Elastic Compute Service:Use Cloud Assistant to run commands in containers

Limits

• Cloud Assistant can be used to run commands only in containers that are managed by Kubernetes based on the Container Runtime Interface (CRI) and run within the Docker, containerd, or CRI-O container runtime.

• The limits that are described in the following table are imposed by the CRI when you run commands in containers. The table also provides solutions to resolve the limits.

  Limits	Description and countermeasure
  You can use only the default user of a container to run commands in the container.	After you specify the ContainerId parameter, the ContainerName parameter, or both, the Username parameter does not take effect. The default user of the container is used to run the commands. If you want to change the user that is used to run the commands, run the sudo command in the container. Make sure that the container image supports user change.
  You can run commands only in the default working directory of a container.	After you specify the ContainerId parameter, the ContainerName parameter, or both, the WorkingDir parameter does not take effect. The commands are run in the default working directory of the container. If you want to change the working directory of the commands, add the cd command at the beginning of the shell script.
  You can run only shell scripts in a container. You cannot add a command in a format similar to #!/usr/bin/python at the beginning of a script to specify a script interpreter.	After you specify the ContainerId parameter, the ContainerName parameter, or both, Linux shell scripts are run by using /bin/sh in the container. The script interpreter specified by the command that starts with #! cannot be recognized. To run a script in another language in the container, call the interpreter of the language in the container and pass in the script. For example, you can add the /usr/bin/python -c 'import sys; print(sys.version_info)' command at the beginning of a script to call the Python interpreter in the container.

Procedure

1. View the ID and name of a Kubernetes container.

   Method 1: Run a kubectl command to view the ID and name of a Kubernetes container.

   You can run the kubectl --namespace <Specified namespace> describe pod <Specified pod> command to view the ContainerId value of a container in the specified pod, or use Kubernetes apiserver to query the ID and name of a Kubernetes container.

   1. Connect to an instance.

      For more information, see Connect to a Linux instance by using a password or key.

   2. Run the following command to query the ID of a Kubernetes container:

      kubectl --namespace <Specified namespace> describe pod <Specified pod>

      In this example, the namespace is kube-system and the container in the specified pod is kube-proxy-h4slq. A command output similar to the following one is returned:

      [test@localhost ~]# kubectl --namespace kube-system describe pod kube-proxy-h4slq
      Name:                 kube-proxy-h4slq
      Namespace:            kube-system
      Priority:             2000001000
      Priority Class Name:  system-node-critical
      Node:                 master1/192.168.1.11
      Start Time:           Thu, 11 Aug 2022 16:33:04 +0800
      Labels:               controller-revision-hash=9c5d7****
                            k8s-app=kube-proxy
                            pod-template-generation=1
      Annotations:          <none>
      Status:               Running
      IP:                   192.168.1.11
      IPs:
        IP:           192.168.1.11
      Controlled By:  DaemonSet/kube-proxy
      Containers:
        kube-proxy:
          Container ID:  docker://fe17ab0409739e63f526aed7c79e87989e90d19f0429********************
          Image:         k8s.gcr.io/kube-proxy:v1.23.9
          Image ID:      docker://sha256:9e6a540eeeb62a64450dad488760cc3769b23d19fc21********************
          Port:          <none>
          Host Port:     <none>
          Command:
            /usr/local/bin/kube-proxy
            --config=/var/lib/kube-proxy/config.conf
            --hostname-override=$(NODE_NAME)
          State:          Running
            Started:      Thu, 11 Aug 2022 16:33:06 +0800
          Ready:          True
          Restart Count:  0
          Environment:
            NODE_NAME:   (v1:spec.nodeName)
          Mounts:
            /lib/modules from lib-modules (ro)
            /run/xtables.lock from xtables-lock (rw)
            /var/lib/kube-proxy from kube-proxy (rw)
            /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-69g97 (ro)

      In the Containers section, the Container ID value of the kube-proxy container is docker://fe17ab0409739e63f526aed7c79e87989e90d19f0429********************. The value indicates that the container uses a Docker runtime and the container ID is fe17ab0409739e63f526aed7c79e87989e90d19f0429********************. The name of the container that is managed by Kubernetes based on the CRI is kube-proxy.

