Containerd源码分析--创建容器时网络功能分析

最新推荐文章于 2024-03-26 14:06:37 发布
最新推荐文章于 2024-03-26 14:06:37 发布
阅读量813 收藏 1
点赞数
文章标签: kubernetes linux 容器
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_40056921/article/details/129157735
版权

本文代码基于containerd 1.16分支

最近在看kubernetes中cni相关的内容,想研究下pod创建时网络是如何调用的,新版的kubernetes中已经没有了docker-shim,所以从kubelet中/pkg/kubelet/kuberuntime/kuberuntime_manager.go中的createPodSandbox方法开始分析,该方法调用RunPodSandbox

cri是Kubernetes容器运行时接口(CRI)的containerd插件实现。使用它,可以将containerd用作Kubernetes集群的容器运行时。

1.RunPodSandbox函数

1.1 生成id和name,将name和id进行绑定,防止创建同名的sandbox,ReleaseByName在发生错误后释放掉Name。

// RunPodSandbox creates and starts a pod-level sandbox. Runtimes should ensure
// the sandbox is in ready state.
func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandboxRequest) (_ *runtime.RunPodSandboxResponse, retErr error) {
	config := r.GetConfig()
	log.G(ctx).Debugf("Sandbox config %+v", config)

	// Generate unique id and name for the sandbox and reserve the name.
	id := util.GenerateID()
	metadata := config.GetMetadata()
	if metadata == nil {
		return nil, errors.New("sandbox config must include metadata")
	}
	name := makeSandboxName(metadata)
	log.G(ctx).WithField("podsandboxid", id).Debugf("generated id for sandbox name %q", name)
	// Reserve the sandbox name to avoid concurrent `RunPodSandbox` request starting the
	// same sandbox.
	if err := c.sandboxNameIndex.Reserve(name, id); err != nil {
		return nil, fmt.Errorf("failed to reserve sandbox name %q: %w", name, err)
	}
	defer func() {
		// Release the name if the function returns with an error.
		if retErr != nil {
			c.sandboxNameIndex.ReleaseByName(name)
		}
	}()

1.2 实例化sandbox

// Create initial internal sandbox object.
	sandbox := sandboxstore.NewSandbox(
		sandboxstore.Metadata{
			ID:             id,
			Name:           name,
			Config:         config,
			RuntimeHandler: r.GetRuntimeHandler(),
		},
		sandboxstore.Status{
			State: sandboxstore.StateUnknown,
		},
	)

1.3  确保镜像存在,如果不存在则拉取,并将 镜像转换成containerd.Image接口形式

// Ensure sandbox container image snapshot.
	image, err := c.ensureImageExists(ctx, c.config.SandboxImage, config)
	if err != nil {
		return nil, fmt.Errorf("failed to get sandbox image %q: %w", c.config.SandboxImage, err)
	}
	containerdImage, err := c.toContainerdImage(ctx, *image)
	if err != nil {
		return nil, fmt.Errorf("failed to get image from containerd %q: %w", image.ID, err)
	}

1.3.1 优先从本地加载镜像,不存在则通过PullImage拉取。

func (c *criService) ensureImageExists(ctx context.Context, ref string, config *runtime.PodSandboxConfig) (*imagestore.Image, error) {
	image, err := c.localResolve(ref)
	if err != nil && !errdefs.IsNotFound(err) {
		return nil, fmt.Errorf("failed to get image %q: %w", ref, err)
	}
	if err == nil {
		return &image, nil
	}
	// Pull image to ensure the image exists
	resp, err := c.PullImage(ctx, &runtime.PullImageRequest{Image: &runtime.ImageSpec{Image: ref}, SandboxConfig: config})
	if err != nil {
		return nil, fmt.Errorf("failed to pull image %q: %w", ref, err)
	}
	imageID := resp.GetImageRef()
	newImage, err := c.imageStore.Get(imageID)
	if err != nil {
		// It's still possible that someone removed the image right after it is pulled.
		return nil, fmt.Errorf("failed to get image %q after pulling: %w", imageID, err)
	}
	return &newImage, nil
}

1.4 获取 sandbox runtime

// getSandboxRuntime returns the runtime configuration for sandbox.
// If the sandbox contains untrusted workload, runtime for untrusted workload will be returned,
// or else default runtime will be returned.
func (c *criService) getSandboxRuntime(config *runtime.PodSandboxConfig, runtimeHandler string) (criconfig.Runtime, error) {
	if untrustedWorkload(config) {
		// If the untrusted annotation is provided, runtimeHandler MUST be empty.
		if runtimeHandler != "" && runtimeHandler != criconfig.RuntimeUntrusted {
			return criconfig.Runtime{}, errors.New("untrusted workload with explicit runtime handler is not allowed")
		}

