一次calico-kube-controllers 一直处于创建中引发的后续
背景:
由于课程代码都是基于amd64架构进行编写的,这将导致我的主力机arm64架构机器无法顺利进行实验内容,因此我得在x64的机器上进行实验内容,先是需要搭建K8S环境,此处省略搭建步骤,在我进行kubeadm init操作后,发现镜像拉取一直不成功,镜像地址我写的是默认从K8S官方地址拉取镜像的(这里提一下为什么不写国内镜像地址的原因,原因在于国内镜像仓库更新速度过慢,有时候拉取一些images时会找不到),于是我在我的宿主机开启了代理启用了全局代理模式,发现我的K8S集群仍是无法拉取镜像,提示TimeOut。
于是,我将流量转发配置写在了containerd.service文件内,如以下所示:
root@Y76-Master01-16-181:~# cat /usr/lib/systemd/system/containerd.service
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# 添加以下三行
Environment="HTTPS_PROXY=http://172.164.17.103:9999"
Environment="HTTP_PROXY=http://172.164.17.103:9999"
Environment="ALL_PROXY=socks5://172.164.17.103:9999"
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
添加代理后,再次进行kubeadm init 操作后,K8S的镜像能顺利被拉到本地中,即通过 crictl命令查看
root@Y76-Master01-16-181:~# crictl -r unix:///var/run/containerd/containerd.sock images
此处,集群组件状态一切正常,都处于Runing状态,于是我进行calico部署,calico-node Pod都处于Runing状态,唯独calico-kube-controllers Pod一直处于创建中,查看Pod详细信息
root@Y76-Master01-16-181:~# kubectl describe pod -n kube-system calico-kube-controllers-9449c44c5-v8ssv Normal Scheduled 72s default-scheduler Successfully assigned kube-system/calico-kube-controllers-57b57c56f-wz4wm to y76-node01-16-182 Warning FailedCreatePodSandBox 52s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "c0805304ad1009d138d00cad8b5a4d9ddfdd27b8d6a8a886d4df4690cace4452": plugin type="calico" failed (add): error getting ClusterInformation: Get "https://10.96.0.1:443/apis/crd.projectcalico.org/v1/clusterinformations/default": net/http: TLS handshake timeout Normal SandboxChanged 5s (x3 over 51s) kubelet Pod sandbox changed, it will be killed and re-created.
到此处,我进行了一系列排查,但没能解决calico-kube-controllers 状态问题,即使我创建新的Pod也是无法成功创建出来,报错如上图一致,当百思不得其解时,我将虚拟机都还原成原先的快照,填写了国内的镜像地址后进行kubeadm init时,能成功了将所有组件的Pod都Runing起来
思考:
仅仅是镜像地址不同,但却是两个结果,这不应该。我联想到了我一开始的proxy代理操作(即在containerd.service配置了代理),于是,我将虚拟机再次还原快照,重新填写K8S官方的镜像仓库地址,再次进行kubeadm 初始化时,遇到了同样问题,我将containrd.service的配置改成如下内容:
root@Y76-Master01-16-181:~# cat /usr/lib/systemd/system/containerd.service # Copyright The containerd Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. [Unit] Description=containerd container runtime Documentation=https://containerd.io After=network.target local-fs.target [Service] ExecStartPre=-/sbin/modprobe overlay ExecStart=/usr/bin/containerd Type=notify Delegate=yes KillMode=process Restart=always RestartSec=5 # 优化成以下内容 Environment="HTTPS_PROXY=http://172.164.17.103:9999" Environment="HTTP_PROXY=http://172.164.17.103:9999" Environment="NO_PROXY=localhost,127.0.0.1,172.16.0.0/12,10.96.0.0/12,10.244.0.0/16" # Having non-zero Limit*s causes performance problems due to accounting overhead # in the kernel. We recommend using cgroups to do container-local accounting. LimitNPROC=infinity LimitCORE=infinity LimitNOFILE=infinity # Comment TasksMax if your systemd version does not supports it. # Only systemd 226 and above support this version. TasksMax=infinity OOMScoreAdjust=-999 [Install] WantedBy=multi-user.target
随时将配置同步给其他节点且重启containerd服务
root@Y76-Master01-16-181:~# ansible all -m copy -a "src=/usr/lib/systemd/system/containerd.service dest=/usr/lib/systemd/system/containerd.service" root@Y76-Master01-16-181:~# ansible all -m shell -a "systemctl daemon-reload && systemctl restart containerd.service "
果不其然,Pod状态一切正常
root@Y76-Master01-16-181:~# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-9449c44c5-v8ssv 1/1 Running 0 92m calico-node-97qbc 1/1 Running 3 (38m ago) 6h1m calico-node-bl59h 1/1 Running 2 (178m ago) 6h1m calico-node-rzzq7 1/1 Running 2 (178m ago) 6h1m coredns-567c556887-8knp9 1/1 Running 3 (51m ago) 8h coredns-567c556887-dwg6d 1/1 Running 2 (178m ago) 8h etcd-y76-master01-16-181 1/1 Running 3 (178m ago) 8h kube-apiserver-y76-master01-16-181 1/1 Running 3 (178m ago) 8h kube-controller-manager-y76-master01-16-181 1/1 Running 6 (46m ago) 5h46m kube-proxy-88nd6 1/1 Running 2 (178m ago) 5h47m kube-proxy-vrgtp 1/1 Running 2 (178m ago) 5h47m kube-proxy-z5jmc 1/1 Running 2 (178m ago) 5h47m kube-scheduler-y76-master01-16-181 1/1 Running 6 (46m ago) 8h
总结:
在进行排错时,应当回想操作过程中自己执行了哪些操作,再排查问题时,应当细究自己做的操作会有怎样的影响,例如此次操作,我将proxy代理给了宿主机,这意味着我的Pod会把流量转发给宿主机,通过宿主机进行通信,而Pod要通信的对端IP地址正是我定义的Pod网段(10.96.0.0/12,10.244.0.0/16),这通过宿主机进行通信肯定是找不到对端的。
