"K8S Ecological Weekly" is a weekly digest of news from the K8S ecosystem that I have come across and recommend. Welcome to subscribe to the column "k8s ecology".
Docker v20.10.7 officially released
Docker recently released v20.10.7. This version focuses mainly on stability and security; let's take a look at the specific points worth attention.
CLI
The main CLI change is that the long-standing "WARNING: No kernel memory limit support" warning has been removed, and under cgroup v2 the "WARNING: No oom kill disable support" warning no longer appears either.
Why? Because oom kill disable is simply not supported under cgroup v2. If you pass the --oom-kill-disable option under cgroup v2, you will see the following prompt:
➜ ~ docker info |grep Cgroup
Cgroup Driver: systemd
Cgroup Version: 2
➜ ~ docker run --rm -it --oom-kill-disable -m 6m alpine sh
WARNING: Your kernel does not support OomKillDisable. OomKillDisable discarded.
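A small host check for the situation shown above, added here as an example and not part of the original post: it detects which cgroup version the host runs from the layout of the cgroup mount (a parameter, so it can be pointed at a constructed directory tree as well as the real /sys/fs/cgroup) and reports whether --oom-kill-disable would be honoured or silently discarded. The detection heuristics are my own assumptions, not something Docker exposes.

```shell
#!/bin/sh
# Added example, not from the original post: report which cgroup version a host
# runs and whether `docker run --oom-kill-disable` will be honoured there.
# Under cgroup v2 there is no oom-kill-disable knob, so Docker discards the
# option with the "OomKillDisable discarded" warning shown above.
# The cgroup root is a parameter so the check can run against a constructed
# directory tree as well as the real /sys/fs/cgroup.

# Print "v2" for a unified (cgroup v2) hierarchy, "v1" for the legacy hierarchy
# with a memory controller mount, "none" when no cgroup filesystem is present.
# Assumption: cgroup.controllers sits at the root only in pure v2 mode; in hybrid
# mode Docker still uses v1 and the v1 memory mount is what matters.
cgroup_version() {
    root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then
        echo v2
    elif [ -d "$root/memory" ]; then
        echo v1
    else
        echo none
    fi
}

# Return 0 (true) if --oom-kill-disable is supported on this host.
# On cgroup v1 the knob is the memory.oom_control file of the memory controller;
# on cgroup v2 it does not exist at all.
oom_kill_disable_supported() {
    root="${1:-/sys/fs/cgroup}"
    case "$(cgroup_version "$root")" in
        v1) [ -f "$root/memory/memory.oom_control" ] ;;
        *)  return 1 ;;
    esac
}

# Human-readable summary, e.g. for a host preflight script.
report_oom_kill_disable() {
    root="${1:-/sys/fs/cgroup}"
    if oom_kill_disable_supported "$root"; then
        echo "cgroup $(cgroup_version "$root"): --oom-kill-disable is honoured"
    else
        echo "cgroup $(cgroup_version "$root"): --oom-kill-disable will be discarded"
    fi
}

# Run `sh check.sh --report` on a real host to print the summary.
if [ "${1:-}" = "--report" ]; then
    report_oom_kill_disable "${2:-/sys/fs/cgroup}"
fi
```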
Introducing cgroup v2 here would take far too much space. I made the following predictions when I was interviewed in 2019 about trends in container technology:
From the perspective of low-level technology, cgroup v2 will gradually become popular, and then replace cgroup v1, but this process may take about two or three years.
Overall, stability and performance optimization will be the main theme of the future.
More than a year has passed, and things have fully matched my forecast at the time. runc, containerd, Docker, Kubernetes and other components all support cgroup v2 now. Operating systems including Fedora have made cgroup v2 the system default. Companies are also gradually migrating to cgroup v2.
Networking
In this version, two network-related issues are mainly resolved.
- Fixed a deadlock that could leave Docker DNS unable to resolve names. This issue is mainly encountered when using a Swarm cluster. Users who use Docker directly or run Docker as the Kubernetes container runtime are not affected.
- Docker v20.10.6 fixed an issue with the container port mapping API on IPv6 machines; see my K8S Ecological Weekly: Docker v20.10.6 Release. But the case where the kernel is booted with the ipv6.disable=1 option was not handled correctly: if ipv6.disable=1 is set and a port mapping is performed when the server starts, the container cannot start. There are 3 solutions:
- Remove the ipv6.disable=1 option (but usually there is a specific reason for this setting);
- Upgrade to Docker v20.10.7;
- When performing port mapping, manually specify the IPv4 address to bind, such as docker run -d -p 0.0.0.0:6379:6379 ghcr.io/moelove/redis:alpine ;
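The three workarounds above as a small decision helper, added here as an example and not part of the original post: it checks whether a host combines Docker 20.10.6 with a kernel booted with ipv6.disable=1 (the version match and the command-line parsing are my own assumptions based on the text) and, if so, rewrites -p specs to bind IPv4 explicitly, which is the third workaround.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a host hits the
# Docker v20.10.6 port-mapping problem described above (kernel booted with
# ipv6.disable=1) and, if so, rewrite `-p` specs to bind IPv4 explicitly.
# The kernel command line and the Docker server version are passed in as
# strings so the logic can be exercised offline on constructed input.

# Return 0 (true) if `ipv6.disable=1` is present on the kernel command line.
ipv6_disabled_on_cmdline() {
    cmdline="$1"
    for word in $cmdline; do
        [ "$word" = "ipv6.disable=1" ] && return 0
    done
    return 1
}

# Return 0 (true) when the workaround is needed. Assumption: only 20.10.6 is
# affected (earlier versions lack the IPv6 change, 20.10.7 handles this case).
needs_ipv4_bind_workaround() {
    cmdline="$1"
    docker_version="$2"
    [ "$docker_version" = "20.10.6" ] || return 1
    ipv6_disabled_on_cmdline "$cmdline"
}

# Rewrite a -p spec that carries no host address (e.g. 6379:6379) to bind
# 0.0.0.0 explicitly; specs that already carry an address are left unchanged,
# as is a bare container port (random host port), which this helper cannot pin.
pin_publish_to_ipv4() {
    spec="$1"
    case "$spec" in
        *:*:*) echo "$spec" ;;           # host address already present
        *:*)   echo "0.0.0.0:$spec" ;;   # hostPort:containerPort
        *)     echo "$spec" ;;           # bare containerPort
    esac
}

# Example use on a live host (assumes the docker CLI is installed):
#   cmdline=$(cat /proc/cmdline)
#   ver=$(docker version --format '{{.Server.Version}}')
#   if needs_ipv4_bind_workaround "$cmdline" "$ver"; then
#       docker run -d -p "$(pin_publish_to_ipv4 6379:6379)" ghcr.io/moelove/redis:alpine
#   fi
```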
Other
- containerd v1.4.6 and runc v1.0.0-rc95 are now used by default, which addresses CVE-2021-30465;
- docker scan updated to v0.8:
➜ ~ docker scan --version
Version: v0.8.0
Git commit: 35651ca
Provider: Snyk (1.563.0 (standalone))
I recommend updating to this version; it is especially worth the upgrade if you are affected by the v20.10.6 issues mentioned above.
Docker Desktop 3.4.0 released
For most users, there are two main points to note in this version:
- Docker Inc. has listened to community feedback: the skip-update function is no longer exclusive to paying users, so you can freely choose to upgrade or skip an upgrade. For the background of this matter, please refer to my earlier weekly report;
- Related components have been upgraded in this version, including Docker Engine to v20.10.7 and Kubernetes to v1.21.1;
Rook v1.6.5 released
This is a patch release with few changes, but there is something worth paying attention to in this version:
- The CephCluster CR can now be configured through the Helm chart;
You can use a command similar to the following to configure it:
helm repo add rook-master https://charts.rook.io/master
helm install --create-namespace --namespace rook-ceph rook-ceph-cluster \
--set operatorNamespace=rook-ceph rook-master/rook-ceph-cluster -f values-override.yaml
This is much more convenient than writing the YAML by hand each time, as before. Another point worth noting is that the is experimental and is expected to reach stable .
Thanos v0.21 released
Thanos is a complete high-availability and long-term storage solution for Prometheus. I have introduced it many times in previous articles (I have followed it since Thanos became a CNCF sandbox project in 2019 and have kept writing about it).
There is only one main feature in this update:
- TLS and basic auth authentication have been added to the Thanos API.
This is actually a trend across many monitoring projects. Remember my article "Adding authentication to Prometheus Node Exporter"? After solving availability and adoption in the early stage, projects gradually turn their attention to security.
Kubernetes Ingress-NGINX v0.47 released
The release of this version is mainly to solve two problems:
- Fix the CVE in NGINX v1.20 by updating to v1.20.1;
- Prepare for subsequent versions, in which we plan to gradually drop support for older Kubernetes versions;
The compatibility matrix is as follows:
Kubernetes version | Ingress-NGINX version | Support note
---|---|---
1.22 | TBD | In progress
1.21 | v0.47.0 | CVE and crash fixes only
1.20 | v0.47.0 | CVE and crash fixes only
1.19 | v0.47.0 | Deprecated 6 months after v1.22 is released
It is also worth mentioning that this version was released by me and two other maintainers. It took the three of us nearly 2 hours to complete the release of this version. Cross-time zone collaboration is actually quite tiring.
Upstream progress
- #102489 · kubernetes/kubernetes: several of the newly released patch releases contain a regression that causes kubelet to crash. It is recommended that you do not upgrade! The fixed version (160c87a329fb82) will be released this week.
- #100142 · kubernetes/kubernetes: the output of kubectl get pods gains a LAST RESTART column, for example:
$ kubectl get pods -A
NAMESPACE     NAME                                    READY   STATUS    RESTARTS   LAST RESTART   AGE
kube-system   coredns-74ff55c5b-6qp7j                 1/1     Running   7          23h            7d3h
kube-system   coredns-74ff55c5b-z79st                 1/1     Running   7          23h            7d3h
kube-system   etcd-jjacobelli-lt                      1/1     Running   6          23h            7d3h
kube-system   kube-apiserver-jjacobelli-lt            1/1     Running   0          <none>         57s
kube-system   kube-controller-manager-jjacobelli-lt   0/1     Running   8          61s            7d3h
kube-system   kube-flannel-ds-c8d66                   1/1     Running   7          8h             7d3h
kube-system   kube-proxy-r9nrx                        1/1     Running   6          23h            7d3h
kube-system   kube-scheduler-jjacobelli-lt            0/1     Running   8          62s            7d3h
The advantage is that users can quickly see when a Pod last restarted/recovered without having to dig through logs, which is much more convenient.
- #102529 · kubernetes/kubernetes: CronJobControllerV2 reaches GA! I introduced it in "K8S Ecological Weekly | Kubernetes v1.21 released, bringing a new memory manager"; interested friends can take a look;
- An interesting proposal, KEP 2775: its main purpose is to protect cluster resources from the impact of cascading deletion by adding interactive deletion or delayed deletion; interested friends can leave a message on the KEP and join the discussion;
- GKE Dataplane V2 reached GA a few days ago. For its background, please refer to my two previous articles "K8S Ecological Weekly | Google chooses Cilium as GKE's next-generation data plane" and "Cilium, the next-generation data plane selected by Google". This GA also marks another major milestone for Cilium!
- Grafana v8.0 is officially released. This version adds an Alertmanager data source, which is a big improvement for alerting.
Project recommendation
apisix-mesh-agent: a service mesh project that uses Apache APISIX as the data plane together with Istio and other control planes. Disclosure: I am a member of the api7 team.
The main reasons for recommending this project are as follows:
- The Envoy project has a relatively steep learning curve; Apache APISIX is easier to use and extend by comparison;
- Compared with Envoy, the performance of Apache APISIX is a major advantage;
If you are using Istio but struggle with getting started with, or doing secondary development on, Envoy, then I recommend you take a look at this project. However, this project has only released v0.6 so far and still needs continuous polishing. Contributions are welcome!
Welcome to subscribe to my article public account【MoeLove】