Containerd安装与使用

2022-10-12

1|0Containerd 的技术方向和目标

简洁的基于 gRPC 的 API 和 client library
完整的 OCI 支持(runtime 和 image spec)
同时具备稳定性和高性能的定义良好的容器核心功能
一个解耦的系统(让 image、filesystem、runtime 解耦合)，实现插件式的扩展和重用

为什么需要独立的 containerd：

以往隶属于docker项目中，现如今从整体 docker 引擎中分离出的项目(开源项目的思路)
可以被 Kubernets CRI 等项目使用(通用化)
为广泛的行业合作打下基础(就像 runC 一样)

containerd的架构设计图：

2|0安装containerd

验证仓库版本：

root@containerd:~ apt-cache madison containerd

ubuntu在线仓库版本不是最新，可以使用github仓库中的新版本，使用二进制方式部署

下载二进制安装包

github链接地址：https://github.com/containerd/containerd/releases

选择64位x86架构系统安装包

上传安装包到服务器并开始解压安装

解压缩并将containerd执行文件放入系统默认命令路径下

root@containerd:/tools tar xf containerd-1.6.6-linux-amd64.tar.gz root@containerd:/tools cp -r bin/* /usr/local/bin/

创建containerd systemd service启动管理文件：

修改ExecStart=/usr/local/bin/containerd为当前containerd文件路径

root@containerd:/tools cd /etc/systemd/system/ root@containerd:/etc/systemd/system# cat containerd.service # Copyright The containerd Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. [Unit] Description=containerd container runtime Documentation=https://containerd.io After=network.target local-fs.target [Service] ExecStartPre=-/sbin/modprobe overlay ExecStart=/usr/local/bin/containerd Type=notify Delegate=yes KillMode=process Restart=always RestartSec=5 # Having non-zero Limit*s causes performance problems due to accounting overhead # in the kernel. We recommend using cgroups to do container-local accounting. LimitNPROC=infinity LimitCORE=infinity LimitNOFILE=infinity # Comment TasksMax if your systemd version does not supports it. # Only systemd 226 and above support this version. TasksMax=infinity OOMScoreAdjust=-999 [Install] WantedBy=multi-user.target

重新加载系统管理服务文件

root@containerd:/etc/systemd/system# systemctl daemon-reload

创建配置文件

root@containerd:/etc/systemd/system# mkdir /etc/containerd

生成模板配置文件

root@containerd:/etc/systemd/system# containerd config default > /etc/containerd/config.toml

修改配置文件

root@containerd:/etc/systemd/system# cd /etc/containerd/ root@containerd:/etc/containerd# vim config.toml

vim下搜索/mirrors，添加镜像加速，使用docker镜像源即可，上下级配置，缩进两个空格。

[plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] endpoint = ["https://dxc7f1d6.mirror.aliyuncs.com"]

如果是从docker.io下载进行，则使用endpoint配置的镜像站点加速下载

启动containerd并设置开机自启动

root@containerd:/etc/containerd# systemctl enable containerd --now

3|0安装runc

github下载链接：https://github.com/opencontainers/runc/releases

下载最新版本

上传到服务器

root@containerd:/tools# chmod +x runc.amd64 root@containerd:/tools# cp runc.amd64 /usr/local/bin/runc

4|0验证使用containerd

containerd是ctrl工具在服务器上创建、管理和使用容器

root@containerd:~# ctr --help NAME: ctr - __ _____/ /______ / ___/ __/ ___/ / /__/ /_/ / \___/\__/_/ containerd CLI USAGE: ctr [global options] command [command options] [arguments...] VERSION: v1.6.6 DESCRIPTION: ctr is an unsupported debug and administrative client for interacting with the containerd daemon. Because it is unsupported, the commands, options, and operations are not guaranteed to be backward compatible or stable from release to release of the containerd project. COMMANDS: plugins, plugin provides information about containerd plugins version print the client and server versions containers, c, container manage containers content manage content events, event display containerd events images, image, i manage images leases manage leases namespaces, namespace, ns manage namespaces pprof provide golang pprof outputs for containerd run run a container snapshots, snapshot manage snapshots tasks, t, task manage tasks install install a new package oci OCI tools shim interact with a shim directly help, h Shows a list of commands or help for one command GLOBAL OPTIONS: --debug enable debug output in logs --address value, -a value address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS] --timeout value total timeout for ctr commands (default: 0s) --connect-timeout value timeout for connecting to containerd (default: 0s) --namespace value, -n value namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE] --help, -h show help --version, -v print the version

