“K8S Ecology Weekly” collects the week's noteworthy news from the Kubernetes ecosystem that I have come across. You are welcome to subscribe to the Zhihu column “K8S Ecology”.

Docker v20.10.6 release

It has been more than a month since the last release, and Docker Desktop has also shipped a new version, v20.10.6. Besides M1 support, this release brings a lot of interesting changes; let's take a look.

CLI and builder

Before Docker v1.7, the Docker CLI stored the credentials from docker login in a local ~/.dockercfg file. Since v1.7, Docker has used a new configuration file, ~/.docker/config.json, and has kept supporting both files for compatibility.

Starting with this version, a warning is printed if ~/.dockercfg is still in use, reminding the user that support for this file will be removed in a later version and that the new configuration file path and format should be used.
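As an added example (not part of the original post and not Docker's own code), here is a small Go program that migrates a legacy ~/.dockercfg into the ~/.docker/config.json layout and verifies the result. It assumes the documented shape of both files: the legacy file is a JSON map from registry URL to an {auth, email} entry, and config.json nests the same map under an "auths" key. The function names ConvertLegacyDockercfg, AuthFor and MigrateDockercfg are mine, and the registry URL, auth value and e-mail in the sample are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// registryAuth is one per-registry entry. The legacy ~/.dockercfg is a
// top-level map from registry URL to this entry; ~/.docker/config.json
// keeps the same entries under an "auths" key (assumed layout).
type registryAuth struct {
	Auth  string `json:"auth"`
	Email string `json:"email,omitempty"`
}

type dockerConfig struct {
	Auths map[string]registryAuth `json:"auths"`
}

// ConvertLegacyDockercfg rewrites legacy .dockercfg bytes into the
// config.json layout. Input that already has an "auths" key is refused so
// a file is never wrapped twice.
func ConvertLegacyDockercfg(legacy []byte) ([]byte, error) {
	var entries map[string]json.RawMessage
	if err := json.Unmarshal(legacy, &entries); err != nil {
		return nil, fmt.Errorf("parse legacy config: %w", err)
	}
	if _, already := entries["auths"]; already {
		return nil, errors.New("input already uses the config.json layout")
	}
	out := dockerConfig{Auths: make(map[string]registryAuth, len(entries))}
	for registry, raw := range entries {
		var e registryAuth
		if err := json.Unmarshal(raw, &e); err != nil {
			return nil, fmt.Errorf("registry %q: %w", registry, err)
		}
		if e.Auth == "" {
			return nil, fmt.Errorf("registry %q: missing auth field", registry)
		}
		out.Auths[registry] = e
	}
	return json.MarshalIndent(out, "", "\t")
}

// AuthFor returns the stored auth value for a registry from config.json
// bytes, so a converted file can be checked without printing secrets.
func AuthFor(config []byte, registry string) (string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(config, &cfg); err != nil {
		return "", err
	}
	e, ok := cfg.Auths[registry]
	if !ok {
		return "", fmt.Errorf("no entry for %s", registry)
	}
	return e.Auth, nil
}

// MigrateDockercfg converts src (a legacy .dockercfg) into dst with
// owner-only permissions and refuses to overwrite an existing dst. The
// auth values are only base64-encoded credentials, so the 0600 mode matters.
func MigrateDockercfg(src, dst string) error {
	if _, err := os.Stat(dst); err == nil {
		return fmt.Errorf("%s already exists; not overwriting", dst)
	}
	legacy, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	converted, err := ConvertLegacyDockercfg(legacy)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
		return err
	}
	return os.WriteFile(dst, converted, 0o600)
}

func main() {
	// Constructed sample: one registry; the auth value is
	// base64("user:password"), a made-up credential.
	legacy := []byte(`{"https://index.docker.io/v1/": {"auth": "dXNlcjpwYXNzd29yZA==", "email": "user@example.com"}}`)
	out, err := ConvertLegacyDockercfg(legacy)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(out))
}
```

Run it as is to see the converted JSON, or call MigrateDockercfg("~/.dockercfg", "~/.docker/config.json") with expanded paths to do the real migration; the refusal to overwrite an existing config.json is deliberate, because a merged file should be produced by docker login rather than by a blind copy.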

Also starting with this release, if you use the legacy builder with a Dockerfile that contains commands or arguments it does not support, an error is printed suggesting you use BuildKit for the build. This is a further step in the Docker community's push to make BuildKit the default builder.

Logging

Fixes unexpected io.UnexpectedEOF errors in Docker v20.10 when using the default json-file log driver.

In practice, this problem was easy to reproduce when a container continuously wrote a large volume of logs.

Network

This release fixes an issue in v20.10 where iptables rules were not cleaned up automatically when a container was stopped. It also fixes the problem that the Docker API did not return IPv6 address information by default, even though, on a host with IPv6 networking, an exposed port is reachable over both IPv4 and IPv6.

Other

In this version, when Docker CE is installed from the official Docker repositories, the docker-scan-plugin package is recommended by default. It is a Docker CLI plugin that can scan images for vulnerabilities.

This plugin, which I introduced in K8S Ecology Weekly, was first introduced in Docker Desktop and is very convenient.

This version also fixes a serious problem. Although the problem is not caused by Docker itself, it is triggered when Docker-in-Docker is used, so it deserves some extra explanation here.

When running Docker-in-Docker with v20.10 in Kubernetes, the Kubernetes QoS mechanism determines a Pod's scheduling and eviction priority; concretely, the kubelet influences when a Pod is OOM-killed by setting its oom_score_adj. For container resource management, see my earlier article “Talking about Container Resource Management”.

For a Pod with BestEffort QoS, Kubernetes sets oom_score_adj to 1000. containerd, however, wants to avoid the shim being killed before its child process, so its AdjustOOMScore function sets the shim's oom_score_adj to the parent's value plus 1. The result is the following error:

docker: Error response from daemon: io.containerd.runc.v2: failed to adjust OOM score for shim: set shim OOM score: write /proc/211/oom_score_adj: invalid argument

BestEffort QoS already uses 1000, the maximum allowed value for oom_score_adj, so adding 1 produces an invalid value and the write fails.

The corresponding fix is as follows:

diff --git a/sys/oom_unix.go b/sys/oom_unix.go
index d49d5bc8d.. c381e1a7e 100644
--- a/sys/oom_unix.go
+++ b/sys/oom_unix.go
@ @ - 26, 8 + 12 @ @ 26 import (
        "strings"
 )

-// OOMScoreMaxKillable is the maximum score keeping the process killable by the oom killer
-const OOMScoreMaxKillable = -999
+const (
+ // OOMScoreMaxKillable is the maximum score keeping the process killable by the oom killer
+ OOMScoreMaxKillable = -999
+ // OOMScoreAdjMax is from OOM_SCORE_ADJ_MAX https://github.com/torvalds/linux/blob/master/include/uapi/linux/oom.h
+ OOMScoreAdjMax = 1000
+)

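Review bot: the doc comment on OOMScoreAdjMax links to the master branch of the kernel tree, so the reference can drift as the file moves; pin it to a tag or commit, or drop the URL and keep only `// OOMScoreAdjMax is OOM_SCORE_ADJ_MAX from include/uapi/linux/oom.h`. The hunk header as quoted (`@ @ - 26, 8 + 12 @ @ 26`) is mangled, so the line counts of this hunk cannot be checked from the text here.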
diff --git a/runtime/v2/shim/util_unix.go b/runtime/v2/shim/util_unix.go
index 2b0d0ada3.. 9fb7cc573 100644
--- a/runtime/v2/shim/util_unix.go
+++ b/runtime/v2/shim/util_unix.go
53, 7 @ @ @ @ - 53, 6 + func SetScore(pid int) error {

 // AdjustOOMScore sets the OOM score for the process to the parents OOM score +1
 // to ensure that they parent has a lower* score than the shim
+// if not already at the maximum OOM Score
 func AdjustOOMScore(pid int) error {
        parent := os.Getppid()
        score, err := sys.GetOOMScoreAdj(parent)
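Review bot: the added comment line `+// if not already at the maximum OOM Score` leaves the three-line comment reading as a fragment, and the context line `// to ensure that they parent has a lower* score than the shim` has a typo (`they parent`) and a stray `*`; since this hunk already touches the comment, rewrite it as one sentence, e.g. `// AdjustOOMScore sets the shim's OOM score to the parent's score +1 so the parent is killed first, clamping at the kernel maximum.` The hunk header as quoted (`53, 7 @ @ @ @ - 53, 6 +`) is garbled, so the offsets cannot be verified from this text.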
@ @ 61-60, 6 + 9 @ @ func AdjustOOMScore(pid int) error {
                return errors.Wrap(err, "get parent OOM score")
        }
        shimScore := score + 1
+ if shimScore > sys.OOMScoreAdjMax {
+ shimScore = sys.OOMScoreAdjMax
+}if err := sys.SetOOMScore(pid, shimScore); err ! = nil { return errors.Wrap(err, "set shim OOM score") }Copy the code
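Review bot: once `shimScore` is clamped to `sys.OOMScoreAdjMax`, the shim and its parent end up with the same oom_score_adj, so the ordering the doc comment promises (parent strictly lower than the shim) no longer holds at the cap; either document that the guarantee degrades to "no worse than the parent" or emit a debug-level log when clamping happens so the case is visible in containerd logs. The quoted text also runs `}if err := ...` and `err ! = nil` together on one line, which looks like extraction damage rather than the committed form; the clamp should stay in its own `if` block with the `err != nil` check on the following line.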

As the AdjustOOMScore change shows, if the adjusted oom_score_adj would exceed the maximum, it is clamped to the system maximum instead.
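To make the arithmetic behind the error concrete, here is an added Go example (not containerd's code and not from the original post) that mirrors the clamping applied in the fix: it parses a parent's oom_score_adj as read from procfs, computes parent+1, and clamps at the kernel maximum. The range [-1000, 1000] is OOM_SCORE_ADJ_MIN/MAX from the kernel's include/uapi/linux/oom.h; the function names and the sample procfs contents are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Kernel limits from include/uapi/linux/oom.h. Writing a value outside
// this range to /proc/<pid>/oom_score_adj fails with EINVAL, which is the
// "invalid argument" in the error message quoted above.
const (
	OOMScoreAdjMin = -1000
	OOMScoreAdjMax = 1000
)

// ValidateOOMScoreAdj reports whether v can be written to oom_score_adj.
func ValidateOOMScoreAdj(v int) error {
	if v < OOMScoreAdjMin || v > OOMScoreAdjMax {
		return fmt.Errorf("oom_score_adj %d outside [%d, %d]", v, OOMScoreAdjMin, OOMScoreAdjMax)
	}
	return nil
}

// ParseOOMScoreAdj parses the text read from /proc/<pid>/oom_score_adj
// (a decimal integer followed by a newline).
func ParseOOMScoreAdj(contents string) (int, error) {
	v, err := strconv.Atoi(strings.TrimSpace(contents))
	if err != nil {
		return 0, fmt.Errorf("parse oom_score_adj: %w", err)
	}
	if err := ValidateOOMScoreAdj(v); err != nil {
		return 0, err
	}
	return v, nil
}

// ShimScoreFor returns the score a shim should use so the OOM killer picks
// the shim no earlier than its parent: parent+1, clamped to the kernel
// maximum. clamped is true when the cap was hit; at the cap the shim and
// parent share a score, so the strict "parent lower" ordering is lost.
func ShimScoreFor(parentScore int) (score int, clamped bool) {
	score = parentScore + 1
	if score > OOMScoreAdjMax {
		return OOMScoreAdjMax, true
	}
	return score, false
}

// PlanShimScore combines the two steps: read the parent's current value
// (as text from procfs) and compute what the shim may safely write.
func PlanShimScore(parentProcContents string) (int, bool, error) {
	parent, err := ParseOOMScoreAdj(parentProcContents)
	if err != nil {
		return 0, false, err
	}
	score, clamped := ShimScoreFor(parent)
	return score, clamped, nil
}

func main() {
	// Constructed procfs contents: 1000 is what a BestEffort Pod's
	// container gets; -997 is a contrasting low value; 1001 is out of range.
	for _, contents := range []string{"1000\n", "-997\n", "1001\n"} {
		score, clamped, err := PlanShimScore(contents)
		if err != nil {
			fmt.Printf("parent %q: %v\n", strings.TrimSpace(contents), err)
			continue
		}
		fmt.Printf("parent %q -> shim %d (clamped=%t)\n", strings.TrimSpace(contents), score, clamped)
	}
}
```

The clamped flag is the part worth keeping an eye on operationally: when it is true the shim is exactly as killable as the workload it supervises, which is acceptable for BestEffort but is a signal that the "shim outlives its child" assumption no longer holds for that Pod.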

If you use containerd with Docker-in-Docker in production, upgrade to this version.

That's all you need to know about this release; see the release notes for the full list of changes.

kube-state-metrics v2.0 release

Anyone doing Kubernetes cluster monitoring is probably familiar with this project. kube-state-metrics generates Prometheus-format metrics from the state of Kubernetes resources, which goes a long way toward meeting our need for cluster observability.

In this release, several metrics have been renamed to a more standard and uniform format.

The image has been moved to k8s.gcr.io/kube-state-metrics/kube-state-metrics.

For more information about the changes in this release, see its release notes.

Upstream progress

  • · kubernetes/kubernetes fixed a memory leak in port-forward;
  • #99963 · kubernetes/kubernetes ensures the Job controller can clean up Pods after the Job completes;
  • KubeConfig is now exposed in the Scheduler Framework for use by out-of-tree plugins.

Please feel free to subscribe to my official account [MoeLove]