Akiyesi. itumọ.: onkọwe ti nkan naa - Erkan Erol, ẹlẹrọ lati SAP - pin ikẹkọ rẹ ti awọn ilana ti iṣẹ ṣiṣe ẹgbẹ kubectl exec, ki faramọ si gbogbo eniyan ti o ṣiṣẹ pẹlu Kubernetes. O tẹle gbogbo algorithm pẹlu awọn atokọ ti koodu orisun Kubernetes (ati awọn iṣẹ akanṣe), eyiti o gba ọ laaye lati ni oye koko-ọrọ bi jinna bi o ṣe nilo.
Ni ọjọ Jimọ kan, alabaṣiṣẹpọ kan wa si ọdọ mi o beere bi a ṣe le ṣe aṣẹ kan ninu podu ni lilo . Emi ko le dahun fun u ati lojiji rii pe Emi ko mọ nkankan nipa ọna ṣiṣe kubectl exec. Bẹẹni, Mo ni awọn imọran kan nipa eto rẹ, ṣugbọn Emi ko ni idaniloju 100% ti deede wọn ati nitorinaa pinnu lati koju ọran yii. Lehin iwadi awọn bulọọgi, iwe ati koodu orisun, Mo kọ ọpọlọpọ awọn ohun titun, ati ninu nkan yii Mo fẹ lati pin awọn awari ati oye mi. Ti ohunkohun ba jẹ aṣiṣe, jọwọ kan si mi ni .
Igbaradi
Lati ṣẹda iṣupọ kan lori MacBook, Mo cloned . Lẹhinna Mo ṣe atunṣe awọn adirẹsi IP ti awọn apa ni atunto kubelet, nitori awọn eto aiyipada ko gba laaye kubectl exec. O le ka diẹ sii nipa idi akọkọ fun eyi .
- Eyikeyi ọkọ ayọkẹlẹ = mi MacBook
- Titunto si ipade IP = 192.168.205.10
- Osise IP = 192.168.205.11
- Ibudo olupin API = 6443
Awọn ohun elo
- kubectl exec ilana: Nigba ti a ba ṣiṣẹ "kubectl exec..." ilana naa bẹrẹ. Eyi le ṣee ṣe lori ẹrọ eyikeyi pẹlu iraye si olupin API K8s. Akiyesi Transl.: Siwaju sii ninu awọn atokọ console, onkọwe lo asọye “ẹrọ eyikeyi”, ti o tumọ si pe awọn aṣẹ atẹle le ṣee ṣe lori eyikeyi iru awọn ẹrọ pẹlu iraye si Kubernetes.
- : A paati lori awọn titunto si ipade ti o pese wiwọle si Kubernetes API. Eyi ni iwaju iwaju fun ọkọ ofurufu iṣakoso ni Kubernetes.
- : Aṣoju ti o nṣiṣẹ lori gbogbo ipade ni iṣupọ. O ṣe idaniloju iṣẹ ti awọn apoti ninu podu.
- (akoko asiko eiyan): Sọfitiwia ti o ni iduro fun ṣiṣe awọn apoti. Awọn apẹẹrẹ: Docker, CRI-O, ti a fi sinu…
- ekuro: Ekuro OS lori ipade oṣiṣẹ; jẹ lodidi fun isakoso ilana.
- afojusun (afojusun) eiyan: eiyan ti o jẹ apakan ti podu ti o nṣiṣẹ lori ọkan ninu awọn apa osise.
