Getting Started with Containerd
I. What Containerd Does
containerd is an industry-standard container runtime that emphasizes simplicity, robustness and portability. containerd takes care of the following:
- Managing the container lifecycle (from creating a container to destroying it)
- Pulling and pushing container images
- Storage management (managing the storage of images and container data)
- Invoking runc to run containers (interacting with runc and other container runtimes)
- Managing container network interfaces and networking
1. Installation
The system used here is CentOS 7.9. First install the seccomp dependency.
# CentOS 7.9 ships libseccomp 2.3 by default, but runc needs 2.4 or later, so it has to be upgraded
➜ rpm -e libseccomp-devel-2.3.1-4.el7.x86_64 --nodeps
➜ wget http://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/libseccomp-2.5.1-1.el8.x86_64.rpm
➜ rpm -ivh libseccomp-2.5.1-1.el8.x86_64.rpm
➜ rpm -qa | grep libseccomp
libseccomp-2.5.1-1.el8.x86_64
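The version requirement above is easy to get wrong by eye, so here is a small check script (added for this page, not part of the original post) that compares the installed libseccomp version against the 2.4 minimum the post states. It assumes plain numeric dotted versions and an rpm-based host for the query; the comparison itself is POSIX shell and runs anywhere. Since the rpm above is fetched over plain http, verify its signature with `rpm -K <file>.rpm` before installing it.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the installed libseccomp
# meets the minimum runc needs (2.4, as stated above) before going further.
# Assumes plain numeric dotted versions and an rpm-based host (CentOS 7.9) for
# the rpm query; the comparison itself is pure POSIX shell.

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# ".0.0" is appended so short versions like "2.4" compare as "2.4.0".
version_ge() {
    a="$1.0.0"; b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# installed_libseccomp_version: print the installed libseccomp version (e.g.
# "2.5.1"); fails silently if rpm is absent or the package is not installed.
installed_libseccomp_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q libseccomp >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}\n' libseccomp | head -n1
}

# check_libseccomp VERSION: 0 if VERSION satisfies runc's minimum, 1 otherwise.
check_libseccomp() {
    min="2.4"
    if version_ge "$1" "$min"; then
        echo "libseccomp $1 >= $min: OK"
        return 0
    fi
    echo "libseccomp $1 < $min: upgrade it before installing runc" >&2
    return 1
}

# Host usage: the check is skipped when no rpm-installed libseccomp is found,
# so this file can also be sourced on non-rpm systems.
if v=$(installed_libseccomp_version); then
    check_libseccomp "$v"
fi
```

Run it after the `rpm -ivh` step; a non-zero exit means the old 2.3 library is still what `rpm -q` sees and the runc install should not proceed.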
Download the containerd package. GitHub offers several kinds of packages: the plain containerd release and the cri-containerd-cni bundle that includes dependencies. Here we download the bundle, which ships runc and the other dependencies.
➜ wget https://github.com/containerd/containerd/releases/download/v1.7.1/cri-containerd-cni-1.7.1-linux-amd64.tar.gz
# -tf lists the file paths inside the archive without extracting
➜ tar -tf cri-containerd-cni-1.7.1-linux-amd64.tar.gz
# extracting places the files in their target locations automatically
➜ tar -C / -xzf cri-containerd-cni-1.7.1-linux-amd64.tar.gz
# create the containerd config directory, then generate the default config file
➜ mkdir /etc/containerd && containerd config default > /etc/containerd/config.toml
After generating containerd's config file, add the image registry mirrors (download accelerators).
➜ vi /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://bqr1dr1n.mirror.aliyuncs.com"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
      endpoint = ["https://registry.aliyuncs.com/k8sxio"]
# the plugins referenced here can also be listed with ctr
➜ ctr plugin ls
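A mirror endpoint sits in the path of every image pull, so the one property worth checking before enabling it is that it is reached over https; a plaintext mirror lets anyone on the network path hand containerd substituted image content. The script below (added for this page, not part of the original post or of containerd) renders the mirrors stanza shown above for any registry/endpoint pairs and refuses to write it if an endpoint is not https. The output path and the pairs are demo assumptions; on the host, the rendered text is what goes into the existing registry section of /etc/containerd/config.toml.

```shell
#!/bin/sh
# Added example (not from the original post): render the registry.mirrors stanza
# shown above into a file, refusing any mirror endpoint that is not https://.
# OUT path and the mirror pairs are assumptions for the demo.

# endpoint_is_https URL: 0 if URL starts with https://, 1 otherwise.
endpoint_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# render_mirrors OUT REGISTRY=ENDPOINT ...: write the stanza for each pair to OUT.
# Returns 1 and writes nothing if any endpoint is not https.
render_mirrors() {
    out="$1"; shift
    for pair in "$@"; do
        ep="${pair#*=}"
        endpoint_is_https "$ep" || { echo "refusing non-https mirror: $ep" >&2; return 1; }
    done
    {
        echo '[plugins."io.containerd.grpc.v1.cri".registry]'
        echo '  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]'
        for pair in "$@"; do
            reg="${pair%%=*}"; ep="${pair#*=}"
            printf '    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."%s"]\n' "$reg"
            printf '      endpoint = ["%s"]\n' "$ep"
        done
    } > "$out"
}

# mirror_count FILE: number of per-registry mirror tables in FILE (sanity check).
mirror_count() {
    grep -c 'registry.mirrors."' "$1"
}

# Demo with constructed values: the two mirrors from the post, written to a temp file.
DEMO_OUT="${TMPDIR:-/tmp}/containerd-mirrors-demo.toml"
render_mirrors "$DEMO_OUT" \
    'docker.io=https://bqr1dr1n.mirror.aliyuncs.com' \
    'k8s.gcr.io=https://registry.aliyuncs.com/k8sxio' && cat "$DEMO_OUT"
```

The check is deliberately done before the redirection opens the output file, so a rejected run leaves no half-written config behind; after merging the stanza, restart containerd and confirm the cri plugin is still listed as ok by `ctr plugin ls`.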
When listing the archive earlier with tar -tf cri-containerd-cni-1.7.1-linux-amd64.tar.gz, you will have noticed that it ships a systemd unit file; after extraction it is already in /etc/systemd/system/, so start containerd with systemctl
➜ systemctl enable containerd
➜ systemctl start containerd
After installation, check that each command works
➜ ctr version
➜ runc --version
➜ containerd --version
2. Common Commands
Images
# pull an image; the full repository path docker.io/library and the tag (alpine) must be given for the pull to work
➜ ctr i pull docker.io/library/nginx:alpine
# list images
➜ ctr i ls
# re-tag
➜ ctr i tag docker.io/library/nginx:alpine harbor.k8s.local/course/nginx:alpine
# delete
➜ ctr i rm harbor.k8s.local/course/nginx:alpine
# to export and later import an image, it must have been pulled for all platforms
➜ ctr i pull --all-platforms docker.io/library/nginx:alpine
➜ ctr i export --all-platforms nginx.tar docker.io/library/nginx:alpine
➜ ctr i import --all-platforms nginx.tar
Running containers
# like Kubernetes, containerd first creates a container declaration, then runs the container from that declaration
# create a container
➜ ctr c create docker.io/library/nginx:alpine nginx
# list containers
➜ ctr c ls
# show container details
➜ ctr c info nginx
# run the container in the background
➜ ctr task start -d nginx
# list running tasks
➜ ctr task ls
# enter the running container
➜ ctr task exec --exec-id 1 -t nginx sh
# pause the task
➜ ctr task pause nginx
# resume the task
➜ ctr task resume nginx
# stop the task
➜ ctr task kill nginx
# delete the task
➜ ctr task rm nginx
# show task resource metrics
➜ ctr task metrics nginx
# resources can be isolated by namespace
➜ ctr -n test i pull docker.io/library/nginx:alpine
II. Nerdctl
Once Docker is dropped, the docker CLI is no longer available, and containerd's ctr is awkward to use. nerdctl is a drop-in replacement for the docker CLI that drives containerd underneath.
nerdctl is almost identical to the docker CLI; just replace docker ps with nerdctl ps.
# install nerdctl
➜ wget https://github.com/containerd/nerdctl/releases/download/v1.4.0/nerdctl-1.4.0-linux-amd64.tar.gz
➜ mkdir -p /usr/local/containerd/bin/ && tar -zxvf nerdctl-1.4.0-linux-amd64.tar.gz nerdctl && mv nerdctl /usr/local/containerd/bin/
➜ ln -s /usr/local/containerd/bin/nerdctl /usr/local/bin/nerdctl
2.1 Run
# start a container
➜ nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:alpine
# list
➜ nerdctl ps -a
2.2 Image
# list images
➜ nerdctl images
# delete an image
➜ nerdctl rmi -f 02ffd439b71d
III. crictl
1. Installing crictl
Official installation docs:
https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md
VERSION="v1.27.0" # check latest version in /releases page
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz
sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
rm -f crictl-$VERSION-linux-amd64.tar.gz
2. crictl package location
https://github.com/kubernetes-sigs/cri-tools/releases
3. crictl commands
Note: crictl needs the container runtime endpoint specified manually, otherwise it errors; once kubelet is installed and started, it does not need to be specified.
crictl -r unix:///run/containerd/containerd.sock image ls
[root@master nerdctltag]# crictl -h
NAME:
crictl - client for CRI
USAGE:
crictl [global options] command [command options] [arguments...]
VERSION:
v1.27.0
COMMANDS:
attach Attach to a running container
create Create a new container
exec Run a command in a running container
version Display runtime version information
images, image, img List images
inspect Display the status of one or more containers
inspecti Return the status of one or more images
imagefsinfo Return image filesystem info
inspectp Display the status of one or more pods
logs Fetch the logs of a container
port-forward Forward local port to a pod
ps List containers
pull Pull an image from a registry
run Run a new container inside a sandbox
runp Run a new pod
rm Remove one or more containers
rmi Remove one or more images
rmp Remove one or more pods
pods List pods
start Start one or more created containers
info Display information of the container runtime
stop Stop one or more running containers
stopp Stop one or more running pods
update Update one or more running containers
config Get and set crictl client configuration options
stats List container(s) resource usage statistics
statsp List pod resource usage statistics
completion Output shell completion code
checkpoint Checkpoint one or more running containers
help, h Shows a list of commands or help for one command
4. Fixing crictl command errors
4.1 crictl warns: unix /var/run/dockershim.sock: connect: no such file or directory
Option 1
crictl -r unix:///run/containerd/containerd.sock image ls
Option 2
# generate the config; it is written to /etc/crictl.yaml
crictl config runtime-endpoint unix:///var/run/containerd/containerd.sock
[root@master ~]# cat /etc/crictl.yaml
runtime-endpoint: "unix:///var/run/containerd/containerd.sock"
image-endpoint: ""
timeout: 0
debug: false
pull-image-on-create: false
disable-pull-on-run: false
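Both endpoint spellings used on this page name the same socket on a systemd host, where /var/run is a symlink to /run. Whoever can open that socket can ask containerd to start a privileged container, so it should stay owner/group-only. The script below (added for this page, not part of the original post or of cri-tools) reads runtime-endpoint from a crictl.yaml, resolves the unix:// path and checks the socket's permission bits with GNU stat. The yaml path and the sample file it builds are demo assumptions; on the host pass /etc/crictl.yaml.

```shell
#!/bin/sh
# Added example (not from the original post): parse runtime-endpoint out of a
# crictl.yaml and verify the socket it names is not reachable by "other".
# Uses GNU stat -c; the demo yaml and a regular file standing in for the socket
# are constructed below.

# runtime_endpoint FILE: print the runtime-endpoint value, quotes stripped.
runtime_endpoint() {
    sed -n 's/^runtime-endpoint:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" | head -n1
}

# socket_path ENDPOINT: strip the unix:// scheme; fail for any other scheme.
socket_path() {
    case "$1" in
        unix://*) printf '%s\n' "${1#unix://}" ;;
        *) echo "unsupported endpoint scheme: $1" >&2; return 1 ;;
    esac
}

# world_accessible PATH: 0 if any "other" permission bit is set (octal mode
# ending in a non-zero digit), 1 if owner/group only, 2 if PATH cannot be stat'ed.
world_accessible() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *0) return 1 ;;
        *) return 0 ;;
    esac
}

# check_crictl_socket FILE: 0 if the configured socket exists and is not
# world-accessible, 1 otherwise (reason on stderr).
check_crictl_socket() {
    ep=$(runtime_endpoint "$1")
    [ -n "$ep" ] || { echo "no runtime-endpoint in $1" >&2; return 1; }
    p=$(socket_path "$ep") || return 1
    [ -e "$p" ] || { echo "$p does not exist (is containerd running?)" >&2; return 1; }
    if world_accessible "$p"; then
        echo "$p is world-accessible (mode $(stat -c '%a' "$p")); restrict it" >&2
        return 1
    fi
    echo "$ep -> $p: mode $(stat -c '%a' "$p"), owner/group only: OK"
}

# Demo with a constructed crictl.yaml and a plain file standing in for the socket.
DEMO_DIR="${TMPDIR:-/tmp}/crictl-demo.$$"
mkdir -p "$DEMO_DIR"
: > "$DEMO_DIR/containerd.sock" && chmod 660 "$DEMO_DIR/containerd.sock"
cat > "$DEMO_DIR/crictl.yaml" <<EOF
runtime-endpoint: "unix://$DEMO_DIR/containerd.sock"
image-endpoint: ""
timeout: 0
debug: false
EOF
check_crictl_socket "$DEMO_DIR/crictl.yaml"
rm -rf "$DEMO_DIR"
```

On a real host the path check also catches the dockershim-style leftover the warning above complains about: an endpoint pointing at a socket that no longer exists fails before any permission test.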
IV. Buildkit
Regular nerdctl usage works fine, but building an image fails when BuildKit is not installed, because its socket file does not exist:
ERRO[0000] `buildctl` needs to be installed and `buildkitd` needs to be running, see https://github.com/moby/buildkit error="2 errors occurred:\n\t* failed to ping to host unix:///run/buildkit-default/buildkitd.sock: exec: \"buildctl\": executable file not found in $PATH\n\t* failed to ping to host unix:///run/buildkit/buildkitd.sock: exec: \"buildctl\": executable file not found in $PATH\n\n"
FATA[0000] no buildkit host is available, tried 2 candidates: 2 errors occurred:
* failed to ping to host unix:///run/buildkit-default/buildkitd.sock: exec: "buildctl": executable file not found in $PATH
* failed to ping to host unix:///run/buildkit/buildkitd.sock: exec: "buildctl": executable file not found in $PATH
In this case, download the full release of nerdctl, which bundles the dependency binaries matching that version.
➜ wget https://github.com/containerd/nerdctl/releases/download/v1.4.0/nerdctl-full-1.4.0-linux-amd64.tar.gz
➜ tar -xf nerdctl-full-1.4.0-linux-amd64.tar.gz
Now copy the buildctl and buildkitd binaries from the extracted bin directory into place:
➜ cp bin/buildctl /usr/local/bin
➜ cp bin/buildkitd /usr/local/bin
4 Systemd management
➜ cat /etc/systemd/system/buildkit.service
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true
[Install]
WantedBy=multi-user.target
4.1 Start
➜ systemctl daemon-reload
➜ systemctl enable buildkit --now
Created symlink from /etc/systemd/system/multi-user.target.wants/buildkit.service to /etc/systemd/system/buildkit.service.
Build the image again
nerdctl build -t nginx-demo:v0.1.0 .