nerdctl buildkitd containerd构建容器镜像

21. nerdctl buildkitd containerd构建容器镜像

21.1 概述

容器技术除了docker之外,还有coreOS的rkt、google的gvisor、以及docker开源的containerd、redhat的podman、阿里的pouch等,为了保证容器生态的标准性和健康可持续发展、包括Linux基金会、Docker、微软、红帽、谷歌和IBM等公司在2015年6月共同成立了一个叫open cintainer(OCI)的组织,其目的就是指定开放的标准的容器规范,目前OCI一共发布了两个规范,分别是runtime spec和image format spec,有了这两个规范,不同的容器公司开发的容器只要兼容这两个规范,就可以保证容器的可移植性和相互可操作性
  • 各个官方地址
https://containerd.io
https://gvisor.dev
https://podman.io
#阿里开源
https://github.com/alibaba/pouch
#已停止维护
https://github.com/rkt/rkt
#buildkit:从Docker公司的开源出来的一个镜像构建工具包,支持OCI标准的镜像构建
https://github.com/moby/buildkit

21.2 buildkitd组成部分

buildkitd(服务端)目前支持runc和containerd作为镜像构建环境,默认是runc,可以更换为containerd
buildctl(客户端)负责解析Dockerfile文件,并向服务端buildkitd发出构建请求

21.2 buildkitd部署

下载地址:Release v0.10.6 · moby/buildkit · GitHub

  • 过程
root@k8s-master1:/usr/local/src# wget https://github.com/moby/buildkit/releases/download/v0.10.6/buildkit-v0.10.6.linux-amd64.tar.gz
root@k8s-master1:/usr/local/src# tar xf buildkit-v0.10.6.linux-amd64.tar.gz -C /usr/local/bin/
root@k8s-master1:/usr/local/bin/bin# mv ./* ../

#buildkit服务链接文件
root@k8s-master1:/usr/local/bin# vim  /etc/systemd/system/buildkit.socket

[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Socket]
ListenStream=%t/buildkit/buildkitd.sock

[Install]
WantedBy=sockets.target

#buildkitd服务文件
root@k8s-master1:/usr/local/bin# vim /etc/systemd/system/buildkit.service

[Unit]
Description=BuildKit
Requires=buildkit.socket
After=buildkit.socketDocumentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target

systemctl enable buildkitd.service
systemctl start buildkitd.service
  • 下载安装nerdctl命令
#自行安装
如果使用命令直接登录会报错
root@k8s-master1:~# nerdctl login harbor.nbrhce.com
Enter Username: quyi
Enter Password: 
ERRO[0017] failed to call tryLoginWithRegHost            error="failed to call rh.Client.Do: Get \"https://harbor.nbrhce.com/v2/\": x509: certificate relies on legacy Common Name field, use SANs instead" i=0
FATA[0017] failed to call rh.Client.Do: Get "https://harbor.nbrhce.com/v2/": x509: certificate relies on legacy Common Name field, use SANs instead 

#加上证书信任就可以登录 不过太麻烦
root@k8s-master1:~# nerdctl login  --insecure-registry  harbor.nbrhce.com
Enter Username: quyi
Enter Password: 
WARN[0007] skipping verifying HTTPS certs for "harbor.nbrhce.com" 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
  • nerdctl常用命令 这是不用证书的登录方式
vim /etc/profile
	source <(nerdctl completion bash)
source /etc/profile