		//  If the untrusted workload is requesting access to the host/node, this request will fail.
		//
		//  Note: If the workload is marked untrusted but requests privileged, this can be granted, as the
		// runtime may support this.  For example, in a virtual-machine isolated runtime, privileged
		// is a supported option, granting the workload to access the entire guest VM instead of host.
		// TODO(windows): Deprecate this so that we don't need to handle it for windows.
		if hostAccessingSandbox(config) {
			return criconfig.Runtime{}, errors.New("untrusted workload with host access is not allowed")
		}

		runtimeHandler = criconfig.RuntimeUntrusted
	}

	if runtimeHandler == "" {
		runtimeHandler = c.config.ContainerdConfig.DefaultRuntimeName
	}

	handler, ok := c.config.ContainerdConfig.Runtimes[runtimeHandler]
	if !ok {
		return criconfig.Runtime{}, fmt.Errorf("no runtime for %q is configured", runtimeHandler)
	}
	return handler, nil
}

1.5 如果linux不是host network则设置pod网络,网络命名空间的路径 为:/var/run/netns

podNetwork := true

	if goruntime.GOOS != "windows" &&
		config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetNetwork() == runtime.NamespaceMode_NODE {
		// Pod network is not needed on linux with host network.
		podNetwork = false
	}
	if goruntime.GOOS == "windows" &&
		config.GetWindows().GetSecurityContext().GetHostProcess() {
		//Windows HostProcess pods can only run on the host network
		podNetwork = false
	}

	if podNetwork {
		netStart := time.Now()
		// If it is not in host network namespace then create a namespace and set the sandbox
		// handle. NetNSPath in sandbox metadata and NetNS is non empty only for non host network
		// namespaces. If the pod is in host network namespace then both are empty and should not
		// be used.
		var netnsMountDir = "/var/run/netns"
		if c.config.NetNSMountsUnderStateDir {
			netnsMountDir = filepath.Join(c.config.StateDir, "netns")
		}
		sandbox.NetNS, err = netns.NewNetNS(netnsMountDir)
		if err != nil {
			return nil, fmt.Errorf("failed to create network namespace for sandbox %q: %w", id, err)
		}
		sandbox.NetNSPath = sandbox.NetNS.GetPath()
		defer func() {
			if retErr != nil {
				deferCtx, deferCancel := ctrdutil.DeferContext()
				defer deferCancel()
				// Teardown network if an error is returned.
				if err := c.teardownPodNetwork(deferCtx, sandbox); err != nil {
					log.G(ctx).WithError(err).Errorf("Failed to destroy network for sandbox %q", id)
				}

				if err := sandbox.NetNS.Remove(); err != nil {
					log.G(ctx).WithError(err).Errorf("Failed to remove network namespace %s for sandbox %q", sandbox.NetNSPath, id)
				}
				sandbox.NetNSPath = ""
			}
		}()

		// Setup network for sandbox.
		// Certain VM based solutions like clear containers (Issue containerd/cri-containerd#524)
		// rely on the assumption that CRI shim will not be querying the network namespace to check the
		// network states such as IP.
		// In future runtime implementation should avoid relying on CRI shim implementation details.
		// In this case however caching the IP will add a subtle performance enhancement by avoiding
		// calls to network namespace of the pod to query the IP of the veth interface on every
		// SandboxStatus request.
		if err := c.setupPodNetwork(ctx, &sandbox); err != nil {
			return nil, fmt.Errorf("failed to setup network for sandbox %q: %w", id, err)
		}
		sandboxCreateNetworkTimer.UpdateSince(netStart)
	}

