cilium-agent DaemonSet startup flow

Table of contents

    • Overview
    • Architecture analysis
      • config
      • mount-cgroup
      • apply-sysctl-overwrites
      • mount-bpf-fs
      • clean-cilium-state
      • install-cni-binaries
      • cilium-agent
    • Summary
    • References

Overview

This article analyses the startup flow of cilium-agent, which runs as a DaemonSet on every node.

Architecture analysis

The following walks through the startup of cilium-agent from its init containers to the main workload container. First, look at the definition of the init containers.

initContainers:
- command:
  - cilium
  - build-config
  env:
  image: quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e
  imagePullPolicy: IfNotPresent
  name: config
  volumeMounts:
  - mountPath: /tmp
    name: tmp
- command:
  - sh
  - -ec
  - |
    cp /usr/bin/cilium-mount /hostbin/cilium-mount;
    nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
    rm /hostbin/cilium-mount
  env:
  - name: CGROUP_ROOT
    value: /run/cilium/cgroupv2
  - name: BIN_PATH
    value: /opt/cni/bin
  image: quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e
  imagePullPolicy: IfNotPresent
  name: mount-cgroup
  securityContext:
    capabilities:
      add:
      - SYS_ADMIN
      - SYS_CHROOT
      - SYS_PTRACE
      drop:
      - ALL
    seLinuxOptions:
      level: s0
      type: spc_t
  volumeMounts:
  - mountPath: /hostproc
    name: hostproc
  - mountPath: /hostbin
    name: cni-path
- command:
  - sh
  - -ec
  - |
    cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
    nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
    rm /hostbin/cilium-sysctlfix
  env:
  - name: BIN_PATH
    value: /opt/cni/bin
  image: quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e
  imagePullPolicy: IfNotPresent
  name: apply-sysctl-overwrites
  securityContext:
    capabilities:
      add:
      - SYS_ADMIN
      - SYS_CHROOT
      - SYS_PTRACE
      drop:
      - ALL
    seLinuxOptions:
      level: s0
      type: spc_t
  volumeMounts:
  - mountPath: /hostproc
    name: hostproc
  - mountPath: /hostbin
    name: cni-path
- args:
  - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
  command:
  - /bin/bash
  - -c
  - --
  image: quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e
  imagePullPolicy: IfNotPresent
  name: mount-bpf-fs
  securityContext:
    privileged: true
  volumeMounts:
  - mountPath: /sys/fs/bpf
    mountPropagation: Bidirectional
    name: bpf-maps
- command:
  - /init-container.sh
  env:
  - name: CILIUM_ALL_STATE
    valueFrom:
      configMapKeyRef:
        key: clean-cilium-state
        name: cilium-config
        optional: true
  - name: CILIUM_BPF_STATE
    valueFrom:
      configMapKeyRef:
        key: clean-cilium-bpf-state
        name: cilium-config
        optional: true
  - name: KUBERNETES_SERVICE_HOST
    value: 192.168.1.200
  - name: KUBERNETES_SERVICE_PORT
    value: "6443"
  image: quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e
  imagePullPolicy: IfNotPresent
  name: clean-cilium-state
  resources:
    requests:
      cpu: 100m
      memory: 100Mi
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
      - SYS_MODULE
      - SYS_ADMIN
      - SYS_RESOURCE
      drop:
      - ALL
    seLinuxOptions:
      level: s0
      type: spc_t
  volumeMounts:
  - mountPath: /sys/fs/bpf
    name: bpf-maps
  - mountPath: /run/cilium/cgroupv2
    mountPropagation: HostToContainer
    name: cilium-cgroup
  - mountPath: /var/run/cilium
    name: cilium-run
- command:
  - /install-plugin.sh
  image: quay.io/cilium/cilium:v1.14.4@sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e
  imagePullPolicy: IfNotPresent
  name: install-cni-binaries
  resources:
    requests:
      cpu: 100m
      memory: 10Mi
  securityContext:
    capabilities:
      drop:
      - ALL
    seLinuxOptions:
      level: s0
      type: spc_t
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: FallbackToLogsOnError
  volumeMounts:
  - mountPath: /host/opt/cni/bin
    name: cni-path

The volumes field shows that starting the Pod requires a number of host directories to exist or be created.

 volumes:
 - emptyDir: {}
   name: tmp
 - hostPath:
     path: /var/run/cilium
     type: DirectoryOrCreate
   name: cilium-run
 - hostPath:
     path: /sys/fs/bpf
     type: DirectoryOrCreate
   name: bpf-maps
 - hostPath:
     path: /proc
     type: Directory
   name: hostproc
 - hostPath:
     path: /run/cilium/cgroupv2
     type: DirectoryOrCreate
   name: cilium-cgroup
 - hostPath:
     path: /opt/cni/bin
     type: DirectoryOrCreate
   name: cni-path
 - hostPath:
     path: /etc/cni/net.d
     type: DirectoryOrCreate
   name: etc-cni-netd
 - hostPath:
     path: /lib/modules
     type: ""
   name: lib-modules
 - hostPath:
     path: /run/xtables.lock
     type: FileOrCreate
   name: xtables-lock
 - name: clustermesh-secrets
   projected:
     defaultMode: 256
     sources:
     - secret:
         name: cilium-clustermesh
         optional: true
     - secret:
         items:
         - key: tls.key
           path: common-etcd-client.key
         - key: tls.crt
           path: common-etcd-client.crt
         - key: ca.crt
           path: common-etcd-client-ca.crt
         name: clustermesh-apiserver-remote-cert
         optional: true
 - configMap:
     defaultMode: 420
     name: cni-configuration
   name: cni-configuration
 - hostPath:
     path: /proc/sys/net
     type: Directory
   name: host-proc-sys-net
 - hostPath:
     path: /proc/sys/kernel
     type: Directory
   name: host-proc-sys-kernel
 - name: hubble-tls
   projected:
     defaultMode: 256
     sources:
     - secret:
         items:
         - key: tls.crt
           path: server.crt
         - key: tls.key
           path: server.key
         - key: ca.crt
           path: client-ca.crt
         name: hubble-server-certs
         optional: true

Now look at the definition of the cilium-agent container itself.

      containers:
        - name: cilium-agent
          image: "quay.io/cilium/cilium:v1.14.4"
          imagePullPolicy: IfNotPresent
          command:
            - cilium-agent
          args:
            - --config-dir=/tmp/cilium/config-map
          startupProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
              port: 9879
              scheme: HTTP
              httpHeaders:
                - name: "brief"
                  value: "true"
            failureThreshold: 105
            periodSeconds: 2
            successThreshold: 1
          livenessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
              port: 9879
              scheme: HTTP
              httpHeaders:
                - name: "brief"
                  value: "true"
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
              port: 9879
              scheme: HTTP
              httpHeaders:
                - name: "brief"
                  value: "true"
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 5
          env:
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: CILIUM_CLUSTERMESH_CONFIG
              value: /var/lib/cilium/clustermesh/
            - name: KUBERNETES_SERVICE_HOST
              value: hh-k8s-noah-sc-staging001-master.api.vip.com
          lifecycle:
            postStart:
              exec:
                command:
                  - "bash"
                  - "-c"
                  - |
                    set -o errexit
                    set -o pipefail
                    set -o nounset
                    
                    # When running in AWS ENI mode, it's likely that 'aws-node' has
                    # had a chance to install SNAT iptables rules. These can result
                    # in dropped traffic, so we should attempt to remove them.
                    # We do it using a 'postStart' hook since this may need to run
                    # for nodes which might have already been init'ed but may still
                    # have dangling rules. This is safe because there are no
                    # dependencies on anything that is part of the startup script
                    # itself, and can be safely run multiple times per node (e.g. in
                    # case of a restart).
                    if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
                    then
                        echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
                        iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
                    fi
                    echo 'Done!'

            preStop:
              exec:
                command:
                  - /cni-uninstall.sh
          securityContext:
            seLinuxOptions:
              level: s0
              type: spc_t
            capabilities:
              add:
                - CHOWN
                - KILL
                - NET_ADMIN
                - NET_RAW
                - IPC_LOCK
                - SYS_MODULE
                - SYS_ADMIN
                - SYS_RESOURCE
                - DAC_OVERRIDE
                - FOWNER
                - SETGID
                - SETUID
              drop:
                - ALL
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            # Unprivileged containers need to mount /proc/sys/net from the host
            # to have write access
            - mountPath: /host/proc/sys/net
              name: host-proc-sys-net
              # /proc/sys/net
            # Unprivileged containers need to mount /proc/sys/kernel from the host
            # to have write access
            - mountPath: /host/proc/sys/kernel
              name: host-proc-sys-kernel
              # /host/proc/sys/kernel
            - name: bpf-maps
              mountPath: /sys/fs/bpf
              # /sys/fs/bpf
              # Unprivileged containers can't set mount propagation to bidirectional
              # in this case we will mount the bpf fs from an init container that
              # is privileged and set the mount propagation from host to container
              # in Cilium.
              mountPropagation: HostToContainer
            - name: cilium-run
              mountPath: /var/run/cilium
            - name: etc-cni-netd
              mountPath: /host/etc/cni/net.d
            - name: clustermesh-secrets
              mountPath: /var/lib/cilium/clustermesh
              readOnly: true
            - name: cni-configuration
              mountPath: /tmp/cni-configuration
              readOnly: true
              # Needed to be able to load kernel modules
            - name: lib-modules
              mountPath: /lib/modules
              # /lib/modules
              readOnly: true
            - name: xtables-lock
              mountPath: /run/xtables.lock
            - name: hubble-tls
              mountPath: /var/lib/cilium/tls/hubble
              readOnly: true
            - name: tmp
              mountPath: /tmp

From these definitions the following flowchart of the startup sequence can be derived.

[Figure: cilium-agent startup flowchart, from the init containers through to the cilium-agent container]

config

The config container runs the command below. Here cilium is the CLI client tool shipped by Cilium.

cilium build-config

The help output of the build-config subcommand:

# cilium build-config -h
Resolve all of the configuration sources that apply to this node

Usage:
  cilium build-config --node-name $K8S_NODE_NAME [flags]

Flags:
      --allow-config-keys strings        List of configuration keys that are allowed to be overridden (e.g. set from not the first source. Takes precedence over deny-config-keys
      --deny-config-keys strings         List of configuration keys that are not allowed to be overridden (e.g. set from not the first source. If allow-config-keys is set, this field is ignored
      --dest string                      Destination directory to write the fully-resolved configuration. (default "/tmp/cilium/config-map")
      --enable-k8s                       Enable the k8s clientset (default true)
      --enable-k8s-api-discovery         Enable discovery of Kubernetes API groups and resources with the discovery API
  -h, --help                             help for build-config
      --k8s-api-server string            Kubernetes API server URL
      --k8s-client-burst int             Burst value allowed for the K8s client
      --k8s-client-qps float32           Queries per second limit for the K8s client
      --k8s-heartbeat-timeout duration   Configures the timeout for api-server heartbeat, set to 0 to disable (default 30s)
      --k8s-kubeconfig-path string       Absolute path of the kubernetes kubeconfig file
      --node-name string                 The name of the node on which we are running. Also set via K8S_NODE_NAME environment. (default "master")
      --source strings                   Ordered list of configuration sources. Supported values: config-map:<namespace>/name - a ConfigMap with <name>, optionally in namespace <namespace>. cilium-node-config:<NAMESPACE> - any CiliumNodeConfigs in namespace <NAMESPACE>.  node:<NODENAME> - Annotations on the node. Namespace and nodename are optional (default [config-map:cilium-config,cilium-node-config:kube-system])

Global Flags:
      --config string   Config file (default is $HOME/.cilium.yaml)
  -D, --debug           Enable debug messages
  -H, --host string     URI to server-side API

Now check the container's logs. As the help output shows, the default destination directory is /tmp/cilium/config-map.

# k logs cilium-hms7c -c config
Running
level=info msg=Invoked duration=1.338661ms function="cmd.glob..func36 (build-config.go:32)" subsys=hive
level=info msg=Starting subsys=hive
level=info msg="Establishing connection to apiserver" host="https://192.168.1.200:6443" subsys=k8s-client
level=info msg="Connected to apiserver" subsys=k8s-client
level=info msg="Start hook executed" duration=17.191079ms function="client.(*compositeClientset).onStart" subsys=hive
level=info msg="Reading configuration from config-map:kube-system/cilium-config" configSource="config-map:kube-system/cilium-config" subsys=option-resolver
level=info msg="Got 106 config pairs from source" configSource="config-map:kube-system/cilium-config" subsys=option-resolver
level=info msg="Reading configuration from cilium-node-config:kube-system/" configSource="cilium-node-config:kube-system/" subsys=option-resolver
level=info msg="Got 0 config pairs from source" configSource="cilium-node-config:kube-system/" subsys=option-resolver
level=info msg="Start hook executed" duration=13.721533ms function="cmd.(*buildConfig).onStart" subsys=hive
level=info msg=Stopping subsys=hive
level=info msg="Stop hook executed" duration="20.722µs" function="client.(*compositeClientset).onStop" subsys=hive
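The help text above describes how build-config resolves an ordered list of sources and how --allow-config-keys and --deny-config-keys decide whether a later source may override a key. The Go program below is an added example that models those documented semantics; it is not Cilium's own option-resolver code. ConfigSource, Resolve and the sample key/value pairs are constructed for illustration, and it assumes that any key set by a non-first source counts as an override, whether or not the first source set it.

```go
package main

import (
	"fmt"
	"sort"
)

// ConfigSource is one ordered configuration source, named as build-config
// names them (e.g. "config-map:kube-system/cilium-config").
type ConfigSource struct {
	Name  string
	Pairs map[string]string
}

// overrideAllowed encodes the precedence stated in the help text: a non-empty
// allow list is the only filter (deny is ignored); otherwise any key that is
// not denied may be overridden.
func overrideAllowed(key string, allow, deny map[string]bool) bool {
	if len(allow) > 0 {
		return allow[key]
	}
	return !deny[key]
}

// Resolve merges the sources in order. The first source is the base; a key set
// by any later source is treated as an override (assumption: whether or not the
// base set it) and is kept only if overrideAllowed says so. Rejected overrides
// are returned sorted, so an operator can audit what a node-scoped source
// tried to change.
func Resolve(sources []ConfigSource, allowKeys, denyKeys []string) (map[string]string, []string) {
	allow, deny := toSet(allowKeys), toSet(denyKeys)
	resolved := map[string]string{}
	var rejected []string
	for i, src := range sources {
		for k, v := range src.Pairs {
			if i > 0 && !overrideAllowed(k, allow, deny) {
				rejected = append(rejected, src.Name+": "+k)
				continue
			}
			resolved[k] = v
		}
	}
	sort.Strings(rejected)
	return resolved, rejected
}

func toSet(keys []string) map[string]bool {
	s := make(map[string]bool, len(keys))
	for _, k := range keys {
		s[k] = true
	}
	return s
}

// SampleSources is constructed data: the cluster-wide ConfigMap followed by a
// CiliumNodeConfig that tries to flip two of its settings.
func SampleSources() []ConfigSource {
	return []ConfigSource{
		{Name: "config-map:kube-system/cilium-config", Pairs: map[string]string{
			"debug": "false", "enable-ipv4": "true", "kube-proxy-replacement": "true",
		}},
		{Name: "cilium-node-config:kube-system", Pairs: map[string]string{
			"debug": "true", "kube-proxy-replacement": "false",
		}},
	}
}

func main() {
	// Protect kube-proxy-replacement from per-node overrides; everything else may change.
	resolved, rejected := Resolve(SampleSources(), nil, []string{"kube-proxy-replacement"})
	keys := make([]string, 0, len(resolved))
	for k := range resolved {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%s\n", k, resolved[k])
	}
	fmt.Println("rejected overrides:", rejected)
}
```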

mount-cgroup

Cilium uses cgroup v2 to enforce network policy, monitoring and other key functions; for example, to ensure that only verified network traffic can enter and leave containerised applications, or to control how many system resources a container can use.

# With the env vars substituted (CGROUP_ROOT=/run/cilium/cgroupv2, BIN_PATH=/opt/cni/bin):
cp /usr/bin/cilium-mount /hostbin/cilium-mount;
nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "/opt/cni/bin/cilium-mount" /run/cilium/cgroupv2;
# Seen from the host, /hostproc is the host's /proc and /hostbin is /opt/cni/bin, so this is equivalent to:
nsenter --cgroup=/proc/1/ns/cgroup --mount=/proc/1/ns/mnt "/hostbin/cilium-mount" /run/cilium/cgroupv2;
rm /hostbin/cilium-mount

The usage message:

# /usr/bin/cilium-mount
usage: /usr/bin/cilium-mount <cgroup-mount-point>

In fact, this is a very simple Go program in the tools package; most of the init containers do their configuration work through small Go programs like this.

Cilium will automatically mount cgroup v2 filesystem required to attach BPF cgroup programs by default at the path /run/cilium/cgroupv2.

The log output:

# k logs cilium-hms7c -c mount-cgroup
level=info msg="Mounted cgroupv2 filesystem at /run/cilium/cgroupv2" subsys=cgroups

apply-sysctl-overwrites

# With BIN_PATH=/opt/cni/bin substituted:
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
# Seen from the host, /hostbin is /opt/cni/bin, so the copy lands at:
cp /usr/bin/cilium-sysctlfix /opt/cni/bin/cilium-sysctlfix;
nsenter --mount=/hostproc/1/ns/mnt "/opt/cni/bin/cilium-sysctlfix";
# Equivalent from the host, where /hostproc is /proc:
nsenter --mount=/proc/1/ns/mnt "/opt/cni/bin/cilium-sysctlfix";
rm /hostbin/cilium-sysctlfix

# /usr/bin/cilium-sysctlfix -h
Usage of /usr/bin/cilium-sysctlfix:
      --sysctl-conf-dir string       Path to the sysctl config directory (default "/etc/sysctl.d/")
      --sysctl-config-file string    Filename of the cilium sysctl overwrites config file (default "99-zzz-override_cilium.conf")
      --systemd-sysctl-unit string   Name of the systemd sysctl unit to reload (default "systemd-sysctl.service")
parse flags: pflag: help requested

On the host, look at the following file.

# cat /etc/sysctl.d/99-zzz-override_cilium.conf

# Disable rp_filter on Cilium interfaces since it may cause mangled packets to be dropped
-net.ipv4.conf.lxc*.rp_filter = 0
-net.ipv4.conf.cilium_*.rp_filter = 0
# The kernel uses max(conf.all, conf.{dev}) as its value, so we need to set .all. to 0 as well.
# Otherwise it will overrule the device specific settings.
net.ipv4.conf.all.rp_filter = 0

# k logs cilium-hms7c -c apply-sysctl-overwrites
sysctl config up-to-date, nothing to do

mount-bpf-fs

This init container lets processes access the BPF virtual filesystem through the filesystem interface, so that BPF programs and maps can be loaded and managed. It provides persistent storage for BPF objects that can be shared between processes, even after the process that created them has exited.

mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf

The container's log:

# k logs cilium-hms7c -c mount-bpf-fs
none on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)

clean-cilium-state

This container mainly cleans up Cilium-related configuration on network interfaces, to prevent leftover network state from interfering with Cilium's normal operation when cilium-agent starts or restarts.

/init-container.sh

The script contents, viewed from inside the container:

# cat /init-container.sh
#!/bin/sh

# Check for CLEAN_CILIUM_BPF_STATE and CLEAN_CILIUM_STATE
# is there for backwards compatibility as we've used those
# two env vars in our old kubernetes yaml files.

if [ "${CILIUM_BPF_STATE}" = "true" ] \
   || [ "${CLEAN_CILIUM_BPF_STATE}" = "true" ]; then
	cilium cleanup -f --bpf-state
fi

if [ "${CILIUM_ALL_STATE}" = "true" ] \
    || [ "${CLEAN_CILIUM_STATE}" = "true" ]; then
	cilium cleanup -f --all-state
fi

What cilium cleanup can do:

# cilium cleanup -h
Clean up CNI configurations, CNI binaries, attached BPF programs,
bpffs, tc filters, routes, links and named network namespaces.

Running this command might be necessary to get the worker node back into
working condition after uninstalling the Cilium agent.

Usage:
  cilium cleanup [flags]

Flags:
      --all-state   Remove all cilium state
      --bpf-state   Remove BPF state
  -f, --force       Skip confirmation
  -h, --help        help for cleanup

Global Flags:
      --config string   Config file (default is $HOME/.cilium.yaml)
  -D, --debug           Enable debug messages
  -H, --host string     URI to server-side API

If further cleanup work is needed, it can be added to this subcommand.

func (c ciliumCleanup) whatWillBeRemoved() []string {
	toBeRemoved := []string{}

	if len(c.tcFilters) > 0 {
		section := "tc filters\n"
		for linkName, f := range c.tcFilters {
			section += fmt.Sprintf("%s %v\n", linkName, f)
		}
		toBeRemoved = append(toBeRemoved, section)
	}
	if len(c.xdpLinks) > 0 {
		section := "xdp programs\n"
		for _, l := range c.xdpLinks {
			section += fmt.Sprintf("%s: xdp/prog id %v\n", l.Attrs().Name, l.Attrs().Xdp.ProgId)
		}
		toBeRemoved = append(toBeRemoved, section)
	}

	if c.bpfOnly {
		return toBeRemoved
	}

	if len(c.routes) > 0 {
		section := "routes\n"
		for _, v := range c.routes {
			section += fmt.Sprintf("%v\n", v)
		}
		toBeRemoved = append(toBeRemoved, section)
	}

	if len(c.links) > 0 {
		section := "links\n"
		for _, v := range c.links {
			section += fmt.Sprintf("%v\n", v)
		}
		toBeRemoved = append(toBeRemoved, section)
	}

	if len(c.netNSs) > 0 {
		section := "network namespaces\n"
		for _, n := range c.netNSs {
			section += fmt.Sprintf("%s\n", n)
		}
		toBeRemoved = append(toBeRemoved, section)
	}
	toBeRemoved = append(toBeRemoved, fmt.Sprintf("socketlb bpf programs at %s",
		defaults.DefaultCgroupRoot))
	toBeRemoved = append(toBeRemoved, fmt.Sprintf("mounted cgroupv2 at %s",
		defaults.DefaultCgroupRoot))
	toBeRemoved = append(toBeRemoved, fmt.Sprintf("library code in %s",
		defaults.LibraryPath))
	toBeRemoved = append(toBeRemoved, fmt.Sprintf("endpoint state in %s",
		defaults.RuntimePath))
	toBeRemoved = append(toBeRemoved, fmt.Sprintf("CNI configuration at %s, %s, %s, %s, %s",
		cniConfigV1, cniConfigV2, cniConfigV3, cniConfigV4, cniConfigV5))
	return toBeRemoved
}

This container produces no log output. It would be useful to log something here as well, to confirm whether any cleanup was actually performed.

# k logs cilium-hms7c -c clean-cilium-state

install-cni-binaries

This one is familiar: most CNIs copy their CNI binary onto the host in this way. Here the script installs it under the host's /opt/cni/bin, which is mounted in the container as /host/opt/cni/bin.

/install-plugin.sh

# cat /install-plugin.sh
#!/bin/bash

# Copy the cilium-cni plugin binary to the host

set -e

HOST_PREFIX=${HOST_PREFIX:-/host}

BIN_NAME=cilium-cni
CNI_DIR=${CNI_DIR:-${HOST_PREFIX}/opt/cni}
CILIUM_CNI_CONF=${CILIUM_CNI_CONF:-${HOST_PREFIX}/etc/cni/net.d/${CNI_CONF_NAME}}

if [ ! -d "${CNI_DIR}/bin" ]; then
	mkdir -p "${CNI_DIR}/bin"
fi

# Install the CNI loopback driver if not installed already
if [ ! -f "${CNI_DIR}/bin/loopback" ]; then
	echo "Installing loopback driver..."

	# Don't fail hard if this fails as it is usually not required
	cp /cni/loopback "${CNI_DIR}/bin/" || true
fi

echo "Installing ${BIN_NAME} to ${CNI_DIR}/bin/ ..."

# Copy the binary, then do a rename
# so the move is atomic
rm -f "${CNI_DIR}/bin/${BIN_NAME}.new" || true
cp "/opt/cni/bin/${BIN_NAME}" "${CNI_DIR}/bin/.${BIN_NAME}.new"
mv "${CNI_DIR}/bin/.${BIN_NAME}.new" "${CNI_DIR}/bin/${BIN_NAME}"

echo "wrote ${CNI_DIR}/bin/${BIN_NAME}"

# k logs cilium-hms7c -c install-cni-binaries
Installing cilium-cni to /host/opt/cni/bin/ ...
wrote /host/opt/cni/bin/cilium-cni

cilium-agent

The startup analysis of cilium-agent itself will be covered in detail in a later article.

Summary

From the analysis above, on a node inside a Kubernetes cluster, the following script has to run before the cilium-agent binary starts.

# config
cilium build-config
cilium build-config --k8s-kubeconfig-path /root/.kube/config  --source config-map:kube-system/cilium-config

mkdir -p /hostbin /var/run/cilium /sys/fs/bpf /run/cilium/cgroupv2 /opt/cni/bin /etc/cni/net.d /proc/sys/net /proc/sys/kernel
# mount-cgroup

# /hostbin is only a temporary directory
# /hostproc corresponds to /proc
mkdir -p /hostbin
mkdir -p /hostproc
mount --bind /proc /hostproc
mount --bind /opt/cni/bin /hostbin
export BIN_PATH=/opt/cni/bin
export CGROUP_ROOT=/run/cilium/cgroupv2

cp /usr/bin/cilium-mount /hostbin/cilium-mount;
nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
rm /hostbin/cilium-mount

# apply-sysctl-overwrites
mkdir -p /hostbin
mkdir -p /hostproc
mount --bind /proc /hostproc
mount --bind /opt/cni/bin /hostbin
export BIN_PATH=/opt/cni/bin

cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
rm /hostbin/cilium-sysctlfix

# mount-bpf-fs
mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf

# clean-cilium-state
/init-container.sh

# install-cni-binaries
/install-plugin.sh
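To verify on a node that the init containers above left the host in the state they are meant to, the Go program below is an added example (not part of Cilium or of this article's script). It applies the mount-bpf-fs test to the text of /proc/mounts and compares live sysctl values against the 99-zzz-override_cilium.conf format, honouring the leading "-" that marks a key as optional. The function names and sample inputs are constructed; on a real node you would read /proc/mounts and /proc/sys instead of the constants.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// MountedAt reports whether procMounts (the text of /proc/mounts) lists a
// filesystem of type fstype at mountPoint, the check mount-bpf-fs does via grep.
func MountedAt(procMounts, mountPoint, fstype string) bool {
	for _, line := range strings.Split(procMounts, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[1] == mountPoint && f[2] == fstype {
			return true
		}
	}
	return false
}

// SysctlRule is one "key = value" line of a sysctl.d file.
type SysctlRule struct {
	Pattern  string // may contain globs, e.g. net.ipv4.conf.lxc*.rp_filter
	Value    string
	Optional bool // leading "-": sysctl ignores a failure to set this key
}

// ParseSysctlConf parses the format of 99-zzz-override_cilium.conf.
func ParseSysctlConf(conf string) []SysctlRule {
	var rules []SysctlRule
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		optional := strings.HasPrefix(line, "-")
		if k, v, ok := strings.Cut(strings.TrimPrefix(line, "-"), "="); ok {
			rules = append(rules, SysctlRule{Pattern: strings.TrimSpace(k), Value: strings.TrimSpace(v), Optional: optional})
		}
	}
	return rules
}

// SysctlDrift returns, sorted, every live key whose value differs from its rule,
// plus any non-optional rule that matches no key. Globs use path.Match ('*' never crosses '/').
func SysctlDrift(rules []SysctlRule, current map[string]string) []string {
	var drift []string
	for _, r := range rules {
		matched := false
		for key, val := range current {
			if ok, _ := path.Match(r.Pattern, key); ok {
				matched = true
				if val != r.Value {
					drift = append(drift, fmt.Sprintf("%s=%s (want %s)", key, val, r.Value))
				}
			}
		}
		if !matched && !r.Optional {
			drift = append(drift, fmt.Sprintf("%s missing (want %s)", r.Pattern, r.Value))
		}
	}
	sort.Strings(drift)
	return drift
}

// Constructed samples: /proc/mounts after the init containers ran, the override
// file from the page, and live values where one lxc interface kept rp_filter=1.
const SampleMounts = `none /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
none /run/cilium/cgroupv2 cgroup2 rw,relatime,nsdelegate 0 0`
const SampleSysctlConf = `# Disable rp_filter on Cilium interfaces
-net.ipv4.conf.lxc*.rp_filter = 0
-net.ipv4.conf.cilium_*.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0`

var SampleSysctls = map[string]string{
	"net.ipv4.conf.all.rp_filter":         "0",
	"net.ipv4.conf.cilium_host.rp_filter": "0",
	"net.ipv4.conf.lxc2a1f.rp_filter":     "1",
}

func main() {
	fmt.Println("bpffs:", MountedAt(SampleMounts, "/sys/fs/bpf", "bpf"),
		"cgroup2:", MountedAt(SampleMounts, "/run/cilium/cgroupv2", "cgroup2"),
		"sysctl drift:", SysctlDrift(ParseSysctlConf(SampleSysctlConf), SampleSysctls))
}
```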

References


如何在Windows系统使用Plex部署影音服务与公网访问本地资源【内网穿透】

文章目录 1.前言2. Plex网站搭建2.1 Plex下载和安装2.2 Plex网页测试2.3 cpolar的安装和注册 3. 本地网页发布3.1 Cpolar云端设置3.2 Cpolar本地设置 4. 公网访问测试5. 结语 正文开始前给大家推荐个网站&#xff0c;前些天发现了一个巨牛的 人工智能学习网站&#xff0c; 通…