Ohun ti mo se awari
1. ose aṣayan iṣẹ-ṣiṣe
Ṣẹda podu ni aaye orukọ kan default:
// any machine
$ kubectl run exec-test-nginx --image=nginxLẹhinna a ṣiṣẹ pipaṣẹ exec ati duro 5000 awọn aaya fun awọn akiyesi siwaju:
// any machine
$ kubectl exec -it exec-test-nginx-6558988d5-fgxgg -- sh
# sleep 5000Ilana kubectl han (pẹlu pid=8507 ninu ọran wa):
// any machine
$ ps -ef |grep kubectl
501 8507 8409 0 7:19PM ttys000 0:00.13 kubectl exec -it exec-test-nginx-6558988d5-fgxgg -- shTi a ba ṣayẹwo iṣẹ nẹtiwọọki ti ilana naa, a yoo rii pe o ni awọn asopọ si olupin api (192.168.205.10.6443):
// any machine
$ netstat -atnv |grep 8507
tcp4 0 0 192.168.205.1.51673 192.168.205.10.6443 ESTABLISHED 131072 131768 8507 0 0x0102 0x00000020
tcp4 0 0 192.168.205.1.51672 192.168.205.10.6443 ESTABLISHED 131072 131768 8507 0 0x0102 0x00000028Jẹ ki a wo koodu naa. Kubectl ṣẹda ibeere POST pẹlu orisun subresource ati firanṣẹ ibeere REST kan:
req := restClient.Post().
Resource("pods").
Name(pod.Name).
Namespace(pod.Namespace).
SubResource("exec")
req.VersionedParams(&corev1.PodExecOptions{
Container: containerName,
Command: p.Command,
Stdin: p.Stdin,
Stdout: p.Out != nil,
Stderr: p.ErrOut != nil,
TTY: t.Raw,
}, scheme.ParameterCodec)
return p.Executor.Execute("POST", req.URL(), p.Config, p.In, p.Out, p.ErrOut, t.Raw, sizeQueue)()
2. Iṣẹ-ṣiṣe lori apa ipade titunto si
A tun le ṣe akiyesi ibeere ni ẹgbẹ api-server:
handler.go:143] kube-apiserver: POST "/api/v1/namespaces/default/pods/exec-test-nginx-6558988d5-fgxgg/exec" satisfied by gorestful with webservice /api/v1
upgradeaware.go:261] Connecting to backend proxy (intercepting redirects) https://192.168.205.11:10250/exec/default/exec-test-nginx-6558988d5-fgxgg/exec-test-nginx?command=sh&input=1&output=1&tty=1
Headers: map[Connection:[Upgrade] Content-Length:[0] Upgrade:[SPDY/3.1] User-Agent:[kubectl/v1.12.10 (darwin/amd64) kubernetes/e3c1340] X-Forwarded-For:[192.168.205.1] X-Stream-Protocol-Version:[v4.channel.k8s.io v3.channel.k8s.io v2.channel.k8s.io channel.k8s.io]]Ṣe akiyesi pe ibeere HTTP pẹlu ibeere kan lati yi ilana naa pada. faye gba o lati multiplex olukuluku stdin/stdout/stderr/spdy-aṣiṣe "awọn ṣiṣan" lori kan nikan TCP asopọ.
Olupin API gba ibeere naa ati yi pada sinu PodExecOptions:
// PodExecOptions is the query options to a Pod's remote exec call
type PodExecOptions struct {
metav1.TypeMeta
// Stdin if true indicates that stdin is to be redirected for the exec call
Stdin bool
// Stdout if true indicates that stdout is to be redirected for the exec call
Stdout bool
// Stderr if true indicates that stderr is to be redirected for the exec call
Stderr bool
// TTY if true indicates that a tty will be allocated for the exec call
TTY bool
// Container in which to execute the command.
Container string
// Command is the remote command to execute; argv array; not executed within a shell.
