Everyone knows the story of Sima Xiangru and Zhuo Wenjun. "Bright as snow on the mountain, clear as the moon among the clouds." Zhuo Wenjun was that beautiful, and even she ran into the old pattern of the devoted woman and the fickle man.
Sima Xiangru won the emperor's favour with a single fu (rhapsody), and once he had risen he wanted to cast Zhuo Wenjun off. He sent his wife at home a letter that held nothing but a row of numerals: "one, two, three, four, five, six, seven, eight, nine, ten, hundred, thousand, ten thousand". The point was the character that was missing: there was no yi (亿, "hundred million"), which sounds like yi (意, "affection"), so the letter said "I have no feeling left for you".
Zhuo Wenjun read the letter and did not back down; she replied with the "Poem of Resentment" (怨郎诗). When Sima Xiangru saw it he realised that, although he made his living by his pen, his wife's verse was at least the equal of his own, and he went in person to bring Zhuo Wenjun to Chang'an.
Zhuo Wenjun was in fact a widow: her first husband died soon after the wedding, which was probably one reason Sima later wanted to be rid of her. But Wenjun was strong-willed. The first time she dared to elope overnight; the second time she held on to her husband. And with literary talent like hers, had he thrown her over, even his patron the Han emperor would not have been pleased.
It was Zhuo Wenjun's intelligence that secured not only her own position but her husband's success. Du Fu, the "sage of poetry", praised their love with the line "ill at Maoling, he still loved Zhuo Wenjun". Had Sima Xiangru married someone else, "Phoenix Seeks His Mate" (凤求凰) suggests he would at heart have been the same man.
Today's theme is neither love nor poetry: we borrow that numeral letter to walk through the basics of k8s. Keywords:
One goal: container operations; two places, three centres; four-layer service discovery; five resources shared by a pod; six common plug-ins; seven-layer load balancing; eight isolation dimensions; nine network model principles; ten kinds of IP address; hundreds of product lines, thousands of physical machines, tens of thousands of containers, and hundreds of millions of service requests a day on k8s.
One goal: container operations
Kubernetes (k8s) is an open-source platform for automating container operations: deploying containers, scheduling them, and scaling them across a cluster of nodes.
Specific capabilities:
Automate container deployment and replication.
Scale the number of containers up or down on the fly.
Organize containers into groups and load-balance traffic between them.
Scheduling: decide which machine each container runs on.
Composition:
kubectl: the command-line client; the operator's entry point to the whole system.
kube-apiserver: exposes the REST API and is the control entry point of the whole system. It is also the only component that reads and writes etcd, so every other client (kubectl, the controllers, the kubelets) is authenticated and authorized here.
kube-controller-manager: runs the control loops for the whole system, for example tracking node status, keeping the number of pods at the desired count, and associating pods with services.
kube-scheduler: watches the API server for newly created pods that have no node yet and binds each one to a node according to the pod's resource requests and the nodes' available resources.
etcd: the cluster's key-value store, used for service discovery and configuration sharing between nodes. Every Kubernetes object, Secrets included, lives here, so etcd needs TLS, client-certificate authentication and a restricted network just as much as the API server does.
kube-proxy: runs on every compute node and acts as the network proxy for pods. It watches Service and Endpoints objects through the API server and programs the node's forwarding rules accordingly.
kubelet: runs on every compute node as the node agent. It receives the pods assigned to its node, manages their containers, polls their state periodically, and reports it back to kube-apiserver.
DNS: an optional DNS service that creates DNS records for each Service object so that all pods can reach services by name.
(Figure: k8s architecture topology diagram.)
Two places, three centres
The three centres are the local production centre, the local disaster-recovery centre and the remote disaster-recovery centre, spread across two sites.
One of the key problems a three-centre deployment must solve is data consistency. k8s relies on etcd, a highly available, strongly consistent store for service discovery and configuration sharing.
etcd was inspired by ZooKeeper and Doozer. Besides their features it claims four of its own:
Simple: an HTTP+JSON API that is easy to drive with curl.
Secure: optional TLS with client-certificate authentication. "Optional" is the word to watch: in production it must be switched on, because a reachable, unauthenticated etcd hands out the whole cluster state.
Fast: benchmarked at 1000 writes per second per instance.
Reliable: fully distributed, using the Raft consensus algorithm.
Four-layer service discovery
(Figure: the seven-layer network protocol model.)
k8s offers two ways to do service discovery:
Environment variables: when a pod is created, kubelet injects variables for every Service in the pod's namespace into the pod's environment. Note that a Service is only injected into pods created after it, so the Service must exist before the pod; this ordering constraint makes the method hard to rely on. It also means every container in the namespace can read the addresses of every Service there, which is worth remembering when you consider what a compromised container learns.
For example, for a Service named redis-master whose ClusterIP:port is 10.0.0.11:6379, the variables are REDIS_MASTER_SERVICE_HOST=10.0.0.11 and REDIS_MASTER_SERVICE_PORT=6379, plus the Docker-link-style REDIS_MASTER_PORT_6379_TCP_* variables.
DNS: the kube-dns cluster add-on (CoreDNS in current clusters) gives every Service a DNS name, which is the easy way to discover services inside a cluster.
Both methods end up handing the client an IP address and a port, that is, a transport-layer (layer 4) endpoint, which is why this counts as four-layer service discovery. DNS itself is carried over UDP port 53 (with TCP as a fallback for large answers).
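The environment-variable method, as an added example (not code from the original post or from Kubernetes): the functions below reproduce kubelet's naming rule (upper-case the Service name, replace "-" with "_") for the redis-master example, show what a client has to do to consume it, and list which Services a container can learn about from its environment alone. The second Service, web-api, is a made-up name used only to illustrate that last point.

```python
"""Added example: Service -> environment variables, the kubelet way.

Assumes a single TCP port per Service; the variable set matches the one
Kubernetes documents for a Service named redis-master at 10.0.0.11:6379.
"""
from typing import Dict, List, Optional, Tuple


def env_var_name(service_name: str) -> str:
    """kubelet's transformation: redis-master -> REDIS_MASTER."""
    return service_name.upper().replace("-", "_")


def service_env_vars(name: str, cluster_ip: str, port: int,
                     proto: str = "tcp",
                     port_name: Optional[str] = None) -> Dict[str, str]:
    """Variables kubelet injects for one Service port."""
    prefix = env_var_name(name)
    proto_l, proto_u = proto.lower(), proto.upper()
    env = {
        f"{prefix}_SERVICE_HOST": cluster_ip,
        f"{prefix}_SERVICE_PORT": str(port),
        # Docker-link style variables, kept for compatibility.
        f"{prefix}_PORT": f"{proto_l}://{cluster_ip}:{port}",
        f"{prefix}_PORT_{port}_{proto_u}": f"{proto_l}://{cluster_ip}:{port}",
        f"{prefix}_PORT_{port}_{proto_u}_PROTO": proto_l,
        f"{prefix}_PORT_{port}_{proto_u}_PORT": str(port),
        f"{prefix}_PORT_{port}_{proto_u}_ADDR": cluster_ip,
    }
    if port_name:  # named ports get an extra *_SERVICE_PORT_<NAME>
        env[f"{prefix}_SERVICE_PORT_{env_var_name(port_name)}"] = str(port)
    return env


def discover(env: Dict[str, str], service_name: str) -> Optional[Tuple[str, int]]:
    """What a client does: read host and port of a Service from its env.

    Returns None when the variables are absent, which is exactly what a
    pod started *before* the Service was created will see.
    """
    prefix = env_var_name(service_name)
    host = env.get(f"{prefix}_SERVICE_HOST")
    port = env.get(f"{prefix}_SERVICE_PORT")
    if host is None or port is None:
        return None
    return host, int(port)


def services_visible(env: Dict[str, str]) -> List[str]:
    """Every *_SERVICE_HOST in a pod's env names a reachable ClusterIP:
    a compromised container gets the namespace's service map for free."""
    suffix = "_SERVICE_HOST"
    return sorted(k[:-len(suffix)] for k in env if k.endswith(suffix))


if __name__ == "__main__":
    env = service_env_vars("redis-master", "10.0.0.11", 6379)
    env.update(service_env_vars("web-api", "10.0.0.12", 80))  # constructed
    for k in sorted(env):
        print(f"{k}={env[k]}")
    print("redis-master ->", discover(env, "redis-master"))
    print("visible services:", services_visible(env))
```

Run it as a script to print the variable set; `discover` returning None is the ordering problem from the text made concrete.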
Five resources shared by a pod
A pod is the most basic unit of operation in k8s. It contains one or more tightly related containers and can be seen as the "logical host" of the application layer in a containerized environment. The containers in a pod are usually tightly coupled, and a pod is created, started and destroyed as a unit on a node. Each pod carries a shared mounted volume, so communication and data exchange between its containers are efficient; at design time we exploit this by placing a group of closely related service processes in the same pod.
Containers in the same pod can talk to each other over localhost. The application containers in a pod share five resources:
PID namespace: processes in one container can see the process IDs of the others. In Kubernetes this is opt-in: it takes shareProcessNamespace: true in the pod spec, and by default each container keeps its own PID namespace.
Network namespace: the containers in a pod share one IP address and one port range, so two of them cannot listen on the same port.
IPC namespace: the containers can communicate using System V IPC or POSIX message queues.
UTS namespace: the containers share one hostname.
Volumes (shared storage): every container in the pod can mount the volumes defined at pod level.
A pod's life cycle is managed by a controller (the ReplicationController in early k8s, a ReplicaSet or Deployment today): the pod is defined from a template, scheduled onto a node, and ends once the containers it holds have exited.
Kubernetes gives each pod its own network configuration, including an IP address of its own and the pod name as its hostname for the pod's lifetime.
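A small audit of what a pod spec shares, as an added example (not code from the original post or from Kubernetes). It goes one step beyond the text: sharing namespaces *between the containers of a pod* is the normal case; the settings a reviewer should look for are the ones that share the *node's* namespaces (spec.hostPID, spec.hostNetwork, spec.hostIPC), mount node paths (hostPath volumes) or run privileged, because those turn a container compromise into a node compromise. The manifest is constructed for the example, written as the Python equivalent of YAML; the container names and images are made up.

```python
"""Added example: what does this pod share, and with whom?

Field names are real PodSpec fields; the manifest itself is constructed.
"""
from typing import Dict, List, Tuple

POD = {  # constructed sample manifest
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "redis-with-sidecar"},
    "spec": {
        "shareProcessNamespace": True,   # opt-in PID sharing inside the pod
        "hostNetwork": True,             # shares the NODE's network namespace
        "containers": [
            {"name": "redis", "image": "redis:7",
             "ports": [{"containerPort": 6379}],
             "volumeMounts": [{"name": "data", "mountPath": "/data"}]},
            {"name": "exporter", "image": "redis-exporter:1",
             "ports": [{"containerPort": 9121}],
             "securityContext": {"privileged": True}},
        ],
        "volumes": [
            {"name": "data", "emptyDir": {}},
            {"name": "docker-sock",
             "hostPath": {"path": "/var/run/docker.sock"}},
        ],
    },
}

# Shared between the containers of every pod, without any setting.
POD_SHARED_BY_DEFAULT = ("network", "ipc", "uts", "volumes")


def shared_inside_pod(spec: Dict) -> List[str]:
    """Namespaces and resources the pod's containers share with each other."""
    shared = list(POD_SHARED_BY_DEFAULT)
    if spec.get("shareProcessNamespace"):
        shared.append("pid")
    return shared


def duplicate_ports(spec: Dict) -> List[Tuple[str, int]]:
    """One network namespace per pod: two containers cannot bind one port."""
    seen, dups = set(), []
    for c in spec.get("containers", []):
        for p in c.get("ports", []):
            key = (p.get("protocol", "TCP"), p["containerPort"])
            if key in seen:
                dups.append(key)
            seen.add(key)
    return dups


def host_escape_findings(spec: Dict) -> List[str]:
    """Settings that share the node, not just the pod, with a container."""
    findings = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            findings.append(f"spec.{field}=true shares the node's namespace")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"volume {v['name']!r} mounts node path "
                            f"{v['hostPath']['path']}")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']!r} is privileged")
    return findings


if __name__ == "__main__":
    spec = POD["spec"]
    print("shared inside pod:", shared_inside_pod(spec))
    print("port clashes:", duplicate_ports(spec))
    for f in host_escape_findings(spec):
        print("FINDING:", f)
```

The three findings the sample produces (hostNetwork, the docker.sock hostPath, the privileged sidecar) are the usual suspects in a pod-security review; the first function is the one that answers the question the section asks.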
Six common plug-ins
The Container Network Interface (CNI) is a specification plus a set of libraries for configuring the network of Linux containers; anyone writing a container network plug-in for Kubernetes builds it against this standard. CNI concerns itself only with connecting a container to a network when it is created and releasing the resources when it is destroyed. Because it provides just that framework, it can support many different networking models, and each is easy to implement.
(Figure: six commonly used CNI plug-ins.)
Seven-layer load balancing
Before load balancing, a word on how servers talk to each other.
An IDC (Internet data centre), also called a data centre or machine room, is where the servers live; the IDC network is the bridge that lets them communicate.
The diagram shows a lot of network devices. What do they all do?
Routers, switches and MGW/NAT are the network devices; their roles differ by capacity and by whether they face the internal or the external network.
Intranet access switch: also called the ToR (top of rack) switch, the device the servers plug into. Each access switch has 40 to 48 servers below it, and one /24 segment serves as the intranet segment for those servers.
Intranet core switch: forwards traffic between the access switches inside the IDC and across IDCs.
MGW/NAT: MGW is the LVS-based load balancer; NAT translates addresses when intranet devices reach out to the external network.
External core routers: connect to Meituan's unified external-network platform through static interconnects with carriers or via BGP.
Load balancing at each layer:
Layer 2: load balancing on MAC addresses.
Layer 3: load balancing on IP addresses.
Layer 4: load balancing on IP address plus port.
Layer 7: load balancing on application-layer information such as the URL.
(Figure: the difference between layer-4 and layer-7 load balancing.)
The four-layer service discovery above is essentially k8s' native kube-proxy. For exposing services, k8s mainly uses NodePort: a port is bound on each node host, and requests arriving there are forwarded and load-balanced to the pods. This has the following drawbacks:
There may be many services. If each one is bound to a host port, every node has to open a port per service to the outside, and service invocation and management become chaotic.
Firewall rules of the kind many companies require are hard to apply, since the exposed ports are scattered across nodes and change as services come and go.
The ideal is an external load balancer bound to a fixed port such as 80 that forwards to the backend Service IPs by domain name or service name. Nginx solves this need very well, but when new services join, who edits the Nginx configuration and reloads it? The answer Kubernetes gives is Ingress, a layer-7 solution. Because the Ingress controller is the single entry point and terminates TLS, it is also the place where TLS, authentication and rate limiting belong.
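The layer-4 versus layer-7 choice above, as an added example (not code from the original post or from any Ingress controller). A NodePort/kube-proxy path sees only the destination port and cannot tell services apart on one port; an Ingress reads the HTTP Host header and path and can send many hostnames and paths arriving on port 80/443 to different Services. The path semantics follow the Kubernetes Ingress API (pathType Exact or Prefix, with Prefix compared on "/"-separated elements, so "/api" matches "/api" and "/api/v1" but not "/apiary"); the hostnames, Service names and NodePort numbers are made up for the example.

```python
"""Added example: layer-4 (NodePort) routing next to layer-7 (Ingress) routing.

Rules below are constructed; their shape mirrors Ingress.spec.rules.
"""
from typing import Dict, List, Optional, Tuple

Backend = Tuple[str, int]  # (Service name, Service port)

# Layer 4: kube-proxy only knows "this node port -> that Service".
NODEPORT_TABLE: Dict[int, Backend] = {          # constructed
    30080: ("web-svc", 80),
    30081: ("api-svc", 8080),
}

# Layer 7: one listener on :80/:443, dispatch on Host + path.
INGRESS_RULES: List[Dict] = [                    # constructed
    {"host": "shop.example.com",
     "paths": [
         {"path": "/api", "pathType": "Prefix", "backend": ("api-svc", 8080)},
         {"path": "/",    "pathType": "Prefix", "backend": ("web-svc", 80)},
     ]},
    {"host": "admin.example.com",
     "paths": [
         {"path": "/login", "pathType": "Exact", "backend": ("auth-svc", 8443)},
     ]},
]
DEFAULT_BACKEND: Backend = ("default-http-backend", 80)


def l4_route(dst_port: int) -> Optional[Backend]:
    """NodePort view: the destination port is all there is to go on."""
    return NODEPORT_TABLE.get(dst_port)


def path_matches(rule_path: str, path_type: str, request_path: str) -> bool:
    """Ingress path matching: Exact is string equality, Prefix is element-wise."""
    if path_type == "Exact":
        return rule_path == request_path
    rule_elems = [e for e in rule_path.split("/") if e]
    req_elems = [e for e in request_path.split("/") if e]
    return req_elems[:len(rule_elems)] == rule_elems


def l7_route(host: str, path: str,
             rules: List[Dict] = INGRESS_RULES,
             default: Backend = DEFAULT_BACKEND) -> Backend:
    """Ingress view: choose the backend by Host header and path.

    The Host header is client-controlled input, so it is normalised
    (port stripped, lower-cased) and anything unmatched goes to the
    default backend rather than to a guessed Service.
    """
    host = host.split(":")[0].lower()
    best: Optional[Tuple[int, Backend]] = None
    for rule in rules:
        if rule["host"] != host:
            continue
        for p in rule["paths"]:
            if path_matches(p["path"], p["pathType"], path):
                score = len(p["path"])          # longest rule path wins
                if best is None or score > best[0]:
                    best = (score, p["backend"])
    return best[1] if best else default


if __name__ == "__main__":
    print("L4 :30081          ->", l4_route(30081))
    print("L7 shop /api/v1    ->", l7_route("shop.example.com", "/api/v1/items"))
    print("L7 shop /apiary    ->", l7_route("shop.example.com", "/apiary"))
    print("L7 admin /login/   ->", l7_route("admin.example.com", "/login/"))
    print("L7 unknown host    ->", l7_route("evil.example.com", "/api"))
```

The "/apiary" and "/login/" cases are the ones that catch people: a naive startswith() prefix check would send "/apiary" to the API Service, and an Exact rule deliberately does not match a trailing slash.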
Eight isolation dimensions
Cluster scheduling in k8s needs a matching scheduling strategy at every level, from coarse-grained isolation at the top to fine-grained isolation at the bottom.
Nine Network model principles
The k8s network model follows 4 basic principles, 3 network requirement principles, 1 architecture principle and 1 IP principle.
Each pod has its own IP address, and all pods are assumed to sit in one flat, directly connected network space: any pod can be reached at its IP whether or not it runs on the same node. Nothing in this model restricts pod-to-pod traffic by itself; segmentation has to come from NetworkPolicy objects or an external firewall.
In k8s the pod IP is the smallest unit of IP allocation. All containers in a pod share one network stack; this is the IP-per-pod model.
The pod's IP is in practice handed out by the docker0 bridge on the node (in the Docker era); the IP and ports seen inside the pod are the same as those seen from outside. Containers in the same pod share the network and can reach each other's ports over localhost, much like different processes in one VM.
Under the IP-per-pod model, for port allocation, name resolution, service discovery, load balancing and application configuration, a pod can be treated as a standalone VM or physical machine.
All containers can communicate with all other containers without NAT.
All nodes can communicate with all containers without NAT, and vice versa.
The address a container sees for itself is the address everyone else sees for it.
Architecture principle: the network follows the layered architecture in the original diagram (figure omitted).
IP principle: the IP concepts are derived from that architecture, from outside the cluster inward.
Ten types of IP addresses
IP addresses fall into five classes, A to E, and there are five special-purpose kinds.
1. Class A
1.0.0.0 to 126.255.255.255 (0/8 and 127/8 are reserved); default mask /8, that is 255.0.0.0.
2. Class B
128.0.0.0 to 191.255.255.255; default mask /16, that is 255.255.0.0.
3. Class C
192.0.0.0 to 223.255.255.255; default mask /24, that is 255.255.255.0.
4. Class D
224.0.0.0 to 239.255.255.255; used for multicast.
5. Class E
240.0.0.0 to 255.255.255.255 (255.255.255.255 is the limited broadcast address); reserved for research.
6. 0.0.0.0
Strictly speaking 0.0.0.0 is not a real IP address. It stands for a set: every host and destination network that is "unknown", meaning the local routing table has no specific entry saying how to reach it. It is therefore used as the default route.
7. 127.0.0.1
The loopback address, the local host itself (the whole 127.0.0.0/8 block loops back).
8. 224.0.0.1
A multicast address, the "all hosts" group. If your host runs IRDP (ICMP Router Discovery Protocol, which uses multicast), this route will be in its routing table.
9. 169.254.x.x
Link-local addresses. When a host that obtains its IP via DHCP cannot reach the DHCP server, or the server does not answer within the system's timeout, the system assigns itself an address in this range; it is a sign that the network is not working properly.
10. 10.x.x.x, 172.16.x.x to 172.31.x.x, 192.168.x.x
Private addresses (RFC 1918), heavily used inside enterprises. They are reserved so that internal addressing never collides with the public Internet and is not routed onto it.
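The ten categories above as a classifier, added here as an example (not code from the original post), using only the standard ipaddress module. The last function makes the k8s connection: pod and ClusterIP ranges are normally carved out of RFC 1918 space (the page's own 10.0.0.11 is a class A private address), so "private" means "not routed on the Internet", not "trusted"; the input addresses are chosen for the example.

```python
"""Added example: classful range and special-purpose category of an IPv4 address."""
import ipaddress
from typing import Tuple

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ALL_HOSTS_MCAST = ipaddress.ip_address("224.0.0.1")


def ip_class(addr: ipaddress.IPv4Address) -> str:
    """Classful range from the first octet (default masks /8, /16, /24)."""
    first = int(addr) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def special_purpose(addr: ipaddress.IPv4Address) -> str:
    """The special-purpose kinds listed above; 'public' if none applies.

    Checks are ordered from most to least specific on purpose: the
    module's own is_private flag is true for 0/8, 127/8 and 169.254/16
    as well, which is not what the list above means by 'private'.
    """
    if addr == UNSPECIFIED:
        return "unspecified / default route"
    if addr == LIMITED_BROADCAST:
        return "limited broadcast"
    if addr in LOOPBACK:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local (APIPA, DHCP failed)"
    if addr == ALL_HOSTS_MCAST:
        return "all-hosts multicast group"
    if addr.is_multicast:
        return "multicast"
    if any(addr in net for net in RFC1918):
        return "private (RFC 1918)"
    return "public"


def classify(text: str) -> Tuple[str, str]:
    """Return (class letter, special-purpose category) for a dotted-quad."""
    addr = ipaddress.ip_address(text)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return ip_class(addr), special_purpose(addr)


def is_internet_routable(text: str) -> bool:
    """True only for plain public unicast addresses."""
    return classify(text)[1] == "public"


if __name__ == "__main__":
    for sample in ("10.0.0.11", "172.31.255.254", "192.168.1.1", "0.0.0.0",
                   "127.0.0.1", "224.0.0.1", "169.254.10.10",
                   "255.255.255.255", "8.8.8.8"):
        print(f"{sample:>16}  class {classify(sample)[0]}  {classify(sample)[1]}")
```

Note the 172.16/12 boundary: 172.31.255.254 is private but 172.32.0.1 is public, a detail the "172.16.x.x to 172.31.x.x" notation hides.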
Connecting hundreds of product lines, deploying thousands of physical machines, hosting tens of thousands of containers and serving hundreds of millions of requests a day is our near-term goal. Teams across Meituan-Dianping are welcome to try it out (^__^)
About the author
Xiao Jing graduated from the Department of Computer Science at Northeastern University at the age of 20. At the first company after graduation, thanks to an outstanding talent for languages, the author learned Japanese from scratch in one year, passed the international Japanese Level 1 examination with a very high score, and then worked for two years as a Japanese translator. After joining Renren, the author moved into Internet development. The author is a graduate student in psychology at the Chinese Academy of Sciences, holds nearly a hundred technical invention patents, has been a start-up partner, has technical support experience in Tokyo and Silicon Valley, and is currently a technical expert at Meituan-Dianping (follow Jing'er's personal tech account: Programming Life). For more from the heart, see the author's "New automation management training".
The numeral letter: Kubernetes (k8s) basics (Docker container technology)