nerdctl login --insecure-registry harbor.nbrhce.com
nerdctl pull centos:7.9.2009
nerdctl tag  centos:7.9.2009 harbor.nbrhce.com/baseimages/centos:7.9.2009
nerdctl push --insecure-registry  centos:7.9.2009 harbor.nbrhce.com/baseimages/centos:7.9.2009
  • 分发harbor证书 来实现登录
root@k8s-master1:~# mkdir /etc/containerd/certs.d/harbor.nbrhce.com -p
#这是在harbor服务器上
root@deploy-harbor:/apps/certs# pwd
/apps/certs
#如果之前没有做过这个证书 就执行一下
root@deploy-harbor:/apps/certs# openssl x509 -inform PEM -in harbor.nbrhce.com.crt -out harbor.nbrhce.com.cert
#拷贝过去
root@deploy-harbor:/apps/certs# scp ca.crt harbor.nbrhce.com.cert harbor.nbrhce.com.key 192.168.1.70:/etc/containerd/certs.d/harbor.nbrhce.com
ca.crt                                                                                              100% 2061     1.6MB/s   00:00    
harbor.nbrhce.com.cert                                                                              100% 2155     1.4MB/s   00:00    
harbor.nbrhce.com.key                                                                               100% 3247     4.5MB/s   00:00    
#登录
root@k8s-master1:/etc/containerd/certs.d/harbor.nbrhce.com# nerdctl login harbor.nbrhce.com
Enter Username: quyi
Enter Password: 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@k8s-master1:~# nerdctl pull centos:7.9.2009
root@k8s-master1:~# nerdctl tag  centos:7.9.2009 harbor.nbrhce.com/baseimages/centos:7.9.2009
root@k8s-master1:~# nerdctl push harbor.nbrhce.com/baseimages/centos:7.9.2009
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.list.v2+json, sha256:48838bdd8842b5b6bf36ef486c5b670b267ed6369e2eccbf00d520824f753ee2) 
index-sha256:48838bdd8842b5b6bf36ef486c5b670b267ed6369e2eccbf00d520824f753ee2:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:eeb6ee3f44bd0b5103bb561b4c16bcb82328cfe5809ab675bb17ab3a16c517c9:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 1.8 s                                                                    total:  3.5 Ki (2.0 KiB/s)        
  • 上传一个Dockerfile 构建
FROM ubuntu:22.04
MAINTAINER "nginx"


#ADD sources.list /etc/apt/sources.list

RUN apt update && apt  install -y iproute2  ntpdate  tcpdump telnet traceroute nfs-kernel-server nfs-common  lrzsz tree  openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev ntpdate tcpdump telnet traceroute  gcc openssh-server lrzsz tree  openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev ntpdate tcpdump telnet traceroute iotop unzip zip make


ADD nginx-1.22.0.tar.gz /usr/local/src/
RUN cd /usr/local/src/nginx-1.22.0 && ./configure --prefix=/apps/nginx && make && make install  && ln -sv /apps/nginx/sbin/nginx /usr/bin
RUN groupadd  -g 2088 nginx && useradd  -g nginx -s /usr/sbin/nologin -u 2088 nginx && chown -R nginx.nginx /apps/nginx
ADD nginx.conf /apps/nginx/conf/
ADD frontend.tar.gz /apps/nginx/html/


EXPOSE 80 443
#ENTRYPOINT ["nginx"]
CMD ["nginx","-g","daemon off;"]

效果

  • 下载cni
自行安装
root@k8s-master1:~# mkdir -p /etc/nerdctl
root@k8s-master1:~# vim /etc/nerdctl/nerdctl.toml
#这里注意这个namespace 指定了哪个命令空间这个镜像就在哪里 否则你运行的时候不找不到镜像 找不到的话你可以先注释掉这个参数 运行起来在加回去 添加这个namespace就能看到k8s的镜像了
root@k8s-master1:~# cat /etc/nerdctl/nerdctl.toml
namespace = "k8s.io"
root@k8s-master1:/usr/local/src# mkdir -p /opt/cni/bin
root@k8s-master1:/usr/local/src# tar xf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin
root@k8s-master1:/usr/local/src# root@k8s-master1:/etc/nerdctl# nerdctl run --name nginx -p 80:80  harbor.nbrhce.com/image/nginx-base:1.22.0

21.3 业务容器构建规划

#由上述所示nerdctl来官方的仓库拉取一些官方镜像作为父镜像然后把父镜像上传到harbor中这样是可以的 但是由于是自己签发的证书,在父镜像的基础之上在构建镜像的话会有报错,拉取不到元数据信息,因为目前的harbor是https的是有证书的,会有一系列证书的报错估计是证书不信任这种,但是你的证书要是花钱的买的能被信任的就不会就这个问题,或者就在运行一个nginx服务,把证书放在nginx上面然后把harbor换成http协议的这样也是可以的。
  • 业务容器化优势
业务容器化优势
	1.提高资源利用率,节约部署IT成本
	2.提高部署效率,基于kubernetes实现微服务的快速部署与交付、容器的批量调度与秒级启动
	3.实现横向扩容、灰度部署、回滚、链路追踪、服务治理等
	4.可根据业务负载进行自动弹性伸缩
	5.容器将环境和代码打包在镜像内,保证了测试与生产运行环境的一致性
	6.紧跟云原生社区技术发展的步伐,不给公司遗留技术债,为后期技术升级务实基础
	7.为个人储备前沿技术,提供个人level