1.5.1 获取netPlugin

        通过netPlugin.Setup进行网络设置

        selectPodIPs 获取pod ip

// setupPodNetwork setups up the network for a pod
func (c *criService) setupPodNetwork(ctx context.Context, sandbox *sandboxstore.Sandbox) error {
	var (
		id        = sandbox.ID
		config    = sandbox.Config
		path      = sandbox.NetNSPath
		netPlugin = c.getNetworkPlugin(sandbox.RuntimeHandler)
	)
	if netPlugin == nil {
		return errors.New("cni config not initialized")
	}

	opts, err := cniNamespaceOpts(id, config)
	if err != nil {
		return fmt.Errorf("get cni namespace options: %w", err)
	}
	log.G(ctx).WithField("podsandboxid", id).Debugf("begin cni setup")
	result, err := netPlugin.Setup(ctx, id, path, opts...)
	if err != nil {
		return err
	}
	logDebugCNIResult(ctx, id, result)
	// Check if the default interface has IP config
	if configs, ok := result.Interfaces[defaultIfName]; ok && len(configs.IPConfigs) > 0 {
		sandbox.IP, sandbox.AdditionalIPs = selectPodIPs(ctx, configs.IPConfigs, c.config.IPPreference)
		sandbox.CNIResult = result
		return nil
	}
	return fmt.Errorf("failed to find network info for sandbox %q", id)
}

1.5.1.1 getNetworkPlugin

        其中c.netPlugin是在初始化initCRIService中的server.NewCRIService(c, client)时,c.initPlatform()中

// getNetworkPlugin returns the network plugin to be used by the runtime class
// defaults to the global CNI options in the CRI config
func (c *criService) getNetworkPlugin(runtimeClass string) cni.CNI {
	if c.netPlugin == nil {
		return nil
	}
	i, ok := c.netPlugin[runtimeClass]
	if !ok {
		if i, ok = c.netPlugin[defaultNetworkPlugin]; !ok {
			return nil
		}
	}
	return i
}

 

// initPlatform handles linux specific initialization for the CRI service.
func (c *criService) initPlatform() (err error) {
	//...
	pluginDirs := map[string]string{
		defaultNetworkPlugin: c.config.NetworkPluginConfDir,
	}
	for name, conf := range c.config.Runtimes {
		if conf.NetworkPluginConfDir != "" {
			pluginDirs[name] = conf.NetworkPluginConfDir
		}
	}

	c.netPlugin = make(map[string]cni.CNI)
	for name, dir := range pluginDirs {
		max := c.config.NetworkPluginMaxConfNum
		if name != defaultNetworkPlugin {
			if m := c.config.Runtimes[name].NetworkPluginMaxConfNum; m != 0 {
				max = m
			}
		}
		// Pod needs to attach to at least loopback network and a non host network,
		// hence networkAttachCount is 2. If there are more network configs the
		// pod will be attached to all the networks but we will only use the ip
		// of the default network interface as the pod IP.
		i, err := cni.New(cni.WithMinNetworkCount(networkAttachCount),
			cni.WithPluginConfDir(dir),
			cni.WithPluginMaxConfNum(max),
			cni.WithPluginDir([]string{c.config.NetworkPluginBinDir}))
		if err != nil {
			return fmt.Errorf("failed to initialize cni: %w", err)
		}
		c.netPlugin[name] = i
	}

	if c.allCaps == nil {
		c.allCaps, err = cap.Current()
		if err != nil {
			return fmt.Errorf("failed to get caps: %w", err)
		}
	}

	return nil
}

 New方法创建了一个libcni实例

// New creates a new libcni instance.
func New(config ...Opt) (CNI, error) {
	cni := defaultCNIConfig()
	var err error
	for _, c := range config {
		if err = c(cni); err != nil {
			return nil, err
		}
	}
	return cni, nil
}

func defaultCNIConfig() *libcni {
	return &libcni{
		config: config{
			pluginDirs:       []string{DefaultCNIDir}, //opt/cni/bin
			pluginConfDir:    DefaultNetDir,  //etc/cni/net.d
			pluginMaxConfNum: DefaultMaxConfNum,  //1
			prefix:           DefaultPrefix,  //eth
		},
		cniConfig: cnilibrary.NewCNIConfig(
			[]string{
				DefaultCNIDir,
			},
			&invoke.DefaultExec{
				RawExec:       &invoke.RawExec{Stderr: os.Stderr},
				PluginDecoder: version.PluginDecoder{},
			},
		),
		networkCount: 1,
	}
}

