深入萬物基礎(chǔ)-容器

一、思考

我們在 k8s 里面的容器和 docker 的容器有什么異同？

其實 docker 之前有自己的一套編排軟件：docker swarm 它可以在多臺主機中創(chuàng)建一個 docker 集群，但是也僅限于此了，docker 在很早就放棄了這個項目。docker machine 是配合 swarm 的一個預(yù)處理工具

k8s 全稱：kubernetes，因為中間有 8 個字母，所以簡稱 k8s，是谷歌公司開發(fā)的一款容器編排工具，占據(jù)了 80%以上的市場份額。

k8s 的 Pod 是最小單位，Pod 中容器的配置需要注意以下常用的

Pod 里面的容器內(nèi)容可以寫的東西

args

command Entrypoint array. Not executed within a shell. The docker image’s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container’s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $, ie: $(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

env 容器要用的環(huán)境變量

envFrom List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.

image 寫鏡像的名字

imagePullPolicy 下載策略： Always：總是去下載： 【默認(rèn)】 先看網(wǎng)上有沒有，有了就下載，（本機也有，docker 就相當(dāng)于不用下載了） Never：總不去下載，一定保證當(dāng)前 Pod 所在的機器有這個鏡像 ；直接看本機 IfNotPresent：如果本機沒有就去下載；先看本機，再看遠程

lifecycle 生命周期鉤子

livenessProbe Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

name -required- 容器的名字

ports 端口：

readinessProbe Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

resources Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

securityContext Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

startupProbe StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod’s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

stdin Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.

stdinOnce Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false

terminationMessagePath Optional: Path at which the file to which the container’s termination message will be written is mounted into the container’s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.

terminationMessagePolicy Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.

tty Whether this container should allocate a TTY for itself, also requires ‘stdin’ to be true. Default is false.

volumeDevices volumeDevices is the list of block devices to be used by the container.

volumeMounts Pod volumes to mount into the container’s filesystem. Cannot be updated.

workingDir 指定進容器的工作目錄

二、鏡像

在 Kubernetes 的 Pod 中使用容器鏡像之前，我們必須將其推送到一個鏡像倉庫（或者使用倉庫中已經(jīng)有的容器鏡像）。在 Kubernetes 的 Pod 定義中定義容器時，必須指定容器所使用的鏡像，容器中的 image 字段支持與 docker 命令一樣的語法，包括私有鏡像倉庫和標(biāo)簽。

如果使用 hub.dokcer.com Registry 中的鏡像，可以省略 registry 地址和 registry 端口。例如：nginx:latest

Kubernetes 中，默認(rèn)的鏡像抓取策略是 IfNotPresent，使用此策略，kubelet 在發(fā)現(xiàn)本機有鏡像的情況下，不會向鏡像倉庫抓取鏡像。如果您期望每次啟動 Pod 時，都強制從鏡像倉庫抓取鏡像，可以嘗試如下方式：

• 設(shè)置 container 中的 imagePullPolicy 為 Always
• 省略 imagePullPolicy 字段，并使用 :latest tag 的鏡像
• 省略 imagePullPolicy 字段和鏡像的 tag
• 激活 AlwaysPullImages 管理控制器

docker pull redis docker.io/library/redis:latest

下載私有倉庫鏡像

#這個秘鑰默認(rèn)在default名稱空間，不能被hello名稱空間共享kubectl create secret -n hello docker-registry my-aliyun –docker-server=registry.cn-hangzhou.aliyuncs.com –docker-username=lansonli –docker-password=lansonli123456789

apiVersion: v1kind: Podmetadata: name: foospec: containers: – name: foo image: registry.cn-zhangjiakou.aliyuncs.com/atguigudocker/atguigu-java-img:v1.0 imagePullSecrets: – name: mydocker

三、啟動命令

四、環(huán)境變量

env 指定即可

五、生命周期容器鉤子

Kubernetes 中為容器提供了兩個 hook（鉤子函數(shù)）：

• PostStart
• 此鉤子函數(shù)在容器創(chuàng)建后將立刻執(zhí)行。但是，并不能保證該鉤子函數(shù)在容器的 ENTRYPOINT 之前執(zhí)行。該鉤子函數(shù)沒有輸入?yún)?shù)。
• PreStop
• 此鉤子函數(shù)在容器被 terminate（終止）之前執(zhí)行，例如：
• 通過接口調(diào)用刪除容器所在 Pod
• 某些管理事件的發(fā)生：健康檢查失敗、資源緊缺等
• 如果容器已經(jīng)被關(guān)閉或者進入了 completed 狀態(tài)，preStop 鉤子函數(shù)的調(diào)用將失敗。該函數(shù)的執(zhí)行是同步的，即，kubernetes 將在該函數(shù)完成執(zhí)行之后才刪除容器。該鉤子函數(shù)沒有輸入?yún)?shù)。

apiVersion: v1kind: Podmetadata: name: lansonli-demospec: containers: – name: lansonli-demo-container image: alpine command: [“/bin/sh”, “-c”, “echo hello; “] volumeMounts: – name: mount1 mountPath: /app lifecycle: postStart: exec: command: [“/bin/sh”, “-c”, “echo world;”] preStop: exec: command: [“/bin/sh”,”-c”,”echo 66666;”]

• Kubernetes 在容器啟動后立刻發(fā)送 postStart 事件，但是并不能確保 postStart 事件處理程序在容器的 EntryPoint 之前執(zhí)行。postStart 事件處理程序相對于容器中的進程來說是異步的（同時執(zhí)行），然而，Kubernetes 在管理容器時，將一直等到 postStart 事件處理程序結(jié)束之后，才會將容器的狀態(tài)標(biāo)記為 Running。
• Kubernetes 在決定關(guān)閉容器時，立刻發(fā)送 preStop 事件，并且，將一直等到 preStop 事件處理程序結(jié)束或者 Pod 的 –grace-period 超時，才刪除容器

六、資源限制

pods/qos/qos-pod.yaml apiVersion: v1kind: Podmetadata: name: qos-demo namespace: qos-examplespec: containers: – name: qos-demo-ctr image: nginx resources: limits: # 限制最大大小 -Xmx memory: “200Mi” cpu: “700m” # 啟動默認(rèn)給分配的大小 -Xms requests: memory: “200Mi” cpu: “700m”

kubectl describe 可用來排錯的，查看資源的狀態(tài)