayidkiisa.
Marka hore, waxaan ogaanay IP-ga noodhka shaqaalaha. Xaaladeena waa 192.168.205.11:
// any machine
$ kubectl get nodes k8s-node-1 -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node-1 Ready <none> 9h v1.15.3 192.168.205.11 <none> Ubuntu 16.04.6 LTS 4.4.0-159-generic docker://17.3.3Ka dib dhig dekedda kubelet (10250 kiiskeena):
// any machine
$ kubectl get nodes k8s-node-1 -o jsonpath='{.status.daemonEndpoints.kubeletEndpoint}'
map[Port:10250]
Hadda waa waqtigii la hubin lahaa shabakada Ma jiraa xidhiidh la leh noodhka shaqaalaha (192.168.205.11)? Waa! Haddii aad disho hab exec, way baaba'aysaa, markaa waxaan ogahay in xidhiidhka uu sameeyay api-server taasoo ka dhalatay amarka fulinta ee la fuliyay.
// master node
$ netstat -atn |grep 192.168.205.11
tcp 0 0 192.168.205.10:37870 192.168.205.11:10250 ESTABLISHED
β¦
Xidhiidhka ka dhexeeya kubectl iyo api-server wali waa furan yahay. Intaa waxaa dheer, waxaa jira xiriir kale oo isku xira api-server iyo kubelet.
3. Dhaqdhaqaaqa qanjidhka shaqaalaha
Hadda aynu ku xidhno noodhka shaqaalaha oo aynu aragno waxa ka dhacaya.
Ugu horreyntii, waxaan aragnaa in isku xirka iyada oo sidoo kale la aasaasay (khadka labaad); 192.168.205.10 waa IP-ga noode-ga sare:
// worker node
$ netstat -atn |grep 10250
tcp6 0 0 :::10250 :::* LISTEN
tcp6 0 0 192.168.205.11:10250 192.168.205.10:37870 ESTABLISHED
Ka warran kooxdayada sleep? Hurray, iyaduna way joogtaa!
// worker node
$ ps -afx
...
31463 ? Sl 0:00 _ docker-containerd-shim 7d974065bbb3107074ce31c51f5ef40aea8dcd535ae11a7b8f2dd180b8ed583a /var/run/docker/libcontainerd/7d974065bbb3107074ce31c51
31478 pts/0 Ss 0:00 _ sh
31485 pts/0 S+ 0:00 _ sleep 5000
β¦Laakiin sug: sidee buu kubelet kan u saaray? Kubelet-ku wuxuu leeyahay daemon kaas oo siiya marin u hel API-ga iyada oo loo marayo dekedda codsiyada api-server:
// Server is the library interface to serve the stream requests.
type Server interface {
http.Handler
// Get the serving URL for the requests.
// Requests must not be nil. Responses may be nil iff an error is returned.
GetExec(*runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error)
GetAttach(req *runtimeapi.AttachRequest) (*runtimeapi.AttachResponse, error)
GetPortForward(*runtimeapi.PortForwardRequest) (*runtimeapi.PortForwardResponse, error)
// Start the server.
// addr is the address to serve on (address:port) stayUp indicates whether the server should
// listen until Stop() is called, or automatically stop after all expected connections are
// closed. Calling Get{Exec,Attach,PortForward} increments the expected connection count.
// Function does not return until the server is stopped.
Start(stayUp bool) error
// Stop the server, and terminate any open connections.
Stop() error
}()
Kubelet wuxuu xisaabiyaa jawaabta jawaabta codsiyada fulinta:
func (s *server) GetExec(req *runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error) {
if err := validateExecRequest(req); err != nil {
return nil, err
}
token, err := s.cache.Insert(req)
if err != nil {
return nil, err
}
return &runtimeapi.ExecResponse{
Url: s.buildURL("exec", token),
}, nil
}()
Ha isku wareerin. Ma soo celiso natiijada amarka, laakiin barta ugu dambeysa ee isgaarsiinta:
type ExecResponse struct {
// Fully qualified URL of the exec streaming server.
Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_sizecache int32 `json:"-"`
}()
Kubelet waxa ay fulisaa interface-ka RuntimeServiceClient, taas oo qayb ka ah Interface-ka Runtime Container (wax badan ayaan ka qornay, tusaale ahaan, - qiyaastii. turjumi.):
Liiska dheer ee cri-api ee kubernetes/kubernetes
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type RuntimeServiceClient interface {
// Version returns the runtime name, runtime version, and runtime API version.
Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error)
// RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
// the sandbox is in the ready state on success.
RunPodSandbox(ctx context.Context, in *RunPodSandboxRequest, opts ...grpc.CallOption) (*RunPodSandboxResponse, error)
// StopPodSandbox stops any running process that is part of the sandbox and
// reclaims network resources (e.g., IP addresses) allocated to the sandbox.
// If there are any running containers in the sandbox, they must be forcibly
// terminated.
// This call is idempotent, and must not return an error if all relevant
// resources have already been reclaimed. kubelet will call StopPodSandbox
// at least once before calling RemovePodSandbox. It will also attempt to
// reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
// multiple StopPodSandbox calls are expected.
StopPodSandbox(ctx context.Context, in *StopPodSandboxRequest, opts ...grpc.CallOption) (*StopPodSandboxResponse, error)
// RemovePodSandbox removes the sandbox. If there are any running containers
// in the sandbox, they must be forcibly terminated and removed.
// This call is idempotent, and must not return an error if the sandbox has
// already been removed.
RemovePodSandbox(ctx context.Context, in *RemovePodSandboxRequest, opts ...grpc.CallOption) (*RemovePodSandboxResponse, error)
// PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
// present, returns an error.
PodSandboxStatus(ctx context.Context, in *PodSandboxStatusRequest, opts ...grpc.CallOption) (*PodSandboxStatusResponse, error)
// ListPodSandbox returns a list of PodSandboxes.
ListPodSandbox(ctx context.Context, in *ListPodSandboxRequest, opts ...grpc.CallOption) (*ListPodSandboxResponse, error)
// CreateContainer creates a new container in specified PodSandbox
CreateContainer(ctx context.Context, in *CreateContainerRequest, opts ...grpc.CallOption) (*CreateContainerResponse, error)
// StartContainer starts the container.
StartContainer(ctx context.Context, in *StartContainerRequest, opts ...grpc.CallOption) (*StartContainerResponse, error)
// StopContainer stops a running container with a grace period (i.e., timeout).
// This call is idempotent, and must not return an error if the container has
// already been stopped.
// TODO: what must the runtime do after the grace period is reached?
StopContainer(ctx context.Context, in *StopContainerRequest, opts ...grpc.CallOption) (*StopContainerResponse, error)
// RemoveContainer removes the container. If the container is running, the
// container must be forcibly removed.
// This call is idempotent, and must not return an error if the container has
// already been removed.
RemoveContainer(ctx context.Context, in *RemoveContainerRequest, opts ...grpc.CallOption) (*RemoveContainerResponse, error)
// ListContainers lists all containers by filters.
ListContainers(ctx context.Context, in *ListContainersRequest, opts ...grpc.CallOption) (*ListContainersResponse, error)
// ContainerStatus returns status of the container. If the container is not
// present, returns an error.
ContainerStatus(ctx context.Context, in *ContainerStatusRequest, opts ...grpc.CallOption) (*ContainerStatusResponse, error)
// UpdateContainerResources updates ContainerConfig of the container.
UpdateContainerResources(ctx context.Context, in *UpdateContainerResourcesRequest, opts ...grpc.CallOption) (*UpdateContainerResourcesResponse, error)
// ReopenContainerLog asks runtime to reopen the stdout/stderr log file
// for the container. This is often called after the log file has been
// rotated. If the container is not running, container runtime can choose
// to either create a new log file and return nil, or return an error.
// Once it returns error, new container log file MUST NOT be created.
ReopenContainerLog(ctx context.Context, in *ReopenContainerLogRequest, opts ...grpc.CallOption) (*ReopenContainerLogResponse, error)
// ExecSync runs a command in a container synchronously.
