containerd Installation

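Creating a container through containerd spawns a containerd-shim process (the shim). Once started, containerd-shim launches /usr/bin/containerd-shim-runc-v2 and then exits immediately, so the parent of containerd-shim-runc-v2 becomes systemd (PID 1). This detaches containerd-shim-runc-v2 from containerd: even if containerd exits, the container is not affected (this is the purpose of the containerd-shim suite). runc is the concrete implementation of the OCI (Open Container Initiative) standard, and it is runc that ultimately creates and maintains the container. /usr/bin/containerd-shim-runc-v2 starts runc to create and start the container, then runc exits immediately and the container process is re-parented to containerd-shim-runc-v2; it is also the process seen as PID 1 inside the container.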
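The parent/child relationships described above can be checked on a host from the process table. The following is an added example, not part of the original post; `shim_report` and `sample_ps` are hypothetical helper names and the process list is constructed.

```shell
#!/usr/bin/env bash
# Added example: report each containerd-shim-runc-v2, whether it has been
# re-parented to PID 1, and which processes (the containers) it parents.
# Input: lines of "PID PPID COMMAND..." as printed by `ps -eo pid=,ppid=,args=`.
shim_report() {
  awk '
    {
      n = split($3, path, "/")            # basename of the executable
      ppid[$1] = $2 + 0; name[$1] = path[n]; order[++count] = $1 + 0
    }
    END {
      for (i = 1; i <= count; i++) {
        p = order[i]
        if (name[p] != "containerd-shim-runc-v2") continue
        state = (ppid[p] == 1) ? "detached" : "not-reparented"
        kids = ""
        for (j = 1; j <= count; j++) {
          c = order[j]
          if (ppid[c] == p) kids = kids (kids == "" ? "" : ",") name[c] "(" c ")"
        }
        printf "shim=%s parent=%s %s children=%s\n", p, ppid[p], state, (kids == "" ? "-" : kids)
      }
    }'
}

# Constructed sample of a host running one pod (pause + one container).
sample_ps() {
  cat <<'EOF'
    1     0 /usr/lib/systemd/systemd --system
  812     1 /usr/local/bin/containerd
 2301     1 /usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id SANDBOX_ID -address /run/containerd/containerd.sock
 2322  2301 /pause
 2410  2301 sleep inf
EOF
}

sample_ps | shim_report
# On a live host: ps -eo pid=,ppid=,args= | shim_report
```

A shim reported as `not-reparented`, or a container process whose parent is not a shim, does not match the lifecycle described above and is worth a closer look.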

containerd

https://github.com/containerd/containerd
https://github.com/containerd/containerd/releases
https://github.com/containerd/containerd/blob/main/docs/cri/crictl.md
https://github.com/containerd/containerd/blob/main/docs/getting-started.md

Installation

$ wget https://github.com/containerd/containerd/releases/download/v1.7.11/containerd-1.7.11-linux-amd64.tar.gz
$ tar Cxzvf /usr/local containerd-1.7.11-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/ctr
bin/containerd-shim
bin/containerd-shim-runc-v1
bin/containerd-stress
bin/containerd

Configuration

# Configure systemd management
$ wget -O /usr/lib/systemd/system/containerd.service \
https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
$ mkdir -p /etc/containerd
$ systemctl daemon-reload
$ systemctl enable --now containerd

# Generate the default configuration file
$ containerd config default > /etc/containerd/config.toml

RUNC

https://github.com/opencontainers/runc
https://github.com/opencontainers/runc/releases

Installation

$ wget -O /usr/bin/runc https://github.com/opencontainers/runc/releases/download/v1.1.10/runc.amd64
$ sudo chmod +x /usr/bin/runc

Note: if the containerd.io yum/dpkg package is installed, runc is installed with it by default and does not need to be installed separately.

crictl

https://github.com/kubernetes-sigs/cri-tools
https://github.com/kubernetes-sigs/cri-tools/releases
https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md

Installation

$ VERSION="v1.28.0"
$ wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz
$ sudo tar Czxvf /usr/bin crictl-$VERSION-linux-amd64.tar.gz

Configuration

$ echo "export CONTAINER_RUNTIME_ENDPOINT=unix:///run/containerd/containerd.sock" >> /etc/profile
$ source /etc/profile
or

$ cat << EOF > /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
pull-image-on-create: false
EOF

#crictl OPTIONS:
#runtime-endpoint: Container runtime endpoint (no default value)
#image-endpoint: Image endpoint (no default value)
#timeout: Timeout of connecting to server (default: 2s)
#debug: Enable debug output (default: false)
#pull-image-on-create: Enable pulling image on create requests (default: false)
#disable-pull-on-run: Disable pulling image on run requests (default: false)

cniPlugin

https://github.com/containernetworking/plugins
https://github.com/containernetworking/plugins/releases
https://www.cni.dev/docs/cnitool/

Installation

$ mkdir -p /opt/cni/bin
$ wget https://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgz
$ tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.4.0.tgz
./
./loopback
./bandwidth
./ptp
./vlan
./host-device
./tuning
./vrf
./sbr
./tap
./dhcp
./static
./firewall
./macvlan
./dummy
./bridge
./ipvlan
./portmap
./host-local
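The containerd, runc, crictl and CNI plugin downloads above are all fetched with wget and installed as root, so each should be checked against the checksum published with its release before it is extracted or made executable. The following is an added example, not part of the original post; `verify_release`, `install_verified` and `make_sample` are hypothetical helper names, the archive is constructed, and it assumes you have also downloaded the release's checksum file (sha256sum format or a bare digest).

```shell
#!/usr/bin/env bash
# Added example: refuse to extract a release archive unless its SHA-256
# matches the entry in the checksum file published alongside it.

# verify_release ARCHIVE CHECKSUM_FILE -> 0 match, 1 mismatch, 2 no usable entry
verify_release() {
  local archive="$1" sums="$2" name expected actual
  name="$(basename "$archive")"
  # Accept "<hex>  <name>", "<hex> *<name>", or a file holding only the digest.
  expected="$(awk -v n="$name" '
    NF == 1 { print tolower($1); exit }
    { f = $2; sub(/^\*/, "", f); sub(/^.*\//, "", f)
      if (f == n) { print tolower($1); exit } }' "$sums")"
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "no valid SHA-256 entry for $name in $sums" >&2
    return 2
  fi
  actual="$(sha256sum "$archive" | awk '{ print $1 }')"
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "OK $name"
}

# install_verified ARCHIVE CHECKSUM_FILE DEST: extract only after verification.
install_verified() {
  verify_release "$1" "$2" && tar -C "$3" -xzf "$1"
}

# Build a constructed archive and checksum file in a temp dir; prints the dir.
make_sample() {
  local tmp
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/src/bin" "$tmp/dest"
  echo 'constructed placeholder binary' > "$tmp/src/bin/tool"
  tar -C "$tmp/src" -czf "$tmp/tool-linux-amd64.tar.gz" bin
  (cd "$tmp" && sha256sum tool-linux-amd64.tar.gz > tool-linux-amd64.tar.gz.sha256sum)
  echo "$tmp"
}

sample="$(make_sample)"
install_verified "$sample/tool-linux-amd64.tar.gz" \
  "$sample/tool-linux-amd64.tar.gz.sha256sum" "$sample/dest"
```

For a single binary such as runc, call `verify_release` on the downloaded file before running `chmod +x`.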

CNI configuration files

$ mkdir -p /etc/cni/net.d
$ cat >/etc/cni/net.d/10-mynet.conf <<EOF
{
  "cniVersion": "0.2.0",
  "name": "mynet",
  "type": "bridge",
  "bridge": "cni0",
  "isGateway": true,
  "ipMasq": true,
  "ipam": {
    "type": "host-local",
    "subnet": "10.200.0.0/16",
    "routes": [
      { "dst": "0.0.0.0/0" }
    ]
  }
}
EOF

$ cat >/etc/cni/net.d/99-loopback.conf <<EOF
{
  "cniVersion": "0.2.0",
  "name": "lo",
  "type": "loopback"
}
EOF

Creating a pod with crictl

Step-by-step creation

Create the sandbox

$ cat <<EOF > pod-config.json
{
  "metadata": {
    "name": "netshoot",
    "namespace": "default",
    "attempt": 1,
    "uid": "netshoot"
  },
  "log_directory": "/tmp",
  "linux": {}
}
EOF

$ crictl runp pod-config.json
d2fba6620370460cba02a9ac41ee2e04addc0b90775e6a8f0c45e22ccb7b0322

Check the sandbox status

$ crictl pods
POD ID              CREATED             STATE               NAME                NAMESPACE           ATTEMPT
d2fba66203704       10 seconds ago      Ready               netshoot            default             1

Create a container in the sandbox

$ cat <<EOF > pod-config.json
{
  "metadata": {
    "name": "netshoot",
    "namespace": "default",
    "attempt": 1,
    "uid": "netshoot"
  },
  "log_directory": "/tmp",
  "linux": {}
}
EOF

$ cat <<EOF > container-config.json
{
  "metadata": {
    "name": "netshoot"
  },
  "command": [
    "sleep",
    "inf"
  ],
  "image": {
    "image": "nicolaka/netshoot"
  },
  "log_path": "netshoot.0.log",
  "linux": {}
}
EOF

$ crictl create d2fba6620370460cba02a9ac41ee2e04addc0b90775e6a8f0c45e22ccb7b0322 container-config.json pod-config.json
30914a198096bc1170efac25573685f4b9aaf016188fb266f2c356cc3c9561ea

Check the container status

$ crictl ps -a
CONTAINER           IMAGE               CREATED              STATE               NAME                ATTEMPT             POD ID
30914a198096b       nicolaka/netshoot   About a minute ago   Created             netshoot            0                   d2fba66203704

Start the container

$ crictl start 30914a198096bc1170efac25573685f4b9aaf016188fb266f2c356cc3c9561ea
30914a198096bc1170efac25573685f4b9aaf016188fb266f2c356cc3c9561ea

$ crictl ps
CONTAINER           IMAGE               CREATED              STATE               NAME                ATTEMPT             POD ID
30914a198096b       nicolaka/netshoot   About a minute ago   Running             netshoot            0                   d2fba66203704

Run a command inside the container

$ crictl exec -i -t 30914a198096b route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.200.0.1      0.0.0.0         UG    0      0        0 eth0
10.200.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

Create and start with a single command

$ cat <<EOF > pod-config.json
{
  "metadata": {
    "name": "netshoot",
    "namespace": "default",
    "attempt": 1,
    "uid": "netshoot"
  },
  "log_directory": "/tmp",
  "linux": {}
}
EOF

$ cat <<EOF > container-config.json
{
  "metadata": {
    "name": "netshoot"
  },
  "command": [
    "sleep",
    "inf"
  ],
  "image": {
    "image": "nicolaka/netshoot"
  },
  "log_path": "netshoot.0.log",
  "linux": {}
}
EOF

$ crictl run container-config.json pod-config.json
51e11da943e5b1e39d2d9980f8bf87f362fe46e786eeb6ab75f91c0927035940

Related reading
https://www.cnblogs.com/zhangmingcheng/p/17524721.html
https://www.qikqiak.com/post/containerd-usage/