kubeadm series-01: How many checks does preflight have
2022-07-05 05:30:00 【runzhliu】
We know that kubeadm init runs a large number of preflight checks. These mainly cover kernel parameters, modules, the CRI and so on. If any configuration does not meet Kubernetes' requirements, a Warning or an Error is reported. The main logic of preflight is the following:

```go
// Checker validates the state of the system to ensure kubeadm will be
// successful as often as possible.
type Checker interface {
	Check() (warnings, errorList []error)
	Name() string
}
```
If you need a custom check, you can implement this interface in your own code. Below is one example of a check: ContainerRuntimeCheck is evidently the check on the CRI, that is, the container runtime.

```go
// ContainerRuntimeCheck verifies the container runtime.
type ContainerRuntimeCheck struct {
	runtime utilruntime.ContainerRuntime
}

// Name returns label for RuntimeCheck.
func (ContainerRuntimeCheck) Name() string {
	return "CRI"
}

// Check validates the container runtime
func (crc ContainerRuntimeCheck) Check() (warnings, errorList []error) {
	klog.V(1).Infoln("validating the container runtime")
	if err := crc.runtime.IsRunning(); err != nil {
		errorList = append(errorList, err)
	}
	return warnings, errorList
}
```
The function that does the real checking is the one below. It simply executes crictl info on the host and collects what it returns; you may as well run it directly on the host to see the result.

```go
// IsRunning checks if runtime is running
func (runtime *CRIRuntime) IsRunning() error {
	if out, err := runtime.crictl("info").CombinedOutput(); err != nil {
		return errors.Wrapf(err, "container runtime is not running: output: %s, error", string(out))
	}
	return nil
}
```
Some of the checks overlap a little internally. Take the firewall check: it first runs a service check on the Firewall service, and then the specific ports are checked.

Here is a summary of all the checks:

- CRI: Check whether the container runtime is running
- Service: Check whether the service is enabled and active
- Firewall: Check whether the firewall is turned off
- Port: Check whether certain ports are free
- Privileged: Check certain permissions
- Dir Available: Check whether the directory is valid
- File Available: Check whether the file is valid
- File Existing: Check whether the file exists
- File Content: Check whether the file contains the specified content
- In Path: Check whether certain executables are in the specified directory
- Hostname: Check the format of the hostname
- HTTP Proxy: Check whether the machine has a proxy configured
- HTTP Proxy CIDR: Check which addresses on this machine will go through the proxy
- System Verification: Check the system version
- Kubernetes Version: Check the Kubernetes version
- Kubelet Version: Check the kubelet version
- SwapCheck: Check whether swap is turned off
- External Etcd Version: Check the version of the external etcd
- Image Pull: Check whether the image registry is reachable
- Num CPU: Check whether the number of CPUs on the machine meets kubeadm's minimum requirement
- Mem: Check whether the local memory meets kubeadm's minimum requirement
When the checks are actually run, kubeadm also distinguishes between control-plane nodes and ordinary worker nodes; the specific checks differ by role.

Let's look at the In Path check, which verifies that certain required binaries or commands are installed. Note the mandatory field: if it is true, the executable must be present. Otherwise it is optional, but if it is missing a message is still shown advising the user to install it.
```go
	InPathCheck{executable: "crictl", mandatory: true, exec: execer},
	InPathCheck{executable: "conntrack", mandatory: true, exec: execer},
	InPathCheck{executable: "ip", mandatory: true, exec: execer},
	InPathCheck{executable: "iptables", mandatory: true, exec: execer},
	InPathCheck{executable: "mount", mandatory: true, exec: execer},
	InPathCheck{executable: "nsenter", mandatory: true, exec: execer},
	InPathCheck{executable: "ebtables", mandatory: false, exec: execer},
	InPathCheck{executable: "ethtool", mandatory: false, exec: execer},
	InPathCheck{executable: "socat", mandatory: false, exec: execer},
	InPathCheck{executable: "tc", mandatory: false, exec: execer},
	InPathCheck{executable: "touch", mandatory: false, exec: execer})
```
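
The mandatory semantics described above, as an added Go example (not kubeadm's own code): a hypothetical pathCheck implements the Checker interface quoted earlier and reports a missing mandatory tool as an error and a missing optional one as a warning. The pathCheck type, its injected lookup function (exec.LookPath has the same signature), the "InPath-" label and runChecks are assumptions made for illustration.

```go
package main

import "fmt"

// Checker is the interface quoted earlier on this page.
type Checker interface {
	Check() (warnings, errorList []error)
	Name() string
}

// pathCheck is a hypothetical stand-in for InPathCheck with an injected lookup.
type pathCheck struct {
	executable string
	mandatory  bool
	lookup     func(string) (string, error)
}

// Name returns a constructed label, not kubeadm's own.
func (c pathCheck) Name() string { return "InPath-" + c.executable }

// Check reports a missing mandatory tool as an error, an optional one as a warning.
func (c pathCheck) Check() (warnings, errorList []error) {
	if _, err := c.lookup(c.executable); err == nil {
		return nil, nil
	}
	e := []error{fmt.Errorf("%s not found in system path", c.executable)}
	if c.mandatory {
		return nil, e
	}
	return e, nil
}

// runChecks runs every check and tags each finding with the check's name.
func runChecks(checks []Checker) (warnings, errs []string) {
	for _, c := range checks {
		w, e := c.Check()
		for _, x := range w {
			warnings = append(warnings, fmt.Sprintf("[WARNING %s]: %v", c.Name(), x))
		}
		for _, x := range e {
			errs = append(errs, fmt.Sprintf("[ERROR %s]: %v", c.Name(), x))
		}
	}
	return warnings, errs
}

func main() {
	none := func(string) (string, error) { return "", fmt.Errorf("not found") } // constructed lookup
	fmt.Println(runChecks([]Checker{pathCheck{"crictl", true, none}, pathCheck{"socat", false, none}}))
}
```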
Finally, let's look at System Verification, which mainly checks the host system for certain modules. We focus on the checks under Linux. Whether a given kernel module is present or not makes a big difference, so don't underestimate this part of the inspection. I think the main thing is that all is well as long as nothing is wrong with the Linux system; sometimes it is precisely this part that is harder to troubleshoot.

```go
// DefaultSysSpec is the default SysSpec for Linux
var DefaultSysSpec = SysSpec{
	OS: "Linux",
	KernelSpec: KernelSpec{
		Versions: []string{`^3\.[1-9][0-9].*$`, `^([4-9]|[1-9][0-9]+)\.([0-9]+)\.([0-9]+).*$`}, // Requires 3.10+, or newer
		// TODO(random-liu): Add more config
		// TODO(random-liu): Add description for each kernel configuration:
		Required: []KernelConfig{
			{Name: "NAMESPACES"},
			{Name: "NET_NS"},
			{Name: "PID_NS"},
			{Name: "IPC_NS"},
			{Name: "UTS_NS"},
			{Name: "CGROUPS"},
			{Name: "CGROUP_CPUACCT"},
			{Name: "CGROUP_DEVICE"},
			{Name: "CGROUP_FREEZER"},
			{Name: "CGROUP_PIDS"},
			{Name: "CGROUP_SCHED"},
			{Name: "CPUSETS"},
			{Name: "MEMCG"},
			{Name: "INET"},
			{Name: "EXT4_FS"},
			{Name: "PROC_FS"},
			{Name: "NETFILTER_XT_TARGET_REDIRECT", Aliases: []string{"IP_NF_TARGET_REDIRECT"}},
			{Name: "NETFILTER_XT_MATCH_COMMENT"},
			{Name: "FAIR_GROUP_SCHED"},
		},
		Optional: []KernelConfig{
			{Name: "OVERLAY_FS", Aliases: []string{"OVERLAYFS_FS"}, Description: "Required for overlayfs."},
			{Name: "AUFS_FS", Description: "Required for aufs."},
			{Name: "BLK_DEV_DM", Description: "Required for devicemapper."},
			{Name: "CFS_BANDWIDTH", Description: "Required for CPU quota."},
			{Name: "CGROUP_HUGETLB", Description: "Required for hugetlb cgroup."},
			{Name: "SECCOMP", Description: "Required for seccomp."},
			{Name: "SECCOMP_FILTER", Description: "Required for seccomp mode 2."},
		},
		Forbidden: []KernelConfig{},
	},
	Cgroups: []string{"cpu", "cpuacct", "cpuset", "devices", "freezer", "memory", "pids"},
	CgroupsOptional: []string{
		// The hugetlb cgroup is optional since some kernels are compiled without support for huge pages
		// and therefore lacks corresponding hugetlb cgroup
		"hugetlb",
		// The blkio cgroup is optional since some kernels are compiled without support for block I/O throttling.
		// Containerd and cri-o will use blkio to track disk I/O and throttling in both cgroup v1 and v2.
		"blkio",
	},
	CgroupsV2:         []string{"cpu", "cpuset", "devices", "freezer", "memory", "pids"},
	CgroupsV2Optional: []string{"hugetlb", "blkio"},
	RuntimeSpec: RuntimeSpec{
		DockerSpec: &DockerSpec{
			Version:     []string{`1\.1[1-3]\..*`, `17\.0[3,6,9]\..*`, `18\.0[6,9]\..*`, `19\.03\..*`, `20\.10\..*`},
			GraphDriver: []string{"aufs", "btrfs", "overlay", "overlay2", "devicemapper", "zfs"},
		},
	},
}
```
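
To see how Required and Optional entries and their Aliases play out against a real kernel config, here is an added Go example (not the validator's own code). It parses kernel config text and lists the spec entries that are absent under both their name and every alias. The functions parseConfig and missing, the sample config text and the rule that a value of y or m counts as present are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// KernelConfig keeps the two fields of the spec entries that matter here.
type KernelConfig struct {
	Name    string
	Aliases []string
}

// parseConfig reads "CONFIG_X=y" lines; "# CONFIG_X is not set" has no "=" and is skipped.
func parseConfig(text string) map[string]string {
	opts := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if ok && strings.HasPrefix(k, "CONFIG_") {
			opts[strings.TrimPrefix(k, "CONFIG_")] = v
		}
	}
	return opts
}

// missing lists entries that are neither built in (y) nor a module (m)
// under their name or any alias (assumed rule for this example).
func missing(opts map[string]string, want []KernelConfig) (out []string) {
next:
	for _, kc := range want {
		for _, n := range append([]string{kc.Name}, kc.Aliases...) {
			if v := opts[n]; v == "y" || v == "m" {
				continue next
			}
		}
		out = append(out, kc.Name)
	}
	return out
}

// Constructed sample: a config excerpt and a subset of the spec above.
const sampleConfig = "CONFIG_NAMESPACES=y\n# CONFIG_CGROUP_PIDS is not set\nCONFIG_IP_NF_TARGET_REDIRECT=m\nCONFIG_SECCOMP=y\n"

var required = []KernelConfig{{Name: "NAMESPACES"}, {Name: "CGROUP_PIDS"},
	{Name: "NETFILTER_XT_TARGET_REDIRECT", Aliases: []string{"IP_NF_TARGET_REDIRECT"}}}
var optional = []KernelConfig{{Name: "SECCOMP"}, {Name: "AUFS_FS"}}

func main() {
	opts := parseConfig(sampleConfig)
	fmt.Println("required:", missing(opts, required), "optional:", missing(opts, optional))
}
```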