Process eviction: When there is resource pressure on a machine, it may be due to a malicious program that is consuming system resources, or due to overcommit. The system reduces the overall impact of a single program on the system by controlling the survival of processes on the machine. The most critical aspect of the eviction phase is to select the right process to ensure system stability by minimizing the cost.
Containerd Docking Private Image Repository Harbor
Harbor is a CNCF Foundation-hosted open source trusted cloud-native docker registry project that can be used to store, sign, and scan image content. Harbor extends the docker registry project by adding some common features such as security, identity rights management, etc. In addition, it also supports copying images between registries and provides more advanced security features such as user management, access control, and activity auditing, etc. Support for Helm repository
Error [ERR_REQUIRE_ESM]: require() of ES Module Error Problem and Solution
In the Node.js Cli tools project developed with TypeScript, the output of tsconfig.json is set to CommonJS.
When importing external dependencies such as chalk, boxen, etc., the latest versions of these packages are pure ES Module packages, resulting in an error like the following and not available.
1 2 3 4 5 6 Error [ERR_REQUIRE_ESM]: require() of ES Module xxx\node_modules\boxen\index.js from abc.ts not supported. Instead change the require of index.js in xxx.
How to use Docker in Alpine Linux Docker images
Docker in Docker actually makes a lot of sense, like the following scenario I encountered.
I need to use the CIDI service provided by the public cloud to trigger one-click build+test+deployment in the cloud, so I need an environment to build and release, but the build node in the cloud does not necessarily meet my criteria.
In the case of cloud build nodes we have no way to control (i.e. we can’t SSH directly to them).
Load balancing problem for Keep-Alive connections
In a distributed system, if Service A has to invoke Service B and multiple instances of both services are deployed, the problem of load balancing has to be solved. That is, we want the QPS reaching B to be balanced across all instances of B.
In previous HTTP/1.1-like implementations, Service A needs to establish a TCP connection with B for each request. So the load balancing implementation is generally based on the number of connections.
Using Prometheus Pushgateway to push monitoring metrics
We know that Prometheus uses the pull mode, but in some network scenarios (such as not on a subnet or firewall), Prometheus cannot directly pull the monitoring metrics data, so we may need a mode that can actively push. Pushgateway is one of the tools in the Prometheus ecosystem to solve this problem. However, Pushgateway is not a panacea and has some drawbacks. Aggregating data from multiple nodes to pushgateway,
How to customize linter (static checking tool) in Go
Usually we use static code checking tools to ensure code quality in our business projects, through static code checking tools we can find some problems in advance, such as undefined variables, type mismatches, variable scope problems, array subscript overruns, memory leaks, etc. The tools will classify the severity of the problem according to their own rules, giving different signs and hints, static code checking The static code checker helps us
Deploying an Elasticsearch stack on a Kubernetes cluster
If Logstash is used to receive log input from Filebeat centrally, it is easy to cause performance bottleneck due to single machine; if Kafka is used to receive log input from Filebeat, the timeliness of logs is not guaranteed. Here, the logs collected by Filebeat are directly output to Elasticsearch.
1. Preparation Node planning
Instead of distinguishing master, data, and client nodes, three nodes of a cluster are directly multiplexed here.
Design and implementation of kube-apiserver
kube-apiserver is a component in kubernetes that interacts directly with etcd and controls changes to core resources in kubernetes. It provides the following main functions. Providing Kubernetes API, including authentication authorization, data validation, and cluster state changes, for clients and other components to call. Proxy some additional component components in the cluster, such as Kubernetes UI, metrics-server, npd, etc. Creating kubernetes services, i.e., Service that provides apiserver, kubernetes Service. conversion
Implementation of apiserver service in kube-apiserver
In kubernetes, the kubernetes API can be accessed from both outside and inside the cluster, directly outside the cluster by accessing the API provided by the apiserver, and inside the cluster by accessing the service as the ClusterIP for kubernetes. kubernetes clusters create a kubernetes service after initialization. A kubernetes service is created and maintained by kube-apiserver, as follows. 1 2 3 4 5 6 7 $ kubectl get service
knative serving component analysis
The created components can be seen under the knative-serving namespace after the deployment of knative.