Command []string
}()
Lati ṣe awọn iṣe ti o nilo, api-server gbọdọ mọ iru adarọ-ese ti o nilo lati kan si:
// ExecLocation returns the exec URL for a pod container. If opts.Container is blank
// and only one container is present in the pod, that container is used.
func ExecLocation(
getter ResourceGetter,
connInfo client.ConnectionInfoGetter,
ctx context.Context,
name string,
opts *api.PodExecOptions,
) (*url.URL, http.RoundTripper, error) {
return streamLocation(getter, connInfo, ctx, name, opts, opts.Container, "exec")
}()
Nitoribẹẹ, data nipa aaye ipari ni a gba lati alaye nipa ipade:
nodeName := types.NodeName(pod.Spec.NodeName)
if len(nodeName) == 0 {
// If pod has not been assigned a host, return an empty location
return nil, nil, errors.NewBadRequest(fmt.Sprintf("pod %s does not have a host assigned", name))
}
nodeInfo, err := connInfo.GetConnectionInfo(ctx, nodeName)()
Hooray! Kubelet ni ibudo bayi (node.Status.DaemonEndpoints.KubeletEndpoint.Port), eyiti olupin API le sopọ si:
// GetConnectionInfo retrieves connection info from the status of a Node API object.
func (k *NodeConnectionInfoGetter) GetConnectionInfo(ctx context.Context, nodeName types.NodeName) (*ConnectionInfo, error) {
node, err := k.nodes.Get(ctx, string(nodeName), metav1.GetOptions{})
if err != nil {
return nil, err
}
// Find a kubelet-reported address, using preferred address type
host, err := nodeutil.GetPreferredNodeAddress(node, k.preferredAddressTypes)
if err != nil {
return nil, err
}
// Use the kubelet-reported port, if present
port := int(node.Status.DaemonEndpoints.KubeletEndpoint.Port)
if port <= 0 {
port = k.defaultPort
}
return &ConnectionInfo{
Scheme: k.scheme,
Hostname: host,
Port: strconv.Itoa(port),
Transport: k.transport,
}, nil
}()
Lati awọn iwe aṣẹ :
Awọn asopọ wọnyi ni a ṣe si aaye ipari HTTPS ti kubelet. Nipa aiyipada, apiserver ko ṣe idaniloju ijẹrisi kubelet, eyiti o jẹ ki asopọ jẹ ipalara si awọn ikọlu eniyan-ni-arin (MITM) ati lewu fun ṣiṣẹ ni unreliable ati / tabi àkọsílẹ nẹtiwọki.
Bayi olupin API mọ aaye ipari ati fi idi asopọ mulẹ:
// Connect returns a handler for the pod exec proxy
func (r *ExecREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {
execOpts, ok := opts.(*api.PodExecOptions)
if !ok {
return nil, fmt.Errorf("invalid options object: %#v", opts)
}
location, transport, err := pod.ExecLocation(r.Store, r.KubeletConn, ctx, name, execOpts)
if err != nil {
return nil, err
}
return newThrottledUpgradeAwareProxyHandler(location, transport, false, true, true, responder), nil
}()
Jẹ ká wo ohun ti o ṣẹlẹ lori awọn titunto si ipade.
Ni akọkọ, a rii IP ti ipade oṣiṣẹ. Ninu ọran wa o jẹ 192.168.205.11:
// any machine
$ kubectl get nodes k8s-node-1 -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node-1 Ready <none> 9h v1.15.3 192.168.205.11 <none> Ubuntu 16.04.6 LTS 4.4.0-159-generic docker://17.3.3Lẹhinna ṣeto ibudo kubelet (10250 ninu ọran wa):
// any machine
$ kubectl get nodes k8s-node-1 -o jsonpath='{.status.daemonEndpoints.kubeletEndpoint}'
map[Port:10250]
Bayi o to akoko lati ṣayẹwo nẹtiwọki naa. Ṣe asopọ kan wa si ipade oṣiṣẹ (192.168.205.11)? Oun ni! Ti o ba pa ilana kan exec, yoo parẹ, nitorinaa Mo mọ pe asopọ naa ni idasilẹ nipasẹ olupin api nitori abajade ti pipaṣẹ exec ti o ṣiṣẹ.
