Hello! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf focuses not only on establishing collaboration between specialists and integrating work processes, but also on actively researching and implementing current technologies, both in its own infrastructure and in customers' infrastructure.
Below I will talk a little about the changes in the container technology stack that we encountered while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up an execution environment for Kubernetes.
Why is Docker not included in CentOS 8?
After installing the latest major release of RHEL 8 or CentOS 8, one cannot help but notice that the distribution and the official repositories do not contain the Docker application. It is replaced, ideologically and functionally, by the packages Podman, Buildah (present in the distribution by default) and CRI-O. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.
The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they do not contradict the Linux philosophy (for example, the part where each program should perform one action, while Docker is a kind of all-in-one combine). Second, they can eliminate all the existing shortcomings of the Docker software. Third, they will be fully compatible with the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).
The shortcomings of Docker and the advantages of the new software have already been described in some detail in
It is important to note which functionality each component of the proposed stack provides:
- Podman - direct interaction with containers and image storage through the runC process;
- Buildah - building images and uploading them to a registry;
- CRI-O - an execution environment for container orchestration systems (for example, Kubernetes).
I think that, to understand the general scheme of interaction between the components of the stack, it is worth giving here a diagram of the connections between Kubernetes, runC and the low-level libraries when CRI-O is used:
CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O match). Taking into account the developers' focus on complete and comprehensive testing of this stack, this gives us the right to expect the maximum achievable stability under any usage scenario (the relative lightness of CRI-O compared to Docker, a result of its purposefully limited functionality, also helps here).
When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into a few minor difficulties, which, however, we successfully overcame. I will gladly share the installation and configuration instructions with you; in total they will take about 10 minutes.
How to deploy Kubernetes on CentOS 8 with the CRI-O runtime
Prerequisites: at least one host (2 cores, 4 GB RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), as well as entries for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). And do not forget
We perform all operations on the host as the root user, so be careful.
- In the first step, we will set up the OS and install and configure the preliminary dependencies for CRI-O.
- Update the OS:
dnf -y update
- Next, configure the firewall and SELinux. Here everything depends on the environment in which our host or hosts will run. You can either configure the firewall according to the recommendations from the documentation or, if you are on a trusted network or use a third-party firewall, change the default zone to trusted or turn off the firewall:
firewall-cmd --set-default-zone trusted
firewall-cmd --reload
To turn off the firewall, you can use the following command:
systemctl disable --now firewalld
SELinux must be turned off or switched to "permissive" mode:
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
- Load the required kernel modules and packages, and configure the "br_netfilter" module to load automatically at system startup:
modprobe overlay
modprobe br_netfilter
echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
dnf -y install iproute-tc
- To enable packet forwarding and correct traffic processing, make the appropriate settings:
cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
Apply the settings:
sysctl --system
- Set the required CRI-O version (the major version of CRI-O, as already mentioned, must match the required Kubernetes version). The latest stable version of Kubernetes is currently 1.18:
export REQUIRED_VERSION=1.18
Add the required repositories:
dnf -y install 'dnf-command(copr)'
dnf -y copr enable rhcontainerbot/container-selinux
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo
- Now we can install CRI-O:
dnf -y install cri-o
Note the first nuance we encounter during installation: you must edit the CRI-O configuration before starting the service, because the required conmon component is in a different location than the one specified:
sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf
Now you can enable and start the CRI-O daemon:
systemctl enable --now crio
You can check the status of the daemon:
systemctl status crio
- Installing and enabling Kubernetes.
- Add the required repository:
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
Now we can install Kubernetes (version 1.18, as mentioned above):
dnf install -y kubelet-1.18* kubeadm-1.18* kubectl-1.18* --disableexcludes=kubernetes
- The second important nuance: since we are using the CRI-O daemon rather than the Docker daemon, before launching and initializing Kubernetes you need to put the appropriate settings into the configuration file /var/lib/kubelet/config.yaml, first creating the required directory:
mkdir /var/lib/kubelet
cat <<EOF > /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF
- The third important point we encounter during installation: although we have specified the cgroup driver to use, and configuring it through arguments passed to the kubelet is deprecated (as the documentation states explicitly), we still need to add the arguments to the file, otherwise our cluster will not initialize:
cat /dev/null > /etc/sysconfig/kubelet
cat <<EOF > /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
EOF
- Now we can enable the kubelet daemon:
sudo systemctl enable --now kubelet
To set up control-plane or worker nodes in minutes, you can use this script.
- Time to initialize our cluster.
- To initialize the cluster, run the command:
kubeadm init --pod-network-cidr=10.244.0.0/16
Be sure to write down the cluster join command "kubeadm join ...", which you are prompted to use at the end of the output, or at least the tokens shown there.
- Install the Pod network plugin (CNI). I recommend using Calico. The possibly more popular Flannel has compatibility issues with nftables, and Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
- To connect a worker node to our cluster, configure it according to steps 1 and 2 of these instructions (OS and CRI-O preparation, then Kubernetes installation), or use the script, then run the command from the "kubeadm init..." output that we wrote down in the previous step:
kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN --discovery-token-ca-cert-hash $TOKEN_HASH
- Check that our cluster has been initialized and has started working:
kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A
Done! You can now host payloads on your K8s cluster.
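The three nuances singled out above (the conmon path, the kubelet cgroup driver, and the CRI-O socket in KUBELET_EXTRA_ARGS), together with the sysctl and module files, can be checked in one pass before running kubeadm init or kubeadm join. The script below is an added example, not part of the original article; the function names and the ROOT-prefix argument are assumptions made here, and it reads only the files written in the steps above.

```shell
#!/bin/sh
# Added example: audit the files written by the walkthrough above.
# ROOT is "" for the live node, or a directory holding a copy of its files.

# Last value assigned to KEY in a sysctl-style "key = value" file.
sysctl_value() {  # $1=file $2=key
    awk -F= -v k="$2" '{ gsub(/[ \t]/, "") } $1 == k { v = $2 } END { print v }' "$1" 2>/dev/null
}

# Path set by the line: conmon = "/path" (conmon_cgroup etc. do not match).
crio_conmon_path() {  # $1=crio.conf
    sed -n 's/^[[:space:]]*conmon[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# cgroupDriver from the KubeletConfiguration YAML.
kubelet_cgroup_driver() {  # $1=config.yaml
    sed -n 's/^cgroupDriver:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Value of --FLAG=... in KUBELET_EXTRA_ARGS, with quotes stripped.
kubelet_flag() {  # $1=/etc/sysconfig/kubelet $2=flag name
    grep '^KUBELET_EXTRA_ARGS=' "$1" 2>/dev/null | tr ' ' '\n' |
        sed -n "s/^.*--$2=//p" | tr -d "'\"" | tail -n 1
}

# Print one FAIL line per mismatch; exit status 0 only if nothing failed.
audit_node() (  # $1=ROOT; runs in a subshell so its variables stay local
    r=$1; rc=0
    fail() { echo "FAIL $*"; rc=1; }
    for k in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
        [ "$(sysctl_value "$r/etc/sysctl.d/99-kubernetes-cri.conf" "$k")" = 1 ] || fail "sysctl $k is not 1"
    done
    grep -qx br_netfilter "$r/etc/modules-load.d/br_netfilter.conf" 2>/dev/null ||
        fail "br_netfilter is not loaded at boot"
    conmon=$(crio_conmon_path "$r/etc/crio/crio.conf")
    { [ -n "$conmon" ] && [ -x "$r$conmon" ]; } || fail "conmon '$conmon' is missing or not executable"
    drv=$(kubelet_cgroup_driver "$r/var/lib/kubelet/config.yaml")
    [ "$drv" = systemd ] || fail "config.yaml cgroupDriver is '$drv', expected systemd"
    [ "$(kubelet_flag "$r/etc/sysconfig/kubelet" cgroup-driver)" = "$drv" ] ||
        fail "--cgroup-driver differs from config.yaml"
    [ "$(kubelet_flag "$r/etc/sysconfig/kubelet" container-runtime-endpoint)" = unix:///var/run/crio/crio.sock ] ||
        fail "kubelet is not pointed at the CRI-O socket"
    exit "$rc"
)

# With an argument, audit that root: "" for the live node, or a directory.
if [ "$#" -gt 0 ]; then audit_node "$1"; fi
```

Saved under a name of your choice (audit-node.sh is used here only as a placeholder), `sh audit-node.sh ""` audits the node itself; it prints nothing and exits 0 when every file matches.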
What awaits us ahead
I hope the instructions above have helped you save some time and nerves.
The outcome of processes in the industry often depends on how they are received by the bulk of end users and by developers of other software in the corresponding niche. It is not yet entirely clear where the OCI initiatives will lead in a few years, but we will watch with pleasure. You can share your opinion right now in the comments.
Stay tuned!
This article appeared thanks to the following sources:
- The section on container runtimes in the Kubernetes documentation
- The CRI-O project page on the Internet
- Red Hat blog articles: this one, this one and many others
Source: www.habr.com