CRI-O as a replacement for Docker as the runtime environment for Kubernetes: setup on CentOS 8

Hello! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf aims not only to establish cooperation between specialists and to integrate work processes, but also to actively research and adopt current technologies, both in its own infrastructure and in the customer's infrastructure.

Below I will talk a little about the changes in the container technology stack that we encountered while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up a runtime environment for Kubernetes.

Why is Docker not included in CentOS 8?

After installing the latest major releases, RHEL 8 or CentOS 8, one cannot help but notice that these distributions and their official repositories do not contain the Docker application. It is replaced, ideologically and functionally, by the Podman, Buildah (present in the distribution by default) and CRI-O packages. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.

The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they do not contradict the Linux philosophy (for example, the part that says each program should do one thing, while Docker is a kind of all-in-one combine). Second, they could eliminate all the existing shortcomings of the Docker software. Third, they would be fully compatible with the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).

The shortcomings of Docker and the advantages of the new software have already been described in some detail in this article. A detailed description of the whole software stack offered within the OCI project, and of its architectural features, can be found in the official documentation and in articles from Red Hat itself (not a bad article on the Red Hat blog), as well as in third-party reviews.

It is important to note what each component of the proposed stack is responsible for:

  • Podman - direct interaction with containers and image storage through the runC process;
  • Buildah - building images and pushing them to a registry;
  • CRI-O - a runtime environment for container orchestration systems (for example, Kubernetes).

I think that, to understand the general scheme of interaction between the components of the stack, it is worth giving a diagram here of how Kubernetes connects with runC and the low-level libraries using CRI-O:

[Figure: interaction of Kubernetes with runC and the low-level libraries via CRI-O]

CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O match). Given the developers' focus on complete and comprehensive testing of this stack, this gives us the right to expect the maximum achievable stability in operation under any usage scenario (the relative lightness of CRI-O compared to Docker, a result of the deliberate reduction of functionality, also helps here).

When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into some difficulties, which we nevertheless overcame successfully. I will be happy to share the installation and configuration instructions with you; they will take about 10 minutes.

How to install Kubernetes on CentOS 8 using the CRI-O runtime environment

Prerequisites: at least one host (2 cores, 4 GB of RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), as well as an entry for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). And do not forget to disable swap.

We perform all operations on the host as the root user, so be careful.

  1. In the first step, we will configure the OS, then install and configure the preliminary dependencies for CRI-O.
    • Let's update the OS:
      dnf -y update

    • Next you need to configure the firewall and SELinux. Here everything depends on the environment in which our host or hosts will run. You can configure the firewall according to the recommendations from the documentation, or, if you are on a trusted network or use a third-party firewall, change the default zone to trusted or turn the firewall off:
      firewall-cmd --set-default-zone trusted
      firewall-cmd --reload

      To turn the firewall off, you can use the following command:

      systemctl disable --now firewalld

      SELinux needs to be turned off or switched to "permissive" mode:

      setenforce 0
      sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

    • Load the required kernel modules and packages, and set up automatic loading of the "br_netfilter" module at system startup:
      modprobe overlay
      modprobe br_netfilter
      echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
      dnf -y install iproute-tc

    • To enable packet forwarding and correct traffic handling, we will make the appropriate settings:
      cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
      net.bridge.bridge-nf-call-iptables = 1
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      EOF

      Apply the settings:

      sysctl --system

    • Set the required CRI-O version (the major version of CRI-O, as already mentioned, matches the required Kubernetes version); the latest stable Kubernetes version is currently 1.18:
      export REQUIRED_VERSION=1.18

      Add the required repositories:

      dnf -y install 'dnf-command(copr)'
      dnf -y copr enable rhcontainerbot/container-selinux
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
      curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo

    • Now we can install CRI-O:
      dnf -y install cri-o

      Note the first nuance we encounter during the installation: you need to edit the CRI-O configuration before starting the service, because the required conmon component is located in a different place than the one specified:

      sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf

      Now you can enable and start the CRI-O daemon:

      systemctl enable --now crio

      You can check the status of the daemon:

      systemctl status crio

  2. Installing and activating Kubernetes.
    • Let's add the required repository:
      cat <<EOF > /etc/yum.repos.d/kubernetes.repo
      [kubernetes]
      name=Kubernetes
      baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
      enabled=1
      gpgcheck=1
      repo_gpgcheck=1
      gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
      exclude=kubelet kubeadm kubectl
      EOF

      Now we can install Kubernetes (version 1.18, as mentioned above):

      dnf install -y kubelet-1.18* kubeadm-1.18* kubectl-1.18* --disableexcludes=kubernetes

    • The second important nuance: since we are using the CRI-O daemon rather than the Docker daemon, before launching and initializing Kubernetes you need to make the appropriate settings in the configuration file /var/lib/kubelet/config.yaml, first creating the required directory:
      mkdir -p /var/lib/kubelet
      cat <<EOF > /var/lib/kubelet/config.yaml
      apiVersion: kubelet.config.k8s.io/v1beta1
      kind: KubeletConfiguration
      cgroupDriver: systemd
      EOF

    • The third important point we ran into during installation: even though we have specified the cgroup driver to use, and configuring it through arguments passed to kubelet is deprecated (as explicitly stated in the documentation), we need to add the arguments to the file, otherwise our cluster will not initialize:
      cat /dev/null > /etc/sysconfig/kubelet
      cat <<EOF > /etc/sysconfig/kubelet
      KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
      EOF

    • Now we can enable the kubelet daemon:
      sudo systemctl enable --now kubelet

      To set up a control-plane or worker node within minutes, you can also use this script.

  3. Time to initialize our cluster.
    • To initialize the cluster, run the command:
      kubeadm init --pod-network-cidr=10.244.0.0/16

      Be sure to write down the cluster join command "kubeadm join …", which you are prompted to use at the end of the output, or at least the tokens mentioned there.

    • Let's install the Pod network plugin (CNI). I recommend using Calico. The perhaps more popular Flannel has compatibility problems with nftables, and besides, Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
      kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml

    • To connect a worker node to our cluster, you need to configure it according to steps 1 and 2, or use the script, and then run the command from the "kubeadm init..." output that we wrote down in the previous step:
      kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN \
          --discovery-token-ca-cert-hash $TOKEN_HASH

    • Let's check that our cluster has been initialized and has started working:
      kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A

    Done! You can already host workloads on your K8s cluster.
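
An added example, not part of the original article: a POSIX shell script that re-checks the nuances flagged in steps 1 and 2 (the conmon path and the kubelet arguments) together with the sysctl file, and reports the persistent SELinux mode. The function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-install checks for the pitfalls named in steps 1 and 2.
# Each check takes an optional root prefix, so it can be pointed at a
# constructed directory tree; with no prefix it inspects the live host.

# Nuance 1: the conmon path in crio.conf must point at a real executable.
check_conmon() (
  root="${1:-}"
  path=$(sed -n 's/^[[:space:]]*conmon[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$root/etc/crio/crio.conf" 2>/dev/null | head -n 1)
  [ -n "$path" ] && [ -x "$root$path" ]
)

# Nuances 2 and 3: kubelet must use the CRI-O socket and the systemd cgroup driver.
check_kubelet_args() (
  f="${1:-}/etc/sysconfig/kubelet"
  grep -q -e '--container-runtime=remote' "$f" 2>/dev/null &&
  grep -q -e '--cgroup-driver=systemd' "$f" &&
  grep -q -e "--container-runtime-endpoint='\{0,1\}unix:///var/run/crio/crio\.sock" "$f"
)

# Bridged pod traffic must pass through iptables and the host must forward packets.
check_sysctl_conf() (
  f="${1:-}/etc/sysctl.d/99-kubernetes-cri.conf"
  for key in net.bridge.bridge-nf-call-iptables \
             net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
    awk -F= -v k="$key" '{ gsub(/[ \t]/, "") } $1 == k && $2 == "1" { ok = 1 }
      END { exit !ok }' "$f" 2>/dev/null || exit 1
  done
)

# Print the persistent SELinux mode, so a permissive host is a recorded decision.
selinux_mode() (
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-}/etc/selinux/config" 2>/dev/null | head -n 1
)

# Run every check, print one line per result, exit non-zero if any check fails.
run_checks() (
  root="${1:-}"; rc=0
  for c in check_conmon check_kubelet_args check_sysctl_conf; do
    if "$c" "$root"; then echo "OK    $c"; else echo "FAIL  $c"; rc=1; fi
  done
  echo "INFO  selinux=$(selinux_mode "$root")"
  exit "$rc"
)

# Usage: sh checks.sh --run [root-prefix]
if [ "${1:-}" = "--run" ]; then run_checks "${2:-}"; fi
```

Run it with `--run` on the node after step 2 and before `kubeadm init`; a FAIL line names the setting to revisit.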

What lies ahead

I hope the instructions above helped you save some time and nerves.
The outcome of processes taking place in the industry often depends on how they are received by the bulk of end users and by developers of other software in the corresponding niche. It is not yet entirely clear where the OCI initiatives will lead in a few years, but we will be watching with pleasure. You can share your opinion right now in the comments.

Stay tuned!

This article appeared thanks to the following sources:

  • The section on container runtimes in the Kubernetes documentation
  • The CRI-O project page on the Internet
  • Red Hat blog articles: this one, this one and many others



Source: www.habr.com