// master node
$ netstat -atn |grep 192.168.205.11
tcp 0 0 192.168.205.10:37870 192.168.205.11:10250 ESTABLISHED
…
Isopọ laarin kubectl ati api-server ṣi ṣi silẹ. Ni afikun, asopọ miiran wa ti o so api-server ati kubelet.
3. Iṣẹ-ṣiṣe lori ipade osise
Bayi jẹ ki a sopọ si ipade osise ki o wo ohun ti n ṣẹlẹ lori rẹ.
Ni akọkọ, a rii pe asopọ si rẹ tun ti fi idi mulẹ (laini keji); 192.168.205.10 is IP ti awọn titunto si ipade:
// worker node
$ netstat -atn |grep 10250
tcp6 0 0 :::10250 :::* LISTEN
tcp6 0 0 192.168.205.11:10250 192.168.205.10:37870 ESTABLISHED
Kini nipa ẹgbẹ wa sleep? Yara, o tun wa nibẹ!
// worker node
$ ps -afx
...
31463 ? Sl 0:00 _ docker-containerd-shim 7d974065bbb3107074ce31c51f5ef40aea8dcd535ae11a7b8f2dd180b8ed583a /var/run/docker/libcontainerd/7d974065bbb3107074ce31c51
31478 pts/0 Ss 0:00 _ sh
31485 pts/0 S+ 0:00 _ sleep 5000
…Ṣugbọn duro: bawo ni kubelet ṣe fa eyi kuro? Kubelet naa ni daemon kan ti o pese iraye si API nipasẹ ibudo fun awọn ibeere olupin api:
// Server is the library interface to serve the stream requests.
type Server interface {
http.Handler
// Get the serving URL for the requests.
// Requests must not be nil. Responses may be nil iff an error is returned.
GetExec(*runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error)
GetAttach(req *runtimeapi.AttachRequest) (*runtimeapi.AttachResponse, error)
GetPortForward(*runtimeapi.PortForwardRequest) (*runtimeapi.PortForwardResponse, error)
// Start the server.
// addr is the address to serve on (address:port) stayUp indicates whether the server should
// listen until Stop() is called, or automatically stop after all expected connections are
// closed. Calling Get{Exec,Attach,PortForward} increments the expected connection count.
// Function does not return until the server is stopped.
Start(stayUp bool) error
// Stop the server, and terminate any open connections.
Stop() error
}()
Kubelet ṣe iṣiro aaye ipari esi fun awọn ibeere exec:
func (s *server) GetExec(req *runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error) {
if err := validateExecRequest(req); err != nil {
return nil, err
}
token, err := s.cache.Insert(req)
if err != nil {
return nil, err
}
return &runtimeapi.ExecResponse{
Url: s.buildURL("exec", token),
}, nil
}()
Maṣe gba idamu. Ko da abajade ti aṣẹ pada, ṣugbọn aaye ipari fun ibaraẹnisọrọ:
type ExecResponse struct {
// Fully qualified URL of the exec streaming server.
Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_sizecache int32 `json:"-"`
}()
Kubelet ṣe imuse ni wiwo RuntimeServiceClient, eyi ti o jẹ ara awọn Container Runtime Interface (a kowe diẹ sii nipa rẹ, fun apẹẹrẹ, - isunmọ. itumọ.):
Atokọ gigun lati cri-api ni kubernetes/kubernetes
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type RuntimeServiceClient interface {
// Version returns the runtime name, runtime version, and runtime API version.
Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error)
// RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
// the sandbox is in the ready state on success.
RunPodSandbox(ctx context.Context, in *RunPodSandboxRequest, opts ...grpc.CallOption) (*RunPodSandboxResponse, error)
// StopPodSandbox stops any running process that is part of the sandbox and
// reclaims network resources (e.g., IP addresses) allocated to the sandbox.
// If there are any running containers in the sandbox, they must be forcibly
// terminated.
