帮助菜单

COMMANDS:
   plugins, plugin            provides information about containerd plugins
   version                    print the client and server versions
   containers, c, container   manage containers
   content                    manage content
   events, event              display containerd events
   images, image, i           manage images
   leases                     manage leases
   namespaces, namespace, ns  manage namespaces
   pprof                      provide golang pprof outputs for containerd
   run                        run a container
   snapshots, snapshot        manage snapshots
   tasks, t, task             manage tasks
   install                    install a new package
   oci                        OCI tools
   shim                       interact with a shim directly
   help, h                    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug                      enable debug output in logs
   --address value, -a value    address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS]
   --timeout value              total timeout for ctr commands (default: 0s)
   --connect-timeout value      timeout for connecting to containerd (default: 0s)
   --namespace value, -n value  namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
   --help, -h                   show help
   --version, -v                print the version

将镜像挂载到主机目录
#ctr i mount docker.io/library/nginx:alpine /mnt
 sha256:5da2ba1075ada2783aada4fa30ec8cdd56a072759ea7c283de1c505b56ed0e70
 [root@containerd ~]#tree -L 1 /mnt/
/mnt/
├── bin
├── dev
├── docker-entrypoint.d
├── docker-entrypoint.sh
├── etc
├── home
├── lib
├── media
├── mnt
├── opt
├── proc
├── root
├── run
├── sbin
├── srv
├── sys
├── tmp
├── usr
└── var

18 directories, 1 file
 ctr i unmount /mnt  #将镜像从主机目录上卸载
 ctr i check #主要查看其中的 `STATUS`，`complete` 表示镜像是完整可用的状态。
ctr -n k8s.io images ls              #查看镜像
ctr -n k8s.io images pull -k         #拉取镜像，拉取的时候忽略校验
ctr -n k8s.io images pull --tlscacert /etc/....../tls.crt   #拉取镜像，拉镜像的时候使用tls证书进行验证

#将离线镜像tar包导入到本地镜像缓存中，打tag并push镜像到镜像仓库

ctr -n k8s.io i import containerd-build-aarch64-1.1.0.tar
ctr -n k8s.io i ls |grep build-aarch64
ctr -n k8s.io i tag docker.io/containerd/build-aarch64:1.1.0 harbor.xxx.com/
ctr -n k8s.io i push --tlscacert /etc/containerd/certs.dxxxx/tls.crt harbor.xxx.com/ -u admin:Harbor12345
 
ctr -n k8s.io i push --tlscacert /etc/....../tls.crt  #上传镜像,基于tls验证
ctr -n k8s.io i push -k  #上传镜像,忽略认证
 
ctr -n k8s.io c ls     #查看容器对象元数据，不包含状态
ctr -n k8s.io task ls  #查看容器，包含容器状态
ctr -n k8s.io task kill -a -s 9  {id}     #根据容器id停止容器，停止时会杀死容器中的所有服务
ctr -n k8s.io c rm  {id}    #删除容器对象元数据，注意：如果容器状态为Running，则无法进行删除

#例：创建一个容器对象

ctr -n k8s.io c create -t  --net-host --privileged --env GOPATH=/go \
    --mount type=bind,src=${PWD}/containerd,dst=/go/src/github.com/containerd/containerd,options=rbind:rw \
    docker.io/containerd/build-aarch64:1.1.0 containerd-build-aarch64
 
#这里 --mount 与docker -v 作用相同,
 –null-io: 将容器内标准输出重定向到/dev/null
–net-host: 主机网络
-d: 当task执行后就进行下一步shell命令,如没有选项,则会等待用户输入,并定向到容器内


#启动一个容器进程，名称是上一步创建的容器对象的名称
ctr -n k8s.io task start -d containerd-build-aarch64
 
#连接到一个处于RUNNING状态容器的标准流，注意：如果在这里exit，会退出容器，并删除当前的容器进程，仅容器对象还在
ctr -n k8s.io task attach containerd-build-aarch64
 
#与docker run 的效果一样，在这里exit，会退出容器，但不会对容器状态产生影响，其还存在且是RUNNING
ctr -n k8s.io task exec -t --exec-id bash_1 containerd-build-aarch64 sh
 
#杀死一个容器进程中的所有子进程，执行之后容器状态为STOPPED,此时可以使用 task rm 进行删除
ctr -n k8s.io task kill -a -s 9 containerd-build-aarch64
 
