Azure Container Instance (ACI)

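Azure Container Instances (ACI) provides the simplest way to run containers in Azure, without requiring users to configure any virtual machines or other higher-level services. ACI suits workloads that need to burst quickly and adjust resources, but its feature set is relatively simple. For scenarios that need full container cluster orchestration, ACS or AKS is recommended.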

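The advantages of ACI include:

  • Provides VM-level security isolation without requiring users to configure and manage virtual machines
  • Fast startup
  • Supports custom sizes
  • Supports binding public IPs and persistent storage
  • Supports Linux and Windows containers
  • Supports container groups that run multiple containers together (similar to a Kubernetes Pod), sharing the same lifecycle, network stack, IP address and storage
  • Through aci-connector-k8s, ACI can be used as an unlimited Node of a Kubernetes cluster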

Note: ACI is currently only available in regions such as westus, eastus and westeurope.

Getting started example

    # Create a resource group
    az group create --name myResourceGroup --location eastus

    # Create a container (equivalent to docker run)
    az container create --name mycontainer --image microsoft/aci-helloworld --resource-group myResourceGroup --ip-address public

    # Query the container (equivalent to docker ps or docker inspect)
    az container show --name mycontainer --resource-group myResourceGroup [-o table/json]

    # Query the container logs
    az container logs --name mycontainer --resource-group myResourceGroup

    # Delete the container
    az container delete --name mycontainer --resource-group myResourceGroup

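Container groups

Container groups run multiple containers together (similar to a Kubernetes Pod); they share the same lifecycle, network stack, IP address and persistent storage. Container groups are commonly used to run a set of functionally related containers in the sidecar pattern, such as an application with a monitoring container or an application with a logging container.

Currently, container groups can only be run through a template. The template format is: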

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
      },
      "variables": {
        "container1name": "aci-tutorial-app",
        "container1image": "microsoft/aci-helloworld:latest",
        "container2name": "aci-tutorial-sidecar",
        "container2image": "microsoft/aci-tutorial-sidecar"
      },
      "resources": [
        {
          "name": "myContainerGroup",
          "type": "Microsoft.ContainerInstance/containerGroups",
          "apiVersion": "2017-08-01-preview",
          "location": "[resourceGroup().location]",
          "properties": {
            "containers": [
              {
                "name": "[variables('container1name')]",
                "properties": {
                  "image": "[variables('container1image')]",
                  "resources": {
                    "requests": {
                      "cpu": 1,
                      "memoryInGb": 1.5
                    }
                  },
                  "ports": [
                    {
                      "port": 80
                    }
                  ]
                }
              },
              {
                "name": "[variables('container2name')]",
                "properties": {
                  "image": "[variables('container2image')]",
                  "resources": {
                    "requests": {
                      "cpu": 1,
                      "memoryInGb": 1.5
                    }
                  }
                }
              }
            ],
            "osType": "Linux",
            "ipAddress": {
              "type": "Public",
              "ports": [
                {
                  "protocol": "tcp",
                  "port": "80"
                }
              ]
            }
          }
        }
      ],
      "outputs": {
        "containerIPv4Address": {
          "type": "string",
          "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups/', 'myContainerGroup')).ipAddress.ip]"
        }
      }
    }

Deploying a container group also requires the az group deployment command:

    az group deployment create --name myContainerGroup --resource-group myResourceGroup --template-file azuredeploy.json

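After a successful deployment, the az container commands can be used to view or operate on the containers (use --container-name to specify which container to operate on).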

Private images

Private images can be stored in Azure Container Registry (ACR).

    # Create ACR
    az acr create --resource-group myResourceGroup --name <acrName> --sku Basic --admin-enabled true

    # Login
    az acr login --name <acrName>

    # Tag the image.
    az acr list --resource-group myResourceGroup --query "[].{acrLoginServer:loginServer}" --output table
    docker tag azure-vote-front <acrLoginServer>/azure-vote-front:redis-v1

    # push image
    docker push <acrLoginServer>/azure-vote-front:redis-v1

    # List images.
    az acr repository list --name <acrName> --output table

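When creating a container from a private image, a password must be set for each container through the --registry-password option (a bit more cumbersome than docker login):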

    # Query password.
    az acr credential show --name <acrName> --query "passwords[0].value"
    # Create container.
    az container create --name aci-tutorial-app --image <acrLoginServer>/aci-tutorial-app:v1 --cpu 1 --memory 1 --registry-password <acrPassword> --ip-address public --ports 80 -g myResourceGroup

Alternatively, set the credentials in the deployment template (such as the container group example above):

    "imageRegistryCredentials": [
      {
        "server": "[parameters('imageRegistryLoginServer')]",
        "username": "[parameters('imageRegistryUsername')]",
        "password": "[parameters('imageRegistryPassword')]"
      }
    ]

Persistent storage

An Azure file share must be created before it can be used with Azure Container Instances.

    # Create the storage account
    az storage account create -n mycontainerstorage -g myResourceGroup --sku Standard_LRS

    # Export the connection string as an environment variable, this is used when creating the Azure file share
    export AZURE_STORAGE_CONNECTION_STRING=$(az storage account show-connection-string -n mycontainerstorage -g myResourceGroup -o tsv)

    # Create the share
    az storage share create -n myacishare

    # Get storage account key.
    STORAGE_ACCOUNT="mycontainerstorage"
    STORAGE_KEY=$(az storage account keys list --resource-group myResourceGroup --account-name mycontainerstorage --query "[0].value" -o tsv)

Persistent storage also has to be referenced through a template. Create the following template file:

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageaccountname": {
          "type": "string"
        },
        "storageaccountkey": {
          "type": "securestring"
        }
      },
      "resources":[{
        "name": "hellofiles",
        "type": "Microsoft.ContainerInstance/containerGroups",
        "apiVersion": "2017-08-01-preview",
        "location": "[resourceGroup().location]",
        "properties": {
          "containers": [{
            "name": "hellofiles",
            "properties": {
              "image": "seanmckenna/aci-hellofiles",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [{
                "port": 80
              }],
              "volumeMounts": [{
                "name": "myvolume",
                "mountPath": "/aci/logs/"
              }]
            }
          }],
          "osType": "Linux",
          "ipAddress": {
            "type": "Public",
            "ports": [{
              "protocol": "tcp",
              "port": "80"
            }]
          },
          "volumes": [{
            "name": "myvolume",
            "azureFile": {
              "shareName": "myacishare",
              "storageAccountName": "[parameters('storageaccountname')]",
              "storageAccountKey": "[parameters('storageaccountkey')]"
            }
          }]
        }
      }]
    }

Finally, deploy the container:

    # deploy container group
    az group deployment create --name hellofilesdeployment --template-file hellofiles.json --resource-group myResourceGroup --parameters storageaccountname=$STORAGE_ACCOUNT storageaccountkey=$STORAGE_KEY

    # list container
    az container list -g myResourceGroup -o table
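
The templates above pass the registry password and the storage account key as template parameters; only the `securestring` type keeps such values out of the deployment history. The following Python check is an added example (not part of the original page or of any Azure tooling) that flags secret fields not backed by a `securestring` parameter and images left on `latest` or untagged. The names `walk`, `audit_template`, `SAMPLE` and the registry `example.azurecr.io` are assumptions made for illustration.

```python
import re

# Matches ARM expressions such as [parameters('x')] or [variables('x')].
REF = re.compile(r"^\[(parameters|variables)\('([^']+)'\)\]$")
SECRET_KEYS = {"password", "storageAccountKey"}  # secret fields used on this page

def walk(node, path=""):
    """Yield (path, key, value) for every key in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}/{key}", key, value
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, f"{path}[{index}]")

def audit_template(template):
    """Return findings for secrets and image tags in an ACI template (dict)."""
    params = template.get("parameters", {})
    variables = template.get("variables", {})
    findings = []
    for path, key, value in walk(template.get("resources", [])):
        ref = REF.match(value) if isinstance(value, str) else None
        if key in SECRET_KEYS:
            if not ref or ref.group(1) != "parameters":
                findings.append(f"{path}: secret is hard-coded in the template")
            elif params.get(ref.group(2), {}).get("type", "").lower() != "securestring":
                findings.append(f"{path}: parameter '{ref.group(2)}' is not securestring")
        elif key == "image" and isinstance(value, str):
            if ref and ref.group(1) == "variables":
                value = str(variables.get(ref.group(2), ""))  # resolve the variable
            tag = value.rsplit("/", 1)[-1].partition(":")[2]
            if "@sha256:" not in value and tag in ("", "latest"):
                findings.append(f"{path}: image '{value}' is not pinned to a version")
    return findings

# Constructed sample, modelled on the templates above but with weak settings.
SAMPLE = {
    "parameters": {"storageaccountkey": {"type": "string"},
                   "imageRegistryPassword": {"type": "securestring"}},
    "variables": {"container1image": "microsoft/aci-helloworld:latest"},
    "resources": [{"properties": {
        "containers": [{"properties": {"image": "[variables('container1image')]"}},
                       {"properties": {"image": "example.azurecr.io/aci-tutorial-app:v1"}}],
        "imageRegistryCredentials": [{"password": "[parameters('imageRegistryPassword')]"}],
        "volumes": [{"azureFile": {"storageAccountKey": "[parameters('storageaccountkey')]"}}]}}],
}

print("\n".join(audit_template(SAMPLE)))
```

To check a real file, load it with `json.load` and pass the resulting dict to `audit_template`.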

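Kubernetes integration

aci-connector-k8s lets ACI be used as an unlimited Node of a Kubernetes cluster.

After downloading the aci-connector-k8s source, you can run examples/generateManifest.py to automatically generate a configuration that deploys aci-connector (without the RBAC configuration).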

    python3 generateManifest.py -g myResourceGroup -s <my-subscription-id> -l westus

On systems with RBAC enabled, the corresponding permissions need to be configured, for example with the following deployment file:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: aci-connector
      namespace: default
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: aci-connector
        spec:
          serviceAccount: aci-connector
          containers:
          - name: aci-connector
            image: microsoft/aci-connector-k8s:latest
            imagePullPolicy: Always
            env:
            - name: AZURE_CLIENT_ID
              value: <your-client-id>
            - name: AZURE_CLIENT_KEY
              value: <your-client-key>
            - name: AZURE_TENANT_ID
              value: <your-tenant-id>
            - name: AZURE_SUBSCRIPTION_ID
              value: <your-subscription-id>
            - name: ACI_RESOURCE_GROUP
              value: <your-resource-group>
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: aci-connector
    ---
    apiVersion: v1
    kind: List
    items:
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: "aci-connector"
      rules:
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["get", "list", "watch"]
      - apiGroups: [""]
        resources: ["pods", "pods/status"]
        verbs: ["get","list","watch","create","patch","update","delete"]
      - apiGroups: [""]
        resources: ["nodes", "nodes/status"]
        verbs: ["get","list","watch","create","patch","update","delete"]
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: "aci-connector"
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: "aci-connector"
      subjects:
      - apiGroup: ""
        kind: ServiceAccount
        name: "aci-connector"
        namespace: "default"

Shortly after this Deployment is deployed, you will see that it has automatically created a Node named aci-connector:

    # kubectl get node aci-connector
    NAME            STATUS    ROLES     AGE       VERSION
    aci-connector   Ready     <none>    1m        v1.6.6

Pods can then be scheduled onto ACI by specifying nodeName or by tolerating the taint azure.com/aci=NoSchedule:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      labels:
        run: nginx
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: nginx
      dnsPolicy: ClusterFirst
      nodeName: aci-connector

    # kubectl get pods -l run=nginx -o wide
    NAME      READY     STATUS    RESTARTS   AGE       IP        NODE
    nginx     1/1       Running   0          28s       x.x.x.x   aci-connector

    # az container list -g myResourceGroup -o table
    Name    ResourceGroup    ProvisioningState    Image    IP:ports          CPU/Memory       OsType    Location
    ------  ---------------  -------------------  -------  ----------------  ---------------  --------  ----------
    nginx   myResourceGroup  Succeeded            nginx    x.x.x.x:80        1.0 core/1.5 gb  Linux     westus

References

  • Azure Container Instances Documentation
  • Azure Container Instances Connector for Kubernetes (experimental)
