
Kubernetes(三)(3.2容器运行时)Containerd全面上手实践


本节内容:

整体结构

安装

镜像管理、容器管理

常用命令实践

containerd官网:https://containerd.io/。

基于工业标准。2019年2月28日在CNCF毕业。

守护进程,在windows和Linux都能正常运行。

负责管理容器的完整的生命周期、镜像的传输和存储、容器的执行。

更多信息内容参考官网。

架构如下:

image.png

注意:以后所有的虚拟机配置都必须先参考:

(虚拟机)Centos7.X-64bit操作系统初始化配置

此台虚拟机的前置设置内容(学习务必一致):

hostname docker-containerd
hostnamectl set-hostname docker-containerd

[root@XX network-scripts]# pwd
/etc/sysconfig/network-scripts
#IP后缀都改成11
[root@XX network-scripts]# vim ifcfg-ens33
[root@XX network-scripts]# vim ifcfg-ens37
[root@XX network-scripts]# systemctl restart network
vim /etc/hosts
127.0.0.1   localhost
172.16.1.11 docker-containerd

安装containerd

(下面下载的压缩包会以root身份解压并拷贝到系统目录,建议在解压前先用发布页提供的 sha256sum 校验文件核对压缩包的完整性。)

[root@docker-containerd ~]# mkdir containerd
[root@docker-containerd ~]# cd containerd
[root@docker-containerd containerd]# wget https://github.com/containerd/containerd/releases/download/v1.4.3/cri-containerd-cni-1.4.3-linux-amd64.tar.gz
[root@docker-containerd containerd]# tar -zxf cri-containerd-cni-1.4.3-linux-amd64.tar.gz
[root@docker-containerd containerd]# ll
total 96868
-rw-r--r-- 1 root root 99176835 Dec  1  2020 cri-containerd-cni-1.4.3-linux-amd64.tar.gz
drwxr-xr-x 4 root root     4096 Dec  1  2020 etc
drwxr-xr-x 4 root root     4096 Dec  1  2020 opt
drwxr-xr-x 3 root root     4096 Dec  1  2020 usr
[root@docker-containerd containerd]# find . -type f
#下面这俩目录和文件是不需要的,要删掉
[root@docker-containerd containerd]# rm -rf opt/
[root@docker-containerd containerd]# find . -type f
[root@docker-containerd containerd]# rm -rf ./etc/cni
[root@docker-containerd containerd]# find . -type f
./usr/local/bin/crictl
./usr/local/bin/containerd-shim-runc-v2
./usr/local/bin/containerd-shim
./usr/local/bin/containerd
./usr/local/bin/critest
./usr/local/bin/ctr
./usr/local/bin/containerd-shim-runc-v1
./usr/local/sbin/runc
./cri-containerd-cni-1.4.3-linux-amd64.tar.gz
#crictl命令的配置文件
./etc/crictl.yaml
#containerd的服务文件
./etc/systemd/system/containerd.service
[root@docker-containerd containerd]# cp -r usr/ /
#这里最好都加软链接
[root@docker-containerd containerd]# cp -r etc/ /
#可以看下containerd的服务配置
[root@docker-containerd containerd]# vim /etc/systemd/system/containerd.service 
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
#这是刚才拷贝过去的usr目录的命令
ExecStart=/usr/local/bin/containerd

[root@docker-containerd containerd]# ll /etc/|grep containerd
[root@docker-containerd containerd]# containerd -h
#可以看到containerd的一些公共信息
VERSION:
   v1.4.3

#containerd默认是有配置文件的
[root@docker-containerd containerd]# containerd config default
#当然containerd也可以自己生成一个配置文件,生成到默认的读取位置。
[root@docker-containerd containerd]# mkdir -p /etc/containerd
[root@docker-containerd containerd]# containerd config default > /etc/containerd/config.toml
[root@docker-containerd containerd]# vim /etc/containerd/config.toml
#如果是docker,那么是/var/lib/docker。这个目录修改为磁盘空间比较充足的位置,软链接也可以。
root = "/var/lib/containerd"
#这里从0改为比较小的值,系统内存不足的时候更不容易被杀掉,毕竟是守护进程,更不应该容易被杀掉。
oom_score = -999
#其他配置暂不关注,一下学习太多细节的东西,学习没好处,不好消化。
[root@docker-containerd containerd]# systemctl enable containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /etc/systemd/system/containerd.service.
[root@docker-containerd containerd]# systemctl status containerd
? containerd.service - containerd container runtime
   Loaded: loaded (/etc/systemd/system/containerd.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://containerd.io
#ctr可以看做是直接照着containerd的API设计的客户端工具
[root@docker-containerd containerd]# ctr -h
#可以看到containerd的一些公共信息
VERSION:
   v1.4.3
[root@docker-containerd containerd]# ctr i -h
#查看镜像列表,先启动containerd再运行
[root@docker-containerd containerd]# ctr i ls
ctr: failed to dial "/run/containerd/containerd.sock": context deadline exceeded
[root@docker-containerd containerd]# systemctl restart containerd
[root@docker-containerd containerd]# systemctl status containerd
#下面可以做下containerd的练习
#containerd自带的命令ctr
#看containerd的一些功能
[root@docker-containerd containerd]# ctr -h
USAGE:
   ctr [global options] command [command options] [arguments...]

VERSION:
   v1.4.3
COMMANDS:
#以下是比较重要的
   version                    print the client and server versions
   #管理容器
   containers, c, container   manage containers
   #管理镜像
   images, image, i           manage images
   #命名空间
   namespaces, namespace, ns  manage namespaces
   #启动容器
   run                        run a container
   #任务
   tasks, t, task             manage tasks

[root@docker-containerd containerd]# ctr i -h
[root@docker-containerd containerd]# ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
#这样无法解析地址,不是合法地址,如果是docker,那么在前面会默认加上地址
[root@docker-containerd containerd]# ctr i pull redis:alpine
ctr: failed to resolve reference "redis:alpine": parse "dummy://redis:alpine": invalid port ":alpine" after host
#在使用containerd时,一定要把地址写全。
[root@docker-containerd containerd]# ctr i pull docker.io/library/redis:alpine
#可以看到下载的镜像
[root@docker-containerd containerd]# ctr i ls
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                                LABELS 
docker.io/library/redis:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:40b02b7a48829317e973114d07968d28eaaf75ec6b80ddef20f3999238aad7c8 11.3 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x - 
#命名空间
[root@docker-containerd containerd]# ctr ns -h
[root@docker-containerd containerd]# ctr ns ls
NAME    LABELS 
#一个默认的命名空间default
default   
[root@docker-containerd containerd]# ll /var/lib/containerd/
total 32
drwxr-xr-x 4 root root 4096 Dec 14 14:06 io.containerd.content.v1.content
drwx--x--x 2 root root 4096 Dec 14 14:04 io.containerd.metadata.v1.bolt
drwx--x--x 2 root root 4096 Dec 14 14:04 io.containerd.runtime.v1.linux
drwx--x--x 2 root root 4096 Dec 14 14:04 io.containerd.runtime.v2.task
drwxr-xr-x 2 root root 4096 Dec 14 14:04 io.containerd.snapshotter.v1.btrfs
drwx------ 3 root root 4096 Dec 14 14:04 io.containerd.snapshotter.v1.native
drwx------ 3 root root 4096 Dec 14 14:06 io.containerd.snapshotter.v1.overlayfs
drwx------ 2 root root 4096 Dec 14 14:06 tmpmounts

安装docker

[root@docker-containerd containerd]# uname -r
#返回值大于3.10
3.10.0-1160.el7.x86_64
#参考安装docker步骤
http://www.imooc.com/article/16448
[root@docker-containerd containerd]# cat docker.sh 
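#!/bin/sh
# Install Docker CE on CentOS 7 from the docker-ce yum repository.
# Intended to be run as root, e.g. `/bin/sh docker.sh`.
#
# Section titles below are written as comments: as bare text lines the shell
# would try to execute them as commands and print "command not found".

# ------------ Remove old versions
# No -y here, so yum asks for confirmation before removing anything.
yum remove docker \
             docker-client \
             docker-client-latest \
             docker-common \
             docker-latest \
             docker-latest-logrotate \
             docker-logrotate \
             docker-engine

# ------------ Install the required packages
# yum-utils provides yum-config-manager;
# the other two are dependencies of the devicemapper storage driver.
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2

# ------------ Configure the yum repository
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo

# ------------ Install the latest version.
# The version the author ended up with: docker-ce.x86_64 3:20.10.2-3.el7
yum install -y docker-ce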
[root@docker-containerd containerd]# chmod +x docker.sh
[root@docker-containerd containerd]# /bin/sh docker.sh 
#我这里安装好的版本是
Installed:
  docker-ce.x86_64 3:20.10.21-3.el7                                                                                       

Dependency Installed:
  audit-libs-python.x86_64 0:2.8.5-4.el7                            checkpolicy.x86_64 0:2.5-8.el7                        
  container-selinux.noarch 2:2.119.2-1.911c772.el7_8                containerd.io.x86_64 0:1.6.9-3.1.el7                  
  docker-ce-cli.x86_64 1:20.10.21-3.el7                             docker-ce-rootless-extras.x86_64 0:20.10.21-3.el7     
  docker-scan-plugin.x86_64 0:0.21.0-3.el7                          fuse-overlayfs.x86_64 0:0.7.2-6.el7_8                 
  fuse3-libs.x86_64 0:3.6.1-4.el7                                   libcgroup.x86_64 0:0.41-21.el7                        
  libseccomp.x86_64 0:2.3.1-4.el7                                   libsemanage-python.x86_64 0:2.5-14.el7                
  policycoreutils-python.x86_64 0:2.5-34.el7                        python-IPy.noarch 0:0.75-6.el7                        
  setools-libs.x86_64 0:3.3.8-4.el7                                 slirp4netns.x86_64 0:0.4.3-4.el7_8
------------另外附上安装指定docker-ce版本的方式

#查询版本列表
$ yum list docker-ce --showduplicates | sort -r
#发现这个命令只有安装完docker后才有下述可安装列表
已加载插件:fastestmirror, langpacks
已安装的软件包
可安装的软件包
 * updates: mirrors.163.com
Loading mirror speeds from cached hostfile
 * extras: mirrors.163.com
docker-ce.x86_64            17.09.1.ce-1.el7.centos            docker-ce-stable
docker-ce.x86_64            17.09.0.ce-1.el7.centos            docker-ce-stable
...
#指定版本安装(这里的例子是安装上面列表中的第二个)
$ yum install -y docker-ce-17.09.0.ce
------------
#操作docker
[root@docker-containerd containerd]# systemctl status docker
? docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://docs.docker.com
[root@docker-containerd containerd]# systemctl start docker 
   Active: active (running) since Tue 2021-12-14 14:25:26 CST; 1s ago
[root@docker-containerd containerd]# systemctl status docker
[root@docker-containerd containerd]# ll /var/lib/docker/
total 44
drwx--x--x 4 root root 4096 Dec 14 14:25 buildkit
drwx--x--- 2 root root 4096 Dec 14 14:25 containers
drwx------ 3 root root 4096 Dec 14 14:25 image
drwxr-x--- 3 root root 4096 Dec 14 14:25 network
drwx--x--- 3 root root 4096 Dec 14 14:25 overlay2
drwx------ 4 root root 4096 Dec 14 14:25 plugins
drwx------ 2 root root 4096 Dec 14 14:25 runtimes
drwx------ 2 root root 4096 Dec 14 14:25 swarm
drwx------ 2 root root 4096 Dec 14 14:25 tmp
drwx------ 2 root root 4096 Dec 14 14:25 trust
drwx-----x 2 root root 4096 Dec 14 14:25 volumes

[root@docker-containerd containerd]# docker version
Client: Docker Engine - Community
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        baeda1f
 Built:             Tue Oct 25 18:04:24 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.21
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       3056208
  Built:            Tue Oct 25 18:02:38 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

[root@docker-containerd containerd]# docker pull redis:alpine
alpine: Pulling from library/redis
213ec9aee27d: Pull complete 
fb541f77610a: Pull complete 
dc2e3041aaa5: Pull complete 
aadae582a31f: Pull complete 
996b5def1876: Pull complete 
bed3be2507e6: Pull complete 
Digest: sha256:40b02b7a48829317e973114d07968d28eaaf75ec6b80ddef20f3999238aad7c8
Status: Downloaded newer image for redis:alpine
docker.io/library/redis:alpine
[root@docker-containerd containerd]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
redis        alpine    d29f18e8bc92   3 weeks ago   28.4MB

验证镜像存储目录不同


#Containerd有命名空间、查看镜像、容器的方式。如果系统里还有个docker,Docker pull下载之后,containerd的default命名空间中是否可以看到?

[root@docker-containerd containerd]# ctr ns ls
NAME    LABELS 
default  
#如果未显示containerd的default命名空间,那么就拉取一个镜像.
#如果这个时候未显示docker的moby命名空间,那么就拉取一个镜像.

#containerd已经下载过redis了,docker又下载了一遍,说明它俩存储的目录并不是一样的,它俩的目录并不是共享的

[root@docker-containerd containerd]# ctr ns ls
NAME    LABELS 
default  
moby

#显示docker的moby命名空间.当卸载了docker后,moby命名空间如何删除?
#这里使用K8S的话,会生成k8s.io的命名空间,并且只使用 k8s.io 的命名空间。

#核实containerd默认命名空间default下的镜像
[root@docker-containerd containerd]# ctr -n default i ls
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                                LABELS 
docker.io/library/redis:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:40b02b7a48829317e973114d07968d28eaaf75ec6b80ddef20f3999238aad7c8 11.3 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -  

#通过containerd查看docker命名空间moby下载的镜像是空的。
[root@docker-containerd containerd]# ctr -n moby i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS 
#用docker下载redis,还需要重新下载,说明存储的目录不同,和containerd的底层存储目录并不是共享的。
[root@docker-containerd containerd]# ll /var/lib/containerd/
[root@docker-containerd containerd]# ll /var/lib/docker/

#查看存储目录大小
[root@docker-containerd containerd]# du -sh /var/lib/containerd
45M     /var/lib/containerd
[root@docker-containerd containerd]# du -sm /var/lib/containerd
45      /var/lib/containerd
[root@docker-containerd containerd]# du -sh /var/lib/docker/
35M     /var/lib/docker/
[root@docker-containerd containerd]# du -sm /var/lib/docker/
35      /var/lib/docker/

共享镜像存储目录


[root@docker-containerd containerd]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
redis        alpine    3900abf41552   2 weeks ago   32.4MB

#使用阿里云镜像中心,创建个人镜像,创建命名空间。

image.png

#登录阿里云镜像库(注意下面输出中的警告:密码会以未加密的形式保存在 /root/.docker/config.json 中,可按提示配置 credential helper 来避免)
[root@docker-containerd containerd]# docker login --username=XX registry.cn-beijing.aliyuncs.com
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

#一种比较优雅的方式,给仓库打tag
[root@docker-containerd containerd]# docker tag redis:alpine registry.cn-beijing.aliyuncs.com/yazong/redis:alpine
#推送给仓库
[root@docker-containerd containerd]# docker push registry.cn-beijing.aliyuncs.com/yazong/redis:alpine
The push refers to repository [registry.cn-beijing.aliyuncs.com/yazong/redis]
1cabea1f4937: Pushed 
799b2ec874e0: Pushed 
9ab3e89e2c97: Pushed 
566910633016: Pushed 
6dbd9594c43d: Pushed 
994393dc58e7: Pushed 
alpine: digest: sha256:f0d4e9e7a59a94e096e22b825545d8dc1a04f501a9fff9dbb25c9d15dad19d16 size: 1571

[root@docker-containerd containerd]# docker images
REPOSITORY                                      TAG       IMAGE ID       CREATED       SIZE
registry.cn-beijing.aliyuncs.com/yazong/redis   alpine    d29f18e8bc92   3 weeks ago   28.4MB
redis                                           alpine    d29f18e8bc92   3 weeks ago   28.4MB

#核实阿里云个人镜像仓库是否推送上去yazong/redis:alpine

image.png

image.png

#测试ctr拉取docker推送到阿里云仓库的镜像
[root@docker-containerd containerd]# ctr i pull registry.cn-beijing.aliyuncs.com/yazong/redis:alpine
registry.cn-beijing.aliyuncs.com/yazong/redis:alpine: resolving      |--------------------------------------| 
elapsed: 0.4 s                                        total:   0.0 B (0.0 B/s)                               
#发现这个问题,其实应该考虑的是阿里云镜像的权限问题,而不是其他的情况,因为此时你并没有操作过别的权限内容。
ctr: failed to resolve reference "registry.cn-beijing.aliyuncs.com/yazong/redis:alpine": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

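#修改镜像仓库的权限为公开,而不是修改命名空间为公开!
#(公开后任何人都可以拉取该镜像,只适合不含敏感内容的练习镜像;私有仓库可以保持私有,用 ctr i pull --user 用户名 的方式带上凭据拉取,只写用户名时会提示输入密码,密码不会留在命令行历史里。)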

image.png

#说明containerd和docker的镜像是可以通用的
[root@docker-containerd containerd]# ctr i pull registry.cn-beijing.aliyuncs.com/yazong/redis:alpine
registry.cn-beijing.aliyuncs.com/yazong/redis:alpine:                             resolved       |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:f0d4e9e7a59a94e096e22b825545d8dc1a04f501a9fff9dbb25c9d15dad19d16: done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:bed3be2507e6c47aa154ced68ba7f7d2f8f455ac36d73a898af748663ebbe42f:    done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:d29f18e8bc92c5bd50db90a1dd37d8c62bb26220088ae9d97b4b07691f4e5641:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:213ec9aee27d8be045c6a92b7eac22c9a64b44558193775a1a7f626352392b49:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:fb541f77610a7550755893b11853752742e9b173e4e9967f4db6b02c2e51ce4a:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:dc2e3041aaa57579fe87bf26fbb56fcf7aef49b3f5a0e0ee37eab519855dd37e:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:aadae582a31f5fd67d2286cecf95c4045d2c9828c73dd7ffe8a866d7df916cff:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:996b5def187670b227d8b6c6081c0d35a03d4d95bbfd96c005fa9fd9204b97af:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 0.5 s                                                                    total:   0.0 B (0.0 B/s)                               
unpacking linux/amd64 sha256:f0d4e9e7a59a94e096e22b825545d8dc1a04f501a9fff9dbb25c9d15dad19d16...
done

#ctr拉取docker的镜像到ctr的命名空间存储目录中
[root@docker-containerd containerd]# ctr -n default i ls
REF                                                  TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                                LABELS 
docker.io/library/redis:alpine                       application/vnd.docker.distribution.manifest.list.v2+json sha256:40b02b7a48829317e973114d07968d28eaaf75ec6b80ddef20f3999238aad7c8 11.3 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -  
registry.cn-beijing.aliyuncs.com/yazong/redis:alpine application/vnd.docker.distribution.manifest.v2+json      sha256:f0d4e9e7a59a94e096e22b825545d8dc1a04f501a9fff9dbb25c9d15dad19d16 11.3 MiB linux/amd64

#容器管理:启动redis容器,镜像名,最后的redis名称是自己起的标识
[root@docker-containerd containerd]# ctr run -t -d registry.cn-beijing.aliyuncs.com/yazong/redis:alpine redis
#启动redis容器后的运行状态
[root@docker-containerd containerd]# ctr c ls
CONTAINER    IMAGE                                                   RUNTIME   
																	 #启动的是containerd的runc的v2版本
redis        registry.cn-beijing.aliyuncs.com/yazong/redis:alpine    io.containerd.runc.v2  
#containerd还有一个任务的概念,task,启动redis容器后的任务状态
[root@docker-containerd containerd]# ctr t ls
TASK     PID     STATUS 
#redis这个进程的运行状态   
redis    5018    RUNNING
#查看进程
[root@docker-containerd containerd]# ps -ef|grep redis
root       4999      1  0 22:58 ?        00:00:00 /usr/local/bin/containerd-shim-runc-v2 -namespace default -id redis -address /run/containerd/containerd.sock
polkitd    5018   4999  0 22:58 pts/0    00:00:01 redis-server *:6379
root       5073   1468  0 23:09 pts/0    00:00:00 grep --color=auto redis

#必须先停任务,再删任务.
[root@docker-containerd containerd]# ctr t rm redis
ERRO[0000] unable to delete redis                        error="task must be stopped before deletion: running: failed precondition"
ctr: task must be stopped before deletion: running: failed precondition
#杀掉任务
[root@docker-containerd containerd]# ctr t kill redis
[root@docker-containerd containerd]# ctr t ls
TASK     PID     STATUS  
redis    5018    STOPPED
[root@docker-containerd containerd]# ps -ef|grep redis
root       4999      1  0 22:58 ?        00:00:00 /usr/local/bin/containerd-shim-runc-v2 -namespace default -id redis -address /run/containerd/containerd.sock
root       5096   1468  0 23:10 pts/0    00:00:00 grep --color=auto redis
#删除任务
[root@docker-containerd containerd]# ctr t rm redis
#只有删除任务后才不显示任务列表
[root@docker-containerd containerd]# ctr t ls
TASK    PID    STATUS  
[root@docker-containerd containerd]# ps -ef|grep redis
root       5119   1468  0 23:14 pts/0    00:00:00 grep --color=auto redis
#任务不在了,但是容器依然会存在,这里的容器是指刚启动的容器,而不是镜像.
[root@docker-containerd containerd]# ctr c ls
CONTAINER    IMAGE                                                   RUNTIME        
redis        registry.cn-beijing.aliyuncs.com/yazong/redis:alpine    io.containerd.runc.v2  

#删除容器
[root@docker-containerd containerd]# ctr c rm redis
[root@docker-containerd containerd]# ctr c ls
CONTAINER    IMAGE    RUNTIME

容器关系

#考虑一下containerd中的容器和docker中的容器是什么关系

[root@docker-containerd containerd]# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

#运行docker容器的redis,加d后台运行
[root@docker-containerd containerd]# docker run -idt redis:alpine
ad89695bea6057258e6b545c4b65285aa2c676ed93966169ee87461af84579c7
[root@docker-containerd containerd]# docker ps
CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS        PORTS      NAMES
ad89695bea60   redis:alpine   "docker-entrypoint.s…"   2 seconds ago   Up 1 second   6379/tcp   serene_hermann
#看一下docker启动的这个容器跟containerd的关系
#查看docker容器所在的命名空间moby下的task任务
[root@docker-containerd containerd]# ctr -n moby t ls
TASK                                                                PID     STATUS  
#对应上面ad89695bea60
ad89695bea6057258e6b545c4b65285aa2c676ed93966169ee87461af84579c7    5203    RUNNING
#这里可以说明docker和containerd在容器管理上的区别:只是命名空间的不同!
#这里如果使用K8S的话,会生成k8s.io的命名空间,并且只使用 k8s.io 的命名空间。
#而在containerd的默认命名空间default下,看不到docker启动的task任务
[root@docker-containerd containerd]# ctr -n default t ls
TASK    PID    STATUS

K8S的crictl命令(二进制)

#用ctr命令有点不太顺手,K8S提供了一个工具crictl

#查看镜像
[root@docker-containerd containerd]# crictl images
IMAGE               TAG                 IMAGE ID            SIZE
#查看容器
[root@docker-containerd containerd]# crictl ps
CONTAINER           IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID
#查看PODS,这是docker所不具备的。
[root@docker-containerd containerd]# crictl pods
POD ID              CREATED             STATE               NAME                NAMESPACE           ATTEMPT             RUNTIME
#上述都是空,没有容器,没有镜像,没有POD,因为这里连k8s.io的命名空间都没有,而crictl是为K8S而生的,命令格式大部分与docker相同。
#可以在K8S的node节点上去使用这个工具。类似于替代docker。
#其中的命令基本上和docker是相通的,减少了命令切换的学习成本。K8S的操作大都使用这个命令。
[root@docker-containerd containerd]# crictl -h|less
[root@docker-containerd containerd]# which crictl
/usr/local/bin/crictl

小总结

image.png

ctr是containerd自带的客户端工具,可以对各种命名空间进行操作,几乎是照着containerd的API设计的客户端工具。
Docker底层仅使用containerd的moby命名空间,但这种使用仅限于容器而不包括镜像,因为镜像存储在不同的目录,完全是物理隔离的。
crictl是K8S的专用命令,用containerd的k8s.io这个命名空间去处理其容器和镜像。

命名空间(namespace)-->任务(task)-->镜像(image)

| 命令 | 命名空间(namespace) | 任务(task) | 镜像(image) |
| --- | --- | --- | --- |
| ctr | default | ctr -n default t ls | ctr i ls |
| ctr | moby | ctr -n moby t ls | ctr i ls |
| docker | moby | docker ps | docker images |
[root@docker-containerd containerd]# ctr -n default t ls
TASK    PID    STATUS  
[root@docker-containerd containerd]# ctr -n moby t ls   
TASK                                                                PID     STATUS  
ad89695bea6057258e6b545c4b65285aa2c676ed93966169ee87461af84579c7    5203    RUNNING
[root@docker-containerd containerd]# ctr i ls
REF                                                  TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                                LABELS 
docker.io/library/redis:alpine                       application/vnd.docker.distribution.manifest.list.v2+json sha256:40b02b7a48829317e973114d07968d28eaaf75ec6b80ddef20f3999238aad7c8 11.3 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -  
registry.cn-beijing.aliyuncs.com/yazong/redis:alpine application/vnd.docker.distribution.manifest.v2+json      sha256:f0d4e9e7a59a94e096e22b825545d8dc1a04f501a9fff9dbb25c9d15dad19d16 11.3 MiB linux/amd64                                                                              -  
[root@docker-containerd containerd]# docker ps
CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS          PORTS      NAMES
ad89695bea60   redis:alpine   "docker-entrypoint.s…"   59 minutes ago   Up 59 minutes   6379/tcp   serene_hermann
[root@docker-containerd containerd]# docker images
REPOSITORY                                      TAG       IMAGE ID       CREATED       SIZE
redis                                           alpine    d29f18e8bc92   3 weeks ago   28.4MB
registry.cn-beijing.aliyuncs.com/yazong/redis   alpine    d29f18e8bc92   3 weeks ago   28.4MB

标题:Kubernetes(三)(3.2容器运行时)Containerd全面上手实践
作者:yazong
地址:https://blog.llyweb.com/articles/2022/10/29/1666974476226.html