Containerd container technology
Preface: containerd has existed inside Docker Engine for a long time. What changed is that containerd was split out of Docker Engine into an independent open-source project, with the goal of providing a more open and stable foundation for running containers. The standalone containerd has gained more functionality, covers the full range of container runtime management, and offers stronger support.
What is Containerd?
containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.
Installing and using containerd
1. First install the libseccomp dependency
# check whether it is already installed
rpm -qa | grep libseccomp
# install the libseccomp package
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libseccomp-2.3.1-4.el7.x86_64.rpm
yum install libseccomp-2.3.1-4.el7.x86_64.rpm -y
(libseccomp is also in the regular CentOS 7 repositories. Installing it from there keeps yum's GPG signature check; for a locally downloaded rpm yum skips that check unless localpkg_gpgcheck=1, and the download above travels over plain http.)
2. Download the containerd package
containerd calls runc, so runc has to be installed as well; conveniently, containerd publishes a bundle that already contains runc and the other dependencies (this cri-containerd-cni bundle is marked deprecated upstream, which is what the cri-containerd.DEPRECATED.txt in the listing below refers to, but the 1.7.x releases still ship it).
wget https://github.com/containerd/containerd/releases/download/v1.7.5/cri-containerd-cni-1.7.5-linux-amd64.tar.gz
# if access is restricted, the URL below can be substituted to speed up the download
wget https://download.fastgit.org/containerd/containerd/releases/download/v1.7.5/cri-containerd-cni-1.7.5-linux-amd64.tar.gz
Whichever source you use, compare the archive's sha256sum with the .sha256sum file attached to the GitHub release before extracting it; a third-party mirror is outside the project's control.
3. Extract and install the containerd package
tar -C / -xzf cri-containerd-cni-1.7.5-linux-amd64.tar.gz
The archive contents can be listed with tar; because the command above writes straight into /, this shows exactly which host paths are touched:
tar -tf cri-containerd-cni-1.7.5-linux-amd64.tar.gz
--------------------------------------------------------
cri-containerd.DEPRECATED.txt
etc/
etc/crictl.yaml
etc/cni/
etc/cni/net.d/
etc/cni/net.d/10-containerd-net.conflist
etc/systemd/
etc/systemd/system/
etc/systemd/system/containerd.service
usr/
usr/local/
usr/local/bin/
usr/local/bin/critest
usr/local/bin/ctr
usr/local/bin/crictl
usr/local/bin/containerd-stress
usr/local/bin/containerd
usr/local/bin/containerd-shim
usr/local/bin/containerd-shim-runc-v1
usr/local/bin/containerd-shim-runc-v2
usr/local/bin/ctd-decoder
usr/local/sbin/
usr/local/sbin/runc
opt/
opt/cni/
opt/cni/bin/
opt/cni/bin/dhcp
opt/cni/bin/macvlan
opt/cni/bin/sbr
opt/cni/bin/static
opt/cni/bin/firewall
opt/cni/bin/ipvlan
opt/cni/bin/bandwidth
opt/cni/bin/host-local
opt/cni/bin/host-device
opt/cni/bin/bridge
opt/cni/bin/loopback
opt/cni/bin/ptp
opt/cni/bin/vlan
opt/cni/bin/vrf
opt/cni/bin/tuning
opt/cni/bin/portmap
opt/cni/bin/dummy
opt/containerd/
opt/containerd/cluster/
opt/containerd/cluster/version
opt/containerd/cluster/gce/
opt/containerd/cluster/gce/configure.sh
opt/containerd/cluster/gce/cloud-init/
opt/containerd/cluster/gce/cloud-init/master.yaml
opt/containerd/cluster/gce/cloud-init/node.yaml
opt/containerd/cluster/gce/env
opt/containerd/cluster/gce/cni.template
4. Create the containerd configuration file
containerd's default configuration file is /etc/containerd/config.toml
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
5. Start the containerd service
The bundle ships its own containerd.service unit
cat /etc/systemd/system/containerd.service
---------------------------------------------
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
# Comment out TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this directive.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
With that unit in place, systemd runs containerd as a daemon:
systemctl enable containerd --now
The following commands check the resulting environment
# containerd service status
systemctl status containerd
# ctr client and server versions
ctr version
# runc version
runc --version
I. The ctr tool
ctr is the CLI client that ships with containerd. As its own help text says, it is an unsupported debugging and administrative client, so its commands may change between releases. It talks to the daemon over /run/containerd/containerd.sock; anyone who can write to that socket can create containers with arbitrary mounts and host namespaces, so access to the socket is equivalent to root on the host and should be restricted accordingly.
Show the ctr command usage
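Steps 2 to 5 above, combined into an added example script (not part of the original page or of the containerd project) that verifies the download before extracting it over /. It assumes the release's companion .sha256sum asset, which containerd publishes next to each tarball in the "<sha256>  <filename>" format that sha256sum -c reads, and it assumes the generated config.toml contains the usual SystemdCgroup = false line under the runc options, which is switched to true so containerd uses the systemd cgroup driver on this systemd-managed host. Only install_bundle needs root and network access; the checking functions work on any tarball or config file.

```sh
#!/bin/sh
# Guarded installation of the cri-containerd-cni bundle (added example).
# Assumptions: the .sha256sum asset exists next to the tarball on GitHub and
# uses the "<sha256>  <filename>" format of `sha256sum -c`; paths match the page.
set -eu

VERSION=${VERSION:-1.7.5}
BUNDLE="cri-containerd-cni-${VERSION}-linux-amd64.tar.gz"
BASE_URL="https://github.com/containerd/containerd/releases/download/v${VERSION}"

# verify_checksum TARBALL SUMFILE
# Compares the archive's SHA-256 with the entry for its file name in SUMFILE.
# Fails if the hash differs or the name is not listed, so a mirror or a
# tampered download cannot pass unnoticed.
verify_checksum() {
    tarball=$1
    sumfile=$2
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f { print $1 }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $tarball in $sumfile" >&2
        return 1
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# audit_members TARBALL
# `tar -C / -xzf` writes wherever the archive says, so refuse members with
# absolute paths or ".." components, and anything outside the etc/, usr/ and
# opt/ trees this bundle is known to populate.
audit_members() {
    tar -tzf "$1" | awk '
        BEGIN { bad = 0 }
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1; print "unsafe member: " $0 > "/dev/stderr"; next }
        !/^(etc|usr|opt)\// && $0 != "cri-containerd.DEPRECATED.txt" { bad = 1; print "unexpected member: " $0 > "/dev/stderr" }
        END { exit bad }'
}

# enable_systemd_cgroup CONFIG
# `containerd config default` emits SystemdCgroup = false under the runc
# options. With systemd as the cgroup manager (the page's unit file, and
# nerdctl's default --cgroup-manager=systemd) it should be true; Kubernetes
# also requires the kubelet and the runtime to agree on the cgroup driver.
enable_systemd_cgroup() {
    sed -i 's/^\([[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*\)false/\1true/' "$1"
    grep -q 'SystemdCgroup[[:space:]]*=[[:space:]]*true' "$1"
}

# install_bundle: download, verify, audit, extract, configure, start (needs root).
install_bundle() {
    cd "$(mktemp -d)"
    curl -fsSLO "${BASE_URL}/${BUNDLE}"
    curl -fsSLO "${BASE_URL}/${BUNDLE}.sha256sum"
    verify_checksum "$BUNDLE" "${BUNDLE}.sha256sum"
    audit_members "$BUNDLE"
    tar -C / -xzf "$BUNDLE"
    mkdir -p /etc/containerd
    containerd config default > /etc/containerd/config.toml
    enable_systemd_cgroup /etc/containerd/config.toml
    systemctl daemon-reload
    systemctl enable containerd --now
    ctr version
}

# Only run the installation when invoked as `sh install.sh install`;
# sourcing the file just defines the functions.
if [ "${1:-}" = "install" ]; then
    install_bundle
fi
```

audit_members is deliberately strict: a member such as bin/rogue or /etc/passwd fails the check, even though GNU tar would strip the leading slash by default, because an archive that does not match the listing on this page is reason enough to stop.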
[root@docker ~]# ctr --help
NAME:
   ctr -
        __
  _____/ /______
 / ___/ __/ ___/
/ /__/ /_/ /
\___/\__/_/
containerd CLI
USAGE:
ctr [global options] command [command options] [arguments...]
VERSION:
v1.7.5
DESCRIPTION:
ctr is an unsupported debug and administrative client for interacting
with the containerd daemon. Because it is unsupported, the commands,
options, and operations are not guaranteed to be backward compatible or
stable from release to release of the containerd project.
COMMANDS:
plugins, plugin provides information about containerd plugins
version print the client and server versions
containers, c, container manage containers
content manage content
events, event display containerd events
images, image, i manage images
leases manage leases
namespaces, namespace, ns manage namespaces
pprof provide golang pprof outputs for containerd
run run a container
snapshots, snapshot manage snapshots
tasks, t, task manage tasks
install install a new package
oci OCI tools
shim interact with a shim directly
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--debug enable debug output in logs
--address value, -a value address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS]
--timeout value total timeout for ctr commands (default: 0s)
--connect-timeout value timeout for connecting to containerd (default: 0s)
--namespace value, -n value namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
--help, -h show help
--version, -v print the version
1. Image operations
Command: ctr images/image/i
-q: show only image names
# list local images
ctr images ls -q
# pull an image
ctr images pull docker.io/library/nginx:alpine
# give the image another tag
ctr images tag docker.io/library/nginx:alpine docker.io/library/nginx:test
# delete an image
ctr images rm docker.io/library/nginx:alpine
# mount the image's root filesystem on a host directory (read-only unless --rw is given)
ctr images mount docker.io/library/nginx:alpine /nginx
# unmount it again
ctr images unmount /nginx
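An added example (not from the original page or from containerd) of what ctr images mount is good for: inspecting an image's filesystem for setuid/setgid executables and world-writable files without ever starting a container from it. It assumes GNU find (for -printf) and the mount/unmount commands exactly as shown above; the image name and mount point in the trailing comment are placeholders.

```sh
#!/bin/sh
# Static look inside an image via `ctr images mount` (added example).
set -eu

# audit_image IMAGE MOUNTPOINT
# Mounts the image's root filesystem read-only at MOUNTPOINT, prints one
# sorted line per finding ("setid <mode> <path>" or "world-writable <mode>
# <path>") and unmounts on every exit path, so no stale mount is left behind.
audit_image() {
    image=$1
    mnt=$2
    mkdir -p "$mnt"
    ctr images mount "$image" "$mnt" >/dev/null
    trap 'ctr images unmount "$mnt" >/dev/null 2>&1 || true' EXIT
    (
        cd "$mnt"
        # -xdev keeps find from descending into anything mounted underneath
        find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf 'setid %M %p\n'
        find . -xdev -type f -perm -0002 -printf 'world-writable %M %p\n'
    ) | sort
    ctr images unmount "$mnt" >/dev/null
    trap - EXIT
}

# finding_count IMAGE MOUNTPOINT: number of findings, usable as a gate in CI
finding_count() {
    audit_image "$1" "$2" | wc -l | tr -d ' '
}

# Example against a live daemon with the image pulled as on this page:
#   audit_image docker.io/library/nginx:alpine /mnt/nginx-audit
```

The mount is read-only by default, so the audit cannot alter the image's snapshot; for a read-write scratch copy ctr images mount takes --rw, which is exactly what an audit should not use.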
2. Container operations
Command: ctr containers/container/c
-q: show only container IDs
# list containers
ctr containers ls -q
# create a container (no process is started yet; that is a task, see below)
ctr containers create docker.io/library/nginx:alpine nginx
# show the container's details, i.e. its OCI spec including mounts and namespaces
ctr containers info nginx
# delete a container
ctr containers rm nginx
3. Container tasks
Command: ctr task
-d: run in the background, like docker's -d
-t: allocate a tty
# list tasks
ctr task ls
# start the container's process as a task
ctr task start -d nginx
# pause the container
ctr task pause nginx
# resume it
ctr task resume nginx
# kill the container's process (SIGTERM by default; -s selects another signal)
ctr task kill nginx
# delete the task (it must have exited, or pass --force)
ctr task rm nginx
# memory, CPU and PID limits and current usage for the container
ctr task metrics nginx
# processes running inside the container
ctr task ps nginx
# open a shell inside the container
ctr task exec --exec-id 0 -t nginx sh
4. Namespaces
Command: ctr namespaces/namespace/ns
-n: select the namespace
# list namespaces
ctr ns ls
# create a namespace
ctr ns create test
# delete a namespace
ctr ns rm test
# view and manipulate images in a given namespace
ctr -n test images ls
ctr -n test images pull docker.io/library/nginx:alpine
Note:
Docker itself also calls containerd under the hood, but the containerd namespace Docker uses is moby rather than default, so containers started with docker can be located with ctr -n moby
ctr -n moby container ls
Likewise, the containerd namespace used by Kubernetes is k8s.io, so ctr -n k8s.io shows the containers Kubernetes created
ctr -n k8s.io container ls
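The namespace note above, worked into an added example script (not part of the original page or of containerd) that walks every namespace instead of only default. It relies on nothing beyond the ctr namespaces ls, containers ls and tasks ls output shown on this page (a header line followed by one row per object). The point to take away is that a containerd namespace is an administrative partition, not a security boundary: any client that can reach the socket enumerates and manipulates moby and k8s.io exactly as easily as default.

```sh
#!/bin/sh
# Cross-namespace container inventory with ctr (added example).
set -eu

# inventory
# Prints "<namespace> <container> <image> <status>" for every container in
# every namespace. `ctr containers ls` prints CONTAINER/IMAGE/RUNTIME columns
# and `ctr tasks ls` prints TASK/PID/STATUS; a container without a task has
# been created but never started and is reported as NO-TASK.
inventory() {
    ctr namespaces ls -q | while read -r ns; do
        [ -n "$ns" ] || continue
        tasks=$(ctr -n "$ns" tasks ls | awk 'NR > 1 { print $1, $3 }')
        ctr -n "$ns" containers ls | awk 'NR > 1 { print $1, $2 }' |
        while read -r name image; do
            status=$(printf '%s\n' "$tasks" | awk -v c="$name" '$1 == c { print $2 }')
            printf '%s %s %s %s\n' "$ns" "$name" "$image" "${status:-NO-TASK}"
        done
    done
}

# locate_container NAME: print the namespace(s) holding container NAME,
# i.e. the value to pass to -n for it.
locate_container() {
    inventory | awk -v c="$1" '$2 == c { print $1 }'
}

# count_running: containers with a RUNNING task across all namespaces
count_running() {
    inventory | awk '$4 == "RUNNING" { n++ } END { print n + 0 }'
}

# Example run against a live daemon:
#   inventory
#   locate_container nginx
```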
II. The nerdctl tool
nerdctl is a containerd client whose CLI is compatible with the docker CLI and which also understands docker compose syntax, so working with it feels much closer to the docker commands.
Installing nerdctl
To build images with nerdctl build, the BuildKit tool has to be installed separately
1. Download and install the nerdctl command
wget https://github.com/containerd/nerdctl/releases/download/v1.5.0/nerdctl-1.5.0-linux-amd64.tar.gz
# create a directory and move the nerdctl binary into it
mkdir -p /usr/local/containerd/bin
tar -zxvf nerdctl-1.5.0-linux-amd64.tar.gz && mv nerdctl /usr/local/containerd/bin
# put the command on the PATH
ln -s /usr/local/containerd/bin/nerdctl /usr/local/bin/nerdctl
2. Download and install BuildKit
# download and extract into the working directory
wget https://github.com/moby/buildkit/releases/download/v0.12.2/buildkit-v0.12.2.linux-amd64.tar.gz
tar -zxf buildkit-v0.12.2.linux-amd64.tar.gz -C /usr/local/containerd/
# put the commands on the PATH
ln -s /usr/local/containerd/bin/buildkitd /usr/local/bin/buildkitd
ln -s /usr/local/containerd/bin/buildctl /usr/local/bin/buildctl
# write a buildkitd unit so systemctl can manage it; the containerd worker needs containerd up first, hence After=
cat > /etc/systemd/system/buildkit.service << 'EOF'
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
After=containerd.service
[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true
[Install]
WantedBy=multi-user.target
EOF
# start buildkitd
systemctl daemon-reload
systemctl enable buildkit --now
Using nerdctl
Show the nerdctl command usage
[root@docker ~]# nerdctl --help
nerdctl is a command line interface for containerd
Config file ($NERDCTL_TOML): /etc/nerdctl/nerdctl.toml
Usage: nerdctl [flags]
Management commands:
apparmor Manage AppArmor profiles
builder Manage builds
container Manage containers
image Manage images
ipfs Distributing images on IPFS
namespace Manage containerd namespaces
network Manage networks
system Manage containerd
volume Manage volumes
Commands:
build Build an image from a Dockerfile. Needs buildkitd to be running.
commit Create a new image from a container's changes
completion Generate the autocompletion script for the specified shell
compose Compose
cp Copy files/folders between a running container and the local filesystem.
create Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
events Get real time events from the server
exec Run a command in a running container
help Help about any command
history Show the history of an image
images List images
info Display system-wide information
inspect Return low-level information on objects.
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a container registry
logout Log out from a container registry
logs Fetch the logs of a container. Expected to be used with 'nerdctl run -d'.
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
push Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS.
rename rename a container
restart Restart one or more running containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
save Save one or more images to a tar archive (streamed to STDOUT by default)
start Start one or more running containers
stats Display a live stream of container(s) resource usage statistics.
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update one or more running containers
version Show the nerdctl version information
wait Block until one or more containers stop, then print their exit codes.
Flags:
-H, --H string Alias of --address (default "/run/containerd/containerd.sock")
-a, --a string Alias of --address (default "/run/containerd/containerd.sock")
--address string containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock")
--cgroup-manager string Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
--cni-netconfpath string cni config directory [$NETCONFPATH] (default "/etc/cni/net.d")
--cni-path string cni plugins binary directory [$CNI_PATH] (default "/opt/cni/bin")
--data-root string Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/var/lib/nerdctl")
--debug debug mode
--debug-full debug mode (with full output)
--experimental Control experimental: https://github.com/containerd/nerdctl/blob/main/docs/experimental.md [$NERDCTL_EXPERIMENTAL] (default true)
-h, --help help for nerdctl
--host string Alias of --address (default "/run/containerd/containerd.sock")
--host-gateway-ip string IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host [$NERDCTL_HOST_GATEWAY_IP] (default "10.88.0.2")
--hosts-dir strings A directory that contains <HOST:PORT>/hosts.toml (containerd style) or <HOST:PORT>/{ca.cert, cert.pem, key.pem} (docker style) (default [/etc/containerd/certs.d,/etc/docker/certs.d])
--insecure-registry skips verifying HTTPS certs, and allows falling back to plain HTTP
-n, --n string Alias of --namespace (default "default")
--namespace string containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default")
--snapshotter string containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs")
--storage-driver string Alias of --snapshotter (default "overlayfs")
-v, --version version for nerdctl
Run 'nerdctl COMMAND --help' for more information on a command.
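The --insecure-registry flag listed above disables certificate verification and allows a fallback to plain HTTP, which is the wrong fix for a registry that uses a private CA. The --hosts-dir flag points at the right one: a containerd-style <HOST:PORT>/hosts.toml that pins the CA. The script below is an added example (not from the original page or from nerdctl) that writes such a file and checks it. It assumes the hosts.toml keys server, host, capabilities, ca and skip_verify as documented by containerd for /etc/containerd/certs.d, and the registry name and CA path in the trailing comment are placeholders.

```sh
#!/bin/sh
# Pin a private registry CA for nerdctl/containerd instead of using
# --insecure-registry (added example).
set -eu

# write_registry_hosts HOSTPORT CA_FILE [HOSTS_DIR]
# Creates HOSTS_DIR/HOSTPORT/hosts.toml (HOSTS_DIR defaults to
# /etc/containerd/certs.d, the first entry of nerdctl's --hosts-dir) so that
# pulls and pushes to HOSTPORT verify the server certificate against CA_FILE.
write_registry_hosts() {
    hostport=$1
    ca=$2
    dir=${3:-/etc/containerd/certs.d}
    if [ ! -r "$ca" ]; then
        echo "CA file $ca is not readable" >&2
        return 1
    fi
    mkdir -p "$dir/$hostport"
    cat > "$dir/$hostport/hosts.toml" <<EOF
server = "https://$hostport"

[host."https://$hostport"]
  capabilities = ["pull", "resolve", "push"]
  ca = "$ca"
  skip_verify = false
EOF
    chmod 0644 "$dir/$hostport/hosts.toml"
}

# registry_is_pinned HOSTPORT [HOSTS_DIR]
# Returns 0 only if a hosts.toml exists for HOSTPORT, names a CA file that is
# present on disk, and does not set skip_verify = true.
registry_is_pinned() {
    f="${2:-/etc/containerd/certs.d}/$1/hosts.toml"
    [ -f "$f" ] || return 1
    if grep -Eq '^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$f"; then
        return 1
    fi
    cafile=$(sed -n 's/^[[:space:]]*ca[[:space:]]*=[[:space:]]*"\(.*\)"/\1/p' "$f" | head -n 1)
    [ -n "$cafile" ] && [ -r "$cafile" ]
}

# Example: write_registry_hosts registry.example.internal:5000 /etc/pki/registry-ca.pem
# afterwards `nerdctl pull registry.example.internal:5000/app:1.0` works
# without --insecure-registry, and `nerdctl login` still uses TLS.
```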