1. kata简介
kata containers是开源社区通过轻量级虚拟机构建的安全容器,这些虚拟机不仅有着容器一样的性能,而且通过硬件虚拟化作为第二层防御提供更强的隔离特性。
自2017年12月推出以来,该社区成功地将Intel Clear Containers的最佳部分与hyper.sh runv合并,并扩展到支持主要体系结构,包括AMD64、ARM、IBM P系列和IBM Z系列以及x86_64。kata容器还支持多个管理程序,包括qemu、nemu和Firecracker ,并与containerd项目等集成。
kata容器社区由openstack基金会(OSF)管理,该基金会支持全球开放基础设施的开发和采用。代码托管在github上,使用apache 2许可证。
2.kata的特点
安全性
拥有专用的内核,提供网络、I/O和内存的隔离,并可以利用虚拟化VT扩展的硬件强制隔离。兼容性
支持行业标准,包括OCI容器格式、Kubernetes CRI接口以及虚拟化技术。性能
作为标准Linux容器提供一致的性能;提高了隔离性,但不需要额外承担标准虚拟机的性能。简单
不需要通过虚拟机隔离在运行容器,同时兼具两者优势;提供标准的接口对接OCI
3.container vs kata
kata
4.需要部署的组件
4.1 kubernetes
4.2 kata 下载地址
- 安装包准备
[root@node1 kata]# ll
total 107260
-rw-r--r-- 1 root root 62432 Oct 23 16:00 boost-iostreams-1.53.0-27.el7.x86_64.rpm
-rw-r--r-- 1 root root 40044 Oct 23 16:00 boost-random-1.53.0-27.el7.x86_64.rpm
-rw-r--r-- 1 root root 37409592 Oct 23 14:44 kata-containers-image-1.9.0_rc0-40.1.x86_64.rpm
-rw-r--r-- 1 root root 6158772 Oct 23 14:44 kata-ksm-throttler-1.9.0_rc0-45.1.x86_64.rpm
-rw-r--r-- 1 root root 8743684 Oct 23 14:44 kata-linux-container-4.19.75.54-57.1.x86_64.rpm
-rw-r--r-- 1 root root 2500 Oct 23 14:44 kata-proxy-1.9.0_rc0-41.1.x86_64.rpm
-rw-r--r-- 1 root root 1893496 Oct 23 14:44 kata-proxy-bin-1.9.0_rc0-41.1.x86_64.rpm
-rw-r--r-- 1 root root 21077560 Oct 23 14:44 kata-runtime-1.9.0_rc0-62.1.x86_64.rpm
-rw-r--r-- 1 root root 2488 Oct 23 14:43 kata-shim-1.9.0_rc0-39.1.x86_64.rpm
-rw-r--r-- 1 root root 7662544 Oct 23 14:44 kata-shim-bin-1.9.0_rc0-39.1.x86_64.rpm
-rw-r--r-- 1 root root 29492 Oct 23 15:54 kobo-rpmlib-0.6.0-1.el7.noarch.rpm
-rw-r--r-- 1 root root 230582 Oct 23 15:52 libpixman-0.38.4-alt1.x86_64.rpm
-rw-r--r-- 1 root root 1893288 Oct 23 15:56 librados2-10.2.5-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 2527228 Oct 23 16:02 librbd1-10.2.5-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 2592 Oct 23 16:10 qemu-lite-2.11.0+git.87517afd72-44.1.x86_64.rpm
-rw-r--r-- 1 root root 2721908 Oct 23 14:43 qemu-lite-bin-2.11.0+git.87517afd72-44.1.x86_64.rpm
-rw-r--r-- 1 root root 3125224 Oct 23 14:43 qemu-lite-data-2.11.0+git.87517afd72-44.1.x86_64.rpm
-rw-r--r-- 1 root root 2608 Oct 23 14:43 qemu-vanilla-4.1.0+git.9e06029aea-44.1.x86_64.rpm
-rw-r--r-- 1 root root 2668892 Oct 23 14:43 qemu-vanilla-bin-4.1.0+git.9e06029aea-44.1.x86_64.rpm
-rw-r--r-- 1 root root 13542688 Oct 23 15:35 qemu-vanilla-data-4.1.0+git.9e06029aea-44.1.x86_64.rpm
- 安装顺序如下
[root@node1 kata]# rpm -ivh boost-random-1.53.0-27.el7.x86_64.rpm
[root@node1 kata]# rpm -ivh boost-iostreams-1.53.0-27.el7.x86_64.rpm
[root@node1 kata]# rpm -ivh librados2-10.2.5-4.el7.x86_64.rpm
[root@node1 kata]# rpm -ivh librbd1-10.2.5-4.el7.x86_64.rpm
#qemu
[root@node1 kata]# rpm -ivh qemu-vanilla-data-4.1.0+git.9e06029aea-44.1.x86_64.rpm
[root@node1 kata]# rpm -ivh qemu-vanilla-bin-4.1.0+git.9e06029aea-44.1.x86_64.rpm
[root@node1 kata]# rpm -ivh qemu-vanilla-4.1.0+git.9e06029aea-44.1.x86_64.rpm
