containerd Installation and Deployment


containerd official installation documentation | containerd

nerdctl official release packages | nerdctl

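I. Install the binary packages

There are two ways to install:

1. Install each component separately (recommended):

The official binary releases of containerd are available for the amd64 (also known as x86_64) and arm64 (also known as aarch64) architectures.

Typically, you also have to install runc and the CNI plugins from their official sites.

Step 1: Install containerd

Download the containerd-<VERSION>-<OS>-<ARCH>.tar.gz archive from github.com/containerd/…, verify its sha256sum, and extract it under /usr/local: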

$ tar Cxzvf /usr/local containerd-1.6.2-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/containerd-shim
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd
bin/containerd-stress

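The containerd binary is dynamically built for glibc-based Linux distributions such as Ubuntu and Rocky Linux. This binary may not work on musl-based distributions such as Alpine Linux. Users of such distributions may have to install containerd from source or from a third-party package.

FAQ: For Kubernetes, do I also need to download cri-containerd-(cni-)<VERSION>-<OS>-<ARCH>.tar.gz?

Answer: No.

Because the Kubernetes CRI feature is already included in containerd-<VERSION>-<OS>-<ARCH>.tar.gz, you do not need to download the cri-containerd-.... archives to use CRI.

These cri-containerd-... archives are deprecated, do not work on old Linux distributions, and will be removed in containerd 2.0.

systemd

If you intend to start containerd via systemd, you should also download the containerd.service unit file from raw.githubusercontent.com/containerd/… to /etc/systemd/system/containerd.service, and run the following commands: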

systemctl daemon-reload
systemctl enable --now containerd

Step 2: Install runc

Download the runc.<ARCH> binary from github.com/opencontain…, verify its sha256sum, and install it as /usr/local/sbin/runc.

$ install -m 755 runc.amd64 /usr/local/sbin/runc

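The binary is statically built and should work on any Linux distribution.

Step 3: Install the CNI plugins (do not change the /opt/cni/bin location)

Download the cni-plugins-<OS>-<ARCH>-<VERSION>.tgz archive from github.com/containerne…, verify its sha256sum, and extract it under /opt/cni/bin: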

$ mkdir -p /opt/cni/bin
$ tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
./
./macvlan
./static
./vlan
./portmap
./host-local
./vrf
./bridge
./tuning
./firewall
./host-device
./sbr
./loopback
./dhcp
./ptp
./ipvlan
./bandwidth

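The binaries are statically built and should work on any Linux distribution.

Step 4: Install nerdctl

Download the release archive from the github.com/containerd/… page, then extract it into /usr/local/bin: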

tar Cxzvvf /usr/local/bin nerdctl-1.7.6-linux-amd64.tar.gz
-rwxr-xr-x root/root  25116672 2024-04-30 06:21 nerdctl
-rwxr-xr-x root/root     21916 2024-04-30 06:20 containerd-rootless-setuptool.sh
-rwxr-xr-x root/root      7187 2024-04-30 06:20 containerd-rootless.sh

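Step 5: Change the containerd configuration

Generate the configuration file

mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml

Change the registry configuration directory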

vim /etc/containerd/config.toml
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"

      [plugins."io.containerd.grpc.v1.cri".registry.auths]

      [plugins."io.containerd.grpc.v1.cri".registry.configs]

      [plugins."io.containerd.grpc.v1.cri".registry.headers]

      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]

    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
      tls_cert_file = ""
      tls_key_file = ""
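
Steps 1 to 4 above each say to verify the archive's sha256sum before extracting it, but do not show the check. The following fail-closed verify-then-extract helper is an added example, not code from the original post or from the containerd project; the checksum file names in the usage comment are assumptions, so take the actual names from each project's release page.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded release file against its published
# sha256 checksum file and extract only when the digest matches.

# verify_sha256 FILE SUMFILE
# SUMFILE uses sha256sum format ("<hex digest>  <filename>"), one entry or many.
# Returns 0 on match, 1 on mismatch, 2 if FILE has no usable entry.
verify_sha256() {
    local file="$1" sumfile="$2" name expected actual
    name=$(basename "$file")
    # Select the entry whose filename field equals NAME (a leading "*" marks binary mode).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sumfile")
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "no valid sha256 entry for $name in $sumfile" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "sha256 MISMATCH for $name: refusing to install" >&2
        return 1
    fi
}

# verified_extract ARCHIVE SUMFILE DEST
# Extracts the .tar.gz/.tgz into DEST only after verify_sha256 succeeds.
verified_extract() {
    local archive="$1" sumfile="$2" dest="$3"
    verify_sha256 "$archive" "$sumfile" || return $?
    mkdir -p "$dest"
    tar -C "$dest" -xzf "$archive"
}

# Usage (checksum file names are assumptions; use the ones on the release page):
#   verified_extract containerd-1.6.2-linux-amd64.tar.gz \
#       containerd-1.6.2-linux-amd64.tar.gz.sha256sum /usr/local
#   verify_sha256 runc.amd64 runc.sha256sum && install -m 755 runc.amd64 /usr/local/sbin/runc
```

Download the checksum file over HTTPS from the same release page as the archive; a mismatch or a missing entry leaves the destination untouched.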

2. Install everything (full bundle)

Step 1: Download the package

Open github.com/containerd/… and download the package with "full" in its name.


Download

curl -LO https://github.com/containerd/nerdctl/releases/download/v1.7.6/nerdctl-full-1.7.6-linux-amd64.tar.gz

Step 2: Extract the archive

tar Cxzvvf /usr/local nerdctl-full-1.7.6-linux-amd64.tar.gz

drwxr-xr-x 0/0               0 2024-04-30 06:28 bin/
-rwxr-xr-x 0/0        27644700 2015-10-21 00:00 bin/buildctl
-rwxr-xr-x 0/0        23724032 2022-09-05 09:52 bin/buildg
-rwxr-xr-x 0/0        53374823 2015-10-21 00:00 bin/buildkitd
-rwxr-xr-x 0/0         7277848 2024-04-30 06:26 bin/bypass4netns
-rwxr-xr-x 0/0         5308416 2024-04-30 06:26 bin/bypass4netnsd
-rwxr-xr-x 0/0        38946168 2024-04-30 06:27 bin/containerd
-rwxr-xr-x 0/0         9474048 2023-11-02 17:34 bin/containerd-fuse-overlayfs-grpc
-rwxr-xr-x 0/0           21916 2024-04-30 06:26 bin/containerd-rootless-setuptool.sh
-rwxr-xr-x 0/0            7187 2024-04-30 06:26 bin/containerd-rootless.sh
-rwxr-xr-x 0/0        12161024 2024-04-30 06:28 bin/containerd-shim-runc-v2
-rwxr-xr-x 0/0        45903872 2023-10-31 08:57 bin/containerd-stargz-grpc
-rwxr-xr-x 0/0        20630617 2024-04-30 06:28 bin/ctd-decoder
-rwxr-xr-x 0/0        18870272 2024-04-30 06:27 bin/ctr
-rwxr-xr-x 0/0        29671743 2024-04-30 06:28 bin/ctr-enc
-rwxr-xr-x 0/0        19931136 2023-10-31 08:58 bin/ctr-remote
-rwxr-xr-x 0/0         1785448 2024-04-30 06:28 bin/fuse-overlayfs
-rwxr-xr-x 0/0        65589641 2024-04-30 06:27 bin/ipfs
-rwxr-xr-x 0/0        25088000 2024-04-30 06:26 bin/nerdctl
-rwxr-xr-x 0/0        10666181 2024-03-05 22:20 bin/rootlessctl
-rwxr-xr-x 0/0        12358373 2024-03-05 22:20 bin/rootlesskit
-rwxr-xr-x 0/0        15074072 2024-04-30 06:26 bin/runc
-rwxr-xr-x 0/0         2346328 2024-04-30 06:28 bin/slirp4netns
-rwxr-xr-x 0/0          870496 2024-04-30 06:28 bin/tini
drwxr-xr-x 0/0               0 2024-04-30 06:28 lib/
drwxr-xr-x 0/0               0 2024-04-30 06:28 lib/systemd/
drwxr-xr-x 0/0               0 2024-04-30 06:28 lib/systemd/system/
-rw-r--r-- 0/0            1475 2024-04-30 06:28 lib/systemd/system/buildkit.service
-rw-r--r-- 0/0            1414 2024-04-30 06:25 lib/systemd/system/containerd.service
-rw-r--r-- 0/0             312 2024-04-30 06:28 lib/systemd/system/stargz-snapshotter.service
drwxr-xr-x 0/0               0 2024-04-30 06:28 libexec/
drwxr-xr-x 0/0               0 2024-04-30 06:28 libexec/cni/
-rw-r--r-- 0/0           11357 2024-03-12 10:56 libexec/cni/LICENSE
-rw-r--r-- 0/0            2343 2024-03-12 10:56 libexec/cni/README.md
-rwxr-xr-x 0/0         4119661 2024-03-12 10:56 libexec/cni/bandwidth
-rwxr-xr-x 0/0         4662227 2024-03-12 10:56 libexec/cni/bridge
-rwxr-xr-x 0/0        11065251 2024-03-12 10:56 libexec/cni/dhcp
-rwxr-xr-x 0/0         4306546 2024-03-12 10:56 libexec/cni/dummy
-rwxr-xr-x 0/0         4751593 2024-03-12 10:56 libexec/cni/firewall
-rwxr-xr-x 0/0         4198427 2024-03-12 10:56 libexec/cni/host-device
-rwxr-xr-x 0/0         3560496 2024-03-12 10:56 libexec/cni/host-local
-rwxr-xr-x 0/0         4324636 2024-03-12 10:56 libexec/cni/ipvlan
-rwxr-xr-x 0/0         3651038 2024-03-12 10:56 libexec/cni/loopback
-rwxr-xr-x 0/0         4355073 2024-03-12 10:56 libexec/cni/macvlan
-rwxr-xr-x 0/0         4095898 2024-03-12 10:56 libexec/cni/portmap
-rwxr-xr-x 0/0         4476535 2024-03-12 10:56 libexec/cni/ptp
-rwxr-xr-x 0/0         3861176 2024-03-12 10:56 libexec/cni/sbr
-rwxr-xr-x 0/0         3120090 2024-03-12 10:56 libexec/cni/static
-rwxr-xr-x 0/0         4381887 2024-03-12 10:56 libexec/cni/tap
-rwxr-xr-x 0/0         3743844 2024-03-12 10:56 libexec/cni/tuning
-rwxr-xr-x 0/0         4319235 2024-03-12 10:56 libexec/cni/vlan
-rwxr-xr-x 0/0         4008392 2024-03-12 10:56 libexec/cni/vrf
drwxr-xr-x 0/0               0 2024-04-30 06:26 share/
drwxr-xr-x 0/0               0 2024-04-30 06:26 share/doc/
drwxr-xr-x 0/0               0 2024-04-30 06:26 share/doc/nerdctl/
-rw-r--r-- 0/0           12480 2024-04-30 06:20 share/doc/nerdctl/README.md
drwxr-xr-x 0/0               0 2024-04-30 06:20 share/doc/nerdctl/docs/
-rw-r--r-- 0/0            3953 2024-04-30 06:20 share/doc/nerdctl/docs/build.md
-rw-r--r-- 0/0            2570 2024-04-30 06:20 share/doc/nerdctl/docs/builder-debug.md
-rw-r--r-- 0/0            3996 2024-04-30 06:20 share/doc/nerdctl/docs/cni.md
-rw-r--r-- 0/0           74383 2024-04-30 06:20 share/doc/nerdctl/docs/command-reference.md
-rw-r--r-- 0/0            1814 2024-04-30 06:20 share/doc/nerdctl/docs/compose.md
-rw-r--r-- 0/0            5329 2024-04-30 06:20 share/doc/nerdctl/docs/config.md
-rw-r--r-- 0/0            9128 2024-04-30 06:20 share/doc/nerdctl/docs/cosign.md
-rw-r--r-- 0/0            5660 2024-04-30 06:20 share/doc/nerdctl/docs/cvmfs.md
-rw-r--r-- 0/0            2435 2024-04-30 06:20 share/doc/nerdctl/docs/dir.md
-rw-r--r-- 0/0             906 2024-04-30 06:20 share/doc/nerdctl/docs/experimental.md
-rw-r--r-- 0/0           14217 2024-04-30 06:20 share/doc/nerdctl/docs/faq.md
-rw-r--r-- 0/0             884 2024-04-30 06:20 share/doc/nerdctl/docs/freebsd.md
-rw-r--r-- 0/0            3228 2024-04-30 06:20 share/doc/nerdctl/docs/gpu.md
-rw-r--r-- 0/0           14463 2024-04-30 06:20 share/doc/nerdctl/docs/ipfs.md
-rw-r--r-- 0/0            1748 2024-04-30 06:20 share/doc/nerdctl/docs/multi-platform.md
-rw-r--r-- 0/0            2960 2024-04-30 06:20 share/doc/nerdctl/docs/notation.md
-rw-r--r-- 0/0            2596 2024-04-30 06:20 share/doc/nerdctl/docs/nydus.md
-rw-r--r-- 0/0            3277 2024-04-30 06:20 share/doc/nerdctl/docs/ocicrypt.md
-rw-r--r-- 0/0            1876 2024-04-30 06:20 share/doc/nerdctl/docs/overlaybd.md
-rw-r--r-- 0/0           15657 2024-04-30 06:20 share/doc/nerdctl/docs/registry.md
-rw-r--r-- 0/0            5088 2024-04-30 06:20 share/doc/nerdctl/docs/rootless.md
-rw-r--r-- 0/0            2015 2024-04-30 06:20 share/doc/nerdctl/docs/soci.md
-rw-r--r-- 0/0           10312 2024-04-30 06:20 share/doc/nerdctl/docs/stargz.md
drwxr-xr-x 0/0               0 2024-04-30 06:28 share/doc/nerdctl-full/
-rw-r--r-- 0/0            1154 2024-04-30 06:28 share/doc/nerdctl-full/README.md
-rw-r--r-- 0/0            6578 2024-04-30 06:28 share/doc/nerdctl-full/SHA256SUMS

The bundle contains the following packages:

# nerdctl (full distribution)
- nerdctl: v1.7.6
- containerd: v1.7.16
- runc: v1.1.12
- CNI plugins: v1.4.1
- BuildKit: v0.12.5
- Stargz Snapshotter: v0.15.1
- imgcrypt: v1.1.10
- RootlessKit: v2.0.2
- slirp4netns: v1.2.3
- bypass4netns: v0.4.0
- fuse-overlayfs: v1.13
- containerd-fuse-overlayfs: v1.0.8
- Kubo (IPFS): v0.27.0
- Tini: v0.19.0
- buildg: v0.4.1

## License
- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/v1.2.3/COPYING)
- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/v1.13/COPYING)
- bin/ipfs: [Combination of MIT-only license and dual MIT/Apache-2.0 license](https://github.com/ipfs/kubo/blob/v0.27.0/LICENSE)
- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)
- bin/tini: [MIT License](https://github.com/krallin/tini/blob/v0.19.0/LICENSE)
- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)

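Step 3: Configure systemd

If you intend to start containerd via systemd, you should also download the containerd.service unit file from raw.githubusercontent.com/containerd/… to /etc/systemd/system/containerd.service, and run the following commands. (The archive extracted in Step 2 also contains lib/systemd/system/containerd.service, which lands under /usr/local.)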

systemctl daemon-reload
systemctl enable --now containerd

Step 4: Change the containerd configuration

Generate the configuration file

mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml

Change the CNI directory location

vim /etc/containerd/config.toml
    [plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/usr/local/libexec/cni"
      conf_dir = "/etc/cni/net.d"
      conf_template = ""
      ip_pref = ""
      max_conf_num = 1
      setup_serially = false

Change the registry configuration directory

vim /etc/containerd/config.toml
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"

      [plugins."io.containerd.grpc.v1.cri".registry.auths]

      [plugins."io.containerd.grpc.v1.cri".registry.configs]

      [plugins."io.containerd.grpc.v1.cri".registry.headers]

      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]

    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
      tls_cert_file = ""
      tls_key_file = ""

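II. Configure registry mirrors

Registry mirror addresses | registry

1. Understanding config_path

Above we set config_path = "/etc/containerd/certs.d", so the per-registry configuration belongs under that directory. The directory should be laid out as follows: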

$ tree /etc/containerd/certs.d
/etc/containerd/certs.d
└── docker.io
    └── hosts.toml

$ cat /etc/containerd/certs.d/docker.io/hosts.toml
server = "https://docker.io"

[host."https://registry-1.docker.io"]
  capabilities = ["pull", "resolve"]

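Each directory is named after the registry host, and the hosts.toml inside it specifies the mirror to use for that registry.

2. Using registry mirrors

Write a shell script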

root@master1:/opt/k8s-init# cat registrys.sh 
#!/bin/bash

# Upstream registries and the mirror used for each (same index in both arrays)
dirs=(docker.io gcr.io ghcr.io k8s.gcr.io registry.k8s.io quay.io)
registrys=(docker.m.daocloud.io gcr.m.daocloud.io ghcr.m.daocloud.io k8s-gcr.m.daocloud.io k8s.m.daocloud.io quay.m.daocloud.io)

# mkdir -p is a no-op when the directory already exists
mkdir -p /etc/containerd/certs.d

for ((i=0; i<${#dirs[@]}; i++)); do
    # One directory per upstream registry host
    mkdir -p "/etc/containerd/certs.d/${dirs[i]}"
    host="[host.\"https://${registrys[i]}\"]\n    capabilities = [\"pull\", \"resolve\"]"
    # Quote the variable so the shell neither word-splits nor globs the [...] text
    echo -e "$host" > "/etc/containerd/certs.d/${dirs[i]}/hosts.toml"
done

Run the script

bash registrys.sh

Check the directory structure of /etc/containerd/certs.d.

tree /etc/containerd/certs.d/
/etc/containerd/certs.d/
├── docker.io
│   └── hosts.toml
├── gcr.io
│   └── hosts.toml
├── ghcr.io
│   └── hosts.toml
├── k8s.gcr.io
│   └── hosts.toml
├── quay.io
│   └── hosts.toml
└── registry.k8s.io
    └── hosts.toml
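
The hosts.toml files generated above route image pulls through third-party mirrors, so it is worth confirming that every endpoint stays on HTTPS with certificate verification and is limited to pull and resolve. The audit helper below is an added example, not part of the original post; it checks the hosts.toml fields server, capabilities and skip_verify by line matching and is not a full TOML parser.

```bash
#!/usr/bin/env bash
# Added example: audit the hosts.toml files under a certs.d directory for
# settings that weaken the trust placed in a registry mirror.

# audit_certs_d DIR
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_certs_d() {
    local dir="$1" findings
    findings=$(find "$dir" -type f -name hosts.toml | sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }    # ignore comment lines
            /^[ \t]*(server[ \t]*=[ \t]*|\[host\.)"http:\/\// {
                print file ": plaintext http endpoint: " $0 }
            /skip_verify[ \t]*=[ \t]*true/ {
                print file ": TLS certificate verification disabled" }
            /capabilities[ \t]*=.*"push"/ {
                print file ": mirror is allowed to receive pushes" }
        ' "$f"
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Usage: audit_certs_d /etc/containerd/certs.d || echo "review the findings above"
```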

III. Test

Run an nginx container

nerdctl --debug=true run -d --name nginx -p 80:80 nginx:alpine

List the containers

nerdctl ps -a
CONTAINER ID    IMAGE                             COMMAND                   CREATED           STATUS    PORTS                 NAMES
fce1a2183dd7    docker.io/library/nginx:alpine    "/docker-entrypoint.…"    37 minutes ago    Up        0.0.0.0:80->80/tcp    nginx

Open the page


Stop and remove the container

nerdctl rm -f nginx