Kubernetes: manage Linux containers as a unified system
Page 1
Kubernetes: manage Linux containers as a unified system
Page 2
Agenda
● Basic differences between Docker on its own (Docker Compose) and Kubernetes.
● How to handle networking in containers, with a comparison of Flannel, Calico, Contrail and Weave.
● Ways of using storage in containers, including integration with Ceph.
● Discussion on deploying Kubernetes in your company (use case).
● Live demonstration of a simple application cluster.
● Examples of use within a CI/CD system (rolling updates, testing, validation, automation).
Page 3
Basics Recap
Containers
Page 4
What is a container
Control groups (cgroups) virtualize by sharing and limiting access to:
• CPU
• Memory
• Disk IO
• Network IO
Namespaces virtualize by isolating the:
• User IDs
• Process IDs & tree
• Filesystem mounts
• Network interfaces
Security:
• SELinux policy and enforcement control over all resources
• AppArmor to restrict a program's abilities
• Linux capabilities etc.
Each Linux container...
• Processes isolated from the host and (optionally) other containers
• Share the same underlying kernel
• Virtual network interfaces / addresses (maybe host NAT'd)
• Files and optional (shared) mounts from the host filesystem
[Figure: several containers (App 1, App 1, App 2, App 2, App 2; each with its own program, libraries and config files) running on one shared Kernel]
Page 5
How it is different from VMs
Containers have similar resource isolation and allocation benefits as virtual machines, but a different architectural approach allows them to be much more portable and efficient (more specifics on Docker).
[Figure: VMs vs containers. Left: App 1 and App 2 (program, libraries, config files) on a Guest OS, on a Hypervisor, on the Host OS. Right: App 1 and App 2 (program, libraries, config files) on a Container Engine, on the Host OS.]
Very obvious: no Guest OS in a container
Not so obvious: containers share the Host OS kernel; the engine doesn't really sit beneath the containers
Not so obvious: a container's apps and files can have a whole OS filesystem like Ubuntu
Page 6
What is Docker
Docker Components
• Docker Engine: the engine that runs on the host OS to manage container images and instances
• Docker Registry: Docker Hub is the free public registry-as-a-service; others: quay.io, Google Container Registry, private ones
• Docker Tools: CLI, GUI, container compose, container swarm clustering
Where Docker Works...
Any Linux distro: Ubuntu, Debian, Red Hat, Fedora, CentOS, SUSE, etc.
And with some caveats:
• Boot2docker VM or Docker Machine on Windows or OS X
• Windows Server 2016!
[Figure: App 1 and App 2 containers (program, libraries, config files)]
Page 7
Understanding Docker Containers
Container Management Made Easy
Docker Images
• Can be saved from a running container (docker commit)
• Can be built from a Dockerfile manifest (docker build)
• Are downloaded into the local cache (docker pull)
• Are uploaded to your own repository in the registry (docker push)
Optimized Container Format
Layered format, Dockerfile
• Base image contains an operating system (e.g. Debian or Ubuntu)
• Additional layers add applications and configuration files
• Docker tracks and creates just the difference in running/stored images
• Uses a copy-on-write and union file system to optimize footprint
• Fast deployment and restart
• Minimum overhead
• Easy to migrate to any Linux
[Figure: image layers, each layer referencing its parent image]
Page 8
Docker Container Lifecycle
Docker Basics
● Instantiate an image as a running container (docker run)
● Attach to a running container (docker attach)
● Pause a container (docker stop) or restart (docker restart)
● Destroy a container instance (docker rm)
● Best Practice: run a single process in a single container
● Containers can talk through normal networking or assisted by linking
How It Works
Docker Engine
● Uses its own libcontainer to control the kernel (no longer uses LXC)
  ○ runc is its plumbing that was standardized in the Open Container Format by the OCI
● Usually looks like a whole system to the process inside of the container
How to scale:
Follow the Unix adage: several decoupled simple components are better than a single complicated one
Page 9
Using Docker: Summary
Page 10
Kubernetes Intro
Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications.
What does Kubernetes try to solve?
• Highly available container cluster
• Networking for containers
• Storage for containers
• Scheduling
• Application lifecycle
Page 11
Kubernetes tools
Master Components
kube-apiserver
etcd
kube-controller-manager
These controllers include:
● Node Controller: responsible for noticing & responding when nodes go down.
● Replication Controller: responsible for maintaining the correct number of pods for every replication controller object in the system.
● Endpoints Controller: populates the Endpoints object (i.e., joins Services & Pods).
● Service Account & Token Controllers: create default accounts and API access tokens for new namespaces.
● ... and others.
Node components
kubelet
kubelet is the primary node agent. It:
● Watches for pods that have been assigned to its node (either by the apiserver or via a local configuration file) and:
  ○ Mounts the pod's required volumes
  ○ Downloads the pod's secrets
  ○ Runs the pod's containers via docker (or, experimentally, rkt)
  ○ Periodically executes any requested container liveness probes
  ○ Reports the status of the pod back to the rest of the system, by creating a "mirror pod" if necessary
● Reports the status of the node back to the rest of the system.
kube-proxy
Page 12
Kubernetes tools
Master Components
kube-scheduler
addons
Addons are pods and services that implement cluster features. They don't run on the master VM, but currently the default setup scripts that make the API calls to create these pods and services do run on the master VM.
• DNS
• User interface
• Container Resource Monitoring
• Cluster-level Logging
Node components
• docker
• rkt
• supervisord
• fluentd
Page 13
Kubernetes Intro
What actually is Kubernetes?!
Page 14
Kubernetes Workload
Page 15
Networking
Ports vs SDN
Page 16
How does Docker network?
Container network config
● Map one or more host address:port pairs to the container's assigned IP:port
● Easily learn services of other containers with Docker linking
Libnetwork
● Like libcontainer, a separate library and API used by Docker Engine
● Manages the networking objects: network, endpoint, and sandbox/container
● This was separated out after Docker's SocketPlane acquisition
● Delegates implementation to a driver
Bridge (docker0) Driver
● docker0 is a Linux bridge shared by the host interfaces and containers
● Each container gets a veth-pair "tunnel" with one end called eth0 inside the container and the other end bound to the docker0 bridge
● Uses iptables for NAT
Page 17
Kubernetes Networking Model
● All containers can communicate with all other containers without NAT
● All nodes can communicate with all containers (and vice versa) without NAT
● The IP that a container sees itself as is the same IP that others see it as
OR plugins/backends
● Flannel
● Calico
● Weave
● OpenContrail
Page 18
Flannel
Page 19
Calico
● Scale to millions of workloads with minimal CPU and network overhead
● What is happening is "obvious": traceroute, ping, etc. work as expected; routing and ACL rules tell you everything you need to know
● Path from workload to non-virtualized device is just a route
● Physical fabric is state-light (standard IP forwarding only)
● External connectivity is achieved by assigning a public IP
● Equal Cost Multi-Path (ECMP) and Anycast just work, enabling scalable resilience and full utilization of physical links
● Traffic between data centers is natively L3 routed
● Basic IP networking knowledge only required
Page 20
Weave
● Weave creates a virtual network that connects Docker containers deployed across multiple hosts and enables their automatic discovery.
● Applications use the network just as if the containers were all plugged into the same network switch, with no need to configure port mappings, links, etc.
● Weave can traverse firewalls and operate in partially connected networks.
● Weave routers establish TCP connections to each other, over which they perform a protocol handshake and subsequently exchange topology information.
● Weave creates a network bridge on the host. Each container is connected to that bridge via a veth pair, the container side of which is given an IP address & netmask supplied either by the user or by Weave's IP address allocator.
Page 21
OpenContrail
Full-featured SDN implementation
● Run controller as usual on a few servers or VMs
● On nodes running Docker Engine:
  ○ Contrail vRouter replaces the docker0 bridge
  ○ Every container still has a veth-pair but one end is bound to a VRF in the vRouter
  ○ Containers get Contrail IPAM & DHCP
  ○ Containers are reachable from the outside using floating IPs
  ○ Containers are securely isolated using microsegmentation policies
OpenStack nova-docker driver
● Container orchestration by OpenStack like VMs
● Easily networked by Contrail Networking like VMs
Page 22
Networking Comparison

| | Flannel | Calico | OpenContrail |
|---|---|---|---|
| Overlay | VxLAN | No | MPLSoverGRE, VxLAN |
| Multi-tenancy | No | Yes | Yes |
| OpenStack Federation | No | No | Yes |
| Network Policy | No | Beta release | Yes - native |
| BGP / L3VPN / EVPN | No | No | Yes |
Page 23
Storage
Local vs Shared
Page 24
Backend Types
● emptyDir
● hostPath
● gcePersistentDisk
● awsElasticBlockStore
● nfs
● iscsi
● flocker
● glusterfs
● rbd
● gitRepo
● secret
● persistentVolumeClaim
● downwardAPI
● azureFileVolume
● CinderVolume
Page 25
Ceph Backend
An rbd volume allows a Rados Block Device volume to be mounted into your pod. Unlike emptyDir, which is erased when a Pod is removed, the contents of an rbd volume are preserved and the volume is merely unmounted. This means that an RBD volume can be pre-populated with data, and that data can be "handed off" between pods.
A feature of RBD is that it can be mounted as read-only by multiple consumers simultaneously. This means that you can pre-populate a volume with your dataset and then serve it in parallel from as many pods as you need. Unfortunately, RBD volumes can only be mounted by a single consumer in read-write mode; no simultaneous writers are allowed.
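As an added example (not from the deck), a Pod that mounts a pre-populated RBD image read-only in the way the text describes, with the Ceph client key kept in a Secret rather than a keyring file on the node. The monitor address, pool, image name, Ceph user and Secret name are assumed values.

```yaml
# Added example, not from the deck. Assumed: Ceph monitor 10.0.0.11:6789,
# pool "kube", RBD image "dataset" (already formatted ext4 and filled with
# data), Ceph client "kube" whose key is stored in the Secret "ceph-secret".
apiVersion: v1
kind: Secret
metadata:
  name: ceph-secret
type: kubernetes.io/rbd
data:
  key: PLACEHOLDER_BASE64_CEPH_CLIENT_KEY   # base64 of the client.kube key; never commit a real key
---
apiVersion: v1
kind: Pod
metadata:
  name: dataset-reader-1     # any number of pods with this spec may mount the same image read-only
spec:
  containers:
  - name: reader
    image: busybox
    command: ["sh", "-c", "ls -l /data && sleep 3600"]
    volumeMounts:
    - name: dataset
      mountPath: /data
      readOnly: true         # read-only at the mount level as well
  volumes:
  - name: dataset
    rbd:
      monitors:
      - 10.0.0.11:6789       # assumed Ceph monitor address
      pool: kube
      image: dataset
      user: kube             # Ceph client whose key is in ceph-secret
      secretRef:
        name: ceph-secret
      fsType: ext4
      readOnly: true         # read-only map: many pods may share it; a read-write map allows exactly one
```

To hand the data off to a writer, remove every read-only consumer first and start a single pod with both `readOnly` fields set to false; the scheduler does not enforce the single-writer rule for you.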
Page 26
Cinder Backend
Page 27
Use Case
Smart City IoT
Page 28
Available at https://pisek.urbandata.cz/en/data-samples/
Graphite metrics at http://graphite-server.iot.tcpcloud.eu/
Page 29
Live Show
How simple is that?
Page 30
Hybrid Environment
Page 31
Live Demo