21.4 实现nginx代理habor

  • 操作如下
root@deploy-harbor:/apps/harbor# docker-compose stop
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping registry          ... done
Stopping redis             ... done
Stopping harbor-db         ... done
Stopping harbor-portal     ... done
Stopping registryctl       ... done
Stopping harbor-log        ... done
#关闭https 使用http
root@deploy-harbor:/apps/harbor# vim harbor.yml 
#更新配置文件
root@deploy-harbor:/apps/harbor# ./prepare 
#更新之后看这里有没有nginx配置文件
root@deploy-harbor:/apps/harbor# ll common/config/portal/nginx.conf 
#然后在运行harbor服务查看是否是http访问
root@deploy-harbor:/apps/harbor# docker-compose up -d
  • 安装nginx 实现代理
root@k8s-master1:~# wget https://nginx.org/download/nginx-1.22.0.tar.gz
root@k8s-master1:~# tar xf nginx-1.22.0.tar.gz
root@k8s-master1:~# cd nginx-1.22.0
root@k8s-master1:~# ./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module
root@k8s-master1:~# make && make install
root@k8s-master1:~# mkdir /apps/nginx/certs -p
#把harbor的证书拷贝过来
root@k8s-master1:~# ls /apps/nginx/certs/
harbor.nbrhce.com.crt  harbor.nbrhce.com.key

#编辑配置文件 这样写是访问http或者是https都可以,最好还是http怕遇到证书不信任
root@k8s-master1:~# cat /etc/nginx/conf.d/nginx.conf 
#http区域写入这个文件上传限制
client_max_body_size 2048m;
server {
   listen 80;
   listen 443 ssl;
   server_name harbor.nbrhce.com;
   ssl_certificate /apps/nginx/certs/harbor.nbrhce.com.crt;
   ssl_certificate_key /apps/nginx/certs/harbor.nbrhce.com.key;
   ssl_session_cache shared:sslcache:20m;
   ssl_session_timeout 10m;

location / {
       proxy_pass http://192.168.1.75;

  }
}

#设置好域名解析 这个habor域名一定要指定在harbor哪台机器上 否则会遇到跳转404
root@k8s-master1:~# cat /etc/hosts
192.168.1.70 k8s-master1 
192.168.1.71 k8s-etcd1
192.168.1.72 k8s-etcd2
192.168.1.73 k8s-etcd3
192.168.1.74 k8s-node1
192.168.1.75 k8s-deploy-harbor harbor.nbrhce.com
192.168.1.75    easzlab.io.local

#buildkitd设置信任http 没有目录的话就创建
root@k8s-master1:~# cat /etc/buildkit/buildkitd.toml 
[registry."harbor.nbrhce.com"]
 http = true
 insecure = true

#nerdctl设置构建过程详细信息
root@k8s-master1:~# cat /etc/nerdctl/nerdctl.toml 
namespace = "k8s.io"
debug = false
debug_full = false
insecure_registry = true

#构建过程 要是别的节点想使用 需要安装nerdctl cni 分发证书 做域名解析 配置buildkit nerdctl
root@k8s-master1:~/k8s-data/dockerfile/web/pub-images/jdk-1.8.212# nerdctl build -t harbor.nbrhce.com/pub-image/jdk-base:v8.212 .

#上传
root@k8s-master1:~# nerdctl push harbor.nbrhce.com/pub-image/jdk-base:v8.212
  • 问题记录 没有识别到自签证书 但是我重启buildkitd服务之后就好使了 不是我证书的原因

image-20221210102236945

21.5 案例nginx toncat前后端分离加业务

  • 父镜像
nerdctl pull centos:7.9.2009
nerdctl tag  centos:7.9.2009 harbor.nbrhce.com/baseimages/centos:7.9.2009
  • 子镜像
root@k8s-master1:~/k8s-data/dockerfile/web/pub-images/jdk-1.8.212# cat Dockerfile
#JDK Base Image
FROM harbor.nbrhce.com/baseimages/centos:7.9.2009
#FROM centos:7.9.2009

MAINTAINER auth= this is tomcat image


ADD jdk-8u212-linux-x64.tar.gz /usr/local/src/
RUN ln -sv /usr/local/src/jdk1.8.0_212 /usr/local/jdk 
ADD profile /etc/profile


ENV JAVA_HOME /usr/local/jdk
ENV JRE_HOME $JAVA_HOME/jre
ENV CLASSPATH $JAVA_HOME/lib/:$JRE_HOME/lib/
ENV PATH $PATH:$JAVA_HOME/bin
  • 基础镜像
root@k8s-master1:~/k8s-data/dockerfile/web/pub-images/tomcat-base-8.5.43# cat Dockerfile 
#Tomcat 8.5.43基础镜像
FROM harbor.nbrhce.com/pub-image/jdk-base:v8.212

