ClickHouse initialization

Overall, ClickHouse's DDL operations are very similar to MySQL's, for example use database_name, create user ... identified by '', and so on.

server

docker run

Start the ClickHouse service:

```
docker run -d --name clickhouse-server -p 8123:8123 -p 9000:9000 --ulimit nofile=262144:262144 yandex/clickhouse-server:21.8.10.19
```

default user privileges

By default, the default user cannot add new users. You need to change the default user's privileges, otherwise you get the error Code: 497. DB::Exception: Received from localhost:9000. DB::Exception: default: Not enough privileges. To execute this query it's necessary to have the grant CREATE USER ON *.*. :

```
docker exec -it clickhouse-server bash
apt update -y
apt install vim
vi /etc/clickhouse-server/users.xml
# update <access_management>1</access_management>
exit
docker restart clickhouse-server
```

...

November 22, 2021 · datewu

Certificate problem

While debugging a container with docker run, it reported the x509 certificate error shown below. At first I suspected a problem with the container network (--network host):

```
[deoops@dev-3 ~]# docker run --network host datewu/controller:v0.0.2
{"level":"panic","error":"Get https://google.com: x509: certificate signed by unknown authority","time":1555498448,"message":"get max item failed"}
panic: get max item failed

goroutine 26 [running]:
github.com/rs/zerolog.(*Logger).Panic.func1(0x7773e9, 0x13)
	/Users/deoops/go/pkg/mod/github.com/rs/[email protected]/log.go:307 +0x4f
github.com/rs/zerolog.(*Event).msg(0xc00012e8a0, 0x7773e9, 0x13)
	/Users/deoops/go/pkg/mod/github.com/rs/[email protected]/event.go:141 +0x1c1
github.com/rs/zerolog.(*Event).Msg(...)
	/Users/deoops/go/pkg/mod/github.com/rs/[email protected]/event.go:105
main.catchUp()
	/Users/deoops/github/controller/work.go:69 +0x326
main.populate(0xc000114000)
	/Users/deoops/github/controller/worker.go:10 +0x26
created by main.initWork
	/Users/deoops/github/controller/work.go:84 +0x7f
```

The error message roughly says that the client cannot recognize Google's HTTPS certificate; it may be a problem with the alpine base image.

...

September 12, 2019 · datewu

Pod Lifecycle Event Generator

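PLEG

If you are not familiar with PLEG (Pod Lifecycle Event Generator), you can first read the article What is PLEG?. It gives a detailed introduction to what PLEG is and to the common unhealthy problems.

cni

When the k8s CNI plugin performs poorly and there are many pods on the node (more than 80), we often run into PLEG errors:

```
PLEG is not healthy: pleg was last seen active 6m55.488150776s ago; threshold is 3m0s
```

While debugging the kuryr CNI, I found that when the OpenStack neutron service is under heavy load, the latency of the CNI requesting and releasing ports increases accordingly. This causes a large number of invalid netns to pile up on the virtual machine, and then you hit the docker hang caused by kubelet PLEG not healthy.

docker

Restarting docker and kubelet temporarily resolves PLEG unhealthy.

```
systemctl restart docker
systemctl restart kubelet
# do NOT use `docker rm -vf`,
# which will kill running containers
docker rm -v `docker ps -qa`
```

It is recommended to also change the kubelet startup parameter --housekeeping-interval=30s

...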

February 11, 2019 · datewu

Auditing a directory

While debugging a containerized application today, I found that after the app had run for a while, a volume mounted from outside the container would occasionally get deleted. So I needed to monitor who, or which process, was deleting the directory.

After googling for a while, I found that the auditd service can be used to monitor and search for which processes have operated on the target file/directory.

The whole process has 3 steps:

1. Start the auditd service;
2. Configure the auditd service with auditctl;
3. After some time, use ausearch to view/search the audit log.

Start monitoring

Start the auditd service:

```
systemctl start auditd
## you may need `mkdir /var/log/audit`
```

Add watch rules

Edit the audit rules:

```
## list existing rules
auditctl -l

## clean existing rules
auditctl -D

## watch /var/run/yourfolder
auditctl -w /var/run/yourfolder -p war -k serachkey
```

auditctl syntax

```
[root@ddeoops ~]# auditctl -h
usage: auditctl [options]
    -a <l,a>            Append rule to end of <l>ist with <a>ction
    -A <l,a>            Add rule at beginning of <l>ist with <a>ction
    -b <backlog>        Set max number of outstanding audit buffers
                        allowed Default=64
    -c                  Continue through errors in rules
    -C f=f              Compare collected fields if available:
                        Field name, operator(=,!=), field name
    -d <l,a>            Delete rule from <l>ist with <a>ction
                        l=task,exit,user,exclude
                        a=never,always
    -D                  Delete all rules and watches
    -e [0..2]           Set enabled flag
    -f [0..2]           Set failure flag
                        0=silent 1=printk 2=panic
    -F f=v              Build rule: field name, operator(=,!=,<,>,<=,
                        >=,&,&=) value
    -h                  Help
    -i                  Ignore errors when reading rules from file
    -k <key>            Set filter key on audit rule
    -l                  List rules
    -m text             Send a user-space message
    -p [r|w|x|a]        Set permissions filter on watch
                        r=read, w=write, x=execute, a=attribute
    -q <mount,subtree>  make subtree part of mount point's dir watches
    -r <rate>           Set limit in messages/sec (0=none)
    -R <file>           read rules from file
    -s                  Report status
    -S syscall          Build rule: syscall name or number
    -t                  Trim directory watches
    -v                  Version
    -w <path>           Insert watch at <path>
    -W <path>           Remove watch at <path>
    --loginuid-immutable  Make loginuids unchangeable once set
    --reset-lost         Reset the lost record counter
```

Analyze the logs

View/search the audit log:

...

June 20, 2018 · datewu