Crazy k8s: Deploying containerd

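1. Introduction

If you have used docker, you have probably heard of containerd. To make the picture clearer, here is a brief introduction to containerd, starting with the first paragraph of its English description: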

containerd is an industry-standard container runtime with an emphasis on simplicity, robustness, and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.

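In short, containerd is an industry-standard container runtime (a container runtime environment) that emphasizes simplicity, robustness and portability. It runs on both Linux and Windows and can manage the complete container lifecycle, among other things.

containerd is a member of CNCF with 'graduated' status. containerd is designed to be embedded into a larger system, rather than being used directly by developers or end-users.

containerd comes from the CNCF. It mainly serves as the foundation of larger systems rather than being used directly by developers or users. In other words, if your system needs a container runtime, containerd can be the underlying component that supports it.

[Figure: containerd architecture diagram]

The installation and deployment tutorial starts below.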

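2. Installing containerd from the binary release

2.1 Environment

This tutorial uses a Linux CentOS 8 environment.

2.2 Download

The containerd GitHub address is: github.com/containerd/… Choose the version and file type to download according to your needs and your system.

I chose the latest release, v1.7.1; the corresponding path is: github.com/containerd/…

You can download the file to your local machine and upload it with a remote tool, or download it from the command line: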

wget https://github.com/containerd/containerd/releases/download/v1.7.1/containerd-1.7.1-linux-amd64.tar.gz

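2.3 Installation

Extract the archive:

tar xf containerd-1.7.1-linux-amd64.tar.gz

Copy the contents of the extracted bin directory to /usr/local/bin with cp:

cp -r bin/* /usr/local/bin/

Next, enter the bin directory for the following steps:

cd bin

Create the containerd service with the containerd command:

./containerd systemd service

Edit the containerd service file:

cd /etc/systemd/system/
cat containerd.service

Change ExecStart in the file to the path of the containerd binary: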

# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
 
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
 
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
 
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
 
[Install]
WantedBy=multi-user.target

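Save and exit with :wq, then reload the systemd unit files:

systemctl daemon-reload

Next, create the directory for the containerd configuration file:

mkdir /etc/containerd

Generate the default configuration and write it into the directory created in the previous step:

containerd config default > /etc/containerd/config.toml

Edit the configuration file, mainly to set the registry mirror (a private registry mirror can also be set here):

cd /etc/containerd
vi config.toml

In config.toml, find registry.mirrors and add the following below that line (replace the URL with your own and pay attention to the indentation):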

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://*******.mirror.aliyuncs.com"]

Save and exit with :wq, then start containerd and enable it at boot:

systemctl enable containerd --now
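
A check for the mirror setting above, as an added example that is not part of the original post: it lists every registry.mirrors endpoint in a config.toml and flags any that is not HTTPS, because the mirror decides which image a tag resolves to. The function name audit_mirrors is hypothetical, and the parser assumes each endpoint array sits on a single line, as in the snippet above.

```shell
#!/bin/sh
# Added example: audit the registry mirror endpoints in a containerd config.toml.
# audit_mirrors is a hypothetical helper name, not a containerd command.
# Prints "<registry> <endpoint> <ok|INSECURE>" per endpoint and returns 1
# when at least one endpoint is not https://.
audit_mirrors() {
    awk '
    # A TOML table header. Remember the registry name only for headers such as
    # [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    /^[ \t]*\[/ {
        host = ""
        if (match($0, /registry\.mirrors\."[^"]+"\]/)) {
            host = substr($0, RSTART, RLENGTH)
            sub(/^registry\.mirrors\."/, "", host)
            sub(/"\]$/, "", host)
        }
        next
    }
    # endpoint = ["url", ...] inside a mirror table (single-line arrays only)
    host != "" && /^[ \t]*endpoint[ \t]*=/ {
        line = $0
        while (match(line, /"[^"]*"/)) {
            url = substr(line, RSTART + 1, RLENGTH - 2)
            verdict = (url ~ /^https:\/\//) ? "ok" : "INSECURE"
            if (verdict != "ok") bad = 1
            print host, url, verdict
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Usage: audit_mirrors /etc/containerd/config.toml
```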

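3. Installing runc

3.1 Download and install

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. The GitHub download link is: github.com/containerd/…

To match the containerd version, I chose runc 1.1.7 and downloaded it from the command line:

wget https://github.com/opencontainers/runc/releases/download/v1.1.7/runc.amd64

After the download completes, make the file executable and move it into place:

chmod +x runc.amd64
cp runc.amd64 /usr/local/bin/runc

3.2 Verification

View the usage with:

ctr -help

This produces the output: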

COMMANDS:
   plugins, plugin            Provides information about containerd plugins
   version                    Print the client and server versions
   containers, c, container   Manage containers
   content                    Manage content
   events, event              Display containerd events
   images, image, i           Manage images
   leases                     Manage leases
   namespaces, namespace, ns  Manage namespaces
   pprof                      Provide golang pprof outputs for containerd
   run                        Run a container
   snapshots, snapshot        Manage snapshots
   tasks, t, task             Manage tasks
   install                    Install a new package
   oci                        OCI tools
   sandboxes, sandbox, sb, s  Manage sandboxes
   info                       Print the server info
   shim                       Interact with a shim directly
   help, h                    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug                      Enable debug output in logs
   --address value, -a value    Address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS]
   --timeout value              Total timeout for ctr commands (default: 0s)
   --connect-timeout value      Timeout for connecting to containerd (default: 0s)
   --namespace value, -n value  Namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
   --help, -h                   show help
   --version, -v                print the version

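3.3 Pull an image

Pull an image with:

ctr images pull docker.io/library/nginx:latest

3.4 List images

List the local images with:

ctr images ls

3.5 Run the image

Run the image with the following command. ctr run takes a container ID after the image reference; nginx-demo is an example name:

ctr run -t docker.io/library/nginx:latest nginx-demo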

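4. Installing a client tool

4.1 Download and install

There are two client tools: crictl and nerdctl. nerdctl is recommended here.

nerdctl's official GitHub: github.com/containerd/…

I chose v1.3.1 and downloaded it from the command line:

wget https://github.com/containerd/nerdctl/releases/download/v1.3.1/nerdctl-1.3.1-linux-amd64.tar.gz

After the download completes, extract the archive and copy the binary to /usr/local/bin:

tar xvf nerdctl-1.3.1-linux-amd64.tar.gz
cp nerdctl /usr/local/bin

4.2 Version check

Get the version with:

nerdctl version

View the usage help with:

nerdctl --help

4.3 View images and containers

View the images with:

nerdctl images

4.4 Pull an image

nerdctl pull alpine

4.5 Pull a container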

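5. Installing the network plugins

The network plugin, in English Container Network Interface (CNI for short), mainly assigns IP addresses and network interfaces to containers (docker already integrates CNI and containerd, so developers may never have noticed it).

5.1 Installation

I chose v1.3.0 and downloaded it from the command line: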

wget https://github.com/containernetworking/plugins/releases/download/v1.3.0/cni-plugins-linux-amd64-v1.3.0.tgz
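
The archives in sections 2.2, 3.1, 4.1 and 5.1 are all fetched with wget and then copied into root-owned paths, so a checksum comparison before unpacking is worth the extra step. The following is an added example, not part of the original post: verify_sha256 is a hypothetical helper that checks a download against the sha256sum-format checksum file published with the release (its file name differs per project and is passed in as an argument) and refuses to proceed when no entry matches.

```shell
#!/bin/sh
# Added example: verify a downloaded release artifact against a checksum file
# in sha256sum format ("<64 hex chars>  <file name>", one entry per line).
# verify_sha256 is a hypothetical helper name, not part of any project tooling.
# Returns 0 on match, 1 on mismatch, 2 when the check cannot be performed.
verify_sha256() {
    artifact=$1
    sumfile=$2
    if [ ! -f "$artifact" ] || [ ! -f "$sumfile" ]; then
        echo "verify_sha256: missing artifact or checksum file" >&2
        return 2
    fi
    name=$(basename "$artifact")

    # Pick the entries for this exact file name. A checksum file may list
    # several artifacts; "*" marks binary mode and a path prefix may be present.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^.*\//, "", f) }
        f == n && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1) }
    ' "$sumfile")

    # Fail closed unless exactly one well-formed entry names the artifact.
    count=$(printf '%s\n' "$expected" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "verify_sha256: $count entries for $name in $sumfile" >&2
        return 2
    fi

    actual=$(sha256sum "$artifact" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_sha256: MISMATCH for $name" >&2
        return 1
    fi
    echo "verify_sha256: OK $name"
}

# Usage (the checksum file name is a placeholder; take it from the release page):
#   verify_sha256 cni-plugins-linux-amd64-v1.3.0.tgz <checksum-file> \
#       && tar xf cni-plugins-linux-amd64-v1.3.0.tgz -C /opt/cni/bin/
```

A checksum fetched from the same release page detects a corrupted or swapped download, not a compromised release.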

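Create the directory and extract the archive into /opt/cni/bin:

mkdir /opt/cni/bin -p
tar xf cni-plugins-linux-amd64-v1.3.0.tgz -C /opt/cni/bin/

List the CNI plugin files with:

ll /opt/cni/bin

After running a container with nerdctl, nerdctl container ls shows the mapped port in the container information, so the container can be reached from outside via IP + port.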

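6. Questions

6.1 Why do I get "containerd not found" even though my executable is already in /usr/local/bin?

Because the PATH environment variable does not include /usr/local/bin, the command cannot be found. To run it, you can create a symlink, change the environment variable, or run it with ./ from inside the bin directory.

6.2 What is the difference between nerdctl and ctr?

nerdctl and ctr are both command-line tools, and both can be used to create, stop and delete containers. They differ as follows:

  • nerdctl was developed by the containerd developers, while ctr was developed by the runc developers.
  • nerdctl supports building images from a Dockerfile; ctr does not.
  • nerdctl supports using compose files to define and manage multiple containers; ctr does not.
  • nerdctl supports running systemd inside a container; ctr does not.
  • nerdctl supports using CNI plugins to configure container networking; ctr does not.

Overall, nerdctl is more powerful and more complex than ctr, and developers are encouraged to study it and get to know it.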