性，并且与开放式编辑器上下文的集成使得对错误的研究或请求聊天协助执行与焦点代码相关的任务变得轻而 易举。 57. Insomnia 试验 自从 Postman 在 2023 年 5 月宣布将逐渐淘汰具有离线功能的 Scratch Pad 模式以后，需要将 API 工作区数据 从第三方服务器上隔离的团队不得不寻找替代方案。Insomnia 就是可选的替代方案之一：这是一款专为 API 测 试、开发和调试而设计的开源桌面应用程序。虽然 相比，它更轻量、更快速并且更容易部署和使用。这个工具仍在开发阶段，所以目前功能较少，但其简洁和速 度已经显示出了它的巨大潜力。您也可以使用 OrbStack 在 macOS 上创建和管理 Linux 虚拟机。 81. Pixie 评估 Pixie 是一个用于 Kubernetes 原生应用程序的可观察性工具。它通过利用 eBPF 从多个 数据源 自动地采集遥测 数据，以一种有趣的方式

heal unhealthy Operands based on Operand metrics/alerts/logs • Operator can prevent the Operand from transitioning into an unhealthy state based on Operand metrics Auto-tuning • Operator is able to dynamically shifts workloads onto best suited nodes Abnormality detection • Operator determines deviations from a standard performance profile Observerbility 日志、系统指标等采集、分析；监控配置与报警；性能 指标收集与分析等等。 Backup & Restore *runtime.Scheme) error {...} ⚠️ Owns + SetControllerReference 配合，保证收到所有事件 实战：build an operator from scratch 实验描述： Kubernetes 中有一个支持用 Cron 表达式运行定时任务的对象叫 CronJob，本次实验会用 Kubebuilder 构建一个 Operator，重新实现 CronJob

集装箱 kubernetes 舵手，领航员 helm 舵轮，驾驶盘 chart 图表，海图 ①k8s对系统要求 linux内核在3.10及以上，服务器规格2核cpu，2G内存及以上，可以装在虚拟机 里，也可以装在实体机上 ②规划主机名及ip k8s的服务器使用固定ip地址，配置主机名，要求能解析相应的主机名（master /etc/yum.repos.d/ # wget h�ps://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo #aliyun的源 或者： h�ps://download.docker.com/linux/centos/docker-ce.repo #官方的 源 然后在/etc/yum.repos $basearch baseurl=h�ps://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable enabled=1 gpgcheck=1 gpgkey=h�ps://mirrors.aliyun.com/docker-ce/linux/centos/gpg # yum install containerd.io -y #

to optimize 02 Comparison with industry Performance measurement 03 04 Future work 05 06 Lessons from eBPF What is K8s Service • It exposes a set of pods via VIP using a load balancer • Two types at PREROUTING chain • SNAT at POSTROUTING chain • Pros • Iptables is widely adopted in popular Linux distributions • Cons • O(N^2) in control plane / O(N) in data plane • Poor in scheduling algorithm • Iptables/conntrack SNAT • How IPVS bypasses conntrack? • Ingress • Move IPVS Netfilter hook from local-in to PREROUTING • The challenges • Skb’s pointer to route is NULL during PREROUTING • No de-fragment

【注】所有节点(k8s-master, k8s-node1, k8s-node2, k8s-node3)均需做以下 B~D： B. 升级&配置 centos7 Step1. 升级 linux 内核 uname –r wget https://cbs.centos.org/kojifiles/packages/kernel/4.9.220/37.el7/x86_64/kernel-4 device-mapper-persistent-data lvm2 # 添加 yum 源 yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo # 查看 docker-ce 安装包 yum list | grep docker-ce # 安装 docker-ce yum install ceph-mgr=enabled Step1: 安装 rook-ceph 集群 download from https://github.com/rook/rook/blob/master/cluster/examples/kubernetes/ceph/common.yaml download from https://github.com/rook/rook/blob/master/clust

NUMA host When Linux initially allocates a threads, it is assigned a preferred node, by default memory allocations come from this node the thread runs on, but can potentially come from other nodes with too For the vSphere hypervisor, there are advanced vNUMA settings, they rarely need to be changed from defaults. link 15 Kubernetes Resource Management How it works • Specified and “metered” on a per Kubernetes -> container runtime -> Linux -> hypervisor (optional) ​Kubernetes control plane manages desired policy. ​Enforcement passes Pod -> container runtime -> Linux OS ​Cgroups are used to map Pod

NUMA host When Linux initially allocates a threads, it is assigned a preferred node, by default memory allocations come from this node the thread runs on, but can potentially come from other nodes with too For the vSphere hypervisor, there are advanced vNUMA settings, they rarely need to be changed from defaults. link 15 Kubernetes Resource Management How it works • Specified and “metered” on a per Kubernetes -> container runtime -> Linux -> hypervisor (optional) Kubernetes control plane manages desired policy. Enforcement passes Pod -> container runtime -> Linux OS Cgroups are used to map Pod CPU

uname -s minix $ gcc linux.c Self hosting $ uname -s minix $ gcc linux.c Self hosting Self hosting $ uname -s linux $ gcc linux.c Self hosting $ uname -s linux $ gcc linux.c Self hosting Self-hosted run v1.4.5 ● API Server is v1.4.3 ● Scheduler is v1.4.3 Kubernetes Version Operator Differences from desired config ● API Server should be v1.4.5 ● Scheduler should be v1.4.5 How to get there ● Upgrade

Nomad Container OpenStack Others Why We Run VM on Kubernetes? • Traditional Applications • No linux based Applications • Functions provided by host kernel are not satisfied • OpenStack is too complex cluster addon • freedom - not limited by Pod definition Cons • VMs need to be managed separately from kubelet • a new controller • much bigger codebase RancherVM https://github.com/rancher/vm Package portion of the Linux system surface https://github.com/google/gvisor Why does gVisor exist? ü a single, shared kernel also mean that container escape is possible ü gVisor implements Linux by way of Linux

10，Docker已经原⽣⽀持了Kubernetes。你所要做的只是启⽤Kubernetes即可，如下图： Minikube ⼀些场景下，安装Minikube是个不错的选择。该⽅式适⽤于Windows 10、Linux、macOS 官⽅安装说明⽂档：https://github.com/kubernetes/minikube 如何在Windows 10上运⾏Docker和Kubernetes？：http://dockone 到在相同的Node上。 尽管Kubernetes⽐Docker⽀持更多的容器运⾏时，但Docker是最常⻅的运⾏时，这样有助于使⽤Docker术语中描述 Pod。 Pod的共享上下⽂是⼀组Linux命名空间、cgroups和潜在的其他⽅⾯的隔离机制——这⼀点与Docker容器的隔离机制⼀ 致。 在Pod的上下⽂中，各个应⽤程序可能会有更⼩的⼦隔离环境。 Pod中的容器共享IP地址和端⼝，并且可通过 Node上，被设为⽴即终⽌的Pod在被强制杀死之前仍然会有⼀个较⼩的优雅关闭时间。 强制删除对于某些Pod可能是危险的，应慎⽤。在StatefulSet Pod的情况下，请参阅deleting Pods from a StatefulSet 。 Pod phase Pod的 status 字段是⼀个PodStatus 对象，它有⼀个 phase 字段。 Pod的phase是Pod在其⽣命周期中