2. Who am I?
이어형 (a.k.a 어형부형)
Currently at LINE: designing, developing and operating cloud native services on Kubernetes
Previously at kakao: designing, developing and operating a private cloud on OpenStack (7+ projects)
Previously at kt: designing, developing and operating public cloud storage on OpenStack Swift
11. -- Chad Fowler - Trash Your Servers and Burn Your Code: Immutable Infrastructure and Disposable Components
"One of the things I fear most as a system administrator is a server that has been around for a long time and has had its system and applications upgraded many times.
Why? Because an old system inevitably grows problems that nobody can see."
17. A deployment can fail because of external factors
The external repository is broken or unreachable, a package has disappeared, and so on
$ curl -v https://kubernetes-helm.storage.googleapis.com/helm-v2.6.2-linux-amd64.tar.gz
* Trying 172.217.25.208...
* TCP_NODELAY set
* Connection failed
* connect to 172.217.25.208 port 443 failed: Connection refused
* Failed to connect to kubernetes-helm.storage.googleapis.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to kubernetes-helm.storage.googleapis.com port 443: Connection refused
Today's deployment can fail unpredictably, and the failure may not be reproducible in stage
18. Rollback is hard
Most rollbacks need corresponding inverse code
If a file was created, you need code that deletes that file
If a file was updated, you need code that returns the file to its pre-update state
Writing rollback code alongside every piece of code is unrealistic
So in the end the inverse of the change is done by hand
The result is a snowflake server
19. The more procedural the structure, the more likely a specific event is silently skipped after a failure
1. First run
A (changes a file)
B (event with a problem) X fails
C (restart the process when A changed the file) is never executed because the run failed
2. Later runs
A (the file is already changed, so nothing changes and the C event is not triggered)
B (the problematic event, but this time it succeeds)
C (not triggered, because A did not change anything)
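The skipped-handler problem above, modelled as an added example (this is not code from the slides): step A writes a config file, step B may fail, and step C restarts the process. When C is triggered by A's "changed" flag, a single failure of B loses the restart forever; when C is decided from observed state (the digest of the config the process is running versus the digest on disk) the restart still happens on the next run. The in-memory `Host`, the file path and the config bytes are constructed for the example.

```python
"""Change-triggered vs state-based handlers in a procedural config run.

Added example, not from the original slides.  The Host object, the file
path and the config contents below are constructed for illustration.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Host:
    """Constructed in-memory host: a file map plus a running process that
    remembers the digest of the config it loaded at its last (re)start."""

    def __init__(self):
        self.files = {}
        self.running_config = None
        self.restarts = 0


def step_a(host, path, content):
    """Idempotent file write; returns True only when the file changed."""
    if host.files.get(path) == content:
        return False
    host.files[path] = content
    return True


def step_c(host, path):
    """Restart: the process picks up whatever is on disk right now."""
    host.running_config = digest(host.files[path])
    host.restarts += 1


def run_change_triggered(host, b_fails, path, content):
    """Procedural run as on the slide: C fires only in a run where A
    reported a change AND B succeeded.  Returns True if the run completed."""
    changed = step_a(host, path, content)
    if b_fails:
        return False          # B raised; the rest of the run is abandoned
    if changed:
        step_c(host, path)
    return True


def run_state_based(host, b_fails, path, content):
    """Same steps, but the restart is derived from observed state
    (running digest vs on-disk digest), not from A's change flag."""
    step_a(host, path, content)
    if b_fails:
        return False
    if host.running_config != digest(host.files[path]):
        step_c(host, path)
    return True


def simulate(runner):
    """Run 1 with B failing, run 2 with B succeeding.
    Returns (number of restarts, process is running the current config)."""
    host = Host()
    host.files["/etc/app.conf"] = b"old"
    host.running_config = digest(b"old")
    runner(host, True, "/etc/app.conf", b"new")    # first run: B fails
    runner(host, False, "/etc/app.conf", b"new")   # later run: B succeeds
    current = host.running_config == digest(host.files["/etc/app.conf"])
    return host.restarts, current


if __name__ == "__main__":
    print("change-triggered:", simulate(run_change_triggered))  # (0, False)
    print("state-based:     ", simulate(run_state_based))       # (1, True)
```

The change-triggered runner ends with the file updated but the process still serving the old config, and no later run will ever notice; the state-based runner converges on the second run. The same reasoning is why an immutable image that is rebuilt and replaced whole avoids the problem entirely: there is no "changed" event to lose.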
31. unikernel
-- What are Unikernels - unikernel.org
-- Alfred Bratterud - #includeOS
From https://mjbright.github.io/Talks/2017-Jul-RMLL-Unikernels-WhatUsage/#5
"Unikernels are specialized, single-address-space machine images constructed by using library operating systems"
"VMs are not heavy. The OS is."
35. Unikernels still need to become more usable
Technology: Unikernels
Cons:
- Not mature enough yet for production
- Requires developing applications from the ground up
- Limited deployment possibilities
- Lack of complete IDE support
- Static resource allocation
- Lack of orchestration tools
From https://github.com/cetic/unikernels
37. A toolkit for building custom minimal, immutable Linux distributions.
38. Secure defaults without compromising usability
The OS is assembled only from the container images you specify, which is good for security
Everything is replaceable and customisable
Every part is a container, so changing or replacing a component is very easy
Immutable infrastructure applied to building Linux distributions
The rootfs generated from code is immutable (read-only filesystem)
It is a custom Linux distribution
39. Completely stateless, but persistent storage can be attached
Code and data are separated; data lives on additional storage (or a disk)
Easy tooling, with easy iteration
Building, deploying and so on are simple
Built with containers, for running containers
It is built from containers and it runs containers
40. Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
Designed for building and running clustered applications
Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
Tries to carry over the experience of using Docker as-is
Designed to be managed by external tooling, such as Infrakit or similar tools
Integrates with the external ecosystem
43. linuxkit command
$ linuxkit --help
USAGE: linuxkit [options] COMMAND
Commands:
build Build an image from a YAML file
metadata Metadata utilities
pkg Package building
push Push a VM image to a cloud or image store
run Run a VM image on a local hypervisor or remote cloud
serve Run a local http server (for iPXE booting)
version Print version information
help Print this message
Run 'linuxkit COMMAND --help' for more information on the command
Options:
-q Quiet execution
-v Verbose execution
44. Main linuxkit commands
Commands:
build Build an image from a YAML file
pkg Package building
push Push a VM image to a cloud or image store
run Run a VM image on a local hypervisor or remote cloud
45. linuxkit build
$ linuxkit build
Please specify a configuration file
USAGE: linuxkit build [options] <file>[.yml] | -
Options:
-dir string
Directory for output files, default current directory
-disable-content-trust
Skip image trust verification specified in trust section of config (default false)
-format value
Formats to create [ aws docker dynamic-vhd gcp iso-bios iso-efi kernel+initrd
kernel+squashfs qcow2-bios qcow2-efi raw-bios raw-efi rpi3 tar tar-kernel-initrd vhd vmdk ]
-name string
Name to use for output files
-o string
File to use for a single output, or '-' for stdout
-pull
Always pull images
-size string
Size for output image, if supported and fixed size (default "1024M")
50. onboot
onboot:
- name: dhcpcd
image: linuxkit/dhcpcd:v0.4
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
onboot are the system containers, executed sequentially in order.
They should terminate quickly when done.
51. service
services:
- name: getty
image: linuxkit/getty:44730fd0a7c59dbacf5b48b54ba33f551bcf7ef0
env:
- INSECURE=true
- name: redis
image: redis:4.0.5-alpine
capabilities:
- CAP_NET_BIND_SERVICE
- ...
net: host
services are the system services, which normally run for the whole time the system is up
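A policy check over the onboot/services definitions on the two slides above, as an added example (not code from the slides or from the LinuxKit project). The rules are this example's own review checklist, not LinuxKit's: images pinned by mutable tag rather than `@sha256:` digest, the getty `INSECURE=true` flag (which LinuxKit's getty package uses to allow a console login without a password), `net: host`, near-root capabilities, and a config with no `trust` section (the `-disable-content-trust` build flag shown earlier skips verification of exactly that section, so without it nothing is verified). The slide's YAML is transcribed as a Python structure so the check runs without PyYAML; the elided `- ...` capabilities are not reproduced, the hardened variant's digests are all-zero placeholders, and the shape of its `trust` section is an assumption.

```python
"""Review checklist for a LinuxKit-style onboot/services config.

Added example, not from the slides or from LinuxKit.  SLIDE_CONFIG mirrors
the YAML on the slides; HARDENED_CONFIG is a constructed counterpart with
placeholder digests (not real image digests) and an assumed trust section.
"""
import re

# Only a digest reference is immutable; any tag (v0.4, 4.0.5-alpine, a git hash) can be re-pointed.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Capabilities that hand a service most of root's power (constructed list, not exhaustive).
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO"}

SLIDE_CONFIG = {
    "onboot": [
        {"name": "dhcpcd", "image": "linuxkit/dhcpcd:v0.4",
         "command": ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]},
    ],
    "services": [
        {"name": "getty",
         "image": "linuxkit/getty:44730fd0a7c59dbacf5b48b54ba33f551bcf7ef0",
         "env": ["INSECURE=true"]},
        {"name": "redis", "image": "redis:4.0.5-alpine",
         "capabilities": ["CAP_NET_BIND_SERVICE"], "net": "host"},
    ],
}

FAKE_DIGEST = "@sha256:" + "0" * 64   # placeholder, not a real digest

HARDENED_CONFIG = {
    "trust": {"org": ["linuxkit"]},   # assumed shape of the build-time trust section
    "onboot": [
        {"name": "dhcpcd", "image": "linuxkit/dhcpcd" + FAKE_DIGEST,
         "command": ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]},
    ],
    "services": [
        {"name": "getty", "image": "linuxkit/getty" + FAKE_DIGEST},   # no INSECURE=true
        {"name": "redis", "image": "redis" + FAKE_DIGEST,
         "capabilities": ["CAP_NET_BIND_SERVICE"]},                   # no net: host
    ],
}


def audit(config):
    """Return a list of human-readable findings; an empty list means the config passes."""
    findings = []
    if "trust" not in config:
        findings.append("build: no 'trust' section, so image trust verification has nothing to verify")
    for section in ("onboot", "services"):
        for c in config.get(section, []):
            where = f"{section}/{c.get('name', '?')}"
            image = c.get("image", "")
            if not DIGEST_RE.search(image):
                findings.append(f"{where}: image '{image}' is pinned by tag, not by digest")
            if "INSECURE=true" in c.get("env", []):
                findings.append(f"{where}: INSECURE=true allows a console login without a password")
            if c.get("net") == "host":
                findings.append(f"{where}: net: host shares the host network namespace")
            risky = DANGEROUS_CAPS & set(c.get("capabilities", []))
            if risky:
                findings.append(f"{where}: capabilities {sorted(risky)} are close to full root")
    return findings


if __name__ == "__main__":
    for finding in audit(SLIDE_CONFIG):
        print("FINDING", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the slide's config the check reports six findings (missing trust section, three tag-pinned images, the INSECURE getty and the host-networked redis); the hardened variant reports none. The digest rule is the one that matters most for the immutable-infrastructure argument of the talk: a tag-pinned image can silently change between two builds of the "same" YAML.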
52. linuxkit pkg
$ ls -l
total 12
-rw-r--r-- 1 al staff 469 5 17 01:49 Dockerfile
-rw-r--r-- 1 al staff 159 4 28 10:50 build.yml
-rw-r--r-- 1 al staff 1168 4 12 09:50 dhcpcd.conf
drwxr-xr-x 3 al staff 96 4 12 09:50 usr
$ linuxkit pkg
USAGE: linuxkit pkg [subcommand] [options] [prefix]
'subcommand' is one of:
build
push
show-tag
$ linuxkit pkg build pkg/dhcpcd/
53. linuxkit pkg Dockerfile
$ cat Dockerfile
FROM linuxkit/alpine:1b05307ae8152e3d38f79e297b0632697a30c65c AS mirror
RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
RUN apk add --no-cache --initdb -p /out \
    alpine-baselayout \
    busybox \
    dhcpcd \
    musl
# Remove apk residuals
RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
FROM scratch
ENTRYPOINT []
CMD []
WORKDIR /
COPY --from=mirror /out/ /
COPY /dhcpcd.conf /usr/ /
CMD ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf"]
57. linuxkit run
$ linuxkit run --help
USAGE: linuxkit run [backend] [options] [prefix]
'backend' specifies the run backend.
If not specified the platform specific default will be used
Supported backends are (default platform in brackets):
aws
azure
gcp
hyperkit [macOS]
hyperv [Windows]
openstack
packet
qemu [linux]
vbox
vcenter
vmware
59. How does it differ from container OSes?
Compared with RancherOS, CoreOS and Atomic it is leaner
And linuxkit can be used to build custom distributions of such container OSes
https://github.com/rancher/os/issues/2156
76. self hosting k8s
Turning the master node's static pods into DaemonSets and Deployments makes node management and cluster lifecycle management smoother
$ kubectl -n kube-system get deployments
NAME                      DESIRED   CURRENT
kube-controller-manager   2         2
kube-dns                  1         1
kube-scheduler            2         2
$ kubectl -n kube-system get daemonsets
NAME             DESIRED   CURRENT   NODE SELECTOR
kube-apiserver   1         1         node-role.kubernetes.io/master=
$ kubectl -n kube-system get secrets
NAME                      TYPE
kube-apiserver            Opaque
kube-controller-manager   Opaque
77. self hosting in kubeadm
# kubeadm alpha phase selfhosting --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase selfhosting [command]
Aliases:
selfhosting, selfhosted, self-hosting
Available Commands:
convert-from-staticpods Converts a static Pod-hosted control plane into a self-hosted one
Use "kubeadm alpha phase selfhosting [command] --help" for more information about a command.
85. So is Kubernetes itself immutable?
Let's also burn old kubernetes.
Delete the old k8s cluster and sync (not migrate) the data into a new one
federation
https://kubernetes.io/docs/concepts/cluster-administration/federation/