containerd 容器概述 + yum配置安装 + 二进制安装

官方文档:https://containerd.io

　　在 2016 年 12 月 14 日，Docker 公司宣布将 containerd 从 Docker 中分离，由开源社区独立发展和 运营。Containerd 完全可以单独运行并管理容器，而 Containerd 的主要职责是镜像管理和容器执 行。同时，Containerd 提供了 containerd-shim 接口封装层，向下继续对接 runC 项目，使得容器 引擎 Docker Daemon 可以独立升级。

　　Containerd 可以在宿主机中管理完整的容器生命周期：容器镜像的传输和存储、容器的执行和管 理、存储和网络等。总结一下，它主要负责干以下事情：

　　• 管理容器的生命周期(从创建容器到销毁容器)

　　• 拉取/推送容器镜像

　　• 存储管理(管理镜像及容器数据的存储)

　　• 调用 runC 运行容器(与 runC 等容器运行时交互)

　　• 管理容器网络接口及网络

 

　　ctr：containerd 的命令行客户端。

1、Containerd 和 Docker 之间的关系

Docker 包含 Containerd，Containerd 专注于运行时的容器管理，而 Docker 除了容器管理之 外，还可以完成镜像构建之类的功能。

Containerd 提供的 API 偏底层，不是给普通用户直接用的，容器编排的开发者才需要 Containerd。

2、Containerd 在容器生态中扮演的角色

Containerd 并不是直接面向最终用户的，而是主要用于集成到更上层的系统里，比如 Kubernetes 等容器编排系统。

Containerd 以 daemon 的形式运行在系统上，通过 unix domain socket 暴露底层的 grpc API，上层系统可以通过这些 API 管理机器上的容器。

K8S 为什么要放弃使用 Docker 作为容器运行时，而使用 containerd 呢？

Docker，Kubernetes 等工具来运行一个容器时会调用容器运行时（CRI），比如 containerd，CRI-O，通过容器运行时来完成容器的创建、运行、销毁等实际工作，Docker 使用的是 containerd 作为 其运行时；Kubernetes 支持 docker（在 k8s1.24 版本之前用，1.24 开始废弃了）、containerd， CRI-O 等多种容器运行时，这些容器运行时都遵循了 OCI 规范，并通过 runc 来实现与操作系统内核 交互来完成容器的创建和运行

CRI:

　　CRI 是一个插件接口，它使 kubelet 能够使用各种容器运行时，你需要在集群中的每个节点上都有一个 可以正常工作的容器运行时， 这样 kubelet 能启动 Pod 及其容器。容器运行时接口（CRI）是 kubelet 和容器运行时之间通信的主要协议。

　　OCI： OCI， Open Container Initiative ，是一个轻量级，开放的治理结构（项目），在 Linux 基金会的支 持下成立，致力于围绕容器格式和运行时创建开放的行业标准。 OCI 项目由 Docker，CoreOS（后来被 Red Hat 收购了，相应的席位被 Red Hat 继承）和容器行业中的其他领导者在 2015 年 6 月的时 候启动。

　　如果你使用 Docker 作为 K8S 容器运行时的话，kubelet 需要先要通过 dockershim 去调用 Docker， 再通过 Docker 去调用 containerd。 如果你　　　　　　　　       使用 containerd 作为 K8S 容器运行时的话， kubelet 可以直接调用 containerd。

　　使用 containerd 不仅性能提高了（调用链变短了），而且资源占用也会变小（Docker 不是一个纯粹的 容器运行时，具有大量其他功能）。

总结：docker调用链路太长，containerd直接调用 效率更高。

　　调用链 Docker 作为 k8s 容器运行时，调用关系如下： kubelet --> docker shim （在 kubelet 进程中） --> dockerd --> containerd Containerd 作为 k8s 容器运行时，调用关系如下： kubelet --> cri plugin（在 containerd 进程中） --> containerd

 

