Looking at the actual VM, this seems like a typical distribution of CPU usage among the Kubernetes processes:
7 root S 153m 4% 0 7% kube-controller-manager -kubeconf
1130 1015 root S 787m 20% 0 6% /usr/local/bin/dockerd -H unix:///
1016 906 root S 247m 6% 0 4% kubelet -kubeconfig=/etc/kubernet
4 root S 721m 18% 0 3% kube-apiserver -advertise-address
2 root S 53468 1% 0 1% kube-scheduler -address=127.0.0.1
First, looking at the logs, something is continuously calling Docker's API with requests such as /v1.31/containers/json. I'm going to assume this is the Kubelet. But the Kubelet doesn't log any activity corresponding to the frequency of requests, and neither does kube-controller-manager.

I can confirm that this is happening for me too and most of the developers have complained that Kubernetes using Docker for Desktop on their Macs causes their computers to get very loud.

It happens most frequently when deploying and then begins to quiet down, but it's been over 10 minutes since I used the Kubernetes API server, all of the deployed stuff is running without any restarts, and I'm still getting a large amount of CPU used. I do hope this is going to be addressed in the near future, even if it requires an upstream patch to one of the k8s components.

I see the CPU usage is primarily the kube-controller-manager which spins at about 10% of a core, followed by kube-apiserver at about 7% of a core. Etcd and kube-scheduler take another 3% each or so.

HyperKit itself is spinning at 50-60%, so I don't know where the other compute is coming from but it definitely settles down after Kubernetes is disabled.

OSX 10.13.6
Docker 18.09.0-ce-beta1

FWIW, without Kubernetes, Docker behaves fine for me, but still spews tons of psynch_cvwait Err#316 while at 3% CPU usage, so I'm going to re-focus on the Kubernetes side of the picture for now.

docker stats with kube enabled does show that kube-controller-manager and kube-apiserver are both using 5% of the CPU (those %s don't match up outside and inside the VM tho).
Docker Desktop creates a certificate bundle of all user-trusted CAs based on the Mac Keychain, and appends it to Moby trusted certificates. So if an enterprise SSL certificate is trusted by the user on the host, it is trusted by Docker Desktop.

To manually add a custom, self-signed certificate.

Install and run Docker Desktop on Mac. Double-click Docker.dmg to open the installer, then drag the Docker icon to the Applications folder. Double-click Docker.app in the Applications folder to start Docker. (In the example below, the Applications folder is in “grid” view mode.)
I think this idle load on those components is my source of pain. FWIW, in production on AWS on 1.10, I don't get CPU usage like this (and that's when there is actually stuff for kube-apiserver to do!).
2018 Update: Easiest option is Justin's repo and image
Just run this from your Mac terminal and it'll drop you in a container with full permissions on the Moby VM. This also works on Docker for Windows for getting into the Moby Linux VM (it doesn't work for Windows Containers).
docker run -it --rm --privileged --pid=host justincormack/nsenter1
more info: https://github.com/justincormack/nsenter1
Option 1: use Screen (not as easy as nsenter)
Note this isn't a list of commands to run in order. The first one gets you in the VM (hit return twice to see a prompt). The other commands are for managing that connection. Not a great CLI experience, but it gets the job done. Using the ctrl- options prevents garbled text on reconnect.
connect to tty on Docker for Mac VM
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
disconnect that session but leave it open in background
Ctrl-a d
list that session that's still running in background
screen -ls
reconnect to that session (don't open a new one, that won't work and 2nd tty will give you garbled screen)
screen -r
kill this session (window) and exit
Ctrl-a k
Option 2 (easier): Use nsenter in a privileged container
docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Phil Estes (Docker Maintainer) says:
it’s running a container (using the debian image..nothing special about it other than it apparently has nsenter installed), with pid=host (so you are in the process space of the mini VM running Docker4Mac), and then nsenter says “whatever is pid 1, use that as context, and enter all the namespaces of that, and run a shell there”
Or even easier, from Justin Cormack (Docker Maintainer)
docker run -it --rm --privileged --pid=host justincormack/nsenter1
Justin says:
Personally I mostly use screen, but then I also use the above too. That's my minimal nsenter image.
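As an added example (not from the original post or from the Docker project): the nsenter commands above work because --privileged together with --pid=host lets a container enter the namespaces of PID 1, so that flag combination is worth auditing for on any shared Docker host. The sketch below classifies `docker inspect` JSON; the sample entries, container names and finding labels are constructed, and the CapAdd check goes slightly beyond the page, on the basis that nsenter's setns call needs CAP_SYS_ADMIN.

```python
import json

# Constructed sample: trimmed `docker inspect` output (not taken from the page).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/vm-shell", "Config": {"Image": "justincormack/nsenter1"},
  "HostConfig": {"Privileged": true, "PidMode": "host", "CapAdd": null}},
 {"Name": "/web", "Config": {"Image": "nginx"},
  "HostConfig": {"Privileged": false, "PidMode": "", "CapAdd": null}},
 {"Name": "/monitor", "Config": {"Image": "debian"},
  "HostConfig": {"Privileged": false, "PidMode": "host", "CapAdd": null}},
 {"Name": "/tracer", "Config": {"Image": "debian"},
  "HostConfig": {"Privileged": false, "PidMode": "host", "CapAdd": ["CAP_SYS_ADMIN"]}}
]
""")

# Hypothetical finding labels; a lower number is reviewed first.
SEVERITY = {"host-access": 0, "host-pid+sys_admin": 1, "privileged": 2, "host-pid": 3}


def classify(container):
    """Return (name, image, finding) for one `docker inspect` entry."""
    host_cfg = container.get("HostConfig") or {}
    privileged = bool(host_cfg.get("Privileged"))
    host_pid = host_cfg.get("PidMode") == "host"
    # CapAdd is null when unset; Docker accepts names with or without "CAP_".
    caps = {c.upper().replace("CAP_", "", 1) for c in host_cfg.get("CapAdd") or []}
    if privileged and host_pid:
        finding = "host-access"  # same flags as the nsenter commands above
    elif host_pid and caps & {"SYS_ADMIN", "ALL"}:
        finding = "host-pid+sys_admin"
    elif privileged:
        finding = "privileged"
    elif host_pid:
        finding = "host-pid"
    else:
        finding = "ok"
    name = container.get("Name", "").lstrip("/")
    image = (container.get("Config") or {}).get("Image", "")
    return name, image, finding


def audit(inspect_entries):
    """Return the containers that need review, most serious first."""
    flagged = [f for f in map(classify, inspect_entries) if f[2] != "ok"]
    return sorted(flagged, key=lambda f: SEVERITY[f[2]])


if __name__ == "__main__":
    for name, image, finding in audit(SAMPLE_INSPECT):
        print(f"{finding:20} {name:10} {image}")
```

For live data, save the output of `docker inspect $(docker ps -q)` to a file and pass the parsed list to audit().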