问题描述

RHEL9 VM里安装了Microk8s，且使用了Nginx ingress Controller插件，443端口正常。 VM重启一次后，发现443端口没有LISTEN，不能对外提供服务。

定位过程

查看ingress pod状态，为CrashLoopBackOff

# kubectl -n ingress get pods
NAME                                      READY   STATUS             RESTARTS         AGE
nginx-ingress-microk8s-controller-b6krf   0/1     CrashLoopBackOff   1102 (55s ago)   8d

再查看启动日志，通过kubectl logs命令

kubectl -n ingress logs nginx-ingress-microk8s-controller-b6krf | head -n 20
-------------------------------------------------------------------------------
NGINX Ingress controllerRelease:       v1.2.0Build:         a2514768cd282c41f39ab06bda17efefc4bd233aRepository:    https://github.com/kubernetes/ingress-nginxnginx version: nginx/1.19.10-------------------------------------------------------------------------------W0903 07:03:51.041545       7 client_config.go:617] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0903 07:03:51.041798       7 main.go:230] "Creating API client" host="https://10.152.183.1:443"
I0903 07:03:51.079803       7 main.go:274] "Running in Kubernetes cluster" major="1" minor="23+" git="v1.23.10-2+b9088462d1df8c" state="clean" commit="b9088462d1df8ccd2a1856d329af381fa2bce5a3" platform="linux/amd64"
I0903 07:03:51.203652       7 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I0903 07:03:51.259671       7 nginx.go:256] "Starting NGINX Ingress controller"
F0903 07:03:51.259727       7 main.go:345] listen tcp :10254: bind: address already in use
goroutine 117 [running]:
k8s.io/klog/v2.stacks(0x1)k8s.io/klog/v2@v2.60.1/klog.go:860 +0x8a

发现报错：listen tcp :10254: bind: address already in use, 10254端口是ingress用于健康检查的端口

kubectl -n ingress get ds nginx-ingress-microk8s-controller -o yaml
...
livenessProbe:httpGet:path: /healthzport: 10254

netstat查下10254端口被哪个进程占用了

[root@sg3 svc]# netstat -antp | grep containerd
tcp        0      0 127.0.0.1:1338          0.0.0.0:*               LISTEN      3631/containerd
tcp        0      0 127.0.0.1:10254         0.0.0.0:*               LISTEN      3631/containerd

发现是containerd占用了10254端口。因为重启前ingress是正常的，于是猜测这个containerd端口是随机分配的，接着验证一下猜测是否正确。

下一份containerd代码看看，先查containerd版本：

snap list
microk8s  v1.23.10  3699   -         canonical✓  classicmicrok8s ctr version
Client:Version:  v1.5.13

发现containerd版本为v.1.5.13，找到源码 https://github.com/containerd/containerd/releases/tag/v1.5.13

简单扫下源码，找到containerd配置文件的路径：/var/snap/microk8s/current/args/containerd-template.toml，内容如下：

[grpc]
# ......[metrics]address="127.0.0.1:1338"
# ......[ plugins. "io.containerd.grpc.v1.cri" ]stream_server_address = "127.0.0.1"stream_server_port = "0"

journalctl -xeu snap.microk8s.daemon-containerd.service查下启动日志，通过启动日志中的关键字快速定位到相关代码：

分析配置文件和代码，找到原因：containerd配置文件中的stream_server_port默认为0, 说明监听了随机端口号，所以可能存在端口冲突。

解决方法

可以给containerd指定一个端口号，防止端口冲突。 比如改成10300（具体改哪个端口根据你的情况定，这里只举个例子)，如下：

sed -i 's/stream_server_port = "[^"]*"/stream_server_port = "10300"/' /var/snap/microk8s/current/args/containerd-template.toml
microk8s stop
microk8s start

github上找到类似了issue：https://github.com/containerd/containerd/issues/7097

参考

https://www.thebyte.com.cn/container/CRI-in-Kubernetes.html