果冻的技术小屋
2022/12/05
Installing and using containerd
containerd
Official documentation: https://github.com/containerd/containerd/blob/main/docs/getting-started.md
Kubernetes announced in the 1.20 release notes that support for Docker was deprecated, and in Kubernetes 1.24 the dockershim code was removed as scheduled. For the background, see: https://kubernetes.io/blog/2022/05/03/dockershim-historical-context/
Installing containerd from binaries
If you install from the plain containerd tarball you have to install RunC, the CNI plugins, crictl and the other components yourself. A simpler route is the cri-containerd-<VERSION>-<OS>-<ARCH>.tar.gz archive, which already bundles RunC, the CNI plugins, crictl and the rest.
containerd manages containers through RunC underneath, and RunC's default build configuration enables seccomp. seccomp (secure computing mode) is a Linux kernel feature that we can use to restrict what processes inside a container are allowed to do. For more on seccomp, see Seccomp security profiles for Docker[1].
Installing containerd
Download the latest tarball from the release[2] page:
Since Kubernetes v1.24 the CRI functionality is already included in containerd-<VERSION>-<OS>-<ARCH>.tar.gz, so you do not need the cri-containerd-... archive to use CRI. The cri-containerd-... archive is deprecated, does not work on older Linux distributions, and will be removed in containerd 2.0.
[root@VM-0-16-centos ~]# wget https://github.com/containerd/containerd/releases/download/v1.6.10/containerd-1.6.10-linux-amd64.tar.gz
[root@VM-0-16-centos ~]# tar Cxzvf /usr/local containerd-1.6.10-linux-amd64.tar.gz
bin/
bin/ctr
bin/containerd
bin/containerd-shim
bin/containerd-stress
bin/containerd-shim-runc-v2
bin/containerd-shim-runc-v1
Customizing containerd
containerd uses the configuration file /etc/containerd/config.toml for daemon-level options. An example configuration file can be found here[3].
containerd's default configuration file is /etc/containerd/config.toml; a default configuration can be generated with the following commands:
[root@VM-0-16-centos ~]# mkdir -p /etc/containerd
[root@VM-0-16-centos ~]# containerd config default > /etc/containerd/config.toml
For Linux distributions that use systemd as the init system, using systemd as the container cgroup driver keeps the node more stable under resource pressure, so it is recommended to configure containerd's cgroup driver as systemd.
Edit the generated /etc/containerd/config.toml and, in the plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options block, set SystemdCgroup to true.
Then configure a mirror for the image registry: this goes in registry.mirrors under the registry block of the cri plugin block (the snippet below also swaps sandbox_image for a mirrored pause image):
[plugins."io.containerd.grpc.v1.cri"]
...
# sandbox_image = "registry.k8s.io/pause:3.6"
sandbox_image = "registry.aliyuncs.com/k8sxio/pause:3.8"
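The two config.toml changes described above (SystemdCgroup = true under the runc options block, and a docker.io entry under registry.mirrors, alongside the sandbox_image swap) can be applied with sed/awk and read back before containerd is restarted. The script below is an added example, not code from the original post or from the containerd project. It works on a constructed excerpt that mimics the relevant tables of `containerd config default` (written to a temp file unless CONFIG points at a real, non-empty file) and uses the placeholder mirror URL https://mirror.example.invalid, which you must replace with a mirror you trust; the `registry.mirrors` layout it writes is the legacy form the post refers to.

```shell
# Added example (not from the original post): edit the keys the post describes
# in a containerd config.toml and read them back to confirm the edit took.
# CONFIG defaults to a temp file holding a constructed excerpt of
# `containerd config default`; on a real host run with
# CONFIG=/etc/containerd/config.toml after backing the file up.
CONFIG="${CONFIG:-$(mktemp)}"
if [ ! -s "$CONFIG" ]; then
  cat > "$CONFIG" <<'EOF'
version = 2

[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.6"
  [plugins."io.containerd.grpc.v1.cri".containerd]
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
        runtime_type = "io.containerd.runc.v2"
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
          SystemdCgroup = false
  [plugins."io.containerd.grpc.v1.cri".registry]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
EOF
fi

# rewrite FILE SEDEXPR: apply a sed script through a temp copy (portable; avoids
# the non-POSIX `sed -i`).
rewrite() {
  sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Flip SystemdCgroup to true (only the runc options table carries this key).
set_systemd_cgroup() {
  rewrite "$1" 's/^\( *SystemdCgroup = \)false/\1true/'
}

# Replace the sandbox (pause) image reference.
set_sandbox_image() {
  rewrite "$1" "s#^\( *sandbox_image = \)\".*\"#\1\"$2\"#"
}

# Insert a docker.io mirror table directly under [..registry.mirrors].
add_docker_mirror() {
  awk -v ep="$2" '
    { print }
    /\[plugins\."io\.containerd\.grpc\.v1\.cri"\.registry\.mirrors\]/ {
      print "      [plugins.\"io.containerd.grpc.v1.cri\".registry.mirrors.\"docker.io\"]"
      print "        endpoint = [\"" ep "\"]"
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read-back helpers: what the file now says, not what we meant to write.
get_systemd_cgroup() { sed -n 's/^ *SystemdCgroup = //p' "$1"; }
get_sandbox_image()  { sed -n 's/^ *sandbox_image = "\(.*\)"/\1/p' "$1"; }
get_docker_mirror()  {
  awk '/registry\.mirrors\."docker\.io"\]/ { getline; sub(/^ *endpoint = \["/, ""); sub(/"\]$/, ""); print }' "$1"
}

set_systemd_cgroup "$CONFIG"
set_sandbox_image "$CONFIG" "registry.aliyuncs.com/k8sxio/pause:3.8"
add_docker_mirror "$CONFIG" "https://mirror.example.invalid"   # placeholder URL, not a real mirror
echo "SystemdCgroup=$(get_systemd_cgroup "$CONFIG") sandbox=$(get_sandbox_image "$CONFIG") mirror=$(get_docker_mirror "$CONFIG")"
```

Run it once against the sample to see the three values come back as written, then against the real file with CONFIG set; if any read-back value is empty, the default config on that containerd version lays the tables out differently and the file should be edited by hand rather than restarted blindly.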
systemd
If you intend to start containerd via systemd, you should also download the containerd.service unit file from https://raw.githubusercontent.com/containerd/containerd/main/containerd.service to /usr/local/lib/systemd/system/containerd.service and run the following commands:
systemctl daemon-reload
systemctl enable --now containerd
[root@VM-0-16-centos ~]# wget https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
[root@VM-0-16-centos ~]# mkdir -p /usr/local/lib/systemd/system/
[root@VM-0-16-centos ~]# mv containerd.service /usr/local/lib/systemd/system/
[root@VM-0-16-centos ~]# systemctl daemon-reload
[root@VM-0-16-centos ~]# systemctl enable --now containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/local/lib/systemd/system/containerd.service.
Installing RunC
First, the seccomp dependency needs to be installed on the machine:
The libseccomp installed by default on the system is version 2.3.1, which no longer satisfies the containerd v1.6.10 used here (the two have been incompatible since containerd 1.5.7); version 2.4 or later is required, so we need to install a newer libseccomp.
Because chrony depends on libseccomp, you have to remove chrony before removing libseccomp, and then reinstall chrony afterwards.
[root@VM-0-16-centos ~]# rpm -qa |grep libseccomp
libseccomp-2.3.1-4.el7.x86_64
[root@VM-0-16-centos ~]# wget http://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/libseccomp-2.5.1-1.el8.x86_64.rpm
--2022-12-01 23:08:18-- http://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/libseccomp-2.5.1-1.el8.x86_64.rpm
...
2022-12-01 23:08:19 (88.2 KB/s) - 已保存 “libseccomp-2.5.1-1.el8.x86_64.rpm” [72676/72676])
[root@VM-0-16-centos ~]# rpm -e libseccomp-2.3.1-4.el7.x86_64
错误:依赖检测失败:
libseccomp.so.2()(64bit) 被 (已安裝) chrony-3.4-1.el7.x86_64 需要
[root@VM-0-16-centos ~]# rpm -e chrony-3.4-1.el7.x86_64
警告:/etc/chrony.conf 已另存为 /etc/chrony.conf.rpmsave
[root@VM-0-16-centos ~]# rpm -e libseccomp-2.3.1-4.el7.x86_64
[root@VM-0-16-centos ~]# rpm -qa | grep libseccomp
[root@VM-0-16-centos ~]# rpm -ivh libseccomp-2.5.1-1.el8.x86_64.rpm
警告:libseccomp-2.5.1-1.el8.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: NOKEY
准备中... ################################# [100%]
正在升级/安装...
1:libseccomp-2.5.1-1.el8 ################################# [100%]
[root@VM-0-16-centos ~]# yum install chrony -y # install chrony
[root@VM-0-16-centos ~]# systemctl enable chronyd # enable at boot
[root@VM-0-16-centos ~]# systemctl start chronyd # start
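Before removing packages it is worth checking whether the installed libseccomp actually falls below the minimum, and after the install whether the rpm signature was verified at all (the NOKEY warning in the transcript above means it was not, because the signing key is not imported). The script below is an added example, not code from the original post; it works on constructed copies of the `rpm -qa`, `rpm -ivh` and `runc -v` lines shown on this page, and on a real host you would feed it the live output of those commands instead.

```shell
# Added example (not from the original post): check the libseccomp version
# against the minimum containerd needs, and flag an unverified rpm signature.
# The package names and transcripts below are constructed samples copied from
# the output on this page; on a real host use `rpm -qa | grep libseccomp`,
# `runc -v` and the actual `rpm -ivh` output.
LIBSECCOMP_MIN="2.4.0"   # containerd >= 1.5.7 needs libseccomp >= 2.4

# version_ge A B: succeed if dotted version A >= B, comparing each component
# numerically (so 2.10 > 2.4, unlike a plain string compare).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# rpm_version NAME: libseccomp-2.3.1-4.el7.x86_64 -> 2.3.1
rpm_version() {
  printf '%s\n' "$1" | sed 's/^libseccomp-\([0-9.]*\)-.*$/\1/'
}

# runc_libseccomp OUTPUT: the "libseccomp: X.Y.Z" value from `runc -v`, i.e.
# the library version the runc binary was built against.
runc_libseccomp() {
  printf '%s\n' "$1" | sed -n 's/^libseccomp: *//p'
}

# libseccomp_ok PKG: print a verdict; succeed only if PKG meets the minimum.
libseccomp_ok() {
  v=$(rpm_version "$1")
  if version_ge "$v" "$LIBSECCOMP_MIN"; then
    echo "$1: libseccomp $v >= $LIBSECCOMP_MIN, fine for containerd 1.6"
  else
    echo "$1: libseccomp $v < $LIBSECCOMP_MIN, upgrade before installing containerd"
    return 1
  fi
}

# rpm_unsigned OUTPUT: succeed if an `rpm -ivh` transcript reports NOKEY, which
# means the package signature could not be checked (key not imported).
rpm_unsigned() {
  printf '%s\n' "$1" | grep -q 'NOKEY'
}

# Constructed samples, copied from the transcript on this page.
OLD_PKG='libseccomp-2.3.1-4.el7.x86_64'
NEW_PKG='libseccomp-2.5.1-1.el8.x86_64'
RUNC_V='runc version 1.1.4
commit: v1.1.4-0-g5fd4c4d1
spec: 1.0.2-dev
go: go1.17.10
libseccomp: 2.5.4'
RPM_IVH='警告:libseccomp-2.5.1-1.el8.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: NOKEY'

libseccomp_ok "$OLD_PKG" || true
libseccomp_ok "$NEW_PKG"
echo "runc was built against libseccomp $(runc_libseccomp "$RUNC_V")"
if rpm_unsigned "$RPM_IVH"; then
  echo "note: rpm installed without signature verification (NOKEY); import the vendor key and re-check with rpm -K"
fi
```

The version compare is component-wise on purpose: a string compare would rank 2.10 below 2.4. The NOKEY check is the part most often skipped; `rpm -K <file>.rpm` after importing the distribution's signing key tells you whether the package you pulled from a mirror is the one the vendor signed.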
Installing RunC
Download the runc.<ARCH> binary from RunC[4] and install it as /usr/local/sbin/runc.
[root@VM-0-16-centos ~]# wget https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64
[root@VM-0-16-centos ~]# install -m 755 runc.amd64 /usr/local/sbin/runc
[root@VM-0-16-centos ~]# runc -v
runc version 1.1.4
commit: v1.1.4-0-g5fd4c4d1
spec: 1.0.2-dev
go: go1.17.10
libseccomp: 2.5.4
Installing the CNI plugins
Download cni-plugins-<OS>-<ARCH>-<VERSION>.tgz from https://github.com/containernetworking/plugins/releases and extract it into /opt/cni/bin:
[root@VM-0-16-centos ~]# mkdir -p /opt/cni/bin
[root@VM-0-16-centos ~]# tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
./
./macvlan
./static
./vlan
./portmap
./host-local
./vrf
./bridge
./tuning
./firewall
./host-device
./sbr
./loopback
./dhcp
./ptp
./ipvlan
./bandwidth
Installing crictl
Official documentation: https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md
[root@VM-0-16-centos ~]# wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.25.0/crictl-v1.25.0-linux-amd64.tar.gz
[root@VM-0-16-centos ~]# tar zxvf crictl-v1.25.0-linux-amd64.tar.gz -C /usr/local/bin
crictl
Installing cri-containerd from binaries
The cri-containerd archive already bundles RunC, the CNI plugins, crictl and the other components, as well as the etc/systemd/system/containerd.service unit file.
First, follow the seccomp dependency step from the binary containerd installation above to update libseccomp, then install with the following commands:
[root@VM-0-16-centos ~]# wget https://github.com/containerd/containerd/releases/download/v1.6.10/cri-containerd-1.6.10-linux-amd64.tar.gz
[root@VM-0-16-centos ~]# tar -C / -xzf cri-containerd-1.6.10-linux-amd64.tar.gz
Adjust the configuration as described under Customizing containerd in the binary containerd installation above, then run:
[root@VM-0-16-centos ~]# systemctl daemon-reload
[root@VM-0-16-centos ~]# systemctl enable --now containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/local/lib/systemd/system/containerd.service.
Once containerd is running you can use its CLI tools ctr and crictl.
Using containerd
Several command-line interface (CLI) projects are available for interacting with containerd:
Name | Community | API | Target | Web site
---|---|---|---|---
ctr | containerd | Native | For debugging only | (None, see ctr --help to learn the usage)
nerdctl | containerd (non-core) | Native | General-purpose | https://github.com/containerd/nerdctl
crictl | Kubernetes SIG-node | CRI | For debugging only | https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md
Although ctr ships with containerd, note that it is intended only for debugging containerd. nerdctl provides a stable, user-friendly experience.
ctr
Pulling an image
Images are pulled with ctr image pull; for example, to pull the official Docker Hub image nginx:alpine. Note that the image reference must include the docker.io host:
[root@VM-0-16-centos ~]# ctr image pull docker.io/library/nginx:alpine
docker.io/library/nginx:alpine: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:455c39afebd4d98ef26dd70284aa86e6810b0485af5f4f222b19b89758cabf1e: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:0f2ab24c6aba5d96fcf6e7a736333f26dca1acf5fa8def4c276f6efc7d56251f: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:19dd4d73108a1feefc29d299f3727467ac02486c83474fc3979e4a7637291fe6: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ca7dd9ec2225f2385955c43b2379305acd51543c28cf1d4e94522b3d94cce3ce: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:2f12a0e7c01d607251a4040fa41518fd2542f3ebab83a6f7817867d0de111c96: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1a7b9b9bbef6853211515e42f58be7763749950c244a0c485bb4afd1946e06d7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:b704883c57afcf77f6bc48709943bcf808c9e9945d7e04926be41226fa415d33: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4342b1ab302e894161372b32fe2976899a978bf8ff2241fb1655dc25e6645a34: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:76a48b0f58980a64d28bc3575ae4733eb337f7b82403559122b13d5e2ced3921: done |++++++++++++++++++++++++++++++++++++++|
Listing local images
[root@VM-0-16-centos ~]# ctr image ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:455c39afebd4d98ef26dd70284aa86e6810b0485af5f4f222b19b89758cabf1e 9.8 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
The -q (--quiet) option prints only the image names.
Checking local images
[root@VM-0-16-centos ~]# ctr image check
REF TYPE DIGEST STATUS SIZE UNPACKED
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:455c39afebd4d98ef26dd70284aa86e6810b0485af5f4f222b19b89758cabf1e complete (7/7) 9.8 MiB/9.8 MiB true
Retagging
[root@VM-0-16-centos ~]# ctr image tag docker.io/library/nginx:alpine test.k8s.local/course/nginx:alpine
test.k8s.local/course/nginx:alpine
[root@VM-0-16-centos ~]# ctr image ls -q
docker.io/library/nginx:alpine
test.k8s.local/course/nginx:alpine
Deleting an image
[root@VM-0-16-centos ~]# ctr image rm test.k8s.local/course/nginx:alpine
test.k8s.local/course/nginx:alpine
[root@VM-0-16-centos ~]# ctr image ls -q
docker.io/library/nginx:alpine
Adding --sync removes the image and all related resources synchronously.
Mounting an image to a host directory
[root@VM-0-16-centos ~]# ctr image mount docker.io/library/nginx:alpine /mnt
Unmounting an image from a host directory
[root@VM-0-16-centos ~]# ctr image unmount /mnt
Exporting an image as a tarball
[root@VM-0-16-centos ~]# ctr image export --all-platforms nginx.tar.gz docker.io/library/nginx:alpine
nerdctl
Installing from binaries
Choose a version to download from https://github.com/containerd/nerdctl/releases
[root@VM-0-16-centos ~]# wget https://github.com/containerd/nerdctl/releases/download/v1.0.0/nerdctl-1.0.0-linux-amd64.tar.gz
[root@VM-0-16-centos ~]# tar Cxzvvf /usr/local/bin nerdctl-1.0.0-linux-amd64.tar.gz
[root@VM-0-16-centos ~]# nerdctl version
Commands
Only a few commands are listed here; see https://github.com/containerd/nerdctl#command-reference for the full documentation.
nerdctl run
The nerdctl run command works like docker run, for example:
[root@VM-0-16-centos ~]# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:alpine
nerdctl ps
Use nerdctl ps to list all containers.
[root@VM-0-16-centos ~]# nerdctl ps
crictl
crictl is a command-line interface for CRI-compatible container runtimes. You can use it to inspect and debug container runtimes and applications on a Kubernetes node. crictl and its source code live in the cri-tools repository.
For the full command documentation see https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/
References
[1] Seccomp security profiles for Docker: https://docs.docker.com/engine/security/seccomp/
[2] release: https://github.com/containerd/containerd/releases
[3] here: https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md
[4] RunC: https://github.com/opencontainers/runc/releases