{"id":299530,"date":"2020-03-02T09:00:20","date_gmt":"2020-03-02T09:00:20","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=299530"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=299530","title":{"rendered":"\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c Kata Containers \u0432 Kubernetes"},"content":{"rendered":"\n<div class=\"post__text post__text-html\" id=\"post-content-body\" data-io-article-url=\"https:\/\/habr.com\/ru\/company\/southbridge\/blog\/490648\/\">\n<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/webt\/6g\/du\/nj\/6gdunj0e_gtz-p-4vu9xladlf5k.jpeg\"><\/p>\n<p>  <\/p>\n<p>\u0414\u0430\u043d\u043d\u0430\u044f \u0441\u0442\u0430\u0442\u044c\u044f \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0435\u0442 <a href=\"https:\/\/habr.com\/ru\/company\/southbridge\/blog\/489940\/\">\u0442\u0435\u043c\u0443 \u0441 Kata Containers<\/a>, \u043f\u043e\u0434\u043d\u044f\u0442\u0443\u044e \u0432 \u043f\u0440\u043e\u0448\u043b\u044b\u0439 \u0440\u0430\u0437. \u0421\u0435\u0433\u043e\u0434\u043d\u044f \u044f \u0431\u0443\u0434\u0443 \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0442\u044c Kubernetes \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 Kata Containers.<\/p>\n<p><a name=\"habracut\"><\/a>  <\/p>\n<p>\u041d\u0430\u0447\u0438\u043d\u0430\u044f \u0441 Kubernetes 1.12 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c <code>RuntimeClass<\/code>, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u043c\u043e\u0436\u043d\u043e \u0432\u044b\u0431\u0440\u0430\u0442\u044c \u0441\u0440\u0435\u0434\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430. 
\u0414\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.12 Kubernetes \u043d\u0435 \u0437\u043d\u0430\u043b \u043e \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0441\u0440\u0435\u0434\u0430\u0445 \u0438\u0441\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f, \u043d\u043e \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u043b\u0430 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u044c \u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 pod&#8217;\u043e\u0432 (\u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c\u044b\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e runc) \u0438 \u043d\u0435 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 (\u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c\u044b\u0435, \u043a \u043f\u0440\u0438\u043c\u0435\u0440\u0443, \u0432 \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u0435, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 \u0442\u0435 \u0436\u0435 Kata Containers). 
\u0420\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0435 \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 CRI (CRI-O, containerd, \u043e\u0431\u0430 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u044e\u0442\u0441\u044f Kata Containers) \u0431\u044b\u043b\u0438 \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u044b \u0434\u043b\u044f \u0442\u043e\u0433\u043e, \u0447\u0442\u043e\u0431\u044b \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u0438\u043c \u0442\u0440\u0435\u0431\u043e\u0432\u0430\u043d\u0438\u044f\u043c, \u0430 \u0434\u043b\u044f \u0442\u043e\u0433\u043e, \u0447\u0442\u043e\u0431\u044b \u0438\u0441\u043a\u043b\u044e\u0447\u0438\u0442\u044c \u0441\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0441 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0435\u0439, \u0438 \u0431\u044b\u043b \u043f\u0440\u0438\u043d\u044f\u0442 <code>RuntimeClass<\/code>. \u042d\u0442\u043e \u0434\u0430\u0435\u0442 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0434\u0430\u043d\u0438\u044f \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0441\u0440\u0435\u0434 \u0438\u0441\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0431\u0435\u0437 \u043c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432 CRI. 
<a href=\"https:\/\/asciinema.org\/a\/219790\">\u041f\u0440\u0438\u043c\u0435\u0440 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0438<\/a> \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 Vagrant + CRIO + Kata Containers<\/p>\n<p>  <\/p>\n<p>\u0412 \u044d\u0442\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 \u044f \u0431\u0443\u0434\u0443 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c containerd, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0443\u043c\u0435\u0435\u0442 \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u0442\u044c RuntimeClass \u043d\u0430\u0447\u0438\u043d\u0430\u044f \u0441 \u0432\u0435\u0440\u0441\u0438\u0438 1.2.0. \u041d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0442\u044c \u0431\u0443\u0434\u0435\u043c \u0442\u0440\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0430\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430 Centos 7.<\/p>\n<p>  <\/p>\n<p>\u041a\u0440\u0430\u0442\u043a\u043e \u043e\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u044e\u0441\u044c \u043d\u0430 Containerd Runtime V2, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0431\u044b\u043b \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d \u043d\u0430\u0447\u0438\u043d\u0430\u044f \u0441 Kata Containers 1.5.0, \u0440\u0430\u0437\u043d\u0438\u0446\u0443 \u043c\u0435\u0436\u0434\u0443 V1 \u0438 V2 \u043c\u043e\u0436\u043d\u043e \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u043d\u0430 \u0438\u0437\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u0438 \u043d\u0438\u0436\u0435.<\/p>\n<p>  <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/webt\/0s\/-7\/7q\/0s-77qdtz9qm9j38llhgwtbsjhe.jpeg\"><br \/>  <em>\u0410\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u0430 Kata Containers runtime v2 \u043f\u043e \u0441\u0440\u0430\u0432\u043d\u0435\u043d\u0438\u044e \u0441 
v1<\/em><\/p>\n<p>  <\/p>\n<p>\u041f\u0440\u043e\u0432\u043e\u0434\u0438\u043c \u0440\u0430\u0431\u043e\u0442\u0443 \u0441\u043e \u0432\u0441\u0435\u043c\u0438 \u0442\u0440\u0435\u043c\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438, \u0435\u0441\u043b\u0438 \u043d\u0435 \u0441\u043a\u0430\u0437\u0430\u043d\u043e \u0438\u043d\u0430\u0447\u0435, \u0438\u043c\u0435\u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 kata-node1, kata-node2, kata-node3.<\/p>\n<p>  <\/p>\n<h2 id=\"ustanovka\">\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430<\/h2>\n<p>  <\/p>\n<p>\u0423\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u043c Kata Containers \u043d\u0430 \u0447\u0438\u0441\u0442\u044b\u0439 \u0441\u0435\u0440\u0432\u0435\u0440 \u0441 Centos 7, \u0441\u0442\u0430\u0432\u0438\u043c \u0432\u0441\u0435 \u0430\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u043e <a href=\"https:\/\/habr.com\/ru\/company\/southbridge\/blog\/489940\/\">\u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0435\u0439 \u0441\u0442\u0430\u0442\u044c\u0435<\/a>. 
\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0443 Docker \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043d\u0435 \u043d\u0443\u0436\u043d\u043e.<\/p>\n<p>  <\/p>\n<p>\u0414\u0430\u043b\u0435\u0435 \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u043c \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0438 \u0434\u043b\u044f containerd:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># yum -y install unzip tar btrfs-progs libseccomp util-linux socat libselinux-python<\/code><\/pre>\n<p>  <\/p>\n<p>\u041a\u0430\u0447\u0430\u0435\u043c \u0438 \u0441\u0442\u0430\u0432\u0438\u043c containerd (\u043c\u043e\u0436\u043d\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0447\u0443\u0442\u044c \u0431\u043e\u043b\u0435\u0435 \u0441\u0442\u0430\u0440\u0443\u044e \u0432\u0435\u0440\u0441\u0438\u044e \u0438\u0437 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f docker, \u043d\u0430\u0434\u043e 1.2.0+ \u2014 \u0432 \u043f\u0440\u0438\u043d\u0446\u0438\u043f\u0435 \u0434\u043e\u043b\u0436\u043d\u043e \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0442\u043e\u0436\u0435, \u043d\u043e \u044f \u043d\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u043b):<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># VERSION=1.3.3 # curl https:\/\/storage.googleapis.com\/cri-containerd-release\/cri-containerd-${VERSION}.linux-amd64.tar.gz -o cri-containerd-${VERSION}.linux-amd64.tar.gz # curl https:\/\/storage.googleapis.com\/cri-containerd-release\/cri-containerd-${VERSION}.linux-amd64.tar.gz.sha256 # sha256sum cri-containerd-${VERSION}.linux-amd64.tar.gz # \u0441\u0440\u0430\u0432\u043d\u0438\u0432\u0430\u0435\u043c \u0441 \u0432\u044b\u0432\u043e\u0434\u043e\u043c \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0435\u0439 \u043a\u043e\u043c\u0430\u043d\u0434\u044b, \u0435\u0441\u043b\u0438 \u0432\u0441\u0435 \u043e\u043a - \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0438\u043c \u043d\u0430 
\u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u0441\u0442\u0440\u043e\u0447\u043a\u0443 # tar --no-overwrite-dir -C \/ -xzvf cri-containerd-${VERSION}.linux-amd64.tar.gz # systemctl daemon-reload &amp;&amp; systemctl start containerd<\/code><\/pre>\n<p>  <\/p>\n<p>\u0421\u0442\u0430\u0432\u0438\u043c \u043f\u0430\u043a\u0435\u0442\u044b \u0434\u043b\u044f k8s:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># cat &lt;&lt;EOF &gt; \/etc\/yum.repos.d\/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https:\/\/packages.cloud.google.com\/yum\/repos\/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https:\/\/packages.cloud.google.com\/yum\/doc\/yum-key.gpg https:\/\/packages.cloud.google.com\/yum\/doc\/rpm-package-key.gpg EOF # yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes # systemctl enable --now kubelet<\/code><\/pre>\n<p>  <\/p>\n<h2 id=\"nastroyka-containerd\">\u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 containerd<\/h2>\n<p>  <\/p>\n<p>\u0421\u043e\u0437\u0434\u0430\u0435\u043c \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b \u0434\u043b\u044f containerd:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\">mkdir -p \/etc\/containerd containerd config default &gt; \/etc\/containerd\/config.toml<\/code><\/pre>\n<p>  <\/p>\n<p>\u041f\u043e\u0434\u043a\u043b\u044e\u0447\u0430\u0435\u043c Kata Containers \u0432 containerd, \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0432 \u0441\u0435\u043a\u0446\u0438\u0438 <code>[plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.untrusted_workload_runtime]<\/code> \u0432\u044b\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 <code>runtime_type<\/code> \u0432 <code>&quot;io.containerd.kata.v2&quot;<\/code>, \u043f\u043e\u0441\u043b\u0435 \u0441\u0435\u043a\u0446\u0438\u0438 
<code>[plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes]<\/code> \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u0441\u0435\u043a\u0446\u0438\u0438:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\">      [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.kata]          runtime_type = &quot;io.containerd.kata.v2&quot;          [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.kata.options]            ConfigPath = &quot;\/etc\/kata-containers\/config.toml&quot;       [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.katacli]          runtime_type = &quot;io.containerd.runc.v1&quot;          [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.katacli.options]            NoPivotRoot = false            NoNewKeyring = false            ShimCgroup = &quot;&quot;            IoUid = 0            IoGid = 0            BinaryName = &quot;\/usr\/bin\/kata-runtime&quot;            Root = &quot;&quot;            CriuPath = &quot;&quot;            SystemdCgroup = false<\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">\u041f\u0440\u0438\u043c\u0435\u0440 \u043f\u043e\u043b\u043d\u043e\u0433\u043e \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"plaintext\">version = 2 root = &quot;\/var\/lib\/containerd&quot; state = &quot;\/run\/containerd&quot; plugin_dir = &quot;&quot; disabled_plugins = [] required_plugins = [] oom_score = 0  [grpc]   address = &quot;\/run\/containerd\/containerd.sock&quot;   tcp_address = &quot;&quot;   tcp_tls_cert = &quot;&quot;   tcp_tls_key = &quot;&quot;   uid = 0   gid = 0   max_recv_message_size = 16777216   max_send_message_size = 16777216  [ttrpc]   address = &quot;&quot;   uid = 0   gid = 0  [debug]   address = &quot;&quot;   uid = 0   
gid = 0   level = &quot;&quot;  [metrics]   address = &quot;&quot;   grpc_histogram = false  [cgroup]   path = &quot;&quot;  [timeouts]   &quot;io.containerd.timeout.shim.cleanup&quot; = &quot;5s&quot;   &quot;io.containerd.timeout.shim.load&quot; = &quot;5s&quot;   &quot;io.containerd.timeout.shim.shutdown&quot; = &quot;3s&quot;   &quot;io.containerd.timeout.task.state&quot; = &quot;2s&quot;  [plugins]   [plugins.&quot;io.containerd.gc.v1.scheduler&quot;]     pause_threshold = 0.02     deletion_threshold = 0     mutation_threshold = 100     schedule_delay = &quot;0s&quot;     startup_delay = &quot;100ms&quot;   [plugins.&quot;io.containerd.grpc.v1.cri&quot;]     disable_tcp_service = true     stream_server_address = &quot;127.0.0.1&quot;     stream_server_port = &quot;0&quot;     stream_idle_timeout = &quot;4h0m0s&quot;     enable_selinux = false     sandbox_image = &quot;k8s.gcr.io\/pause:3.1&quot;     stats_collect_period = 10     systemd_cgroup = false     enable_tls_streaming = false     max_container_log_line_size = 16384     disable_cgroup = false     disable_apparmor = false     restrict_oom_score_adj = false     max_concurrent_downloads = 3     disable_proc_mount = false     [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd]       snapshotter = &quot;overlayfs&quot;       default_runtime_name = &quot;runc&quot;       no_pivot = false       [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.default_runtime]         runtime_type = &quot;&quot;         runtime_engine = &quot;&quot;         runtime_root = &quot;&quot;         privileged_without_host_devices = false       [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.untrusted_workload_runtime]         runtime_type = &quot;io.containerd.kata.v2&quot;         runtime_engine = &quot;&quot;         runtime_root = &quot;&quot;         privileged_without_host_devices = false       [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes]         
[plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.runc]           runtime_type = &quot;io.containerd.runc.v1&quot;           runtime_engine = &quot;&quot;           runtime_root = &quot;&quot;           privileged_without_host_devices = false       [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.kata]          runtime_type = &quot;io.containerd.kata.v2&quot;          [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.kata.options]        ConfigPath = &quot;\/etc\/kata-containers\/config.toml&quot;       [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.katacli]          runtime_type = &quot;io.containerd.runc.v1&quot;          [plugins.&quot;io.containerd.grpc.v1.cri&quot;.containerd.runtimes.katacli.options]            NoPivotRoot = false            NoNewKeyring = false            ShimCgroup = &quot;&quot;            IoUid = 0            IoGid = 0            BinaryName = &quot;\/usr\/bin\/kata-runtime&quot;            Root = &quot;&quot;            CriuPath = &quot;&quot;            SystemdCgroup = false     [plugins.&quot;io.containerd.grpc.v1.cri&quot;.cni]       bin_dir = &quot;\/opt\/cni\/bin&quot;       conf_dir = &quot;\/etc\/cni\/net.d&quot;       max_conf_num = 1       conf_template = &quot;&quot;     [plugins.&quot;io.containerd.grpc.v1.cri&quot;.registry]       [plugins.&quot;io.containerd.grpc.v1.cri&quot;.registry.mirrors]         [plugins.&quot;io.containerd.grpc.v1.cri&quot;.registry.mirrors.&quot;docker.io&quot;]           endpoint = [&quot;https:\/\/registry-1.docker.io&quot;]     [plugins.&quot;io.containerd.grpc.v1.cri&quot;.x509_key_pair_streaming]       tls_cert_file = &quot;&quot;       tls_key_file = &quot;&quot;   [plugins.&quot;io.containerd.internal.v1.opt&quot;]     path = &quot;\/opt\/containerd&quot;   [plugins.&quot;io.containerd.internal.v1.restart&quot;]     interval = &quot;10s&quot;   [plugins.&quot;io.containerd.metadata.v1.bolt&quot;]     content_sharing_policy 
= &quot;shared&quot;   [plugins.&quot;io.containerd.monitor.v1.cgroups&quot;]     no_prometheus = false   [plugins.&quot;io.containerd.runtime.v1.linux&quot;]     shim = &quot;containerd-shim&quot;     runtime = &quot;runc&quot;     runtime_root = &quot;&quot;     no_shim = false     shim_debug = false   [plugins.&quot;io.containerd.runtime.v2.task&quot;]     platforms = [&quot;linux\/amd64&quot;]   [plugins.&quot;io.containerd.service.v1.diff-service&quot;]     default = [&quot;walking&quot;]   [plugins.&quot;io.containerd.snapshotter.v1.devmapper&quot;]     root_path = &quot;&quot;     pool_name = &quot;&quot;     base_image_size = &quot;&quot;<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  <\/p>\n<p>\u041f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c containerd:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># service containerd restart<\/code><\/pre>\n<p>  <\/p>\n<h2 id=\"proverka-containerd\">\u041f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 containerd<\/h2>\n<p>  <\/p>\n<p>\u0421\u043c\u043e\u0442\u0440\u0438\u043c, \u0447\u0442\u043e \u0432\u0441\u0435 \u0432\u0435\u0440\u043d\u043e \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0438\u043b\u0438:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># crictl version Version:  0.1.0 RuntimeName:  containerd RuntimeVersion:  v1.3.3 RuntimeApiVersion:  v1alpha2 <\/code><\/pre>\n<p>  <\/p>\n<p>\u0421\u043a\u0430\u0447\u0438\u0432\u0430\u0435\u043c \u043e\u0431\u0440\u0430\u0437 busybox \u0438 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c, \u0432\u0432\u043e\u0434\u0438\u043c \u043a\u043e\u043c\u0430\u043d\u0434\u0443 uname -a:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># uname -a Linux kata-node1 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU\/Linux # ctr image pull docker.io\/library\/busybox:latest docker.io\/library\/busybox:latest:                                                 resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a:    done           |++++++++++++++++++++++++++++++++++++++| manifest-sha256:edafc0a0fb057813850d1ba44014914ca02d671ae247107ca70c94db686e7de6: done           |++++++++++++++++++++++++++++++++++++++| layer-sha256:bdbbaa22dec6b7fe23106d2c1b1f43d9598cd8fc33706cc27c1d938ecd5bffc7:    done           |++++++++++++++++++++++++++++++++++++++| config-sha256:6d5fcfe5ff170471fcc3c8b47631d6d71202a1fd44cf3c147e50c8de21cf0648:   done           |++++++++++++++++++++++++++++++++++++++| elapsed: 2.8 s                                                                    total:  746.9  (266.5 KiB\/s) unpacking linux\/amd64 sha256:6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a... done # ctr run --runtime io.containerd.run.kata.v2 -t --rm docker.io\/library\/busybox:latest hello sh \/ # uname -a Linux clr-d8eb8b3fbe2e44a295900b931f3a11c3 4.19.86-6.1.container #1 SMP Thu Jan 1 00:00:00 UTC 1970 x86_64 GNU\/Linux<\/code><\/pre>\n<p>  <\/p>\n<h2 id=\"nastroyka-kubernetes\">\u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 Kubernetes<\/h2>\n<p>  <\/p>\n<p>\u041f\u043e\u0434\u043a\u043b\u044e\u0447\u0430\u0435\u043c containerd \u0432 k8s:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># echo &quot;KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=unix:\/\/\/run\/containerd\/containerd.sock&quot; &gt; \/etc\/sysconfig\/kubelet<\/code><\/pre>\n<p>  <\/p>\n<p>\u0421\u043e\u0437\u0434\u0430\u0435\u043c \u043a\u043b\u0430\u0441\u0442\u0435\u0440, \u043a\u043e\u043c\u0430\u043d\u0434\u0443 \u0432\u0432\u043e\u0434\u0438\u043c \u043d\u0430 kata-node1:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># kubeadm init W0302 07:30:35.064267   15873 validation.go:28] Cannot validate kube-proxy config - no validator is available W0302 07:30:35.064379   15873 validation.go:28] Cannot validate kubelet config - no validator is available [init] Using Kubernetes version: v1.17.3 
[preflight] Running pre-flight checks [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' [kubelet-start] Writing kubelet environment file with flags to file &quot;\/var\/lib\/kubelet\/kubeadm-flags.env&quot; [kubelet-start] Writing kubelet configuration to file &quot;\/var\/lib\/kubelet\/config.yaml&quot; [kubelet-start] Starting the kubelet [certs] Using certificateDir folder &quot;\/etc\/kubernetes\/pki&quot; [certs] Generating &quot;ca&quot; certificate and key [certs] Generating &quot;apiserver&quot; certificate and key [certs] apiserver serving cert is signed for DNS names [kata-node1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 XXXXXXXXX] [certs] Generating &quot;apiserver-kubelet-client&quot; certificate and key [certs] Generating &quot;front-proxy-ca&quot; certificate and key [certs] Generating &quot;front-proxy-client&quot; certificate and key [certs] Generating &quot;etcd\/ca&quot; certificate and key [certs] Generating &quot;etcd\/server&quot; certificate and key [certs] etcd\/server serving cert is signed for DNS names [kata-node1 localhost] and IPs [XXXXXXXXX 127.0.0.1 ::1] [certs] Generating &quot;etcd\/peer&quot; certificate and key [certs] etcd\/peer serving cert is signed for DNS names [kata-node1 localhost] and IPs [XXXXXXXXX 127.0.0.1 ::1] [certs] Generating &quot;etcd\/healthcheck-client&quot; certificate and key [certs] Generating &quot;apiserver-etcd-client&quot; certificate and key [certs] Generating &quot;sa&quot; key and public key [kubeconfig] Using kubeconfig folder &quot;\/etc\/kubernetes&quot; [kubeconfig] Writing &quot;admin.conf&quot; kubeconfig file [kubeconfig] Writing &quot;kubelet.conf&quot; kubeconfig file [kubeconfig] Writing 
&quot;controller-manager.conf&quot; kubeconfig file [kubeconfig] Writing &quot;scheduler.conf&quot; kubeconfig file [control-plane] Using manifest folder &quot;\/etc\/kubernetes\/manifests&quot; [control-plane] Creating static Pod manifest for &quot;kube-apiserver&quot; [control-plane] Creating static Pod manifest for &quot;kube-controller-manager&quot; W0302 07:30:38.966500   15873 manifests.go:214] the default kube-apiserver authorization-mode is &quot;Node,RBAC&quot;; using &quot;Node,RBAC&quot; [control-plane] Creating static Pod manifest for &quot;kube-scheduler&quot; W0302 07:30:38.968393   15873 manifests.go:214] the default kube-apiserver authorization-mode is &quot;Node,RBAC&quot;; using &quot;Node,RBAC&quot; [etcd] Creating static Pod manifest for local etcd in &quot;\/etc\/kubernetes\/manifests&quot; [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory &quot;\/etc\/kubernetes\/manifests&quot;. This can take up to 4m0s [apiclient] All control plane components are healthy after 15.502727 seconds [upload-config] Storing the configuration used in ConfigMap &quot;kubeadm-config&quot; in the &quot;kube-system&quot; Namespace [kubelet] Creating a ConfigMap &quot;kubelet-config-1.17&quot; in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. 
Please see --upload-certs [mark-control-plane] Marking the node kata-node1 as control-plane by adding the label &quot;node-role.kubernetes.io\/master=''&quot; [mark-control-plane] Marking the node kata-node1 as control-plane by adding the taints [node-role.kubernetes.io\/master:NoSchedule] [bootstrap-token] Using token: qrk86x.ue30l5fhydrdgkx2 [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the &quot;cluster-info&quot; ConfigMap in the &quot;kube-public&quot; namespace [kubelet-finalize] Updating &quot;\/etc\/kubernetes\/kubelet.conf&quot; to point to a rotatable kubelet client certificate and key [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy  Your Kubernetes control-plane has initialized successfully!  To start using your cluster, you need to run the following as a regular user:    mkdir -p $HOME\/.kube   sudo cp -i \/etc\/kubernetes\/admin.conf $HOME\/.kube\/config   sudo chown $(id -u):$(id -g) $HOME\/.kube\/config  You should now deploy a pod network to the cluster. 
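Run &quot;kubectl apply -f [podnetwork].yaml&quot; with one of the options listed at:   https:\/\/kubernetes.io\/docs\/concepts\/cluster-administration\/addons\/  Then you can join any number of worker nodes by running the following on each as root:  kubeadm join XXXXXXXXX:6443 --token qrk86x.ue30l5fhydrdgkx2 \\     --discovery-token-ca-cert-hash sha256:2364d351d6afbcc21b439719b6b00c9468e926a906eeb81d96061e15fdfb8f2e<\/code><\/pre>\n<p>  <\/p>\n<p>\u041f\u043e\u0434\u043a\u043b\u044e\u0447\u0430\u0435\u043c \u0441\u0435\u0442\u044c:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># export KUBECONFIG=\/etc\/kubernetes\/admin.conf # kubectl apply -f https:\/\/raw.githubusercontent.com\/coreos\/flannel\/master\/Documentation\/kube-flannel.yml podsecuritypolicy.policy\/psp.flannel.unprivileged created clusterrole.rbac.authorization.k8s.io\/flannel created clusterrolebinding.rbac.authorization.k8s.io\/flannel created serviceaccount\/flannel created configmap\/kube-flannel-cfg created daemonset.apps\/kube-flannel-ds-amd64 created daemonset.apps\/kube-flannel-ds-arm64 created daemonset.apps\/kube-flannel-ds-arm created daemonset.apps\/kube-flannel-ds-ppc64le created daemonset.apps\/kube-flannel-ds-s390x created<\/code><\/pre>\n<p>  <\/p>\n<p>\u041a\u043e\u043c\u0430\u043d\u0434\u0443 <code>kubeadm join<\/code> \u043a\u043e\u043f\u0438\u0440\u0443\u0435\u043c \u0441 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u043c\u0438 \u0438 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c \u043d\u0430 \u043e\u0441\u0442\u0430\u043b\u044c\u043d\u044b\u0445 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445. \u0422\u043e\u043a\u0435\u043d \u0438\u0437 \u044d\u0442\u043e\u0439 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043f\u0440\u0438\u0441\u043e\u0435\u0434\u0438\u043d\u0438\u0442\u044c \u0443\u0437\u0435\u043b \u043a \u043a\u043b\u0430\u0441\u0442\u0435\u0440\u0443, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0445\u0440\u0430\u043d\u0438\u043c \u0435\u0433\u043e \u043a\u0430\u043a \u0441\u0435\u043a\u0440\u0435\u0442; \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u043e\u043d \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u0435\u0442 24 \u0447\u0430\u0441\u0430, \u043d\u043e\u0432\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443 \u0432\u044b\u0434\u0430\u0435\u0442 <code>kubeadm token create --print-join-command<\/code>.<\/p>\n<p>  <\/p>\n<p>\u041a\u043e\u043f\u0438\u0440\u0443\u0435\u043c \u043a \u0441\u0435\u0431\u0435 \u0432 $HOME\/.kube\/config \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0444\u0430\u0439\u043b\u0430 \/etc\/kubernetes\/admin.conf \u0441 kata-node1; \u0432 \u044d\u0442\u043e\u043c \u0444\u0430\u0439\u043b\u0435 \u0443\u0447\u0435\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u0430 \u043a\u043b\u0430\u0441\u0442\u0435\u0440\u0430, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043d\u0435\u043c\u0443 \u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u0442\u043e\u043b\u044c\u043a\u043e \u0441\u0432\u043e\u0435\u043c\u0443 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e.<\/p>\n<p>  <\/p>\n<h2 id=\"proverka-kubernetes\">\u041f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 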
kubernetes<\/h2>\n<p>  <\/p>\n<p>\u041d\u0430 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0434\u043e\u043b\u0436\u0435\u043d \u0431\u044b\u0442\u044c \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d kubectl, \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0430\u044f \u0440\u0430\u0431\u043e\u0442\u0430 \u0431\u0443\u0434\u0435\u0442 \u0438\u043c\u0435\u043d\u043d\u043e \u0441 \u043d\u0438\u043c.<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\">$ kubectl get nodes NAME         STATUS   ROLES    AGE     VERSION kata-node1   Ready    master   12m45s  v1.17.3 kata-node2   Ready    node     3m12s   v1.17.3 kata-node3   Ready    node     4m56s   v1.17.3 $ kubectl get pods --all-namespaces NAMESPACE     NAME                                 READY   STATUS    RESTARTS   AGE kube-system   coredns-6955765f44-j7pd6             1\/1     Running   0          5m35s kube-system   coredns-6955765f44-w7h9w             1\/1     Running   0          5m35s kube-system   etcd-kata-node1                      1\/1     Running   0          5m49s kube-system   kube-apiserver-kata-node1            1\/1     Running   0          5m48s kube-system   kube-controller-manager-kata-node1   1\/1     Running   0          5m49s kube-system   kube-flannel-ds-amd64-g7wv2          1\/1     Running   0          3m26s kube-system   kube-proxy-k8mmb                     1\/1     Running   0          5m35s kube-system   kube-scheduler-kata-node1            1\/1     Running   0          5m48s<\/code><\/pre>\n<p>  <\/p>\n<p>\u041f\u0440\u043e\u0431\u0443\u0435\u043c \u0441\u043e\u0437\u0434\u0430\u0442\u044c untrusted \u0441\u0435\u0440\u0432\u0438\u0441 \u2014 pod \u0441 \u0430\u043d\u043d\u043e\u0442\u0430\u0446\u0438\u0435\u0439 <code>io.kubernetes.cri.untrusted-workload<\/code>, \u043f\u043e \u043a\u043e\u0442\u043e\u0440\u043e\u0439 containerd \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u0442 \u0435\u0433\u043e \u0447\u0435\u0440\u0435\u0437 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u0439 \u0432\u044b\u0448\u0435 <code>untrusted_workload_runtime<\/code>, \u0442\u043e \u0435\u0441\u0442\u044c \u0432 Kata Containers:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\">$ cat &lt;&lt; EOT | tee nginx-untrusted.yaml apiVersion: v1 kind: Pod metadata:   name: nginx-untrusted   annotations:     io.kubernetes.cri.untrusted-workload: &quot;true&quot; spec:   containers:   - name: nginx     image: nginx  EOT $ kubectl 
apply -f nginx-untrusted.yaml pod\/nginx-untrusted created $ kubectl get pods NAME              READY   STATUS    RESTARTS   AGE nginx-untrusted   1\/1     Running   0          31s<\/code><\/pre>\n<p>  <\/p>\n<p>\u0421\u043c\u043e\u0442\u0440\u0438\u043c \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445, \u043f\u043e\u044f\u0432\u0438\u043b\u0441\u044f \u043b\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u043e\u0442 Kata Containers:<\/p>\n<p>  <\/p>\n<pre><code class=\"plaintext\"># ps aux | grep qemu root      5814  2.0  0.4 2871472 145096 ?      Sl   07:51   0:00 \/usr\/bin\/qemu-vanilla-system-x86_64 -name sandbox-11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e -uuid a7395bac-0a2c-4a16-b931-2fd181f3978e -machine pc,accel=kvm,kernel_irqchip,nvdimm -cpu host -qmp unix:\/run\/vc\/vm\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/qmp.sock,server,nowait -m 2048M,slots=10,maxmem=32725M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=false,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=\/run\/vc\/vm\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/console.sock,server,nowait -device nvdimm,id=nv0,memdev=mem0 -object memory-backend-file,id=mem0,mem-path=\/usr\/share\/kata-containers\/kata-containers-image_clearlinux_1.10.1_agent_599ef22499.img,size=134217728 -device virtio-scsi-pci,id=scsi0,disable-modern=false,romfile= -object rng-random,id=rng0,filename=\/dev\/urandom -device virtio-rng,rng=rng0,romfile= -device virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev socket,id=charch0,path=\/run\/vc\/vm\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/kata.sock,server,nowait -device virtio-9p-pci,disable-modern=false,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= -fsdev 
local,id=extra-9p-kataShared,path=\/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e,security_model=none -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device driver=virtio-net-pci,netdev=network-0,mac=f2:dc:cf:85:fa:39,disable-modern=false,mq=on,vectors=4,romfile= -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -object memory-backend-ram,id=dimm1,size=2048M -numa node,memdev=dimm1 -kernel \/usr\/share\/kata-containers\/vmlinuz-4.19.86.60-6.1.container -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=\/dev\/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 quiet systemd.show_status=false panic=1 nr_cpus=8 agent.use_vsock=false systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket -pidfile \/run\/vc\/vm\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/pid -smp 1,cores=1,threads=1,sockets=8,maxcpus=8 # mount | grep 11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e shm on \/run\/containerd\/io.containerd.grpc.v1.cri\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k) overlay on \/run\/containerd\/io.containerd.runtime.v2.task\/k8s.io\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/rootfs type overlay (rw,relatime,lowerdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/14\/fs,upperdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2586\/fs,workdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2586\/work) overlay on 
\/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/rootfs type overlay (rw,relatime,lowerdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/14\/fs,upperdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2586\/fs,workdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2586\/work) overlay on \/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/58a6261df753edd9be35f41db0ba901489198359bdbd9541ab7c7247f46a76b7\/rootfs type overlay (rw,relatime,lowerdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2589\/fs:\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2588\/fs:\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2587\/fs,upperdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2590\/fs,workdir=\/var\/lib\/containerd\/io.containerd.snapshotter.v1.overlayfs\/snapshots\/2590\/work) \/dev\/mapper\/vg0-root on \/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/58a6261df753edd9be35f41db0ba901489198359bdbd9541ab7c7247f46a76b7-2d597d0df0adc62b-hosts type ext4 (rw,relatime,data=ordered) \/dev\/mapper\/vg0-root on \/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/58a6261df753edd9be35f41db0ba901489198359bdbd9541ab7c7247f46a76b7-86eb496cb8644f03-termination-log type ext4 (rw,relatime,data=ordered) \/dev\/mapper\/vg0-root on \/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/58a6261df753edd9be35f41db0ba901489198359bdbd9541ab7c7247f46a76b7-4d8cdf8b39958670-hostname type ext4 (rw,relatime,data=ordered) \/dev\/mapper\/vg0-root on 
\/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/58a6261df753edd9be35f41db0ba901489198359bdbd9541ab7c7247f46a76b7-20f62afd0d08f52d-resolv.conf type ext4 (rw,relatime,data=ordered) tmpfs on \/run\/kata-containers\/shared\/sandboxes\/11b2a0d00fb1948c379aad0d599ce74e1c0be6183bac43e19448401f2bc5b91e\/58a6261df753edd9be35f41db0ba901489198359bdbd9541ab7c7247f46a76b7-1af9d7ef02716752-serviceaccount type tmpfs (rw,relatime) <\/code><\/pre>\n<p>  <\/p>\n<h2 id=\"vyvody\">\u0412\u044b\u0432\u043e\u0434\u044b<\/h2>\n<p>  <\/p>\n<p>Kata Containers \u044f\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u0432\u0430\u0436\u043d\u0435\u0439\u0448\u0438\u043c \u044d\u0442\u0430\u043f\u043e\u043c \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f \u043e\u0431\u043b\u0430\u0447\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439, \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u043c\u0430\u0448\u0438\u043d \u0432\u043c\u0435\u0441\u0442\u0435 \u0441\u043e \u0441\u043a\u043e\u0440\u043e\u0441\u0442\u044c\u044e \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432. 
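\u0422\u0430\u043a\u0436\u0435 \u043c\u043e\u0436\u043d\u043e \u0431\u0435\u0437 \u043e\u0441\u043e\u0431\u044b\u0445 \u0437\u0430\u0442\u0440\u0430\u0442 \u043f\u0435\u0440\u0435\u0439\u0442\u0438 \u043d\u0430 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 Kata Containers \u0432 Kubernetes, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u0431\u0435\u0441\u0448\u043e\u0432\u043d\u0430\u044f \u043c\u0438\u0433\u0440\u0430\u0446\u0438\u044f \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432 \u0431\u043b\u0430\u0433\u043e\u0434\u0430\u0440\u044f \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u0438\u0437\u0430\u0446\u0438\u0438. \u041f\u0440\u0438 \u044d\u0442\u043e\u043c \u0438\u0437\u043e\u043b\u044f\u0446\u0438\u044f \u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u0435 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u044b \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u0435\u0442 \u0442\u043e\u043b\u044c\u043a\u043e \u0434\u043b\u044f pod&#8217;\u043e\u0432, \u0440\u0435\u0430\u043b\u044c\u043d\u043e \u0437\u0430\u043f\u0443\u0449\u0435\u043d\u043d\u044b\u0445 \u0447\u0435\u0440\u0435\u0437 Kata Containers, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0441\u0442\u043e\u0438\u0442 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0442\u044c \u043d\u0430 \u0443\u0437\u043b\u0435 \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 qemu, \u043a\u0430\u043a \u043f\u043e\u043a\u0430\u0437\u0430\u043d\u043e \u0432\u044b\u0448\u0435.<\/p>\n<\/div>\n<p> \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 <a href=\"https:\/\/habr.com\/ru\/company\/southbridge\/blog\/490648\/\"> https:\/\/habr.com\/ru\/company\/southbridge\/blog\/490648\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\n<div class=\"post__text post__text-html\" id=\"post-content-body\" data-io-article-url=\"https:\/\/habr.com\/ru\/company\/southbridge\/blog\/490648\/\">\n<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/webt\/6g\/du\/nj\/6gdunj0e_gtz-p-4vu9xladlf5k.jpeg\"><\/p>\n<p>  <\/p>\n<p>\u0414\u0430\u043d\u043d\u0430\u044f \u0441\u0442\u0430\u0442\u044c\u044f \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0435\u0442 <a href=\"https:\/\/habr.com\/ru\/company\/southbridge\/blog\/489940\/\">\u0442\u0435\u043c\u0443 \u0441 Kata Containers<\/a>, \u043f\u043e\u0434\u043d\u044f\u0442\u0443\u044e \u0432 \u043f\u0440\u043e\u0448\u043b\u044b\u0439 \u0440\u0430\u0437. 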
\u0421\u0435\u0433\u043e\u0434\u043d\u044f \u044f \u0431\u0443\u0434\u0443 \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0442\u044c Kubernetes \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 Kata Containers.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-299530","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/299530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=299530"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/299530\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=299530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=299530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=299530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}