넶浏览量:0
2023-04-10 09:59
在 Fedora CoreOS 中运行容器
[图片来源:Fedora Docs ]
Fedora CoreOS is an automatically updating, minimal, monolithic, container-focused operating system, designed for clusters but also operable standalone, optimized for Kubernetes but also great without it. It aims to combine the best of both CoreOS Container Linux and Fedora Atomic Host, integrating technology like Ignition from Container Linux with rpm-ostree and SELinux hardening from Project Atomic. Its goal is to provide the best container host to run containerized workloads securely and at scale.
🪧摘自 Fedora CoreOS Documentation #容器 #CoreOS
写在前面
随着云原生的快速发展,将业务系统部署以 Kubernetes 这种容器编排系统为主的用户越来越多,在使用过程中,底层操作系统由于无法实现一致性配置而导致的问题频频出现,因此一个专门用于运行容器,使用了容器的设计理念的操作系统应运而生,常见的容器操作系统有Fedora CoreOS 、 Red Hat CoreOS 、RancherOS 、Photon 、 KubeOS等
本文使用 Fedora CoreOS 作为样例运行一个简单的容器。
扩展知识:Fedora 在早期有一个专门运行容器的产品Atomic,后来红帽将 CoreOS收购之后,红帽将Atomic和CoreOS合并为Fedora CoreOS,简称 fcos,商业版本为Red Hat CoreOS,简称RHCOS。
准备工作
您需要实现准备一台和将来部署FCOS能够通信的一个 web 服务器,用于存放 ignition文件。
我这里使用的一台桌面版本 Linux 发行版:Linux Mint 21.1
网络信息如下
┌💁 devops @ 💻 workstation in 📁 ~
└❯ ip addr show ens37
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:d9:67:b5 brd ff:ff:ff:ff:ff:ff
altname enp2s5
inet 172.25.254.228/24 brd 172.25.254.255 scope global dynamic noprefixroute ens37
valid_lft 155sec preferred_lft 155sec
inet6 fe80::712d:e12e:ba61:7545/64 scope link noprefixroutevalid_lft forever preferred_lft forever
并且我已经准备好了 Web 服务器
┌💁 devops @ 💻 workstation in 📁 ~
└❯ sudo systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-02-19 22:33:33 MST; 1h 58min ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 947 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Process: 5087 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Main PID: 1031 (apache2)
Tasks: 55 (limit: 2182)
Memory: 6.5M
CPU: 289ms
CGroup: /system.slice/apache2.service
├─1031 /usr/sbin/apache2 -k start
├─5105 /usr/sbin/apache2 -k start
└─5106 /usr/sbin/apache2 -k start
Feb 19 22:33:31 workstation.lab.example.net systemd[1]: Starting The Apache HTTP Server...
Feb 19 22:33:33 workstation.lab.example.net systemd[1]: Started The Apache HTTP Server.
Feb 20 00:00:00 workstation.lab.example.net systemd[1]: Reloading The Apache HTTP Server...
Feb 20 00:00:00 workstation.lab.example.net systemd[1]: Reloaded The Apache HTTP Server.
┌💁 devops @ 💻 workstation in 📁 ~
└❯ ss -tplna | grep :8080
LISTEN 0 511 *:8080 *:*
请事先下载 FCOS 镜像
最新版本Fedora下载站点 https://getfedora.org/
本文使用镜像的链接 :
https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/37.20230122.3.0/x86_64/fedora-coreos-37.20230122.3.0-live.x86_64.iso
在LinuxMint中安装butane
Fedora社区为 Linux 客户端提供了两种方式来安装butane工具,这种工具可以将编写好的ignition文件转为 JSON 格式;第一种使用 dnf 进行安装,第二种使用 brew安装;我们采用 brew方式安装
首先安装 brew 工具
┌💁 devops @ 💻 workstation in 📁 ~└❯ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
配置 brew 工具
┌💁 devops @ 💻 workstation in 📁 ~
└❯ (echo; echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"') >> /home/devops/.bashrc
┌💁 devops @ 💻 workstation in 📁 ~
