livenessprobe failed with EOF (nginx container)
I have a container running nginx, and it listens on port 443 of the pod id. It runs fine by itself; however, if I specify a liveness probe, the probe fails with
5m54s Warning Unhealthy Pod Liveness probe failed: Get https://192.168.2.243:443/: EOF
Can someone please point out what I have done wrong? Thanks.
When it is running without the liveness probe:
root@ip-192-168-2-243:/etc/nginx# netstat -tupln | grep 443
tcp 0 0 192.168.2.243:1443 0.0.0.0:* LISTEN -
tcp 0 0 192.168.2.243:443 0.0.0.0:* LISTEN 7/nginx: master pro
root@ip-192-168-2-243:/# telnet 192.168.2.243 443
Trying 192.168.2.243...
Connected to 192.168.2.243.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@ip-192-168-2-243:/# curl https://192.168.2.243
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
Probe declaration:
livenessProbe:
  initialDelaySeconds: 10
  timeoutSeconds: 4
  failureThreshold: 3
  httpGet:
    scheme: HTTPS
    port: 443
Nginx split client declaration:
split_clients "${remote_addr}AAA" $localips {
    * 192.168.2.243;
}
Events:
skwok-mbp:kubernetes skwok$ kubectl get event -w
LAST SEEN TYPE REASON OBJECT MESSAGE
7s Normal SuccessfulDelete statefulset/mnsvr delete Pod mnsvr-0 in StatefulSet mnsvr successful
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-proxy:Need to kill Pod
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-node0:Need to kill Pod
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-node1:Need to kill Pod
0s Normal SuccessfulCreate statefulset/mnsvr create Pod mnsvr-0 in StatefulSet mnsvr successful
0s Normal Scheduled pod/mnsvr-0 Successfully assigned staging/mnsvr-0 to ip-192-168-2-243.us-west-2.compute.internal
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr:1.1" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr:1.1" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-proxy:Container failed liveness probe.. Container will be killed and recreated.
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Normal Killing pod/mnsvr-0 Killing container with id docker://mnsvr-proxy:Container failed liveness probe.. Container will be killed and recreated.
0s Normal Pulled pod/mnsvr-0 Container image "171421899218.dkr.ecr.us-west-2.amazonaws.com/mnsvr-proxy:0.96" already present on machine
0s Normal Created pod/mnsvr-0 Created container
0s Normal Started pod/mnsvr-0 Started container
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning Unhealthy pod/mnsvr-0 Liveness probe failed: Get https://192.168.2.243:443/: EOF
0s Warning BackOff pod/mnsvr-0 Back-off restarting failed container
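I think the EOF is a symptom of a TLS handshake issue. I'm currently seeing the same.
Some versions of curl can produce a similar result. A workaround for curl seems to be to use --tls-max 1.2.
My current suspicion is that the client (the probe) is trying to negotiate TLS 1.3 with the server but failing (probably due to ciphers). I'm trying to see if we can configure the k8s probes to use TLS 1.2 instead. Alternatively, we could turn off TLS 1.3 on the server side. In your case, that's on nginx. In my case, I have a jetty 9.4 server with JDK 11.0.6.
Another option might be to upgrade k8s. We seem to see this in a k8s v1.15 cluster, but not in a k8s v1.16.2 cluster. But I'm not sure whether that is due to the k8s version or the underlying OS libraries (in my case CentOS 7).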
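One way to test the TLS-version hypothesis from the answer above, as an added example that is not code from the original thread: the Python sketch below attempts one handshake per pinned TLS version, without certificate verification (as the kubelet's HTTPS probe does), and reports which version ends in EOF. The function names and the local listener that closes after reading the ClientHello are constructed for illustration.

```python
import socket
import ssl
import threading

# Versions to pin, one handshake each (TLS 1.2 vs 1.3 is the answer's hypothesis).
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe_tls(host, port, version, timeout=4.0):
    """Try one handshake pinned to `version`; return (outcome, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # like the kubelet's HTTPS probe,
    ctx.verify_mode = ssl.CERT_NONE  # do not verify the server certificate
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLEOFError as exc:   # peer closed mid-handshake: the probe's "EOF"
        return "eof", str(exc)
    except ssl.SSLError as exc:      # TLS-level failure, e.g. no shared version or cipher
        return "tls-error", exc.reason or str(exc)
    except OSError as exc:           # refused, reset, timed out
        return "tcp-error", str(exc)


def survey(host, port):
    """Map each pinned TLS version to its handshake outcome."""
    return {name: probe_tls(host, port, v)[0] for name, v in VERSIONS.items()}


def start_eof_listener(connections=2):
    """Constructed stand-in: accept, read the ClientHello, then just close."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            conn.recv(65536)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_eof_listener()
    for name, outcome in survey("127.0.0.1", port).items():
        print(f"{name}: {outcome}")
```

Calling `survey()` with the pod IP and port from the node shows whether one version completes while the other gets EOF; "eof" for every version points away from version negotiation and toward the listener closing the connection for another reason.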
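Kubernetes has two separate ways to track the health of a pod, one during deployment and one after. The LivenessProbe is what causes Kubernetes to replace a failed pod with a new one, but it has absolutely no effect during deployment of the application. Readiness probes, on the other hand, are what Kubernetes uses to determine whether the pod started successfully.
So you have to define a readinessProbe when your container is running successfully.
Sometimes, applications are temporarily unable to serve traffic. For example, an application might need to load large data or configuration files during startup, or depend on external services after startup. In such cases, you don't want to kill the application, but you don't want to send it requests either. Kubernetes provides readiness probes to detect and mitigate these situations. A pod with containers reporting that they are not ready does not receive traffic through Kubernetes Services.
Official Kubernetes documentation describing probes: kubernetes-probes.
Here is a useful article: kubernetes-liveness-and-readiness-probes.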