“K8S Ecology Weekly” mainly contains recommended weekly information related to the K8S ecosystem that I have come across. You are welcome to subscribe to the Zhihu column “K8S Ecology”.

Docker V20.10 features overview

In a previous issue of K8S Ecology Weekly on the Docker v20.10.0-beta1 release, I introduced that release, but did not give a specific introduction to the features and other details of Docker v20.10.

Docker v20.10 brings very big changes: cgroup v2 support, enhanced rootless mode, dual logging, a more flexible built-in DNS, and more. I also spent a lot of time on this release.

Detailed changes will be introduced after the official release of v20.10. We welcome your testing and feedback; we have already received some, and will fix the issues and publish the next version as soon as possible.

As promised at the time, in this last weekly of 2020 I would like to introduce Docker v20.10 in detail.

The installation

Docker v20.10 was released on December 8, 2020, and is the first major release since Docker v19.03 (July 2019). You can install Docker v20.10 automatically with the following command:

➜ ~ curl -fsSL https://get.docker.com | sh

Cgroup v2 support

Docker v19.03 does not support cgroup v2, but since Fedora 31 cgroup v2 has been the default cgroup version on Fedora. Before Docker v20.10 was released, users of Fedora 31 or later had to switch their system back to cgroup v1 to run Docker properly.

Adding cgroup v2 support to Docker involved a lot of changes, including in runc and containerd.

During this process I also found a hidden bug in runc v1.0-rc91 that prevented Docker from correctly running containers in privileged mode (with the --privileged flag). runc was then fixed and released as v1.0-rc92, which allowed the cgroup v2 feature in Docker to be completed.

For more details, see my earlier issue of K8S Ecology Weekly on the runc v1.0-rc92 release, which covers this in depth; interested readers can refer to it.

rootless mode GA

One of the things Docker has long been criticized for is that the Docker daemon must be started as root in order to use all of its features. This means that any user who can operate the Docker daemon has the opportunity to obtain root privileges on the operating system.

Docker v19.03 added experimental rootless mode support, which allows users to run the Docker daemon without root privileges. This greatly improves the security of the system. But it was still experimental, and some functionality was missing.

I would like to take advantage of the Docker v20.10 release to formally introduce Docker rootless mode. It has now reached GA, graduated from experimental, and gained many features.

Rootless mode runs the Docker daemon and its containers inside a user namespace, without root privileges.

You can install Docker rootless mode with the following command:

➜ ~ curl -fsSL https://get.docker.com/rootless | sh

Or install it from Docker's official RPM/DEB packages. After installation, manage the Docker service with systemctl as a user unit:

➜  ~ systemctl --user start docker

For more details on rootless mode usage and best practices, please refer to the official Docker documentation: Running the Docker Daemon as a Non-root User.

Dockerfile: RUN --mount=type=(ssh|secret|cache) reaches GA

Docker v18.06 experimentally added RUN --mount=type=cache, which preserves the package manager's cache files across builds.

In v18.09, RUN --mount=type=ssh and RUN --mount=type=secret were added to pass private information such as keys or user credentials into a build step without leaking it into the image. These advanced features were covered in detail in my previous article, Advanced: A Guide to Advanced Use of Dockerfile and Image Optimization.

These features are very useful and cover most security requirements when building images. If you are interested, please feel free to contact me; I may write related articles introducing them later.
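As an added example (not code from the original post or from Docker), here is a Dockerfile contrasting the leaky pattern with the three BuildKit mount types; the image name, secret id, index URL and Git repository are hypothetical:

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the original post. Build with BuildKit enabled:
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=pip_token,src=$HOME/.pip_token \
#     --ssh default \
#     -t example-app .
# example-app, pip_token, pypi.example.com and git.example.com are hypothetical.
FROM python:3.9-slim

# LEAKY pattern that the mounts replace: build args and copied key files end
# up in image history and layers, readable via `docker history` or a layer export.
#   ARG PIP_TOKEN
#   RUN pip install --index-url https://__token__:${PIP_TOKEN}@pypi.example.com/simple app-internal-lib
#   COPY id_ed25519 /root/.ssh/id_ed25519

# cache mount: apt's download cache persists between builds but is never
# written into the image. Debian's docker-clean hook would wipe it, so
# disable that hook and tell apt to keep downloaded packages.
RUN rm -f /etc/apt/apt.conf.d/docker-clean \
 && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' \
      > /etc/apt/apt.conf.d/keep-cache
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update \
 && apt-get install -y --no-install-recommends git openssh-client

# secret mount: the token is exposed only at /run/secrets/pip_token (tmpfs)
# for this single RUN step. The recorded command contains the literal
# "$(cat /run/secrets/pip_token)", not the token value.
RUN --mount=type=secret,id=pip_token \
    pip install --no-cache-dir \
      --index-url "https://__token__:$(cat /run/secrets/pip_token)@pypi.example.com/simple" \
      app-internal-lib

# ssh mount: the host's ssh-agent socket is forwarded into this step only,
# so a private repository can be cloned without copying any key into the image.
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan git.example.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh \
    git clone git@git.example.com:example/private-repo.git /src/private-repo
```

After the build, `docker history example-app` shows the mount-based RUN lines without any credential, which is the check worth running before pushing an image.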

Other

  • The built-in DNS logic has been optimized for better performance;
  • docker build can now build directly from a private Git repository over SSH;

For the full list of changes in this release, see its release notes.

Rook v1.5.4 release

There are two important things to note about this release:

  • The latest version of Ceph does not support OSDs on partitions. In my own experience I have almost never put an OSD on a partition; I generally use the whole disk directly;
  • ceph-csi has been updated to v3.2.0 by default.

For more information about this release, refer to its release notes.

Etcd officially graduated from CNCF

Everyone must be familiar with etcd. I have also introduced it many times in “K8S Ecology Weekly”, so I will not repeat that here.

For those interested, please see the official announcement: CNCF announces the graduation of etcd.

Congratulations to etcd once again!

Aside

Today is the last day of 2020 on the solar calendar. Thank you for your attention and support!

Next, I will publish a “Report on K8S Ecosystem Evolution in 2020” to share with you the notable developments in the K8S ecosystem in 2020, as well as the outlook and direction of the K8S ecosystem in 2021. Please look forward to it!

Please feel free to subscribe to my official account [MoeLove].