[root@node1 kata]# rpm -ivh qemu-lite-data-2.11.0+git.87517afd72-44.1.x86_64.rpm
[root@node1 kata]# rpm -ivh qemu-lite-bin-2.11.0+git.87517afd72-44.1.x86_64.rpm
[root@node1 kata]# rpm -ivh qemu-lite-2.11.0+git.87517afd72-44.1.x86_64.rpm
#kata-shim
[root@node1 kata]# rpm -ivh kata-shim-bin-1.9.0_rc0-39.1.x86_64.rpm
[root@node1 kata]# rpm -ivh kata-shim-1.9.0_rc0-39.1.x86_64.rpm
#kata-proxy
[root@node1 kata]# rpm -ivh kata-proxy-bin-1.9.0_rc0-41.1.x86_64.rpm
[root@node1 kata]# rpm -ivh kata-proxy-1.9.0_rc0-41.1.x86_64.rpm
[root@node1 kata]# rpm -ivh kata-ksm-throttler-1.9.0_rc0-45.1.x86_64.rp
[root@node1 kata]# rpm -ivh kata-containers-image-1.9.0_rc0-40.1.x86_64.rpm
[root@node1 kata]# rpm -ivh kata-linux-container-4.19.75.54-57.1.x86_64.rpm
#kata-runtime
[root@node1 kata]# rpm -ivh kata-runtime-1.9.0_rc0-62.1.x86_64.rpm
- 版本检测
[root@node1 kata]# kata-runtime -v
kata-runtime : 1.9.0-rc0
commit : 2989702669a6a238047624a5607fbc59a4928f50
OCI specs: 1.0.1-dev
4.3 containerd 下载地址
- 包下载
#安装依赖库
[root@node1 soft]# rpm -ivh libseccomp-2.3.1-3.el7.x86_64.rpm
[root@node1 soft]# tar -zxvf containerd-1.3.0.linux-amd64.tar.gz
[root@node1 soft]# mv bin/* /usr/local/bin/
#生成默认配置
[root@node1 soft]# mkdir /etc/containerd/
[root@node1 soft]# containerd config default > /etc/containerd/config.toml
#创建工作目录
[root@node1 /]# mkdir -p /data/cloud/work/kata
#修改/etc/containerd/config.toml中的root = "/var/lib/containerd"
[root@node1 /]# cat /etc/containerd/config.toml
version = 2
root = "/data/cloud/work/kata"
state = "/run/containerd"
plugin_dir = ""
disabled_plugins = []
required_plugins = []
oom_score = 0
[grpc]
address = "/run/containerd/containerd.sock" #和kubelet进行RPC通信
tcp_address = ""
tcp_tls_cert = ""
tcp_tls_key = ""
····
- 编写启动文件containerd.service
[root@node1 system]# cat /usr/lib/systemd/system/containerd.service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target
[Service]
ExecStartPre=/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
[root@node1 system]# systemctl daemon-reload
[root@node1 system]# systemctl start containerd
- kubelet配置调整
ExecStart=/data/cloud/kubernetes/bin/kubelet \
--fail-swap-on=false \
--hostname-override=node1 \
--pod-infra-container-image=k8s.gcr.io/pause:3.1 \
--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin \
--bootstrap-kubeconfig=/data/cloud/pki/bootstrap.conf \
--kubeconfig=/data/cloud/pki/kubelet.conf \
--cert-dir=/data/cloud/pki \
--pod-manifest-path=/data/cloud/kubernetes/manifests \
--cluster-dns=172.20.0.2 \
--cluster-domain=cluster.kube. \
--authorization-mode=Webhook \
--client-ca-file=/data/cloud/pki/ca.pem \
--rotate-certificates=true \
--cgroup-driver=cgroupfs \
--serialize-image-pulls=false \
--v=2 \
--logtostderr=false \
--log-file=kubelet.log \
--root-dir=/data/cloud/work/kubernetes/logs \
--log-dir=/data/cloud/work/kubernetes/logs \
--container-runtime=remote \ 修改为remote,可用类型: 'docker(default)', 'remote', 'rkt (deprecated)'.