   3. (Optional) Run the following command to view the types and versions of the container runtimes that are used on the nodes in the Kubernetes cluster:

      kubectl get nodes -o wide

      A command output similar to the following one is returned:

      NAME    STATUS     ROLES                  AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                         KERNEL-VERSION                 CONTAINER-RUNTIME
      node1   Ready      <none>                 17h   v1.23.6   192.168.1.101   <none>        Ubuntu 20.04.4 LTS               5.4.0-123-generic              containerd://1.6.7
      node2   Ready      <none>                 17h   v1.23.6   192.168.1.102   <none>        openSUSE Leap 15.4               5.14.21-150400.24.11-default   cri-o://1.22.0
      master1 Ready      control-plane,master   18h   v1.23.6   192.168.1.11    <none>        CentOS Linux 7 (Core)            3.10.0-1160.71.1.el7.x86_64    docker://20.10.17
      node3   Ready      <none>                 17h   v1.23.6   192.168.1.103   <none>        Debian GNU/Linux 11 (bullseye)   5.10.0-16-amd64                docker://20.10.17

      The CONTAINER-RUNTIME column in the command output lists different container runtimes on different nodes.

   Method 2: Use Cloud Assistant Agent to view the ID and name of a Kubernetes container.

   Cloud Assistant Agent on Linux instances allows you to run commands in containers. Cloud Assistant Agent lists the containers that are managed by Kubernetes based on the CRI and run within the Docker, containerd, or CRI-O container runtime. Cloud Assistant Agent also allows you to view containers on the instances without the need to run the kubectl command.

   The subcommand used by Cloud Assistant Agent to list containers on instances is list-containers. You can specify parameters based on the subcommand. The following list provides examples on how to specify parameters based on the subcommand:

   • Run the aliyun-service list-containers --source cri command.

     Specify the --source cri parameter to list containers that are managed by Kubernetes based on the CRI and are running within the Docker, containerd, or CRI-O container runtime. A command output similar to the following one is returned.

     [test@localhost ~]# aliyun-service list-containers --source cri
     Container Id                                                      Container Name           Pod Name                                         Runtime  State    Data Source
     4f14883f30580007b2b386be16c743048d7b7b6a6522********************  etcd                     etcd-izbp199sm5j54**********                     docker   RUNNING  CRI
     60775315aa50765de7332764322f7697ded2783e4860********************  kube-apiserver           kube-apiserver-izbp199sm5j54**********           docker   RUNNING  CRI
     8d8dd01f09f451109285a0094eef0c144bdfdef6913e********************  coredns                  coredns-64897**********                          docker   RUNNING  CRI
     aee068814a7b10419186bb944832e65df2a8b3cab32b********************  kube-scheduler           kube-scheduler-izbp199sm5j54**********           docker   RUNNING  CRI
     b06609d4246be717c324b366d4e6c392fcf226ecbc4b********************  kube-flannel             kube-flanne**********                            docker   RUNNING  CRI
     c0992c3401ad52b3fce105ce5188026f28db7d5fe202********************  kube-controller-manager  kube-controller-manager-izbp199sm5j54**********  docker   RUNNING  CRI
     d1add169bb596f53d31030f84d69e494e7b23135acd2********************  coredns                  coredns-64897**********                          docker   RUNNING  CRI
     fe17ab0409739e63f526aed7c79e87989e90d19f0429********************  kube-proxy               kube-proxy-*****                                 docker   RUNNING  CRI

     The Container Id and Container Name values in the command output can be used for the ContainerId and ContainerName parameters in the commands that you want to run in containers. The Pod Name column lists the Kubernetes pods that correspond to the containers.

   • Run the aliyun-service list-containers --source cri --all command.

     Specify the --all parameter to list all containers that are managed by Kubernetes based on the CRI and exist within the Docker, containerd, or CRI-O container runtime. A command output similar to the following one is returned.

