Because of a Linux community kernel patch that affects eBPF programs, clusters that use the Terway container network plugin with the eBPF-based DataPath V2 feature enabled (including clusters that enabled NetworkPolicy) may see node CPU utilization rise abnormally from time to time.
Affected scope
A node is affected only if it meets all of the following conditions:
The node operating system is Alibaba Cloud Linux 3 or ContainerOS, and the kernel version is between 5.10.134-15 and 5.10.134-19.1.
The cluster uses the Terway container network plugin and DataPath V2 mode is enabled (DataPath V2 is enabled automatically when NetworkPolicy support is turned on).
Solution
Check whether a node needs the fix
First determine whether the nodes in the cluster need the fix. Use ECS Cloud Assistant to run the command below in batch on the nodes of the cluster:
If a node needs the fix, the command returns a result like the following:
Alibaba Cloud Linux 3 node
Detected /sys/fs/bpf/tc/globals/cilium_ct4_global, proceeding with kernel version check...
Current kernel release: 5.10.134-18.al8.x86_64
Detected kernel type: al8
Kernel version 5.10.134-18 is within range 5.10.134-15~5.10.134-19.1.
kpatch_22519882 module is not loaded. Hotfix package 'kernel-hotfix-22519882-5.10.134-18' needs to be installed.
Running in dry-run mode.Use2yto install the hotfix.
ContainerOS node
Detected /sys/fs/bpf/tc/globals/cilium_ct4_global, proceeding with kernel version check...
Current kernel release: 5.10.134-18.0.1.lifsea8.x86_64
Detected kernel type: lifsea8
Kernel version 5.10.134-18.0 is within range 5.10.134-15 ~ 5.10.134-19.1.
WARNING: This is a lifsea8 kernel (5.10.134-18.0.1.lifsea8.x86_64).
The issue cannot be fixed by hotpatch. You must upgrade to ContainerOS 3.5.1 or later.
See official documentation or contact support for upgrade instructions.
If one of the following results is returned, the node does not need the fix:
The node does not have the Terway eBPF feature enabled, so patch installation is skipped:
Path /sys/fs/bpf/tc/globals/cilium_ct4_global does not exist, skipping check.
The patch is already installed, so it does not need to be installed again:
... kpatch_22519882 module is already loaded, no actions needed.
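The detection output above implies a small decision procedure: is the Terway eBPF map present, is the kernel in the affected range, is the node a ContainerOS (lifsea8) kernel that needs an OS upgrade rather than a hotpatch, and is the kpatch module already loaded. The script below is an added example that reimplements that triage as POSIX sh so the outcome for any node can be reasoned about and tested offline; it is not the official ECS Cloud Assistant command from this page. The function names, the outcome labels, the use of the `/sys/module/kpatch_22519882` directory to detect the loaded module, and the way the kernel release string is parsed are this example's own assumptions; the path, kernel range and module name come from the page.

```shell
#!/bin/sh
# Added example, not the official detection script from the page.
# Reproduces the triage logic implied by the page's output so each outcome
# (skip / upgrade / already patched / needs hotfix) can be checked offline.

BPF_MAP=/sys/fs/bpf/tc/globals/cilium_ct4_global  # present only when Terway DataPath V2 is active (from the page)
HOTFIX_ID=22519882                                 # loaded module is kpatch_22519882 (from the page)

# kernel_type: distro tag embedded in `uname -r` (al8 = Alibaba Cloud Linux 3, lifsea8 = ContainerOS)
kernel_type() {
  case "$1" in
    *.lifsea8.*) echo lifsea8 ;;
    *.al8.*)     echo al8 ;;
    *)           echo unknown ;;
  esac
}

# kernel_in_range: succeeds when the release is within 5.10.134-15 .. 5.10.134-19.1 inclusive.
# Parsing is this example's assumption: "5.10.134-18.al8.x86_64" -> 18 / 0,
# "5.10.134-18.0.1.lifsea8.x86_64" -> 18 / 0, "5.10.134-19.1.al8.x86_64" -> 19 / 1.
kernel_in_range() {
  rel="$1"
  base="${rel%%-*}"                          # 5.10.134
  [ "$base" = "5.10.134" ] || return 1
  rest="${rel#*-}"                           # 18.al8.x86_64 or 18.0.1.lifsea8.x86_64
  n="${rest%%.*}"                            # release number, e.g. 18
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  sub="${rest#$n}"; sub="${sub#.}"; sub="${sub%%.*}"   # sub-release if numeric, else a distro tag
  case "$sub" in ''|*[!0-9]*) sub=0 ;; esac
  [ "$n" -ge 15 ] || return 1
  [ "$n" -lt 19 ] && return 0
  [ "$n" -eq 19 ] && [ "$sub" -le 1 ] && return 0
  return 1
}

# assess_node: map the three observations to one of the outcomes the page describes.
#   $1 = yes|no  BPF map path exists
#   $2 = kernel release string (uname -r)
#   $3 = yes|no  kpatch_<id> module already loaded
assess_node() {
  [ "$1" = yes ] || { echo skip-no-terway-ebpf; return 0; }
  if ! kernel_in_range "$2"; then echo skip-kernel-not-affected; return 0; fi
  if [ "$(kernel_type "$2")" = lifsea8 ]; then echo upgrade-containeros; return 0; fi
  [ "$3" = yes ] && { echo already-patched; return 0; }
  echo needs-hotfix
}

# Inspect the local node only when invoked with --check, so the functions can also be sourced or tested.
if [ "${1:-}" = "--check" ]; then
  map=no; [ -e "$BPF_MAP" ] && map=yes
  mod=no; [ -d "/sys/module/kpatch_$HOTFIX_ID" ] && mod=yes   # assumption: sysfs entry of the loaded module
  assess_node "$map" "$(uname -r)" "$mod"
fi
```

Run it as `sh check-node.sh --check` on a node to print one outcome label; the three inputs are passed explicitly to `assess_node` so the same logic can be exercised on recorded `uname -r` values from a fleet inventory without touching the nodes.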
Apply the fix
The fix procedure differs depending on whether the node operating system is ContainerOS or Alibaba Cloud Linux 3:
Fix for ContainerOS nodes
For ContainerOS nodes, the issue will be fixed automatically in the upcoming ContainerOS 3.5.1 release. Watch the ContainerOS image release notes and, once 3.5.1 is available, upgrade by following the procedure for replacing the node operating system.
Fix for Alibaba Cloud Linux 3 nodes
Add user data for newly scaled-out nodes
When you create a node pool or edit an existing one, add the script below to the instance's pre-provisioning user data so that newly added nodes install the kernel hotpatch automatically after they start. For details, see Create and manage node pools.
Install the patch on existing nodes
For existing Alibaba Cloud Linux 3 nodes, use ECS Cloud Assistant to run the command below on each node that needs the fix:
The expected output is as follows and indicates that the patch was installed:
......
Total 1.0 MB/s | 52 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : kpatch-dnf-0.9.7_0.4-2.0.1.al8.noarch 1/3
Running scriptlet: kpatch-dnf-0.9.7_0.4-2.0.1.al8.noarch 1/3
To enable automatic kpatch-patch subscription, run:
$ dnf kpatch auto
Installing : kpatch-0.9.7-2.0.1.al8.noarch 2/3
Running scriptlet: kernel-hotfix-22519882-5.10.134-18-1.0-20250804154834.al8.x86_64 3/3
Installing : kernel-hotfix-22519882-5.10.134-18-1.0-20250804154834.al8.x86_64 3/3
Running scriptlet: kernel-hotfix-22519882-5.10.134-18-1.0-20250804154834.al8.x86_64 3/3
Created symlink /etc/systemd/system/multi-user.target.wants/kpatch.service → /usr/lib/systemd/system/kpatch.service.
installing /var/khotfix/5.10.134-18.al8.x86_64/22519882/kpatch-22519882.ko (5.10.134-18.al8.x86_64)
loading patch module: /var/khotfix/5.10.134-18.al8.x86_64/22519882/kpatch-22519882.ko
Verifying : kpatch-0.9.7-2.0.1.al8.noarch 1/3
Verifying : kpatch-dnf-0.9.7_0.4-2.0.1.al8.noarch 2/3
Verifying : kernel-hotfix-22519882-5.10.134-18-1.0-20250804154834.al8.x86_64 3/3
Installed:
kernel-hotfix-22519882-5.10.134-18-1.0-20250804154834.al8.x86_64 kpatch-0.9.7-2.0.1.al8.noarch kpatch-dnf-0.9.7_0.4-2.0.1.al8.noarch
Complete!
Installation successful.