ACK 的节点基础组件
containerd
版本信息
$ containerd --version
containerd github.com/containerd/containerd/v2 v2.1.3 05ac95a2d4aa0ae5ec8298e867e0a0185dd80236
配置文件
- systemd 配置
- containerd 配置
/etc/systemd/system/containerd.service
# systemd unit for the containerd daemon
# (shown on this page as /etc/systemd/system/containerd.service).
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
# Order startup after networking and local filesystems.
After=network.target local-fs.target
[Service]
# The leading "-" makes systemd ignore a non-zero exit from modprobe, so a
# failed module load does not block containerd from starting.
ExecStartPre=-/sbin/modprobe overlay
# No --config flag is given, so containerd falls back to its default
# configuration path (/etc/containerd/config.toml).
ExecStart=/usr/bin/containerd
# The service is considered started once containerd sends its readiness
# notification to systemd.
Type=notify
# systemd hands the unit's cgroup subtree over to the service and does not
# manage it itself.
Delegate=yes
# On stop or restart only the main containerd process is killed; remaining
# processes in the unit's control group are left running.
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
# NOTE(review): an unlimited core size lets crashes dump full process memory,
# which can contain credentials. Confirm where core files are written on this
# node and who can read them.
LimitCORE=infinity
LimitNOFILE=1048576
# Comment out TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this setting.
TasksMax=infinity
# Makes containerd a very unlikely target for the kernel OOM killer.
# The same value is set as oom_score in /etc/containerd/config.toml.
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
/etc/containerd/config.toml
# containerd daemon configuration, config schema version 3.
version = 3
# root holds persistent data; state holds runtime state under /run.
root = "/var/lib/containerd"
state = "/run/containerd"
disabled_plugins = []
# The CRI plugin is listed as required, so a failure to load it is treated as
# a startup error rather than being skipped.
required_plugins = ["io.containerd.grpc.v1.cri"]
# OOM score adjustment for the daemon; matches OOMScoreAdjust in the unit file.
oom_score = -999
# Alibaba Cloud Vendor enhancement configuration
# The import below is commented out, so the vendor file is not loaded.
# If it is enabled, the imported file is merged into this configuration, so it
# needs the same ownership and permissions as this file.
# imports = ["/etc/containerd/alibabacloud.toml"]
[grpc]
# Main API socket. Any process that can connect to it can create privileged
# containers, so access is effectively root on the node: keep it root-only and
# do not mount it into workloads. No uid/gid is set here, so the defaults apply.
address = "/run/containerd/containerd.sock"
# 16 MiB message size limits in both directions.
max_recv_message_size = 16777216
max_send_message_size = 16777216
[debug]
# Debug socket; treat it as sensitive as the main API socket.
address = "/run/containerd/debug.sock"
level = "info"
# Timeouts for shim and task operations.
[timeouts]
"io.containerd.timeout.shim.cleanup" = "5s"
"io.containerd.timeout.shim.load" = "5s"
"io.containerd.timeout.shim.shutdown" = "3s"
"io.containerd.timeout.task.state" = "2s"
[plugins]
# Garbage-collection scheduler tuning.
[plugins."io.containerd.gc.v1.scheduler"]
pause_threshold = 0.02
deletion_threshold = 0
mutation_threshold = 100
schedule_delay = "0s"
startup_delay = "100ms"
# CRI image service: snapshotter and image pull behaviour.
[plugins."io.containerd.cri.v1.images"]
snapshotter = "overlayfs"
disable_snapshot_annotations = true
discard_unpacked_layers = false
max_concurrent_downloads = 3
# A pull that reports no progress for this long is cancelled.
image_pull_progress_timeout = "5m0s"
image_pull_with_sync_fs = false
# NOTE(review): presumably selects the CRI plugin's local pull path instead of
# the transfer service; confirm against the containerd 2.1 documentation.
use_local_image_pull = true
[plugins."io.containerd.cri.v1.images".pinned_images]
# Sandbox (pause) image. It is referenced by tag rather than by digest, so its
# content is whatever the registry serves for that tag. Use a digest reference
# if image integrity must not depend on the registry alone.
sandbox = "registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/pause:3.9"
[plugins."io.containerd.cri.v1.images".registry]
# Colon-separated list of directories searched for per-registry hosts.toml.
# Those files can redirect pulls to mirrors and relax TLS verification, so both
# directories should be writable by root only.
config_path = "/etc/containerd/cert.d:/etc/containerd/certs.d"
# CRI runtime service: container runtime, CNI and device injection settings.
[plugins."io.containerd.cri.v1.runtime"]
# VOLUME declarations baked into images are ignored.
ignore_image_defined_volumes = true
# AppArmor profiles are not applied to containers on this node.
# NOTE(review): expected on a distribution without AppArmor; on an
# AppArmor-capable host this removes a confinement layer, so confirm it is
# intentional.
disable_apparmor = true
# CDI is enabled. Spec files in these directories can add devices, mounts and
# hooks to containers, so the directories should be writable by root only.
enable_cdi = true
cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"]
[plugins."io.containerd.cri.v1.runtime".containerd]
default_runtime_name = "runc"
[plugins."io.containerd.cri.v1.runtime".containerd.runtimes]
[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
# false: privileged containers are also given access to host devices.
privileged_without_host_devices = false
sandboxer = "podsandbox"
[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runc.options]
# pivot_root stays in use and each container gets a new session keyring.
# Both are the isolation-preserving settings.
NoPivotRoot = false
NoNewKeyring = false
# runc creates cgroups through systemd. The kubelet must use the same driver;
# the kubelet command line on this page passes --cgroup-driver=systemd.
SystemdCgroup = true
[plugins."io.containerd.cri.v1.runtime".cni]
# CNI plugin binaries are executed on the host during pod network setup, so
# bin_dirs and conf_dir should be writable by root only.
bin_dirs = ["/opt/cni/bin"]
conf_dir = "/etc/cni/net.d"
# Only one network configuration file is loaded from conf_dir.
max_conf_num = 1
[plugins."io.containerd.nri.v1.nri"]
# NRI is enabled. NRI plugins can adjust container specifications, so the
# socket and both plugin directories need root-only access.
disable = false
socket_path = "/var/run/nri/nri.sock"
plugin_path = "/opt/nri/plugins"
plugin_config_path = "/etc/nri/conf.d"
plugin_registration_timeout = "5s"
plugin_request_timeout = "2s"
# false: externally started plugins may connect over socket_path.
disable_connections = false
kubelet
启动参数
root 2165 1 0 10:11 ? 00:00:20 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --pod-manifest-path=/etc/kubernetes/manifests --v=3 --authorization-mode=Webhook --authentication-token-webhook=true --anonymous-auth=false --client-ca-file=/etc/kubernetes/pki/ca.crt --container-runtime-endpoint=/var/run/containerd/containerd.sock --cgroup-driver=systemd --node-labels=alibabacloud.com/nodepool-id=np7c4f1ce4799742d7b300248362d8d53d,ack.aliyun.com=ca133aaf80fd542038acda778fbbf93a1 --rotate-certificates=true --cert-dir=/var/lib/kubelet/pki --node-ip=0.0.0.0 --config=/var/lib/kubelet/ack-managed-config.yaml --hostname-override=cn-hangzhou.10.0.0.238 --cluster-dns=192.168.0.10 --cloud-provider=external --provider-id=cn-hangzhou.i-bp16qq4fgg0o7ecm6hm1 --enable-controller-attach-detach=true
配置文件
- systemd 配置
- kubelet 配置
/etc/systemd/system/kubelet.service
# ! IMPORTANT !
# This configuration is managed and generated by ACK
# please do not edit it to avoid unexpected failures
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/
[Service]
# ExecStart carries no flags, yet the running kubelet shown on this page has
# many (including its authentication and authorization flags).
# NOTE(review): they presumably come from a systemd drop-in or environment
# file; check the effective unit with `systemctl cat kubelet` when auditing.
ExecStart=/usr/bin/kubelet
Restart=always
# 0 disables systemd's start rate limiting, so together with Restart=always
# the kubelet is restarted without limit, RestartSec seconds after each exit.
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target
/var/lib/kubelet/ack-managed-config.yaml
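# ! IMPORTANT !
# This configuration is managed and generated by ACK
# please do not edit it to avoid unexpected failures
#
# KubeletConfiguration loaded through the kubelet --config flag.
# Nested mappings are indented below: with every key at column 0 the children
# of featureGates, evictionHard, systemReserved and kubeReserved would be read
# as top-level keys, and cpu/memory/pid would appear twice.
# Authentication and authorization are not configured in this file; on the
# node shown on this page they are passed as kubelet command-line flags.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# false: images are pulled in parallel rather than one at a time.
serializeImagePulls: false
cpuManagerPolicy: none
clusterDomain: cluster.local
clusterDNS:
- 192.168.0.10
# Cipher suites offered by the kubelet's TLS server: ECDHE key exchange with
# AES-GCM or ChaCha20-Poly1305 only.
# NOTE(review): tlsMinVersion is not set in this file, so the default minimum
# TLS version applies; confirm it meets your baseline.
tlsCipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
maxPods: 48
# Per-pod PID cap; bounds the damage a fork bomb in one pod can do to the node.
podPidsLimit: 16384
containerLogMaxSize: 100Mi
containerLogMaxFiles: 10
featureGates:
  RotateKubeletServerCertificate: true
# Hard eviction thresholds: pods are evicted once a signal drops below its value.
evictionHard:
  imagefs.available: 15%
  memory.available: 300Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
# The kubelet command line shown on this page passes a different --provider-id.
# Command-line flags take precedence over this file; the two listings were
# presumably captured on different nodes.
providerID: cn-hangzhou.i-bp1bbgnuonurc0d6cbdq
# Resources set aside for OS daemons (systemReserved) and for Kubernetes node
# components (kubeReserved); pid is given as a quoted string.
systemReserved:
  cpu: 40m
  memory: 391Mi
  pid: "1000"
kubeReserved:
  cpu: 40m
  memory: 391Mi
  pid: "1000"
# The kubelet requests its serving certificate from the cluster's certificates
# API instead of self-signing one. These requests need an approver.
# NOTE(review): confirm that whatever approves them checks the requested
# names/IPs against the node identity.
serverTLSBootstrap: true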