课堂kubernetes第四讲运行时kubelet

1、IBM开源技术微讲堂Kubernetes系列第四讲Kubernetes运行时1更多信息，请访问：hp:/opentech-ma“Kubenetes”系列公开课课程Wiki：/opentech-ma每周四晚8点档Kubernetes 初探上手 KubernetesKubernetes 的资源调度Kubernetes 的运行时Kubernetes 的网络管理Kubernetes 的存储管理Kubernetes 的日志与监控Kubernetes 的应用部署扩展 Kubernetes 生态Kubernetes 的企业实践讲师简介Michael Brown目前就职于IBM Digital Busines

2、s Group的开源与开放 标准项目组，专注于开源云计算技术（例如Open Container Initiative, Docker与kubernetes等）的开发与研究。在他的职业生涯中，曾参与过许多开源项目 与开放标准的研发工作，包括操作系统、Java虚拟机、浏览器、中间件和金融产品等相关项目。以下是他个人的自我描述：“Engineer, IBMer, Inventor, Coach, PC Gamer, and Proud Father. Opinions are my own and not of my employer. ” 2016 IBM CorporationKubernete

3、s RuntimeMichael W. BrownDeveloper Advocate - Open Source Software Development Maintainer CRI-Containerd5IBM Voice Gateway | 2017 IBM CorporationKubelet Architecture - General IntroductionContainer runtimes in KubernetesOpen Containers Initiative (OCI) IntroductionAgendaKubelet Architecture - Remind

4、er chart from Kubernetes 101User via kubectl deploys a new applicationAPI server receives the request and stores it in the DB (etcd)Watchers/controllers detect the resource changes and act upon itReplicaSet watcher/controller detects the new app and creates new pods to match the desired # of instanc

5、esScheduler assigns new pods to a kubeletKubelet detects pods and deploys them via the container runing (e.g. Docker)Kubeproxy manages network trafficfor the pods including service discovery and load-balancingNodeNodePodBase OS/KernelDocker EngineImagesUbuntuLibertyKubletKube- ProxyPod/ServiceCCCMas

6、terAPIServerReplication Endpoints.Kub Client ( kubectl )deployment.ymlStorage (etcd)7123Controllers46Scheduler56Kubelet Architecture78Kubelet Architecture - KubeletKublet runs on each node.Kublet is the primary node agent.Kublet manages isolated application containers.Kublet creates and manages pods

7、, and the application containers requested for each pod.Kublet processes pod specs to identify the configuration for the pod and application containers.Kublet receives pod specs from the apiserver, command line, HTTP endpoint, and HTTP server.Kubelet also links in the cAdvisor resource monitoring ag

8、ent.9Kubelet Architecture - Kube ProxyThe Kubernetes service abstraction provides a way to group pods.The group of pods of a service have a common accesspolicy (e.g. load-balanced)A virtual IP is created for the serviceEach node runs a kube-proxy, acting as a network proxy and load balancerService e

9、ndpoints are found primarily via DNS.10Kubelet Architecture - Container RuntimeEach node includes at least one container runtime.The container runtime is responsible for downloading images and running containers.Kubelet does not link in the base container runtime.The Kubernetes Container Runtime Int

10、erface (CRI) has been defined to decouple and cContainer Runtimes in KubernetesWhat is Container Runtime Interface (CRI) ?A GRPC interface and a group of librariesEnables Kubernetes to use a wide variety of container runtimesIntroduced in Kubernetes 1.5+KubeletCRIGrpc clientCRI shimCRIgrpc serverCRI

11、 protobufcontainer run4mecontainercoconntatianineer rcontainercontainer1112Container Runtime InterfaceCRI Integrationscontainerd (with cri-containerd): /kubernetes-incubator/cri-containerdcri-o: /kubernetes-incubator/cri-oDocker (Upstream): /kubernetes/kubernetes/tree/master/pkg/kubelet/dockershimfr

12、akti: /kubernetes/fraktirktlet: /kubernetes-incubator/rktletvirtlet: /Mirantis/virtletCRI Tools /kubernetes-incubator/cri-toolscritest: CRI Validation Test Suitecrictl: CRI Command Line Tool13Kubernetes & ContainerdContainerd Scope (In/Out)Kubernetes RequirementContainer Lifecycle ManagementInContai