拉取镜像

与docker区别在于拉取官方镜像必须指定镜像的完整名称包括镜像仓库地址

root@containerd:~# ctr images pull docker.io/library/nginx:latest

查看本地的镜像

root@containerd:~# ctr images ls

运行容器

root@containerd:~# ctr run -t docker.io/library/nginx:latest container1 bash

5|0container客户端工具

客户端工具有两种，分别是crictl和nerdctl

推荐使用nerdctl，使用效果与docker命令的语法一致

github下载链接：https://github.com/containerd/nerdctl/releases

下载安装nerdctl

解压安装nerdctl

拷贝nerdctl到系统二进制命令路径下

root@containerd:/tools# cp nerdctl /usr/local/bin/

验证版本

查看nerdctl使用帮助，与docker客户端工具使用方法基本一致

root@containerd:~# nerdctl --help nerdctl is a command line interface for containerd Config file ($NERDCTL_TOML): /etc/nerdctl/nerdctl.toml Usage: nerdctl [flags] nerdctl [command] Management commands: apparmor Manage AppArmor profiles builder Manage builds container Manage containers image Manage images ipfs Distributing images on IPFS namespace Manage containerd namespaces network Manage networks system Manage containerd volume Manage volumes Commands: build Build an image from a Dockerfile. Needs buildkitd to be running. commit Create a new image from a container's changes completion Generate the autocompletion script for the specified shell compose Compose cp Copy files/folders between a running container and the local filesystem. create Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS. events Get real time events from the server exec Run a command in a running container help Help about any command history Show the history of an image images List images info Display system-wide information inspect Return low-level information on objects. kill Kill one or more running containers load Load an image from a tar archive or STDIN login Log in to a Docker registry logout Log out from a Docker registry logs Fetch the logs of a container. Currently, only containers created with `nerdctl run -d` are supported. pause Pause all processes within one or more containers port List port mappings or a specific mapping for the container ps List containers pull Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS. push Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS. rename rename a container restart Restart one or more running containers rm Remove one or more containers rmi Remove one or more images run Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS. save Save one or more images to a tar archive (streamed to STDOUT by default) start Start one or more running containers stats Display a live stream of container(s) resource usage statistics. stop Stop one or more running containers tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE top Display the running processes of a container unpause Unpause all processes within one or more containers update Update one or more running containers version Show the nerdctl version information wait Block until one or more containers stop, then print their exit codes. Flags: -H, --H string Alias of --address (default "/run/containerd/containerd.sock") -a, --a string Alias of --address (default "/run/containerd/containerd.sock") --address string containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock") --cgroup-manager string Cgroup manager to use ("cgroupfs"|"systemd") (default "cgroupfs") --cni-netconfpath string cni config directory [$NETCONFPATH] (default "/etc/cni/net.d") --cni-path string cni plugins binary directory [$CNI_PATH] (default "/opt/cni/bin") --data-root string Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/var/lib/nerdctl") --debug debug mode --debug-full debug mode (with full output) -h, --help help for nerdctl --host string Alias of --address (default "/run/containerd/containerd.sock") --hosts-dir strings A directory that contains <HOST:PORT>/hosts.toml (containerd style) or <HOST:PORT>/{ca.cert, cert.pem, key.pem} (docker style) (default [/etc/containerd/certs.d,/etc/docker/certs.d]) --insecure-registry skips verifying HTTPS certs, and allows falling back to plain HTTP -n, --n string Alias of --namespace (default "default") --namespace string containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default") --snapshotter string containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs") --storage-driver string Alias of --snapshotter (default "overlayfs") -v, --version version for nerdctl Use "nerdctl [command] --help" for more information about a command.

查看镜像、容器：

拉取镜像：

6|0安装cni网络插件

CNI：Container network interface容器网络接口，为容器分配ip地址网卡等

github链接：

https://github.com/containernetworking/plugins/releases

下载安装cni，并解压到/usr/local/cni/bin目录下

root@containerd:/tools# mkdir /opt/cni/bin -p root@containerd:/tools# tar xf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/

查看解压后的cni插件文件：

注意：必须将cni解压到/opt/cni/bin，否则nerdctl为容器映射端口时，会出现找不到cni插件的报错

root@containerd:~# nerdctl run -d -p 80:80 --name=web --restart=always nginx:latest FATA[0000] needs CNI plugin "bridge" to be installed in CNI_PATH ("/opt/cni/bin"), see https://github.com/con stat /opt/cni/bin/bridge: no such file or directory