安装containerd并配置新版harbor免证书拉取

阅读需要一定功力

# 安装containerd.io

1 安装

## 削除旧的版本

sudo apt-get remove docker docker-engine docker.io containerd runc

sudo apt-get update

## 安装相关支持

sudo apt-get install \

  apt-transport-https \

  ca-certificates \

  curl \

  gnupg \

  lsb-release

### 添加证书

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

$ echo \

  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \

  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

## 安装

$ sudo apt-get update

$ sudo apt-get install containerd.io

#### 生成containerd默认配置文件

mkdir -p /etc/containerd

containerd config default | sudo tee /etc/containerd/config.toml

#### 修改配置文件 开启SystemdCgroup

sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml && \

grep 'SystemdCgroup' -B 11 /etc/containerd/config.toml

##### 老版本要手动追加这个参数SystemdCgroup = true

###### 显示内容

          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]

            BinaryName = ""

            CriuImagePath = ""

            CriuPath = ""

            CriuWorkPath = ""

            IoGid = 0

            IoUid = 0

            NoNewKeyring = false

            NoPivotRoot = false

            Root = ""

            ShimCgroup = ""

            SystemdCgroup = true

#### 配置容器镜像加速器

sed -i 's#endpoint = ""#endpoint = "https://1e60esib.mirror.aliyuncs.com"#g' /etc/containerd/config.toml && \

grep 'endpoint' -B 5 /etc/containerd/config.toml

#### 配置pause加速器

sed -i 's#sandbox_image = "k8s.gcr.io/pause#sandbox_image = "registry.aliyuncs.com/google_containers/pause#g' /etc/containerd/config.toml && \

grep 'sandbox_image' /etc/containerd/config.toml

#### 重启服务器加载配置

systemctl daemon-reload

systemctl restart containerd.service

## 配置harbor免证书拉取镜像、

### 配置containerd免证书拉取镜像

#### 配置ctr选择配置文件路径免证书拉取镜像

#通过ctr使用--hosts-dir选项来拉取容器映像时，告诉ctr 查找并使用位于指定路径中的主机配置文件，配置文件在下面

ctr image pull --hosts-dir /home/xingkong/ 192.168.0.226/library/nginx:latest

### 安装crictl

#1.24.0 k8s版本自己选择对应的

VERSION="v1.24.0"

wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz

sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin

rm -f crictl-$VERSION-linux-amd64.tar.gz

#### 配置crtctl的sock

tee /etc/crictl.yaml <<-'EOF'

{

runtime-endpoint: unix:///run/containerd/containerd.sock

image-endpoint: unix:///run/containerd/containerd.sock

timeout: 10

debug: false

}

EOF

### containred官方文档

https://github.com/containerd/containerd/blob/main/docs/hosts.md#ctr

#### 设置配置文件路径

#config_path = "/home/xingkong" 这个路径为注册表指向文件所在的路径

vi /etc/containerd/config.toml

[plugins."io.containerd.grpc.v1.cri".registry]

  config_path = "/home/xingkong"

  [plugins."io.containerd.grpc.v1.cri".registry.auths]

[plugins."io.containerd.grpc.v1.cri".registry.configs]

[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.0.226".auth]

[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.0.226".tls]

##### 配置完之后重启

systemctl daemon-reload

systemctl restart containerd.service

ctr image pull --hosts-dir /home/xingkong/ 192.168.0.226/library/nginx:latest

crictl pull 192.168.0.226/library/nginx:latest

### containerd免密证书拉取配置

#### IP配置

cat /home/xingkong/192.168.0.226/hosts.toml

server = "https://192.168.0.226"

[host."https://192.168.0.226"]

  capabilities = ["pull", "resolve", "push"]

  skip_verify = true

#### 域名配置

server = "https://hb.cn"

[host."https://hb.cn"]

  capabilities = ["pull", "resolve", "push"]

  skip_verify = true

#### hosts.toml配置完之后不需要重启

ctr image pull --hosts-dir /home/xingkong/ 192.168.0.226/library/nginx:latest

### 拉取测试

crictl pull 192.168.0.226/library/nginx:latest

#### 拉取没有报错拉取成功，已经存在镜像不会在拉取

Image is up to date for sha256:605c77e624ddb75e6110f997c58876baa13f8754486b461117934b24a9dc3a85