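Choosing a Container Runtime

K8s removed dockershim in version 1.24. Three container runtimes are recommended:

| Runtime | Interface | Notes |
|---|---|---|
| containerd | CRI | Officially recommended; lightweight and high-performance |
| CRI-O | CRI | Designed specifically for K8s |
| Docker + cri-dockerd | CRI | Requires an additional adapter layer |

Recommendations:
- containerd: suited to production environments, where it efficiently manages large numbers of containers in a K8s cluster
- Docker: suited to development and test environments, and to scenarios that need Docker Compose or Docker Swarm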
Online Installation
Installing containerd on Ubuntu

```bash
# Remove old versions
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
# Install dependencies
sudo apt-get update
sudo apt-get install ca-certificates curl
# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the apt repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Install containerd
sudo apt-get install -y containerd.io
```
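Configuring containerd

```bash
# Generate the default config (run these commands as root)
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
# Edit the config
vi /etc/containerd/config.toml
# 1. Change sandbox_image to: registry.k8s.io/pause:3.9
# 2. Change SystemdCgroup to: true (around line 137)
# Start the service
systemctl daemon-reload
systemctl enable --now containerd
# Restart so that a daemon already running picks up the edited config
systemctl restart containerd
```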
Installing the CNI Plugins

```bash
wget https://github.com/containernetworking/plugins/releases/download/v1.5.1/cni-plugins-linux-amd64-v1.5.1.tgz
mkdir -p /opt/cni/bin
tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.5.1.tgz
```
Offline Installation
A single script installs containerd and its related tools offline:

```bash
#!/bin/bash
set -e
ContainerdVersion=${1:-1.7.19}
# runc is versioned independently of containerd: pass the runc release to install
# as the second argument rather than relying on this default.
RuncVersion=${2:-1.7.19}
CniVersion=${3:-1.5.1}
NerdctlVersion=${4:-1.7.6}
CrictlVersion=${5:-1.30.1}
# Install containerd
wget https://github.com/containerd/containerd/releases/download/v${ContainerdVersion}/containerd-${ContainerdVersion}-linux-amd64.tar.gz
tar Cxzvf /usr/local containerd-${ContainerdVersion}-linux-amd64.tar.gz
# Install the containerd service unit
wget https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
mv containerd.service /lib/systemd/system/
# Generate the config
mkdir -p /etc/containerd/
containerd config default > /etc/containerd/config.toml
sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
# Install runc
wget https://github.com/opencontainers/runc/releases/download/v${RuncVersion}/runc.amd64
chmod +x runc.amd64
mv runc.amd64 /usr/local/bin/runc
# Install the CNI plugins
wget https://github.com/containernetworking/plugins/releases/download/v${CniVersion}/cni-plugins-linux-amd64-v${CniVersion}.tgz
rm -fr /opt/cni/bin
mkdir -p /opt/cni/bin
tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v${CniVersion}.tgz
# Install nerdctl (Docker-like CLI)
wget https://github.com/containerd/nerdctl/releases/download/v${NerdctlVersion}/nerdctl-${NerdctlVersion}-linux-amd64.tar.gz
tar Cxzvf /usr/local/bin nerdctl-${NerdctlVersion}-linux-amd64.tar.gz
# Install crictl (K8s CRI CLI)
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v${CrictlVersion}/crictl-v${CrictlVersion}-linux-amd64.tar.gz
tar Cxzvf /usr/local/bin crictl-v${CrictlVersion}-linux-amd64.tar.gz
cat > /etc/crictl.yaml << \EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: false
pull-image-on-create: false
EOF
# Start the containerd service
systemctl daemon-reload
systemctl enable --now containerd
```
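
The script above unpacks each archive straight after downloading it. The following added example (not part of the original page or of any project's tooling) checks an archive against a SHA-256 checksum file before extraction. It assumes the checksum file published alongside the release has already been downloaded; the function names `verify_sha256` and `install_verified` are made up for this example.

```shell
# Added example: check a downloaded release archive against its published
# SHA-256 file before unpacking it.

# verify_sha256 FILE SUMS
# SUMS may hold "HASH  NAME" lines (sha256sum format) or one bare HASH.
# Returns 0 on match, 1 on mismatch, 2 when no usable hash is found.
verify_sha256() {
    local file="$1" sums="$2" name expected actual
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing $file or $sums" >&2; return 2; }
    name=$(basename "$file")
    # Look for the line naming this file ("*" marks binary mode; paths are stripped).
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^.*\//, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    # Otherwise accept a file whose first line is a single bare hash.
    [ -n "$expected" ] || expected=$(awk 'NR == 1 && NF == 1 { print tolower($1) }' "$sums")
    case "$expected" in
        ""|*[!0-9a-f]*) echo "no usable SHA-256 for $name in $sums" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed SHA-256 for $name" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name expected=$expected actual=$actual" >&2
        return 1
    fi
}

# install_verified FILE SUMS DEST: unpack FILE into DEST only if the hash matches.
install_verified() {
    verify_sha256 "$1" "$2" || return 1
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}
```

In the install script, each `tar Cxzvf DEST FILE` line would become `install_verified FILE CHECKSUM_FILE DEST`, so that `set -e` aborts the run on a mismatch.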
Manual Offline Installation Steps

```bash
# Install containerd
wget https://github.com/containerd/containerd/releases/download/v1.7.14/containerd-1.7.14-linux-amd64.tar.gz
tar Cxzvf /usr/local containerd-1.7.14-linux-amd64.tar.gz
# Create the systemd service file (the target directory may not exist yet)
mkdir -p /usr/local/lib/systemd/system
cat > /usr/local/lib/systemd/system/containerd.service << 'EOF'
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
EOF
# Install runc (runc.amd64 must already be in the current directory)
install -m 755 runc.amd64 /usr/local/sbin/runc
# Install the CNI plugins (the .tgz must already be in the current directory)
mkdir -p /opt/cni/bin
tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
# Start
systemctl daemon-reload
systemctl enable --now containerd
```
containerd Registry Mirrors
Configure mirror sources for commonly used image registries:

```bash
# containerd reads these files only when config_path = "/etc/containerd/certs.d"
# is set in the registry section of /etc/containerd/config.toml.
# Docker Hub mirrors
mkdir -p /etc/containerd/certs.d/docker.io
cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF
server = "https://docker.io"
[host."https://docker-proxy.toimc.cn"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
EOF
# registry.k8s.io mirror
mkdir -p /etc/containerd/certs.d/registry.k8s.io
cat > /etc/containerd/certs.d/registry.k8s.io/hosts.toml << EOF
server = "https://registry.k8s.io"
[host."https://k8s.m.daocloud.io"]
capabilities = ["pull", "resolve", "push"]
EOF
# gcr.io mirror
mkdir -p /etc/containerd/certs.d/gcr.io
cat > /etc/containerd/certs.d/gcr.io/hosts.toml << EOF
server = "https://gcr.io"
[host."https://gcr.m.daocloud.io"]
capabilities = ["pull", "resolve", "push"]
EOF
# quay.io mirror
mkdir -p /etc/containerd/certs.d/quay.io
cat > /etc/containerd/certs.d/quay.io/hosts.toml << EOF
server = "https://quay.io"
[host."https://quay.m.daocloud.io"]
capabilities = ["pull", "resolve", "push"]
EOF
```
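
Every mirror listed in `hosts.toml` serves image content in place of the upstream registry, so it is worth reviewing what each entry is allowed to do. The following added example (not part of the original page) walks a `certs.d` directory and reports mirror entries that grant `push`, use plain `http://`, or set `skip_verify = true`. The function name `audit_mirrors` and the finding labels are made up for this example.

```shell
# Added example: list mirror entries in containerd hosts.toml files that
# grant more than read access or weaken transport security.

# audit_mirrors CERTS_DIR
# Prints one finding per line as "REGISTRY MIRROR ISSUE"; prints nothing when clean.
audit_mirrors() {
    local dir="$1" f
    for f in "$dir"/*/hosts.toml; do
        [ -f "$f" ] || continue
        # The directory name is the registry the mirrors stand in for.
        awk -v reg="$(basename "$(dirname "$f")")" '
            function report(issue) { print reg, host, issue }
            # Section header, e.g. [host."https://mirror.example"]
            /^[ \t]*\[host\."/ {
                host = $0
                sub(/^[^"]*"/, "", host); sub(/".*$/, "", host)
                if (host ~ /^http:\/\//) report("plaintext-http")
                next
            }
            # Keys below only count once a [host] section has started.
            host == "" { next }
            /^[ \t]*capabilities[ \t]*=/ && /"push"/ { report("push-capability") }
            /^[ \t]*skip_verify[ \t]*=[ \t]*true/   { report("tls-verify-disabled") }
        ' "$f"
    done
}
```

Run it as `audit_mirrors /etc/containerd/certs.d` after writing the files above; a mirror used only to speed up pulls needs no more than `pull` and `resolve`.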
Common ctr Commands
ctr is containerd's CLI tool for interacting with the containerd daemon:

Image management

```bash
# Pull an image
ctr images pull docker.io/library/nginx:latest
# List all images
ctr images ls
# Remove an image
ctr images rm docker.io/library/nginx:latest
# Inspect image information
ctr images inspect docker.io/library/nginx:latest
```
Container management

```bash
# Create and run a container
ctr run --rm -t docker.io/library/nginx:latest mynginx
# List all containers
ctr containers ls
# Delete a container
ctr containers delete <container-id>
```
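Task management

```bash
# Start a task
ctr tasks start <task-id>
# List tasks
ctr tasks ls
# View task output (ctr has no `logs` subcommand; attach to the task's stdio instead)
ctr tasks attach <task-id>
# Stop a task
ctr tasks kill <task-id>
# Delete a task
ctr tasks delete <task-id>
```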
Snapshot management

```bash
# List snapshots
ctr snapshots ls
# Remove a snapshot
ctr snapshots rm <snapshot-id>
```