// This call is idempotent, and must not return an error if all relevant
// resources have already been reclaimed. kubelet will call StopPodSandbox
// at least once before calling RemovePodSandbox. It will also attempt to
// reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
// multiple StopPodSandbox calls are expected.
StopPodSandbox(ctx context.Context, in *StopPodSandboxRequest, opts ...grpc.CallOption) (*StopPodSandboxResponse, error)
// RemovePodSandbox removes the sandbox. If there are any running containers
// in the sandbox, they must be forcibly terminated and removed.
// This call is idempotent, and must not return an error if the sandbox has
// already been removed.
RemovePodSandbox(ctx context.Context, in *RemovePodSandboxRequest, opts ...grpc.CallOption) (*RemovePodSandboxResponse, error)
// PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
// present, returns an error.
PodSandboxStatus(ctx context.Context, in *PodSandboxStatusRequest, opts ...grpc.CallOption) (*PodSandboxStatusResponse, error)
// ListPodSandbox returns a list of PodSandboxes.
ListPodSandbox(ctx context.Context, in *ListPodSandboxRequest, opts ...grpc.CallOption) (*ListPodSandboxResponse, error)
// CreateContainer creates a new container in specified PodSandbox
CreateContainer(ctx context.Context, in *CreateContainerRequest, opts ...grpc.CallOption) (*CreateContainerResponse, error)
// StartContainer starts the container.
StartContainer(ctx context.Context, in *StartContainerRequest, opts ...grpc.CallOption) (*StartContainerResponse, error)
// StopContainer stops a running container with a grace period (i.e., timeout).
// This call is idempotent, and must not return an error if the container has
// already been stopped.
// TODO: what must the runtime do after the grace period is reached?
StopContainer(ctx context.Context, in *StopContainerRequest, opts ...grpc.CallOption) (*StopContainerResponse, error)
// RemoveContainer removes the container. If the container is running, the
// container must be forcibly removed.
// This call is idempotent, and must not return an error if the container has
// already been removed.
RemoveContainer(ctx context.Context, in *RemoveContainerRequest, opts ...grpc.CallOption) (*RemoveContainerResponse, error)
// ListContainers lists all containers by filters.
ListContainers(ctx context.Context, in *ListContainersRequest, opts ...grpc.CallOption) (*ListContainersResponse, error)
// ContainerStatus returns status of the container. If the container is not
// present, returns an error.
ContainerStatus(ctx context.Context, in *ContainerStatusRequest, opts ...grpc.CallOption) (*ContainerStatusResponse, error)
// UpdateContainerResources updates ContainerConfig of the container.
UpdateContainerResources(ctx context.Context, in *UpdateContainerResourcesRequest, opts ...grpc.CallOption) (*UpdateContainerResourcesResponse, error)
// ReopenContainerLog asks runtime to reopen the stdout/stderr log file
// for the container. This is often called after the log file has been
// rotated. If the container is not running, container runtime can choose
// to either create a new log file and return nil, or return an error.
// Once it returns error, new container log file MUST NOT be created.
ReopenContainerLog(ctx context.Context, in *ReopenContainerLogRequest, opts ...grpc.CallOption) (*ReopenContainerLogResponse, error)
// ExecSync runs a command in a container synchronously.
ExecSync(ctx context.Context, in *ExecSyncRequest, opts ...grpc.CallOption) (*ExecSyncResponse, error)
// Exec prepares a streaming endpoint to execute a command in the container.
Exec(ctx context.Context, in *ExecRequest, opts ...grpc.CallOption) (*ExecResponse, error)
// Attach prepares a streaming endpoint to attach to a running container.
Attach(ctx context.Context, in *AttachRequest, opts ...grpc.CallOption) (*AttachResponse, error)
// PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
PortForward(ctx context.Context, in *PortForwardRequest, opts ...grpc.CallOption) (*PortForwardResponse, error)
// ContainerStats returns stats of the container. If the container does not
// exist, the call returns an error.
