性能分析 - 性能优化实践

# 多阶段构建
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o /app/server

FROM scratch
COPY --from=builder /app/server /server
ENTRYPOINT ["/server"]

# /etc/containerd/config.toml

[plugins."io.containerd.grpc.v1.cri"]
  # 最大并发下载数 (根据带宽调整)
  max_concurrent_downloads = 3

  # 最大并发上传数
  max_concurrent_uploads = 2

// 客户端配置
client.Pull(ctx, ref,
    containerd.WithMaxConcurrentDownloads(4),
    containerd.WithPlatformMatcher(platforms.Default()),
)

# 启用 stargz snapshotter
[proxy_plugins]
  [proxy_plugins.stargz]
    type = "snapshot"
    address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"

# /etc/containerd/config.toml

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"

  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    # 使用 systemd cgroup 驱动 (Kubernetes 推荐)
    SystemdCgroup = true

    # 禁用 shim 调试
    ShimCgroup = ""

# 使用 RuntimeClass 预热
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: prewarmed
handler: runc
scheduling:
  nodeSelector:
    node.kubernetes.io/prewarmed: "true"

// 简化 Spec 配置
spec := &oci.Spec{
    Process: &specs.Process{
        Args: []string{"/app"},
        // 避免不必要的能力
        Capabilities: &specs.LinuxCapabilities{},
    },
    Linux: &specs.Linux{
        // 使用 cgroup v2
        CgroupsPath: "/system.slice/containerd.service",
        // 简化 seccomp
        Seccomp: nil,  // 或使用简化的 profile
    },
}

{
    "cniVersion": "1.0.0",
    "name": "containerd-net",
    "plugins": [
        {
            "type": "bridge",
            "bridge": "cni0",
            "isGateway": true,
            "ipMasq": true,
            "hairpinMode": true,
            "ipam": {
                "type": "host-local",
                "ranges": [[{"subnet": "10.88.0.0/16"}]],
                "routes": [{"dst": "0.0.0.0/0"}]
            }
        }
    ]
}

// 在同一 Pod 中重用网络命名空间
spec.Linux.Namespaces = []specs.LinuxNamespace{
    {
        Type: specs.NetworkNamespace,
        Path: fmt.Sprintf("/proc/%d/ns/net", sandboxPid),  // 共享
    },
    {
        Type: specs.MountNamespace,  // 独立
    },
}

# /etc/containerd/config.toml
oom_score = 0  # 防止被 OOM killer 杀死

// 定期清理未使用的镜像
images, _ := client.ImageService().List(ctx)
for _, img := range images {
    // 检查是否有容器使用
    if !isImageInUse(img) {
        client.ImageService().Delete(ctx, img.Name)
    }
}

# /var/lib/kubelet/config.yaml
containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
imageServiceEndpoint: unix:///run/containerd/containerd.sock
serializeImagePulls: false  # 并行拉取
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80

apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    resources:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "500m"
    # 使用 emptyDir 而非 hostPath 可减少挂载开销
    volumeMounts:
    - name: cache
      mountPath: /cache
  volumes:
  - name: cache
    emptyDir:
      sizeLimit: 100Mi

# DaemonSet 预拉取镜像
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: image-prepuller
spec:
  selector:
    matchLabels:
      app: prepuller
  template:
    spec:
      initContainers:
      - name: prepull
        image: myregistry/myapp:latest
        command: ["echo", "Image pulled"]
      containers:
      - name: pause
        image: k8s.gcr.io/pause:3.9

# Prometheus 告警规则
groups:
- name: containerd
  rules:
  - alert: ContainerdHighMemory
    expr: process_resident_memory_bytes{job="containerd"} > 2e9
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "containerd memory usage high"

  - alert: ContainerdHighGoroutines
    expr: go_goroutines{job="containerd"} > 1000
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "containerd goroutine count high"

  - alert: ContainerCreateSlow
    expr: histogram_quantile(0.99, rate(grpc_server_handling_seconds_bucket{method="/containerd.services.tasks.v1.Tasks/Create"}[5m])) > 1
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "Container creation is slow"