     [test@localhost ~]# aliyun-service list-containers --source cri --all
     Container Id                                                      Container Name           Pod Name                                         Runtime  State    Data Source
     240246ecbb7b4bfc3e0fd1bad51a76d43603c9cdee6a********************  install-cni              kube-flannel-ds-*****                            docker   EXITED   CRI
     4f14883f30580007b2b386be16c743048d7b7b6a6522********************  etcd                     etcd-izbp199sm5j************                     docker   RUNNING  CRI
     60775315aa50765de7332764322f7697ded2783e4860********************  kube-apiserver           kube-apiserver-izbp199sm5j************           docker   RUNNING  CRI
     8d8dd01f09f451109285a0094eef0c144bdfdef6913e********************  coredns                  coredns-64897985d-8qz25                          docker   RUNNING  CRI
     aee068814a7b10419186bb944832e65df2a8b3cab32b********************  kube-scheduler           kube-scheduler-izbp199sm5j************           docker   RUNNING  CRI
     b06609d4246be717c324b366d4e6c392fcf226ecbc4b********************  kube-flannel             kube-flannel-ds-*****                            docker   RUNNING  CRI
     bdf9a2aff47a6858897d5c734c481535f7bb70321c8b********************  install-cni-plugin       kube-flannel-ds-*****                            docker   EXITED   CRI
     c0992c3401ad52b3fce105ce5188026f28db7d5fe202********************  kube-controller-manager  kube-controller-manager-izbp199sm53************  docker   RUNNING  CRI
     d1add169bb596f53d31030f84d69e494e7b23135acd2********************  coredns                  coredns-***************                          docker   RUNNING  CRI
     fe17ab0409739e63f526aed7c79e87989e90d19f0429********************  kube-proxy               kube-proxy-*****                                 docker   RUNNING  CRI

   • Run the aliyun-service list-containers command.

     Do not specify the --source parameter. This way, the following containers are listed: the containers that are managed by Kubernetes based on the CRI and run within the Docker, containerd, or CRI-O container runtime, and the containers that run within the Docker runtime and do not conform with the CRI. A command output similar to the following one is returned.

     Important

     You can run commands only in containers that are managed by Kubernetes based on the CRI and run within the Docker, containerd, or CRI-O container runtime. You cannot run commands in containers that are running within the Docker runtime and do not conform with the CRI.

     [test@localhost ~]# aliyun-service list-containers
     Container Id                                                      Container Name                                                                                          Pod Name                                         Runtime  State    Data Source
     4f14883f30580007b2b386be16c743048d7b7b6a6522********************  etcd                                                                                                    etcd-izbp199sm5j************                     docker   RUNNING  CRI
     60775315aa50765de7332764322f7697ded2783e4860********************  kube-apiserver                                                                                          kube-apiserver-izbp199sm5j************           docker   RUNNING  CRI
     8d8dd01f09f451109285a0094eef0c144bdfdef6913e********************  coredns                                                                                                 coredns-648************                          docker   RUNNING  CRI
     aee068814a7b10419186bb944832e65df2a8b3cab32b********************  kube-scheduler                                                                                          kube-scheduler-izbp199sm5j************           docker   RUNNING  CRI
     b06609d4246be717c324b366d4e6c392fcf226ecbc4b********************  kube-flannel                                                                                            kube-flannel-********                            docker   RUNNING  CRI
     c0992c3401ad52b3fce105ce5188026f28db7d5fe202********************  kube-controller-manager                                                                                 kube-controller-manager-izbp199sm5j************  docker   RUNNING  CRI
     d1add169bb596f53d31030f84d69e494e7b23135acd2********************  coredns                                                                                                 coredns-648************                          docker   RUNNING  CRI
     fe17ab0409739e63f526aed7c79e87989e90d19f0429********************  kube-proxy                                                                                              kube-proxy-*****                                 docker   RUNNING  CRI
     b6864279148b3cef6e72c983f7ffa041dfe7ab5e2c57********************  k8s_POD_coredns-64897985d-8qz25_kube-system_5422418e******************************                                                                       docker   RUNNING  docker
     fa99eaa067927e47f4e30795ad45065383efc8669687********************  k8s_POD_coredns-64897985d-cxvdq_kube-system_f59766f0******************************                                                                       docker   RUNNING  docker
     3236c0f21b4a8f15fadeaaf813afb21d59889163056c********************  k8s_POD_kube-flannel-ds-qwf9p_kube-flannel_66c0205*******************************                                                                        docker   RUNNING  docker
     016bd6794042da8d4eb3b8f5f90594bad104b360670d********************  k8s_POD_kube-proxy-h4slq_kube-system_e2ce593*******************************                                                                              docker   RUNNING  docker
     ae30393668288624472d1a594be2cb45996798d6b750********************  k8s_POD_kube-scheduler-izbp199sm5j54yl36as4h9z_kube-system_f77f******************************                                                            docker   RUNNING  docker
     c2ced280d972f54aab32fda8de1f74f8799237cc51e2********************  k8s_POD_kube-controller-manager-izbp199sm5j54yl36as4h9z_kube-system_5c6*******************************                                                   docker   RUNNING  docker
     c92bce6b84d133b807d0310d215423870101d730ede2********************  k8s_POD_kube-apiserver-izbp199sm5j54yl36as4h9z_kube-system_7f6f******************************                                                            docker   RUNNING  docker
     4a5fe93977ad8eb945889cffe29f9d99d1540e870e69********************  k8s_POD_etcd-izbp199sm5j54yl36as4h9z_kube-system_4a85******************************                                                                      docker   RUNNING  docker
     a87c87c7dc162e99749cb78f8f270765e90f3df921d2********************  modest_bose                                                                                                                                              docker   RUNNING  docker

