ctr & crictl & nerdctl & containerd install【ctr & crictl & nerdctl & containerd 安装】

1. 系统兼容

Operating System Containerd 1.4 - 1.7
Ubuntu 20.04 LTS Yes
Ubuntu 22.04 LTS Yes
CentOS 7.9 Yes
Red Hat Core OS (RHCOS) No
Red Hat Enterprise Linux 8.6, 8.7, 8.8 Yes

2. 下载安装

软件版本

软件 版本
runc 1.1.9
containerd 1.7.5
nerdctl 1.5.0
crictl 1.28.0
cni-plugin 1.3.0

此脚本包含下载与安装。

  • sh install-containerd.sh d #下载
  • sh install-containerd.sh download #下载
  • sh install-containerd.sh i #安装
  • sh install-containerd.sh install #安装
#!/bin/bash


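# Script name without the .sh suffix; used in the usage message.
# "$0" is quoted so a path containing spaces does not split into several words.
name=$(basename -- "$0" .sh)
# Downloads run only when this is exactly "true"; override from the environment.
ENABLE_DOWNLOAD=${ENABLE_DOWNLOAD:-true}
# Absolute directory of this script.
BASE_DIR="$(dirname -- "$(readlink -f -- "$0")")"

# Artifacts are stored relative to the current working directory, so run the
# script from the directory that holds (or should hold) ./files.
FILES_DIR=./files
IMAGES_DIR=./images

# mkdir -p is already a no-op when the directory exists; abort if it cannot be created.
mkdir -p -- "$FILES_DIR" || exit 1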

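#######################################
# Download a release artifact into FILES_DIR unless it is already present.
# Globals:   FILES_DIR (read)
# Arguments: $1 - URL of the artifact
#            $2 - optional sub-directory below FILES_DIR
#            $3 - optional expected SHA-256 (lower-case hex); when given, the
#                 downloaded file must match before it is moved into place
# Outputs:   progress line on stdout, errors on stderr
# Returns:   0 if the file exists or was fetched (and verified), 1 otherwise
#######################################
download() {
    local url=$1
    local dir=${2:-}
    local expected_sha256=${3:-}
    local filename dest_dir target tmp actual

    filename=$(basename -- "$url")
    dest_dir=$FILES_DIR
    if [ -n "$dir" ]; then
        dest_dir="${FILES_DIR}/${dir}"
    fi
    target="${dest_dir}/${filename}"
    mkdir -p -- "$dest_dir" || return 1

    if [ -e "$target" ]; then
        return 0
    fi

    echo "==> download $url"
    # Fetch to a .part file first: an interrupted transfer must not leave a
    # truncated file that the existence check above would accept next time.
    tmp="${target}.part"
    # --fail: without it an HTTP error page (404, 5xx) is saved as the artifact.
    if ! curl --fail -SL -o "$tmp" "$url"; then
        rm -f -- "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi

    # These files are installed as root later, so verify integrity when the
    # caller supplies the published digest.
    if [ -n "$expected_sha256" ]; then
        actual=$(sha256sum -- "$tmp" | awk '{print $1}')
        if [ "$actual" != "$expected_sha256" ]; then
            rm -f -- "$tmp"
            echo "checksum mismatch for $url" >&2
            return 1
        fi
    fi

    mv -- "$tmp" "$target"
}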

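#######################################
# Fetch every pinned release artifact when ENABLE_DOWNLOAD is "true".
# Globals:   ENABLE_DOWNLOAD (read), FILES_DIR (written in the offline branch),
#            RUNC_VERSION, CONTAINERD_VERSION, NERDCTL_VERSION,
#            CRICTL_VERSION, CNI_VERSION (written)
# Returns:   0 on success, 1 as soon as one download fails
#######################################
download_files() {
    # Compare as a string. The previous `if $ENABLE_DOWNLOAD` ran the variable's
    # value as a command, so any text placed in the environment was executed.
    if [ "${ENABLE_DOWNLOAD:-true}" = "true" ]; then
        # TODO: These version must be same as kubespray. Refer `roles/downloads/defaults/main.yml` of kubespray.
        RUNC_VERSION=1.1.9
        CONTAINERD_VERSION=1.7.5
        NERDCTL_VERSION=1.5.0
        CRICTL_VERSION=1.28.0
        CNI_VERSION=1.3.0

        # NOTE(review): these artifacts are later installed as root and nothing
        # here compares them with the digests published on each release page.
        # Pin the SHA-256 of every file and verify it before the offline copy.
        download "https://github.com/opencontainers/runc/releases/download/v${RUNC_VERSION}/runc.amd64" "runc/v${RUNC_VERSION}" || return 1
        download "https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}-linux-amd64.tar.gz" || return 1
        download "https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}/nerdctl-${NERDCTL_VERSION}-linux-amd64.tar.gz" || return 1
        download "https://github.com/kubernetes-sigs/cri-tools/releases/download/v${CRICTL_VERSION}/crictl-v${CRICTL_VERSION}-linux-amd64.tar.gz" || return 1
        download "https://github.com/containernetworking/plugins/releases/download/v${CNI_VERSION}/cni-plugins-linux-amd64-v${CNI_VERSION}.tgz" kubernetes/cni || return 1
    else
        # Offline mode: use whatever is already present under ./files.
        FILES_DIR=./files
    fi
}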

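#######################################
# Print the highest-versioned path matching the given glob pattern(s).
# Arguments: $* - glob pattern(s); callers pass them quoted and they are
#                 expanded here (paths with whitespace are not supported)
# Outputs:   the selected path on stdout; the error message on stderr
# Returns:   exits with status 1 when nothing matches. Callers use $(...), so
#            only that subshell ends: they must check the substitution status.
#######################################
select_latest() {
    local latest
    # sort -V orders by version, so v1.10.0 ranks above v1.9.0; the plain
    # lexical order of ls would pick v1.9.0.
    # Unquoted $* is deliberate: the pattern has to be glob-expanded here.
    # shellcheck disable=SC2048,SC2086
    latest=$(ls -d -- $* 2>/dev/null | sort -V | tail -n 1)
    if [ -z "$latest" ]; then
        # stderr, not stdout: otherwise the message itself is captured by the
        # caller's $(...) and handed to cp/tar as file names.
        echo "No such file: $*" >&2
        exit 1
    fi
    printf '%s\n' "$latest"
}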

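#######################################
# Install the downloaded runc binary as /usr/local/bin/runc.
# Globals:   FILES_DIR (read)
# Returns:   0 on success, 1 if the binary is missing or cannot be installed
#######################################
install_runc() {
    local src

    # Install runc
    echo "==> Install runc"
    # Resolve the file first and stop if it is missing, so that cp/install is
    # never run with an empty or bogus source argument.
    src=$(select_latest "${FILES_DIR}/runc/v*/runc.amd64") || {
        echo "runc binary not found under ${FILES_DIR}/runc" >&2
        return 1
    }
    # install copies and sets owner and mode in one step (root:root, 0755).
    sudo install -o root -g root -m 0755 "$src" /usr/local/bin/runc || return 1
}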



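#######################################
# Install the nerdctl binary and write /etc/nerdctl/nerdctl.toml.
# Globals:   FILES_DIR (read)
# Returns:   0 on success, 1 if the archive is missing or a step fails
#######################################
install_nerdctl() {
    local archive workdir rc

    # Install nerdctl
    echo "==> Install nerdctl"
    archive=$(select_latest "${FILES_DIR}/nerdctl-*-linux-amd64.tar.gz") || {
        echo "nerdctl archive not found in ${FILES_DIR}" >&2
        return 1
    }

    # Unpack into a private mktemp directory. The fixed path /tmp/nerdctl in a
    # world-writable directory could be pre-created by another local user and
    # would then be copied into /usr/local/bin as root.
    workdir=$(mktemp -d) || return 1
    if ! tar xvf "$archive" -C "$workdir"; then
        rm -rf -- "${workdir:?}"
        return 1
    fi
    sudo install -o root -g root -m 0755 "${workdir}/nerdctl" /usr/local/bin/nerdctl
    rc=$?
    rm -rf -- "${workdir:?}"
    [ "$rc" -eq 0 ] || return 1

    # -p keeps a second run from failing when the directory already exists.
    sudo mkdir -p /etc/nerdctl || return 1

    # `sudo cat > file` opens the file in the calling (unprivileged) shell;
    # sudo tee performs the write with root privileges.
    # NOTE(review): insecure_registry = true is a global default. nerdctl then
    # skips certificate verification and may fall back to plain HTTP for every
    # registry, not only the local test one. Prefer false here and pass
    # --insecure-registry on the few commands that target the lab registry.
    sudo tee /etc/nerdctl/nerdctl.toml >/dev/null <<'EOF' || return 1
debug             = false
debug_full        = false
address           = "unix:///var/run/containerd/containerd.sock"
namespace         = "k8s.io"
snapshotter       = "overlayfs"
cni_path          = "/opt/cni/bin"
cni_netconfpath   = "/etc/cni/net.d"
cgroup_manager    = "systemd"
hosts_dir         = ["/etc/containerd/certs.d"]
insecure_registry = true 
EOF
}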

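#######################################
# Unpack crictl into /usr/local/bin and write /etc/crictl.yaml.
# Globals:   FILES_DIR (read)
# Returns:   0 on success, 1 if the archive is missing or a step fails
#######################################
install_crictl () {
    local archive

    # Install crictl plugins
    echo "==> Install crictl plugins"
    archive=$(select_latest "${FILES_DIR}/crictl-v*-linux-amd64.tar.gz") || {
        echo "crictl archive not found in ${FILES_DIR}" >&2
        return 1
    }
    # --no-same-owner: files unpacked as root keep the archive's uid/gid by
    # default; binaries on root's PATH should be owned by root.
    sudo tar xvzf "$archive" --no-same-owner -C /usr/local/bin || return 1

    # Written through sudo tee like the other system files in this script, so
    # the step also works when the script is not started as root.
    sudo tee /etc/crictl.yaml >/dev/null <<'EOF' || return 1
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
}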

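#######################################
# Install containerd: kernel modules, sysctls, binaries, systemd unit and
# /etc/containerd/config.toml, then enable and (re)start the service.
# Globals:   FILES_DIR (read)
# Outputs:   progress on stdout; the unit's "Active:" line at the end
# Returns:   0 on success, 1 if the archive is missing or a step fails;
#            otherwise the status of the final systemctl/grep chain
#######################################
install_containerd() {
    local archive

    # Install containerd
    echo "==> Install containerd"

    # Resolve the archive before touching the system, so a missing download
    # aborts without leaving a half-configured host.
    archive=$(select_latest "${FILES_DIR}/containerd-*-linux-amd64.tar.gz") || {
        echo "containerd archive not found in ${FILES_DIR}" >&2
        return 1
    }

    echo ""
    # Kernel modules loaded at boot: overlay for the snapshotter, br_netfilter
    # for the net.bridge.* sysctls below.
    cat <<'EOF' | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
    # Every privileged step goes through sudo; the original mixed sudo and
    # plain calls and so only worked when started as root.
    sudo systemctl restart systemd-modules-load.service
    cat <<'EOF' | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
    sudo sysctl --system

    # --strip-components=1 drops the archive's leading directory so the
    # binaries land directly in /usr/local/bin; --no-same-owner makes them
    # root-owned instead of keeping the uid/gid recorded in the archive.
    sudo tar xvf "$archive" --no-same-owner --strip-components=1 -C /usr/local/bin || return 1

    sudo tee /etc/systemd/system/containerd.service >/dev/null <<'EOF' || return 1
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target
EOF

    sudo mkdir -p \
         /etc/systemd/system/containerd.service.d \
         /etc/containerd \
         /var/lib/containerd \
         /run/containerd || return 1

    # The gRPC and debug sockets are created with uid/gid 0, so only root can
    # talk to the runtime.
    sudo tee /etc/containerd/config.toml >/dev/null <<'EOF' || return 1
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  uid = 0
  gid = 0

[debug]
  address = "/run/containerd/debug.sock"
  uid = 0
  gid = 0
  level = "info"

[metrics]
  address = ""
  grpc_histogram = false

[cgroup]
  path = ""

[plugins]
  [plugins."io.containerd.grpc.v1.cri".containerd]
    default_runtime_name = "runc"
    snapshotter = "overlayfs"
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    systemdCgroup = true
EOF

    echo "==> Start containerd"
    sudo systemctl daemon-reload && sudo systemctl enable --now containerd && sudo systemctl restart containerd && sudo systemctl status containerd | grep Active
}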

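#######################################
# Unpack the CNI plugin binaries into /opt/cni/bin.
# Globals:   FILES_DIR (read)
# Returns:   0 on success, 1 if the archive is missing or extraction fails
#######################################
install_cni() {
    local archive

    # Install cni plugins
    echo "==> Install CNI plugins"
    archive=$(select_latest "${FILES_DIR}/kubernetes/cni/cni-plugins-linux-amd64-v*.tgz") || {
        echo "CNI plugin archive not found in ${FILES_DIR}/kubernetes/cni" >&2
        return 1
    }
    sudo mkdir -p /opt/cni/bin || return 1
    # --no-same-owner: the plugins run as root, so they should be root-owned
    # rather than keep the uid/gid recorded in the archive.
    sudo tar xvzf "$archive" --no-same-owner -C /opt/cni/bin || return 1
}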

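# Entry point: the first argument selects download or install.
action=${1:-}

case "$action" in
  d|download)
    # "download" is accepted as well as "d", matching the documented usage.
    download_files || exit 1
    ;;
  i|install)
    # Stop at the first failing step instead of continuing with a partly
    # installed runtime and still reporting success.
    install_nerdctl || exit 1
    install_crictl || exit 1
    install_runc || exit 1
    install_containerd || exit 1
    install_cni || exit 1
    ;;
  *)
    echo "Usage: $name [d|download|i|install]"
    echo "sh $name d: it is download packages."
    echo "sh $name i: it is install packages."
    # A missing or unknown action is an error for calling scripts.
    exit 1
    ;;
esac
exit 0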

下载介质

sh install-containerd.sh d

介质结构

$ tree
.
├── files
│   ├── containerd-1.7.5-linux-amd64.tar.gz
│   ├── crictl-v1.27.1-linux-amd64.tar.gz
│   ├── crictl-v1.28.0-linux-amd64.tar.gz
│   ├── kubernetes
│   │   └── cni
│   │       └── cni-plugins-linux-amd64-v1.3.0.tgz
│   ├── nerdctl-1.5.0-linux-amd64.tar.gz
│   └── runc
│       └── v1.1.9
│           └── runc.amd64
└── install-containerd.sh

5 directories, 7 files

拷贝离线机器节点安装

sh install-containerd.sh i

3. 检查

检查 containerd 服务状态

$ systemctl status containerd.service 
● containerd.service - containerd container runtime
   Loaded: loaded (/etc/systemd/system/containerd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-12-07 15:29:13 CST; 1h 1min ago
     Docs: https://containerd.io
  Process: 2069 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
 Main PID: 2073 (containerd)
    Tasks: 23
   Memory: 304.1M
   CGroup: /system.slice/containerd.service
           ├─2073 /usr/local/bin/containerd
           └─2733 /usr/local/bin/containerd-shim-runc-v2 -namespace default -id nginx1 -address /run/containerd/containerd.sock

Dec 07 16:05:16 localhost.localdomain containerd[2073]: time="2023-12-07T16:05:16.070075409+08:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.pause\"..." runtime=i...rd.ttrpc.v1
Dec 07 16:05:16 localhost.localdomain containerd[2073]: time="2023-12-07T16:05:16.070225781+08:00" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runti...rd.event.v1
Dec 07 16:05:16 localhost.localdomain containerd[2073]: time="2023-12-07T16:05:16.070487356+08:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io...rd.ttrpc.v1
Dec 07 16:05:25 localhost.localdomain containerd[2073]: time="2023-12-07T16:05:25.314451770+08:00" level=info msg="shim disconnected" id=nginx1 namespace=default
Dec 07 16:05:25 localhost.localdomain containerd[2073]: time="2023-12-07T16:05:25.314619808+08:00" level=warning msg="cleaning up after shim disconnected" id=nginx1 namespace=default
Dec 07 16:05:25 localhost.localdomain containerd[2073]: time="2023-12-07T16:05:25.314660589+08:00" level=info msg="cleaning up dead shim" namespace=default
Dec 07 16:07:07 localhost.localdomain containerd[2073]: time="2023-12-07T16:07:07.682100420+08:00" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." run...internal.v1
Dec 07 16:07:07 localhost.localdomain containerd[2073]: time="2023-12-07T16:07:07.682320004+08:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.pause\"..." runtime=i...rd.ttrpc.v1
Dec 07 16:07:07 localhost.localdomain containerd[2073]: time="2023-12-07T16:07:07.682429251+08:00" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runti...rd.event.v1
Dec 07 16:07:07 localhost.localdomain containerd[2073]: time="2023-12-07T16:07:07.682477794+08:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io...rd.ttrpc.v1
Hint: Some lines were ellipsized, use -l to show in full.

检查 ctr & crictl & nerdctl & containerd 命令是否安装成功。

$ containerd --version
containerd github.com/containerd/containerd v1.7.5 fe457eb99ac0e27b3ce638175ef8e68a7d2bc373

$ crictl version
Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  v1.7.5
RuntimeApiVersion:  v1

$ nerdctl version
WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH 
Client:
 Version:       v1.5.0
 OS/Arch:       linux/amd64
 Git commit:    b33a58f288bc42351404a016e694190b897cd252
 buildctl:
  Version:

Server:
 containerd:
  Version:      v1.7.5
  GitCommit:    fe457eb99ac0e27b3ce638175ef8e68a7d2bc373
 runc:
  Version:      1.1.9
  GitCommit:    v1.1.9-0-gccaecfcb

$ ctr version
Client:
  Version:  v1.7.5
  Revision: fe457eb99ac0e27b3ce638175ef8e68a7d2bc373
  Go version: go1.20.7

Server:
  Version:  v1.7.5
  Revision: fe457eb99ac0e27b3ce638175ef8e68a7d2bc373
  UUID: 86b0073d-e329-4184-b319-e4c965369e7a

4. 测试

创建镜像仓库容器

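# The heredoc delimiter is quoted so the ${VAR:-default} expressions and
# $REGISTRY_DIR are written into start-registry.sh literally. Unquoted, they
# are expanded while the file is created, which leaves empty paths in the
# generated script.
cat > start-registry.sh <<'EOF'
#!/bin/bash

# Lab-only registry: it listens on every interface (0.0.0.0) over plain HTTP
# with no authentication, so any host that can reach the port can push or pull
# images. Restrict the port with a firewall, or add TLS and authentication,
# before using it outside an isolated test network.

REGISTRY_IMAGE=${REGISTRY_IMAGE:-registry:2.8.2}
REGISTRY_DIR=${REGISTRY_DIR:-/var/lib/registry}
REGISTRY_PORT=${REGISTRY_PORT:-35000}

if [ ! -e "$REGISTRY_DIR" ]; then
    sudo mkdir -p "$REGISTRY_DIR"
fi

echo "===> Start registry"
sudo /usr/local/bin/nerdctl --insecure-registry=true  run -d \
    --network host \
    -e REGISTRY_HTTP_ADDR="0.0.0.0:${REGISTRY_PORT}" \
    --restart always \
    --name registry \
    -v "$REGISTRY_DIR":/var/lib/registry \
    "$REGISTRY_IMAGE"
EOF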

sh start-registry.sh 

配置 /etc/hosts

$ cat /etc/hosts
10.70.0.73 registry.demo

推送镜像入库

# Pull the upstream registry image, then tag it with the local registry's
# host:port so it can be pushed there.
nerdctl pull  registry:2.8.2
nerdctl tag registry:2.8.2 registry.demo:35000/registry:2.8.2
# --insecure-registry=true makes nerdctl skip certificate verification and
# allows plain HTTP for this push/pull, so the image is not protected in
# transit. Keep it to the isolated test registry started above.
nerdctl --insecure-registry=true push  registry.demo:35000/registry:2.8.2
nerdctl --insecure-registry=true pull  registry.demo:35000/registry:2.8.2

参考:


转载自blog.csdn.net/xixihahalelehehe/article/details/134264754