Hello! My name is Sergey, and I am a DevOps engineer at Surf. The DevOps department at Surf aims not only to establish collaboration between specialists and integrate workflows, but also to actively research and adopt current technologies, both in its own infrastructure and in the customer's infrastructure.
Below I will talk a little about the changes in the container technology stack that we ran into while studying the CentOS 8 distribution, about what CRI-O is, and about how to quickly set up an executable environment for Kubernetes.
Why is Docker not included in CentOS 8?
After installing the latest major release of RHEL 8 or CentOS 8, one cannot help but notice: these distributions and their official repositories do not contain Docker, which is replaced, ideologically and functionally, by the Podman, Buildah (present in the distribution by default) and CRI-O packages. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI) project.
The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that solve several problems at once. First, they do not contradict the Linux philosophy (for example, the part where each program should do one thing, whereas Docker is a kind of all-in-one combine). Second, they can eliminate all the existing shortcomings of the Docker software. Third, they will be fully compatible with the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).
The shortcomings of Docker and the advantages of the new software have already been described in some detail in
It is important to note what each component of the proposed stack is responsible for:
- Podman: direct interaction with containers and image storage through the runC process;
- Buildah: building images and pushing them to a registry;
- CRI-O: an executable environment for container orchestration systems (for example, Kubernetes).
To understand the general scheme of interaction between the components of the stack, it helps to show here how Kubernetes connects to runC and the low-level libraries through CRI-O:
CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O match). Given the developers' focus on complete and thorough testing of this stack, this gives us the right to expect the maximum achievable stability in operation under any usage scenario (the relative lightness of CRI-O compared with Docker, due to its deliberately limited functionality, is also a benefit here).
When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into some difficulties, which we successfully overcame. I will be happy to share with you the installation and configuration instructions, which will take about 10 minutes in total.
How to install Kubernetes on CentOS 8 using the CRI-O runtime
Prerequisites: at least one host (2 cores, 4 GB RAM, at least 15 GB of storage) with CentOS 8 installed (the "Server" installation profile is recommended), and an entry for it in the local DNS (as a last resort, you can get by with an entry in /etc/hosts). And don't forget
Note that we perform all operations on the host as the root user, so be careful.
1. In the first step, we configure the OS, then install and configure the initial dependencies for CRI-O.
- Update the OS:
dnf -y update
- Next you need to configure the firewall and SELinux. Everything here depends on the environment in which our host or hosts will run. You can configure the firewall according to the recommendations from the documentation or, if you are on a trusted network or use a third-party firewall, change the default zone to trusted or turn the firewall off:
firewall-cmd --set-default-zone trusted
firewall-cmd --reload
To turn off the firewall you can use the following command:
systemctl disable --now firewalld
SELinux needs to be turned off or switched to "permissive" mode:
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
- Load the required kernel modules and packages, and configure automatic loading of the "br_netfilter" module at system startup:
modprobe overlay
modprobe br_netfilter
echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
dnf -y install iproute-tc
- To enable packet forwarding and correct traffic processing, we make the appropriate settings:
cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
Apply the settings:
sysctl --system
- Set the required CRI-O version (the major CRI-O version, as already mentioned, matches the required Kubernetes version); the latest stable Kubernetes version is currently 1.18:
export REQUIRED_VERSION=1.18
Add the required repositories:
dnf -y install 'dnf-command(copr)'
dnf -y copr enable rhcontainerbot/container-selinux
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo
- Now we can install CRI-O:
dnf -y install cri-o
Note the first nuance we meet during installation: you need to edit the CRI-O configuration before starting the service, because the required conmon component is in a different location from the one specified:
sed -i 's|/usr/libexec/crio/conmon|/usr/bin/conmon|' /etc/crio/crio.conf
Now you can enable and start the CRI-O daemon:
systemctl enable --now crio
You can check the daemon's status:
systemctl status crio
2. Installing and configuring Kubernetes.
- Add the required repository:
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
Now we can install Kubernetes (version 1.18, as mentioned above):
dnf install -y 'kubelet-1.18*' 'kubeadm-1.18*' 'kubectl-1.18*' --disableexcludes=kubernetes
- The second important nuance: since we are not using the Docker daemon but the CRI-O daemon, before launching and initializing Kubernetes you need to make the appropriate settings in the configuration file /var/lib/kubelet/config.yaml, first creating the required directory:
mkdir -p /var/lib/kubelet
cat <<EOF > /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF
- The third important point we ran into during installation: although we have specified the cgroup driver in use, and configuring it through arguments passed to kubelet is deprecated (as explicitly stated in the documentation), we need to add the arguments to the file, otherwise our cluster will not initialize:
cat /dev/null > /etc/sysconfig/kubelet
cat <<EOF > /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
EOF
- Now we can enable the kubelet daemon:
sudo systemctl enable --now kubelet
To set up control-plane or worker nodes in minutes, you can use this script.
3. Time to initialize our cluster.
- To initialize the cluster, run the command:
kubeadm init --pod-network-cidr=10.244.0.0/16
Be sure to write down the cluster join command "kubeadm join …", which you are asked to use at the end of the output, or at least the tokens it mentions.
- Install the Pod network plugin (CNI). I recommend using Calico. The perhaps more popular Flannel has compatibility problems with nftables, and Calico is the only CNI implementation recommended and fully tested by the Kubernetes project:
kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
- To connect a worker node to our cluster, you need to configure it according to steps 1 and 2, or use the script, and then run the command from the "kubeadm init..." output that we wrote down in the previous step:
kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN --discovery-token-ca-cert-hash $TOKEN_HASH
- Check that our cluster has been initialized and has started working:
kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A
Done! You can already host workloads on your K8s cluster.
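The three nuances called out in the steps above (the conmon path, the kubelet arguments, the repository file) can be checked against the files after the fact. The script below is an added example, not part of the original article; its function names are hypothetical, and it assumes crio.conf sets conmon, cgroup_manager and listen as uncommented key = "value" lines.

```shell
#!/bin/sh
# Added example: audit the files this walkthrough edits by hand (paths are arguments).

# conf_value FILE KEY: first value of KEY = "v" (crio.conf) or KEY=v (.repo)
conf_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/^"\([^"]*\)".*/\1/; s/[[:space:]]*$//'
}
# flag_value FILE FLAG: value of --FLAG=value, surrounding quotes removed
flag_value() {
    sed -n "s/.*--${2}=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1 | tr -d "'\""
}

# Nuance 1: crio.conf must name a conmon binary that actually exists.
check_conmon() {
    p=$(conf_value "$1" conmon)
    [ -n "$p" ] && [ -f "$p" ] && [ -x "$p" ] && return 0
    echo "conmon '$p' from $1 is not an executable file" >&2; return 1
}

# Nuances 2 and 3: kubelet flags must match CRI-O's cgroup manager and socket.
check_kubelet_args() {    # args: sysconfig/kubelet file, crio.conf
    d=$(flag_value "$1" cgroup-driver); m=$(conf_value "$2" cgroup_manager)
    e=$(flag_value "$1" container-runtime-endpoint); s=$(conf_value "$2" listen)
    [ -n "$d" ] && [ "$d" = "$m" ] ||
        { echo "cgroup driver '$d' != CRI-O cgroup_manager '$m'" >&2; return 1; }
    [ -n "$s" ] && [ "$e" = "unix://$s" ] ||
        { echo "endpoint '$e' != CRI-O listen socket '$s'" >&2; return 1; }
}

# Repo file: signature checks on, HTTPS only, $basearch left for dnf to expand.
check_k8s_repo() {
    [ "$(conf_value "$1" gpgcheck)" = 1 ] && [ "$(conf_value "$1" repo_gpgcheck)" = 1 ] ||
        { echo "signature checking is off in $1" >&2; return 1; }
    case $(conf_value "$1" baseurl) in
        https://*'$basearch') ;;
        *) echo "baseurl must be HTTPS and end in a literal \$basearch" >&2; return 1 ;;
    esac
    keys=$(conf_value "$1" gpgkey); [ -n "$keys" ] || { echo "no gpgkey in $1" >&2; return 1; }
    for url in $keys; do
        case $url in https://*) ;; *) echo "gpgkey not HTTPS: $url" >&2; return 1 ;; esac
    done
}

if [ "${1:-}" = "--live" ]; then    # check the real paths used on this page
    check_conmon /etc/crio/crio.conf
    check_kubelet_args /etc/sysconfig/kubelet /etc/crio/crio.conf
    check_k8s_repo /etc/yum.repos.d/kubernetes.repo
fi
```

A baseurl that ends in "kubernetes-el7-" with nothing after it means the heredoc was written without escaping $basearch, so the shell expanded it to an empty string.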
What lies ahead
I hope the instructions above helped you save time and nerves.
The outcome of processes taking place in the industry often depends on how they are received by the bulk of end users and by the developers of other software in the corresponding niche. It is not yet entirely clear where the OCI initiatives will lead in a few years, but we will be watching with interest. You can share your opinion right now in the comments.
Stay tuned!
This article appeared thanks to the following sources:
- The section on container runtimes in the Kubernetes documentation
- The CRI-O project page on the Internet
- Red Hat blog articles: this one, this one and many others
Source: www.habr.com