Kubernetes容器运行时接口-CRI
CRI 简介
在 Kubernetes1.5 之前 Docker 作为第一个容器运行时,Kubelet 通过内嵌 dockershim 操作容器API,但随着越来越多的容器运行时的希望加入kubelet,社区开始有人提出通过加入一个client/server接口来抽象容器运行时。在 v1.6.0 后, Kubernetes 开始默认启用 CRI(容器运行时接口),下图是容器运行时在 kubernets 中得作用。
CRI 架构介绍
以下主要介绍Kubernetes1.18版的CRI
CRI 为 kubelet 提供一套抽象的容器调度的接口,CRI 主要承接 kubelet 对容器的操作。CRI 得通信协议是 gRPC,当时主要考虑到性能问题。加入 CRI 后 kubelet 得架构如下图所示。
Kubelet 现在主要包含两个运行时的模块,一个是 dockershim, 一个是 remote。dockershim 是原来的提供Docker的运行时接口(PS: docker果然还是一等公民??:)。remote包对应的就是 CRI 接口,采用gRPC,通过 RemoteRuntime 和 CRI RuntimeService相连:
... // createAndStartFakeRemoteRuntime creates and starts fakeremote.RemoteRuntime. // It returns the RemoteRuntime, endpoint on success. // Users should call fakeRuntime.Stop() to cleanup the server. func createAndStartFakeRemoteRuntime(t *testing.T) (*fakeremote.RemoteRuntime, string) { endpoint, err := fakeremote.GenerateEndpoint() require.NoError(t, err) fakeRuntime := fakeremote.NewFakeRemoteRuntime() fakeRuntime.Start(endpoint) return fakeRuntime, endpoint } func createRemoteRuntimeService(endpoint string, t *testing.T) internalapi.RuntimeService { runtimeService, err := NewRemoteRuntimeService(endpoint, defaultConnectionTimeout) require.NoError(t, err) return runtimeService } func TestVersion(t *testing.T) { fakeRuntime, endpoint := createAndStartFakeRemoteRuntime(t) defer fakeRuntime.Stop() r := createRemoteRuntimeService(endpoint, t) version, err := r.Version(apitest.FakeVersion) assert.NoError(t, err) assert.Equal(t, apitest.FakeVersion, version.Version) assert.Equal(t, apitest.FakeRuntimeName, version.RuntimeName) }
CRI 容器运行时的三类行为
CRI 容器运行时主要描述了三种服务的行为 Sandbox、Container、Image:
Sandbox:
// PodSandboxManager contains methods for operating on PodSandboxes. The methods // are thread-safe. type PodSandboxManager interface { // RunPodSandbox creates and starts a pod-level sandbox. Runtimes should ensure // the sandbox is in ready state. RunPodSandbox(config *runtimeapi.PodSandboxConfig, runtimeHandler string) (string, error) // StopPodSandbox stops the sandbox. If there are any running containers in the // sandbox, they should be force terminated. StopPodSandbox(podSandboxID string) error // RemovePodSandbox removes the sandbox. If there are running containers in the // sandbox, they should be forcibly removed. RemovePodSandbox(podSandboxID string) error // PodSandboxStatus returns the Status of the PodSandbox. PodSandboxStatus(podSandboxID string) (*runtimeapi.PodSandboxStatus, error) // ListPodSandbox returns a list of Sandbox. ListPodSandbox(filter *runtimeapi.PodSandboxFilter) ([]*runtimeapi.PodSandbox, error) // PortForward prepares a streaming endpoint to forward ports from a PodSandbox, and returns the address. PortForward(*runtimeapi.PortForwardRequest) (*runtimeapi.PortForwardResponse, error) }
Container:
// ContainerManager contains methods to manipulate containers managed by a // container runtime. The methods are thread-safe. type ContainerManager interface { // CreateContainer creates a new container in specified PodSandbox. CreateContainer(podSandboxID string, config *runtimeapi.ContainerConfig, sandboxConfig *runtimeapi.PodSandboxConfig) (string, error) // StartContainer starts the container. StartContainer(containerID string) error // StopContainer stops a running container with a grace period (i.e., timeout). StopContainer(containerID string, timeout int64) error // RemoveContainer removes the container. RemoveContainer(containerID string) error // ListContainers lists all containers by filters. ListContainers(filter *runtimeapi.ContainerFilter) ([]*runtimeapi.Container, error) // ContainerStatus returns the status of the container. ContainerStatus(containerID string) (*runtimeapi.ContainerStatus, error) // UpdateContainerResources updates the cgroup resources for the container. UpdateContainerResources(containerID string, resources *runtimeapi.LinuxContainerResources) error // ExecSync executes a command in the container, and returns the stdout output. // If command exits with a non-zero exit code, an error is returned. ExecSync(containerID string, cmd []string, timeout time.Duration) (stdout []byte, stderr []byte, err error) // Exec prepares a streaming endpoint to execute a command in the container, and returns the address. Exec(*runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error) // Attach prepares a streaming endpoint to attach to a running container, and returns the address. Attach(req *runtimeapi.AttachRequest) (*runtimeapi.AttachResponse, error) // ReopenContainerLog asks runtime to reopen the stdout/stderr log file // for the container. If it returns error, new container log file MUST NOT // be created. ReopenContainerLog(ContainerID string) error }
