487 Matching Annotations
  1. Last 7 days
    1. This personal blog looks pretty good; it's k8s-related

    1. An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

      An admission controller:

      • a piece of code
      • that intercepts requests to k8s API server
      • before persistence of the object
      • but after the request is authned & authzed
    1. In addition to compiled-in admission plugins, admission plugins can be developed as extensions and run as webhooks configured at runtime.

      Admission Controllers are official k8s code, while users can add their own logic through Admission Webhooks to modify and validate requests to the k8s API server

    1. Finally I understand the difference between Monitor and Lock: a Monitor is a complete structure whose components include a Lock as well as several Condition Variables

      type Monitor struct {
        Lock Lock
        EntranceQueue []Thread
        CVs []ConditionVariable
      }

      type ConditionVariable struct {
        WaitingQueue []Thread
      }

      java monitor

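      Picture the Monitor as a house. All threads competing for the lock first enter this house; if the Lock is already taken they wait at the entrance, otherwise they take the lock, enter the main hall and run the business logic

      Wait inside a while loop for the condition variable to hold, releasing the lock at the same time and entering the waiting room, waiting for a notify that other threads from the entrance may execute once they are in the main hall. After being woken up, go back to the entrance and wait to re-acquire the lock, then check whether the condition really holds (in while(P)); if not, wait again; if so, run the business logic, call notify() before leaving if needed, then exit and release the lock, done

      In summary, a monitor: one lock, two waiting queues

      P.S. This diagram is also nice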

    2. The quality of (some) Wikipedia articles is really high

    3. A Java style monitor

      nice and clean pic showing Java style monitor:

      • 1 implicit condition variable
    4. The operations notify c and notify all c are treated as "hints" that P may be true for some waiting thread.

      notify & notifyAll is a hint that condition might be true

    5. condition variable c

      Here c is a placeholder name for a condition variable, corresponding to a and b in the figure on the right

    6. The implementation given here is incorrect


    7. Sample Mesa-monitor implementation with Test-and-Set


    8. signal(queueEmptyCV); -- OR -- notifyAll(queueEmptyCV);

      wake up consumers waiting because of empty queue

    9. bounded producer/consumer problem

      This bounded producer/consumer problem is especially well suited to help understand monitors

      • lock, protecting the bounded queue
      • condition variables:
        • producer: queue is not full
        • consumer: queue is not empty
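
The monitor pictured in these notes, as an added example that is not from the annotated article: one lock guarding a bounded queue, two condition variables ("queue is not full", "queue is not empty"), and every wait done in a loop because a wake-up is only a hint. `BoundedQueue` and `RunDemo` are names chosen here; Go's `sync.Cond` stands in for Java's `wait()`/`notify()`.

```go
package main

import "sync"

type BoundedQueue struct { // a monitor: one lock, two condition variables
	mu                sync.Mutex
	notFull, notEmpty *sync.Cond
	items             []int
	capacity          int
}

func (q *BoundedQueue) Put(v int) {
	q.mu.Lock()
	defer q.mu.Unlock()
	for len(q.items) == q.capacity { // loop: a wake-up is only a hint
		q.notFull.Wait() // releases mu while blocked, re-locks on return
	}
	q.items = append(q.items, v)
	q.notEmpty.Signal() // like notify(): wake one waiting consumer
}

func (q *BoundedQueue) Take() (v int) {
	q.mu.Lock()
	defer q.mu.Unlock()
	for len(q.items) == 0 {
		q.notEmpty.Wait()
	}
	v, q.items = q.items[0], q.items[1:]
	q.notFull.Signal() // wake one producer waiting for space
	return v
}

// RunDemo: `producers` goroutines each Put 1..n; the caller Takes every value.
func RunDemo(producers, n, capacity int) (total int) {
	q := &BoundedQueue{capacity: capacity}
	q.notFull, q.notEmpty = sync.NewCond(&q.mu), sync.NewCond(&q.mu)
	for p := 0; p < producers; p++ {
		go func() {
			for i := 1; i <= n; i++ {
				q.Put(i)
			}
		}()
	}
	for i := 0; i < producers*n; i++ {
		total += q.Take()
	}
	return total
}

func main() { println(RunDemo(4, 100, 2)) }
```

With a capacity of 2 the producers block on `notFull` almost immediately, so the run exercises both waiting queues.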
    10. signal c

      notify() in Java

    11. broadcast c

      notifyAll() in Java

    12. Monitors provide a mechanism for threads to temporarily give up exclusive access in order to wait for some condition to be met, before regaining exclusive access and resuming their task.

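      So besides the lock, a monitor has one more capability: it lets a thread give up the 🔒 until the condition it needs holds, and only then re-acquire the 🔒

      This is what a monitor means beyond a lock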

    13. A monitor consists of a mutex (lock) object and condition variables.

      Here the difference between monitor and lock starts to show

      A monitor is a structure with two elements:

      • mutex (lock)
      • condition variables
    14. In concurrent programming (also known as parallel programming), a monitor is a synchronization construct that allows threads to have both mutual exclusion and the ability to wait (block) for a certain condition to become false.

      monitor, two feature:

      • mutex
      • the ability to wait for a certain condition to become true
    1. In retrospect, this design decision was probably a bad one: not only can it be confusing, but it forces JVM implementors to make tradeoffs between object size and locking performance.


    1. A mutual exclusion (mutex) is a program object that prevents simultaneous access to a shared resource.

      Just realized that mutex is short for MUTual EXclusion

      • mutual: 相互 (each other)
      • exclusion: 排斥 (to exclude)
      • mutual exclusion - mutex - 相互排斥 (excluding each other) - 互斥 (the Chinese term for mutex)
    1. intentionally

      ?for what

    2. It makes decisions by evaluating the incoming object against all defined ResourceQuota.Status.Hard resource limits in the request namespace.

      It looks like the official ResourceQuota is also implemented with an Admission Webhook

    1. An article with almost zero information...

    2. In Rancher, an administrator applies a resource quota to the Project, and then the quota propagates to each Namespace. Kubernetes then enforces the admin’s limits using the native version of resource quotas.

      It looks like it also builds on the native resourceQuota; not sure how it is implemented

    3. Rancher goes beyond Namespaces by including a Project resource that helps ease the administrative burden of clusters


    4. “If launching another resource in the Namespace would exceed the quota, then nothing else gets to launch,” Goins noted.


    1. Configurations for local ephemeral storage


    2. The amount of resources available to Pods is less than the node capacity, because system daemons use a portion of the available resources.

      Allocatable < Capacity

    3. more than 1120m CPUs or 6.23Gi of memory, it will not fit on the node

      how come the numbers?

      1120m CPUs or 6.23Gi of memory

      • CPU, allocatable - allocated = 1800m - 680m = 1120m
      • memory, allocatable - allocated = 7474992Ki - 920Mi = (7474992/1024.0 - 920) / 1024 = 6.23Gi
    4. CPU and memory are collectively referred to as compute resources, or just resources. Compute resources are measurable quantities that can be requested, allocated, and consumed. They are distinct from API resources. API resources, such as Pods and Services are objects that can be read and modified through the Kubernetes API server.

      Two kinds of resource, different things

      • Compute Resources, or simply resources, are CPU & memory
      • API resources, e.g. Pods, Services
  2. Oct 2020
    1. For many applications, mutual exclusion is not enough. A thread may need to wait until some condition P is true before it can continue.


    1. That clears it up: monitor is lock, lock is monitor

      It could even be called: monitor lock

    2. intrinsic lock or monitor lock. (The API specification often refers to this entity simply as a "monitor."


      • intrinsic lock
      • monitor lock
      • monitor

      So lock and monitor are the same thing: the lock, the thing you need to obtain from an object when you need exclusive access to a shared resource

    1. When a thread releases the lock, a happens-before relationship is established between that action and any subsequent acquisition of the same lock.


    1. Under the Hood article: "The lean, mean virtual machine."
    2. two opcodes directly related to thread synchronization, the opcodes used for entering and exiting monitors.

      two opcodes entering & exiting monitors

      so what is monitor ?

    1. Quota Scopes

      Three kinds of scope, mainly for the different states of a Pod

      • Terminating
      • NotTerminating
      • BestEffort
      • NotBestEffort
    2. provides constraints that limit aggregate resource consumption per namespace

      ResourceQuota is namespaced

      So naturally it also does not support limiting cluster-level resources

    3. was possible


    4. local ephemeral storage

      Non-memory local ephemeral storage also needs a physical disk to back it, I suppose

    1. A context is a combination of several properties. These include
      • name
      • endpoint config
      • TLS info
      • Orchestrator
    1. The most detailed buildx documentation there is...

    2. docker

      Didn't quite understand how this differs from image

    3. via https://docs.docker.com/engine/reference/commandline/build/#specifying-external-cache-sources

      This feature requires the BuildKit backend. You can either enable BuildKit or use the buildx plugin. The previous builder has limited support for reusing cache from pre-pulled images.

    4. mode - Specifies how many layers are exported with the cache.


      • “min” only exports layers already in the final build stage.
      • “max” exports layers for all stages.

      Metadata is always exported for the whole build.

    5. Supported types are registry, local and inline
      • registry exports build cache to a cache manifest in the registry,
      • local exports cache to a local directory on the client
      • inline writes the cache metadata into the image configuration.
    1. The OCI format is a specification for container images based on the Docker Image Manifest Version 2, Schema 2 format.

      OCI: Open Container Initiative

    1. You can run Buildx in different configurations that are exposed through a driver concept. Currently, Docker supports a “docker” driver that uses the BuildKit library bundled into the docker daemon binary, and a “docker-container” driver that automatically launches BuildKit inside a Docker container.

      A better-than-nothing explanation of the docker builder driver

    1. nice walk through of how to use command: helm

    1. via ruanyifeng http://www.ruanyifeng.com/blog/2020/09/weekly-issue-127.html

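      The cartoonist Scott Adams once described a way to build a personal moat: find the intersection of the two or three things you are best at. For example, he is not the best cartoonist, nor the best writer, nor the best entrepreneur, but he can be the best author of business-themed cartoon essays, and that is his moat.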

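    1. The Java memory model is a very complex specification that can be read from different angles. From the viewpoint of us programmers, it can essentially be understood as specifying how the JVM provides ways to disable caching and compiler optimizations on demand. Specifically, these include the three keywords volatile, synchronized and final, plus six Happens-Before rules, which are the focus of this installment.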


    1. If an environment variable is only needed during build, and not in the final image, consider setting a value for a single command instead:

      ENV also takes effect inside the container; if that is not needed and the variable is only wanted during the build stage, ARG should be used

    2. The ARG instruction defines a variable that users can pass at build-time to the builder with the docker build command using the --build-arg <varname>=<value> flag

      input parameters for building the image

    1. nice saas tool for generating pics for/from sns

    1. replicated three ways

      What does "3 ways" mean?

    2. “Ongoing,” “Prepare commit,” and “Completed.”

      Transaction states:

      • ongoing
      • prepare commit
      • committed
    3. watch the Kafka summit talk where transactions were introduced.
  3. Aug 2020
    1. The PUT and POST verbs on objects MUST ignore the "status" values, to avoid accidentally overwriting the status in read-modify-write scenarios. A /status subresource MUST be provided to enable system components to update statuses of resources they manage.

      status needs to be updated through a separate endpoint


    1. When a TCP packet carrying some of those bytes is lost on the network path, it creates a gap in the stream and TCP needs to fill it by resending the affected packet when the loss is detected. While doing so, none of the successfully delivered bytes that follow the lost ones can be delivered to the application, even if they were not themselves lost and belong to a completely independent HTTP request. So they end up getting unnecessarily delayed as TCP cannot know whether the application would be able to process them without the missing bits. This problem is known as “head-of-line blocking”.

      head-of-line blocking

  4. Jul 2020
    1. QUIC features
      • How is ZERO-RTT implemented?
      • How does TCP retransmit?
      • TCP is based on IP & PORT; what about UDP?
      • Encryption? how?
    2. HTTP/2 features
      • binary
      • multiplexing
      • header compression
      • server push
    1. nice article explaining HTTP/1.1 keep-alive

      a runnable demo worth thousand words

    2. We can actually check this difference using telnet.

      really cool


      ➜  telnet -4 taobao.com 80
      Connected to taobao.com.
      Escape character is '^]'.
      HEAD / HTTP/1.0
      host: taobao.com
      HTTP/1.1 302 Found
      Server: Tengine
      Date: Fri, 31 Jul 2020 03:21:12 GMT
      Content-Type: text/html
      Content-Length: 258
      Connection: close <<<<<<<<<<<<<<<<<<<<<<<
      Location: http://www.taobao.com/


      ➜  telnet -4 taobao.com 80
      Connected to taobao.com.
      Escape character is '^]'.
      HEAD / HTTP/1.1
      host: taobao.com
      HTTP/1.1 302 Found
      Server: Tengine
      Date: Fri, 31 Jul 2020 03:20:53 GMT
      Content-Type: text/html
      Content-Length: 258
      Connection: keep-alive <<<<<<<<<<<<<<<<<<<<<<<
      Location: http://www.taobao.com/
    1. keep in mind that no built-in controllers are running in the test context

      no built-in controllers are running

    1. The object is still visible via the REST API

      still visible for objects in deletion

    1. When a Certificate is created, a corresponding CertificateRequest resource is created by cert-manager containing the encoded x509 certificate request, Issuer reference, and other options based upon the specification of the Certificate resource.

      Here a Certificate is more like a declaration, or an intent; it needs further processing by an Issuer before we get the certificate key pair we have in mind

      CertificateRequest is created by cert-manager containing:

      • encoded x509 certificate request
      • issuer ref
      • other options
    1. generated labels
    2. an endpoint you can scrape is called an instance, usually corresponding to a single process. A collection of instances with the same purpose, a process replicated for scalability or reliability for example, is called a job.


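      • instance: the process being scraped
      • job: a collection of instances of the same kind

      For example, an api service deployed in k8s as a deployment, scaled to 5.

      Then api-1 ... api-5 are the individual instances, and these five pods together are one job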

  5. Jun 2020
    1. This one is great, especially the diagram mapped to the code; it shows the roles of Heap & Stack very clearly

    1. via limin

      also heavily mentioned in book: k8s operator

      alternative for kubebuilder? this one gets more stars

  6. May 2020
    1. As circuit breaking applies to “real” mesh destinations in a load balancing pool, you configure circuit breaker thresholds in destination rules, with the settings applying to each individual host in the service.

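      Still don't get why this is placed on DestinationRules; everything before was configured on VirtualService

      Also, this circuit breaker rule takes effect on each host; if a service has multiple pods, will each pod be tried once, or does it short-circuit as soon as a single one fails?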

    2. Istio failure recovery features are completely transparent to the application

      ? Transparent in what way?

    3. You don’t need to add a service entry for every external service that you want your mesh services to use. By default, Istio configures the Envoy proxies to passthrough requests to unknown services.

      Envoy lets requests to unknown services through, so there is no need to configure every external service?

    1. MARK

    2. Exercise: Loop over the string using the %q format on each byte. What does the output tell you?


      '½''²''=''¼'' ''â''\u008c''\u0098'
    1. Some resources in the v1 API contain fields called phase, and associated message, reason, and other status fields. The pattern of using phase is deprecated

      phase is deprecated, use conditions instead...

    2. Conditions represent the latest available observations of an object's state.


    3. PUT expects the whole object to be specified. Therefore, if a field is omitted it is assumed that the client wants to clear that field's value. The PUT verb does not accept partial updates.

      PUT overwrites the whole object

    1. For example a client may acquire the lock, get blocked in some operation for longer than the lock validity time (the time at which the key will expire), and later remove the lock, that was already acquired by some other client.


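      With this design there is still a corner case:

      When A, the original lock holder, pauses for a while for some reason and thereby loses the lock, by the time it wakes up the lock has already been acquired by B, yet A still thinks it holds the lock. There is then a brief window in which both A and B believe they hold the lock. BOOM!

      The rebuttal article also mentions this; the fix is to use optimistic locking, for example adding a version field to the database record


      But at that point, if the database already supports optimistic locking, there is no need to rely on redis for a distributed lock.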
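
The corner case in the note above, replayed on a logical clock as an added example that is not from the annotated article: a lease lock expires while client A is stalled, and a record with a version field rejects A's late write through compare-and-set. `LeaseLock`, `Record` and `Scenario` are hypothetical in-memory stand-ins, not a Redis or database API.

```go
package main

import "errors"

// Constructed in-memory stand-ins; all names are hypothetical, not a Redis API.
var ErrStale = errors.New("stale version: write rejected")

type LeaseLock struct { // a key with an expiry, as in the annotated design
	holder  string
	expires int64 // logical clock tick at which the lease lapses
}

// Acquire succeeds only if the lock is free or its lease has expired.
func (l *LeaseLock) Acquire(client string, now, ttl int64) bool {
	if l.holder != "" && now < l.expires {
		return false
	}
	l.holder, l.expires = client, now+ttl
	return true
}

type Record struct { // the protected row, with a version field
	Value   string
	Version int64
}

// CompareAndSet is the optimistic lock: write only if nobody wrote since our read.
func (r *Record) CompareAndSet(value string, readVersion int64) error {
	if r.Version != readVersion {
		return ErrStale
	}
	r.Value, r.Version = value, r.Version+1
	return nil
}

// Scenario replays the corner case: A stalls past its TTL and B takes over.
func Scenario() (bEarly bool, final string, aErr error) {
	lock, rec := &LeaseLock{}, &Record{}
	lock.Acquire("A", 0, 10) // A holds the lease until tick 10
	seenByA := rec.Version   // A reads the row, then stalls
	bEarly = lock.Acquire("B", 5, 10) // false: A's lease is still valid
	lock.Acquire("B", 12, 10)         // lease lapsed, B now holds the lock
	_ = rec.CompareAndSet("from B", rec.Version)
	aErr = rec.CompareAndSet("from A", seenByA) // tick 15: A still thinks it holds the lock
	return bEarly, rec.Value, aErr
}

func main() {
	_, final, err := Scenario()
	println(err.Error(), "|", final)
}
```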

    2. split brain conditions


    1. a B-tree is a self-balancing tree data structure that maintains sorted data and allows searches, sequential access, insertions, and deletions in logarithmic time. The B-tree generalizes the binary search tree, allowing for nodes with more than two children.

      key word:

      • self-balancing
      • generalize BST by allowing more than 2 children
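    1. The files InnoDB uses to store data fall into two parts in total; one is the system tablespace file


    2. By default, every page in a tablespace is 16KB in size

      A page is pretty small, 16k; it can only hold a few rows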

    1. To control the cascading deletion policy, set the propagationPolicy field on the deleteOptions argument when deleting an Object. Possible values include “Orphan”, “Foreground”, or “Background”.

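      When deleting an owner, you can specify the cascading deletion policy, including:

      • Orphan - do not delete dependents
      • Foreground - delete dependents first, then delete the owner once that is done
      • background - delete the owner first, then handle dependents afterwards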
    1. Indexer: An indexer provides indexing functionality over objects.

      Still don't quite understand what this Indexer does or where it can be used

    1. The price of 192.77 Sai / ETH

      3456.79 Sai were exchanged for 17.9 ETH

      The 0xb4 address has 10 Sai left; let's see what the process is after Sai is shut down

    1. A good article, but not much help for interviews, because it hardly covers several of the concepts interviews touch on:

      • mark-sweep
      • tri-color
      • write barrier
    2. While the Marking work is happening on P1, application work can continue concurrently on P2, P3 and P4.

      GC runs with user app

    3. The only way to do that is for the collector to watch and wait for each goroutine to make a function call.

      make a function call?