ExecSync(ctx context.Context, in *ExecSyncRequest, opts ...grpc.CallOption) (*ExecSyncResponse, error)
// Exec prepares a streaming endpoint to execute a command in the container.
Exec(ctx context.Context, in *ExecRequest, opts ...grpc.CallOption) (*ExecResponse, error)
// Attach prepares a streaming endpoint to attach to a running container.
Attach(ctx context.Context, in *AttachRequest, opts ...grpc.CallOption) (*AttachResponse, error)
// PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
PortForward(ctx context.Context, in *PortForwardRequest, opts ...grpc.CallOption) (*PortForwardResponse, error)
// ContainerStats returns stats of the container. If the container does not
// exist, the call returns an error.
ContainerStats(ctx context.Context, in *ContainerStatsRequest, opts ...grpc.CallOption) (*ContainerStatsResponse, error)
// ListContainerStats returns stats of all running containers.
ListContainerStats(ctx context.Context, in *ListContainerStatsRequest, opts ...grpc.CallOption) (*ListContainerStatsResponse, error)
// UpdateRuntimeConfig updates the runtime configuration based on the given request.
UpdateRuntimeConfig(ctx context.Context, in *UpdateRuntimeConfigRequest, opts ...grpc.CallOption) (*UpdateRuntimeConfigResponse, error)
// Status returns the status of the runtime.
Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
}
()
Waxay si fudud u isticmaashaa gRPC si ay ugu wacdo habka iyada oo loo marayo Interface Runtime Container:
type runtimeServiceClient struct {
cc *grpc.ClientConn
}()
func (c *runtimeServiceClient) Exec(ctx context.Context, in *ExecRequest, opts ...grpc.CallOption) (*ExecResponse, error) {
out := new(ExecResponse)
err := c.cc.Invoke(ctx, "/runtime.v1alpha2.RuntimeService/Exec", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}()
Kontaynarada Runtime-ga ayaa mas'uul ka ah hirgelinta RuntimeServiceServer:
Liiska dheer ee cri-api ee kubernetes/kubernetes
// RuntimeServiceServer is the server API for RuntimeService service.
type RuntimeServiceServer interface {
// Version returns the runtime name, runtime version, and runtime API version.
Version(context.Context, *VersionRequest) (*VersionResponse, error)
// RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
// the sandbox is in the ready state on success.
RunPodSandbox(context.Context, *RunPodSandboxRequest) (*RunPodSandboxResponse, error)
// StopPodSandbox stops any running process that is part of the sandbox and
// reclaims network resources (e.g., IP addresses) allocated to the sandbox.
// If there are any running containers in the sandbox, they must be forcibly
// terminated.
// This call is idempotent, and must not return an error if all relevant
// resources have already been reclaimed. kubelet will call StopPodSandbox
// at least once before calling RemovePodSandbox. It will also attempt to
// reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
// multiple StopPodSandbox calls are expected.
StopPodSandbox(context.Context, *StopPodSandboxRequest) (*StopPodSandboxResponse, error)
// RemovePodSandbox removes the sandbox. If there are any running containers
// in the sandbox, they must be forcibly terminated and removed.
// This call is idempotent, and must not return an error if the sandbox has
// already been removed.
RemovePodSandbox(context.Context, *RemovePodSandboxRequest) (*RemovePodSandboxResponse, error)
// PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
// present, returns an error.
PodSandboxStatus(context.Context, *PodSandboxStatusRequest) (*PodSandboxStatusResponse, error)
// ListPodSandbox returns a list of PodSandboxes.
ListPodSandbox(context.Context, *ListPodSandboxRequest) (*ListPodSandboxResponse, error)
// CreateContainer creates a new container in specified PodSandbox
CreateContainer(context.Context, *CreateContainerRequest) (*CreateContainerResponse, error)
// StartContainer starts the container.
StartContainer(context.Context, *StartContainerRequest) (*StartContainerResponse, error)
// StopContainer stops a running container with a grace period (i.e., timeout).
// This call is idempotent, and must not return an error if the container has
// already been stopped.
