The origin and development of Containerd

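Docker rose rapidly and brought cloud computing into the container era. With its distinctive container architecture and container "images", Docker grew fast and dealt a crushing blow to other container technologies; many companies, Google included, could not compete with it. So that Docker would not take the whole market, Google and other internet companies worked with Docker, Inc. to promote an open-source container runtime as Docker's core dependency: Containerd. Containerd is an industry-standard container runtime that emphasizes simplicity, robustness and portability. It was born out of Docker and provides the following functions: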

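1. Managing the container lifecycle (from creating a container to destroying it)
2. Pulling and pushing container images
3. Storage management (managing the storage of images and container data)
4. Calling runc to run containers (interacting with container runtimes such as runc)
5. Managing container network interfaces and networks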

The Containerd architecture is shown in the figure below

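Later, Google, together with Red Hat and others, negotiated with Docker, Inc. to donate libcontainer to a neutral community (OCI, the Open Container Initiative) and rename it runc. After Docker, Inc. stepped back, Google and others jointly founded the CNCF (Cloud Native Computing Foundation) to pursue large-scale container orchestration and so counter Docker. Docker, Inc. launched Swarm to compete with Kubernetes, but the outcome is plain to see.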

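Kubernetes defined a set of interface rules, the CRI (Container Runtime Interface), and the first runtime to support it was Containerd. To keep supporting Docker, a shim was integrated into a dedicated component; it translates CRI calls into Docker API calls so that Docker can still be used. This article uses Kubeadm to deploy a specific version of Kubernetes and installs Containerd + Docker at the same time, so both container runtimes are supported. It draws on the articles "Containerd usage tutorial" and "Deploying a K8S cluster with kubeadm using containerd as the container runtime".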

Once the installation is complete, follow-up articles will summarize the basic K8s, Containerd and Docker commands. Discussion is welcome.


Next we install kubernetes + Containerd + Docker hands-on

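  • This installation is mainly for learning how a specific version of kubernetes is installed and how its components are configured; for production use, add whatever components you need on the nodes
  • Earlier articles explain how to install the CentOS operating system: see "Installing and configuring a CentOS 7 virtual machine (detailed edition)" to install a virtual machine, or "Installing CentOS 7 on a physical machine (USB install), detailed edition" to set up a physical machine, and "Connecting to a LAN virtual machine with MobaXterm" to connect to the virtual machine; you can also work on the virtual machine directly. (Beginners can complete the K8s + Containerd + Docker installation by following this article alone; parameters that need changing are pointed out explicitly.)
  • On a freshly installed operating system you can install the following components for convenience (otherwise skip this first stage and go straight to the preparation work); see the tool-installation part of "Deploying kubernetes from binary packages (detailed edition)"
  • Everything shown in a bash input box is a command and can be copied and used directly
  • For a virtual-machine installation, prepare two CentOS virtual machines: one master and one node
  • This article uses two virtual machines: one is both master and node (achieved with a taint), the other is a node
  • The system used in this article is CentOS 7 with kernel 5.4.207-1.el7.elrepo.x86_64 (see "Upgrading the CentOS 7 kernel: fully illustrated edition" to upgrade the kernel), with more than 1 GB of memory and more than 20 GB of disk; a physical or a virtual machine both work
  • If errors occur during installation, I collect the problems I ran into at the end of the article; refer to "Problems encountered during installation in this article" to resolve them.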

Overall plan

Hostname   IP address        Role
master     192.168.110.129   master
node1      192.168.110.130   node1

Components on master and node1 in this article

Role     Components
master   docker, containerd, kubelet, kubeadm, kubectl
node1    docker, containerd, kubelet, kubeadm, kubectl

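1. Preparation

The host IPs used in this article are 192.168.110.129 (master) and 192.168.110.130 (node1); substitute your own hosts' IPs. This will not be repeated later. After each bash code box (the commands to run), the output from this article's own run is shown (usually with a root@hostname prompt), so you can compare and see whether your run has a problem.

1) Set the hostname (this article uses the root user; non-root users can prefix the commands with sudo). This step can be skipped; it changes the hostnames to master and node1.

On host master (192.168.110.129), change the hostname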

hostnamectl set-hostname master

On host node1 (192.168.110.130), change the hostname

hostnamectl set-hostname node1

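2) Edit the /etc/hosts file and add the hostname-to-IP mappings (master: 192.168.110.129, node1: 192.168.110.130) (required on both machines)

vim /etc/hosts

Press i to enter insert mode and change /etc/hosts to the following (replace the IPs with your own hosts' IPs; this will not be repeated)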

[root@localhost ~]# cat /etc/hosts
192.168.110.129 master
192.168.110.130 node1

Save and exit with :wq

reboot

After the reboot the hostnames are master and node1, and 192.168.110.129 and 192.168.110.130 can be reached by the names master and node1

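3) Turn off the firewall: stop the service, disable it at boot, and flush the firewall rules (required on both machines)

sudo systemctl stop firewalld && sudo systemctl disable firewalld

Check the firewall status; it should be stopped

systemctl status firewalld

[root@master ~]# systemctl stop firewalld && sudo systemctl disable firewalld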
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@master ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

7月 28 20:03:32 master systemd[1]: Starting firewalld - dynamic firewall daemon...
7月 28 20:03:33 master systemd[1]: Started firewalld - dynamic firewall daemon.
7月 28 20:03:33 master firewalld[875]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configu...t now.
7月 28 20:10:41 master systemd[1]: Stopping firewalld - dynamic firewall daemon...
7月 28 20:10:41 master systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.

sudo iptables -F && sudo iptables -X && sudo iptables -F -t nat && sudo iptables -X -t nat
sudo iptables -P FORWARD ACCEPT

4) If swap is enabled, kubelet fails to start (this can be ignored by setting the --fail-swap-on parameter to false), so swap must be turned off on every machine (required on both machines)

sudo swapoff -a

To prevent the swap partition from being mounted automatically at boot, comment out the corresponding entry in /etc/fstab:

sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

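5) Disable SELinux; otherwise K8S may later report Permission denied when mounting directories (required on both machines)

sudo setenforce 0

Edit the configuration file so that the change is permanent:

vi /etc/selinux/config

Set SELINUX=disabled, then save and exit with :wq

Check /etc/selinux/config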

grep SELINUX /etc/selinux/config
SELINUX=disabled

Result in this article

[root@master ~]# sudo iptables -F && sudo iptables -X && sudo iptables -F -t nat && sudo iptables -X -t nat
[root@master ~]# sudo iptables -P FORWARD ACCEPT
[root@master ~]# sudo swapoff -a
[root@master ~]# sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
[root@master ~]# sudo setenforce 0
[root@master ~]# vi /etc/selinux/config
[root@master ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted

6) Time synchronization (required on both machines)

yum install ntpdate -y && ntpdate time.windows.com

7) Configure kernel parameters (required on both machines)

cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

[root@master ~]# yum install ntpdate -y && ntpdate time.windows.com
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * elrepo: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.ustc.edu.cn
 * updates: mirrors.ustc.edu.cn
base                                                                                                   | 3.6 kB  00:00:00
elrepo                                                                                                 | 3.0 kB  00:00:00
extras                                                                                                 | 2.9 kB  00:00:00
mysql-connectors-community                                                                             | 2.6 kB  00:00:00
mysql-tools-community                                                                                  | 2.6 kB  00:00:00
mysql57-community                                                                                      | 2.6 kB  00:00:00
updates                                                                                                | 2.9 kB  00:00:00
(1/3): mysql-tools-community/x86_64/primary_db                                                         |  87 kB  00:00:00
(2/3): mysql-connectors-community/x86_64/primary_db                                                    |  90 kB  00:00:00
(3/3): mysql57-community/x86_64/primary_db                                                             | 315 kB  00:00:00
软件包 ntpdate-4.2.6p5-29.el7.centos.2.x86_64 已安装并且是最新版本
无须任何处理
28 Jul 12:25:30 ntpdate[3081]: step time server 20.189.79.72 offset -28799.842816 sec
[root@master ~]# cat > /etc/sysctl.d/k8s.conf <<EOF
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@master ~]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /usr/lib/sysctl.d/60-libvirtd.conf ...
fs.aio-max-nr = 1048576
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/k8s.conf ...
* Applying /etc/sysctl.conf ...

8) Configure br_netfilter; without it, initialization is prone to errors


modprobe br_netfilter
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/ipv4/ip_forward

Preparation is complete!
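A check that preparation steps 4, 7 and 8 took effect and will survive a reboot, added here as an example and not part of the original article. The function name check_k8s_prep and its optional root-prefix argument are assumptions; the modprobe and the two echo writes in step 8 are lost at the next reboot unless they are also persisted, which is what the WARN lines report.

```shell
#!/bin/sh
# Added example: verify preparation steps 4, 7 and 8 of this article.
# check_k8s_prep [ROOT]
#   ROOT is a hypothetical prefix so the same checks can run against a
#   constructed directory tree; empty means the live system.
# Prints FAIL lines (current state is wrong) and WARN lines (state is lost
# on reboot). Returns 1 if any FAIL line was printed, otherwise 0.
check_k8s_prep() {
  local root="${1:-}" rc=0 key file val

  # Step 4: /proc/swaps has one line per active swap area after its header.
  if [ -n "$(tail -n +2 "$root/proc/swaps" 2>/dev/null)" ]; then
    echo "FAIL swap is active (swapoff -a)"; rc=1
  fi
  # Step 4: an uncommented swap entry in fstab turns swap back on at boot.
  if grep -Eqs '^[[:space:]]*[^#[:space:]].*[[:space:]]swap[[:space:]]' \
       "$root/etc/fstab"; then
    echo "FAIL /etc/fstab still has an active swap entry"; rc=1
  fi

  # Steps 7 and 8: runtime values. The bridge keys only exist once the
  # br_netfilter module is loaded, so a missing file is reported as such.
  for key in net/bridge/bridge-nf-call-iptables \
             net/bridge/bridge-nf-call-ip6tables \
             net/ipv4/ip_forward; do
    file="$root/proc/sys/$key"
    if [ ! -r "$file" ]; then
      echo "FAIL $key missing (is br_netfilter loaded?)"; rc=1
    else
      val="$(tr -d '[:space:]' < "$file")"
      if [ "$val" != "1" ]; then
        echo "FAIL $key = $val, expected 1"; rc=1
      fi
    fi
  done

  # Persistence: systemd-modules-load reads /etc/modules-load.d/*.conf at
  # boot, and sysctl --system reads /etc/sysctl.conf and /etc/sysctl.d/*.conf.
  if ! grep -Eqs '^[[:space:]]*br_netfilter[[:space:]]*$' \
       "$root"/etc/modules-load.d/*.conf; then
    echo "WARN br_netfilter is not listed in /etc/modules-load.d/*.conf"
  fi
  for key in net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward; do
    if ! grep -Eqs "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*\$" \
         "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf; then
      echo "WARN $key = 1 is not persisted in /etc/sysctl.conf or /etc/sysctl.d"
    fi
  done
  return "$rc"
}
```

On a node, call check_k8s_prep with no argument. To clear the two warnings this article's steps leave behind, list br_netfilter in a file under /etc/modules-load.d and add net.ipv4.ip_forward = 1 to /etc/sysctl.d/k8s.conf.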

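2. Install Containerd (required on both machines)

Install the packages Containerd depends on, set up the yum repository, and list the available Containerd versions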

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum list | grep containerd

[root@node1 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * elrepo: mirrors.tuna.tsinghua.edu.cn
 * extras: ftp.sjtu.edu.cn
 * updates: ftp.sjtu.edu.cn
base                                                                                                   | 3.6 kB  00:00:00
elrepo                                                                                                 | 3.0 kB  00:00:00
extras                                                                                                 | 2.9 kB  00:00:00
updates                                                                                                | 2.9 kB  00:00:00
(1/2): elrepo/primary_db                                                                               | 396 kB  00:00:02
(2/2): updates/7/x86_64/primary_db                                                                     |  16 MB  00:00:21
软件包 yum-utils-1.1.31-54.el7_8.noarch 已安装并且是最新版本
软件包 device-mapper-persistent-data-0.8.5-3.el7_9.2.x86_64 已安装并且是最新版本
软件包 7:lvm2-2.02.187-6.el7_9.5.x86_64 已安装并且是最新版本
无须任何处理
[root@node1 ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
已加载插件:fastestmirror, langpacks
adding repo from: http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
grabbing file http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@node1 ~]# yum list | grep containerd
containerd.io.x86_64                      1.6.6-3.1.el7                docker-ce-stable

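Choose the Containerd version to install, for example containerd.io-1.6.6-3.1.el7 (any version that appears in the query result above can be chosen; this article uses containerd.io-1.6.6-3.1.el7). To install the default version, use the following command

yum -y install containerd

To install a specific version, with containerd.io-1.6.6-3.1.el7 as the example here

yum -y install containerd.io-1.6.6-3.1.el7

[root@node1 ~]# yum -y install containerd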
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * elrepo: mirrors.tuna.tsinghua.edu.cn
 * extras: ftp.sjtu.edu.cn
 * updates: ftp.sjtu.edu.cn
正在解决依赖关系
There are unfinished transactions remaining. You might consider running yum-complete-transaction, or "yum-complete-transaction --cleanup-only" and "yum history redo last", first to finish them. If those don't work you'll have to try removing/installing packages by hand (maybe package-cleanup can help).
--> 正在检查事务
---> 软件包 containerd.io.x86_64.0.1.6.6-3.1.el7 将被 安装
--> 正在处理依赖关系 container-selinux >= 2:2.74,它被软件包 containerd.io-1.6.6-3.1.el7.x86_64 需要
--> 正在检查事务
---> 软件包 container-selinux.noarch.2.2.119.2-1.911c772.el7_8 将被 安装
--> 解决依赖关系完成

依赖关系解决

==============================================================================================================================
 Package                       架构               版本                                     源                            大小
==============================================================================================================================
正在安装:
 containerd.io                 x86_64             1.6.6-3.1.el7                            docker-ce-stable              33 M
为依赖而安装:
 container-selinux             noarch             2:2.119.2-1.911c772.el7_8                extras                        40 k

事务概要
==============================================================================================================================
安装  1 软件包 (+1 依赖软件包)

总下载量:33 M
安装大小:125 M
Downloading packages:
(1/2): container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm                                            |  40 kB  00:00:00
warning: /var/cache/yum/x86_64/7/docker-ce-stable/packages/containerd.io-1.6.6-3.1.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY
containerd.io-1.6.6-3.1.el7.x86_64.rpm 的公钥尚未安装
(2/2): containerd.io-1.6.6-3.1.el7.x86_64.rpm                                                          |  33 MB  00:00:44
------------------------------------------------------------------------------------------------------------------------------
总计                                                                                          760 kB/s |  33 MB  00:00:44
从 https://mirrors.aliyun.com/docker-ce/linux/centos/gpg 检索密钥
导入 GPG key 0x621E9F35:
 用户ID     : "Docker Release (CE rpm) <docker@docker.com>"
 指纹       : 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35
 来自       : https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch                                                        1/2
  正在安装    : containerd.io-1.6.6-3.1.el7.x86_64                                                                        2/2
  验证中      : containerd.io-1.6.6-3.1.el7.x86_64                                                                        1/2
  验证中      : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch                                                        2/2

已安装:
  containerd.io.x86_64 0:1.6.6-3.1.el7

作为依赖被安装:
  container-selinux.noarch 2:2.119.2-1.911c772.el7_8

完毕!

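Create the Containerd configuration file and modify it

Containerd's default configuration file is /etc/containerd/config.toml. A default configuration can be generated with a command. All Containerd-related files go in the /etc/containerd folder, so create that folder and generate the Containerd configuration file.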

mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml

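Pulling from public image registries is slow from within China, so to save pull time, configure registry mirrors for Containerd. Containerd differs from Docker here as follows (from the article "Containerd usage tutorial"):

  • Containerd only supports mirrors for images pulled through CRI; that is, a mirror takes effect only when pulling with crictl or through K8s, and not when pulling with ctr.
  • Docker only supports configuring a mirror for Docker Hub, whereas Containerd supports configuring a mirror for any image registry.

The configuration file is shown below; the registry block in it needs to be modified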


[root@node1 ~]# cat /etc/containerd/config.toml
disabled_plugins = []
imports = []
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/var/lib/containerd"
state = "/run/containerd"
temp = ""
version = 2

[cgroup]
  path = ""

[debug]
  address = ""
  format = ""
  gid = 0
  level = ""
  uid = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216
  tcp_address = ""
  tcp_tls_ca = ""
  tcp_tls_cert = ""
  tcp_tls_key = ""
  uid = 0

[metrics]
  address = ""
  grpc_histogram = false

[plugins]

  [plugins."io.containerd.gc.v1.scheduler"]
    deletion_threshold = 0
    mutation_threshold = 100
    pause_threshold = 0.02
    schedule_delay = "0s"
    startup_delay = "100ms"

  [plugins."io.containerd.grpc.v1.cri"]
    device_ownership_from_security_context = false
    disable_apparmor = false
    disable_cgroup = false
    disable_hugetlb_controller = true
    disable_proc_mount = false
    disable_tcp_service = true
    enable_selinux = false
    enable_tls_streaming = false
    enable_unprivileged_icmp = false
    enable_unprivileged_ports = false
    ignore_image_defined_volumes = false
    max_concurrent_downloads = 3
    max_container_log_line_size = 16384
    netns_mounts_under_state_dir = false
    restrict_oom_score_adj = false
    sandbox_image = "k8s.gcr.io/pause:3.6"
    selinux_category_range = 1024
    stats_collect_period = 10
    stream_idle_timeout = "4h0m0s"
    stream_server_address = "127.0.0.1"
    stream_server_port = "0"
    systemd_cgroup = false
    tolerate_missing_hugetlb_controller = true
    unset_seccomp_profile = ""

    [plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      conf_template = ""
      ip_pref = ""
      max_conf_num = 1

    [plugins."io.containerd.grpc.v1.cri".containerd]
      default_runtime_name = "runc"
      disable_snapshot_annotations = true
      discard_unpacked_layers = false
      ignore_rdt_not_enabled_errors = false
      no_pivot = false
      snapshotter = "overlayfs"

      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
        base_runtime_spec = ""
        cni_conf_dir = ""
        cni_max_conf_num = 0
        container_annotations = []
        pod_annotations = []
        privileged_without_host_devices = false
        runtime_engine = ""
        runtime_path = ""
        runtime_root = ""
        runtime_type = ""

        [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]

        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          base_runtime_spec = ""
          cni_conf_dir = ""
          cni_max_conf_num = 0
          container_annotations = []
          pod_annotations = []
          privileged_without_host_devices = false
          runtime_engine = ""
          runtime_path = ""
          runtime_root = ""
          runtime_type = "io.containerd.runc.v2"

          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            BinaryName = ""
            CriuImagePath = ""
            CriuPath = ""
            CriuWorkPath = ""
            IoGid = 0
            IoUid = 0
            NoNewKeyring = false
            NoPivotRoot = false
            Root = ""
            ShimCgroup = ""
            SystemdCgroup = false

      [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
        base_runtime_spec = ""
        cni_conf_dir = ""
        cni_max_conf_num = 0
        container_annotations = []
        pod_annotations = []
        privileged_without_host_devices = false
        runtime_engine = ""
        runtime_path = ""
        runtime_root = ""
        runtime_type = ""

        [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]

    [plugins."io.containerd.grpc.v1.cri".image_decryption]
      key_model = "node"

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""

      [plugins."io.containerd.grpc.v1.cri".registry.auths]

      [plugins."io.containerd.grpc.v1.cri".registry.configs]

      [plugins."io.containerd.grpc.v1.cri".registry.headers]

      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]

    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
      tls_cert_file = ""
      tls_key_file = ""

  [plugins."io.containerd.internal.v1.opt"]
    path = "/opt/containerd"

  [plugins."io.containerd.internal.v1.restart"]
    interval = "10s"

  [plugins."io.containerd.internal.v1.tracing"]
    sampling_ratio = 1.0
    service_name = "containerd"

  [plugins."io.containerd.metadata.v1.bolt"]
    content_sharing_policy = "shared"

  [plugins."io.containerd.monitor.v1.cgroups"]
    no_prometheus = false

  [plugins."io.containerd.runtime.v1.linux"]
    no_shim = false
    runtime = "runc"
    runtime_root = ""
    shim = "containerd-shim"
    shim_debug = false

  [plugins."io.containerd.runtime.v2.task"]
    platforms = ["linux/amd64"]
    sched_core = false

  [plugins."io.containerd.service.v1.diff-service"]
    default = ["walking"]

  [plugins."io.containerd.service.v1.tasks-service"]
    rdt_config_file = ""

  [plugins."io.containerd.snapshotter.v1.aufs"]
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.btrfs"]
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.devmapper"]
    async_remove = false
    base_image_size = ""
    discard_blocks = false
    fs_options = ""
    fs_type = ""
    pool_name = ""
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.native"]
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.overlayfs"]
    root_path = ""
    upperdir_label = false

  [plugins."io.containerd.snapshotter.v1.zfs"]
    root_path = ""

  [plugins."io.containerd.tracing.processor.v1.otlp"]
    endpoint = ""
    insecure = false
    protocol = ""

[proxy_plugins]

[stream_processors]

  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
    path = "ctd-decoder"
    returns = "application/vnd.oci.image.layer.v1.tar"

  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
    path = "ctd-decoder"
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"

[timeouts]
  "io.containerd.timeout.bolt.open" = "0s"
  "io.containerd.timeout.shim.cleanup" = "5s"
  "io.containerd.timeout.shim.load" = "5s"
  "io.containerd.timeout.shim.shutdown" = "3s"
  "io.containerd.timeout.task.state" = "2s"

[ttrpc]
  address = ""
  gid = 0
  uid = 0

vim /etc/containerd/config.toml

Press i to enter insert mode and modify the following part (add it under plugins."io.containerd.grpc.v1.cri".registry.mirrors) to add the mirror sources; when done, save and exit with :wq

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://dockerhub.mirrors.nwafu.edu.cn"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
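    endpoint = ["https://registry.aliyuncs.com/k8sxio"]

  • registry.mirrors."xxx": the image registry for which a mirror is configured. For example, registry.mirrors."docker.io" configures the mirror for docker.io.
  • endpoint: the image acceleration service that provides the mirror. For example, the image acceleration service provided by Northwest A&F University is recommended here as the mirror for docker.io.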
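Every endpoint listed under registry.mirrors is trusted to serve images on behalf of the registry it mirrors, so it is worth listing exactly where a node will pull from. The following added example (not from the original article) extracts the mirror endpoints and sandbox_image from a config.toml and flags endpoints without TLS; the function names and the registry.example.internal entry in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: list the registries a CRI image pull can be served from.

# Constructed sample: the two mirrors configured in this article plus one
# hypothetical plain-HTTP mirror (registry.example.internal) to show a finding.
sample_config() {
  cat <<'EOF'
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "k8s.gcr.io/pause:3.6"
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://dockerhub.mirrors.nwafu.edu.cn"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
      endpoint = ["https://registry.aliyuncs.com/k8sxio"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.example.internal"]
      endpoint = ["http://registry.example.internal:5000"]
EOF
}

# list_cri_pull_sources FILE
# Prints "mirror <registry> <endpoint> <tls|NO-TLS>" for each endpoint and
# "sandbox_image <ref>". Handles single-line endpoint arrays only, which is
# the form "containerd config default" and this article use.
list_cri_pull_sources() {
  awk '
    /^[ \t]*\[/ {                       # a TOML table header starts a new scope
      mirror = ""
      if (match($0, /registry\.mirrors\."[^"]+"\]/)) {
        mirror = substr($0, RSTART, RLENGTH)
        sub(/^registry\.mirrors\."/, "", mirror)
        sub(/"\]$/, "", mirror)
      }
      next
    }
    mirror != "" && /^[ \t]*endpoint[ \t]*=/ {
      line = $0
      while (match(line, /"[^"]+"/)) {  # walk every quoted URL in the array
        url = substr(line, RSTART + 1, RLENGTH - 2)
        verdict = (url ~ /^https:\/\//) ? "tls" : "NO-TLS"
        print "mirror", mirror, url, verdict
        line = substr(line, RSTART + RLENGTH)
      }
    }
    /^[ \t]*sandbox_image[ \t]*=/ {
      if (match($0, /"[^"]+"/))
        print "sandbox_image", substr($0, RSTART + 1, RLENGTH - 2)
    }
  ' "$1"
}

# audit_cri_pull_sources FILE
# Prints the report and returns 1 if any mirror endpoint is not HTTPS.
audit_cri_pull_sources() {
  local report
  report="$(list_cri_pull_sources "$1")"
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -q ' NO-TLS$'
}
```

Run audit_cri_pull_sources /etc/containerd/config.toml on each node after editing the file. Pulling images by digest rather than by tag makes containerd verify what a mirror returns against that digest.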

Start Containerd

systemctl daemon-reload
systemctl enable containerd
systemctl restart containerd

If this completes without errors, skip the troubleshooting and reinstall sections and go straight to installing k8s and Docker

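Troubleshooting the error

At this point my Containerd hit an error: it could not restart normally, and checking the error showed

containerd Job for containerd.service failed because a timeout was exceeded.

The specific cause of the error that I found was: failed to load cni during init, please check CRI plugin status before settin...

I tried to find a solution but could not resolve it. Questions and discussion are welcome, as are proposed solutions!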


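Handling the error

Later, while writing the second half of this article, I found that leaving k8s.gcr.io unmodified in the configuration file causes an error.

Run the following command to change the address in the file to the Alibaba Cloud address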

sed -i "s#k8s.gcr.io#registry.cn-hangzhou.aliyuncs.com/google_containers#g"  /etc/containerd/config.toml

In the end I could only reinstall: uninstall the original Containerd version and delete the /etc/containerd folder

yum remove containerd
rm -rf /etc/containerd

Reinstall

This time I did not install with yum; I downloaded the package with wget and installed from it

wget https://download.fastgit.org/containerd/containerd/releases/download/v1.4.3/cri-containerd-cni-1.4.3-linux-amd64.tar.gz

Extract it. Version 1.4.3 is downloaded here; change the version number if you need another version

sudo tar -C / -xzf cri-containerd-cni-1.4.3-linux-amd64.tar.gz
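Before unpacking a downloaded archive over / as root, its digest and member paths can be checked; the following is an added example, not from the original article. The function name, the expected-digest argument (take the value published with the upstream containerd release, not from the download mirror) and the allowed top-level directories etc, opt and usr/local are assumptions about this archive's layout.

```shell
#!/bin/sh
# Added example: gate "tar -C / -xzf" on a digest check and a path check.
# verify_release_tarball TARBALL EXPECTED_SHA256
#   EXPECTED_SHA256 is a placeholder for the digest published upstream for
#   this exact file. Returns 0 only if the digest matches and every member
#   stays inside the directories this archive is assumed to install into.
verify_release_tarball() {
  local tarball="$1" expected="$2" actual names bad

  # 1. Integrity: compare the local file against the expected digest.
  actual="$(sha256sum "$tarball" 2>/dev/null | awk '{print $1}')"
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "FAIL sha256 mismatch: expected $expected, got ${actual:-<unreadable>}"
    return 1
  fi

  # 2. List members without extracting anything.
  names="$(tar -tzf "$tarball" 2>/dev/null)" || {
    echo "FAIL not a readable gzip-compressed tar archive"; return 1; }

  # 3. No absolute paths and no ".." components: extraction with -C / must
  #    not be able to write anywhere the member name does not show.
  bad="$(printf '%s\n' "$names" | grep -E '^/|(^|/)\.\.(/|$)' || true)"
  if [ -n "$bad" ]; then
    echo "FAIL member path escapes the extraction root:"
    printf '%s\n' "$bad"
    return 1
  fi

  # 4. Only the assumed install locations: etc/, opt/, usr/local/ (plus the
  #    bare "usr/" and "./" directory entries that lead to them).
  bad="$(printf '%s\n' "$names" |
         grep -Ev '^(\./)?((etc|opt|usr/local)(/|$)|usr/?$)|^\./?$' || true)"
  if [ -n "$bad" ]; then
    echo "FAIL member outside etc/, opt/ or usr/local/:"
    printf '%s\n' "$bad"
    return 1
  fi

  echo "OK $(printf '%s\n' "$names" | grep -c .) members, digest verified"
}

# Intended use on a node, with the digest placeholder filled in by the reader:
#   verify_release_tarball cri-containerd-cni-1.4.3-linux-amd64.tar.gz "<sha256 from upstream>" \
#     && sudo tar -C / -xzf cri-containerd-cni-1.4.3-linux-amd64.tar.gz
```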

Append it to the shell configuration file and make it take effect

echo 'export PATH=$PATH:/usr/local/bin:/usr/local/sbin' >> ~/.bashrc
source ~/.bashrc

Check the Containerd version

ctr version

The query returns an error

ctr: failed to dial "/run/containerd/containerd.sock": context deadline exceeded

Restarting Containerd fixes it

systemctl restart containerd

[root@master ~]# ctr version
Client:
  Version:  v1.4.3
  Revision: 269548fa27e0089a8b8278fc4fc781d7f65a939b
  Go version: go1.15.5

ctr: failed to dial "/run/containerd/containerd.sock": context deadline exceeded
[root@master ~]# systemctl restart containerd
[root@master ~]# ctr version
Client:
  Version:  v1.4.3
  Revision: 269548fa27e0089a8b8278fc4fc781d7f65a939b
  Go version: go1.15.5

Server:
  Version:  v1.4.3
  Revision: 269548fa27e0089a8b8278fc4fc781d7f65a939b
  UUID: e4c49cb6-919e-4093-b787-e6835710f1a0

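Continue with the Containerd configuration from the steps above

mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml

The image acceleration configuration is in the registry block under the cri plugin block

The configuration file is as follows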


[root@master ~]# cat /etc/containerd/config.toml
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
plugin_dir = ""
disabled_plugins = []
required_plugins = []
oom_score = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  tcp_address = ""
  tcp_tls_cert = ""
  tcp_tls_key = ""
  uid = 0
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216

[ttrpc]
  address = ""
  uid = 0
  gid = 0

[debug]
  address = ""
  uid = 0
  gid = 0
  level = ""

[metrics]
  address = ""
  grpc_histogram = false

[cgroup]
  path = ""

[timeouts]
  "io.containerd.timeout.shim.cleanup" = "5s"
  "io.containerd.timeout.shim.load" = "5s"
  "io.containerd.timeout.shim.shutdown" = "3s"
  "io.containerd.timeout.task.state" = "2s"

[plugins]
  [plugins."io.containerd.gc.v1.scheduler"]
    pause_threshold = 0.02
    deletion_threshold = 0
    mutation_threshold = 100
    schedule_delay = "0s"
    startup_delay = "100ms"
  [plugins."io.containerd.grpc.v1.cri"]
    disable_tcp_service = true
    stream_server_address = "127.0.0.1"
    stream_server_port = "0"
    stream_idle_timeout = "4h0m0s"
    enable_selinux = false
    selinux_category_range = 1024
    sandbox_image = "k8s.gcr.io/pause:3.2"
    stats_collect_period = 10
    systemd_cgroup = false
    enable_tls_streaming = false
    max_container_log_line_size = 16384
    disable_cgroup = false
    disable_apparmor = false
    restrict_oom_score_adj = false
    max_concurrent_downloads = 3
    disable_proc_mount = false
    unset_seccomp_profile = ""
    tolerate_missing_hugetlb_controller = true
    disable_hugetlb_controller = true
    ignore_image_defined_volumes = false
    [plugins."io.containerd.grpc.v1.cri".containerd]
      snapshotter = "overlayfs"
      default_runtime_name = "runc"
      no_pivot = false
      disable_snapshot_annotations = true
      discard_unpacked_layers = false
      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
        runtime_type = ""
        runtime_engine = ""
        runtime_root = ""
        privileged_without_host_devices = false
        base_runtime_spec = ""
      [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
        runtime_type = ""
        runtime_engine = ""
        runtime_root = ""
        privileged_without_host_devices = false
        base_runtime_spec = ""
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          runtime_type = "io.containerd.runc.v2"
          runtime_engine = ""
          runtime_root = ""
          privileged_without_host_devices = false
          base_runtime_spec = ""
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    [plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
    [plugins."io.containerd.grpc.v1.cri".image_decryption]
      key_model = ""
    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
      tls_cert_file = ""
      tls_key_file = ""
  [plugins."io.containerd.internal.v1.opt"]
    path = "/opt/containerd"
  [plugins."io.containerd.internal.v1.restart"]
    interval = "10s"
  [plugins."io.containerd.metadata.v1.bolt"]
    content_sharing_policy = "shared"
  [plugins."io.containerd.monitor.v1.cgroups"]
    no_prometheus = false
  [plugins."io.containerd.runtime.v1.linux"]
    shim = "containerd-shim"
    runtime = "runc"
    runtime_root = ""
    no_shim = false
    shim_debug = false
  [plugins."io.containerd.runtime.v2.task"]
    platforms = ["linux/amd64"]
  [plugins."io.containerd.service.v1.diff-service"]
    default = ["walking"]
  [plugins."io.containerd.snapshotter.v1.devmapper"]
    root_path = ""
    pool_name = ""
    base_image_size = ""
    async_remove = false

Modify the mirror

vim /etc/containerd/config.toml

Change it to the following configuration

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://dockerhub.mirrors.nwafu.edu.cn"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
    endpoint = ["https://registry.aliyuncs.com/k8sxio"]

Save and exit

Start Containerd and check its status

systemctl daemon-reload
systemctl enable containerd
systemctl restart containerd
systemctl status containerd

[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl enable containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /etc/systemd/system/containerd.service.
[root@node1 ~]# systemctl restart containerd
[root@node1 ~]# systemctl status containerd
● containerd.service - containerd container runtime
   Loaded: loaded (/etc/systemd/system/containerd.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2022-07-31 14:01:53 CST; 8s ago
     Docs: https://containerd.io
  Process: 61077 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
 Main PID: 61080 (containerd)
    Tasks: 8
   Memory: 56.3M
   CGroup: /system.slice/containerd.service
           └─61080 /usr/local/bin/containerd

7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.252033825+08:00" level=info msg="loading plugin \...rpc.v1
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.253187854+08:00" level=info msg=serving... addres....ttrpc
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.253258189+08:00" level=info msg=serving... addres...d.sock
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.260183023+08:00" level=info msg="containerd succe...2919s"
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.273749848+08:00" level=info msg="Start subscribin...event"
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.273888661+08:00" level=info msg="Start recovering state"
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.274076640+08:00" level=info msg="Start event monitor"
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.274097447+08:00" level=info msg="Start snapshots syncer"
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.274112469+08:00" level=info msg="Start cni networ...yncer"
7月 31 14:01:53 node1 containerd[61080]: time="2022-07-31T14:01:53.274123474+08:00" level=info msg="Start streaming server"
Hint: Some lines were ellipsized, use -l to show in full.

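Containerd installation is complete!

Because the article is already long at this point, and to avoid tiring readers, it is split into two parts. The second part covers installing Docker + K8s; see the article

"Deploying a specific version of K8s + containerd + docker with kubeadm: illustrated detailed edition (part 2)"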
