? Secret創(chuàng)建完成后����,我們將用戶明文密碼從Deployment去除,采用環(huán)境變量方式引用Secret數(shù)據(jù)��,參見如下Yaml修改�����,做了3個(gè)調(diào)整:
鏡像初始化時(shí)自動(dòng)創(chuàng)建MYSQL_DATABASE環(huán)境變量1設(shè)置的數(shù)據(jù)庫(kù)���;
鏡像初始化時(shí)將MYSQL_DATABASE數(shù)據(jù)庫(kù)賦予MYSQL_USER用戶����;
root用戶及MYSQL_USER用戶����,其密碼均通過(guò)secretKeyRef從secret獲取;
spec:
...
containers:
- image: mysql
name: mysql
imagePullPolicy: IfNotPresent
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-user-pwd
key: mysql-root-pwd
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-user-pwd
key: mysql-app-user-pwd
- name: MYSQL_USER
value: app
- name: MYSQL_DATABASE
value: appdb
容器健康檢查
? K8S鏡像控制器可通過(guò)livenessProbe判斷容器是否異常��,進(jìn)而決定是否重建容器�����;而Service服務(wù)可通過(guò)readinessProbe判斷容器服務(wù)是否正常�����,從而確保服務(wù)可用性��。
? 本例�����,作者配置的livenessProbe與readinessProbe是一樣的����,即連續(xù)3次查詢數(shù)據(jù)庫(kù)失敗��,則定義為異常��。對(duì)livenessProbe與readinessProbe詳細(xì)用法���,不在本文的討論范圍內(nèi)����,可參考K8S官方文檔:
Configure Liveness and Readiness Probes
Pod Lifecycle
spec:
containers:
- image: mysql
...
livenessProbe:
exec:
command:
- /bin/sh
- "-c"
- MYSQL_PWD="${MYSQL_ROOT_PASSWORD}"
- mysql -h 127.0.0.1 -u root -e "SELECT 1"
initialDelaySeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 3
readinessProbe:
exec:
command:
- /bin/sh
- "-c"
- MYSQL_PWD="${MYSQL_ROOT_PASSWORD}"
- mysql -h 127.0.0.1 -u root -e "SELECT 1"
initialDelaySeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
...
容器初始化
假設(shè),我們有這樣的需求:“初始部署MySQL時(shí)��,其已包應(yīng)用所需的數(shù)據(jù)庫(kù)����、用戶、權(quán)限���、表結(jié)構(gòu)與數(shù)據(jù)”���。研究MySQL官方鏡像的Dockerfile可知,數(shù)據(jù)庫(kù)初始化時(shí)將自動(dòng)執(zhí)行目錄/docker-entrypoint-initdb.d內(nèi)的.sh���、.sql���、.sql.gz文件,鑒于此�����,我們可有如下兩種方法:
基于官方鏡像重新編寫Dockerfile,將腳本copy到新鏡像/docker-entrypoint-initdb.d目錄���,因需編譯新鏡像��,故此方法不靈活����;
初始化容器(initContainers)在常規(guī)容器(containers)前運(yùn)行���,故在初始化容器中可將腳本拷貝到共享目錄����,而后MySQL鏡像掛載此目錄到/docker-entrypoint-initdb.d�����,此方法靈活�。
本例����,作者采用初始化容器方案,功能如下:
初始化與常規(guī)容器共享名為mysql-initdb的emptyDir�,均被掛載到/docker-entrypoint-initdb.d目錄;
初始化容器將.sql文件置于共享的/docker-entrypoint-initdb.d目錄,其含初始化testdb與appdb數(shù)據(jù)庫(kù)�����;
為了避免MySQL數(shù)據(jù)庫(kù)目錄內(nèi)的lost+found目錄被誤認(rèn)為是數(shù)據(jù)庫(kù)���,初始化容器中將其刪除�����;
spec:
initContainers:
- name: mysql-init
image: busybox
imagePullPolicy: IfNotPresent
env:
- name: MYSQL_TEST_USER_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-user-pwd
key: mysql-test-user-pwd
command:
- sh
- "-c"
- |
set -ex
rm -fr /var/lib/mysql/lost+found
cat > /docker-entrypoint-initdb.d/mysql-testdb-init.sql < /docker-entrypoint-initdb.d/mysql-appdb-init.sql <
完整Deployment
? 通過(guò)如上多步調(diào)整�����,MySQL數(shù)據(jù)庫(kù)的Deplyment如下所示:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: mysql
name: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
template:
metadata:
labels:
app: mysql
spec:
initContainers:
- name: mysql-init
image: busybox
imagePullPolicy: IfNotPresent
env:
- name: MYSQL_TEST_USER_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-user-pwd
key: mysql-test-user-pwd
command:
- sh
- "-c"
- |
set -ex
rm -fr /var/lib/mysql/lost+found
cat > /docker-entrypoint-initdb.d/mysql-testdb-init.sql < /docker-entrypoint-initdb.d/mysql-appdb-init.sql <
創(chuàng)建此Deployment后����,我們有如下組件:
# kubectl get all,pvc,cm,secret
# MySQL Deployment:
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deploy/mysql 1 1 1 1 1m
# RS被Deployment調(diào)用����,其是自動(dòng)生成的
NAME DESIRED CURRENT READY AGE
rs/mysql-998977cdd 1 1 1 1m
# Pod:
NAME READY STATUS RESTARTS AGE
po/mysql-998977cdd-v2ks2 1/1 Running 1 1m
# Service:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc/mysql NodePort 172.30.3.200 3306:30006/TCP 8h
# Pvc:
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
pvc/mysql Bound pvc-fe.. 1Gi ROX glusterfs-raid0 2m
# Configmap:
NAME DATA AGE
cm/mysql-config 1 6h
# Secret:
NAME TYPE DATA AGE
secrets/mysql-user-pwd Opaque 3 1h
定期自動(dòng)備份
? 考慮到數(shù)據(jù)安全性,我們定期備份數(shù)據(jù)庫(kù)���,在K8S集群中���,我們可配置CronJob實(shí)現(xiàn)自動(dòng)備份作業(yè)��。首先�,創(chuàng)建一個(gè)持久化存儲(chǔ)供備份用:
# kubectl create -f - <
? 繼而�����,配置實(shí)際的自動(dòng)化作業(yè)任務(wù)�,如下所示,每天凌晨0點(diǎn)將使用mysqldump備份appdb數(shù)據(jù)庫(kù)�。
# kubectl create -f - < /mysql-backup/mysql-`date +"%Y%m%d"`.sql
volumeMounts:
- name: mysql-backup
mountPath: /mysql-backup
restartPolicy: OnFailure
volumes:
- name: mysql-backup
persistentVolumeClaim:
claimName: mysql-backup
EOF
結(jié)束語(yǔ)
? 本文揉合K8S多項(xiàng)技術(shù),構(gòu)建了一個(gè)復(fù)雜且可做生產(chǎn)使用的范例�����,當(dāng)然�,此庫(kù)是單實(shí)例數(shù)據(jù)庫(kù),倘若需構(gòu)建數(shù)據(jù)庫(kù)高可用方案���,需部署如MySQL HA、PXC集群��,其中自動(dòng)作業(yè)備份范例僅使用mysqldump備份��,在生產(chǎn)環(huán)境不是很實(shí)用,我們需要考慮使用xtrabackup備份以及mysqlbinlog備份日志���。
參見docker-entrypoint.sh�。 ?