// TODO: what must the runtime do after the grace period is reached?
StopContainer(context.Context, *StopContainerRequest) (*StopContainerResponse, error)
// RemoveContainer removes the container. If the container is running, the
// container must be forcibly removed.
// This call is idempotent, and must not return an error if the container has
// already been removed.
RemoveContainer(context.Context, *RemoveContainerRequest) (*RemoveContainerResponse, error)
// ListContainers lists all containers by filters.
ListContainers(context.Context, *ListContainersRequest) (*ListContainersResponse, error)
// ContainerStatus returns status of the container. If the container is not
// present, returns an error.
ContainerStatus(context.Context, *ContainerStatusRequest) (*ContainerStatusResponse, error)
// UpdateContainerResources updates ContainerConfig of the container.
UpdateContainerResources(context.Context, *UpdateContainerResourcesRequest) (*UpdateContainerResourcesResponse, error)
// ReopenContainerLog asks runtime to reopen the stdout/stderr log file
// for the container. This is often called after the log file has been
// rotated. If the container is not running, container runtime can choose
// to either create a new log file and return nil, or return an error.
// Once it returns error, new container log file MUST NOT be created.
ReopenContainerLog(context.Context, *ReopenContainerLogRequest) (*ReopenContainerLogResponse, error)
// ExecSync runs a command in a container synchronously.
ExecSync(context.Context, *ExecSyncRequest) (*ExecSyncResponse, error)
// Exec prepares a streaming endpoint to execute a command in the container.
Exec(context.Context, *ExecRequest) (*ExecResponse, error)
// Attach prepares a streaming endpoint to attach to a running container.
Attach(context.Context, *AttachRequest) (*AttachResponse, error)
// PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
PortForward(context.Context, *PortForwardRequest) (*PortForwardResponse, error)
// ContainerStats returns stats of the container. If the container does not
// exist, the call returns an error.
ContainerStats(context.Context, *ContainerStatsRequest) (*ContainerStatsResponse, error)
// ListContainerStats returns stats of all running containers.
ListContainerStats(context.Context, *ListContainerStatsRequest) (*ListContainerStatsResponse, error)
// UpdateRuntimeConfig updates the runtime configuration based on the given request.
UpdateRuntimeConfig(context.Context, *UpdateRuntimeConfigRequest) (*UpdateRuntimeConfigResponse, error)
// Status returns the status of the runtime.
Status(context.Context, *StatusRequest) (*StatusResponse, error)
}
()
Hadday sidaas tahay, waa inaan aragnaa xidhiidhka ka dhexeeya kubelet iyo wakhtiga weelka, sax? Aan hubinno.
Ku socodsii amarkan ka hor iyo ka dib amarka fulinta oo fiiri kala duwanaanshaha. Xaalkayga farqigu waa:
// worker node
$ ss -a -p |grep kubelet
...
u_str ESTAB 0 0 * 157937 * 157387 users:(("kubelet",pid=5714,fd=33))
...Hmmm Maxay noqon kartaa? Taasi waa sax, waa Docker (pid=5714)!
// worker node
$ ss -a -p |grep 157387
...
u_str ESTAB 0 0 * 157937 * 157387 users:(("kubelet",pid=5714,fd=33))
u_str ESTAB 0 0 /var/run/docker.sock 157387 * 157937 users:(("dockerd",pid=1186,fd=14))
...Sida aad xasuusato, kani waa habka daemon-ka docker (pid=1186) kaas oo fuliya amarkeena:
// worker node
$ ps -afx
...
1186 ? Ssl 0:55 /usr/bin/dockerd -H fd://
17784 ? Sl 0:00 _ docker-containerd-shim 53a0a08547b2f95986402d7f3b3e78702516244df049ba6c5aa012e81264aa3c /var/run/docker/libcontainerd/53a0a08547b2f95986402d7f3
17801 pts/2 Ss 0:00 _ sh
17827 pts/2 S+ 0:00 _ sleep 5000
...4. Hawsha ku jirta wakhtiga uu socdo weelka
Aan baarno koodhka isha CRI-O si aan u fahanno waxa socda. Docker caqligu waa la mid.
