开头语
写在前面:如有问题,以你为准,
目前24年应届生,各位大佬轻喷,部分资料与图片来自网络
内容较长,页面右上角目录方便跳转
基础
容器的应用程序可以直接访问Liux内核的系统调用,容器在安全隔离上还是比较弱,虽然 内核在不断地增强自身的安全特性,但由于内核自身代码极瑞复杂,CVE漏洞层出不穷。
所以要想减少这方面安全风险,就是做好安全隔离,阻断容器内程序对物理机内核的依赖。
Google开源的一种gVisor容器沙箱技术就是采用这种思路,gVisorl隔离容器内应用和内核之间访
问,提供了大部分Linux内核的系统调用,巧妙的将容器内进程的系统调用转化为对gViso的访问。
资料
https://github.com/google/givsor
https://gvisor.dev/docs/
https://gvisor.dev/docs/user_guide/quick_start/kubernetes/
原理
Kubernetes的Kata Containers 与 gVisor - ghostwritten | 血衫非弧の一存
gVsior 能否能够平滑处理的是容器的系统调用,可能有一些应用程序无法适配,且会有一定性能损耗
架构
安装(docker 有问题)
Warning FailedCreatePodSandBox 2s (x4 over 37s) kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = RuntimeHandler "runsc" not supportedhttps://github.com/google/gvisor/releases/tag/
https://gvisor.dev/docs/user_guide/install/ARCH=$(uname -m)
URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
wget ${URL}/runsc
wget ${URL}/containerd-shim-runsc-v1
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /usr/bin[root@master gvisor]# cat /etc/docker/daemon.json
{
"registry-mirrors": [
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn",
"https://registry.docker-cn.com",
"https://9cpn8tt6.mirror.aliyuncs.com"
],
"exec-opts": ["native.cgroupdriver=systemd"]
}
[root@master gvisor]# runsc install
2023/11/13 03:15:36 Runtime runsc not found: adding
2023/11/13 03:15:36 Successfully updated config.
[root@master gvisor]# cat /etc/docker/daemon.json
{
"exec-opts": [
"native.cgroupdriver=systemd"
],
"registry-mirrors": [
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn",
"https://registry.docker-cn.com",
"https://9cpn8tt6.mirror.aliyuncs.com"
],
"runtimes": {
"runsc": {
"path": "/usr/bin/runsc"
}
}
}
[root@master gvisor]# systemctl restart docker
[root@master gvisor]# docker info | grep Runtimes
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc runsc
# 可以看到已经支持 runsc安装成功测试
[root@node2 k8s]# docker run -it --runtime=runsc nginx:1.17.2 dmesg
[ 0.000000] Starting gVisor... # 从这个字段可以看出已经加载了gvisor
[ 0.458236] Constructing home...
[ 0.797653] Creating process schedule...
[ 1.279727] Mounting deweydecimalfs...
[ 1.513559] Recruiting cron-ies...
[ 1.953258] Creating bureaucratic processes...
[ 1.998313] Synthesizing system calls...
[ 2.093768] Feeding the init monster...
[ 2.373844] Checking naughty and nice process list...
[ 2.380829] Waiting for children...
[ 2.476625] Committing treasure map to memory...
[ 2.618154] Setting up VFS...
[ 2.709283] Setting up FUSE...
[ 2.774159] Ready!对比测试
[root@node2 k8s]# docker run -d --runtime=runsc nginx:1.17.2
4bd617fe4ebbd049b8e00cae3720551eb0c1f663e023f9dc5749c520230d74cd
[root@node2 k8s]# docker exec -it 4bd617fe4eb bash
root@4bd617fe4ebb:/# uname -a
Linux 4bd617fe4ebb 4.4.0 #1 SMP Sun Jan 10 15:06:54 PST 2016 x86_64 GNU/Linux
[root@node2 k8s]# docker run -d nginx:1.17.2
15a905a0ceef6ca90f4635e3c292b899b8bdc2b5b9f478fc956d268935b3f774
[root@node2 k8s]# docker exec -it 15a905a0ceef bash
root@15a905a0ceef:/# uname -a
Linux 15a905a0ceef 4.18.0-147.el8.x86_64 #1 SMP Thu Sep 26 15:52:44 UTC 2019 x86_64 GNU/Linux由此可以看出没有使用gVisor的容器使用的内核和宿主机一样的
其他配置
Containerd 集成
RuntimeClass
是一个用于选择容器运行时配置的特性,容器运行时配置用于运行Pod中的容器
实操
apiVersion: node.k8s.io/v1 # RuntimeClass 定义于 node.k8s.io API组
kind: RuntimeClass
metadata:
name: gvisor #用于引用 RuntimeClass 的名字
handler: runsc # 对应CRI 接口配置的名字[root@master gvisor]# kubectl create -f rc-gvisor.yaml
runtimeclass.node.k8s.io/gvisor created
[root@master gvisor]# kubectl get runtimeclasses.node.k8s.io
NAME HANDLER AGE
gvisor runsc 40sapiVersion: v1
kind: Pod
metadata:
name: nginx-gvisor
spec:
runtimeClassName: gvisor # 引用上创建的运行时类名
containers:
- name: nginx
image: nignx:1.17.1
1465
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