Image:
// ImageManagerService interface should be implemented by a container image // manager. // The methods should be thread-safe. type ImageManagerService interface { // ListImages lists the existing images. ListImages(filter *runtimeapi.ImageFilter) ([]*runtimeapi.Image, error) // ImageStatus returns the status of the image. ImageStatus(image *runtimeapi.ImageSpec) (*runtimeapi.Image, error) // PullImage pulls an image with the authentication config. PullImage(image *runtimeapi.ImageSpec, auth *runtimeapi.AuthConfig, podSandboxConfig *runtimeapi.PodSandboxConfig) (string, error) // RemoveImage removes the image. RemoveImage(image *runtimeapi.ImageSpec) error // ImageFsInfo returns information of the filesystem that is used to store images. ImageFsInfo() ([]*runtimeapi.FilesystemUsage, error) }
CRI 容器生命周期操作流程
kubelet创建一个Pod主要可以拆解成:
- 调用
RunPodSandox
创建一个pod沙盒 - 调用
CreateContainer
创建一个容器 - 调用
StartContainer
启动一个容器
CRI Streaming接口
streaming接口主要是用于执行 exec
命令,exec
命令主要用于 attach 容器进行交互,通过流式接口的可以节省资源,提高连接的可靠性。
kubelet 调用 Exec()
接口发给 RuntimeService ,RuntimeService 返回一个 url 给到 apiserver, 让 apiserver 跟 Stream Server 直接建立连接,获取流式数据。 由于绕过了kubelet,因此Stream Server 也提高连接的可靠性
CRI 中 Exec()
接口:
// ContainerManager contains methods to manipulate containers managed by a // container runtime. The methods are thread-safe. type ContainerManager interface { ... // Exec prepares a streaming endpoint to execute a command in the container, and returns the address. Exec(*runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error) // Attach prepares a streaming endpoint to attach to a running container, and returns the address. Attach(req *runtimeapi.AttachRequest) (*runtimeapi.AttachResponse, error) ... }
CRI proto接口定义
CRI 是一个为kubelet提供的一个广泛的容器运行时的无需编译的接口插件。 CRI 包含了一个 protocol buffers 和 gRPC API。kubernetes1.18的 CRI 代码路径:kubernetes/staging/src/k8s.io/cri-api/
。
CRI中定义了容器和镜像的服务的接口,因为容器运行时与镜像的生命周期是彼此隔离的,因此需要定义两个服务 RuntimeService 和 ImageService。
RuntimeService的proto接口定义文件
// Runtime service defines the public APIs for remote container runtimes service RuntimeService { // Version returns the runtime name, runtime version, and runtime API version. rpc Version(VersionRequest) returns (VersionResponse) {} // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure // the sandbox is in the ready state on success. rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {} // StopPodSandbox stops any running process that is part of the sandbox and // reclaims network resources (e.g., IP addresses) allocated to the sandbox. // If there are any running containers in the sandbox, they must be forcibly // terminated. // This call is idempotent, and must not return an error if all relevant // resources have already been reclaimed. kubelet will call StopPodSandbox // at least once before calling RemovePodSandbox. It will also attempt to // reclaim resources eagerly, as soon as a sandbox is not needed. Hence, // multiple StopPodSandbox calls are expected. rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {} // RemovePodSandbox removes the sandbox. If there are any running containers // in the sandbox, they must be forcibly terminated and removed. // This call is idempotent, and must not return an error if the sandbox has // already been removed. rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {} // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not // present, returns an error. rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {} // ListPodSandbox returns a list of PodSandboxes. rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {} // CreateContainer creates a new container in specified PodSandbox rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {} // StartContainer starts the container. rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {} // StopContainer stops a running container with a grace period (i.e., timeout). // This call is idempotent, and must not return an error if the container has // already been stopped. // TODO: what must the runtime do after the grace period is reached? rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {} // RemoveContainer removes the container. If the container is running, the // container must be forcibly removed. // This call is idempotent, and must not return an error if the container has // already been removed. rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {} // ListContainers lists all containers by filters. rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {} // ContainerStatus returns status of the container. If the