└❯ sudo apt-get install build-essential
┌💁 devops @ 💻 workstation in 📁 ~
└❯ source ~/.bashrc
┌💁 devops @ 💻 workstation in 📁 ~
└❯ brew install gcc
使用 brew安装 butane
┌💁 devops @ 💻 workstation in 📁 ~
└❯ brew install butane
生成密钥对
┌💁 devops @ 💻 workstation in 📁 ~└❯ ssh-keygen -t rsa -N '' -b 2048 -f ~/.ssh/id_rsa -q┌💁 devops @ 💻 workstation in 📁 ~└❯ cat ~/.ssh/id_rsa.pubssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCms5d2FmXtXmhSJIezA812ymi4uT3XELM508FkD/4Pv+wXE0gl/aN7bPCVD6qxpHbXHgj6nWTIoej3pZeEYEOGlXua98tSyu3aaBfj5UIY5eF8838EireSJSVZPj3k6aB8ryL5W4G/4buwW6IzvvRRrknJDsFvajs5LvLiLUNrag/i9PIQZ0VZZQbLhx0/ZJCDAFIREpXuyPM+FsS2TYOnRZNeD/2IFscI05Xe4mA0NdI8Fzfji0c0dIBKYDD3mKFQ7qhvaLD7Q2v6I9hyfe5nZqAcaPW2f+rfsycdkhSOCZNQ7DbfWm7ILbAz+FFAUuzrMseytoEfOXbemQpgM7q5hIJgZkLOb38o4e6uXH+A43svE5U1tWKpaX2yRDSvi4rP9Nae0SdrkBzFG9dPzQvbEFYla+6BiFh+iRnnOLegni1WT9GjOonKay0/XCxH9s8mlXK1hKd/jgWf9j/BTkAOb++NZDCV5fsfGG+wnMUAcc44U6MNij+w3n4u6BiqAB0= devops.lab.example.net
2. 查看FCOS节点网络、硬件等信息
创建一台虚拟机,设置为 UEFI ,使用 fcos 光盘引导,界面如下
查看网卡名
如果您的虚拟机没有通过DHCP获取地址,需要手动设置网络信息,确保可以和提供ignition文件的主机进行通信
设置网络的命令为 sudo nmtui
激活网络连接
使状态由 Deactivate 变为 Activate,再变为 Deactivate
检查是否生效
检查磁盘信息
3. 开始编写ignition文件
创建文件 fcos36.yml, 根据需要编写的ignition文件如下:
variant: fcosversion: 1.4.0# 创建用户 core 并使用 ssh 认证登录passwd:users:name: coressh_authorized_keys:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCms5d2FmXtXmhSJIezA812ymi4uT3XELM508FkD/4Pv+wXE0gl/aN7bPCVD6qxpHbXHgj6nWTIoej3pZeEYEOGlXua98tSyu3aaBfj5UIY5eF8838EireSJSVZPj3k6aB8ryL5W4G/4buwW6IzvvRRrknJDsFvajs5LvLiLUNrag/i9PIQZ0VZZQbLhx0/ZJCDAFIREpXuyPM+FsS2TYOnRZNeD/2IFscI05Xe4mA0NdI8Fzfji0c0dIBKYDD3mKFQ7qhvaLD7Q2v6I9hyfe5nZqAcaPW2f+rfsycdkhSOCZNQ7DbfWm7ILbAz+FFAUuzrMseytoEfOXbemQpgM7q5hIJgZkLOb38o4e6uXH+A43svE5U1tWKpaX2yRDSvi4rP9Nae0SdrkBzFG9dPzQvbEFYla+6BiFh+iRnnOLegni1WT9GjOonKay0/XCxH9s8mlXK1hKd/jgWf9j/BTkAOb++NZDCV5fsfGG+wnMUAcc44U6MNij+w3n4u6BiqAB0=storage:# 创建系统的根分区为 8GBdisks:device: /dev/disk/by-id/coreos-boot-diskwipe_table: falsepartitions:number: 4label: rootsize_mib: 8192resize: truesize_mib: 0label: var# 配置网卡 ens160 的网络信息files:path: /etc/NetworkManager/system-connections/ens160.nmconnectionmode: 0600contents:inline: |[connection]id=ens160type=ethernet=ens160[ipv4]address1=172.25.254.221/24;172.25.254.254dns=8.8.8.8;=lab.example.net=falsemethod=manual# 设置主机名path: /etc/hostnamemode: 0644contents:inline: fcos.xwanli0923.github.io# 创建容器本地持久化存储位置directories:path: /opt/website/htmloverwrite: true# 创建容器所需的文件path: /opt/website/html/index.htmloverwrite: truecontents:inline: <h1>Hello, I am Xing Wanli. Welcome to cloudshelledu!