
OpenEuler/CentOS: installing the containerd container runtime, CNI, nerdctl, BuildKit and runc

23 May
Author: admin | Category: Container virtualization | Tags: containers, openeuler


I. Containerd's technical direction and goals

  • A simple gRPC-based API and client library

  • Full OCI support (runtime and image spec)

  • Well-defined core container functionality that is both stable and high-performance

  • A decoupled system (image, filesystem and runtime decoupled from each other), enabling plugin-style extension and reuse


Why a standalone containerd is needed:

  • It used to be part of the Docker project; it is now a separate project split out of the overall Docker engine (the open-source project approach)

  • It can be used by Kubernetes CRI and other projects (generalization)

  • It lays the foundation for broad industry collaboration (as runC did)

II. Installation steps

1. CentOS 7 needs a kernel upgrade; OpenEuler 22.03 does not.

[root@os-240 ~]# rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
[root@os-240 ~]# yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
# Migrating to the lt (long-term support) kernel is recommended
[root@os-240 ~]# yum --enablerepo='elrepo-kernel' install kernel-lt kernel-lt-devel
[root@os-240 ~]# grub2-set-default 0
[root@os-240 ~]# reboot


Without the kernel upgrade, starting the containerd service or pulling an image fails with errors like the following:

Mar 24 11:05:03 os-240 containerd: time="2023-03-24T11:05:03.870447561+08:00" level=error msg="(*service).Write failed" error="rpc error: code = Canceled desc = context canceled" expected="sha256:d4ceccbfc2696101c94fbf2149036e4ff815e4723e518721ff85105ce5aa8afc" ref="layer-sha256:d4ceccbfc2696101c94fbf2149036e4ff815e4723e518721ff85105ce5aa8afc" total=1405

FATA[0005] failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://registry-1.docker.io/v2/library/nginx/blobs/sha256:e9427fcfa8642f8ddf5106f742a75eca0dbac676cf8145598623d04fa45dd74e": dial tcp: lookup registry-1.docker.io on 114.114.114.114:53: no such host 

If images cannot be pulled, change the resolver to dns1=8.8.8.8.


2. Download the required packages; the versions to install are as follows:

[root@os-240 ~]#  wget https://github.com/opencontainers/runc/releases/download/v1.1.12/libseccomp-2.5.4.tar.gz

[root@os-240 ~]#  wget https://github.com/opencontainers/runc/releases/download/v1.1.12/runc.amd64

[root@os-240 ~]#   wget https://github.com/containernetworking/plugins/releases/download/v1.5.0/cni-plugins-linux-amd64-v1.5.0.tgz

[root@os-240 ~]#   wget https://github.com/containerd/nerdctl/releases/download/v1.7.6/nerdctl-1.7.6-linux-amd64.tar.gz

[root@os-240 ~]#   wget https://github.com/moby/buildkit/releases/download/v0.11.5/buildkit-v0.11.5.linux-amd64.tar.gz
[root@os-240 ~]#  wget https://github.com/containerd/containerd/releases/download/v1.6.32/containerd-1.6.32-linux-amd64.tar.gz



# Install the newer libseccomp package, which runc requires


[root@os-240 ~]# dnf groupinstall '开发工具'    # or: dnf groupinstall 'Development Tools'

[root@os-240 ~]# tar zxvf libseccomp-2.5.4.tar.gz

[root@os-240 ~]# yum -y install gperf           # install build dependencies as needed

[root@os-240 ~]# cd libseccomp-2.5.4            # configure and build inside the extracted source tree

[root@os-240 libseccomp-2.5.4]# ./configure

[root@os-240 libseccomp-2.5.4]# make && make install


3. Install and configure containerd

# Set the time zone

timedatectl set-timezone Asia/Shanghai

[root@os-240 ~]# tar xvf containerd-1.6.32-linux-amd64.tar.gz


# All binaries are installed under /usr/local/bin/

[root@os-240 ~]# mv /root/bin/* /usr/local/bin/ && rm -rf /root/bin


# Create the containerd systemd service unit file

[root@os-240 ~]# cat << EOF > /usr/lib/systemd/system/containerd.service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target
EOF


[root@os-240 ~]#   mkdir /etc/containerd

[root@os-240 ~]#   containerd config default > /etc/containerd/config.toml

[root@os-240 ~]#   systemctl daemon-reload


Edit the configuration file

In vim, search for /mirrors and add a registry mirror; a Docker mirror source is enough. Mind the nesting of the sections: each level is indented by two spaces.

   [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://dxc7f1d6.mirror.aliyuncs.com"]


Or use:

endpoint = ["https://registry-1.docker.io"]


[root@os-240 ~]# mkdir -p /opt/cni/bin

[root@os-240 ~]# mkdir -p /etc/containerd 

[root@os-240 ~]# systemctl enable --now containerd


4. Install runc

[root@os-240 ~]# install -m 755 runc.amd64 /usr/local/sbin/runc

[root@k8sm1 ~]# runc -version
runc version 1.1.12
commit: v1.1.12-0-g51d5e946
spec: 1.0.2-dev
go: go1.20.13
libseccomp: 2.5.4



5. Install BuildKit to build images from a Dockerfile

[root@os-240 ~]# mkdir buildkit

[root@os-240 ~]# tar zxvf buildkit-v0.11.5.linux-amd64.tar.gz -C buildkit

[root@os-240 ~]# cp -a buildkit/bin/build* /usr/local/sbin/

Add the service unit

[root@os-240 ~]# cat << EOF > /etc/systemd/system/buildkit.service
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/sbin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target
EOF


[root@os-240 ~]#    systemctl daemon-reload 
[root@os-240 ~]#    systemctl enable buildkit --now
[root@os-240 ~]#    systemctl status buildkit.service 


6. Install the CNI network plugins

CNI (Container Network Interface) allocates IP addresses, network interfaces and so on to containers.

[root@os-240 ~]#   mkdir  -p /opt/cni/bin

[root@os-240 ~]#   tar zxvf cni-plugins-linux-amd64-v1.5.0.tgz  -C /opt/cni/bin/


[root@os-240 ~]# cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF



# Create a network for containerd
root@containerd:/tools# nerdctl network create docker0


# Without a network configured, the following error appears:
# Mar 24 10:14:51 os-240 containerd: time="2023-03-24T10:14:51.282280892+08:00" level=error msg="failed to load cni during init, please check CRI plugin status before setting up network for pods" error="cni config load failed: no network config found in /etc/cni/net.d: cni plugin not initialized: failed to load cni config"



[root@os-240 ~]# nerdctl network ls
NETWORK ID      NAME       FILE
17f29b073143    bridge     /etc/cni/net.d/nerdctl-bridge.conflist
297a8b73df18    docker0    /etc/cni/net.d/nerdctl-docker0.conflist
                host       
                none       

[root@os-240 ~]# nerdctl network create bridge


# Finally, restart containerd
root@containerd:/tools#   systemctl restart containerd.service 


# When a container is created without the --network parameter, the default bridge network is used.


[root@os-240 ~]# nerdctl run -dt --name=nginx --network docker0 -p 8082:80 docker.io/library/nginx:latest
# The command above selects the docker0 network with --network; the network's configuration can be edited in /etc/cni/net.d/nerdctl-docker0.conflist.


7. Install the command-line tool; nerdctl is used here, and its commands are basically the same as Docker's.

[root@os-240 ~]# tar zxvf nerdctl-1.7.6-linux-amd64.tar.gz -C /usr/local/sbin/




[root@os-240 ~]#  sudo modprobe overlay
[root@os-240 ~]#  sudo modprobe br_netfilter


[root@os-240 ~]#  systemctl restart containerd.service 


8. Command completion

[root@os-240 ~]#   source /usr/share/bash-completion/bash_completion
[root@os-240 ~]#   source <(nerdctl completion bash)
[root@os-240 ~]#   echo "source <(nerdctl completion bash)" >> ~/.bashrc
[root@os-240 ~]#   source ~/.bashrc


[root@os-240 ~]#   ln -s /usr/local/sbin/nerdctl /usr/local/sbin/docker


# Gives the same command-line experience as docker


9. Test the commands

[root@os-240 ~]# nerdctl run -dt --name=nginxweb --network docker0 -p 8083:80 docker.io/library/nginx:latest
7181edec2d8a556ac8d2fbbff36123797963ac7091ec2d44a66efacb2732237d
 
[root@os-240 ~]# docker  ps 
CONTAINER ID    IMAGE                             COMMAND                   CREATED              STATUS    PORTS                   NAMES
7181edec2d8a    docker.io/library/nginx:latest    "/docker-entrypoint.…"    5 seconds ago        Up        0.0.0.0:8083->80/tcp    nginxweb
 
[root@os-240 ~]# 
[root@os-240 ~]# curl -i 127.0.0.1:8083
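As an added post-install check (not part of the original post), the following POSIX shell functions verify three things the steps above depend on: the docker.io mirror configured in /etc/containerd/config.toml in step 3 (and that every endpoint is https, since a plain-http mirror lets anyone on the network path serve tampered image layers), the presence of a CNI config in /etc/cni/net.d (the cause of the "no network config found" error quoted in step 6), and that the installed binaries are on PATH. The function names are this example's own.

```shell
#!/bin/sh
# Added post-install checks for the setup described above (not from the original post).
# Function names are this example's own; paths default to those used in the post.

# Print the docker.io mirror endpoints from a containerd config.toml, one per line.
# Prints nothing if the [...registry.mirrors."docker.io"] section is absent.
mirror_endpoints() {
  awk '
    /registry\.mirrors\."docker\.io"\]/ { inblk = 1; next }
    inblk && /^[ \t]*\[/               { inblk = 0 }
    inblk && /endpoint[ \t]*=/ {
      sub(/.*=[ \t]*\[/, ""); sub(/\][ \t]*$/, "")
      n = split($0, ep, ",")
      for (i = 1; i <= n; i++) { gsub(/[ \t"]/, "", ep[i]); print ep[i] }
    }' "$1"
}

# 0 if at least one mirror is configured and every endpoint uses https;
# 1 otherwise (a plain-http mirror lets an on-path attacker serve tampered layers).
mirrors_are_https() {
  mirror_endpoints "$1" | grep -q . || return 1
  ! mirror_endpoints "$1" | grep -qv '^https://'
}

# 0 if the CNI config directory (default /etc/cni/net.d) holds a *.conflist,
# which is exactly what the "no network config found" error in step 6 is about.
cni_config_present() {
  ls "${1:-/etc/cni/net.d}"/*.conflist >/dev/null 2>&1
}

# 0 if every binary the post installs is on PATH; names the first missing one on stderr.
required_binaries_present() {
  for b in containerd runc nerdctl buildkitd; do
    command -v "$b" >/dev/null 2>&1 || { echo "missing: $b" >&2; return 1; }
  done
}

# Run all checks against the live host; enable with RUN_CHECKS=1 ./check.sh
main() {
  rc=0
  required_binaries_present || rc=1
  mirrors_are_https /etc/containerd/config.toml || { echo "mirror check failed" >&2; rc=1; }
  cni_config_present || { echo "no CNI conflist in /etc/cni/net.d" >&2; rc=1; }
  return $rc
}
if [ "${RUN_CHECKS:-}" = 1 ]; then main; fi
```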