ContainerStats(ctx context.Context, in *ContainerStatsRequest, opts ...grpc.CallOption) (*ContainerStatsResponse, error)
// ListContainerStats returns stats of all running containers.
ListContainerStats(ctx context.Context, in *ListContainerStatsRequest, opts ...grpc.CallOption) (*ListContainerStatsResponse, error)
// UpdateRuntimeConfig updates the runtime configuration based on the given request.
UpdateRuntimeConfig(ctx context.Context, in *UpdateRuntimeConfigRequest, opts ...grpc.CallOption) (*UpdateRuntimeConfigResponse, error)
// Status returns the status of the runtime.
Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
}
()
O rọrun nlo gRPC lati pe ọna kan nipasẹ Atọka Iṣeduro Apoti:
type runtimeServiceClient struct {
cc *grpc.ClientConn
}()
func (c *runtimeServiceClient) Exec(ctx context.Context, in *ExecRequest, opts ...grpc.CallOption) (*ExecResponse, error) {
out := new(ExecResponse)
err := c.cc.Invoke(ctx, "/runtime.v1alpha2.RuntimeService/Exec", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}()
Akoko asiko apoti jẹ iduro fun imuse RuntimeServiceServer:
Atokọ gigun lati cri-api ni kubernetes/kubernetes
// RuntimeServiceServer is the server API for RuntimeService service.
type RuntimeServiceServer interface {
// Version returns the runtime name, runtime version, and runtime API version.
Version(context.Context, *VersionRequest) (*VersionResponse, error)
// RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
// the sandbox is in the ready state on success.
RunPodSandbox(context.Context, *RunPodSandboxRequest) (*RunPodSandboxResponse, error)
// StopPodSandbox stops any running process that is part of the sandbox and
// reclaims network resources (e.g., IP addresses) allocated to the sandbox.
// If there are any running containers in the sandbox, they must be forcibly
// terminated.
// This call is idempotent, and must not return an error if all relevant
// resources have already been reclaimed. kubelet will call StopPodSandbox
// at least once before calling RemovePodSandbox. It will also attempt to
// reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
// multiple StopPodSandbox calls are expected.
StopPodSandbox(context.Context, *StopPodSandboxRequest) (*StopPodSandboxResponse, error)
// RemovePodSandbox removes the sandbox. If there are any running containers
// in the sandbox, they must be forcibly terminated and removed.
// This call is idempotent, and must not return an error if the sandbox has
// already been removed.
RemovePodSandbox(context.Context, *RemovePodSandboxRequest) (*RemovePodSandboxResponse, error)
// PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
// present, returns an error.
PodSandboxStatus(context.Context, *PodSandboxStatusRequest) (*PodSandboxStatusResponse, error)
// ListPodSandbox returns a list of PodSandboxes.
ListPodSandbox(context.Context, *ListPodSandboxRequest) (*ListPodSandboxResponse, error)
// CreateContainer creates a new container in specified PodSandbox
CreateContainer(context.Context, *CreateContainerRequest) (*CreateContainerResponse, error)
// StartContainer starts the container.
StartContainer(context.Context, *StartContainerRequest) (*StartContainerResponse, error)
// StopContainer stops a running container with a grace period (i.e., timeout).
// This call is idempotent, and must not return an error if the container has
// already been stopped.
// TODO: what must the runtime do after the grace period is reached?
StopContainer(context.Context, *StopContainerRequest) (*StopContainerResponse, error)
// RemoveContainer removes the container. If the container is running, the
// container must be forcibly removed.
// This call is idempotent, and must not return an error if the container has
// already been removed.
RemoveContainer(context.Context, *RemoveContainerRequest) (*RemoveContainerResponse, error)
// ListContainers lists all containers by filters.
ListContainers(context.Context, *ListContainersRequest) (*ListContainersResponse, error)
// ContainerStatus returns status of the container. If the container is not
// present, returns an error.