 

containerd安装和配置

(一)、yum 安装

[root@harbor-cloud ~]# yum install -y yum-utils
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel                                                                                                                                | 4.7 kB  00:00:00
extras                                                                                                                              | 2.9 kB  00:00:00
os                                                                                                                                  | 3.6 kB  00:00:00
updates                                                                                                                             | 2.9 kB  00:00:00
Package yum-utils-1.1.31-54.el7_8.noarch already installed and latest version
Nothing to do
[root@harbor-cloud ~]#
[root@harbor-cloud ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Loaded plugins: fastestmirror, langpacks
adding repo from: http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
grabbing file http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@harbor-cloud ~]# yum install containerd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
docker-ce-stable                                                                                                                    | 3.5 kB  00:00:00
(1/2): docker-ce-stable/7/x86_64/updateinfo                                                                                         |   55 B  00:00:00
(2/2): docker-ce-stable/7/x86_64/primary_db                                                                                         |  97 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package containerd.io.x86_64 0:1.6.18-3.1.el7 will be installed
--> Processing Dependency: container-selinux >= 2:2.74 for package: containerd.io-1.6.18-3.1.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.119.2-1.911c772.el7_8 will be installed
--> Processing Dependency: policycoreutils-python for package: 2:container-selinux-2.119.2-1.911c772.el7_8.noarch
--> Running transaction check
---> Package policycoreutils-python.x86_64 0:2.5-34.el7 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-4 for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-14 for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-34.el7.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.8.5-4.el7 will be installed
---> Package checkpolicy.x86_64 0:2.5-8.el7 will be installed
---> Package libcgroup.x86_64 0:0.41-21.el7 will be installed
---> Package libsemanage-python.x86_64 0:2.5-14.el7 will be installed
---> Package python-IPy.noarch 0:0.75-6.el7 will be installed
---> Package setools-libs.x86_64 0:3.3.8-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================================================================
 Package                                  Arch                     Version                                        Repository                          Size
===========================================================================================================================================================
Installing:
 containerd.io                            x86_64                   1.6.18-3.1.el7                                 docker-ce-stable                    34 M
Installing for dependencies:
 audit-libs-python                        x86_64                   2.8.5-4.el7                                    os                                  76 k
 checkpolicy                              x86_64                   2.5-8.el7                                      os                                 295 k
 container-selinux                        noarch                   2:2.119.2-1.911c772.el7_8                      extras                              40 k
 libcgroup                                x86_64                   0.41-21.el7                                    os                                  66 k
 libsemanage-python                       x86_64                   2.5-14.el7                                     os                                 113 k
 policycoreutils-python                   x86_64                   2.5-34.el7                                     os                                 457 k
 python-IPy                               noarch                   0.75-6.el7                                     os                                  32 k
 setools-libs                             x86_64                   3.3.8-4.el7                                    os                                 620 k

Transaction Summary
===========================================================================================================================================================
Install  1 Package (+8 Dependent packages)