1.5.1.2

判断CNI插件是否就绪

初始化新namespace

// Setup setups the network in the namespace and returns a Result
func (c *libcni) Setup(ctx context.Context, id string, path string, opts ...NamespaceOpts) (*Result, error) {
	if err := c.Status(); err != nil {
		return nil, err
	}
	ns, err := newNamespace(id, path, opts...)
	if err != nil {
		return nil, err
	}
	result, err := c.attachNetworks(ctx, ns)
	if err != nil {
		return nil, err
	}
	return c.createResult(result)
}

asynchAttach 开启协程,创建网络

func (c *libcni) attachNetworks(ctx context.Context, ns *Namespace) ([]*types100.Result, error) {
	var wg sync.WaitGroup
	var firstError error
	results := make([]*types100.Result, len(c.Networks()))
	rc := make(chan asynchAttachResult)

	for i, network := range c.Networks() {
		wg.Add(1)
		go asynchAttach(ctx, i, network, ns, &wg, rc)
	}

	for range c.Networks() {
		rs := <-rc
		if rs.err != nil && firstError == nil {
			firstError = rs.err
		}
		results[rs.index] = rs.res
	}
	wg.Wait()

	return results, firstError
}

执行network.Attach方法

func asynchAttach(ctx context.Context, index int, n *Network, ns *Namespace, wg *sync.WaitGroup, rc chan asynchAttachResult) {
	defer wg.Done()
	r, err := n.Attach(ctx, ns)
	rc <- asynchAttachResult{index: index, res: r, err: err}
}

func (n *Network) Attach(ctx context.Context, ns *Namespace) (*types100.Result, error) {
	r, err := n.cni.AddNetworkList(ctx, n.config, ns.config(n.ifName))
	if err != nil {
		return nil, err
	}
	return types100.NewResultFromResult(r)
}

进入到containernetworking/cni/libcni/api.go中调用cni进行网络创建

// AddNetworkList executes a sequence of plugins with the ADD command
func (c *CNIConfig) AddNetworkList(ctx context.Context, list *NetworkConfigList, rt *RuntimeConf) (types.Result, error) {
	var err error
	var result types.Result
	for _, net := range list.Plugins {
		result, err = c.addNetwork(ctx, list.Name, list.CNIVersion, net, result, rt)
		if err != nil {
			return nil, fmt.Errorf("plugin %s failed (add): %w", pluginDescription(net.Network), err)
		}
	}

	if err = c.cacheAdd(result, list.Bytes, list.Name, rt); err != nil {
		return nil, fmt.Errorf("failed to set network %q cached result: %w", list.Name, err)
	}