1 2 3 4 5 6 7 8 9 10 $ kubectl get pod -n knative-serving NAME READY STATUS RESTARTS AGE activator-7fff689bcb-zt9pm 2/2 Running 2 28d autoscaler-5bcff95856-pr6nk 2/2 Running 3 28d autoscaler-hpa-75584dd678-fpk7w 2/2 Running 1 28d controller-bbdd78bc4-6cqm4 2/2 Running 1 28d istio-webhook-5f5794dcc4-sgzlj 2/2 Running 1 28d networking-istio-7d875675c7-gc55v 1/1 Running 0 28d storage-version-migration-f46wc 1/2 Running 2 28d webhook-68bb66b676-9xk4s 2/2 Running 11 28d Create knative serving First create a knative service for testing, the yaml file is shown below.
Blkio Cgroup
blkio cgroup basic functions blkio is a subsystem in cgroup v1. The main reason for using cgroup v1 blkio subsystem is to reduce the problem of mutual interference when processes read and write to the same disk together.
The cgroup v1 blkio control subsystem can limit the IOPS and throughput of process reads and writes, but it can only limit the speed of file reads and writes for Direct I/O, but not for Buffered I/O.
How Pod Eviction Happens in kubernetes
Recently, we found that many instances on our network are in Evicted state. Through pod yaml, we can see that the instances are being evicted because of insufficient node resources. However, these instances are not automatically cleaned up, and most users of the platform will think that there is a problem with the service or the platform when they see Evicted instances under the service, which affects the user experience. The Pods in the Evicted state have been destroyed in the underlying container, which has no impact on the user’s service.
The difference between function return values and pointers in Golang
Variable memory allocation and recycling Go programs allocate memory for variables in two places, one is the global heap and the other is the function call stack. The Go language has a garbage collection mechanism, and it is up to the compiler to decide whether a variable is allocated on the heap or stack in Go, so developers don’t need to pay much attention to whether a variable is allocated
Golang program startup flow analysis
1. Flow of Golang code being run up by the OS 1.1. Compilation The go source code is first compiled into an executable file by go build, which is an ELF format executable file on linux platform, and the compilation stage will go through three processes: compiler, assembler, and linker to finally generate an executable file. Compiler: *.go source code is generated as plan9 assembly code for *.s by the
Analysis of Golang GPM Models
Differences between threads, kernel threads and user threads Threads: From the kernel’s point of view there is no such concept as threads. Linux implements all threads as processes, and the kernel has no special scheduling algorithm to handle threads. A thread is simply seen as a process that shares some resources with other processes. Like processes, each thread has its own task_struct, so in the kernel, a thread appears to
Using and Extending the Descheduler Component in Kubernetes
Descheduler component introduction When an instance is created, the scheduler can select the best node for scheduling based on the cluster state at that time, but the resource usage within the cluster is dynamically changing, and the cluster will become unbalanced over time, requiring the Descheduler to migrate the pods already running on the node to other nodes to achieve a more balanced distribution of resources within the cluster. There are several reasons why we want to migrate the instances running on a node to other nodes.
OIDC (OpenID Connect) Introduction
I recently learned about OIDC in the authentication system and put together a blog that covers the concepts, processes, and usage of OIDC. Before introducing these, we need to clarify two terms Authorization and Authentication.
Authorization vs Authentication Here is OKTA’s definition of the two terms.
Authentication, in the form of a key. The lock on the door only grants access to someone with the correct key in much the same way that a system only grants access to users who have the correct credentials.
Self-signed certificate
Introduction CA provides certificate to ensure the security of transmitted information. Of course, individuals can also play the role of CA, but the client is not trusted at this time, and the CA certificate, i.e. CA public key, needs to be integrated into the client.
Information Security The security issues that need to be ensured during information transmission are: confidentiality of information, security of information, and identification of both parties.
Circuit Breaker Pattern
Introduction Circuit breaker mode, analogous to the circuit breaker mechanism in real circuits. When the line voltage is too high, the fuse will be broken, and the power can be restored after successful repair. Distributed scenarios also face service exceptions and network timeouts, which require a certain amount of time to recover. If the retry request is kept, it will return failure and take up resources during the unrecovered time.