Total download size: 35 M
Installed size: 119 M
Downloading packages:
(1/9): container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm                                                                         |  40 kB  00:00:00
(2/9): audit-libs-python-2.8.5-4.el7.x86_64.rpm                                                                                     |  76 kB  00:00:00
(3/9): libcgroup-0.41-21.el7.x86_64.rpm                                                                                             |  66 kB  00:00:00
(4/9): checkpolicy-2.5-8.el7.x86_64.rpm                                                                                             | 295 kB  00:00:00
(5/9): libsemanage-python-2.5-14.el7.x86_64.rpm                                                                                     | 113 kB  00:00:00
(6/9): python-IPy-0.75-6.el7.noarch.rpm                                                                                             |  32 kB  00:00:00
(7/9): policycoreutils-python-2.5-34.el7.x86_64.rpm                                                                                 | 457 kB  00:00:00
(8/9): setools-libs-3.3.8-4.el7.x86_64.rpm                                                                                          | 620 kB  00:00:00
warning: /var/cache/yum/x86_64/7/docker-ce-stable/packages/containerd.io-1.6.18-3.1.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY
Public key for containerd.io-1.6.18-3.1.el7.x86_64.rpm is not installed
(9/9): containerd.io-1.6.18-3.1.el7.x86_64.rpm                                                                                      |  34 MB  00:01:05
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                      551 kB/s |  35 MB  00:01:05
Retrieving key from https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Importing GPG key 0x621E9F35:
 Userid     : "Docker Release (CE rpm) <docker@docker.com>"
 Fingerprint: 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35
 From       : https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : setools-libs-3.3.8-4.el7.x86_64                                                                                                         1/9
  Installing : libcgroup-0.41-21.el7.x86_64                                                                                                            2/9
  Installing : audit-libs-python-2.8.5-4.el7.x86_64                                                                                                    3/9
  Installing : python-IPy-0.75-6.el7.noarch                                                                                                            4/9
  Installing : libsemanage-python-2.5-14.el7.x86_64                                                                                                    5/9
  Installing : checkpolicy-2.5-8.el7.x86_64                                                                                                            6/9
  Installing : policycoreutils-python-2.5-34.el7.x86_64                                                                                                7/9
  Installing : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch                                                                                      8/9
setsebool:  SELinux is disabled.
  Installing : containerd.io-1.6.18-3.1.el7.x86_64                                                                                                     9/9
  Verifying  : checkpolicy-2.5-8.el7.x86_64                                                                                                            1/9
  Verifying  : libsemanage-python-2.5-14.el7.x86_64                                                                                                    2/9
  Verifying  : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch                                                                                      3/9
  Verifying  : containerd.io-1.6.18-3.1.el7.x86_64                                                                                                     4/9
  Verifying  : python-IPy-0.75-6.el7.noarch                                                                                                            5/9
  Verifying  : policycoreutils-python-2.5-34.el7.x86_64                                                                                                6/9
  Verifying  : audit-libs-python-2.8.5-4.el7.x86_64                                                                                                    7/9
  Verifying  : libcgroup-0.41-21.el7.x86_64                                                                                                            8/9
  Verifying  : setools-libs-3.3.8-4.el7.x86_64                                                                                                         9/9

Installed:
  containerd.io.x86_64 0:1.6.18-3.1.el7

Dependency Installed:
  audit-libs-python.x86_64 0:2.8.5-4.el7         checkpolicy.x86_64 0:2.5-8.el7                 container-selinux.noarch 2:2.119.2-1.911c772.el7_8
  libcgroup.x86_64 0:0.41-21.el7                 libsemanage-python.x86_64 0:2.5-14.el7         policycoreutils-python.x86_64 0:2.5-34.el7
  python-IPy.noarch 0:0.75-6.el7                 setools-libs.x86_64 0:3.3.8-4.el7

Complete!

初始化 Containerd 配置：

  [root@harbor-cloud ~]# containerd config default > /etc/containerd/config.toml

[root@harbor-cloud ~]# systemctl enable containerd
[root@harbor-cloud ~]# systemctl start containerd

[root@harbor-cloud ~]# vim /etc/containerd/config.toml

#sandbox_image = "k8s.gcr.io/pause:3.2" 替换成 registry.cnhangzhou.aliyuncs.com/google_containers/pause-amd64:3.2 应用配置并重新运行 containerd 服务

sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2"

[root@harbor-cloud ~]# systemctl daemon-reload
[root@harbor-cloud ~]# systemctl restart containerd

[root@harbor-cloud ~]# systemctl status containerd
● containerd.service - containerd container runtime
Loaded: loaded (/usr/lib/systemd/system/containerd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-02-24 11:59:01 CST; 6s ago
Docs: https://containerd.io
Process: 10639 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
Main PID: 10641 (containerd)
Tasks: 9
Memory: 16.1M
CGroup: /system.slice/containerd.service
└─10641 /usr/bin/containerd

Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.901523286+08:00" level=error msg="failed to load cni during init, plea... config"
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.902862138+08:00" level=info msg=serving... address=/run/containerd/con...ck.ttrpc
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.902923122+08:00" level=info msg=serving... address=/run/containerd/con...erd.sock
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.903024840+08:00" level=info msg="containerd successfully booted in 0.030286s"
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.911861390+08:00" level=info msg="Start subscribing containerd event"
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.911964534+08:00" level=info msg="Start recovering state"
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.912105095+08:00" level=info msg="Start event monitor"
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.912164545+08:00" level=info msg="Start snapshots syncer"
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.912199182+08:00" level=info msg="Start cni network conf syncer for default"
Feb 24 11:59:01 harbor-cloud containerd[10641]: time="2023-02-24T11:59:01.912216574+08:00" level=info msg="Start streaming server"

 

[root@harbor-cloud ~]# ctr images pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2
registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c74f8866df097496217c9f15efe8f8d3db05d19d678a02d01cc7eaed520bb136: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.7 s total: 526.0 (750.0 B/s)
unpacking linux/amd64 sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108...
done: 67.73232ms

(二)、二进制安装

Containerd二进制有两种安装包∶

1>. 第一种是containerd-xxx，这种包用于单机测试没问题，不包runC，需要提前安装。

2>. 第二种是cri-containerd-cni-xxx，包含runC和k8s里的所需要的相关文件。k8s集群里需要用到此包，呈然包含runC，但是依赖系统中的seccomp（安全计算模式，是一种限制容器调用系统资源的模式。）

1.containerd-xxx二进制包安装步骤

1.1安装containerd-xxx包

 提前下载好传入，github会很卡

#wget -c https://github.com/containerd/containerd/releases/download/v1.6.18/containerd-1.6.18-linux-amd64.tar.gz

tar xvf containerd-1.6.18-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/containerd-stress
bin/ctr
bin/containerd
bin/containerd-shim
bin/containerd-shim-runc-v1

 

cp usr/local/bin/* /usr/local/bin/
vim /etc/systemd/system/containerd.service 

# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/usr/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target

mkdir /etc/containerd
containerd config default > /etc/containerd/config.toml

1.2.修改containerd配置文件

1.  结合runc使用systemd cgroup驱动，在" /etc/containerd/config.toml "中设置，进行两处修改

反对法

vim /etc/containerd/config.toml
 
........
 
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
 
    ...
 
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
      SystemdCgroup = true  ## 将该参数的值改为true
 
  ........
 
  [plugins."io.containerd.grpc.v1.cri".registry]
 
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
 
      ##添加两行参数，使用阿里云的镜像加速器
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."birkhoffaliyuncs.com"]  
          endpoint = ["https://qryj5zfu.mirror.aliyuncs.com"]

systemctl start containerd
systemctl status containerd
systemctl enabled constainerd
ctr version

[root@birkhoff-containerd containerd]# ctr version
Client:
Version: v1.6.18
Revision: 2456e983eb9e37e47538f59ea18f2043c9a73640
Go version: go1.19.6

Server:
Version: v1.6.18
Revision: 2456e983eb9e37e47538f59ea18f2043c9a73640
UUID: 9891c926-9a2a-4ba5-81b9-acb3db802ed3

1.3、安装runC

去网址上下载runc软件包：https://github.com/opencontainers/runc/releases。

mv runc.amd64 /usr/sbin/runc
chmod +x /usr/sbin/runc
runc -v

[root@birkhoff-containerd containerd]# runc -v
runc version 1.1.1
commit: v1.1.0-20-g52de29d7
spec: 1.0.2-dev
go: go1.17.6
libseccomp: 2.5.3