--container-runtime-endpoint=unix:///run/containerd/containerd.sock #/etc/containerd/config.toml中的rpc address
- 重启kubelet
[root@node1 system]# systemctl daemon-reload
[root@node1 system]# systemctl restart kubelet
5.通过kubectl查看各个节点信息
其中node1 的 CONTAINER-RUNTIME变成 containerd://1.3.0
[root@node4 data]# kubectl get no -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
node1 Ready <none> 13d v1.15.1 10.239.7.147 <none> CentOS Linux 7 (Core) 3.10.0-693.25.4.el7.x86_64 containerd://1.3.0
node2 Ready <none> 13d v1.15.1 10.239.7.239 <none> CentOS Linux 7 (Core) 3.10.0-693.25.4.el7.x86_64 docker://18.6.3
node3 Ready <none> 13d v1.15.1 10.239.7.252 <none> CentOS Linux 7 (Core) 3.10.0-693.25.4.el7.x86_64 docker://18.6.3
node4 Ready <none> 13d v1.15.1 10.239.7.253 <none> CentOS Linux 7 (Core) 3.10.0-693.25.4.el7.x86_64 docker://18.6.3
6.镜像的加载
kata的本地镜像是由containerd代为管理,containerd中包含一个ctr作为管理镜像的控制端。由于不能连接外网,事先将镜像下载到本地
准备镜像
[root@node1 images]# ll
total 1833112
-rw-r--r-- 1 root root 160556032 Oct 23 17:59 cni.tar
-rw-r--r-- 1 root root 80301056 Oct 23 18:02 cronjob-trigger-controller.tar
-rw-r--r-- 1 root root 89049088 Oct 23 18:03 function-controller.tar
-rw-r--r-- 1 root root 983584768 Oct 23 18:01 go-init.tar
-rw-r--r-- 1 root root 62167040 Oct 23 18:03 go.tar
-rw-r--r-- 1 root root 87129088 Oct 23 18:02 http-trigger-controller.tar
-rw-r--r-- 1 root root 46828544 Oct 23 18:00 kube-controllers.tar
-rw-r--r-- 1 root root 84282368 Oct 23 18:01 kube-proxy.tar
-rw-r--r-- 1 root root 193295360 Oct 23 18:00 node.tar
-rw-r--r-- 1 root root 754176 Oct 23 17:54 pause.tar
-rw-r--r-- 1 root root 9650688 Oct 23 18:00 pod2daemon-flexvol.tar
-rw-r--r-- 1 root root 79481856 Oct 23 18:02 unzip.tar
导入镜像
[root@node1 images]# ctr images import cni.tar
unpacking docker.io/calico/cni:v3.8.2 (sha256:7cee94c553996ee79c10c1d1af0aa1b6e0da8fed00c3f8c44ebec29f324c2065)...done
[root@node1 images]# ctr images import node.tar
unpacking docker.io/calico/node:v3.8.2 (sha256:26f8a8aba77995ed703c76751a78c0aba90c00dcaeebf25c65ee37284ec5c434)...done
[root@node1 images]# ctr images import kube-controllers.tar
unpacking docker.io/calico/kube-controllers:v3.8.2 (sha256:853dd91db251cc8ed010b5c4daf886c804d5d3604203896472aa2dcc5e6dec82)...done
[root@node1 images]# ctr images import node.tar
unpacking docker.io/calico/node:v3.8.2 (sha256:9a3e907e7a7ca9d142f2dd4cb34bfbb99edae01026d8a555a7cfe9a7b311d775)...done
[root@node1 images]# ctr images import pod2daemon-flexvol.tar
unpacking docker.io/calico/pod2daemon-flexvol:v3.8.2 (sha256:49100ba527b49e19e1658bb2525f8b1e30021de2c7e423fbf2d158a9e5cca86e)...done
#查看镜像
[root@node1 images]# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/calico/cni:v3.8.2 application/vnd.oci.image.manifest.v1+json sha256:7cee94c553996ee79c10c1d1af0aa1b6e0da8fed00c3f8c44ebec29f324c2065 153.1 MiB linux/amd64 -
docker.io/calico/kube-controllers:v3.8.2 application/vnd.oci.image.manifest.v1+json sha256:853dd91db251cc8ed010b5c4daf886c804d5d3604203896472aa2dcc5e6dec82 44.6 MiB linux/amd64 -
docker.io/calico/node:v3.8.2 application/vnd.oci.image.manifest.v1+json sha256:9a3e907e7a7ca9d142f2dd4cb34bfbb99edae01026d8a555a7cfe9a7b311d775 184.3 MiB linux/amd64 -
docker.io/calico/pod2daemon-flexvol:v3.8.2 application/vnd.oci.image.manifest.v1+json sha256:49100ba527b49e19e1658bb2525f8b1e30021de2c7e423fbf2d158a9e5cca86e 9.2 MiB linux/amd64 -
k8s.gcr.io/pause:3.1 application/vnd.oci.image.manifest.v1+json sha256:0968e31df05b727234888883ba43ccaa4ec75566113c75065af5a6124b62d93c 729.0 KiB linux/amd64 -
查看pod状态
[root@node4 yaml]# kubectl -n kube-system get pod
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-7bdc789876-5sg7q 1/1 Running 0 80m
calico-node-4dgvb 1/1 Running 0 80m
calico-node-7whd5 1/1 Running 0 80m
calico-node-j8w9q 1/1 Running 0 80m
calico-node-vg5lk 1/1 Running 0 80m
其他
- 检查是否支持虚拟化环境
[root@node1 kata]# kata-runtime kata-env |grep VMContainerCapable
VMContainerCapable = true
