containerd is a container runtime that was split out of the docker project. It covers nearly all container-management functions, and because containerd has a built-in CRI plugin, the Kubernetes kubelet can call containerd directly; compared with the docker container runtime it is much leaner.
OCI (Container Runtime Interface, an open industry standard) sets the standard for container runtime specifications: it defines how the state of a container runtime is described and which container-management functions a runtime must provide. Any container runtime that conforms to the OCI interface can be called by Kubernetes.
To comply with the OCI specification, the docker project also restructured itself. Starting with version 1.11.0, the docker engine was split from a single component into four projects: 1. docker-daemon, 2. containerd (donated to the CNCF), 3. containerd-shim, 4. runc.
Installing containerd
Download the containerd binary package from the official releases page, choosing the version you need:
Releases · containerd/containerd · GitHub
Then follow the installation manual step by step.
Download and extract
wget https://github.com/containerd/containerd/releases/download/v2.1.4/containerd-2.1.4-linux-amd64.tar.gz
tar Cxzvf /usr/local containerd-2.1.4-linux-amd64.tar.gz
Create the systemd unit file
vim /usr/local/lib/systemd/system/containerd.service
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target dbus.service
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
# Enable start on boot
systemctl daemon-reload
systemctl enable --now containerd
Installing runc
Download the runc.<ARCH> binary from https://github.com/opencontainers/runc/releases, verify its sha256sum, and install it as /usr/local/sbin/runc:
$ install -m 755 runc.amd64 /usr/local/sbin/runc
Installing the CNI plugins
Download the cni-plugins-<OS>-<ARCH>-<VERSION>.tgz archive from https://github.com/containernetworking/plugins/releases, verify its sha256sum, and extract it to /opt/cni/bin:
$ mkdir -p /opt/cni/bin
$ tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
./
./macvlan
./static
./vlan
./portmap
./host-local
./vrf
./bridge
./tuning
./firewall
./host-device
./sbr
./loopback
./dhcp
./ptp
./ipvlan
./bandwidth
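Both the runc and CNI steps above say to verify the sha256sum before installing but show no command for it. The following is an added example, not code from the page or from the containerd, runc or CNI projects: a POSIX shell helper that checks a downloaded asset against the digest published with the release and only then runs the install(1) step. The digest file name runc.sha256sum in the usage comment is an assumption; confirm it on the release page.

```shell
# sha256_of FILE: hex digest via sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED: EXPECTED is either a bare 64-hex digest or a whole
# line from a published *.sha256sum file ("<digest>  <asset name>"). Returns 0 on
# match, 1 on mismatch, 2 if the expected value is not a usable digest.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | cut -d' ' -f1 | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*|'') echo "refusing to verify $file: not a hex digest: $2" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "refusing to verify $file: digest is not 64 hex chars" >&2; return 2; }
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK      $file"
  else
    echo "FAILED  $file: expected $expected, got $actual" >&2
    return 1
  fi
}

# install_verified FILE EXPECTED DEST MODE: the page's install(1) step, but the
# binary only lands in DEST after its digest has been checked.
install_verified() {
  verify_sha256 "$1" "$2" || return $?
  install -m "$4" "$1" "$3"
}

# Typical use with the runc asset named on this page (digest file downloaded
# from the same release; file name assumed, not executed here):
#   install_verified runc.amd64 "$(grep 'runc.amd64$' runc.sha256sum)" /usr/local/sbin/runc 755
```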
Installing the CRI command-line tool (optional)
crictl provides a command-line tool for CRI-compatible container runtimes. It lets CRI runtime developers debug their runtime without setting up Kubernetes components. crictl can be downloaded from the release page:
VERSION="v1.30.0" # check latest version in /releases page
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz
sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
rm -f crictl-$VERSION-linux-amd64.tar.gz
Configure the runtime endpoint
$ cat /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
Customizing the default containerd configuration
The default configuration can be generated with: containerd config default > /etc/containerd/config.toml
Configuration for Kubernetes
Configuring the systemd cgroup driver
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc]
  ...
  [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
    SystemdCgroup = true
Overriding the sandbox (pause) image
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.10"
Configuring image registries
Configure the registry endpoint
When using containerd, docker.io is the default image registry. As with docker, you can also configure other registries. To configure registries, create or modify /etc/containerd/config.toml as follows (the table name is plugins, plural; a plugin.* table is silently ignored by containerd):
# Config file is parsed as version 1 by default.
# To use the long form of plugin names set "version = 2"
# explicitly use v2 config format
version = 2
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.https-registry.io"]
    endpoint = ["https://HostIP1:Port1"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
    endpoint = ["http://HostIP2:Port2"]
  # wildcard matching is supported but not required.
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."*"]
    endpoint = ["https://HostIP3:Port3"]
# Configuration actually in use
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  # Mirrors for docker.io; several entries are supported, but docker.m.daocloud.io is currently public and stable.
  # When deployed on a cloud platform such as Alibaba Cloud or Huawei Cloud, add that provider's own accelerator here.
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://docker.m.daocloud.io",
                "https://docker.1ms.run",
                "https://docker.xuanyuan.me"]
  # Mirror of the official k8s.gcr.io registry, an Alibaba Cloud service; public and fast.
  # The problem is that this mirror does not support namespaces (it is flattened), so image names may need translating.
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
    endpoint = ["registry.cn-hangzhou.aliyuncs.com/google_containers"]
  # Mirror of the official Kubernetes registry, an Alibaba Cloud service; public and fast.
  # The problem is that this mirror does not support namespaces (it is flattened), so image names may need translating.
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
    endpoint = ["registry.cn-hangzhou.aliyuncs.com/google_containers"]
The endpoint value is a list and can contain several registry URLs separated by commas. When pulling an image from a registry, containerd tries these endpoint URLs in order and uses the first one that works. Note that if the default registry endpoint is not already specified in the endpoint list, it is tried last automatically, with the https scheme and the v2 path; for gcr.io, for example, that is https://gcr.io/v2.
As an example, for the image gcr.io/library/busybox:latest the endpoints are as follows:
1. gcr.io is configured: the endpoints for gcr.io + the default endpoint https://gcr.io/v2.
2. * is configured and gcr.io is not: the endpoints for * + the default endpoint https://gcr.io/v2.
3. None of the above is configured: the default endpoint https://gcr.io/v2.
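The endpoint-selection rules above, as an added example that is not part of the original page: a POSIX shell model of how containerd picks the endpoint order for an image reference. The mirror table is constructed inline from the mirrors configured earlier on this page plus a hypothetical "*" entry; the docker.io default host (registry-1.docker.io), the https:// assumed for a scheme-less endpoint, and the host-based check for an already-listed default follow containerd's CRI image-pull behaviour.

```shell
# Constructed stand-in for the registry.mirrors tables: "key endpoint..." per line.
MIRRORS='
docker.io https://docker.m.daocloud.io https://docker.1ms.run
registry.k8s.io registry.cn-hangzhou.aliyuncs.com/google_containers
* https://HostIP3:Port3
'
# Registry host of an image reference: first path component if it contains "."
# or ":" or is "localhost", otherwise docker.io (a bare "nginx:latest" has no host).
image_host() {
  first=${1%%/*}
  case "$1" in
    */*) case "$first" in
           *.*|*:*|localhost) printf '%s\n' "$first"; return 0 ;;
         esac ;;
  esac
  printf 'docker.io\n'
}
# Endpoints configured for mirror key $1, one per line; a scheme-less endpoint
# gets https://, as containerd assumes.
mirror_endpoints() {
  printf '%s\n' "$MIRRORS" | while read -r key rest; do
    [ "$key" = "$1" ] || continue
    for e in $rest; do
      case "$e" in *://*) printf '%s\n' "$e" ;; *) printf 'https://%s\n' "$e" ;; esac
    done
  done
  return 0
}
# Host part of an endpoint URL (scheme and path stripped).
endpoint_host() { h=${1#*://}; printf '%s\n' "${h%%/*}"; }
# Endpoint order containerd tries for image reference $1: the host's own mirrors,
# else the "*" mirrors, then the default endpoint unless a listed endpoint already
# points at the registry host itself.
resolve_endpoints() {
  host=$(image_host "$1")
  default_host=$host
  [ "$host" = docker.io ] && default_host=registry-1.docker.io  # containerd's docker.io default
  eps=$(mirror_endpoints "$host")
  [ -n "$eps" ] || eps=$(mirror_endpoints '*')
  have_default=no
  for e in $eps; do
    printf '%s\n' "$e"
    [ "$(endpoint_host "$e")" = "$default_host" ] && have_default=yes
  done
  [ "$have_default" = yes ] || printf 'https://%s/v2\n' "$default_host"
}
resolve_endpoints gcr.io/library/busybox:latest   # prints the "*" mirror, then https://gcr.io/v2
```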
After modifying this configuration, the containerd service must be restarted.