container is not // present, returns an error. rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {} // UpdateContainerResources updates ContainerConfig of the container. rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {} // ReopenContainerLog asks runtime to reopen the stdout/stderr log file // for the container. This is often called after the log file has been // rotated. If the container is not running, container runtime can choose // to either create a new log file and return nil, or return an error. // Once it returns error, new container log file MUST NOT be created. rpc ReopenContainerLog(ReopenContainerLogRequest) returns (ReopenContainerLogResponse) {} // ExecSync runs a command in a container synchronously. rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {} // Exec prepares a streaming endpoint to execute a command in the container. rpc Exec(ExecRequest) returns (ExecResponse) {} // Attach prepares a streaming endpoint to attach to a running container. rpc Attach(AttachRequest) returns (AttachResponse) {} // PortForward prepares a streaming endpoint to forward ports from a PodSandbox. rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {} // ContainerStats returns stats of the container. If the container does not // exist, the call returns an error. rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {} // ListContainerStats returns stats of all running containers. rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {} // UpdateRuntimeConfig updates the runtime configuration based on the given request. rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {} // Status returns the status of the runtime. rpc Status(StatusRequest) returns (StatusResponse) {} }
ImageService 的 proto 接口定义文件:
// ImageService defines the public APIs for managing images. service ImageService { // ListImages lists existing images. rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {} // ImageStatus returns the status of the image. If the image is not // present, returns a response with ImageStatusResponse.Image set to // nil. rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {} // PullImage pulls an image with authentication config. rpc PullImage(PullImageRequest) returns (PullImageResponse) {} // RemoveImage removes the image. // This call is idempotent, and must not return an error if the image has // already been removed. rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {} // ImageFSInfo returns information of the filesystem that is used to store images. rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {} }
CRI工具介绍
- CRI命令工具:crictl,帮助用户和开发者调试容器问题
- CRI测试工具:critest,用于验证CRI接口的测试工具,验证是否满足Kubelet要求。
crictl 安装:
VERSION="v1.17.0" wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin rm -f crictl-$VERSION-linux-amd64.tar.gz
critest 安装:
VERSION="v1.17.0" wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/critest-$VERSION-linux-amd64.tar.gz sudo tar zxvf critest-$VERSION-linux-amd64.tar.gz -C /usr/local/bin rm -f critest-$VERSION-linux-amd64.tar.gz
参考文献
低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。
持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。
转载内容版权归作者及来源网站所有,本站原创内容转载请注明来源。
- 上一篇
阿里云服务器企业版ECS该如何选择及使用教程
请认真看完此文国内云服务商中,阿里云服务器的口碑可以说是数一数二的了,因此很多企业在建站时都会首先考虑到阿里云服务器。所以,服务器吧小编今天就带大家来深入学习一下阿里云企业版云服务器ECS的使用方法。 阿里云企业版云服务器ECS快速入门需围绕这几个方面:ECS实例规格的选择、网络规划建议、对实例数量及具体配置的成本估算、安全组的配置、自动快照策略的制定、镜像迁移以及业务负载均衡与高可用性。 一、实例规格的选择如果你的业务面向以下应用场景,可以选择图中推荐的实例。这里更多实例规格族。(说明:不同地域下可购买的实例规格可能存在差异,你可以前往ECS实例可购买地域,查看实例的可购情况。) (说明:更多应用场景说明请参见企业级配置选型。) 具体的实例配置需要结合应用场景的要求决定,可以参考如下实例配置建议:均衡性能:需要相对均衡的处理器与内存资源配比,可以满足大多数场景下的应用资源需求。 高网络收发包应用:需要高网络收发包能力,您可以根据应用场景选择更合理的计算与内存的资源配比。 高性能计算:需要消耗高计算资源,GPU并行计算以及高主频是该场景下的典型应用。 高性能端游:需要高主频处理器支持,...
- 下一篇
阿里云服务器2核8G5M性能配置好不好用?
阿里云服务器2核8G5M是热销的云服务器配置,最近这个配置活动较多。目前主要应用场景为中大型的web网站,包括对用户体验较为重视的政府和企业网站等。让网站可以更快打开,提升企业和品牌形象。这款配置比之前介绍的阿里云2核4G5M多了4GB内存。这么大的内存开启opcache php内存缓存,MySQL mencached数据库缓存等,可以进一步给服务器加速,提升用户体验。本文给这些实例规格族、实例CPU、内存、阿里云盘、优惠活动做详细介绍。 一、几核几G几M是什么意思 几核就是几个CPU核心,几G就是服务器有多少GB的内存,几M就是云服务器宽带是多少Mbps。1Mbps = 128KB/S。服务器的核心在服务商等于宿主机(母鸡)CPU一个处理器线程。比如2核云服务器,宿主机采用4核8线程,那就是分配到了2个线程的处理器。 二、阿里云服务器2核8G5M有那些实例规格 这款配置有突发性能型实例,会限制CPU。如果你了解突发性能t5、t6那么可以用,否则不建议购买会限制性能的实例。除了突发性能实例,目前阿里云其他服务器均不限制处理器性能。都可以放心选购。 以下均为2核8G阿里云实例 实例规格族...
相关文章
文章评论
共有0条评论来说两句吧...
文章二维码
点击排行
推荐阅读
最新文章
- SpringBoot2更换Tomcat为Jetty,小型站点的福音
- Springboot2将连接池hikari替换为druid,体验最强大的数据库连接池
- MySQL8.0.19开启GTID主从同步CentOS8
- CentOS6,7,8上安装Nginx,支持https2.0的开启
- SpringBoot2整合Thymeleaf,官方推荐html解决方案
- CentOS关闭SELinux安全模块
- CentOS7设置SWAP分区,小内存服务器的救世主
- Docker安装Oracle12C,快速搭建Oracle学习环境
- Docker快速安装Oracle11G,搭建oracle11g学习环境
- CentOS7编译安装Gcc9.2.0,解决mysql等软件编译问题