	return result, nil
}

参考:;【containerd 源码分析】containerd cri PodRunSandbox 源码分析之二_张忠琳的博客-CSDN博客

一只泥巴佬
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
containerd-cni-1.6.6-linux-amd64.tar.gz 包
08-11
执行如下命令下载最新...wget https://download.fastgit.org/containerd/containerd/releases/download/v1.6.6/cri-containerd-cni-1.6.6-linux-amd64.tar.gz --no-check-certificate ``` 下载不了,可以使用这个
k8s搭建集群报错failed to set up sandbox container “xxx“ network for pod “coredns-xxx“:networkPlugin cni fa
那条大鱼的博客
02-23 2685
k8s搭建集群关于cni网络插件报错的问题
一个与cni0相关的pod创建问题
为梦想奋斗
03-08 878
failed to set bridge addr问题
K8S 问题记录
最新发布
qq_39328864的博客
03-26 250
【代码】K8S 问题记录。
"Failed to destroy network for sandbox" 错误处理分享
weixin_47980221的博客
06-25 773
问题说明:calico pod突然报错,如下截图 最后排查到containerd 的cni插件有问题,官方文档说的是:如果你使用 containerd v1.6.0-v1.6.3 并遇到 "Incompatible CNI versions" 或者 "Failed to destroy network for sandbox" 错误,考虑更新你的 CNI 插件并编辑 CNI 配置文件(...
K8S问题记录
勿在浮沙筑高
12-11 3828
与其他采集正常的k8s集群对比,发现所用kube-state-metrics (deployment)版本有差异,将其镜像版本由2.0.0 改为了 v1.9.7 问题得到解决,效果如下。该指标由 kube-state-metrics (deployment)采集,经curl在集群内访问该exporter,原始采集到的指标即不完整。查看flannel网络插件分配的子网IP,发现两者确实不一致。命令确认cni0的IP信息,使用。进入到对应计算节点,使用。cgroup内存泄露。
创建一个pod,但pod的status持续:ContainerCreating
qq_29700227的博客
09-01 871
关于:Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "f6529b2e4 7a567d56cc32cdb18cbe264c3cc4e4446f7da1d69bb2137b4ee275b": plugin type="flannel" failed (add): open /run/flannel/subnet.env: no such file or dir
源码解析Containerd容器启动流程
Extreme的博客
11-29 345
task是containerd中真正运行的对象,它包含了容器的所有信息,如rootfs、namespace、进程等。创建task,会启动shim进程。shim进程是一个短暂的进程,它的生命周期与容器一致。它的主要作用是与交互,完成容器创建容器网络配置是在task创建之后,由ctr调用cni插件完成的。
cri-containerd-cni-1.6.8-linux-amd64.tar.gz
09-01
containerd 是一个行业标准的容器运行,强调简单性、健壮性、可移植性;继 Kubernetes、Prometheus、Envoy 和 CoreDNS 之后,于 2019 年 2 月 28 日,containerd 正式成为云原生计算基金会的毕业项目;从 k8s v...
cri-containerd-cni-1.5.5-linux-amd64.tar.gz
08-27
cri-containerd-cni-1.5.5-linux-amd64.tar.gz
cri-containerd-1.7.7-linux-amd64.tar.gz
01-06
cri-containerd-1.7.7-linux-amd64.tar.gz
containerd-1.6.11-linux-amd64
12-07
containerd容器虚拟化技术,从docker中剥离出来,形成开放容器接口(OCI)标准的一部分。
containerd 源码分析
Matthew__M的博客
09-06 1113
dockerd是docker engine守护进程,dockerd启动会启动containerd子进程,dockerdcontainerd通过rpc进行通信 ctr是containerd的cli containerd通过shim操作runc,runc真正控制容器生命周期,启动一个容器就会启动一个shim进程 shim直接调用runc的包函数,shim与containerd之前通过rpc通信 真正用户想启动的进程由runc的init进程启动,即runc init [args ...] do...
【k8s错误解决系列】Error: failed to get sandbox container task: no running task found: task xxx not found
weixin_42072280的博客
12-09 3895
【k8s错误解决系列】Error: failed to get sandbox container task: no running task found: task xxx not found
containerd源代码分析: 整体架构
03-23 1147
本文梳理了containerd项目的整体代码的静态逻辑结构,主要设计到功能的抽象接口及实现、插件系统对服务的封装,插件的配置注册、GRPC通信的服务和客户端代码。通过一个content功能实例贯穿始终
Kubernetes 网络模型
lingshengxiyou的博客
04-04 149
集群网络系统是 Kubernetes 的核心部分,但是想要准确了解它的工作原理可是个不小的挑战。高度耦合的容器间通信:这个已经被 Pod 和 localhost 通信解决了。Pod 间通信:这是本文档讲述的重点。Pod 与 Service 间通信:涵盖在 Service 中。外部与 Service 间通信:也涵盖在 Service 中。Kubernetes 的宗旨就是在应用之间共享机器。
kubernetes集群pod异常状态ContainerCreating的解决
CycloneKid的博客
10-11 1545
今天在使用kubernetes集群部署pod,pod显示不正常状态ContainerCreating,如下图所示 这是node节点无法部署pod致使pod处于错误状态,node节点上有两个服务,一个是kubelet,另一个是kube-porxy,pod部署报错一般是kubelet服务出了问题,在node节点上使用命令journalctl -u kubelet查看kubelet服务的日志 jou...
containerd 源码分析containerd 启动流程分析
zhonglinzhang
08-02 9709
github:https://github.com/containerd/containerdrelease-v1.3.0 前言 dockerd是docker engine守护进程,dockerd启动会启动containerd子进程,dockerdcontainerd通过rpc进行通信 ctr是containerd的cli containerd通过shim操作runc,r...
docker-containerd-shim
06-01
docker-containerd-shim是Docker容器运行(runtime)中的一个组件,它是Containerd的子进程,用于启动和管理Docker容器Containerd是一个容器运行管理器,它可以管理容器的生命周期、容器的镜像和存储等等。Docker容器运行(runtime)使用Containerd作为容器管理后台,docker-containerd-shim是Containerd的一个子进程,用于启动和管理Docker容器。当Docker客户端发出创建容器的请求,Dockerd会将请求发送给ContainerdContainerd会启动docker-containerd-shim来启动容器。docker-containerd-shim会创建并管理容器的进程和文件系统,并将容器的状态信息返回给Dockerd。 docker-containerd-shim的作用是在Containerd的基础上,为Docker容器提供更高级的管理功能,如容器网络配置、容器的日志记录、容器的资源限制等等。docker-containerd-shim还可以通过插件的形式扩展其他的功能,如容器的安全性和监控等等。 总之,docker-containerd-shim是Docker容器运行中的一个重要组件,它通过Containerd来启动和管理Docker容器,并提供了更高级的容器管理和扩展功能。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值