K8S cluster switches Docker to Containerd

1. Start node maintenance

  The purpose of enabling node maintenance is to drive the Pods deployed through a Deployment away from the node to be maintained and make them run on another normal node, so as to ensure the continuity of services. But if a service has only 1 instance, the service is interrupted when it is driven away, and its continuity is not guaranteed: it is only restored once it has started on another node. Therefore, in order not to affect normal business operation in the production environment, it is best to set the minimum number of service instances to 2.

1.1 Set the node to be unschedulable

kubectl cordon k8s-node1

  Check whether the status of the node is set to the unschedulable state.
  As shown in the figure above, the k8s-node1 node has been set to the unschedulable state.

1.2 Evicting Pods on Nodes

kubectl drain k8s-node1 --ignore-daemonsets 

  After executing the above command, except for the Pods started by a daemon set, the Pods started through a deployment will be driven away to other schedulable nodes and restarted there.

  By setting the nodes to be upgraded to maintenance mode, business services can be guaranteed to provide services normally during the cluster upgrade process.

1.3 Stop related services

systemctl stop kubelet
systemctl stop containerd
systemctl disable docker
systemctl stop docker
systemctl disable cri-docker
systemctl stop cri-docker

2. Upgrade to containerd

2.1 Install containerd

  • Uninstall the docker-related packages
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine docker-ce
  • Install or upgrade containerd service
yum install containerd

2.2 Adjust containerd configuration

  • Export default configuration
containerd config default > /etc/containerd/config.toml
  • Edit the /etc/containerd/config.toml file
    sandbox_image = "registry.k8s.io/pause:3.6"

    Replace with

    sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6"

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
        SystemdCgroup = false

    Replace with

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
        SystemdCgroup = true

It is very important to add a domestic registry mirror, otherwise image downloads will fail and the services in the Pods will fail to start.

    [plugins."io.containerd.grpc.v1.cri".registry]
      ......
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      
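      Find the content above in the containerd configuration file and add the two lines below at this position. Mind the indentation: the two lines below are indented by 2 spaces relative to the line above, and the second of the two lines is indented by a further 2 spaces relative to the first.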
      
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["http://hub-mirror.c.163.com","https://docker.mirrors.ustc.edu.cn","https://registry.docker-cn.com"]
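
A post-edit check for the section 2.2 changes, added here as an example (not the author's script): it confirms that SystemdCgroup, sandbox_image and the registry mirror were changed as described, and flags mirror endpoints that use plain http://, which gives image pulls no transport integrity. The function names and the sample fragments are constructed for illustration, and single-line endpoint arrays are assumed.

```bash
#!/usr/bin/env bash
# audit_containerd_config FILE: one finding per line, non-zero exit status on any FAIL.
audit_containerd_config() {
  awk '
    /^[ \t]*#/  { next }                      # skip comment lines
    /^[ \t]*\[/ { sect = $0; next }           # remember the current TOML table header
    /^[ \t]*SystemdCgroup[ \t]*=/ && sect ~ /runtimes\.runc\.options/ {
      cg = ($0 ~ /=[ \t]*true/)
    }
    /^[ \t]*sandbox_image[ \t]*=/ { split($0, kv, "\""); pause = kv[2] }
    /^[ \t]*endpoint[ \t]*=/ && sect ~ /registry\.mirrors\./ {
      n = split($0, q, "\"")                  # even-numbered fields are the quoted URLs
      for (i = 2; i <= n; i += 2) {
        mirrors++
        if (q[i] ~ /^http:\/\//) print "WARN plaintext (unauthenticated) mirror: " q[i]
      }
    }
    END {
      if (cg) print "OK   runc SystemdCgroup = true"
      else  { print "FAIL runc SystemdCgroup is not true"; bad++ }
      if (pause == "" || pause ~ /^registry\.k8s\.io\//) {
        print "FAIL sandbox_image not switched to a mirror: " pause; bad++
      } else print "OK   sandbox_image = " pause
      if (mirrors) print "OK   " mirrors " registry mirror endpoint(s)"
      else       { print "FAIL no registry mirror endpoint configured"; bad++ }
      exit (bad > 0)
    }' "$1"
}

# Constructed sample: only the config.toml fragments this page edits.
sample_config() {  # $1 SystemdCgroup value, $2 sandbox image, $3 mirror table or ""
  cat <<EOF
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "$2"
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = $1
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
$3
EOF
}
MIRROR='    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["http://hub-mirror.c.163.com","https://docker.mirrors.ustc.edu.cn","https://registry.docker-cn.com"]'

tmp=$(mktemp)
sample_config false registry.k8s.io/pause:3.6 "" > "$tmp"
echo "== default config";  audit_containerd_config "$tmp" || echo "(edits missing)"
sample_config true registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6 "$MIRROR" > "$tmp"
echo "== edited as in 2.2"; audit_containerd_config "$tmp"
rm -f "$tmp"
```

On a node, run `audit_containerd_config /etc/containerd/config.toml` before restarting containerd in step 3.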

2.3 Modify the kubelet startup configuration parameters

  Add or modify the values of the following two parameters in the kubelet startup file

--container-runtime=remote 
--container-runtime-endpoint=unix:///run/containerd/containerd.sock

3. Restart the node service

  • Restart the containerd service
systemctl daemon-reload 
systemctl enable containerd
systemctl start containerd
  • View containerd service startup status
systemctl status containerd

  • Restart kubelet
systemctl start kubelet
  • View kubelet service status
systemctl status kubelet

  • Cancel node maintenance state
kubectl uncordon k8s-node1
  • View node information
kubectl get nodes -o wide

  As shown in the figure above, the k8s-node1 node has changed to the Ready state, and CONTAINER-RUNTIME has changed to containerd://1.6.18. This indicates that the k8s-node1 node has been switched from the docker container runtime to the containerd container runtime.

4. Verify the upgraded node

  If calico-node is deployed as a daemon set, then after the k8s node is upgraded to the containerd container runtime and containerd and kubelet are restarted, calico-node will run again on the upgraded node. You can check whether the calico-node Pod starts successfully on the upgraded node to determine whether the node was upgraded successfully.

  As shown in the figure above, the calico cni Pod on the k8s-node1 node is being deployed automatically. As shown in the figure below, the calico-node Pod on the k8s-node1 node has been successfully running.

5. Container management tools

5.1 Comparison of container management command line tools

Function                              | docker        | ctr                  | crictl
--------------------------------------|---------------|----------------------|--------------
View container list                   | docker ps     | ctr -n k8s.io c ls   | crictl ps
Execute commands inside the container | docker exec   | -                    | crictl exec
Attach to container                   | docker attach | -                    | crictl attach
Pull image                            | docker pull   | ctr -n k8s.io i pull | crictl pull
Push image                            | docker push   | ctr -n k8s.io i push | -
Delete image                          | docker rmi    | -                    | crictl rmi

  After replacing docker with containerd as the k8s container runtime, the docker command line tool needs to be replaced by ctr or crictl. ctr is a command-line tool for container management provided by containerd, but its function is relatively weaker than that of crictl. Therefore, after switching from docker to containerd, it is recommended to use the crictl command-line tool to manage containers. The crictl command-line tool needs to be installed separately.

  containerd stores k8s-related data in the k8s.io namespace. By default, ctr operates on the data in the default namespace. Therefore, if you want to use data from the containerd default namespace in k8s, you can export the image from the default namespace and then import it into the k8s.io namespace.

  • Export images from the default namespace, for example the calico cni image
ctr -n default images export --platform=linux/amd64 cni.tar.gz docker.io/calico/cni:v3.24.5
  • Import the calico cni image into the k8s.io namespace
ctr -n k8s.io i import cni.tar.gz

5.2 crictl command line tool installation

  • crictl source address
https://github.com/kubernetes-sigs/cri-tools/releases
  • Download the Linux x64 version tool
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.0/crictl-v1.26.0-linux-amd64.tar.gz
  • Unpack and install
tar -zxvf crictl-v1.26.0-linux-amd64.tar.gz -C /usr/local/bin
  • Configure crictl parameters
crictl config runtime-endpoint unix:///run/containerd/containerd.sock
crictl config image-endpoint unix:///run/containerd/containerd.sock

  This generates the /etc/crictl.yaml configuration file. The installation of the crictl command line tool is now complete, and operations that were previously performed with the docker command can be performed with crictl.

6. Summary

  • When replacing the docker container runtime with containerd, the nodes can be replaced one by one, which ensures the continuity of services.
  • After containerd replaces docker, for versions after k8s 1.20, the cri-docker service is no longer needed to bridge to the docker container runtime.
  • K8s cluster-related components only need to modify the kubelet startup parameters, and do not need to adjust kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and other components.

Origin blog.csdn.net/hzwy23/article/details/129102139