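containerd has been part of Docker Engine from early on. It has now been split out of Docker Engine into an independent open source project whose goal is to provide a more open and stable foundation for running containers. The standalone containerd gains more functionality, covers everything that container runtime management requires, and provides stronger support.

containerd is an industry-standard container runtime that emphasizes simplicity, robustness and portability. It can take care of the following:

  • Managing the container lifecycle (from creating a container to destroying it)
  • Pulling and pushing container images
  • Storage management (storage for images and container data)
  • Invoking runc to run containers (interacting with container runtimes such as runc)
  • Managing container network interfaces and networks

containerd runs as a daemon on Linux and Windows and manages the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage, network attachments, and so on.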

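3.1 Advantages of containerd

  • A simple gRPC-based API and client library
  • Full OCI support (runtime and image spec)
  • Well-defined core container functionality that is both stable and high-performance
  • A decoupled system (image, filesystem and runtime are decoupled), allowing plugin-style extension and reuse

3.2 Why a standalone containerd is needed

  • It used to be part of the Docker project and has now been split out of the monolithic Docker engine (the open source project approach)
  • It can be used by projects such as the Kubernetes CRI (generalization)
  • It lays the groundwork for broad industry collaboration (just like runC)

3.3 containerd architecture diagram

The containerd architecture design diagram:

[Figure: containerd architecture diagram]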

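4. Installing containerd

For a video walkthrough of installation and usage, see "11_Containerd容器镜像管理_容器镜像管理命令_修改容器镜像tag" on bilibili.

containerd can be installed in two ways:

  1. Installation with yum
  2. Installation from the binary package

Both are demonstrated below.

4.1 Installing with yum

4.1.1 Environment

System and software versions:

  • CentOS 6.9
  • containerd 1.6.19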

4.1.2 Getting the yum repositories

```bash
# Back up the host's original yum repository files
cd /etc/yum.repos.d/
mkdir bak
mv *.repo bak/
```

```bash
# Add the Aliyun yum repositories
curl https://mirrors.aliyun.com/repo/Centos-7.repo -o /etc/yum.repos.d/Centos-7.repo
curl https://mirrors.aliyun.com/repo/epel-7.repo -o /etc/yum.repos.d/epel-7.repo
curl https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo  -o /etc/yum.repos.d/docker-ce.repo
```

```bash
# Look up the containerd.io package in the yum repositories
$ yum info containerd.io
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name        : containerd.io
Arch        : x86_64
Version     : 1.6.19
Release     : 3.1.el7
Size        : 34 M
Repo        : docker-ce-stable
Summary     : An industry-standard container runtime
URL         : https://containerd.io
License     : ASL 2.0
Description : containerd is an industry-standard container runtime with an emphasis on
            : simplicity, robustness and portability. It is available as a daemon for Linux
            : and Windows, which can manage the complete container lifecycle of its host
            : system: image transfer and storage, container execution and supervision,
            : low-level storage and network attachments, etc.
```

4.1.3 Installing with yum

```bash
# Install the containerd.io package
yum install -y containerd.io
```

4.1.4 Verifying the installation and starting the service

```bash
$ rpm -ql containerd.io
/etc/containerd
/etc/containerd/config.toml
/usr/bin/containerd
/usr/bin/containerd-shim
/usr/bin/containerd-shim-runc-v1
/usr/bin/containerd-shim-runc-v2
/usr/bin/ctr
/usr/bin/runc
/usr/lib/systemd/system/containerd.service
/usr/share/doc/containerd.io-1.6.19
/usr/share/doc/containerd.io-1.6.19/README.md
/usr/share/licenses/containerd.io-1.6.19
/usr/share/licenses/containerd.io-1.6.19/LICENSE
/usr/share/man/man5/containerd-config.toml.5
/usr/share/man/man8/containerd-config.8
/usr/share/man/man8/containerd.8
/usr/share/man/man8/ctr.8
```

```bash
# Start the service and enable it at boot
systemctl enable containerd ; systemctl start containerd
```

4.1.5 Verifying that it works

Installing containerd also installs the ctr command, a client tool used mainly to manage containers and container images. Use ctr to show the containerd client and server information.

```bash
$ ctr version
Client:
  Version:  1.6.19
  Revision: 1e1ea6e986c6c86565bc33d52e34b81b3e2bc71f
  Go version: go1.19.7

Server:
  Version:  1.6.19
  Revision: 1e1ea6e986c6c86565bc33d52e34b81b3e2bc71f
  UUID: 39c52ad7-5c2d-4d74-acd7-d027b90aec83
```

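4.2 Installing from the binary package

System and software versions:

  • CentOS 6.9
  • containerd 1.7.0

containerd is distributed as two kinds of packages:

  • The first, containerd-xxx, is fine for single-host testing. It does not include runC, which must be installed beforehand.
  • The second, cri-containerd-cni-xxx, includes runC and the related files that k8s needs. This is the package to use in a k8s cluster. Although it includes runC, that runC depends on seccomp being present on the system.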
4.2.1 Getting the package

Download page: https://github.com/containerd/containerd/releases

Download the containerd package:

```bash
wget https://github.com/containerd/containerd/releases/download/v1.7.0/cri-containerd-cni-1.7.0-linux-amd64.tar.gz
```

4.2.2 Installing containerd

Install containerd:

```bash
tar xf cri-containerd-cni-1.7.0-linux-amd64.tar.gz -C /
```

4.2.3 Generating the configuration file

```bash
# Create the directory
mkdir /etc/containerd
```

```bash
# Generate the configuration file
containerd config default > /etc/containerd/config.toml
```

Change the key parameters in the configuration file

1. Set SystemdCgroup to true

```bash
vim /etc/containerd/config.toml
```

```toml
...
SystemdCgroup = true
...
```

2. Add a registry mirror

  1. Edit the config.toml configuration file

```toml
[plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"  # directory holding the registry address configuration files
```

  2. Create the corresponding directory

```bash
mkdir -p /etc/containerd/certs.d/docker.io
```

  3. Configure the mirror

```bash
cat << EOF >> /etc/containerd/certs.d/docker.io/hosts.toml
server = "https://docker.io"
[host."https://docker.mirrors.ustc.edu.cn"]
EOF
```

  4. Restart containerd

```bash
systemctl restart containerd
```

4.2.4 Starting containerd

Start containerd:

```bash
systemctl enable containerd ; systemctl start containerd
```

4.2.5 Checking and verifying

```bash
$ ctr version
Client:
  Version:  v1.7.0
  Revision: 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d
  Go version: go1.20.2

Server:
  Version:  v1.7.0
  Revision: 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d
  UUID: 1f4630ff-27d5-46a4-b444-ca288c516127
```

4.2.6 Installing runC and verifying the result

The runC shipped in the binary package requires seccomp support to be installed on the system by default. That support has to be installed separately, and each runC version requires a matching seccomp version, so it is recommended to download the standalone runC binary instead, which includes seccomp support.

Download page: https://github.com/opencontainers/runc/releases

Download runC:

```bash
wget https://github.com/opencontainers/runc/releases/download/v1.1.5/runc.amd64
```

Install runC:

```bash
cp -a runc.amd64 /usr/local/sbin/runc
chmod +x /usr/local/sbin/runc
```

Verify runC:

```bash
$ runc -v
runc version 1.0.0-rc95
spec: 1.0.2-dev
go: go1.14.15
libseccomp: 2.5.1
```
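The files downloaded in 4.2.1 and 4.2.6 are unpacked into / and copied into /usr/local/sbin as root without an integrity check. The following is an added example, not part of the original article: shell functions that check a downloaded file against a sha256sum-format checksum file and reject archives whose member paths are absolute or contain `..` before extracting. The function names and the checksum file names in the usage comments are assumptions; use the checksum files published alongside the release assets.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Function names are
# hypothetical; nothing here is part of containerd or runc.

# verify_sha256 FILE SUMFILE
# SUMFILE is in sha256sum format: "<64 hex digits>  <file name>".
# Returns 0 only when SUMFILE has an entry for FILE's base name and the
# digest matches. 2 = missing file, 3 = no usable entry, 1 = mismatch.
verify_sha256() {
    local file="$1" sumfile="$2" name expected actual
    [ -f "$file" ] || return 2
    [ -f "$sumfile" ] || return 2
    name=$(basename -- "$file")
    # Accept the text ("  name") and binary (" *name") markers and "./name".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^\.\//, "", f) }
        f == n { print tolower($1); exit }' "$sumfile")
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 3
    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
}

# paths_safe: reads archive member names on stdin and fails if any name is
# absolute or has a ".." path component. It checks names only, not the
# targets of symlink members.
paths_safe() {
    ! grep -Eq '(^/|(^|/)\.\.(/|$))'
}

# archive_paths_safe ARCHIVE: list the members without extracting anything.
archive_paths_safe() {
    local listing
    listing=$(tar -tf "$1") || return 2
    printf '%s\n' "$listing" | paths_safe
}

# archive_top_dirs ARCHIVE: the top-level directories "tar -C /" would
# write into, so the operator can review them first.
archive_top_dirs() {
    tar -tf "$1" | sed -e 's|^\./||' -e 's|/.*||' | grep -v '^$' | sort -u
}

# checked_extract ARCHIVE SUMFILE DEST: extract only after both checks pass.
checked_extract() {
    local archive="$1" sumfile="$2" dest="$3"
    verify_sha256 "$archive" "$sumfile" ||
        { echo "checksum check failed: $archive" >&2; return 1; }
    archive_paths_safe "$archive" ||
        { echo "unsafe member path in: $archive" >&2; return 1; }
    tar -xf "$archive" -C "$dest"
}

# Usage with the files from this article (checksum file names are assumed):
#   checked_extract cri-containerd-cni-1.7.0-linux-amd64.tar.gz \
#       cri-containerd-cni-1.7.0-linux-amd64.tar.gz.sha256sum /
#   verify_sha256 runc.amd64 runc.sha256sum && cp -a runc.amd64 /usr/local/sbin/runc
```

A checksum downloaded from the same location as the file only detects corruption or a tampered mirror copy; where the project publishes signatures, verify those as well.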

5. containerd image management

The docker CLI provides features aimed at improving the user experience, and containerd provides a corresponding CLI tool as well: ctr. ctr is less full-featured than docker, but it has the basic image and container functions. The following sections show how to use it.

5.1 containerd image management commands

```bash
ctr i ls                                                                      # list images
ctr i pull docker.io/library/nginx:alpine                                     # pull an image
ctr i mount docker.io/library/nginx:alpine /mnt/                              # mount an image
ctr i export --platform linux/amd64 nginx.img docker.io/library/nginx:alpine  # export an image
ctr i rm docker.io/library/nginx:alpine                                       # remove an image
```

5.2 Listing images

```bash
# i is equivalent to images
$ ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
```

5.3 Pulling images

containerd supports OCI-standard images, so images from the official Docker registry or built from a Dockerfile can be used directly.

```bash
$ ctr i pull docker.io/library/nginx:alpine
docker.io/library/nginx:alpine:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:01ccf4035840dd6c25042b2b5f6b09dd265b4ed5aa7b93ccc4714027c0ce5685: done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c23b4f8cf279507bb1dd3d6eb2d15ca84fac9eac215ab5b529aa8b5a060294c8:    done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:8e75cbc5b25c8438fcfe2e7c12c98409d5f161cbb668d6c444e02796691ada70:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:2ce963c369bc5690378d31c51dc575c7035f6adfcc1e286051b5a5d9a7b0cc5c:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:59b9d2200e632e457f800814693b3a01adf09a244c38ebe8d3beef5c476c4c55:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3e1e579c95fece6bbe0cb9c8c2949512a3f8caaf9dbe6219dc6495abb9902040:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:547a97583f72a32903ca1357d48fa302e91e8f83ffa18e0c40fd87adb5c06025:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1f21f983520d9a440d410ea62eb0bda61a2b50dd79878071181b56b82efa9ef3:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 8.7 s                                                                    total:  16.0 M (1.8 MiB/s)
unpacking linux/amd64 sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f...
done: 1.595243191s
```

An image can be pulled for a specific system architecture. The pull above used the default platform, linux/amd64.

```bash
# Pull the image for the linux/arm64 platform
$ ctr i pull --platform linux/arm64 docker.io/library/nginx:alpine
docker.io/library/nginx:alpine:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f:    exists         |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:5a3980760a3e6bd779d6ff3a029d24044e7660a1600dfd2f72298bf4657f1f6c: done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:7bcac465295e8cfefa26d0ad33a638a0415ad7c4e1afba500b9633f97e277c3c:    done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:510900496a6c312a512d8f4ba0c69586e0fbd540955d65869b6010174362c313:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c41833b44d910632b415cd89a9cdaa4d62c9725dc56c99a7ddadafd6719960f9:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:2c2c9b85ac58c9f389d42b1033672337110dba86c12d1b0d5c7c384a7cfe110b:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:40f94fa3619489012a181c2b217548ea718fe485578eec4afdef4b14b3bc536e:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ae26f20697dc7e3b86701a83a1ed42b81b1755f0763130d7f6f816a39adaf388:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e4fa283fba0e8150c05ba453aed98ff4f4bdd65a6248837101fc16b489d1101e:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4c53b6cdc37bcca61cf31d3308b58fda6d7d3192ddd56559cca2f67eafcb0cc1:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 9.7 s                                                                    total:  15.4 M (1.6 MiB/s)
unpacking linux/arm64 sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f...
done: 1.660794241s
```

Check the result:

```bash
$ ctr i ls
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                          LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
```

5.4 Mounting an image

Mounting makes it easy to inspect what an image contains.

```bash
# Mount the pulled container image onto the local filesystem
$ ctr i mount docker.io/library/nginx:alpine /mnt/
sha256:f301a4112756ab559d9c78e8ed3625dab81f91803dfeabbc4f9184c878b1f3b1
/mnt/

$ ls /mnt/
bin/  dev/  docker-entrypoint.d/  docker-entrypoint.sh*  etc/  home/  lib/  media/  mnt/  opt/  proc/  root/  run/  sbin/  srv/  sys/  tmp/  usr/  var/
```

```bash
# Unmount
umount /mnt
```

5.5 Exporting an image

```bash
# Export the image
$ ctr i export --platform linux/amd64 nginx.img docker.io/library/nginx:alpine
$ du -sh nginx.img
17M     nginx.img
```

5.6 Removing an image

```bash
# Remove the specified container image
$ ctr i rm docker.io/library/nginx:alpine
docker.io/library/nginx:alpine

# List the container images again
$ ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
```

5.7 Importing an image

```bash
# Import the container image
ctr i import --platform linux/amd64 nginx.img
```

Note: export and import must both specify --platform, with the same value, otherwise an error is reported.

5.8 Changing an image tag

```bash
$ ctr i tag docker.io/library/nginx:alpine nginx:alpine
$ ctr i ls
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                          LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
nginx:alpine                   application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
```

After the change, compare the images:

```bash
$ ctr i check
REF                            TYPE                                                      DIGEST                                                                  STATUS         SIZE         UNPACKED
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f complete (8/8) 16.0 MiB/16.0 MiB true
nginx:alpine                   application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f complete (8/8) 16.0 MiB/16.0 MiB true
```

6. containerd container management

In containerd, containers come in two kinds: static containers and dynamic containers.

  • Static container: after the create command, the container is not running. It is only a static container, and the container object is just a data structure holding the resources and configuration a container needs.
  • Dynamic container: a container that is running and has user processes.

Note: in containerd, a container cannot be started without an image. The order must be: 1. pull the image; 2. start the container.

6.1 Listing containers

container refers to static containers and can be abbreviated to c.

```bash
$ ctr c ls
CONTAINER    IMAGE    RUNTIME

# or
$ ctr container ls
```

6.2 Listing tasks

A task is the process running in a container. task can be abbreviated to t.

```bash
ctr task ls
# or
ctr t ls
```

6.3 Creating a static container

```bash
$ ctr c create docker.io/library/nginx:alpine ngx
$ ctr c ls
CONTAINER    IMAGE                             RUNTIME
ngx          docker.io/library/nginx:alpine    io.containerd.runc.v2
```

```bash
# Show detailed information about the container
ctr c info ngx
```

6.4 Starting a static container as a dynamic container

```bash
# Starting a task runs a process in the container, which makes it a dynamic container
$ ctr t ls
TASK    PID    STATUS
$ ctr t start -d ngx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/

# Note: -d runs the task in the background, as in docker

# Look at the container's process on the host: it exists as an ordinary host process
$ ctr t ls
TASK    PID      STATUS
ngx     16045    RUNNING
```

```bash
# List the container's processes (all of them are processes on the physical host)
$ ctr t ps ngx
PID      INFO
16045    -
16080    -
16081    -
```

6.5 Entering a container

```bash
$ ctr t exec --exec-id 1 -t ngx sh
/ # ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# Access ngx directly
/ # curl -Is 127.0.0.1
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Mon, 03 Apr 2023 01:48:04 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 17:09:24 GMT
Connection: keep-alive
ETag: "64231f44-267"
Accept-Ranges: bytes
```

6.6 Running a dynamic container directly

```bash
$ ctr run -d --net-host docker.io/library/nginx:alpine ngx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/

# Notes:
# -d runs the container in the background
# --net-host makes the container's IP the host's IP (equivalent to the host network type in docker)

# Test whether it is running
$ curl -Is 127.0.0.1
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Mon, 03 Apr 2023 01:52:20 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 17:09:24 GMT
Connection: keep-alive
ETag: "64231f44-267"
Accept-Ranges: bytes
```

```bash
# List static containers
$ ctr c ls
CONTAINER    IMAGE                             RUNTIME
ngx          docker.io/library/nginx:alpine    io.containerd.runc.v2

# List dynamic containers
$ ctr t ls
TASK    PID      STATUS
ngx     16366    RUNNING

# Enter the container and look inside
$ ctr t exec --exec-id 1 ngx sh

ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:E8:88:2B
          inet addr:192.168.199.101  Bcast:192.168.199.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fee8:882b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:992892 errors:0 dropped:158 overruns:0 frame:0
          TX packets:72942 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:465982699 (444.3 MiB)  TX bytes:7003786 (6.6 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:848 (848.0 B)  TX bytes:848 (848.0 B)
```

```bash
# Add a page to the website running in the container
/ # echo "nginx" > /usr/share/nginx/html/index.html
/ # curl -s 127.0.0.1
nginx
/ # exit

# Access from the host:
$ curl localhost
nginx
$ curl 192.168.199.101
nginx
```

6.7 Pausing a container

Pause a container when you only want it to stop working for a while, for example to take a snapshot of its filesystem or because the host needs the CPU. A paused container uses no CPU resources.

```bash
# Check the container status
$ ctr t ls
TASK    PID      STATUS
ngx     16366    RUNNING

# Pause the container
$ ctr t pause ngx
$ ctr t ls
TASK    PID      STATUS
ngx     16366    PAUSED

# The website can no longer be reached from the host
$ curl -s 192.168.199.101
```

6.8 Resuming a container

```bash
# Use the resume command to resume the container
$ ctr t resume ngx
$ ctr t ls
TASK    PID      STATUS
ngx     16366    RUNNING
```

6.9 Stopping a container

```bash
# Use the kill command to stop the process running in the container, which stops the container
$ ctr t kill ngx
# The status changes from RUNNING to STOPPED
$ ctr t ls
TASK    PID      STATUS
ngx     16366    STOPPED
```

6.10 Deleting a container

A container must be stopped before it can be deleted.

```bash
$ ctr t ls
TASK    PID      STATUS
ngx     16366    STOPPED
$ ctr t rm ngx
$ ctr t ls
TASK    PID    STATUS

# The static container still exists on the system
$ ctr c ls
CONTAINER    IMAGE                             RUNTIME
ngx          docker.io/library/nginx:alpine    io.containerd.runc.v2
$ ctr c rm ngx
$ ctr c ls
CONTAINER    IMAGE    RUNTIME
```

7. Namespaces

containerd supports the concept of namespaces.

7.1 Listing namespaces

```bash
$ ctr namespace ls
NAME    LABELS
default

# or
$ ctr ns ls
NAME    LABELS
default
```

7.2 Creating a namespace

If no namespace is specified, ctr uses the default namespace. A namespace can also be created with the ns create command:

```bash
$ ctr ns create test
$ ctr ns ls
NAME    LABELS
default
test
```

7.3 Starting a container in a specific namespace

Question to verify: when the image exists in the default namespace, can a container be started in the test namespace?

```bash
$ ctr -n default i ls
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                          LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -

# Start a container in the test namespace
$ ctr -n test run -d docker.io/library/nginx:alpine ngx
ctr: image "docker.io/library/nginx:alpine": not found
```

The error says the image cannot be found, so namespaces isolate images as well.

Step 1: pull the image into the test namespace

```bash
# Note where the option goes in the command:
$ ctr -n test i pull docker.io/library/nginx:alpine

# List the images
$ ctr -n test i ls
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                          LABELS
docker.io/library/nginx:alpine application/vnd.docker.distribution.manifest.list.v2+json sha256:c94a22b036afa972426b82d5b0a49c959786005b4f6f81ac7467ca5538d0158f 16.0 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
```

Step 2: start the container

Before starting the container, make sure its ports do not conflict with containers in other namespaces; otherwise the container ends up in the STOPPED state.

```bash
$ ctr -n test run -d --net-host docker.io/library/nginx:alpine ngx
$ ctr -n test t ls
TASK    PID      STATUS
ngx     17853    RUNNING

$ curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Mon, 03 Apr 2023 03:53:51 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 17:09:24 GMT
Connection: keep-alive
ETag: "64231f44-267"
Accept-Ranges: bytes
```

7.4 Deleting a namespace

Try to delete a namespace that still has containers and images.

```bash
$ ctr ns rm test
ERRO[0000] unable to delete test                         error="namespace \"test\" must be empty, but it still has images, blobs, containers, snapshots on \"overlayfs\" snapshotter: failed precondition"
ctr: unable to delete test: namespace "test" must be empty, but it still has images, blobs, containers, snapshots on "overlayfs" snapshotter: failed precondition
```

This fails because the test namespace is not empty. The containers and images must be deleted first.

```bash
# Delete the container
$ ctr -n test t kill ngx
$ ctr  -n test t rm ngx
$ ctr -n test c rm ngx

# Delete the image
$ ctr -n test i rm docker.io/library/nginx:alpine
docker.io/library/nginx:alpine

# List tasks, containers and images
$ ctr -n test t ls ; ctr -n test c ls; ctr -n test i ls
TASK    PID    STATUS
CONTAINER    IMAGE    RUNTIME
REF TYPE DIGEST SIZE PLATFORMS LABELS

# Delete the namespace
$ ctr ns rm test
test
$ ctr ns ls
NAME    LABELS
default
```

7.5 How the namespaces differ

Docker also calls containerd by default. The containerd namespace that Docker uses is moby by default, not default, so if containers were started with docker, they can be located with ctr -n moby:

```bash
$ ctr -n moby c ls
CONTAINER    IMAGE    RUNTIME
```

Likewise, the default containerd namespace used by Kubernetes is k8s.io, so ctr -n k8s.io shows the containers created by Kubernetes.

```bash
$ ctr -n k8s.io c ls
CONTAINER    IMAGE    RUNTIME
```

Note: the namespaces (ns) of these three are different and must be told apart.

```text
containerd -> namespace (isolation) -> (not to be confused with namespaces in k8s) -> namespace + cgroup + rootfs
```
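Because ctr looks only at the default namespace unless -n is given, workloads started by Docker (moby), by Kubernetes (k8s.io) or in any other namespace do not show up in a plain ctr t ls. The following added example, which is not from the original article, walks every namespace using the ctr ns ls and ctr -n <ns> t ls commands shown above and reports namespaces outside an expected list. The function names, the CTR override variable and the allowlist are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): inventory tasks across all
# containerd namespaces instead of only "default".
# CTR is a hypothetical override so another binary path can be used.
CTR="${CTR:-ctr}"

# list_namespaces: first column of `ctr ns ls`, skipping the header line
# ("NAME    LABELS") and blank lines.
list_namespaces() {
    "$CTR" ns ls | awk 'NR > 1 && NF { print $1 }'
}

# list_all_tasks: one line per task in every namespace, tab separated:
#   namespace  task  pid  status
# Parses the "TASK PID STATUS" table printed by `ctr -n <ns> t ls`.
list_all_tasks() {
    local ns
    for ns in $(list_namespaces); do
        "$CTR" -n "$ns" t ls |
            awk -v ns="$ns" 'NR > 1 && NF {
                printf "%s\t%s\t%s\t%s\n", ns, $1, $2, $3
            }'
    done
}

# unexpected_namespaces "ns1 ns2 ...": namespaces that exist on this host
# but are not in the space-separated allowlist. A namespace nobody expects
# is worth reviewing, since its containers are invisible without -n.
unexpected_namespaces() {
    local allowed=" $1 " ns
    for ns in $(list_namespaces); do
        case "$allowed" in
            *" $ns "*) ;;
            *) printf '%s\n' "$ns" ;;
        esac
    done
}

# Usage on a host running containerd (allowlist taken from this article's
# three namespaces; adjust it to what the host is supposed to run):
#   list_all_tasks
#   unexpected_namespaces "default moby k8s.io"
```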