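Introduction
1. The CRI (Container Runtime Interface) published by K8S unifies the container runtime interface: any container runtime that supports CRI can serve as the underlying runtime for K8S. Docker does not implement CRI, so an additional service, cri-dockerd, must be installed before Docker can be used in K8S.
2. K8S 1.24 removed Docker as a container runtime from the kubelet and replaced it with containerd, a low-level container runtime that was split out of Docker and is used in much the same way as Docker.
3. containerd is an industry-standard container runtime that emphasizes simplicity, robustness and portability.
4. containerd can manage the complete container lifecycle on the host, including image transfer and storage, container execution and supervision, storage and networking.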
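Download
- containerd-xxx-linux-amd64.tar.gz (containerd)
- cri-containerd-xxx-linux-amd64.tar.gz (containerd + runc)
containerd cannot operate on containers directly; it runs them through runc.
By default, containers managed by containerd only have the lo network (they cannot reach any network outside the container). To reach outside networks, a CNI network plugin must be installed.
- cri-containerd-cni-xxx-linux-amd64.tar.gz (containerd + runc + cni)
CNI (Container Network Interface) is a container networking interface specification used to assign IP addresses to containers. With a CNI plugin, containers managed by containerd can reach networks outside the container.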
Install [cri-containerd-cni]
Extract
tar xzf /home/lixing/k8s/containerd/cri-containerd-cni-1.7.0-linux-amd64.tar.gz -C / # automatically extracts the bundled etc, opt and usr directories into /
# Files
cat /etc/cni/net.d/10-containerd-net.conflist
cat /etc/systemd/system/containerd.service
cat /etc/crictl.yaml
#
# Directories
cd /opt/cni/bin
## bandwidth, bridge, dhcp, dummy, firewall, host-device, host-local, ipvlan, loopback, macvlan, portmap, ptp, sbr, static, tuning, vlan, vrf
cd /opt/containerd/cluster
cd /usr/local/bin
## containerd, containerd-shim, containerd-shim-runc-v1, containerd-shim-runc-v2, containerd-stress, crictl, critest, ctd-decoder, ctr
cd /usr/local/sbin
## runc
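The tar command above unpacks the archive as root directly over /, so it is worth vetting the file first. The following is an added example, not part of the original page: `check_bundle` is a hypothetical helper that compares the archive against a SHA-256 digest you obtained from the release's published checksum (assumed to be fetched over a trusted channel) and confirms that every member stays under etc/, opt/ or usr/, the three directories the page says the bundle contains.

```shell
#!/bin/sh
# Added example (not from the original page); check_bundle is a hypothetical name.
# check_bundle TARBALL EXPECTED_SHA256
#   0 = digest matches and all members stay under etc/, opt/ or usr/
#   1 = digest mismatch
#   2 = archive contains members outside the expected directories
check_bundle() {
    tarball=$1
    expected=$2
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
    # List members without extracting. Reject absolute paths, ".." components
    # and any top-level entry other than etc, opt or usr.
    bad=$(tar tzf "$tarball" | awk '
        { p = $0; sub(/^\.\//, "", p) }
        p == "" { next }
        p ~ /^\// || p ~ /(^|\/)\.\.(\/|$)/ { print; next }
        p !~ /^(etc|opt|usr)(\/|$)/ { print }')
    if [ -n "$bad" ]; then
        echo "unexpected members:" >&2
        echo "$bad" >&2
        return 2
    fi
    return 0
}

# Usage (the digest value is a placeholder to be filled in by the reader):
#   check_bundle /home/lixing/k8s/containerd/cri-containerd-cni-1.7.0-linux-amd64.tar.gz \
#       "<sha256 from the release checksum file>" \
#     && tar xzf /home/lixing/k8s/containerd/cri-containerd-cni-1.7.0-linux-amd64.tar.gz -C /
```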
Generate the configuration file
mkdir -p /etc/containerd && containerd config default > /etc/containerd/config.toml # generate the default configuration file
vi /etc/containerd/config.toml # edit the configuration file and change the settings below
# Use systemd as the cgroup driver
SystemdCgroup = true
# Replace the image address with the Aliyun mirror in China
# sandbox_image = "registry.k8s.io/pause:3.8"
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.8"
# Custom image registries [this approach is deprecated and may stop working in the future]
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""
[plugins."io.containerd.grpc.v1.cri".registry.auths]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.111.25".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.111.25".auth]
username = "admin"
password = "Harbor12345"
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://lixing5fl2j66y.mirror.aliyuncs.com","https://registry-1.docker.io"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
endpoint = ["https://registry.aliyuncs.com/google_containers"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
endpoint = ["https://registry.aliyuncs.com/google_containers"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.111.25"]
endpoint = ["https://192.168.111.25"]
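The registry block above sets insecure_skip_verify = true for 192.168.111.25 and keeps the registry password inline in config.toml, using the layout the page itself marks as deprecated. The following is an added example, not part of the original page: `audit_registry_config` flags those settings in a config file, and `write_hosts_toml` writes the per-registry hosts.toml that containerd reads when config_path points at a certs directory, trusting the registry's CA instead of skipping verification. Both function names and the CA file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page); function names and the CA path
# are hypothetical.

# audit_registry_config FILE
# Prints one finding per line; exit status = number of findings (0 = clean).
audit_registry_config() {
    awk '
        /^[ \t]*#/  { next }                  # ignore commented-out lines
        /^[ \t]*\[/ { section = $0 }          # remember the current TOML table
        /insecure_skip_verify[ \t]*=[ \t]*true/ {
            print "TLS verification disabled: " section; n++ }
        /^[ \t]*password[ \t]*=[ \t]*"[^"]+"/ {
            print "inline registry password: " section; n++ }
        /endpoint[ \t]*=.*"http:\/\// {
            print "plain-HTTP endpoint: " section; n++ }
        END { exit n + 0 }
    ' "$1"
}

# write_hosts_toml CERTS_DIR REGISTRY CA_FILE
# Writes CERTS_DIR/REGISTRY/hosts.toml that trusts the registry CA
# instead of skipping verification. Point config_path at CERTS_DIR.
write_hosts_toml() {
    mkdir -p "$1/$2"
    cat > "$1/$2/hosts.toml" <<EOF
server = "https://$2"

[host."https://$2"]
  capabilities = ["pull", "resolve", "push"]
  ca = "$3"
EOF
}

# Usage (paths are assumptions):
#   audit_registry_config /etc/containerd/config.toml
#   write_hosts_toml /etc/containerd/certs.d 192.168.111.25 \
#       /etc/containerd/certs.d/192.168.111.25/ca.crt
```

After writing hosts.toml, set config_path = "/etc/containerd/certs.d" in the registry table and restart containerd.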
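- Reload the configuration
systemctl daemon-reload # reload the configuration files
- Enable at boot
systemctl enable --now containerd # enable at boot and start immediately
systemctl status containerd.service # check the service status
- Check versions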
containerd -version
# containerd github.com/containerd/containerd v1.7.0 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d
ctr version
#Client:
#Version: v1.7.0
#Revision: 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d
#Go version: go1.20.2
#Server:
#Version: v1.7.0
#Revision: 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d
#UUID: 59999183-0768-40ec-91b7-4e3ecfd5cfa5
crictl version
#Version: 0.1.0
#RuntimeName: containerd
#RuntimeVersion: v1.7.0
#RuntimeApiVersion: v1
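Install runc
- Check the runc version
runc -version
#runc version 1.1.4
#commit: v1.1.4-0-g5fd4c4d1
#spec: 1.0.2-dev
#go: go1.20.2
#libseccomp: 2.5.1
Note: the extracted cri-containerd-xx bundle includes runc by default, but that build lacks required dependencies. It is recommended to install runc yourself and overwrite the bundled one.
Download link
cp -rf /home/lixing/k8s/containerd/runc.amd64 /usr/local/sbin/runc
chmod +x /usr/local/sbin/runc && runc -v # overwrite the default runc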
Deploy an Nginx application
- Standalone containerd uses ctr to manage images
- In K8S, containerd uses crictl to manage images
ctr i ls # list images
ctr c ls # list containers
ctr t ls # list the tasks running under containers
Pull the Nginx image
ctr i pull docker.io/library/nginx:alpine # download the nginx image
- Tag the image
ctr i export nginx:alpine:localImg docker.io/library/nginx:alpine # export the nginx image to a file
ctr i import nginx:alpine:localImg # import the nginx image file
ctr i tag docker.io/library/nginx:alpine 192.168.233.132:5000/nginx:1.0.0 # change the image tag
ctr i check # check images
Mount the image to a host directory
mkdir -p /usr/local/nginx && ctr i mount docker.io/library/nginx:alpine /usr/local/nginx # mount the image to the given host directory
ctr i unmount /usr/local/nginx # unmount the image from the host directory
Run the Nginx image
ctr run -d --net-host docker.io/library/nginx:alpine containerdNameForNginx # create the container (containerdNameForNginx) and run it
ctr t exec --exec-id $RANDOM -t containerdNameForNginx /bin/sh # open a shell inside the running container (containerdNameForNginx)
Note: creating and running a container also automatically creates a Task.
Nginx container management
- Start, pause, resume
ctr t start -d containerdNameForNginx # start the container (containerdNameForNginx); only applies if it was created but not yet run
ctr t pause containerdNameForNginx # pause the task of the container (containerdNameForNginx)
ctr t resume containerdNameForNginx # resume the task of the container (containerdNameForNginx)
- Delete the container
ctr t kill containerdNameForNginx # stop the task of the container (containerdNameForNginx)
ctr t rm containerdNameForNginx # delete the task of the container (containerdNameForNginx)
ctr c rm containerdNameForNginx # delete the container (containerdNameForNginx)
- Delete the image
ctr i rm docker.io/library/nginx:alpine # delete the nginx image
Pull an image from Docker Hub
Download with docker
docker pull wangshun1024/ingress-nginx-controller:v1.1.0 --platform arm64 # download the image
Download with containerd
ctr i pull docker.io/wangshun1024/ingress-nginx-controller:v1.1.0 --platform arm64 # download the image
root@base:/etc/containerd# ctr i pull docker.io/wangshun1024/ingress-nginx-controller:v1.1.0 --platform arm64
docker.io/wangshun1024/ingress-nginx-controller:v1.1.0: resolved |++++++++++++++++++++++++++++++++++++++|
elapsed: 3.2 s total: 0.0 B (0.0 B/s)
unpacking linux/arm64 sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a...
done: 7.346376ms