The relationship between docker and k8s

January 6, 2022

Reprint please indicate the source: GrapeCity official website. GrapeCity provides professional development tools, solutions and services for developers, enabling developers.

Last time we talked about the history of PaaS, from Cloud Foundry's dismal exit to Docker's coronation. It was a "small" improvement by Docker that set off a butterfly effect and stirred up the whole open-source PaaS project market.

To better understand containers, the core technology of the PaaS world, this article starts from a process: what a container is, and how Cloud Foundry and the other PaaS "predecessors" implemented containers.

Process vs. container

Take the Linux operating system as an example. A running process is what a program becomes after it is executed: the binary loaded from disk into memory, the registers, the stack and the state of the devices the instructions use, all taken together as a dynamic representation of data and state. The goal of container technology is to isolate and limit the state and data of a process. In other words, the essence of a container is a special Linux process. This special process is realized mainly through two mechanisms the Linux kernel provides. Let's review them.

Namespace

Linux namespaces are a Linux kernel feature that partitions kernel resources so that one set of processes sees one set of resources while another set of processes sees a different set. It works by giving a set of resources and processes the same namespace, while the same names in different namespaces refer to different resources. A resource can exist in multiple namespaces. Examples of such resources are process IDs, host names, user IDs, file names and some names related to network access and inter-process communication. The namespace types are listed below:

  1. Mount namespaces
  2. UTS namespaces
  3. IPC namespaces
  4. PID namespaces
  5. Network namespaces
  6. User namespaces

Super process

In the Linux operating system, the process with PID == 1 is called the super process (init). It is the root of the whole process tree and is responsible for spawning all other user processes. Every process hangs under it, and if it exits, all of the other processes are killed.

Isolation & limit

We just mentioned isolation and limitation. What exactly do they mean?

Isolation

Take Docker as an example (the same applies to Cloud Foundry, which is just not installed on my machine). We can run the following to create a simple container:
$ docker run -it busybox /bin/sh

This command tells Docker to run a container from the image named busybox and to execute /bin/sh once it is running. The -it flags request standard input (stdin) and allocate a terminal (tty) so the shell can interact with the outside. With this command we are inside a container. Running the top command inside the container and on the host respectively gives the following results:

(Figure: the output of top executed inside and outside the container)

You can see that only two processes are running in the container: one is the /bin/sh super process with PID == 1, the other is the top we just ran. All the other processes on the host are invisible inside the container. This is isolation.

(Figure: an isolated top process; picture from the Internet)

Originally, whenever we run a /bin/sh program, the operating system assigns it a process number, say PID 100. Now we run this /bin/sh inside a container through Docker. Docker puts a "smoke screen" around PID 100 so that it never sees the 99 processes before it, and the program running in the container therefore regards itself as the PID == 1 super process.

This mechanism is in fact a manipulation of the isolated program's process space: although the container shows PID 1, on the host it is still the same PID 100 process. The technology used is the Linux namespace mechanism, which is nothing more than an optional parameter when Linux creates a process. In Linux, the function that creates a thread is (there is no mistake here, it really is threads: Linux implements threads as processes, so the same call describes process creation):

int pid = clone(main_function, stack_size, SIGCHLD, NULL);

If we add a flag to this call, for example CLONE_NEWPID:

int pid = clone(main_function, stack_size, CLONE_NEWPID | SIGCHLD, NULL);

then the new process will see a new process space, and since it is the only process in that space, its own PID equals 1.

Such a process realizes the most basic isolation of Linux containers.
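The clone() call from the text as a runnable program, added here as an example that is not part of the original post. CLONE_NEWUSER is an addition to the flags shown above so that the program can run without root where the kernel allows unprivileged user namespaces; if the kernel refuses (for example under a restrictive seccomp profile) the function returns -1 instead of 1.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

/* Entry point of the cloned child: report the PID it sees in its own namespace. */
static int child_main(void *arg) {
    (void)arg;
    /* With CLONE_NEWPID this is 1: the child is the "super process" of the new space. */
    return (int)getpid();
}

/* Clone a child into a new PID namespace (plus a user namespace so it can work
 * unprivileged where the kernel allows it). Stores the child's PID as seen by the
 * host in *host_pid (if non-NULL) and returns the PID the child saw inside the
 * namespace, or -1 if the kernel refused (EPERM/EINVAL) or the child did not exit. */
int pid_seen_in_new_namespace(pid_t *host_pid) {
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -1;
    /* clone() wants the top of the child stack; the text's "stack_size" is shorthand. */
    pid_t pid = clone(child_main, stack + STACK_SIZE,
                      CLONE_NEWPID | CLONE_NEWUSER | SIGCHLD, NULL);
    int seen = -1, status = 0;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        seen = WEXITSTATUS(status);
        if (host_pid) *host_pid = pid;
    }
    free(stack);
    return seen;
}

int main(void) {
    pid_t on_host = 0;
    int seen = pid_seen_in_new_namespace(&on_host);
    if (seen < 0) {
        perror("clone(CLONE_NEWPID | CLONE_NEWUSER)");
        return 1;
    }
    /* Same process, two numbers: e.g. PID 100 on the host, PID 1 inside the namespace. */
    printf("host sees the child as PID %d; the child sees itself as PID %d\n",
           (int)on_host, seen);
    return 0;
}
```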

Limit

A container that only has namespace isolation is like a programmer without a computer: incomplete.

If we only isolate without limiting, the program in the cage can still consume system resources and its access is still unrestricted. To add resource constraints to the isolated program, a second technology is used: cgroups.

cgroups was originally developed by Google engineers in 2006. Its full name is Linux Control Groups, and it is the Linux facility for setting upper limits on the resources a group of processes may use, including CPU, memory, disk, network bandwidth and more.

Cgroups exposes its API to users as a file system; users operate the cgroups functions by modifying the values in its files.

(Figure: a process limited by a cgroup; picture from the Internet)

On a Linux system (Ubuntu) you can run the following command to see the cgroups API files:

mount -t cgroup

(Figure: the cgroup file system)

As the picture shows, the system has many cgroups configuration files, covering cpu, memory, IO and other subsystems.

We use CPU as an example to illustrate what cgroups does. Two parameters must be introduced for limiting CPU: cfs_period and cfs_quota. When limiting the CPU of programs running in Docker on a public cloud, these two parameters are the ones usually manipulated. They are used together: within a time window of length cfs_period, the process group may only be allotted cfs_quota worth of CPU time in total. In other words, cfs_quota / cfs_period == the CPU usage upper limit.

If you want to limit a process's CPU usage, go to the /sys/fs/cgroup/cpu directory and run the following command to create a folder named container:

/sys/fs/cgroup/cpu/ > mkdir container

At this point we can see that the system has automatically created a series of CPU-restriction parameter files under container. They are generated by Linux automatically and show that we have successfully created a CPU control group named container:

(Figure: the default list of CPU resource files)

To show the actual effect of a CPU limit, let's run an endless loop created by the following script:

while : ; do : ; done &

In the output of top we see that the new process is 398, and because of the endless loop its CPU usage is 100%:

(Figure: the endless-loop process takes up 100% CPU)

Now let's look at cpu.cfs_quota_us and cpu.cfs_period_us in the container directory:

(Figure: the CPU limiting parameters by default)

This is what it looks like with no limit: cfs_quota_us is -1, which means there is no upper limit on CPU use. Now let's change this value:

echo 20000 > /sys/fs/cgroup/cpu/container/cpu.cfs_quota_us

Then write the earlier process 398 into this control group's tasks file:

echo 398 > /sys/fs/cgroup/cpu/container/tasks

Run top once more: the CPU usage of the endless loop has become 20% (the default cpu.cfs_period_us is 100000, so a quota of 20000 allows one fifth of a CPU). The limit on CPU resource usage is in effect.

(Figure: the endless-loop process with its CPU usage limited by a cgroup)

This is the principle by which cgroups limits a container. In the same way, we can limit a process's memory, bandwidth and so on, and if that process is a container process, a resource-controlled container is essentially in front of you. In fact, in the early days of the cloud era this is how Cloud Foundry and the other "predecessors" created and managed containers. Compared with the latecomers, the isolation and limitation of Cloud Foundry's containers was relatively simple and easy to understand, but in some scenarios its constraints were hard to avoid.

A special note: only containers running on Linux are simulated in this way, by restricting a process. Containers on Windows and Mac are "real" containers running inside a virtual machine managed by Docker Desktop and similar tools.

Summary

This section started from the principle of containers and the Linux technologies for container isolation and limitation, and explained the container principle of Cloud Foundry and the other PaaS platforms of the early cloud era. The next section will continue with the changes Docker made to the Cloud Foundry container base and how it solved Cloud Foundry's fatal shortcoming.

If you want to know how Docker stirred up the storm, and what the difference is between a Docker container and a traditional virtual machine, please look forward to the next part, where we continue the story.
