containerd相关
一、修改containerd配置文件,添加私有仓库配置
查看containerd的默认配置
containerd config default
k3s集群配置文件位置:
/etc/rancher/k3s/registries.yaml
/var/lib/rancher/k3s/agent/etc/containerd/config.toml
(1)修改配置文件,内容如下:
cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
"harbor.test.in":
endpoint:
- "https://harbor.test.in"
"docker.io":
endpoint:
- "https://registry-1.docker.io"
configs:
"harbor.test.in":
auth:
username: admin # this is the registry username
password: 123456 # this is the registry password
tls:
ca_file: /etc/ssl/harbor.test.in.crt
EOF
(2)配置信任私有证书(k8s同样操作):
cp /etc/ssl/harbor.test.in.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
(3)重启k3s:
(经确认:不重启k3s,/var/lib/rancher/k3s/agent/etc/containerd/config.toml文件内容不会更新)
systemctl restart k3s #master
systemctl restart k3s-agent #work
注意:work节点需要先创建目录/etc/rancher/k3s/
(4)查看containerd的配置:
cat /var/lib/rancher/k3s/agent/etc/containerd/config.toml
参考:https://www.infoq.cn/article/jizyup2sl30kkfqjfbl
https://rancher.com/docs/k3s/latest/en/installation/private-registry/
二、containerd常用命令行工具
安装k3s集群时默认安装以下两个工具:
ctr:是containerd本身的CLI (对镜像相关操作,推荐ctr)
crictl :是Kubernetes社区定义的专门CLI工具(推荐使用)
| containerd命令 | docker命令 | 注解 | 其他 |
|---|---|---|---|
| crictl pull | docker pull | 拉取镜像 | |
| crictl images | docker images | 查看镜像 | crictl images -q 只打印镜像id |
| crictl inspecti | docker inspect | 查看镜像详情 | |
| crictl rmi | docker rmi | 删除镜像 | |
| 无 | docker push | 推送镜像 | 可使用ctr image push |
| 无 | docker load/save -i | 导入/导出镜像 | 可使用ctr images import/export |
| crictl ps | docker ps | 查看容器 | |
| crictl inspect | docker inspect | 查看容器详情 | |
| crictl logs | docker logs | 查看容器日志 | |
| crictl exec | docker exec | 容器内执行命令 | |
| crictl stats | docker stats | 查看容器资源使用情况 | |
| crictl create | docker create | 创建容器 | |
| crictl start/stop | docker start/stop | 启动/停止容器 | |
| crictl rm | docker rm | 删除容器 | |
| crictl pods | 无 | 查看Pod列表 | |
| crictl inspectp | 无 | 查看Pod详情 | |
| crictl runp | 无 | 启动Pod | |
| crictl stopp | 无 | 停止Pod |
crictl工具缺点:
(1)无法给镜像打tag,需要使用docker或ctr打好镜像标签
(2)无法导入/导出镜像
三、使用ctr导入/导出镜像
docker save -o stmp.tar 1a93cf297986 //1a93cf297986为镜像id
ctr image import stmp.tar //导入镜像。docker save -o 时,不能使用镜像id,要使用镜像名:tag,避免导入报错
ctr image ls //查看镜像列表
ctr images export stmp.tar <image-name> //ctr工具导出镜像命令
导出镜像遇到报错:
ctr: failed to dial “/run/containerd/containerd.sock”: context deadline exceeded
参考解决:https://github.com/containerd/containerd/issues/2758
常用命令:
| ctr命令 | 示例 | 说明 |
|---|---|---|
| ctr image ls | ctr -n k8s.io i ls | 查看本地镜像 |
| ctr image pull | ctr image pull docker.io/library/nginx:alpine | 拉取镜像 |
| ctr image push | ctr image push --plain-http --user admin:123456 192.168.20.11/test/coredns:1.2.0 或者 ctr -n=k8s.io image push --user admin:Harbor12345 harbor.test.in/security/sonarqube:8.9.2-community | 推送镜像 |
| ctr image import | ctr image import coredns.tar 或者 ctr --namespace default image import pg_dump.tar - docker.v1.1 | 导入镜像 |
| ctr image export | ctr image export coredns.tar 192.168.20.11/source/coredns:1.2.0 | 导出镜像 |
| ctr image tag | ctr -n=k8s.io image tag docker.io/library/sonarqube:8.9.2-community harbor.test.in/security/sonarqube:8.9.2-community | 打镜像标签 |
| ctr image rm | ctr image rm docker.io/rancher/pause:3.1 或 ctr i rm docker.io/rancher/pause:3.1 | 删除镜像 |
| ctr namespaces ls | ctr namespaces ls | 查看命名空间 |
| ctr task ls | 查看运行的容器 |
注意:
有的环境使用ctr导入镜像后,启动容器无法识别导入的镜像!
