浅析docker, kubernets规范及实现

没有规矩，不成方圆， 所有的事物都是有迹可循；在容器的世界里也不例外。现在，我们就从规范入手来简单的梳理一下docker, kubernets。

开源容器的业界规范

目前，容器的开源标准是OCI。在介绍OCI之前，我们先聊聊它的前世appc。虽然appc已经不玩了，但是并不意味着它没有意义。OCI规范很多都是从appc那边一脉相承的，所以多看看，了解一下也是很有帮助。

APPC

The App Container (appc) is an open specification that defines several aspects of how to run applications in containers: an image format, runtime environment, and discovery protocol.

appc 主要定义了下面三个方面的协议。

1. The App Container Image format (ACI)
2. The App Container Executor (ACE)
3. App Container Image Discovery

这个规范的实现可以参考下面的产品列表。

Mature implementations of appc

• Jetpack - FreeBSD/Go
• Kurma - Linux/Go
• rkt - Linux/Go -> A security-minded, standards-based container engine

Partial implementations of appc

• libappc - C++ library
• Nose Cone - Linux/C++

OCI

Open Container Initiative (OCI) is an open governance structure for the express purpose of creating open industry standards around container formats and runtime.

Open Container Initiative (OCI)主要包括下面两个方面：

1. OCI Image Format Specification 对应于ACI
2. OCI Runtime Specification 对应于ACE

OCI的实现

• runC, which is donated by Docker Inc and is on the top of libcontainer。
  相对于docker, runC是更加轻量级的运行时，并且支持容器热迁移。 下图为runC的运行原理：

• containerd. It was initiated by Docker Inc and fully leverages run to meet the OCI. The following is the architecture chart of containerd:

  
  • Using plugin cri-containerd to support Kubernetes

• LXD which is a next generation system container manager and is built on the top of LXC.

上面几个实现的互相依赖关系如下：

• containerd –> runC –> libcontainer
• lxd –> lxc

Kubernetes的接口规范

Kubernetes 定义了以下的规范，这样可以灵活切换支持不同的runtime engine， virtual network 及 storage。

CRI: Container Runtime Interface consists of a protofbuf API, specifications/requirements and libraries for container runtimes to integrate with kubelet on a node.

对于这个runtime规范，目前有以下的实现。这就意味着kubernets的runtime可以有下面的替代：

• cri-o OCI conformant runtimes.
• rktlet the rkt container runtime.
• frakti hypervisor-based container runtimes.
• docker CRI shim –> Kubernetes default implementation.

  [k8s@iml11 ~]$ kubectl version Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-17T18:53:20Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-17T18:43:26Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"} [root@iml11 linux-amd64]# ps -ef|grep docker root 7189 2083 0 Aug03 ? 00:00:06 /usr/bin/docker-containerd-shim-current 3389a4aafa8188545b8f501143ac75344d2558204bcf5823c0fc568ccb775827 /var/run/docker/libcontainerd/3389a4aafa8188545b8f501143ac75344d2558204bcf5823c0fc568ccb775827 /usr/libexec/docker/docker-runc-current root 22095 2083 0 Aug09 ? 00:00:05 /usr/bin/docker-containerd-shim-current 473e9a6f97817a79091c49a282fe9b4d6db66d1f495ce555fe53078dbc109146 /var/run/docker/libcontainerd/473e9a6f97817a79091c49a282fe9b4d6db66d1f495ce555fe53078dbc109146 /usr/libexec/docker/docker-runc-current root 22273 2083 0 Aug09 ? 01:20:42 /usr/bin/docker-containerd-shim-current 0e24b9c7dce08d37f951ddb721b6895861a167e7f64ce401f392f34d5defbb47 /var/run/docker/libcontainerd/0e24b9c7dce08d37f951ddb721b6895861a167e7f64ce401f392f34d5defbb47 /usr/libexec/docker/docker-runc-current

如果在配置运行kubernets时，底层运行引擎不使用docker，可以通过cri-containerd进行切换。架构如下图所示：

同样我们可以使用crictl去和container交互。

[root@iml11 ~]# crictl -h
NAME:
   crictl - client for CRI

USAGE:
   crictl [global options] command [command options] [arguments...]

VERSION:
   1.11.0

COMMANDS:
     attach        Attach to a running container
     create        Create a new container
     exec          Run a command in a running container
     version       Display runtime version information
     images        List images
     inspect       Display the status of one or more containers
     inspecti      Return the status of one or more images
     inspectp      Display the status of one or more pods
     logs          Fetch the logs of a container
     port-forward  Forward local port to a pod
     ps            List containers
     pull          Pull an image from a registry
     runp          Run a new pod
     rm            Remove one or more containers
     rmi           Remove one or more images
     rmp           Remove one or more pods
     pods          List pods
     start         Start one or more created containers
     info          Display information of the container runtime
     stop          Stop one or more running containers
     stopp         Stop one or more running pods
     update        Update one or more running containers
     config        Get and set crictl options
     stats         List container(s) resource usage statistics
     completion    Output bash shell completion code
     help, h       Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config value, -c value            Location of the client config file (default: "/etc/crictl.yaml") [$CRI_CONFIG_FILE]
   --debug, -D                         Enable debug mode
   --image-endpoint value, -i value    Endpoint of CRI image manager service [$IMAGE_SERVICE_ENDPOINT]
   --runtime-endpoint value, -r value  Endpoint of CRI container runtime service (default: "unix:///var/run/dockershim.sock") [$CONTAINER_RUNTIME_ENDPOINT]
   --timeout value, -t value           Timeout of connecting to the server (default: 10s)
   --help, -h                          show help
   --version, -v                       print the version
[root@iml11 ~]#

CNI: Container Network Interface is a Cloud Native Computing Foundation project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins.

对于网络层，可以参考下面的第三方实现：

CSI: Container Storage Interface will enable storage vendors (SP) to develop a plugin once and have it work across a number of container orchestration (CO) systems.

对于存储层，目前至少有以下的实现：

• Sample Drivers

• Production Drivers

Refer to:

• https://containerd.io
• https://linuxcontainers.org/
• https://coreos.com/rkt/docs/latest/app-container.html
• https://kubernetes-csi.github.io/docs/Drivers.html
• http://www.infoq.com/cn/news/2017/02/Docker-Containerd-RunC
• http://dockone.io/article/776
• https://www.infoq.com/presentations/cri-runtime-kubernetes?utm_source=presentations_about_Containers&utm_medium=link&utm_campaign=Containers
• https://github.com/containernetworking/cni

• ← Previous Post
• Next Post →