k8s: Ephemeral Containers
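ephemeralContainers <[]Object> (defines ephemeral containers)
What is an ephemeral container
Ephemeral containers differ from other containers in that they lack guarantees for resources or execution and are never restarted automatically, so they are not suitable for building applications. Ephemeral containers are described with the same ContainerSpec as regular containers, but many fields are incompatible and not allowed.
- Ephemeral containers have no port configuration, so fields such as ports, livenessProbe and readinessProbe are not allowed.
- Pod resource allocations are immutable, so the resources setting is not allowed.
- Ephemeral containers are created through a special ephemeralcontainers handler in the API rather than being added directly to pod.spec, so kubectl edit cannot be used to add one.
Uses of ephemeral containers:
- When kubectl exec is of no use because a container has crashed or the container image does not include debugging utilities, ephemeral containers are useful for interactive troubleshooting.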
Enabling the feature gate for ephemeral containers [kubelet errors can be ignored]
Changes on the master node
The feature gate that supports ephemeral containers has to be enabled: modify kube-apiserver.yaml, kube-scheduler.yaml and the kubelet configuration.
```
[root@master01 ~]# vim /etc/kubernetes/manifests/kube-apiserver.yaml
# add:
    - --feature-gates=EphemeralContainers=true
[root@master01 ~]# vim /etc/kubernetes/manifests/kube-scheduler.yaml
# add:
    - --feature-gates=EphemeralContainers=true
[root@master01 ~]# vim /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--feature-gates=EphemeralContainers=true"
```
Changes on the worker nodes
```
[root@node01 ~]# vi /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--feature-gates=EphemeralContainers=true"
```
After the change, restart the kubelet on the k8s control-plane node and on the worker nodes:
```
[root@master01 ~]# systemctl restart kubelet
[root@node01 ~]# systemctl restart kubelet
```
Check the pods in the kube-system namespace; if they are all Running, the change was applied correctly:
```
[root@master1 test]# kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-6949477b58-thdxp   1/1     Running   0          22d
calico-node-t9bxc                          1/1     Running   0          46d
calico-node-xr4jj                          1/1     Running   0          46d
coredns-7f89b7bc75-lb9vn                   1/1     Running   0          22d
coredns-7f89b7bc75-w4m6r                   1/1     Running   0          22d
etcd-xianchaomaster1                       1/1     Running   0          46d
fluentd-elasticsearch-9jbn2                1/1     Running   0          22d
fluentd-elasticsearch-n7cc8                1/1     Running   0          22d
kube-apiserver-xianchaomaster1             1/1     Running   0          64m
kube-controller-manager-xianchaomaster1    1/1     Running   0          46d
kube-proxy-8nfx7                           1/1     Running   0          46d
kube-proxy-zwjjx                           1/1     Running   0          46d
kube-scheduler-xianchaomaster1             1/1     Running   0          29m
```
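Using ephemeral containers through kubectl debug [comparatively, this is the better method]
Drawbacks:
- Every run of debug creates another ephemeral container; the ephemeral containers that were created do not go away and are kept indefinitely.
- After you exit, the ephemeral container cannot be entered again; the only option is to create a new one, and the cycle repeats.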
Create a pod that runs tomcat:
```
[root@master01 test]# vim tomcat.yaml
```
```yaml
apiVersion: v1                      # Pod belongs to the k8s core group v1
kind: Pod                           # the resource being created is a Pod
metadata:                           # metadata
  name: demo-pod                    # name of the pod
  namespace: default                # namespace the pod belongs to
  labels:
    app: myapp                      # label on the pod
    env: dev                        # label on the pod
spec:
  containers:                       # defines the containers; a list of objects, so several name entries may follow
  - name: tomcat-pod-java           # name of the container
    ports:
    - containerPort: 8080
    image: tomcat:8.5-jre8-alpine   # image the container uses
    imagePullPolicy: IfNotPresent
```
```
[root@master01 test]# kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
demo-pod   1/1     Running   0          2m8s
```
Create the ephemeral container:
```
# demo-pod is the pod name; --target is the name of the container inside that pod
[root@master01 ~]# kubectl debug -it demo-pod --image=busybox:1.28 --target=tomcat-pod-java
# inside the ephemeral container, look at the main container's processes
/ # ps -ef | grep tomcat
    1 root      0:02 /usr/lib/jvm/java-1.8-openjdk/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
   60 root      0:00 grep tomcat
```
Check whether the pod now has an ephemeral container:
```
[root@master01 test]# kubectl describe pod demo-pod
Containers:
// an ephemeral container now appears under the following field
Ephemeral Containers:
  debugger-hdmqt:
    Container ID:   docker://af5f78082a9d0e03b13460eaef7080f8654a6c2bb2d1d99b77ec25a06bb8f29d
    Image:          busybox:1.28
    Image ID:       docker://sha256:8c811b4aec35f259572d0f79207bc0678df4c736eeec50bc9fec37ed936a472a
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Thu, 12 Aug 2021 10:01:18 +0800
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:         <none>
```
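Every kubectl debug run leaves another ephemeral container in the pod, and with --target it can see the target container's processes, as the ps output above shows. The following is an added example, not part of the original post, that lists every ephemeral container in a `kubectl get pods -A -o json` document with its target and state; the sample JSON is constructed and the function name is hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`, trimmed to
# the fields the audit reads. Names follow the demo-pod example on this page.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "demo-pod"},
   "spec": {"ephemeralContainers": [
     {"name": "debugger-hdmqt", "image": "busybox:1.28",
      "targetContainerName": "tomcat-pod-java"},
     {"name": "debugger", "image": "busybox:1.28",
      "targetContainerName": "tomcat-pod-java"}]},
   "status": {"ephemeralContainerStatuses": [
     {"name": "debugger-hdmqt", "state": {"running": {"startedAt": "2021-08-12T02:01:18Z"}}},
     {"name": "debugger", "state": {"terminated": {"exitCode": 0}}}]}},
  {"metadata": {"namespace": "kube-system", "name": "coredns-7f89b7bc75-lb9vn"},
   "spec": {"containers": [{"name": "coredns"}]}, "status": {}}
]}
""")


def ephemeral_container_report(pod_list):
    """List every ephemeral container in a pod list with its target and state."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        statuses = {s["name"]: s.get("state", {})
                    for s in pod.get("status", {}).get("ephemeralContainerStatuses", [])}
        for ec in pod.get("spec", {}).get("ephemeralContainers", []):
            # `state` holds a single key: running, terminated or waiting.
            state = next(iter(statuses.get(ec["name"], {})), "unknown")
            findings.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "container": ec["name"],
                "image": ec.get("image"),
                "target": ec.get("targetContainerName"),
                "state": state,
            })
    return findings


if __name__ == "__main__":
    for row in ephemeral_container_report(SAMPLE):
        print("{namespace}/{pod}\t{container}\t{image}\t-> {target}\t{state}".format(**row))
```

On a live cluster, feed it the parsed output of `kubectl get pods -A -o json` instead of SAMPLE.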
Updating ephemeral containers with kubectl --raw
Create the JSON file. metadata.name is the name of the pod, ephemeralContainers[].name is the name of the ephemeral container, and targetContainerName is the name of the target container:
```
[root@master01 test]# vim a.json
```
```json
{
  "apiVersion": "v1",
  "kind": "EphemeralContainers",
  "metadata": {
    "name": "demo-pod"
  },
  "ephemeralContainers": [{
    "command": [
      "sh"
    ],
    "image": "busybox:1.28",
    "imagePullPolicy": "IfNotPresent",
    "name": "debugger",
    "stdin": true,
    "tty": true,
    "targetContainerName": "tomcat-pod-java",
    "terminationMessagePolicy": "File"
  }]
}
```
```
# demo-pod in the path is the pod name
[root@master01 test]# kubectl replace --raw /api/v1/namespaces/default/pods/demo-pod/ephemeralcontainers -f a.json
```
The output looks like this:
{"kind":"EphemeralContainers","apiVersion":"v1","metadata":{"name":"demo-pod","namespace":"default","uid":"519be5a4-c2a4-4baa-a002-6e4cbb3ce4d5","resourceVersion":"284506","creationTimestamp":"2021-08-12T02:23:28Z"},"ephemeralContainers":[{"name":"debugger","image":"busybox","command":["sh"],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent","stdin":true,"tty":true,"targetContainerName":"tomcat-pod-java"}]}
At this point you can attach directly to the ephemeral container:
```
[root@master01 test]# kubectl attach -it -c debugger demo-pod
If you don't see a command prompt, try pressing enter.
/ #
```
View the main container's processes from the ephemeral container:
```
/ # ps -ef |grep tomcat
    1 root      0:02 /usr/lib/jvm/java-1.8-openjdk/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
   61 root      0:00 grep tomcat
```
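Summary:
Ephemeral containers are particularly well suited to carrying debugging tools that have been stripped out of the main container, to be injected temporarily into the target pod when they are needed. One awkward problem is that once an ephemeral container has been added to a pod it currently cannot be removed, and if the ephemeral container has already exited it cannot be attached to again and will not be started again (ephemeral containers do not support probes and the like). Related issue: https://github.com/kubernetes/kubernetes/issues/84764
At present the biggest pitfall of ephemeral containers is that they cannot be deleted. If you attach to an ephemeral container and then exit the container's main process (as in the earlier example), that container can no longer be attached to and cannot be restarted. To repeat the steps above and debug again, you have to create a new ephemeral container and also keep the old configuration, otherwise k8s rejects the new configuration: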
```
[root@master1]# cat a.json
```
```json
{
  "apiVersion": "v1",
  "kind": "EphemeralContainers",
  "metadata": {
    "name": "demo-pod"
  },
  "ephemeralContainers": [
    {
      "command": [
        "sh"
      ],
      "image": "busybox:1.28",
      "imagePullPolicy": "IfNotPresent",
      "name": "debugger",
      "stdin": true,
      "tty": true,
      "targetContainerName": "tomcat-pod-java",
      "terminationMessagePolicy": "File"
    },
    {
      "command": [
        "sh"
      ],
      "image": "busybox:1.28",
      "imagePullPolicy": "IfNotPresent",
      "name": "debugger1",
      "stdin": true,
      "tty": true,
      "targetContainerName": "tomcat-pod-java",
      "terminationMessagePolicy": "File"
    }
  ]
}
```
Create the new ephemeral container:
```
[root@master01 test]# kubectl replace --raw /api/v1/namespaces/default/pods/demo-pod/ephemeralcontainers -f a.json
```
{"kind":"EphemeralContainers","apiVersion":"v1","metadata":{"name":"demo-pod","namespace":"default","uid":"177db040-9deb-4cf3-9542-144d119e217d","resourceVersion":"287896","creationTimestamp":"2021-08-12T02:49:53Z"},"ephemeralContainers":[{"name":"debugger","image":"busybox:1.28","command":["sh"],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent","stdin":true,"tty":true,"targetContainerName":"tomcat-pod-java"},{"name":"debugger1","image":"busybox:1.28","command":["sh"],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent","stdin":true,"tty":true,"targetContainerName":"tomcat-pod-java"}]}
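Because the old entries must be carried along on every replace, the next a.json can be generated from the current object instead of edited by hand. The following is an added example, not part of the original post; the function name is hypothetical, the sample object is constructed, and it assumes the v1 EphemeralContainers format used on this page.

```python
import copy
import json

# Constructed sample, shaped like the API response shown above after the first
# replace (uid, resourceVersion and timestamps omitted).
CURRENT = {
    "apiVersion": "v1",
    "kind": "EphemeralContainers",
    "metadata": {"name": "demo-pod", "namespace": "default"},
    "ephemeralContainers": [{
        "name": "debugger", "image": "busybox:1.28", "command": ["sh"],
        "resources": {}, "terminationMessagePath": "/dev/termination-log",
        "terminationMessagePolicy": "File", "imagePullPolicy": "IfNotPresent",
        "stdin": True, "tty": True, "targetContainerName": "tomcat-pod-java",
    }],
}


def next_debugger_payload(current, image, target, prefix="debugger"):
    """Return a copy of `current` with one extra ephemeral container appended.

    Existing entries are carried over unchanged, since the page notes that
    k8s rejects a configuration that does not keep them. The new name is the
    first unused one in the sequence debugger, debugger1, debugger2, ...
    """
    payload = copy.deepcopy(current)
    entries = payload.setdefault("ephemeralContainers", [])
    used = {entry["name"] for entry in entries}
    name, suffix = prefix, 0
    while name in used:
        suffix += 1
        name = f"{prefix}{suffix}"
    entries.append({
        "name": name,
        "image": image,
        "command": ["sh"],
        "imagePullPolicy": "IfNotPresent",
        "stdin": True,
        "tty": True,
        "targetContainerName": target,
        "terminationMessagePolicy": "File",
    })
    return payload


if __name__ == "__main__":
    # Save the output as a.json and pass it to `kubectl replace --raw ... -f a.json`.
    print(json.dumps(next_debugger_payload(CURRENT, "busybox:1.28", "tomcat-pod-java"), indent=2))
```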