此时:ctr image ls 可以查看到镜像列表,但使用crictl images ls 无法查看到导入的镜像。
原因:镜像导入需在特定目录(/var/lib/rancher/k3s/agent/images/)执行导入命令,必要时导入镜像后,需要重启k3s
相关命令:
ctr -n=k8s.io image import xxx.tar (-n=k8s.io必不可少,否则导入的镜像无法用于集群)
crictl image list <==> ctr -n=k8s.io image list
四、ctr私有仓库配置以及使用
1、运行私有仓库
1.1 下载docker私有仓库镜像
镜像:docker.io/library/registry:latest
ctr images import registry.tar
mkdir /home/registry
1.2 生成证书
生成证书(需使用最新版的openssl:https://blog.csdn.net/jugtba/article/details/115484589):
mkdir /home/registry/certs
cd /home/registry/
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-addext "subjectAltName = DNS:registry-1.docker.io" \
-x509 -days 365 -out certs/domain.crt
查看证书有效期
openssl x509 -in domain.crt -noout -dates
1.3 创建registry配置文件
配置私有仓库config.yml,内容如下:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000 #运行到虚拟机上面不能使用443端口,运行到k8s环境中可以使用443端口
tls:
certificate: /home/registry/certs/domain.crt
key: /home/registry/certs/domain.key
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
1.4 运行私有仓库
方法一:运行容器(ctr命令)
ctr run --null-io --net-host -d --mount type=bind,src=/home/registry,dst=/var/lib/registry,options=rbind:rw --mount type=bind,src=/home/registry/certs,dst=/certs,options=rbind:rw --mount type=bind,src=/home/registry/config.yml,dst=/etc/docker/registry/config.yml,options=rbind:rw docker.io/library/registry:latest v2
##src=/home/registry 表示设置改目录为存放镜像路径
查看容器创建是否成功
ctr c list
netstat -tulnp|grep 5000
方法二:deployment运行私有仓库
镜像名: harbor.test.in/image/registry-server:v1.0 创建deployment:
kubectl create deployment registry -n registry --image=harbor.test.in/iamge/registry-server:v1.0
创建service
kubectl expose deployment registry -n registry --type=NodePort --port=443 --target-port=443
2、配置使用私有仓库(所有节点)
mkdir /etc/rancher/k3s/
touch /etc/rancher/k3s/registries.yaml
cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
"harbor.test.in":
endpoint:
- "https://harbor.test.in:5000"
configs:
"harbor.test.in:5000":
tls:
ca_file: /home/registry/certs/domain.crt
EOF
重启k3s服务
systemctl restart k3s 或 systemctl restart k3s-agent
查看配置 cat /var/lib/rancher/k3s/agent/etc/containerd/config.toml
配置主机信任自签名证书
cp /home/registry/certs/* /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
- 1
- 2
3、添加harbor域名映射:
vi /etc/hosts
192.168.1.10 harbor.test.in
10.67.240.91 registry-1.docker.io
访问:https://192.168.1.10:5000/v2/_catalog
或https://harbor.test.in:5000/v2/_catalog
4、测试(默认push到443端口,以ctr部署为例):
修改镜像tag
ctr i tag docker.io/rancher/pause:3.1 harbor.test.in:5000/library/pause:3.1
push到本地私有仓库
ctr i push harbor.test.in:5000/library/pause:3.1
五、查看containerd运行时某个pod对应的主机虚拟网卡信息
brctl show //查看虚拟化网络设备列表
crictl ps //找到运行的pod对应的containerd id,如:f3a1d5beb595c
crictl inspect f3a1d5beb595c | grep -i pid //查看该containerd对应的进程id
"pid": 24739,
"pid": 1
"type": "pid"
crictl inspect f3a1d5beb595c | grep proc //获取容器在主机上的工作目录
nsenter -n -t 24739 //进入容器netns,24739为进程id
ethtool -S eth0 //查看容器对应的主机网卡id
NIC statistics:
peer_ifindex: 52
主机上输入:ip a
找到52对应的网卡名:vetha0e21ec6
手动设置网络该网卡延迟时间:tc qdisc add dev vetha0e21ec6 root netem delay 100ms
此时ping该pod ip:
[root@node1 ~]# ping 10.50.13.36
PING 10.50.13.36 (10.50.13.36) 56(84) bytes of data.
64 bytes from 10.50.13.36: icmp_seq=1 ttl=63 time=100 ms
64 bytes from 10.50.13.36: icmp_seq=2 ttl=63 time=100 ms
64 bytes from 10.50.13.36: icmp_seq=3 ttl=63 time=100 ms
64 bytes from 10.50.13.36: icmp_seq=4 ttl=63 time=100 ms