1.4. 测试是否可以下载进行进行部署

 [root@birkhoff-containerd containerd]# ctr images pull docker.io/library/alpine:latest
docker.io/library/alpine:latest:                                                  resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501: done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c:    done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:b2aa39c304c27b96c1fef0c06bee651ac9241d49c4fe34381cab8453f9a89c7d:   done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 6.2 s                                                                    total:  3.2 Mi (532.0 KiB/s)                            
unpacking linux/amd64 sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a...
done: 212.71913ms
[root@birkhoff-containerd containerd]# ctr run -t --net-host docker.io/library/alpine:latest container1 sh
/ # ping www.baidu.com
PING www.baidu.com (112.80.248.75): 56 data bytes
64 bytes from 112.80.248.75: seq=0 ttl=53 time=9.591 ms
64 bytes from 112.80.248.75: seq=1 ttl=53 time=10.291 ms

2.cri-containerd-cni-xxx二进制包安装步骤 (省略)

containerd 客户端:

可参考：https://zhuanlan.zhihu.com/p/544146528

crictl:

https://kubernetes.io/zh/docs/tasks/debug-application-cluster/crictl/
https://github.com/kubernetes-sigs/cri-tools/releases  #下载地址
2.1.1:下载 crictl:
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.23.0/crict-v1.23.0-linux-amd64.tar.gz
# tar xvf crictl-v1.23.0-linux-amd64.tar.gz
crictl
# cp crictl /usr/local/bin/

2.1.2:配置crictl 运行环境

默认连接 unix:///var/run/dockershim.sock

但是 containerd 的在以下路径:

root@containerd-server:~# Is /run/containerd/containerd.sock

/run/containerd/containerd.sock
所以，修改配置文件:
root@containerd-server:~# cat /etc/crictl.yaml #没有要新建

cat /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
pull-image-on-create: false
disable-pull-on-run: false

#systemctl restart containerd

 

检测是否正常
[root@birkhoff-containerd containerd]# crictl pull nginx:1.20.2
Image is up to date for sha256:0584b370e957bf9d09e10f424859a02ab0fda255103f75b3f8c7d410a4e96ed5
[root@birkhoff-containerd containerd]# crictl pull centos
Image is up to date for sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6
[root@birkhoff-containerd containerd]# crictl images list
IMAGE TAG IMAGE ID SIZE
docker.io/library/centos latest 5d0da3dc97646 83.5MB
docker.io/library/nginx 1.20.2 0584b370e957b 56.7MB

 

ctr和crictl区别

 背景：在部署k8s的过程中，经常要对镜像进行操作（拉取、删除、查看等）

 问题：使用过程中会发现ctr和crictl有很多相同功能，也有些不同，那区别到底在哪里？

 说明：

 1.ctr是containerd自带的CLI命令行工具，crictl是k8s中CRI（容器运行时接口）的客户端，k8s使用该客户端和containerd进行交互；

cat /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
pull-image-on-create: false
disable-pull-on-run: false

 systemctl restart  containerd

2.ctr和crictl命令具体区别如下，也可以--help查看。crictl缺少对具体镜像的管理能力，可能是k8s层面镜像管理可以由用户自行控制，能配置pod里面容器的统一镜像仓库，镜像的管理可以有habor等插件进行处理。‘’

 

nerdctl-推荐使用：

https://github.com/containerd/nerdctl

安装 nerdctl:和docker很像
root@containerd-server:~# wget https://github.com/containerd/nerdctl/releases/download/v0.18.0/nerdctl-0.18.0-linux-amd64.tar.gz
root@containerd-server:~# tar xvf nerdctl-0.18.0-linux-amd64.tar.gz

root@containerd-server:~# cp nerdctl /usr/sbin/
root@containerd-server:~# nerdctl version

Client:
Version: v0.18.0
Git commit: 77276ff0fffad3f855ab9f2f5a4ad5527ef76485

Server:
containerd:
Version: v1.6.18
GitCommit: 2456e983eb9e37e47538f59ea18f2043c9a73640安装 cni：必须安装 否则启动之后会报错

https://github.com/containernetworking/plugins/releases
root@containerd-server:~# wge https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
root@containerd-server:~# mkdir /opt/cni/bin -p #保存 cni 插件的路径

root@containerd-server:~# tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/
./macvlan
./static
./vlan/portmap/host-loca./vrf./bridge./tuning/firewall
/host-device
/sbr
/loopback
/dhcp
./ptp/ipvlan
/bandwidth

