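containerd was already part of early versions of Docker Engine. It has since been split out of Docker Engine as an independent open-source project, with the goal of providing a more open and stable infrastructure for running containers. The standalone containerd has more functionality, covers all the needs of container runtime management, and provides stronger support.
containerd is an industry-standard container runtime that emphasizes simplicity, robustness and portability. containerd is responsible for the following:
- Managing the container lifecycle (from creating a container to destroying it)
- Pulling and pushing container images
- Storage management (managing storage for images and container data)
- Calling runc to run containers (interacting with container runtimes such as runc)
- Managing container network interfaces and networks
containerd is available as a daemon for Linux and Windows. It manages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision, down to low-level storage and network attachments.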
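3.1 Advantages of containerd
- A clean gRPC-based API and client library
- Full OCI support (runtime and image spec)
- Well-defined core container functionality that is both stable and high-performance
- A decoupled system (image, filesystem and runtime are decoupled), enabling plugin-style extension and reuse
3.2 Why a standalone containerd is needed
- It used to be part of the Docker project and has now been split out of the monolithic Docker engine (the open-source project approach)
- It can be used by projects such as the Kubernetes CRI (generalization)
- It lays the foundation for broad industry collaboration (just like runC)
3.3 containerd architecture diagram
Architecture diagram of containerd: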
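4. Installing containerd
For a video walkthrough of installation and usage, see the bilibili video "11_Containerd容器镜像管理_容器镜像管理命令_修改容器镜像tag".
containerd can be installed in two ways:
- Installation with yum
- Installation from the binary package
Both are demonstrated below.
4.1 Installing with yum
4.1.1 Environment
System / software | Version |
---|---|
CentOS | 6.9 |
containerd | 1.6.19 |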
4.1.2 Getting the yum repositories
```bash
# Back up the host's existing yum repo files
$ cd /etc/yum.repos.d/
$ mkdir bak
$ mv *.repo bak/
```
```bash
# Add the Aliyun yum repositories
$ curl https://mirrors.aliyun.com/repo/Centos-7.repo -o /etc/yum.repos.d/Centos-7.repo
$ curl https://mirrors.aliyun.com/repo/epel-7.repo -o /etc/yum.repos.d/epel-7.repo
$ curl https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
```
```bash
# Look up the containerd.io package in the yum repositories
$ yum info containerd.io
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name : containerd.io
Arch : x86_64
Version : 1.6.19
Release : 3.1.el7
Size : 34 M
Repo : docker-ce-stable
Summary : An industry-standard container runtime
URL : https://containerd.io
License : ASL 2.0
Description : containerd is an industry-standard container runtime with an emphasis on
: simplicity, robustness and portability. It is available as a daemon for Linux
: and Windows, which can manage the complete container lifecycle of its host
: system: image transfer and storage, container execution and supervision,
: low-level storage and network attachments, etc.
```
4.1.3 Installing with yum
```bash
# Install the containerd.io package
$ yum install -y containerd.io
```
4.1.4 Verifying the installation and starting the service
```bash
$ rpm -ql containerd.io
/etc/containerd
/etc/containerd/config.toml
/usr/bin/containerd
/usr/bin/containerd-shim
/usr/bin/containerd-shim-runc-v1
/usr/bin/containerd-shim-runc-v2
/usr/bin/ctr
/usr/bin/runc
/usr/lib/systemd/system/containerd.service
/usr/share/doc/containerd.io-1.6.19
/usr/share/doc/containerd.io-1.6.19/README.md
/usr/share/licenses/containerd.io-1.6.19
/usr/share/licenses/containerd.io-1.6.19/LICENSE
/usr/share/man/man5/containerd-config.toml.5
/usr/share/man/man8/containerd-config.8
/usr/share/man/man8/containerd.8
/usr/share/man/man8/ctr.8
```
```bash
# Start the service and enable it at boot
$ systemctl enable containerd ; systemctl start containerd
```
4.1.5 Verifying that it works
Installing containerd also installs the ctr command, a client tool used mainly to manage containers and container images. Use ctr to view the containerd client and server information.
```bash
$ ctr version
Client:
Version: 1.6.19
Revision: 1e1ea6e986c6c86565bc33d52e34b81b3e2bc71f
Go version: go1.19.7
Server:
Version: 1.6.19
Revision: 1e1ea6e986c6c86565bc33d52e34b81b3e2bc71f
UUID: 39c52ad7-5c2d-4d74-acd7-d027b90aec83
```
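4.2 Installing from the binary package
System / software | Version |
---|---|
CentOS | 6.9 |
containerd | 1.7.0 |
containerd ships two kinds of installation package:
- The first is `containerd-xxx`. It is fine for single-host testing but does not include runC, which must be installed beforehand.
- The second is `cri-containerd-cni-xxx`, which includes runC and the related files needed by k8s. A k8s cluster needs this package. Although it includes runC, that runC depends on seccomp being present on the system.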
4.2.1 Getting the package
Download page: https://github.com/containerd/containerd/releases
Download the containerd package
```bash
$ wget https://github.com/containerd/containerd/releases/download/v1.7.0/cri-containerd-cni-1.7.0-linux-amd64.tar.gz
```
4.2.2 Installing containerd
Install containerd
```bash
$ tar xf cri-containerd-cni-1.7.0-linux-amd64.tar.gz -C /
```
4.2.3 Generating the configuration file
```bash
# Create the directory
$ mkdir /etc/containerd
```
```bash
# Generate the configuration file
$ containerd config default > /etc/containerd/config.toml
```
Change the key parameters in the configuration file
1. Set SystemdCgroup to true
```bash
$ vim /etc/containerd/config.toml
...
SystemdCgroup = true
...
```
2. Add a registry mirror
- Edit the config.toml configuration file
```toml
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d" # registry host configuration files
```
- Create the corresponding directory
```bash
$ mkdir -p /etc/containerd/certs.d/docker.io
```
- Configure the mirror
```bash
$ cat << EOF >> /etc/containerd/certs.d/docker.io/hosts.toml
server = "https://docker.io"
[host."https://docker.mirrors.ustc.edu.cn"]
EOF
```
- Restart containerd
```bash
$ systemctl restart containerd
```
4.2.4 Starting containerd
Start containerd
```bash
$ systemctl enable containerd ; systemctl start containerd
```
4.2.5 Checking and verifying
```bash
$ ctr version
Client:
Version: v1.7.0
Revision: 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d
Go version: go1.20.2
Server:
Version: v1.7.0
Revision: 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d
UUID: 1f4630ff-27d5-46a4-b444-ca288c516127
```
4.2.6 Installing runC and verifying the result
By default, the runC shipped in the binary package requires seccomp support to be installed on the system, which has to be installed separately, and different runC versions require a matching seccomp version. It is therefore recommended to download the runC binary separately and install it, since that binary includes seccomp support.
Download page: https://github.com/opencontainers/runc/releases
Download runC
```bash
$ wget https://github.com/opencontainers/runc/releases/download/v1.1.5/runc.amd64
```
Install runC
```bash
$ cp -a runc.amd64 /usr/local/sbin/runc
$ chmod +x /usr/local/sbin/runc
```
Verify runC
```bash
$ runc -v
runc version 1.0.0-rc95
spec: 1.0.2-dev
go: go1.14.15
libseccomp: 2.5.1
```
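The tarball from 4.2.1 is unpacked straight into `/` and the runC binary from 4.2.6 is copied into the system path, both as downloaded. The following is an added example, not part of the original page: shell functions that check a download against a `sha256sum`-format checksum file and reject archives whose member paths are absolute or contain `..`. The function names and the checksum file names shown in the usage comment are assumptions; take the checksum file from the project's release page.

```bash
#!/usr/bin/env bash
# Added example: integrity checks to run before the install steps in 4.2.2
# and 4.2.6. Function names are illustrative, not part of containerd or runc.

# verify_sha256 FILE SUMFILE
# SUMFILE uses sha256sum format ("<hex>  <name>"). Returns 0 only when the
# entry for FILE's basename matches the file on disk, 1 on mismatch, and
# 2 when SUMFILE has no entry for that name.
verify_sha256() {
    local file="$1" sumfile="$2" name expected actual
    name=$(basename "$file")
    # Field 2 may carry a leading "*" (binary-mode marker); strip it.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sumfile" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# unsafe_member_paths
# Reads archive member names on stdin and prints those that are absolute or
# contain a ".." component, i.e. that could land outside the target directory.
unsafe_member_paths() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# tar_paths_safe ARCHIVE
# The page unpacks with `tar xf ... -C /`, so member paths decide which
# system files get written. Returns 1 if any member path is unsafe and
# 2 if the archive cannot be listed.
tar_paths_safe() {
    local archive="$1" members bad
    members=$(tar tf "$archive") || return 2
    bad=$(printf '%s\n' "$members" | unsafe_member_paths)
    if [ -n "$bad" ]; then
        printf 'unsafe member paths in %s:\n%s\n' "$archive" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage with the page's file names (checksum file names are assumptions):
#   verify_sha256 cri-containerd-cni-1.7.0-linux-amd64.tar.gz \
#       cri-containerd-cni-1.7.0-linux-amd64.tar.gz.sha256sum \
#     && tar_paths_safe cri-containerd-cni-1.7.0-linux-amd64.tar.gz \
#     && tar xf cri-containerd-cni-1.7.0-linux-amd64.tar.gz -C /
#   verify_sha256 runc.amd64 runc.sha256sum \
#     && install -m 0755 runc.amd64 /usr/local/sbin/runc
```

A checksum only proves the file matches what the checksum file says, so fetch the checksum file over a channel you trust at least as much as the download itself.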
5. containerd image management
The docker CLI provides features that improve the user experience. containerd also ships a corresponding CLI tool, ctr. ctr is less full-featured than docker, but the basic image and container functions are all there. The following shows how to use ctr.
5.1 containerd image management commands
```bash
ctr i ls                                                                       # list images
ctr i pull docker.io/library/nginx:alpine                                      # pull an image
ctr i mount docker.io/library/nginx:alpine /mnt/                               # mount an image
ctr i export --platform linux/amd64 nginx.img docker.io/library/nginx:alpine   # export an image
ctr i rm docker.io/library/nginx:alpine                                        # delete an image
```
5.2 Listing images
```bash
# i is equivalent to images
$ ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
```
5.3 Pulling images
containerd supports OCI-standard images, so images from Docker's official registry or built from a Dockerfile can be used directly.
```bash
$ ctr i pull docker.io/library/nginx:alpine
docker.io/library/nginx:alpine: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:01ccf4035840dd6c25042b2b5f6b09dd265b4ed5aa7b93ccc4714027c0ce5685: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c23b4f8cf279507bb1dd3d6eb2d15ca84fac9eac215ab5b529aa8b5a060294c8: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:8e75cbc5b25c8438fcfe2e7c12c98409d5f161cbb668d6c444e02796691ada70: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:2ce963c369bc5690378d31c51dc575c7035f6adfcc1e286051b5a5d9a7b0cc5c: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:59b9d2200e632e457f800814693b3a01adf09a244c38ebe8d3beef5c476c4c55: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3e1e579c95fece6bbe0cb9c8c2949512a3f8caaf9dbe6219dc6495abb9902040: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:547a97583f72a32903ca1357d48fa302e91e8f83ffa18e0c40fd87adb5c06025: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1f21f983520d9a440d410ea62eb0bda61a2b50dd79878071181b56b82efa9ef3: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 8.7 s total: 16.0 M (1.8 MiB/s)
unpacking linux/amd64 sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f...
done: 1.595243191s
```
Images can be pulled for a specific system architecture; the pull above used the default linux/amd64 platform.
```bash
# Pull the image for the linux/arm64 platform
$ ctr i pull --platform linux/arm64 docker.io/library/nginx:alpine
docker.io/library/nginx:alpine: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f: exists |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:5a3980760a3e6bd779d6ff3a029d24044e7660a1600dfd2f72298bf4657f1f6c: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:7bcac465295e8cfefa26d0ad33a638a0415ad7c4e1afba500b9633f97e277c3c: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:510900496a6c312a512d8f4ba0c69586e0fbd540955d65869b6010174362c313: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c41833b44d910632b415cd89a9cdaa4d62c9725dc56c99a7ddadafd6719960f9: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:2c2c9b85ac58c9f389d42b1033672337110dba86c12d1b0d5c7c384a7cfe110b: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:40f94fa3619489012a181c2b217548ea718fe485578eec4afdef4b14b3bc536e: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ae26f20697dc7e3b86701a83a1ed42b81b1755f0763130d7f6f816a39adaf388: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e4fa283fba0e8150c05ba453aed98ff4f4bdd65a6248837101fc16b489d1101e: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4c53b6cdc37bcca61cf31d3308b58fda6d7d3192ddd56559cca2f67eafcb0cc1: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 9.7 s total: 15.4 M (1.6 MiB/s)
unpacking linux/arm64 sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f...
done: 1.660794241s
```
Check the result
```bash
$ ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
```
5.4 Mounting an image
Mounting makes it easy to inspect what an image contains.
```bash
# Mount a pulled container image onto the local filesystem
$ ctr i mount docker.io/library/nginx:alpine /mnt/
sha256:f301a4112756ab559d9c78e8ed3625dab81f91803dfeabbc4f9184c878b1f3b1
/mnt/
$ ls /mnt/
bin/ dev/ docker-entrypoint.d/ docker-entrypoint.sh* etc/ home/ lib/ media/ mnt/ opt/ proc/ root/ run/ sbin/ srv/ sys/ tmp/ usr/ var/
```
```bash
# Unmount
$ umount /mnt
```
5.5 Exporting an image
```bash
# Export the image
$ ctr i export --platform linux/amd64 nginx.img docker.io/library/nginx:alpine
$ du -sh nginx.img
17M nginx.img
```
5.6 Deleting an image
```bash
# Delete the specified container image
$ ctr i rm docker.io/library/nginx:alpine
docker.io/library/nginx:alpine
# List the container images again
$ ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
```
5.7 Importing an image
```bash
# Import the container image
$ ctr i import --platform linux/amd64 nginx.img
```
Note: both export and import must specify --platform, and the values must match; otherwise an error is reported.
5.8 Changing an image tag
```bash
$ ctr i tag docker.io/library/nginx:alpine nginx:alpine
$ ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
```
After retagging, compare the two images
```bash
$ ctr i check
REF TYPE DIGEST STATUS SIZE UNPACKED
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f complete (8/8) 16.0 MiB/16.0 MiB true
nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f complete (8/8) 16.0 MiB/16.0 MiB true
```
6. containerd container management
In containerd, containers come in two kinds: static containers and dynamic containers.
- Static container: after the create command, the container is not running. It is only a static container; the container object is just a data structure holding the resources and configuration a container needs.
- Dynamic container: a container that is running and has user processes.
Note: in containerd, a container cannot be started directly without an image. The order must be: 1. pull the image; 2. start the container.
6.1 Listing containers
container refers to a static container; c can be used as an abbreviation for container.
```bash
$ ctr c ls
CONTAINER IMAGE RUNTIME
# or
$ ctr container ls
```
6.2 Listing tasks
task refers to the process running in a container; t can be used as an abbreviation for task.
```bash
$ ctr task ls
# or
$ ctr t ls
```
6.3 Creating a static container
```bash
$ ctr c create docker.io/library/nginx:alpine ngx
$ ctr c ls
CONTAINER IMAGE RUNTIME
ngx docker.io/library/nginx:alpine io.containerd.runc.v2
```
```bash
# Show detailed container information
$ ctr c info ngx
```
6.4 Starting a static container as a dynamic container
```bash
# Starting a task means running a process in the container, which makes it a dynamic container
$ ctr t ls
TASK PID STATUS
$ ctr t start -d ngx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
# Note: -d runs the task in the background, the same as in docker
# Check the container's process on the host; it exists as an ordinary host process
$ ctr t ls
TASK PID STATUS
ngx 16045 RUNNING
```
```bash
# List the container's processes (all of them are processes on the physical host)
$ ctr t ps ngx
PID INFO
16045 -
16080 -
16081 -
```
6.5 Entering a container
```bash
$ ctr t exec --exec-id 1 -t ngx sh
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# Access ngx directly
/ # curl -Is 127.0.0.1
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Mon, 03 Apr 2023 01:48:04 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 17:09:24 GMT
Connection: keep-alive
ETag: "64231f44-267"
Accept-Ranges: bytes
```
6.6 Running a dynamic container directly
```bash
$ ctr run -d --net-host docker.io/library/nginx:alpine ngx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
# Notes:
# -d runs the container in the background
# --net-host means the container's IP is the host's IP (equivalent to the host network type in docker)
# Test whether it is running
$ curl -Is 127.0.0.1
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Mon, 03 Apr 2023 01:52:20 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 17:09:24 GMT
Connection: keep-alive
ETag: "64231f44-267"
Accept-Ranges: bytes
```
```bash
# List static containers
$ ctr c ls
CONTAINER IMAGE RUNTIME
ngx docker.io/library/nginx:alpine io.containerd.runc.v2
# List dynamic containers
root@containerd(192.168.199.101)~$ ctr t ls
TASK PID STATUS
ngx 16366 RUNNING
# Enter the container and look around
$ ctr t exec --exec-id 1 ngx sh
ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:E8:88:2B
inet addr:192.168.199.101 Bcast:192.168.199.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fee8:882b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:992892 errors:0 dropped:158 overruns:0 frame:0
TX packets:72942 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:465982699 (444.3 MiB) TX bytes:7003786 (6.6 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:848 (848.0 B) TX bytes:848 (848.0 B)
```
```bash
# Add a site file for the website running in the container
/ # echo "nginx" > /usr/share/nginx/html/index.html
/ # curl -s 127.0.0.1
nginx
/ # exit
# Access from the host:
$ curl localhost
nginx
$ curl 192.168.199.101
nginx
```
6.7 Pausing a container
Pause a container when you only want it to stop working for a while, for example to snapshot its filesystem or because the host needs the CPU. A paused container uses no CPU resources.
```bash
# Check the container state
$ ctr t ls
TASK PID STATUS
ngx 16366 RUNNING
# Pause the container
$ ctr t pause ngx
$ ctr t ls
TASK PID STATUS
ngx 16366 PAUSED
# The host can no longer reach the website
$ curl -s 192.168.199.101
```
6.8 Resuming a container
```bash
# Use the resume command to resume the container
$ ctr t resume ngx
$ ctr t ls
TASK PID STATUS
ngx 16366 RUNNING
```
6.9 Stopping a container
```bash
# Use the kill command to stop the process running in the container, which stops the container
$ ctr t kill ngx
# The state changes from RUNNING to STOPPED
$ ctr t ls
TASK PID STATUS
ngx 16366 STOPPED
```
6.10 Deleting a container
A container must be stopped before it can be deleted.
```bash
$ ctr t ls
TASK PID STATUS
ngx 16366 STOPPED
$ ctr t rm ngx
$ ctr t ls
TASK PID STATUS
# The static container still exists on the system
$ ctr c ls
CONTAINER IMAGE RUNTIME
ngx docker.io/library/nginx:alpine io.containerd.runc.v2
$ ctr c rm ngx
$ ctr c ls
CONTAINER IMAGE RUNTIME
```
7. Namespaces
containerd supports the concept of namespaces.
7.1 Listing namespaces
```bash
$ ctr namespace ls
NAME LABELS
default
# or
$ ctr ns ls
NAME LABELS
default
```
7.2 Creating a namespace
If none is specified, ctr uses the default namespace. A namespace can also be created with the ns create command:
```bash
$ ctr ns create test
$ ctr ns ls
NAME LABELS
default
test
```
7.3 Starting a container in a specific namespace
Question to verify: when the image exists in the default namespace, can a container be started in the test namespace?
```bash
$ ctr -n default i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
# Start a container in the test namespace
$ ctr -n test run -d docker.io/library/nginx:alpine ngx
ctr: image "docker.io/library/nginx:alpine": not found
```
The error says the image cannot be found. It seems namespaces isolate images as well.
Step 1: pull the image into the test namespace
```bash
# Note the position of the command option:
$ ctr -n test i pull docker.io/library/nginx:alpine
# List the images
$ ctr -n test i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
```
Step 2: start the container
Before starting the container, make sure its ports do not conflict with containers in other namespaces; otherwise the container ends up in the STOPPED state.
```bash
$ ctr -n test run -d --net-host docker.io/library/nginx:alpine ngx
$ ctr -n test t ls
TASK PID STATUS
ngx 17853 RUNNING
$ curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Mon, 03 Apr 2023 03:53:51 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 17:09:24 GMT
Connection: keep-alive
ETag: "64231f44-267"
Accept-Ranges: bytes
```
7.4 Deleting a namespace
Try deleting a namespace that still has containers and images.
```bash
$ ctr ns rm test
ERRO[0000] unable to delete test error="namespace \"test\" must be empty, but it still has images, blobs, containers, snapshots on \"overlayfs\" snapshotter: failed precondition"
ctr: unable to delete test: namespace "test" must be empty, but it still has images, blobs, containers, snapshots on "overlayfs" snapshotter: failed precondition
```
This fails because the test namespace is not empty; its containers and images must be deleted first.
```bash
# Delete the container
$ ctr -n test t kill ngx
$ ctr -n test t rm ngx
$ ctr -n test c rm ngx
# Delete the image
$ ctr -n test i rm docker.io/library/nginx:alpine
docker.io/library/nginx:alpine
# List containers and images
$ ctr -n test t ls ; ctr -n test c ls; ctr -n test i ls
TASK PID STATUS
CONTAINER IMAGE RUNTIME
REF TYPE DIGEST SIZE PLATFORMS LABELS
# Delete the namespace
$ ctr ns rm test
test
$ ctr ns ls
NAME LABELS
default
```
7.5 How the namespaces differ
Docker also calls containerd by default. In fact, the containerd namespace Docker uses by default is moby, not default, so if containers were started with docker, they can be located with ctr -n moby:
```bash
$ ctr -n moby c ls
CONTAINER IMAGE RUNTIME
```
Likewise, the default containerd namespace used by Kubernetes is k8s.io, so ctr -n k8s.io shows the containers created by Kubernetes.
```bash
$ ctr -n k8s.io c ls
CONTAINER IMAGE RUNTIME
```
Note: these three kinds of ns are different and must be told apart.
```text
containerd -> namespace (isolation) -> (not to be confused with namespaces in k8s) -> namespace + cgroup + rootfs
```
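Because Docker (`moby`) and Kubernetes (`k8s.io`) keep their containers in their own containerd namespaces, `ctr c ls` against `default` can look empty on a busy host. The following is an added example, not part of the original page: it walks every namespace and reports each container with its task state. The function name `containerd_inventory` and its optional first argument (the name of the `ctr` command to call) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: list containers and their task state across ALL containerd
# namespaces, so workloads under moby or k8s.io are not missed when only
# the default namespace is inspected.

# containerd_inventory [CTR]
# Prints one line per container: namespace<TAB>container<TAB>pid<TAB>status
# Static containers (no task) are reported with pid "-" and status NO_TASK.
# CTR defaults to "ctr"; it is a parameter so the function can be pointed
# at a wrapper command.
containerd_inventory() {
    local ctr="${1:-ctr}" ns id tasks state
    "$ctr" ns ls -q | while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        # `ctr t ls` prints a "TASK PID STATUS" header; skip it.
        tasks=$("$ctr" -n "$ns" t ls | awk 'NR > 1 { print $1, $2, $3 }')
        "$ctr" -n "$ns" c ls -q | while IFS= read -r id; do
            [ -n "$id" ] || continue
            state=$(printf '%s\n' "$tasks" | awk -v id="$id" '
                $1 == id { print $2 "\t" $3; found = 1 }
                END      { if (!found) print "-\tNO_TASK" }')
            printf '%s\t%s\t%s\n' "$ns" "$id" "$state"
        done
    done
}

# Usage on a host running containerd (needs access to the containerd socket):
#   containerd_inventory
```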