</h1>mode: 0644# 更改时区links:path: /etc/localtimetarget: ../usr/share/zoneinfo/Asia/Shanghai# 创建指定的文件系统filesystems:path: /vardevice: /dev/disk/by-partlabel/varformat: ext4with_mount_unit: true# 创建一个 Systemd Unit 文件,用于开机运行 podman 容器,容器名为 mywebserver ,映射主机端口为 80systemd:units:name: container-mywebserver.serviceenabled: truecontents: |[Unit]Description=Podman container-mywebserver.serviceDocumentation=man:podman-generate-systemd(1)Wants=network-online.targetAfter=network-online.targetRequiresMountsFor=%t/containers[Service]Environment=PODMAN_SYSTEMD_UNIT=%nRestart=on-failureTimeoutStopSec=70ExecStartPre=/bin/rm -f %t/%n.ctr-idExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm --replace -d --name mywebserver -v /opt/website/html:/usr/local/apache2/htdocs:Z -p 80:80 docker.io/library/httpd:latestExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-idExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-idType=notifyNotifyAccess=all[Install]WantedBy=multi-user.target default.target
将ignition文件转为 ign 格式
┌💁 devops @ 💻 workstation in 📁 ~└❯ butane --pretty --strict fcos36.yml --output fcos36.ign
将ignition文件存放在 Web 站点对应的目录下
┌💁 devops @ 💻 workstation in 📁 ~└❯ sudo cp fcos36.ign /var/www/html/ign/
测试文件是否能访问
在FCOS的虚拟机中执行命令
[core@localhost ~]$ exit # 如果看不到安装帮助命令,可先执行 `exit`[core@localhost ~]$ sudo coreos-installer install /dev/sda \--ignition-url http://172.25.254.228:8080/ign/fcos36.ign \--insecure-ignition
安装结束,重启系统
登录界面
5. 远程连接并验证结果
使用 SSH 私钥进行连接
devops @ 💻 workstation in 📁 ~ssh -i ~/.ssh/id_rsa core@172.25.254.221The authenticity of host '172.25.254.221 (172.25.254.221)' can't be established.ED25519 key fingerprint is SHA256:RmfcSQncM52Z6pn8acIrpXjsLpw167fDyiSjVKHCy0I.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '172.25.254.221' (ED25519) to the list of known hosts.Fedora CoreOS 37.20230122.3.0Tracker: https://github.com/coreos/fedora-coreos-trackerDiscuss: https://discussion.fedoraproject.org/tag/coreos~]$
查看磁盘分区
[]$ lsblkNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTSsda 8:0 0 20G 0 disk├─sda1 8:1 0 1M 0 part├─sda2 8:2 0 127M 0 part├─sda3 8:3 0 384M 0 part /boot├─sda4 8:4 0 8G 0 part /sysroot/ostree/deploy/fedora-coreos/var│ /usr│ /etc│ /│ /sysroot└─sda5 8:5 0 11.5G 0 part /var/lib/containers/storage/overlay/var
查看网络配置
[core@fcos ~]$ hostnamefcos.xwanli0923.github.io[core@fcos ~]$ ip addr show1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000link/ether 00:0c:29:d0:c3:a7 brd ff:ff:ff:ff:ff:ffaltname enp3s0inet 172.25.254.221/24 brd 172.25.254.255 scope global dynamic noprefixroute ens160valid_lft 151sec preferred_lft 151secinet6 fe80::6f14:2875:e850:8fd9/64 scope link noprefixroutevalid_lft forever preferred_lft forever3: podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000link/ether ce:16:23:ac:2f:1d brd ff:ff:ff:ff:ff:ffinet 10.88.0.1/16 brd 10.88.255.255 scope global podman0valid_lft forever preferred_lft foreverinet6 fe80::9c82:7aff:fec2:5025/64 scope linkvalid_lft forever preferred_lft forever4: veth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000link/ether 32:35:08:f9:a6:c3 brd ff:ff:ff:ff:ff:ff link-netns netns-a5949274-3549-2bb7-7ce9-36465802458einet6 fe80::3035:8ff:fef9:a6c3/64 scope linkvalid_lft forever preferred_lft forever
检查容器
~]$ sudo podman psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES3cec19adf88f docker.io/library/httpd:latest httpd-foreground 6 minutes ago Up 6 minutes ago 0.0.0.0:80->80/tcp mywebserver
客户端访问
参考文档:- Fedora CoreOS裸金属安装