#删除非运行状态的容器，但是不删除容器元数据，使用ctr -n k8s.io -c ls 还可以查看到
ctr -n k8s.io task rm containerd-build-aarch64
 
#如果要删除容器元数据，下面的命令不光删除容器对象数据，同时还会级联删除对应的容器的task
ctr -n k8s.io c rm containerd-build-aarch64
 
# ctr c create hub.renwoxing.com/library/nginx:latest nginx
# ctr c ls

CONTAINER    IMAGE                                     RUNTIME                  
nginx        hub.renwoxing.com/library/nginx:latest    io.containerd.runc.v2    
# ctr c ls -q
nginx
[root@master01 ~]# ctr c info nginx
{
    "ID": "nginx",
    "Labels": {
        "io.containerd.image.config.stop-signal": "SIGQUIT"
    },
    "Image": "hub.renwoxing.com/library/nginx:latest",
    "Runtime": {
        "Name": "io.containerd.runc.v2",
        "Options": {
            "type_url": "containerd.runc.v1.Options"
        }
    },

# ctr task  start  -d nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
You have new mail in /var/spool/mail/root
[root@master01 ~]# ctr task  ls
TASK     PID      STATUS    
nginx    58028    RUNNING
[root@master01 ~]# ctr task  ls -q
nginx
[root@master01 ~]# ctr task  exec  --exec-id 0 -t nginx sh   # 注意必须要指定 --exec-id 参数，这个 id 可以随便写，只要唯一就行
# ls
bin   docker-entrypoint.d   home   media  proc	sbin  tmp
boot  docker-entrypoint.sh  lib    mnt	  root	srv   usr
dev   etc		    lib64  opt	  run	sys   var
[root@master01 ~]# ctr task pause  nginx
[root@master01 ~]# ctr task  ls 
TASK     PID      STATUS    
nginx    58028    PAUSED
[root@master01 ~]# ctr task resume  nginx
[root@master01 ~]# ctr task  ls 
TASK     PID      STATUS    
nginx    58028    RUNNING
[root@master01 ~]# ctr task kill  nginx
[root@master01 ~]# ctr task  ls 
TASK     PID      STATUS    
nginx    58028    STOPPED
[root@master01 ~]# ctr task rm  nginx
[root@master01 ~]# ctr task  ls 
TASK    PID    STATUS  
[root@master01 ~]# 
[root@master01 ~]# ctr task metrics nginx
ID       TIMESTAMP                                 
nginx    2022-01-09 09:13:15.82922356 +0000 UTC    

METRIC                   VALUE                  
memory.usage_in_bytes    2093056                
memory.limit_in_bytes    9223372036854771712    
memory.stat.cache        16384                  
cpuacct.usage            38240875               
cpuacct.usage_percpu     [21321842 16919033]    
pids.current             3                      
pids.limit               0                      
[root@master01 ~]# ctr task  ps nginx
PID      INFO
68922    -
68951    -
68952    -
[root@master01 ~]# ps -ef| grep nginx
root      68901      1  0 17:12 ?        00:00:00 /usr/local/bin/containerd-shim-runc-v2 -namespace default -id nginx -address /run/containerd/containerd.sock
root      68922  68901  0 17:12 ?        00:00:00 nginx: master process nginx -g daemon off;
101       68951  68922  0 17:12 ?        00:00:00 nginx: worker process
101       68952  68922  0 17:12 ?        00:00:00 nginx: worker process
root      70706 113990  0 17:14 pts/0    00:00:00 grep --color=auto nginx

*************************************************************************************************************
 
ctr --help
ctr i --help
ctr i pull --help

#example: 基于tls证书，使用ctr命令 ctr i pull --help

ctr -n k8s.io i pull -k harbor.xxx.com/
ctr -n k8s.io i pull --tlscacert /etc/containerd/certs.d/harbor.xxx.com/tls.crt harbor.xxx.com/
ctr -n k8s.io i push --tlscacert /etc/containerd/certs.d/harbor.xxx.com/tls.crt   harbor.xxx.com/
ctr -n k8s.io i push -k harbor.xxx.com/k8s-infra/us.gcr.io/k8s-artifacts-prod/build-image/kube-cross:v1.13.15-1

特别的:基于私有镜像仓库，如果上面的pull 或 push 报401错误, username与pwd使用对应镜像仓库的用户名和密码替换

ctr -n k8s.io i push -u username:pwd --tlscacert /etc/containerd/certs.d/xxx/tls.crt harbor.xxx.com/

注意：
ctr 不支持 build,commit 镜像