
Integrating gVisor with containerd

皇甫逸清
2023-12-01
gVisor kernel requirement: Linux 3.17 or newer. On CentOS 7 the kernel has to be upgraded first (commands below); Ubuntu does not need this.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml-devel kernel-ml -y
grub2-set-default 0
reboot
uname -r
1. Prepare the gVisor binary (the commands assume runsc and its checksum file runsc.sha512 have already been downloaded into the current directory; the checksum is verified before the binary is installed)
sha512sum -c runsc.sha512
rm -f *.sha512
chmod a+x runsc
mv runsc /usr/local/bin
2. Configure Docker to use gVisor
runsc install # inspect the configuration it adds to /etc/docker/daemon.json
systemctl restart docker
Reference: https://gvisor.dev/docs/user_guide/install/
Switching to the containerd container runtime
1. Prepare the configuration
cat > /etc/sysctl.d/99-kubernetes-cri.conf << EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sysctl --system
2. Install
cd /etc/yum.repos.d
wget http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y containerd.io
3. Modify the configuration file. Changes to make:
pause image address
change the cgroup driver to systemd
add the runsc container runtime
configure a Docker registry mirror
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
vi /etc/containerd/config.toml
...
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.2" 
...
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
...
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
runtime_type = "io.containerd.runsc.v1"
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://b9pmyelo.mirror.aliyuncs.com"]
...
systemctl restart containerd
4. Configure kubelet to use containerd
[root@k8s-node1 ~]# cat /etc/sysconfig/kubelet 
KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd

5. Restart the services

systemctl restart kubelet
[root@k8s-master ~]# kubectl get node -owide
NAME         STATUS   ROLES                  AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION                CONTAINER-RUNTIME
k8s-master   Ready    control-plane,master   66d   v1.21.8   172.16.2.15   <none>        CentOS Linux 7 (Core)   5.15.13-1.el7.elrepo.x86_64   docker://20.10.10
k8s-node1    Ready    <none>                 66d   v1.21.0   172.16.2.29   <none>        CentOS Linux 7 (Core)   5.15.13-1.el7.elrepo.x86_64   containerd://1.4.12
k8s-node2    Ready    <none>                 66d   v1.21.0   172.16.2.42   <none>        CentOS Linux 7 (Core)   5.15.13-1.el7.elrepo.x86_64   docker://20.10.10
Create a Pod to test gVisor:
A RuntimeClass is a feature for selecting the container runtime configuration; that configuration is used to run the containers in a Pod.
[root@k8s-master gvisor]# cat runtimeclass.yaml 
apiVersion: node.k8s.io/v1 # RuntimeClass is defined in the node.k8s.io API group
kind: RuntimeClass
metadata:
  name: gvisor # the name used to reference this RuntimeClass
handler: runsc # the name of the corresponding CRI runtime configuration
[root@k8s-master gvisor]# cat gv.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: gv
spec:
  nodeName: k8s-node1
  runtimeClassName: gvisor
  containers:
  - image: nginx
    name: gv
    ports:
    - containerPort: 80

[root@k8s-master gvisor]# kubectl exec pods/gv  dmesg
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[    0.000000] Starting gVisor...
[    0.211642] Recruiting cron-ies...
[    0.346717] Moving files to filing cabinet...
[    0.489654] Checking naughty and nice process list...
[    0.897029] Searching for socket adapter...
[    1.337473] Rewriting operating system in Javascript...
[    1.404005] Singleplexing /dev/ptmx...
[    1.821850] Consulting tar man page...
[    1.972985] Gathering forks...
[    2.335428] Synthesizing system calls...
[    2.724146] Adversarially training Redcode AI...
[    2.792839] Ready!
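Added example, not code from the original post: a small bash script with pass/fail checks for the node configuration in steps 3 and 4 above (kernel version, runsc runtime entry, cgroup-driver agreement between containerd and kubelet) and for the dmesg test just shown. It runs here against constructed sample files that mirror the post's config.toml and kubelet settings; the SAMPLE_* names are the script's own.

```shell
# Added example, not from the original post: pass/fail checks for a node set up
# as above. Each function returns 0 on success so it can be run against the real
# files, e.g. runtime_configured /etc/containerd/config.toml.

# gVisor needs Linux 3.17+; compare major.minor taken from a `uname -r` string.
kernel_supported() {
  local major minor
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%[!0-9]*}
  [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 17 ]; }
}

# containerd must declare the runsc runtime. runtime_type io.containerd.runsc.v1
# is served by the containerd-shim-runsc-v1 binary, which must also be on PATH.
runtime_configured() {
  grep -qF '[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]' "$1" &&
    grep -qF 'runtime_type = "io.containerd.runsc.v1"' "$1"
}

# kubelet and containerd must agree on the cgroup driver or pods never start.
cgroup_drivers_match() {
  if grep -qF 'SystemdCgroup = true' "$1"; then
    grep -qF -- '--cgroup-driver=systemd' "$2"
  else
    ! grep -qF -- '--cgroup-driver=systemd' "$2"
  fi
}

# Inside a gVisor sandbox, dmesg comes from the Sentry and begins with
# "Starting gVisor..."; under runc it would show the host kernel log instead.
pod_under_gvisor() {
  printf '%s\n' "$1" | grep -qF 'Starting gVisor'
}

# Constructed sample inputs mirroring the post's config.toml and kubelet file.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_TOML=$SAMPLE_DIR/config.toml
SAMPLE_KUBELET=$SAMPLE_DIR/kubelet
cat > "$SAMPLE_TOML" <<'EOF'
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = true
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
    runtime_type = "io.containerd.runsc.v1"
EOF
cat > "$SAMPLE_KUBELET" <<'EOF'
KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd
EOF
```

On a real node, pass `$(uname -r)`, /etc/containerd/config.toml and /etc/sysconfig/kubelet to the functions, and the output of `kubectl exec pods/gv -- dmesg` to pod_under_gvisor.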