MAINTAINER auth= this is tomcat image

RUN mkdir /apps /data/tomcat/webapps /data/tomcat/logs -pv 
ADD apache-tomcat-8.5.43.tar.gz  /apps
RUN useradd tomcat -u 2050 && ln -sv /apps/apache-tomcat-8.5.43 /apps/tomcat && chown -R tomcat.tomcat /apps /data -R
  • 业务镜像
root@k8s-master1:~/k8s-data/dockerfile/web/magedu/tomcat-app1# cat Dockerfile 
#tomcat web1
FROM harbor.nbrhce.com/pub-image/tomcat-base:v8.5.43 

ADD catalina.sh /apps/tomcat/bin/catalina.sh
ADD server.xml /apps/tomcat/conf/server.xml
#ADD myapp/* /data/tomcat/webapps/myapp/
ADD app1.tar.gz /data/tomcat/webapps/myapp/
ADD run_tomcat.sh /apps/tomcat/bin/run_tomcat.sh
#ADD filebeat.yml /etc/filebeat/filebeat.yml 
RUN useradd nginx && chown  -R nginx.nginx /data/ && chown -R nginx.nginx /apps/
#ADD filebeat-7.5.1-x86_64.rpm /tmp/
#RUN cd /tmp && yum localinstall -y filebeat-7.5.1-amd64.deb

EXPOSE 8080 8443

CMD ["/apps/tomcat/bin/run_tomcat.sh"]

root@k8s-master1:~/k8s-data/dockerfile/web/magedu/tomcat-app1# cat build-command.sh 
#!/bin/bash
TAG=$1
#docker build -t  harbor.nbrhce.com/demo/tomcat-app1:${TAG} .
#sleep 3
#docker push  harbor.nbrhce.com/demo/tomcat-app1:${TAG}

nerdctl build -t  harbor.nbrhce.com/demo/tomcat-app1:${TAG} .
nerdctl push  harbor.nbrhce.com/demo/tomcat-app1:${TAG}
  • 测试运行业务
root@k8s-master1:~/k8s-data/dockerfile/web/magedu/tomcat-app1# nerdctl run --rm -p 8080:8080 harbor.nbrhce.com/demo/tomcat-app1:v1
Tomcat started.

  • tomcat运行在k8s上
root@k8s-node1:~/k8s-data/yaml/magedu/tomcat-app1# cat tomcat-app1.yaml 
kind: Deployment
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
metadata:
  labels:
    app: magedu-tomcat-app1-deployment-label
  name: magedu-tomcat-app1-deployment
  namespace: magedu
spec:
  replicas: 1
  selector:
    matchLabels:
      app: magedu-tomcat-app1-selector
  template:
    metadata:
      labels:
        app: magedu-tomcat-app1-selector
    spec:
      containers:
      - name: magedu-tomcat-app1-container
        image: harbor.nbrhce.com/demo/tomcat-app1:v1
        #command: ["/apps/tomcat/bin/run_tomcat.sh"]
        imagePullPolicy: IfNotPresent
        #imagePullPolicy: Always
        ports:
        - containerPort: 8080
          protocol: TCP
          name: http
        env:
        - name: "password"
          value: "123456"
        - name: "age"
          value: "18"
        #resources:
        #  limits:
        #    cpu: 1
        #    memory: "512Mi"
        #  requests:
        #    cpu: 500m
        #    memory: "512Mi"
        volumeMounts:
        - name: magedu-images
          mountPath: /usr/local/nginx/html/webapp/images
          readOnly: false
        - name: magedu-static
          mountPath: /usr/local/nginx/html/webapp/static
          readOnly: false
      volumes:
      - name: magedu-images
        nfs:
          server: 192.168.1.75
          path: /data/k8sdata/images
      - name: magedu-static
        nfs:
          server: 192.168.1.75
          path: /data/k8sdata/static
#      nodeSelector:
#        project: magedu
#        app: tomcat
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: magedu-tomcat-app1-service-label
  name: magedu-tomcat-app1-service
  namespace: magedu
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
    nodePort: 30092
  selector:
    app: magedu-tomcat-app1-selector
root@k8s-node1:~/k8s-data/yaml/magedu/tomcat-app1# 
  • nginx父镜像
root@k8s-master1:~/k8s-data/yaml/magedu/tomcat-app1# nerdctl pull centos:7.9.2009
root@k8s-master1:~/k8s-data/yaml/magedu/tomcat-app1# nerdctl tag centos:7.9.2009 harbor.nbrhce.com/baseimages/nbrhce-centos-base:7.9.2009
root@k8s-master1:~/k8s-data/yaml/magedu/tomcat-app1# nerdctl push harbor.nbrhce.com/baseimages/nbrhce-centos-base:7.9.2009

