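Installing containerd
Creating a container through containerd spawns a containerd-shim process (the shim). Once started, containerd-shim launches /usr/bin/containerd-shim-runc-v2 and then exits immediately, so the parent of containerd-shim-runc-v2 becomes systemd (PID 1). containerd-shim-runc-v2 is thereby detached from containerd, and the container is unaffected even if containerd exits (this is the purpose of the containerd-shim component). runc is the concrete implementation of the OCI (Open Container Initiative) standard, and it is runc that ultimately creates and maintains the container. /usr/bin/containerd-shim-runc-v2 starts runc to create and start the container, after which runc exits immediately; the container's parent process becomes containerd-shim-runc-v2, and the container process is what appears as PID=1 inside the container.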
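The parent/child relationships described above can be checked from the host's process table. The following is an added example, not part of the original page: it reads `ps -eo pid,ppid,comm` output and lists every process whose parent is a shim, together with the shim's own parent. The sample rows are constructed, and the `pause` sandbox process is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,comm` on a containerd host (not a real capture).
# The comm column is limited to 15 characters, so containerd-shim-runc-v2 shows up
# as "containerd-shim".
sample_ps() {
cat <<'EOF'
    PID    PPID COMMAND
      1       0 systemd
    812       1 containerd
   2301       1 containerd-shim
   2325    2301 pause
   2398    2301 sleep
   3100     950 sleep
EOF
}

# Reads "PID PPID COMM" rows on stdin (first row is the header) and prints, for each
# process whose parent is a shim:
#   <pid> <comm> shim=<shim pid> shim_parent=<parent pid of the shim>
container_procs() {
  awk 'NR > 1 { ppid[$1] = $2; comm[$1] = $3; order[++n] = $1 }
       END {
         for (i = 1; i <= n; i++) {
           p = order[i]; s = ppid[p]
           if (comm[s] ~ /^containerd-shim/)
             printf "%s %s shim=%s shim_parent=%s\n", p, comm[p], s, ppid[s]
         }
       }'
}

# Run against the constructed sample; on a live host use:
#   ps -eo pid,ppid,comm | container_procs
sample_ps | container_procs
```

A `shim_parent` other than 1, or a container workload whose parent is not a shim, is worth a closer look during triage.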
containerd
https://github.com/containerd/containerd
https://github.com/containerd/containerd/releases
https://github.com/containerd/containerd/blob/main/docs/cri/crictl.md
https://github.com/containerd/containerd/blob/main/docs/getting-started.md
Installation
```bash
$ wget https://github.com/containerd/containerd/releases/download/v1.7.11/containerd-1.7.11-linux-amd64.tar.gz
$ tar Cxzvf /usr/local containerd-1.7.11-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/ctr
bin/containerd-shim
bin/containerd-shim-runc-v1
bin/containerd-stress
bin/containerd
```
Configuration
```bash
# Let systemd manage containerd
$ wget -O /usr/lib/systemd/system/containerd.service \
    https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
$ mkdir -p /etc/containerd
$ systemctl daemon-reload
$ systemctl enable --now containerd

# Generate the default configuration file
$ containerd config default > /etc/containerd/config.toml
```
RUNC
https://github.com/opencontainers/runc
https://github.com/opencontainers/runc/releases
Installation
```bash
$ wget -O /usr/bin/runc https://github.com/opencontainers/runc/releases/download/v1.1.10/runc.amd64
$ sudo chmod +x /usr/bin/runc
```
Note: if the containerd.io yum/dpkg package is installed, runc is installed along with it by default, so it does not need to be installed separately.
crictl
https://github.com/kubernetes-sigs/cri-tools
https://github.com/kubernetes-sigs/cri-tools/releases
https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md
Installation
```bash
# $VERSION must be set before the download URL is expanded
$ VERSION="v1.28.0"
$ wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-v1.28.0-linux-amd64.tar.gz
$ sudo tar Czxvf /usr/bin crictl-v1.28.0-linux-amd64.tar.gz
```
Configuration
```bash
$ echo "export CONTAINER_RUNTIME_ENDPOINT=unix:///run/containerd/containerd.sock" >> /etc/profile
$ source /etc/profile

# or

$ cat << EOF > /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
pull-image-on-create: false
EOF
```
cniPlugin
https://github.com/containernetworking/plugins
https://github.com/containernetworking/plugins/releases
https://www.cni.dev/docs/cnitool/
Installation
```bash
$ mkdir -p /opt/cni/bin
$ wget https://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgz
$ tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.4.0.tgz
./
./loopback
./bandwidth
./ptp
./vlan
./host-device
./tuning
./vrf
./sbr
./tap
./dhcp
./static
./firewall
./macvlan
./dummy
./bridge
./ipvlan
./portmap
./host-local
```
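The containerd, runc, crictl and CNI plugin installs above all fetch a release artefact with wget and place it in a root-owned path without an integrity check. As an added example (not from the original page), this shell helper compares a download against a checksum file before it is extracted; the file names in the demo are constructed, and it assumes the checksum file published with the release has been downloaded separately.

```shell
#!/bin/sh
# verify_sha256 FILE SUMFILE
# Returns 0 only if the SHA-256 of FILE equals the first field of SUMFILE.
# Accepts both "<hash>  <name>" and bare "<hash>" checksum files.
# Returns 1 on mismatch, 2 if an input is missing or SUMFILE is not a checksum.
verify_sha256() {
  file=$1; sumfile=$2
  [ -r "$file" ] && [ -r "$sumfile" ] || { echo "missing $file or $sumfile" >&2; return 2; }
  want=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
  # Reject anything that is not 64 hex digits, e.g. an HTML error page saved by wget.
  case $want in
    *[!0-9a-f]*|'') echo "malformed checksum file: $sumfile" >&2; return 2 ;;
  esac
  [ "${#want}" -eq 64 ] || { echo "malformed checksum file: $sumfile" >&2; return 2; }
  got=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$got" = "$want" ]; then
    echo "OK $file"
  else
    echo "MISMATCH $file: expected $want, got $got" >&2
    return 1
  fi
}

# Demo on a constructed stand-in for a release tarball (no network access needed).
demo() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for a release tarball\n' > "$dir/pkg.tar.gz"
  (cd "$dir" && sha256sum pkg.tar.gz > pkg.tar.gz.sha256sum)
  verify_sha256 "$dir/pkg.tar.gz" "$dir/pkg.tar.gz.sha256sum"
  # Simulate a modified download: the same checksum file must now be rejected.
  printf 'modified\n' >> "$dir/pkg.tar.gz"
  if verify_sha256 "$dir/pkg.tar.gz" "$dir/pkg.tar.gz.sha256sum"; then
    echo "unexpected: modified file accepted"
  else
    echo "modified file rejected, do not extract"
  fi
  rm -rf "$dir"
}
demo
```

In the install steps, run the check between `wget` and `tar`/`chmod`, and stop if it returns non-zero.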
CNI configuration files
```bash
$ mkdir -p /etc/cni/net.d
$ cat >/etc/cni/net.d/10-mynet.conf <<EOF
{
    "cniVersion": "0.2.0",
    "name": "mynet",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
        "type": "host-local",
        "subnet": "10.200.0.0/16",
        "routes": [
            { "dst": "0.0.0.0/0" }
        ]
    }
}
EOF

$ cat >/etc/cni/net.d/99-loopback.conf <<EOF
{
    "cniVersion": "0.2.0",
    "name": "lo",
    "type": "loopback"
}
EOF
```
Creating a pod with crictl
Step by step
Create the sandbox
```bash
$ cat <<EOF > pod-config.json
{
    "metadata": {
        "name": "netshoot",
        "namespace": "default",
        "attempt": 1,
        "uid": "netshoot"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}
EOF

$ crictl runp pod-config.json
d2fba6620370460cba02a9ac41ee2e04addc0b90775e6a8f0c45e22ccb7b0322
```
Check the sandbox status
```bash
$ crictl pods
POD ID              CREATED             STATE               NAME                NAMESPACE           ATTEMPT
d2fba66203704       10 seconds ago      Ready               netshoot            default             1
```
Create a container in the sandbox
```bash
$ cat <<EOF > pod-config.json
{
    "metadata": {
        "name": "netshoot",
        "namespace": "default",
        "attempt": 1,
        "uid": "netshoot"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}
EOF

$ cat <<EOF > container-config.json
{
  "metadata": {
      "name": "netshoot"
  },
  "command":[
    "sleep", "inf"
  ],
  "image":{
    "image": "nicolaka/netshoot"
  },
  "log_path":"netshoot.0.log",
  "linux": {
  }
}
EOF

$ crictl create d2fba6620370460cba02a9ac41ee2e04addc0b90775e6a8f0c45e22ccb7b0322 container-config.json pod-config.json
30914a198096bc1170efac25573685f4b9aaf016188fb266f2c356cc3c9561ea
```
Check the container status
```bash
$ crictl ps -a
CONTAINER           IMAGE                 CREATED              STATE      NAME        ATTEMPT    POD ID
30914a198096b       nicolaka/netshoot     About a minute ago   Created    netshoot    0          d2fba66203704
```
Start the container
```bash
$ crictl start 30914a198096bc1170efac25573685f4b9aaf016188fb266f2c356cc3c9561ea
30914a198096bc1170efac25573685f4b9aaf016188fb266f2c356cc3c9561ea

$ crictl ps
CONTAINER           IMAGE                 CREATED              STATE      NAME        ATTEMPT    POD ID
30914a198096b       nicolaka/netshoot     About a minute ago   Running    netshoot    0          d2fba66203704
```
Run a command inside the container
```bash
$ crictl exec -i -t 30914a198096b route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.200.0.1      0.0.0.0         UG    0      0        0 eth0
10.200.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
```
Create and start with a single command
```bash
$ cat <<EOF > pod-config.json
{
    "metadata": {
        "name": "netshoot",
        "namespace": "default",
        "attempt": 1,
        "uid": "netshoot"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}
EOF

$ cat <<EOF > container-config.json
{
  "metadata": {
      "name": "netshoot"
  },
  "command":[
    "sleep", "inf"
  ],
  "image":{
    "image": "nicolaka/netshoot"
  },
  "log_path":"netshoot.0.log",
  "linux": {
  }
}
EOF

$ crictl run container-config.json pod-config.json
51e11da943e5b1e39d2d9980f8bf87f362fe46e786eeb6ab75f91c0927035940
```
Related reading
https://www.cnblogs.com/zhangmingcheng/p/17524721.html
https://www.qikqiak.com/post/containerd-usage/