K8s ecological weekly | docker v20.10.6 released, corrected the abnormal behavior of dind in k8s

Time: 2021-6-1

“K8s ecological weekly” mainly collects the news from the k8s ecosystem that I have come across during the week. Welcome to the Zhihu column “K8s ecology”.

Docker v20.10.6 released

More than a month after the previous version, docker recently released v20.10.6, and Docker Desktop also released a new version. This release not only brings M1 support, but also a lot of noteworthy content. Let’s have a look!

CLI and builder

Before docker v1.7, after running docker login the docker CLI stored the credentials in the ~/.dockercfg configuration file. Since v1.7, docker has used the new configuration file ~/.docker/config.json; to maintain compatibility, docker has supported both configuration files at the same time.

Starting with this version, if ~/.dockercfg is still in use, a warning line is printed reminding users that this configuration file will be removed in a later version and that they should switch to the new configuration file path and format.

In addition, starting from this version, if you are using the legacy builder and the Dockerfile contains instructions or parameters it does not support, you will be prompted to use BuildKit to complete the build. This is a further step by the docker community toward making BuildKit the default builder.

Logging

#42174 · moby/moby fixed the "io: unexpected EOF" error in docker v20.10 when using the default json-file log driver.

In actual testing, this problem is easy to reproduce when a large volume of logs is written continuously.

Network

This version fixes the problem in v20.10 where iptables rules were not cleaned up automatically when a container stopped. It also fixes the problem that the docker inspect API did not return IPv6 address information by default, even though, on a host with an IPv6 network, an exposed port was reachable over both IPv4 and IPv6.

Other

In this version, when docker CE is installed from the official docker package repositories, the docker scan plugin package is recommended for installation by default. It is a docker CLI plugin that can be used to scan images for vulnerabilities.

I introduced this plugin in a previous K8s ecological weekly. It first appeared in Docker Desktop, and it is very convenient.

In addition, this version also resolves a serious problem. Although the problem is not caused by docker itself, it is triggered when running docker in docker (dind), so it deserves some extra explanation here.

When docker in docker v20.10 is used in kubernetes, the kubernetes QoS mechanism comes into play: it determines the scheduling and eviction priority of a pod, and in practice kubelet sets the pod’s oom_score_adj to decide when it gets OOM-killed. For container resource management, please refer to my previous article “Talking about container resource management”.

If a pod has BestEffort QoS, kubernetes sets its oom_score_adj to 1000. However, containerd’s AdjustOOMScore function sets the shim’s oom_score_adj to its parent’s value plus 1, so that the parent keeps a lower score than the shim and is not OOM-killed first. This results in the following error message:

docker: Error response from daemon: io.containerd.runc.v2: failed to adjust OOM score for shim: set shim OOM score: write /proc/211/oom_score_adj: invalid argument

As mentioned above, BestEffort QoS sets this value to 1000, which is its maximum; adding 1 to it naturally fails.

The corresponding correction method is as follows:

diff --git a/sys/oom_unix.go b/sys/oom_unix.go
index d49d5bc8d..c381e1a7e 100644
--- a/sys/oom_unix.go
+++ b/sys/oom_unix.go
@@ -26,8 +26,12 @@ import (
        "strings"
 )

-// OOMScoreMaxKillable is the maximum score keeping the process killable by the oom killer
-const OOMScoreMaxKillable = -999
+const (
+       // OOMScoreMaxKillable is the maximum score keeping the process killable by the oom killer
+       OOMScoreMaxKillable = -999
+       // OOMScoreAdjMax is from OOM_SCORE_ADJ_MAX https://github.com/torvalds/linux/blob/master/include/uapi/linux/oom.h
+       OOMScoreAdjMax = 1000
+)

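Review bot: the comment on OOMScoreAdjMax links to include/uapi/linux/oom.h on master, which can move; pin the link to a tag or commit so the reference stays verifiable. Since the companion constant OOMScoreMaxKillable = -999 now sits in the same block, a one-line comment noting that OOMScoreAdjMax is the kernel’s hard upper bound (writes above it fail with "invalid argument") while OOMScoreMaxKillable is containerd’s own policy value would keep the two from being confused.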
diff --git a/runtime/v2/shim/util_unix.go b/runtime/v2/shim/util_unix.go
index 2b0d0ada3..9fb7cc573 100644
--- a/runtime/v2/shim/util_unix.go
+++ b/runtime/v2/shim/util_unix.go
@@ -53,6 +53,7 @@ func SetScore(pid int) error {

 // AdjustOOMScore sets the OOM score for the process to the parents OOM score +1
 // to ensure that they parent has a lower* score than the shim
+// if not already at the maximum OOM Score
 func AdjustOOMScore(pid int) error {
        parent := os.Getppid()
        score, err := sys.GetOOMScoreAdj(parent)
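Review bot: the added comment line is appended to a sentence that already reads awkwardly ("they parent has a lower* score than the shim"); since this change touches the doc comment anyway, fix "they" to "the" and drop or explain the stray asterisk, for example "// AdjustOOMScore sets the shim's OOM score to the parent's OOM score +1, unless the parent is already at the maximum, so that the parent has a lower score than the shim."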
@@ -60,6 +61,9 @@ func AdjustOOMScore(pid int) error {
                return errors.Wrap(err, "get parent OOM score")
        }
        shimScore := score + 1
+       if shimScore > sys.OOMScoreAdjMax {
+               shimScore = sys.OOMScoreAdjMax
+       }
        if err := sys.SetOOMScore(pid, shimScore); err != nil {
                return errors.Wrap(err, "set shim OOM score")
        }
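Review bot: the clamp at `if shimScore > sys.OOMScoreAdjMax` fixes the failing write, but when the parent is already at 1000 the shim ends up with the same score as its parent, so the ordering guarantee the doc comment promises no longer holds in that case; consider a debug-level log when clamping occurs, and add a unit test for a parent score of 1000 (and for -999, the OOMScoreMaxKillable case) to pin both paths down.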

As you can see, in AdjustOOMScore, if the adjusted oom_score_adj would exceed the system’s maximum value, it is set to that maximum instead.
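To make the failure mode and the fix concrete, here is an added example (written for this post, not code from containerd or docker) that models the kernel’s range check on a write to /proc/&lt;pid&gt;/oom_score_adj and compares the old "parent + 1" computation with the clamped one. The ParseOOMScoreAdj, ShimScoreUnclamped, ShimScoreClamped and WriteOOMScoreAdj names are assumptions of this example, and no real /proc file is touched.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Kernel bounds for /proc/<pid>/oom_score_adj (OOM_SCORE_ADJ_MIN / OOM_SCORE_ADJ_MAX).
const (
	OOMScoreAdjMin = -1000
	OOMScoreAdjMax = 1000
)

// ParseOOMScoreAdj parses the text read from /proc/<pid>/oom_score_adj ("1000\n").
func ParseOOMScoreAdj(raw string) (int, error) {
	return strconv.Atoi(strings.TrimSpace(raw))
}

// ShimScoreUnclamped reproduces the pre-fix behaviour: parent score + 1, no range check.
func ShimScoreUnclamped(parent int) int { return parent + 1 }

// ShimScoreClamped reproduces the fixed behaviour: parent score + 1, capped at the maximum.
func ShimScoreClamped(parent int) int {
	s := parent + 1
	if s > OOMScoreAdjMax {
		s = OOMScoreAdjMax
	}
	return s
}

// ErrInvalidArgument stands in for the EINVAL the kernel returns for an out-of-range write.
var ErrInvalidArgument = errors.New("invalid argument")

// WriteOOMScoreAdj models the kernel's range check (constructed model, no real /proc access).
func WriteOOMScoreAdj(score int) error {
	if score < OOMScoreAdjMin || score > OOMScoreAdjMax {
		return fmt.Errorf("write oom_score_adj: %w", ErrInvalidArgument)
	}
	return nil
}

func main() {
	parent, _ := ParseOOMScoreAdj("1000\n") // constructed: a BestEffort pod's parent process
	fmt.Println("unclamped:", WriteOOMScoreAdj(ShimScoreUnclamped(parent)))
	fmt.Println("clamped:  ", WriteOOMScoreAdj(ShimScoreClamped(parent)))
}
```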

If containerd and docker in docker are used in the production environment, it is recommended to upgrade to this version.

Well, the above is what deserves attention in this version. For more detailed changes, please check the ReleaseNote.

kube-state-metrics v2.0 released

Most people who work on kubernetes cluster monitoring are familiar with this project. kube-state-metrics generates Prometheus-format metrics from the state of kubernetes resources, which goes a long way toward meeting our needs for cluster observability.

This version mainly renames some metrics to a more standard and unified format.

At the same time, the image location has moved from quay.io to k8s.gcr.io/kube-state-metrics/kube-state-metrics.

For more changes in this release, see its ReleaseNote.

Upstream progress


Welcome to subscribe to my official account [MoeLove].