ContainerStatus(context.Context, *ContainerStatusRequest) (*ContainerStatusResponse, error)
// UpdateContainerResources updates ContainerConfig of the container.
UpdateContainerResources(context.Context, *UpdateContainerResourcesRequest) (*UpdateContainerResourcesResponse, error)
// ReopenContainerLog asks runtime to reopen the stdout/stderr log file
// for the container. This is often called after the log file has been
// rotated. If the container is not running, container runtime can choose
// to either create a new log file and return nil, or return an error.
// Once it returns error, new container log file MUST NOT be created.
ReopenContainerLog(context.Context, *ReopenContainerLogRequest) (*ReopenContainerLogResponse, error)
// ExecSync runs a command in a container synchronously.
ExecSync(context.Context, *ExecSyncRequest) (*ExecSyncResponse, error)
// Exec prepares a streaming endpoint to execute a command in the container.
Exec(context.Context, *ExecRequest) (*ExecResponse, error)
// Attach prepares a streaming endpoint to attach to a running container.
Attach(context.Context, *AttachRequest) (*AttachResponse, error)
// PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
PortForward(context.Context, *PortForwardRequest) (*PortForwardResponse, error)
// ContainerStats returns stats of the container. If the container does not
// exist, the call returns an error.
ContainerStats(context.Context, *ContainerStatsRequest) (*ContainerStatsResponse, error)
// ListContainerStats returns stats of all running containers.
ListContainerStats(context.Context, *ListContainerStatsRequest) (*ListContainerStatsResponse, error)
// UpdateRuntimeConfig updates the runtime configuration based on the given request.
UpdateRuntimeConfig(context.Context, *UpdateRuntimeConfigRequest) (*UpdateRuntimeConfigResponse, error)
// Status returns the status of the runtime.
Status(context.Context, *StatusRequest) (*StatusResponse, error)
}
()
Ti o ba jẹ bẹ, o yẹ ki a rii asopọ laarin kubelet ati asiko asiko eiyan, otun? Jẹ ki a ṣayẹwo.
Ṣiṣe aṣẹ yii ṣaaju ati lẹhin aṣẹ exec ki o wo awọn iyatọ. Ninu ọran mi iyatọ jẹ:
// worker node
$ ss -a -p |grep kubelet
...
u_str ESTAB 0 0 * 157937 * 157387 users:(("kubelet",pid=5714,fd=33))
...Hmmm... Asopọ tuntun nipasẹ awọn sockets unix laarin kubelet (pid=5714) ati nkan ti a ko mọ. Kini o le jẹ? Iyẹn tọ, Docker ni (pid=1186)!
// worker node
$ ss -a -p |grep 157387
...
u_str ESTAB 0 0 * 157937 * 157387 users:(("kubelet",pid=5714,fd=33))
u_str ESTAB 0 0 /var/run/docker.sock 157387 * 157937 users:(("dockerd",pid=1186,fd=14))
...Bi o ṣe ranti, eyi ni ilana docker daemon (pid=1186) ti o mu aṣẹ wa ṣiṣẹ:
// worker node
$ ps -afx
...
1186 ? Ssl 0:55 /usr/bin/dockerd -H fd://
17784 ? Sl 0:00 _ docker-containerd-shim 53a0a08547b2f95986402d7f3b3e78702516244df049ba6c5aa012e81264aa3c /var/run/docker/libcontainerd/53a0a08547b2f95986402d7f3
17801 pts/2 Ss 0:00 _ sh
17827 pts/2 S+ 0:00 _ sleep 5000
...4. Iṣẹ-ṣiṣe ni akoko asiko eiyan
Jẹ ki a ṣayẹwo koodu orisun CRI-O lati ni oye ohun ti n ṣẹlẹ. Ni Docker kannaa kanna.
