CRI-O as a replacement for Docker as the Kubernetes runtime: setting it up on CentOS 8

Hi! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf aims not only to establish collaboration between specialists and to integrate work processes, but also to actively research and adopt current technologies, both in its own infrastructure and in the infrastructure of its customers.

Below I will talk a little about the changes in the container technology stack that we came across while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up a runtime environment for Kubernetes with it.


Why is Docker not included in CentOS 8?

After installing the latest major releases, RHEL 8 or CentOS 8, one cannot help but notice that these distributions and their official repositories do not contain the Docker application. It is replaced, both ideologically and functionally, by the packages Podman, Buildah (present in the distribution by default) and CRI-O. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.

The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they do not contradict the Linux philosophy (for example, the part that says each program should do one thing, whereas Docker is a kind of all-in-one combine). Second, they make it possible to eliminate all the existing shortcomings of the Docker software. Third, they are fully compatible with the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).

The shortcomings of Docker and the advantages of the new software have already been described in some detail in this article, and a detailed description of the whole software stack offered within the OCI project, together with its architectural features, can be found in the official documentation and in articles from Red Hat itself (not a bad article on the Red Hat blog) as well as in third-party reviews.

It is important to note what each component of the proposed stack does:

  • Podman - direct interaction with containers and image storage through the runC process;
  • Buildah - building images and pushing them to a registry;
  • CRI-O - a runtime for container orchestration systems (for example, Kubernetes).

To make the overall scheme of interaction between the components of the stack clear, it is useful to show here a diagram of how Kubernetes connects to runC and the low-level libraries by means of CRI-O:

[Diagram: Kubernetes connected to runC and the low-level libraries through CRI-O]

CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O coincide). Given the developers' focus on complete and comprehensive testing of this stack, this gives us the right to expect the highest achievable stability under any usage scenario (the relative lightness of CRI-O compared with Docker, a result of its deliberately limited functionality, also helps here).

When installing Kubernetes the "right way" (according to OCI, of course) with CRI-O on CentOS 8, we ran into a few minor difficulties, which we nevertheless overcame successfully. I will be glad to share the installation and configuration instructions with you; in total they will take about 10 minutes.

How to install Kubernetes on CentOS 8 using the CRI-O runtime

Prerequisites: one host (2 cores, 4 GB RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), as well as entries for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). And don't forget to disable swap.

We perform all operations on the host as the root user, so be careful.

  1. In the first step, we will set up the OS and install and configure the prerequisite dependencies for CRI-O.
    • Let's update the OS:
      dnf -y update
      

    • Next, you need to configure the firewall and SELinux. Here everything depends on the environment in which our host or hosts will work. You can either set up the firewall according to the recommendations from the documentation or, if you are in a trusted network or use a third-party firewall, change the default zone to trusted or turn the firewall off:
      firewall-cmd --set-default-zone trusted
      
      firewall-cmd --reload

      To turn the firewall off, you can use the following command:

      systemctl disable --now firewalld
      

      SELinux must be turned off or switched to "permissive" mode:

      setenforce 0
      
      sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

    • Load the required kernel modules and packages, and configure automatic loading of the "br_netfilter" module at system startup:
      modprobe overlay
      
      modprobe br_netfilter
      
      echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
      
      dnf -y install iproute-tc
      

    • To enable packet forwarding and correct traffic handling, we will make the appropriate settings:
      cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
      net.bridge.bridge-nf-call-iptables = 1
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      EOF
      

      Apply the settings we have made:

      sysctl --system

    • Set the required CRI-O version (the major version of CRI-O, as already mentioned, matches the required version of Kubernetes), since the latest stable version of Kubernetes is currently 1.18:
      export REQUIRED_VERSION=1.18
      

      Add the necessary repositories:

      dnf -y install 'dnf-command(copr)'
      
      dnf -y copr enable rhcontainerbot/container-selinux
      
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
      
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo

    • Now we can install CRI-O:
      dnf -y install cri-o
      

      Pay attention to the first nuance that we encounter during installation: you need to edit the CRI-O configuration before starting the service, because the required conmon component is located in a different place from the one specified:

      sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf

      Now you can enable and start the CRI-O daemon:

      systemctl enable --now crio
      

      You can check the status of the daemon:

      systemctl status crio
      

  2. Installing and activating Kubernetes.
    • Let's add the required repository:
      cat <<EOF > /etc/yum.repos.d/kubernetes.repo
      [kubernetes]
      name=Kubernetes
      baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
      enabled=1
      gpgcheck=1
      repo_gpgcheck=1
      gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
      exclude=kubelet kubeadm kubectl
      EOF
      

      Now we can install Kubernetes (version 1.18, as mentioned above):

      dnf install -y kubelet-1.18* kubeadm-1.18* kubectl-1.18* --disableexcludes=kubernetes

    • The second important nuance: since we are using the CRI-O daemon rather than the Docker daemon, before starting and initializing Kubernetes you need to make the appropriate settings in the configuration file /var/lib/kubelet/config.yaml, having first created the required directory:
      mkdir -p /var/lib/kubelet
      
      cat <<EOF > /var/lib/kubelet/config.yaml
      apiVersion: kubelet.config.k8s.io/v1beta1
      kind: KubeletConfiguration
      cgroupDriver: systemd
      EOF

    • The third important point that we encounter during installation: even though we have specified the cgroup driver to use, and configuring it through arguments passed to the kubelet is deprecated (as the documentation states explicitly), we need to add the arguments to the file, otherwise our cluster will not be initialized:
      cat /dev/null > /etc/sysconfig/kubelet
      
      cat <<EOF > /etc/sysconfig/kubelet
      KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
      EOF

    • Now we can enable the kubelet daemon:
      sudo systemctl enable --now kubelet
      

      To set up control-plane or worker nodes in minutes, you can use this script.

  3. It's time to initialize our cluster.
    • To initialize the cluster, run the command:
      kubeadm init --pod-network-cidr=10.244.0.0/16
      

      Be sure to write down the cluster join command "kubeadm join ...", which you are asked to use at the end of the output, or at least the tokens mentioned there.

    • Let's install the plugin (CNI) for the Pod network. I recommend using Calico. The perhaps more popular Flannel has compatibility issues with nftables, and Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
      kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml 

    • To connect a worker node to our cluster, you need to configure it according to steps 1 and 2 of the instructions, or use the script, and then run the command from the "kubeadm init..." output that we wrote down in the previous step:
      kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN \
          --discovery-token-ca-cert-hash $TOKEN_HASH

    • Let's check that our cluster has been initialized and has started working:
      kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A
      

    Done! You can now host payloads on your K8s cluster.
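
The three installation nuances above (the conmon path, the cgroup driver and the CRI-O socket) all come down to crio.conf and the kubelet settings agreeing with each other. The check below is an added example, not part of the original article: the function names are hypothetical, it assumes crio.conf carries the `listen`, `conmon` and `cgroup_manager` keys, and the sample files are constructed (with /bin/sh standing in for the conmon binary).

```sh
# Added example: cross-check crio.conf against the kubelet settings.

# toml_value FILE KEY: print the quoted value of KEY from crio.conf
toml_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | head -n 1
}

# yaml_value FILE KEY: print a top-level scalar from config.yaml
yaml_value() {
  sed -n "s/^$2:[[:space:]]*\\([^[:space:]#]*\\).*/\\1/p" "$1" | head -n 1
}

# kubelet_flag FILE NAME: print the value of --NAME=... in KUBELET_EXTRA_ARGS
kubelet_flag() {
  sed -n "s/^KUBELET_EXTRA_ARGS=.*--$2=\\([^ ]*\\).*/\\1/p" "$1" | tr -d "'\""
}

# audit CRIO_CONF KUBELET_YAML KUBELET_SYSCONFIG: print findings, return 1 on any
audit() {
  rc=0
  mgr=$(toml_value "$1" cgroup_manager)
  drv=$(yaml_value "$2" cgroupDriver)
  flag=$(kubelet_flag "$3" cgroup-driver)
  if [ "$mgr" != "$drv" ] || [ "$mgr" != "$flag" ]; then
    echo "cgroup driver mismatch: crio=$mgr config.yaml=$drv flag=$flag"; rc=1
  fi
  sock=$(toml_value "$1" listen)
  ep=$(kubelet_flag "$3" container-runtime-endpoint)
  if [ "$ep" != "unix://$sock" ]; then
    echo "kubelet endpoint '$ep' is not the CRI-O socket '$sock'"; rc=1
  fi
  conmon=$(toml_value "$1" conmon)
  if [ ! -x "$conmon" ]; then
    echo "conmon is not an executable file: '$conmon'"; rc=1
  fi
  return $rc
}

# sample DIR: write constructed copies of the three files (/bin/sh stands in for conmon)
sample() {
  printf '%s\n' '[crio.api]' 'listen = "/var/run/crio/crio.sock"' '[crio.runtime]' \
    'conmon = "/bin/sh"' 'cgroup_manager = "systemd"' > "$1/crio.conf"
  printf '%s\n' 'kind: KubeletConfiguration' 'cgroupDriver: systemd' > "$1/config.yaml"
  echo "KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd" \
    "--container-runtime-endpoint='unix:///var/run/crio/crio.sock'" > "$1/kubelet"
}

d=$(mktemp -d) && sample "$d" && audit "$d/crio.conf" "$d/config.yaml" "$d/kubelet" \
  && echo "constructed sample: consistent"
```

On a configured host, run `audit /etc/crio/crio.conf /var/lib/kubelet/config.yaml /etc/sysconfig/kubelet` before `kubeadm init`; any printed finding names the setting that disagrees.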

What lies ahead

I hope the instructions above have helped you save some time and nerves.
The outcome of processes taking place in the industry often depends on how they are received by the bulk of end users and by the developers of other software in the corresponding niche. It is not yet entirely clear where the OCI initiatives will lead in a few years, but we will watch with pleasure. You can share your opinion right now in the comments.

Stay tuned!

This article appeared thanks to the following sources:

  • The section on container runtimes in the Kubernetes documentation
  • The CRI-O project's page on the Internet
  • Red Hat blog articles: this one, this one and many others



Source: www.habr.com