     Description of the Data Source values in the last column of the command output:

     • CRI: indicates containers that are managed by Kubernetes based on the CRI.

     • docker: indicates containers that run within the Docker runtime and do not conform with the CRI.

   • Run the aliyun-service list-containers --source cri --json command.

     Specify the --json parameter to list the obtained container information in the JSON format. You can run the command by using Cloud Assistant to query, parse, and obtain the containers on an instance, and perform relevant O&M operations.

     [test@localhost ~]# aliyun-service list-containers --source cri --json
     [{"id":"4f14883f30580007b2b386be16c743048d7b7b6a6522********************","name":"etcd","podId":"4a5fe93977ad8eb945889cffe29f9d99d1540e870e6*********************","podName":"etcd-izbp199sm5j54**********","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"},{"id":"60775315aa50765de7332764322f7697ded2783e4860********************","name":"kube-apiserver","podId":"c92bce6b84d133b807d0310d215423870101d730ede2********************","podName":"kube-apiserver-izbp199sm5j54**********","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"},{"id":"8d8dd01f09f451109285a0094eef0c144bdfdef6913e********************","name":"coredns","podId":"b6864279148b3cef6e72c983f7ffa041dfe7ab5e2c57********************","podName":"coredns-64897**********","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"},{"id":"aee068814a7b10419186bb944832e65df2a8b3cab32b********************","name":"kube-scheduler","podId":"ae30393668288624472d1a594be2cb45996798d6b750********************","podName":"kube-scheduler-izbp199sm5j54**********","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"},{"id":"b06609d4246be717c324b366d4e6c392fcf226ecbc4b********************","name":"kube-flannel","podId":"3236c0f21b4a8f15fadeaaf813afb21d59889163056c********************","podName":"kube-flannel-ds-*****","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"},{"id":"c0992c3401ad52b3fce105ce5188026f28db7d5fe202********************","name":"kube-controller-manager","podId":"c2ced280d972f54aab32fda8de1f74f8799237cc51e2********************","podName":"kube-controller-manager-izbp199sm5j54**********","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"},{"id":"d1add169bb596f53d31030f84d69e494e7b23135acd2********************","name":"coredns","podId":"fa99eaa067927e47f4e30795ad45065383efc8669687********************","podName":"coredns-64897**********","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"},{"id":"fe17ab0409739e63f526aed7c79e87989e90d19f0429********************","name":"kube-proxy","podId":"016bd6794042da8d4eb3b8f5f90594bad104b360670d********************","podName":"kube-proxy-*****","runtimeName":"docker","state":"RUNNING","dataSource":"CRI"}]

2. Use Cloud Assistant to run commands in containers.

   You can run commands in specific containers only by calling API operations. When you call the RunCommand or InvokeCommand operation specific to Cloud Assistant to run a command in a specific container, you must specify the ContainerId parameter, the ContainerName parameter, or both.

   Note

   For information about limits on using Cloud Assistant to run commands, see the "Prerequisites" and "Background information" sections in the Use the immediate execution feature topic.