Kubernetes installation problems, collected (continuously updated)

1. The pause image problem

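  • Cause
    When the pause image was imported, no namespace was specified, so it landed in the default namespace. All night long, every Pod that was created stayed in the following state.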
Warning  FailedCreatePodSandBox  116s (x5064 over 18h)  kubelet  (combined from similar events): 
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to get sandbox image "registry.cn-hangzhou.aliyuncs.com/chenby/pause:3.6": 
failed to pull image "registry.cn-hangzhou.aliyuncs.com/chenby/pause:3.6": failed to pull and unpack image "registry.cn-hangzhou.aliyuncs.com/chenby/pause:3.6": 
failed to resolve reference "registry.cn-hangzhou.aliyuncs.com/chenby/pause:3.6": failed to do request: Head "https://registry.cn-hangzhou.aliyuncs.com/v2/chenby/pause/manifests/3.6": dial tcp: lookup registry.cn-hangzhou.aliyuncs.com on [::1]:53: read udp [::1]:36711->[::1]:53: read: connection refused


Warning  FailedCreatePodSandBox  9s  kubelet, worker-2  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to get sandbox image "k8s.gcr.io/pause:3.1": failed to pull image "k8s.gcr.io/pause:3.1": failed to pull and unpack image "k8s.gcr.io/pause:3.1": failed to resolve reference "k8s.gcr.io/pause:3.1": failed to do request: Head https://k8s.gcr.io/v2/pause/manifests/3.1: dial tcp 108.177.97.82:443: i/o timeout
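  • Solution
    While trying containerd as the CRI in a k8s cluster, I found that downloading and importing images differs from docker in a few ways, roughly as follows:

ctr, the containerd command-line tool, is not as feature-rich as docker. For example, ctr 1.2 has no tag subcommand; it only arrived in 1.3. To support multi-tenant isolation, containerd has the concept of a namespace: images and containers are separate in each namespace, and when ctr is used directly it operates on the default namespace.

If you are using ctr 1.2, you can tag the image with docker tag and then import it with ctr: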

docker save k8s.gcr.io/pause -o pause.tar
ctr -n <namespace> images import pause.tar

k8s only uses images in the k8s.io namespace. So I imported the image into k8s.io as well, and the containerd worker could finally be scheduled normally.

$ ctr namespace ls
NAME    LABELS
default
k8s.io

$ ctr -n k8s.io images import pause.tar
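
As an added example (not part of the original post), the script below pulls the sandbox image reference out of a FailedCreatePodSandBox event and reports which containerd namespace holds it. The function names, the sample event and the sample listing are constructed for illustration; `list_all_namespaces` assumes `ctr` is available on the node.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): locate the sandbox image that a
# FailedCreatePodSandBox event asks for, per containerd namespace.

# Read event text on stdin, print the ref in: failed to get sandbox image "<ref>"
sandbox_image_from_event() {
  sed -n 's/.*failed to get sandbox image "\([^"]*\)".*/\1/p' | head -n 1
}

# $1 = wanted ref, $2 = lines of "namespace<TAB>ref". kubelet's CRI calls only
# see the k8s.io namespace, so a copy anywhere else does not help.
diagnose() {
  local want="$1" listing="$2" found
  found=$(printf '%s\n' "$listing" |
    awk -F'\t' -v w="$want" '$2 == w { print $1 }' | sort -u)
  if printf '%s\n' "$found" | grep -qxF 'k8s.io'; then
    echo "ok: $want is in k8s.io"
  elif [ -n "$found" ]; then
    echo "wrong-namespace: $want found only in: $(echo $found | tr ' ' ',')"
  else
    echo "missing: $want is not in any namespace"
  fi
}

# Live listing for a real node (needs ctr and root); same format as above.
list_all_namespaces() {
  local ns
  for ns in $(ctr namespaces ls -q); do
    ctr -n "$ns" images ls -q | awk -v ns="$ns" '{ print ns "\t" $0 }'
  done
}

# Constructed sample input: an event shortened from the one quoted above, and
# a listing shaped like the post's situation (pause imported into default).
SAMPLE_EVENT='Failed to create pod sandbox: rpc error: code = Unknown desc = failed to get sandbox image "k8s.gcr.io/pause:3.1": failed to pull image "k8s.gcr.io/pause:3.1"'
SAMPLE_LISTING=$(printf 'default\tk8s.gcr.io/pause:3.1\nk8s.io\texample.invalid/app:1.0')

img=$(printf '%s\n' "$SAMPLE_EVENT" | sandbox_image_from_event)
diagnose "$img" "$SAMPLE_LISTING"
# On a node: diagnose "$img" "$(list_all_namespaces)"
```

A "wrong-namespace" result is the situation described in this section: the image was imported, but not where kubelet looks for it.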

2. The libseccomp version problem

  • Problem
ctr: failed to create shim task: OCI runtime create failed: unable to retrieve OCI runtime error (open /run/containerd/io.containerd.runtime.v2.task/default/redis/log.json: no such file or directory): runc did not terminate successfully: exit status 127: runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond
: unknown
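  • Cause
    This means the dependency package libseccomp is missing. Note that the version yum installs on CentOS 7 is 2.3, which does not meet the requirements of the latest containerd; version 2.4 or later is needed. So I am providing a 2.5.1 build here: reply "libseccomp" to the WeChat official account "运维家" to get the download address.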

  • Solution

[yunweijia@localhost ~]$ sudo rpm -qa | grep libseccomp
libseccomp-devel-2.3.1-4.el7.x86_64
libseccomp-2.3.1-4.el7.x86_64
[yunweijia@localhost ~]$ sudo rpm -e libseccomp-devel-2.3.1-4.el7.x86_64 --nodeps
[yunweijia@localhost ~]$ sudo rpm -e libseccomp-2.3.1-4.el7.x86_64 --nodeps
[yunweijia@localhost ~]$ sudo rpm -ivh libseccomp-2.5.1-1.el8.x86_64.rpm
posted @ 2024-04-15 19:35  *一炁化三清*