CRI-O as a replacement for Docker as the container runtime for Kubernetes: setup on CentOS 8

Hello! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf aims not only to establish interaction between specialists and integrate work processes, but also to actively research and adopt current technologies both in its own infrastructure and in customers' infrastructure.

Below I will talk a little about the changes in the container technology stack that we encountered while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up a runtime environment for Kubernetes.

Why is Docker not in CentOS 8?

After installing the latest major releases, RHEL 8 or CentOS 8, you cannot help but notice that these distributions and their official repositories do not contain Docker, which is ideologically and functionally replaced by the packages Podman, Buildah (present in the distribution by default) and CRI-O. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.

The goal of OCI, which is part of the Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they do not contradict the Linux philosophy (for example, the part that says each program should do one thing, whereas Docker is a kind of all-in-one combine). Second, they could eliminate all the existing shortcomings of the Docker software. Third, they would be fully compatible with the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).

The shortcomings of Docker and the advantages of the new software have already been described in some detail in this article, and a detailed description of the entire software stack offered within the OCI project and of its architectural features can be found in the official documentation and in articles from Red Hat itself (a decent article on the Red Hat blog) and in third-party reviews.

It is important to note what function each component of the proposed stack performs:

  • Podman - direct interaction with containers and image storage through the runC runtime;
  • Buildah - building images and pushing them to a registry;
  • CRI-O - a runtime environment for container orchestration systems (for example, Kubernetes).

I think that, to understand the general scheme of interaction between the components of the stack, it is useful to give here a diagram of how Kubernetes connects with runC and the low-level libraries using CRI-O:

[Diagram: Kubernetes connected to runC and the low-level libraries through CRI-O]

CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O match), and this, given the developers' focus on complete and comprehensive testing of this stack, gives us the right to expect the maximum achievable stability under any usage scenario (the relative lightness of CRI-O compared with Docker, owing to its deliberately limited functionality, is also a benefit here).

When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into a few minor difficulties, which we nevertheless overcame successfully. I will be glad to share the installation and configuration instructions, which in total will take about 10 minutes.

How to deploy Kubernetes on CentOS 8 using the CRI-O runtime

Requirements: at least one host (2 cores, 4 GB RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), as well as entries for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). And do not forget to disable swap.

We perform all operations on the host as the root user, so be careful.

  1. In the first step, we will configure the OS, then install and configure the preliminary dependencies for CRI-O.
    • Let's update the OS:
      dnf -y update
      

    • Next you need to configure the firewall and SELinux. Here everything depends on the environment in which our host or hosts will run. You can either set up the firewall according to the recommendations in the documentation or, if you are on a trusted network or use a third-party firewall, change the default zone to trusted or turn the firewall off:
      firewall-cmd --set-default-zone trusted
      
      firewall-cmd --reload

      To turn the firewall off, you can use the following command:

      systemctl disable --now firewalld
      

      SELinux needs to be turned off or switched to "permissive" mode:

      setenforce 0
      
      sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

    • Load the required kernel modules and install the required packages, and configure automatic loading of the "br_netfilter" module at system startup:
      modprobe overlay
      
      modprobe br_netfilter
      
      echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
      
      dnf -y install iproute-tc
      

    • To enable packet forwarding and correct traffic handling, we will make the appropriate settings:
      cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
      net.bridge.bridge-nf-call-iptables = 1
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      EOF
      

      Apply the settings:

      sysctl --system

    • Set the required CRI-O version (the major version of CRI-O, as already mentioned, matches the required version of Kubernetes); the latest stable version of Kubernetes is currently 1.18:
      export REQUIRED_VERSION=1.18
      

      Add the necessary repositories:

      dnf -y install 'dnf-command(copr)'
      
      dnf -y copr enable rhcontainerbot/container-selinux
      
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
      
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo

    • Now we can install CRI-O:
      dnf -y install cri-o
      

      Pay attention to the first nuance we encountered during installation: you need to edit the CRI-O configuration before starting the service, because the required conmon component is located in a different place than the one specified:

      sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf

      Now you can enable and start the CRI-O daemon:

      systemctl enable --now crio
      

      You can check the status of the daemon:

      systemctl status crio
      

  2. Installing and activating Kubernetes.
    • Let's add the required repository:
      cat <<EOF > /etc/yum.repos.d/kubernetes.repo
      [kubernetes]
      name=Kubernetes
      baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
      enabled=1
      gpgcheck=1
      repo_gpgcheck=1
      gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
      exclude=kubelet kubeadm kubectl
      EOF
      

      Now we can install Kubernetes (version 1.18, as mentioned above):

      dnf install -y kubelet-1.18* kubeadm-1.18* kubectl-1.18* --disableexcludes=kubernetes

    • The second important nuance: since we are using the CRI-O daemon rather than the Docker daemon, before starting and initializing Kubernetes you need to make the appropriate settings in the configuration file /var/lib/kubelet/config.yaml, first creating the required directory:
      mkdir -p /var/lib/kubelet
      
      cat <<EOF > /var/lib/kubelet/config.yaml
      apiVersion: kubelet.config.k8s.io/v1beta1
      kind: KubeletConfiguration
      cgroupDriver: systemd
      EOF

    • The third important point we ran into during installation: even though we have specified the cgroup driver to use, and configuration through arguments passed to kubelet is deprecated (as explicitly stated in the documentation), we need to add the arguments to the file, otherwise our cluster will not initialize:
      cat /dev/null > /etc/sysconfig/kubelet
      
      cat <<EOF > /etc/sysconfig/kubelet
      KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
      EOF

    • Now we can enable the kubelet daemon:
      sudo systemctl enable --now kubelet
      

      To configure a control-plane or worker node in minutes, you can use this script.

  3. It is time to initialize our cluster.
    • To initialize the cluster, run the command:
      kubeadm init --pod-network-cidr=10.244.0.0/16
      

      Be sure to write down the command for joining the cluster, "kubeadm join …", which you are prompted to use at the end of the output, or at least the tokens shown.

    • Let's install a plugin (CNI) for the Pod network. I recommend using Calico. The perhaps more popular Flannel has compatibility issues with nftables, and besides, Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
      kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml 

    • To connect a worker node to our cluster, you need to configure it according to steps 1 and 2 of these instructions, or use the script, and then run the command from the "kubeadm init…" output that was written down in the previous step:
      kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN \
          --discovery-token-ca-cert-hash $TOKEN_HASH

    • Let's check that our cluster has been initialized and has started working:
      kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A
      

    Done! You can already host workloads on your K8s cluster.
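
The firewall bullet in step 1 mentions setting up the firewall according to the documentation but shows only the trusted-zone and disable variants. The following is an added example, not part of the original article: it opens only the inbound ports listed in the kubeadm 1.18 installation documentation. The zone name `public`, the function names and the `DRY_RUN` switch are assumptions, and ports needed by the CNI plugin (Calico here) are not included.

```bash
#!/usr/bin/env bash
# Added example: scoped firewalld rules instead of the "trusted" default zone.
# Port lists follow the kubeadm 1.18 install docs; CNI (Calico) ports are NOT included.

# Print the inbound ports for a node role: "control-plane" or "worker".
k8s_ports() {
    case "$1" in
        control-plane)
            # API server, etcd, kubelet, kube-scheduler, kube-controller-manager
            echo "6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp" ;;
        worker)
            # kubelet API and the default NodePort range
            echo "10250/tcp 30000-32767/tcp" ;;
        *)
            echo "unknown role: $1" >&2
            return 1 ;;
    esac
}

# Print the firewall-cmd calls for a role. The zone (default "public") is an assumption.
k8s_firewall_cmds() {
    local role="$1" zone="${2:-public}" ports port
    ports="$(k8s_ports "$role")" || return 1
    for port in $ports; do
        echo "firewall-cmd --permanent --zone=$zone --add-port=$port"
    done
    echo "firewall-cmd --reload"
}

# Print the commands (DRY_RUN=1, the default) or run them as root (DRY_RUN=0).
apply_k8s_firewall() {
    local cmds cmd
    cmds="$(k8s_firewall_cmds "$@")" || return 1
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            $cmd </dev/null || return 1
        fi
    done <<EOF
$cmds
EOF
}

# Usage: ./k8s-firewall.sh control-plane [zone]   (file name is hypothetical)
[ "$#" -eq 0 ] || apply_k8s_firewall "$@"
```

Run it with the default `DRY_RUN=1` first to review the commands, then with `DRY_RUN=0` on each node for its role.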

What lies ahead

I hope the instructions above saved you some time and nerves.
The outcome of processes taking place in the industry often depends on how they are received by the bulk of end users and by the developers of other software in the relevant niche. It is not yet entirely clear what the OCI initiatives will lead to in a few years, but we will be watching with pleasure. You can share your opinion right now in the comments.

Stay tuned!

This article appeared thanks to the following sources:

  • The section on container runtimes in the Kubernetes documentation
  • The CRI-O project page on the web
  • Red Hat blog articles: this one, this one and many others



Source: www.habr.com