#测试

#nerdctl run -d -p 80:80 --name=nginx-web1  --restart=always nginx #必须安装cni模块

#nerdctl ps

#nerdctl exec -it XXXXX  bash

 

containerd 容器相关操作

##查看 containerd 命名空间
[root@harbor-cloud ~]# ctr namespace ls
NAME    LABELS
default
ctr 有命名空间 namespace 来指定类似于工作空间的隔离区域。使用方法 ctr -n default images ls 来查看 default 命名空间的镜像，不加 -n 参数，默认也是使用 default 的命名空间。


#查看默认名称空间镜像有哪些

[root@harbor-cloud ~]# ctr image ls
REF                                                                 TYPE                                                 DIGEST                                                                  SIZE      PLATFORMS   LABELS
registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2 application/vnd.docker.distribution.manifest.v2+json sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108 290.8 KiB linux/amd64 -


#查看 k8s 命名空间下的镜像

　[root@harbor-cloud ~]# ctr -n=k8s.io images ls
　REF TYPE DIGEST SIZE PLATFORMS LABELS

#拉取 busybox 镜像
[root@harbor-cloud ~]# ctr image pull docker.io/library/busybox:latest
docker.io/library/busybox:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:907ca53d7e2947e849b839b1cd258c98fd3916c60f2e6e70c30edbf741ab6754: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:205dae5015e78dd8c4d302e3db4eb31576fac715b46d099fe09680ba28093a7a: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:66ba00ad3de8677a3fa4bc4ea0fc46ebca0f14db46ca365e7f60833068dd0148: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.7 s total: 0.0 B (0.0 B/s)
unpacking linux/amd64 sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c...
done: 10.984866ms
注：必须全路径，从 dockerhub 上下载默认 busybox 镜像。
 
#删除镜像
[root@harbor-cloud ~]# ctr images rm docker.io/library/busybox:latest
docker.io/library/busybox:latest
 
#压缩镜像
[root@harbor-cloud ~]# ctr images pull docker.io/library/mysql:latest
[root@harbor-cloud ~]# ctr images export mysql.tar.gz
ctr: please provide both an output filename and an image reference to export
[root@harbor-cloud ~]# ctr images export mysql.tar.gz docker.io/library/mysql:latest
[root@harbor-cloud ~]# ll
total 172408
-rw-r--r-- 1 root root 0 Feb 24 11:53 =
-rw-r--r-- 1 root root 0 Feb 24 11:53 Finished
drwxr-xr-x 3 root root 4096 Feb 23 12:09 harbor
-rw-r--r-- 1 root root 19922347 Feb 23 12:20 harbor-offline-installer-v2.3.0.tgz
-rw-r--r-- 1 root root 156616704 Feb 24 12:14 mysql.tar.gz
-rw-r--r-- 1 root root 0 Feb 24 11:53 Package
-rw-r--r-- 1 root root 0 Feb 24 11:53 Processing
-rw-r--r-- 1 root root 0 Feb 24 11:53 Running
#导出镜像
[root@harbor-cloud ~]# ctr images import mysql.tar.gz
unpacking docker.io/library/mysql:latest (sha256:d8dc78532e9eb3759344bf89e6e7236a34132ab79150607eb08cc746989aa047)...done
[root@harbor-cloud ~]# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/mysql:latest application/vnd.docker.distribution.manifest.list.v2+json sha256:d8dc78532e9eb3759344bf89e6e7236a34132ab79150607eb08cc746989aa047 149.3 MiB linux/amd64,linux/arm64/v8 -

docker 的镜像和 containerd 镜像通用

>通用的，docker save -o 生成的镜像文件，可以基于 ctr images import 导出来