Waxaa jira adeege ka mas'uul ah hirgelinta RuntimeServiceServer:
// Server implements the RuntimeService and ImageService
type Server struct {
config libconfig.Config
seccompProfile *seccomp.Seccomp
stream StreamService
netPlugin ocicni.CNIPlugin
hostportManager hostport.HostPortManager
appArmorProfile string
hostIP string
bindAddress string
*lib.ContainerServer
monitorsChan chan struct{}
defaultIDMappings *idtools.IDMappings
systemContext *types.SystemContext // Never nil
updateLock sync.RWMutex
seccompEnabled bool
appArmorEnabled bool
}()
// Exec prepares a streaming endpoint to execute a command in the container.
func (s *Server) Exec(ctx context.Context, req *pb.ExecRequest) (resp *pb.ExecResponse, err error) {
const operation = "exec"
defer func() {
recordOperation(operation, time.Now())
recordError(operation, err)
}()
resp, err = s.getExec(req)
if err != nil {
return nil, fmt.Errorf("unable to prepare exec endpoint: %v", err)
}
return resp, nil
}()
Dhammaadka silsiladda, wakhtiga ku-meel-gaadhka weelku waxa uu fulinayaa amarka budhka shaqaalaha:
// ExecContainer prepares a streaming endpoint to execute a command in the container.
func (r *runtimeOCI) ExecContainer(c *Container, cmd []string, stdin io.Reader, stdout, stderr io.WriteCloser, tty bool, resize <-chan remotecommand.TerminalSize) error {
processFile, err := prepareProcessExec(c, cmd, tty)
if err != nil {
return err
}
defer os.RemoveAll(processFile.Name())
args := []string{rootFlag, r.root, "exec"}
args = append(args, "--process", processFile.Name(), c.ID())
execCmd := exec.Command(r.path, args...)
if v, found := os.LookupEnv("XDG_RUNTIME_DIR"); found {
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", v))
}
var cmdErr, copyError error
if tty {
cmdErr = ttyCmd(execCmd, stdin, stdout, resize)
} else {
if stdin != nil {
// Use an os.Pipe here as it returns true *os.File objects.
// This way, if you run 'kubectl exec <pod> -i bash' (no tty) and type 'exit',
// the call below to execCmd.Run() can unblock because its Stdin is the read half
// of the pipe.
r, w, err := os.Pipe()
if err != nil {
return err
}
go func() { _, copyError = pools.Copy(w, stdin) }()
execCmd.Stdin = r
}
if stdout != nil {
execCmd.Stdout = stdout
}
if stderr != nil {
execCmd.Stderr = stderr
}
cmdErr = execCmd.Run()
}
if copyError != nil {
return copyError
}
if exitErr, ok := cmdErr.(*exec.ExitError); ok {
return &utilexec.ExitErrorWrapper{ExitError: exitErr}
}
return cmdErr
}()
Ugu dambeyntii, kernel-ku wuxuu fuliyaa amarada:
Xusuusin
- Server-ka API waxa kale oo uu bilaabi karaa xidhiidhka kubelet.
- Xidhiidhada soo socdaa way sii jiraan ilaa uu ka dhamaado kalfadhiga fulinta isdhexgalka:
- inta u dhaxaysa kubectl iyo api-server;
- inta u dhaxaysa api-server iyo kubectl;
- inta u dhaxaysa kubelet iyo wakhtiga weelka.
- Kubectl ama api-server waxba kuma socodsiin karaan qanjidhada shaqaalaha. Kubelet-ku wuu ordi karaa, laakiin sidoo kale waxa uu la falgalaa wakhtiga weelka si uu u sameeyo waxyaalahaas.
Khayraadka
- dood"" kubernetes-dev;
- Maqaalka";
- dood""Ciladka Server-ka.
PS ka turjumaan
Sidoo kale ka akhri boggayaga:
- "Maxaa ku dhacaya Kubernetes marka aad ordo kubectl run?" ΠΈ ;
- Β«";
- Β«";
- Β«".
Source: www.habr.com