
CentOS 7, Kubernetes installed with yum: Pods stay in ContainerCreating forever (problem and fix)

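Problem description

A Kubernetes cluster was installed with the CentOS 7 yum package manager. After kubectl reports that the service was created successfully, running kubectl get pods shows AGE increasing steadily while the status never changes.

In this post

  • Analyze the cause of the problem
  • Give a direct fix for this problem (imperfect)
  • Give an alternative approach

Let me walk you through it.

Problem analysis and fix

kubectl provides the describe subcommand, which prints detailed information about one or more specified resources.

Run kubectl describe pod mytomcat-9lcq5 to view the status of the problem Pod. The output is: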

[root@kube-master app]# kubectl describe pod mytomcat-9lcq5
Name:		mytomcat-9lcq5
Namespace:	default
Node:		kube-node-2/192.168.87.145
Start Time:	Fri, 17 Apr 2020 15:53:50 +0800
Labels:		app=mytomcat
Status:		Pending
IP:		
Controllers:	ReplicationController/mytomcat
Containers:
  mytomcat:
    Container ID:		
    Image:			tomcat:9-jre8-alpine
    Image ID:			
    Port:			8080/TCP
    State:			Waiting
      Reason:			ContainerCreating
    Ready:			False
    Restart Count:		0
    Volume Mounts:		<none>
    Environment Variables:	<none>
Conditions:
  Type		Status
  Initialized 	True 
  Ready 	False 
  PodScheduled 	True 
No volumes.
QoS Class:	BestEffort
Tolerations:	<none>
Events:
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  5m		5m		1	{default-scheduler }			Normal		Scheduled	Successfully assigned mytomcat-9lcq5 to kube-node-2
  4m		4m		1	{kubelet kube-node-2}			Warning		FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for registry.access.redhat.com/rhel7/pod-infrastructure:latest, this may be because there are no credentials on this request.  details: (Get https://registry.access.redhat.com/v1/_ping: net/http: TLS handshake timeout)"

  3m	3m	1	{kubelet kube-node-2}		Warning	FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for registry.access.redhat.com/rhel7/pod-infrastructure:latest, this may be because there are no credentials on this request.  details: (Network timed out while trying to connect to https://registry.access.redhat.com/v1/repositories/rhel7/pod-infrastructure/images. You may want to check your internet connection or if you are behind a proxy.)"

  2m	2m	1	{kubelet kube-node-2}		Warning	FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for registry.access.redhat.com/rhel7/pod-infrastructure:latest, this may be because there are no credentials on this request.  details: (Error: image rhel7/pod-infrastructure:latest not found)"

  3m	1m	3	{kubelet kube-node-2}		Warning	FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ImagePullBackOff: "Back-off pulling image \"registry.access.redhat.com/rhel7/pod-infrastructure:latest\""

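Looking at the events at the bottom of the output, Successfully assigned mytomcat-9lcq5 to kube-node-2 shows that the Pod was assigned to the host kube-node-2, and creating the Pod on that host then failed.

The reason is image pull failed for registry.access.redhat.com/rhel7/pod-infrastructure:latest, this may be because there are no credentials on this request.

From this we learn that pulling an image from Red Hat's own Docker registry requires a CA certificate for authentication before the pull can succeed.

Docker keeps its certificates under /etc/docker/certs.d. The domain in the error above is registry.access.redhat.com, so the certificate is in the directory of that name.

Listing it with ll shows that /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt is a symbolic link pointing to /etc/rhsm/ca/redhat-uep.pem

Anyone familiar with symlinks knows that a target shown in blinking red does not exist, so the certificate file /etc/rhsm/ca/redhat-uep.pem has to be generated.

Generate the certificate: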

# openssl s_client -showcerts -servername registry.access.redhat.com -connect registry.access.redhat.com:443 </dev/null 2>/dev/null | openssl x509 -text > /etc/rhsm/ca/redhat-uep.pem

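The certificate-generation command sometimes fails with unable to load certificate 139930742028176:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE; just run it again.

After the command finishes, check the certificate file the symlink points to: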

[root@kube-node-2 registry.access.redhat.com]# ll /etc/rhsm/ca/redhat-uep.pem
-rw-r--r-- 1 root root 9233 Apr 17 16:55 /etc/rhsm/ca/redhat-uep.pem

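The certificate file now exists. On the k8s master node kube-master, delete the Pods from earlier and wait for them to be recreated successfully (the second node did not manage to pull the image because of network problems...).

That completes the creation of the Pod.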
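A check for the certificate step above, as an added example that is not part of the original post. When the openssl pipeline fails with the no start line error, the shell redirect has already created an empty /etc/rhsm/ca/redhat-uep.pem, so the symlink is no longer dangling but still holds no certificate. The function name check_registry_ca and its status words are invented for this example; the fingerprint it prints is for comparison with a copy of the certificate obtained over another channel, because the command above stores whatever the server presented on that one connection.

```shell
#!/usr/bin/env bash
# Added example: classify the registry CA path that Docker reads.
# The default path is the one named in this post; pass another path to test.

# check_registry_ca [PATH] -> prints one of:
#   missing   nothing exists at PATH
#   dangling  PATH is a symlink whose target does not exist
#   empty     target exists but has no content (failed s_client run)
#   not-pem   target has content that openssl cannot parse as a certificate
#   ok        target parses; details go to stderr for manual comparison
check_registry_ca() {
  local p=${1:-/etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt}
  if [ -L "$p" ] && [ ! -e "$p" ]; then
    echo dangling; return 1
  fi
  [ -e "$p" ] || { echo missing; return 1; }
  [ -s "$p" ] || { echo empty; return 1; }
  if ! openssl x509 -in "$p" -noout 2>/dev/null; then
    echo not-pem; return 1
  fi
  # Subject, issuer, expiry and SHA-256 fingerprint of the stored certificate.
  openssl x509 -in "$p" -noout -subject -issuer -enddate \
    -fingerprint -sha256 >&2
  echo ok
}

# Stand-alone run: check the default path (or the path given as argument).
check_registry_ca "$@" || true
```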

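Some problems remain, though. From networks in China, access to outside networks is occasionally unreliable, which makes Pod creation fail; describe shows the same messages as before, yet the certificate file exists and has content.

Root cause analysis and an alternative approach

The k8s master node assigns the Pod creation to a worker node. Once it reaches the worker node, the Pod base image pod-infrastructure:latest is pulled from Red Hat's Docker registry. Because that registry uses HTTPS and the certificate has to be verified, the missing certificate makes the pull fail.

In addition, because the image is pulled from Red Hat's Docker registry, the handshake fails from networks in China and the image cannot be downloaded.

So the question becomes how to fix the failed pull of the k8s pod-infrastructure image. Here is one approach, with the following steps:

  • Pull a pod-infrastructure image that someone else uploaded to the official Docker registry: docker pull tianyebj/pod-infrastructure

  • Add a tag that changes it to the private registry address, for example: docker tag tianyebj/pod-infrastructure 10.2.7.70:5000/dev/pod-infrastructure

  • Push the image to the private registry, for example: docker push 10.2.7.70:5000/dev/pod-infrastructure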

  • On every worker node, edit /etc/kubernetes/kubelet and change registry.access.redhat.com/rhel7/pod-infrastructure to the tag set in the previous steps

    sed -i "s#registry.access.redhat.com/rhel7/pod-infrastructure#<private-registry pod-infrastructure image tag>#" /etc/kubernetes/kubelet
    

  • Restart kubelet on every worker node with systemctl restart kubelet, and that is all
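An added example (not from the original post) for the kubelet edit in the steps above: the sed shown there replaces only the repository name and leaves the old :latest suffix in place, so a replacement that carries its own tag would end up as <image>:v1:latest. The functions below replace the whole reference instead. The names set_pod_infra_image and get_pod_infra_image, the :v1 tag and the sample file content are constructed for this example, and the file is assumed to set the image through the kubelet flag --pod-infra-container-image.

```shell
#!/usr/bin/env bash
# Added example: rewrite the pod-infra image reference in a kubelet config.
# Assumption: the file carries --pod-infra-container-image=<ref>, as in the
# constructed sample inside demo() below.

# set_pod_infra_image FILE IMAGE
# Replaces the whole reference after the flag, including any old :tag or
# @digest. Keeps a one-time backup in FILE.orig.
# Returns 1 if the flag is absent, 2 if IMAGE has unexpected characters.
set_pod_infra_image() {
  local file=$1 image=$2 new
  [ -n "$image" ] || return 2
  # Allow only characters valid in an image reference; this also keeps
  # sed metacharacters such as '#', '&' and '\' out of the expression.
  case $image in *[!A-Za-z0-9._:/@-]*) return 2 ;; esac
  grep -q -- '--pod-infra-container-image=' "$file" || return 1
  [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
  # [^" ]* consumes the old reference up to the closing quote or a space.
  new=$(sed "s#\(--pod-infra-container-image=\)[^\" ]*#\1${image}#" "$file") || return 1
  printf '%s\n' "$new" > "$file"
}

# get_pod_infra_image FILE -> prints the configured image reference
get_pod_infra_image() {
  sed -n 's#.*--pod-infra-container-image=\([^" ]*\).*#\1#p' "$1"
}

# demo: works on a constructed copy, never on the live file
demo() {
  local tmp; tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
KUBELET_HOSTNAME="--hostname-override=kube-node-2"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
EOF
  set_pod_infra_image "$tmp" "10.2.7.70:5000/dev/pod-infrastructure:v1"
  get_pod_infra_image "$tmp"
  rm -f "$tmp" "$tmp.orig"
}

demo
```

Running get_pod_infra_image against /etc/kubernetes/kubelet on each worker before the restart confirms that every node points at the same reference.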

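Notes:

  • The uploaded image must be set to public, otherwise kubelet itself has no permission to pull it. Alternatively, ssh into the worker node, log in to the registry, and run docker pull <private-registry pod-infrastructure image tag>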

Final result: [screenshot from the original post, not preserved]

References

https://github.com/CentOS/sig-atomic-buildscripts/issues/329
https://cloud.tencent.com/developer/article/1156329

This article is licensed under CC BY 4.0; when reposting, please credit the author and the source.
https://www.cnblogs.com/hellxz/p/k8s-pod-always-container-creating-status-problem.html