Olupin kan wa ti o ni iduro fun imuse RuntimeServiceServer:
// Server implements the RuntimeService and ImageService
type Server struct {
config libconfig.Config
seccompProfile *seccomp.Seccomp
stream StreamService
netPlugin ocicni.CNIPlugin
hostportManager hostport.HostPortManager
appArmorProfile string
hostIP string
bindAddress string
*lib.ContainerServer
monitorsChan chan struct{}
defaultIDMappings *idtools.IDMappings
systemContext *types.SystemContext // Never nil
updateLock sync.RWMutex
seccompEnabled bool
appArmorEnabled bool
}()
// Exec prepares a streaming endpoint to execute a command in the container.
func (s *Server) Exec(ctx context.Context, req *pb.ExecRequest) (resp *pb.ExecResponse, err error) {
const operation = "exec"
defer func() {
recordOperation(operation, time.Now())
recordError(operation, err)
}()
resp, err = s.getExec(req)
if err != nil {
return nil, fmt.Errorf("unable to prepare exec endpoint: %v", err)
}
return resp, nil
}()
Ni ipari pq naa, akoko asiko eiyan n ṣiṣẹ aṣẹ lori ipade oṣiṣẹ:
// ExecContainer prepares a streaming endpoint to execute a command in the container.
func (r *runtimeOCI) ExecContainer(c *Container, cmd []string, stdin io.Reader, stdout, stderr io.WriteCloser, tty bool, resize <-chan remotecommand.TerminalSize) error {
processFile, err := prepareProcessExec(c, cmd, tty)
if err != nil {
return err
}
defer os.RemoveAll(processFile.Name())
args := []string{rootFlag, r.root, "exec"}
args = append(args, "--process", processFile.Name(), c.ID())
execCmd := exec.Command(r.path, args...)
if v, found := os.LookupEnv("XDG_RUNTIME_DIR"); found {
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", v))
}
var cmdErr, copyError error
if tty {
cmdErr = ttyCmd(execCmd, stdin, stdout, resize)
} else {
if stdin != nil {
// Use an os.Pipe here as it returns true *os.File objects.
// This way, if you run 'kubectl exec <pod> -i bash' (no tty) and type 'exit',
// the call below to execCmd.Run() can unblock because its Stdin is the read half
// of the pipe.
r, w, err := os.Pipe()
if err != nil {
return err
}
go func() { _, copyError = pools.Copy(w, stdin) }()
execCmd.Stdin = r
}
if stdout != nil {
execCmd.Stdout = stdout
}
if stderr != nil {
execCmd.Stderr = stderr
}
cmdErr = execCmd.Run()
}
if copyError != nil {
return copyError
}
if exitErr, ok := cmdErr.(*exec.ExitError); ok {
return &utilexec.ExitErrorWrapper{ExitError: exitErr}
}
return cmdErr
}()
Nikẹhin, ekuro n ṣiṣẹ awọn aṣẹ:
Awọn olurannileti
- API Server tun le pilẹ asopọ kan si kubelet.
- Awọn asopọ atẹle wọnyi duro titi igba ipade exec ibaraenisepo yoo pari:
- laarin kubectl ati api-server;
- laarin api-server ati kubectl;
- laarin kubelet ati asiko asiko eiyan.
- Kubectl tabi api-server ko le ṣiṣe ohunkohun lori awọn apa osise. Kubelet le ṣiṣẹ, ṣugbọn o tun ṣe ajọṣepọ pẹlu akoko asiko eiyan lati ṣe awọn nkan yẹn.
Oro
- ijiroro""ni kubernetes-dev;
- Nkan "»;
- ijiroro"" lori Aṣiṣe olupin.
PS lati onitumọ
Ka tun lori bulọọgi wa:
- "Kini o ṣẹlẹ ni Kubernetes nigbati o ba ṣiṣẹ kubectl?" и ;
- «»;
- «»;
- «».
orisun: www.habr.com