Containerd容器运行时介绍与应用
以下是Containerd的详细部署指南,涵盖主流 Linux 发行版的安装和基础配置。
一、安装方式
1. 二进制包安装(推荐)
适用于大多数 Linux 发行版,获取最新版本。
# 下载最新版本(请从 GitHub Release 页面获取最新版本号)VERSION="1.7.19"wgethttps://github.com/containerd/containerd/releases/download/v${VERSION}/containerd-${VERSION}-linux-amd64.tar.gz# 解压到系统目录sudotarCxzvf /usr/local containerd-${VERSION}-linux-amd64.tar.gz# 下载并安装 runc(必需组件)wgethttps://github.com/opencontainers/runc/releases/download/v1.1.12/runc.amd64sudoinstall-m755runc.amd64 /usr/local/sbin/runc# 下载并安装 cni-plugins(网络插件)wgethttps://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgzsudomkdir-p/opt/cni/binsudotarCxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.4.0.tgz2. 通过包管理器安装
Ubuntu/Debian
# 安装依赖sudoapt-getupdatesudoapt-getinstall-yca-certificatescurl# 添加 Docker 仓库(包含 containerd)curl-fsSLhttps://download.docker.com/linux/ubuntu/gpg|sudogpg--dearmor-o/etc/apt/keyrings/docker.gpgecho"deb [arch=$(dpkg --print-architecture)signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu$(lsb_release-cs)stable"|sudotee/etc/apt/sources.list.d/docker.list>/dev/null# 安装 containerdsudoapt-getupdatesudoapt-getinstall-ycontainerd.ioCentOS/RHEL/Rocky Linux
# 安装依赖sudoyuminstall-yyum-utils# 添加 Docker 仓库sudoyum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo# 安装 containerdsudoyuminstall-ycontainerd.io# 或者直接安装 containerd(不通过 Docker 仓库)sudoyuminstall-yhttps://github.com/containerd/containerd/releases/download/v1.7.19/containerd-1.7.19-1.el7.x86_64.rpm3. 通过 Kubernetes 工具安装
如果用于 Kubernetes 集群:
# 使用 kubeadm 工具安装 containerdcat<<EOF|sudotee/etc/modules-load.d/containerd.confoverlay br_netfilter EOFsudomodprobe overlaysudomodprobe br_netfilter二、配置 Containerd
1. 生成默认配置文件
# 创建配置目录sudomkdir-p/etc/containerd# 生成默认配置containerd config default|sudotee/etc/containerd/config.toml2. 关键配置修改
编辑/etc/containerd/config.toml:
# 修改 systemd cgroup 驱动(推荐用于 Kubernetes) [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] runtime_type = "io.containerd.runc.v2" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] SystemdCgroup = true # 配置镜像仓库镜像(加速国内访问) [plugins."io.containerd.grpc.v1.cri".registry] [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] endpoint = ["https://docker.mirrors.ustc.edu.cn", "https://registry-1.docker.io"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"] endpoint = ["https://gcr.mirrors.ustc.edu.cn"] # 配置 pause 镜像(Kubernetes 必需) sandbox_image = "registry.k8s.io/pause:3.9" # 修改存储路径(可选) root = "/var/lib/containerd" state = "/run/containerd"3. 配置 systemd 服务
# 创建 systemd 服务文件(如果二进制安装)sudotee/etc/systemd/system/containerd.service<<'EOF' [Unit] Description=containerd container runtime Documentation=https://containerd.io After=network.target local-fs.target [Service] ExecStartPre=-/sbin/modprobe overlay ExecStart=/usr/local/bin/containerd Type=notify Delegate=yes KillMode=process Restart=always RestartSec=5 LimitNPROC=infinity LimitCORE=infinity LimitNOFILE=infinity TasksMax=infinity OOMScoreAdjust=-999 [Install] WantedBy=multi-user.target EOF三、启动与验证
1. 启动服务
# 重载 systemd 配置sudosystemctl daemon-reload# 启动 containerdsudosystemctlenable--nowcontainerd# 查看状态sudosystemctl status containerd# 查看日志sudojournalctl-ucontainerd-f2. 验证安装
# 验证版本containerd--versionctr version# 测试基本功能sudoctr images pull docker.io/library/nginx:latestsudoctr images list# 测试容器运行sudoctr containers create docker.io/library/nginx:latest nginx-testsudoctr tasks start nginx-testsudoctr tasks list四、安装客户端工具
1. nerdctl(推荐,兼容 Docker CLI)
# 下载 nerdctlVERSION="1.7.2"wgethttps://github.com/containerd/nerdctl/releases/download/v${VERSION}/nerdctl-${VERSION}-linux-amd64.tar.gzsudotarCxzvvf /usr/local/bin nerdctl-${VERSION}-linux-amd64.tar.gz# 验证安装nerdctl--versionnerdctl run--rmhello-world2. crictl(Kubernetes CRI 工具)
# 安装 crictlVERSION="v1.30.0"wgethttps://github.com/kubernetes-sigs/cri-tools/releases/download/${VERSION}/crictl-${VERSION}-linux-amd64.tar.gzsudotarCxzvvf /usr/local/bin crictl-${VERSION}-linux-amd64.tar.gz# 配置 crictlsudotee/etc/crictl.yaml<<EOF runtime-endpoint: unix:///run/containerd/containerd.sock image-endpoint: unix:///run/containerd/containerd.sock timeout: 10 debug: false EOF# 验证crictlps五、生产环境调优
1. 内核参数优化
# 创建 sysctl 配置sudotee/etc/sysctl.d/99-kubernetes-cri.conf<<EOF net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.ipv4.ip_forward = 1 EOFsudosysctl--system2. 存储配置优化
# 修改配置文件中的存储设置# /etc/containerd/config.toml[plugins."io.containerd.grpc.v1.cri".containerd]snapshotter="overlayfs"disable_snapshot_annotations=true[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]BinaryName="/usr/local/sbin/runc"NoPivotRoot=false3. 日志配置
# 配置日志轮转sudotee/etc/logrotate.d/containerd<<EOF /var/log/containerd/*.log { rotate 7 daily compress missingok delaycompress copytruncate } EOF六、故障排查
常用命令
# 查看 containerd 状态sudosystemctl status containerd# 查看详细日志sudojournalctl-xucontainerd-ocat# 检查 containerd 进程sudopsaux|grepcontainerd# 检查 socket 文件sudols-la/run/containerd/containerd.sock# 验证 CRI 插件sudoctr pluginls|grepcri常见问题
- 权限问题
sudochmod755/var/lib/containerd- 镜像拉取失败
# 检查镜像仓库配置sudoctr images pull --plain-http docker.io/library/nginx:latest- 网络问题
# 检查 CNI 插件sudols/opt/cni/bin/七、卸载 Containerd
# 停止服务sudosystemctl stop containerd# 卸载包管理器安装的版本sudoapt-getremove-ycontainerd.io# Ubuntu/Debiansudoyum remove-ycontainerd.io# CentOS/RHEL# 删除相关文件sudorm-rf/etc/containerdsudorm-rf/var/lib/containerdsudorm-rf/run/containerd# 删除二进制(如果是手动安装)sudorm-f/usr/local/bin/containerdsudorm-f/usr/local/bin/ctr注意事项:
- 生产环境建议使用二进制包安装以获得最新版本
- 如果用于 Kubernetes,必须配置
SystemdCgroup = true - 定期更新 containerd 和 runc 以获取安全补丁
- 建议配合
nerdctl使用以获得更好的用户体验
这样部署的 containerd 可以独立使用,也可以作为 Kubernetes 的容器运行时。