  • 基础镜像
root@k8s-node1:~/k8s-data/dockerfile/web/pub-images/nginx-base# cat Dockerfile 
#Nginx Base Image
FROM harbor.nbrhce.com/baseimages/nbrhce-centos-base:7.9.2009
MAINTAINER  zhangshijie@magedu.net

RUN yum install -y vim wget tree  lrzsz gcc gcc-c++ automake pcre pcre-devel zlib zlib-devel openssl openssl-devel iproute net-tools iotop
ADD nginx-1.22.0.tar.gz /usr/local/src/
RUN cd /usr/local/src/nginx-1.22.0 && ./configure  && make && make install && ln -sv  /usr/local/nginx/sbin/nginx /usr/sbin/nginx  &&rm -rf /usr/local/src/nginx-1.22.0.tar.gz 

root@k8s-node1:~/k8s-data/dockerfile/web/pub-images/nginx-base# cat build-command.sh 
#!/bin/bash
#docker build -t harbor.nbrhce.com/pub-images/nginx-base:v1.18.0  .
#sleep 1
#docker push  harbor.nbrhce.com/pub-images/nginx-base:v1.18.0

nerdctl build -t  harbor.nbrhce.com/pub-image/nginx-base:v1.22.0  .

nerdctl push harbor.nbrhce.com/pub-image/nginx-base:v1.22.0
  • 业务镜像
root@k8s-node1:~/k8s-data/dockerfile/web/magedu/nginx# cat Dockerfile 
#Nginx 1.22.0
FROM harbor.nbrhce.com/pub-image/nginx-base:v1.22.0 

ADD nginx.conf /usr/local/nginx/conf/nginx.conf
ADD app1.tar.gz  /usr/local/nginx/html/webapp/
ADD index.html  /usr/local/nginx/html/index.html

#静态资源挂载路径
RUN mkdir -p /usr/local/nginx/html/webapp/static /usr/local/nginx/html/webapp/images && useradd nginx

EXPOSE 80 443

CMD ["nginx"] 
  • nginx配置文件 匹配了一个url
user  nginx nginx;
worker_processes  auto;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;
daemon off;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

upstream  tomcat_webserver {
        server  magedu-tomcat-app1-service.magedu.svc.magedu.local:80;
}

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        location /webapp {
            root   html;
            index  index.html index.htm;
        }
  • nginx-k8s-YAML
root@k8s-node1:~/k8s-data/yaml/magedu/nginx# cat nginx.yaml 
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    app: magedu-nginx-deployment-label
  name: magedu-nginx-deployment
  namespace: magedu
spec:
  replicas: 1
  selector:
    matchLabels:
      app: magedu-nginx-selector
  template:
    metadata:
      labels:
        app: magedu-nginx-selector
    spec:
      containers:
      - name: magedu-nginx-container
        image: harbor.nbrhce.com/demo/nginx-web1:v1
        #command: ["/apps/tomcat/bin/run_tomcat.sh"]
        imagePullPolicy: IfNotPresent
        #    imagePullPolicy: Always
        ports:
        - containerPort: 80
          protocol: TCP
          name: http
        - containerPort: 443
          protocol: TCP
          name: https
        env:
        - name: "password"
          value: "123456"
        - name: "age"
          value: "20"
          #        resources:
          #          limits:
          #            cpu: 500m
          #            memory: 512Mi
          #          requests:
          #            cpu: 500m
          #            memory: 256Mi

        volumeMounts:
        - name: magedu-images
          mountPath: /usr/local/nginx/html/webapp/images
          readOnly: false
        - name: magedu-static
          mountPath: /usr/local/nginx/html/webapp/static
          readOnly: false
      volumes:
      - name: magedu-images
        nfs:
          server: 192.168.1.75
          path: /data/k8sdata/images 
      - name: magedu-static
        nfs:
          server: 192.168.1.75
          path: /data/k8sdata/static
      #nodeSelector:
      #  group: magedu

    

---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: magedu-nginx-service-label
  name: magedu-nginx-service
  namespace: magedu
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30090
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
    nodePort: 30091
  selector:
    app: magedu-nginx-selector


posted @ 2023-01-01 22:09  YIDADA-SRE  阅读(849)  评论(0编辑  收藏  举报