control plane 所⽤的API 与开发⼈员和⽤户可⽤的API相同。⽤户可以使⽤ their own API 编写⾃⼰ 的控制器，例如 scheduler ，这些API可由通⽤ command-line tool 定位。 这种 design 使得许多其他系统可以构建在Kubernetes上。 Kubernetes不是什么？ Kubernetes不是⼀个传统的，全⾯的PaaS系统。 它保留了⽤户的重要选择。 10，Docker已经原⽣⽀持了Kubernetes。你所要做的只是启⽤Kubernetes即可，如下图： Minikube ⼀些场景下，安装Minikube是个不错的选择。该⽅式适⽤于Windows 10、Linux、macOS 官⽅安装说明⽂档：https://github.com/kubernetes/minikube 如何在Windows 10上运⾏Docker和Kubernetes？：http://dockone however version 18.0 is available. You should consider upgrading via the 'pip install --upgrade pip' command. 则执⾏ pip install --upgrade pip 升级pip，再执⾏ pip2 install jinja2 --upgrade 03-使⽤Kubespray部署⽣产可⽤的Kubernetes集群（1

Container configuration github.com/GoogleContainerTools/jib { "architecture" : "amd64", "os": "linux", "config": { "Env": [], "Entrypoint" : [ "java", "-cp", "/app/libs/* Development on Kubernetes Skaffold + Jib Continuous development for Kubernetes Skaffold is a command line tool that facilitates continuous development for Kubernetes applications. You can iterate on

集装箱 kubernetes 舵手，领航员 helm 舵轮，驾驶盘 chart 图表，海图 ①k8s对系统要求 linux内核在3.10及以上，服务器规格2核cpu，2G内存及以上，可以装在虚拟机 里，也可以装在实体机上 ②规划主机名及ip k8s的服务器使用固定ip地址，配置主机名，要求能解析相应的主机名（master /etc/yum.repos.d/ # wget h�ps://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo #aliyun的源 或者： h�ps://download.docker.com/linux/centos/docker-ce.repo #官方的 源 然后在/etc/yum.repos $basearch baseurl=h�ps://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable enabled=1 gpgcheck=1 gpgkey=h�ps://mirrors.aliyun.com/docker-ce/linux/centos/gpg # yum install containerd.io -y #

即星际迷航中友好的Borg(博格人)角色。Kubernetes标识中舵轮有七个轮辐就是对该项目代 号的致意。 Kubernetes v1.0于2015年7月21日发布。随着v1.0版本发布，谷歌与Linux 基金会合作组建了 Cloud Native Computing Foundation (CNCF)并把Kubernetes作为种子技术来提供。目前最新的 版本是1.16版本。（https://github 每个Pod都有一个特殊的称之为“根容器”的Pause容器。Pause容器对应的镜像属于k8s平台的一部分，除了Pause容 器外，每个Pod还包含一个或多个紧急相关的用户业务容器。他为每个业务容器提供如下功能：①在pod中担任Linux命 名空间共享的基础。②启用pid命名空间，开启init进程。 引入这种方式的原因： 1. 一组容器运行的pod中，很难对整体进行判断，引入pasue作为根容器， 以他的状态代表整个容器组的状态。 Kubernetes常见命令介绍 kubectl是k8s客户端CLI工具，可以让用户通过命令行的方式对k8s集群进行操作。 kubectl命令行语法： kubectl [command] [TYPE] [NAME] {flags} command:子命令，用于操作k8s集群的资源对象的命令，例如create、delete、describe、get、apply等。 TYPE： 资源对象的类型，区分大小写，

memory as possible. Where does this lead? Node 0 32GB Node 1 21GB 2 CPU Nodes – NUMA host When Linux initially allocates a threads, it is assigned a preferred node, by default memory allocations come Application can be modified / reconfigured? • The application can be “wrapped” with a numactl command to interleave memory, or engage other options • potentially broad performance effects. (e.g interleaving Kubernetes -> container runtime -> Linux -> hypervisor (optional) ​Kubernetes control plane manages desired policy. ​Enforcement passes Pod -> container runtime -> Linux OS ​Cgroups are used to map Pod

memory as possible. Where does this lead? Node 0 32GB Node 1 21GB 2 CPU Nodes – NUMA host When Linux initially allocates a threads, it is assigned a preferred node, by default memory allocations come Application can be modified / reconfigured? • The application can be “wrapped” with a numactl command to interleave memory, or engage other options • potentially broad performance effects. (e.g interleaving Kubernetes -> container runtime -> Linux -> hypervisor (optional) Kubernetes control plane manages desired policy. Enforcement passes Pod -> container runtime -> Linux OS Cgroups are used to map Pod CPU

Kubernetes是云操作系统内核，整个集群是一个整体 Sealos是云操作系统发行版本 Linux发行版，如redhat Linux kernel CPU 内存 磁盘 Linux发行版，如redhat Linux kernel CPU 内存 磁盘 Linux发行版，如redhat Linux kernel CPU 内存 磁盘 有了 sealos 就可以一条命令构建一朵云 抛弃 抛弃 IaaS PaaS SaaS 拥抱 云内核 架构 传统云计算架构 基于云内核的云计算架构 SaaS PaaS IaaS 分层架构代表 openstack 内核架构代表 linux 我快黄了 我经久不衰 我一锅大杂烩 我高内聚高抽象 我装起来都费劲 我一键安装 我运行起来一堆问题 我小白都能稳定运行 我一堆模块 我大道至简海纳百川 不求最好，但求最贵 优秀还便宜 你真的需要虚拟机？真的需要 用户态内核态反复横跳 在 Sealos 上使用 GPU 在 Sealos 上利用 Cilium + BPF 实现流量统计 Slide source credit to: How to Make Linux Microservice-Aware with Cilium and eBPF (InfoQ, 2019) 集群生命周期管理 创建集群 装其它应用 增删集群节点 离线交付 sealos

uname -s minix $ gcc linux.c Self hosting $ uname -s minix $ gcc linux.c Self hosting Self hosting $ uname -s linux $ gcc linux.c Self hosting $ uname -s linux $ gcc linux.c Self hosting Self-hosted

at PREROUTING chain • SNAT at POSTROUTING chain • Pros • Iptables is widely adopted in popular Linux distributions • Cons • O(N^2) in control plane / O(N) in data plane • Poor in scheduling algorithm support in eBPF verifier (Linux 4.14) • #param unroll • Size limitation of BPF program <= 4096 • Move SNAT allocate port loop into IPVS kernel module • Bounded loop support in Linux 5.3 • Size limitation limitation of BPF program is one million after Linux 5.2 Lessons from eBPF • Too strict check in eBPF verifier • Example: s64 bpf_csum_diff(__be32 * from, u32 from_size, __be32 * to, u32 to_size); pass

Nomad Container OpenStack Others Why We Run VM on Kubernetes? • Traditional Applications • No linux based Applications • Functions provided by host kernel are not satisfied • OpenStack is too complex portion of the Linux system surface https://github.com/google/gvisor Why does gVisor exist? ü a single, shared kernel also mean that container escape is possible ü gVisor implements Linux by way of Linux Linux ü another approach to enhance container isolation gVisor is special Machine-level virtualization Rule-based execution gVisor Technology landscape DEMO