13、ner Create/Start/Stop/Delete/List/Inspect ()Image ManagementInPull/List/Inspect ()NetworkingOutNo concrete network solution. User can setupnetwork namespace and put containers into it.Kubernetes networking deals with pods, rather than containers, so container runtimes should not provide complex netw

14、orking solutions thatdont satisfy requirements. ()VolumesOutNo volume management. User can setup hostpath, and mount it into container.Kubernetes manages volumes. Container runtimes should not provide internal volume management that may conflict with Kubernetes. ()Persistent Container LoggingOutNo p

15、ersistent container log. Container STDIOis provided as FIFOs, which can be redirected/ decorated as is required.Kubernetes has specific requirements for persistent container logs, such as format and path etc. Container runtimes should not persist an unmanageable container log. ()MetricsInContainerd

16、provides container and snapshotmetrics as part of the API.Kubernetes expects container runtime to provide container metrics (CPU, Memory, writable layer size, etc.) and image filesystem usage (disk, inode usage, etc.). ()The scope of containerd aligns with the requirement of Kubernetes.CRI-Container

17、dcri-containerd: A containerd based implementation of CRI./kubernetes-incubator/cri-containerdKubernetes incubator project.Started in April 2017.containercontainerKubeletdockershimdockercontainerdcontainer containerCRIcontainercontainerKubeletcri-containerdcontainerdcontainer containerCRI14dockershi

18、mcri-containerdArchitecturePod BPod A NamespacesPod A Cgroupscri-containerdsandbox containercontainerd shimimage servicerunFme serviceKubeletGRPCClientGRPCcontainerd shimcontainer Aocicni15Kublet creating a single-container podExample to demonstrate how cri-containerd works for the case when Kubelet

19、 creates a single-container pod:Kubelet calls cri-containerd, via the CRI runtime service API, to create a pod;cri-containerd uses containerd to create and start a special pause container (the sandbox container) and put that container inside the pods cgroups and namespace (steps omitted for brevity)

20、;cri-containerd configures the pods network namespace using CNI;Kubelet subsequently calls cri-containerd, via the CRI image service API, to pull the application container image;cri-containerd further uses containerd to pull the image if the image is not present on the node;Kubelet then calls cri-co

21、ntainerd, via the CRI runtime service API, to create and start the application container inside the pod using the pulled container image;cri-containerd finally calls containerd to create the application container, put it inside the pods cgroups and namespace, then to start the pods new application c

22、ontainer.After these steps, a pod and its corresponding application container is created and running.Kubeletcri-containerdcontainerdCRI16Pod CgroupsPod Namespacessandbox pause containerapplicaFon container17StatusCri-containerd v1.0.0-alpha.0 was released on Sep. 25, 2017.It is feature complete. All

23、 Kubernetes features are supported.All CRI validation tests have passed. (A CRI validation is a test framework for validating whether a CRI implem All regular node e2e tests have passed. (The Kubernetes test framework for testing Kubernetes node level fun For more current status, see the github proj

24、ect repository, links provided on last slide.18Next Steps for CRI-ContainerdStability:Set up a full set of Kubernetes integration test in the Kubernetes test infrastructure on various OS distros such as Ubuntu, COS (Container-Optimized OS) etc.Actively fix any test failures and other issues reported

25、 by users.Usability:Improve the user experience of crictl. Crictl is a portable command line tool for all CRI container runtimes. The goal here is to make it easy to use for debug and development scenarios.Integrate cri-containerd with kube-up.sh, to help users bring up a production quality Kubernet

26、es cluster using cri-containerd and containerd.Improve our documentation for users and admins alike.We plan to release our v1.0.0-beta.0 by the end of 2017.Open Container Initiative (OCI) -Containerd19Open Container Initiative (OCI) with CRI-O2021Thank You! Q&AAbout OCI:runc on github: /opencontainers/runcOCI testing:/opencontainers/runtime-toolsContainerD /containerd/containerdCRI-O:http:/cri-o.io/kubernetes-incubator/cri-o22More on CRI-ContainerdCri-containerd is a Kubernetes incub