aws eks 集群container runtime升级容器管理工具的切换

参考资料

  • https://cloud-atlas.readthedocs.io/zh_CN/latest/kubernetes/debug/crictl.html
  • https://zhuanlan.zhihu.com/p/562014518

container runtime

Low-Level和High-Level容器运行时。runc、lxc、lmctfy、Docker(容器)、rkt、cri-o。每一个都是为不同的情况而构建的,并实现了不同的功能。有些,如 containerd 和 cri-o,实际上使用 runc 来运行容器,在High-Level实现镜像管理和 API。与 runc 的Low-Level实现相比,可以将这些功能(包括镜像传输、镜像管理、镜像解包和 API)视为High-Level功能。

aws eks 集群container runtime升级容器管理工具的切换_第1张图片

  • 只专注于正在运行的容器的runtime通常称为“Low-Level容器运行时”
  • 支持更多高级功能(如镜像管理和gRPC / Web API)的运行时通常称为“High-Level容器运行时”

在创建一个docker容器的时候,Docker Daemon 并不能直接帮我们创建了,而是请求 containerd 来创建一个容器。当containerd 收到请求后,也不会直接去操作容器,而是创建一个叫做 containerd-shim 的进程。让这个进程去操作容器,我们指定容器进程是需要一个父进程来做状态收集、维持 stdin 等 fd 打开等工作的,假如这个父进程就是 containerd,那如果 containerd 挂掉的话,整个宿主机上所有的容器都得退出了,而引入 containerd-shim 这个垫片就可以来规避这个问题了,就是提供的live-restore的功能。这里需要注意systemd的 MountFlags=slave。然后创建容器需要做一些 namespaces 和 cgroups 的配置,以及挂载 root 文件系统等操作。runc 就可以按照这个 OCI 文档来创建一个符合规范的容器。

container相比调用链更短,组件少且稳定

docker 运行时的调用关系为: kubelet --> dockershim (在 kubelet 进程中) --> dockerd --> containerd

containerd 运行时的调用关系为: kubelet --> cri plugin(在 containerd 进程中) --> containerd

aws eks 集群container runtime升级容器管理工具的切换_第2张图片

查看node上的进程

root     32041  0.0  0.2 712204  9712 ?        Sl   10:50   0:00 /usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id c2d4f6f9df81a41d0b361700e76eb4e46ada1c7a12629b7b3895e8ab0215223d -address /run/containerd/containerd.sock
root     32042  0.0  0.2 712460 10040 ?        Sl   10:50   0:00 /usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id 352402b119bc5ad4dd3c87e0617dec3a41f72747b39720a1a0aadef1c44e3c41 -address /run/containerd/containerd.sock

查看kubelet

ExecStart=/usr/bin/kubelet --cloud-provider aws \
    --image-credential-provider-config /etc/eks/ecr-credential-provider/ecr-credential-provider-config \
   --image-credential-provider-bin-dir /etc/eks/ecr-credential-provider \
    --config /etc/kubernetes/kubelet/kubelet-config.json \
    --kubeconfig /var/lib/kubelet/kubeconfig \
    --container-runtime remote \
    --container-runtime-endpoint unix:///run/containerd/containerd.sock \
    $KUBELET_ARGS $KUBELET_EXTRA_ARGS

查看containerd的配置文件

$ cat /etc/containerd/config.toml
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"

[grpc]
address = "/run/containerd/containerd.sock"

[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"

[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn/eks/pause:3.5"

[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d:/etc/docker/certs.d"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true

[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"

ctr

ctrcontainerd的一个客户端工具。ctr客户端 主要区分了 3 个命名空间分别是k8s.iomobydefault

查看容器和任务

$ sudo ctr -n=k8s.io container ls

aws eks 集群container runtime升级容器管理工具的切换_第3张图片

查看容器info

sudo ctr -n=k8s.io container info f77f39a204f120e179140394b230fce0605251a21b50cbc327bee21c621aed82

查看image

sudo ctr -n=k8s.io images ls
sudo ctr -n=k8s.io images list -q

aws eks 集群container runtime升级容器管理工具的切换_第4张图片

管理镜像

sudo ctr -n=k8s.io image image pull busybox
sudo ctr -n=k8s.io images rm docker.io/library/busybox:latest
sudo ctr -n=k8s.io images pull docker.io/library/busybox:latest

在这里插入图片描述

crictl

crictl是遵循 CRI 接口规范的一个命令行工具,通常用它来检查和管理kubelet节点上的容器运行时和镜像。

crictl 只有一个k8s.io命名空间,没有-n 参数。

参考资料

  • 使用 crictl 对 Kubernetes 节点进行调试
  • Container Runtime Interface (CRI) CLI
  • https://cloud-atlas.readthedocs.io/zh_CN/latest/kubernetes/debug/crictl.html
  • https://www.bookstack.cn/read/kubernetes-tasks-1.19-zh/0e2ab828b2c33e61.md

安装crictl

VERSION="v1.24.1"
curl -L https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-${VERSION}-linux-amd64.tar.gz --output crictl-${VERSION}-linux-amd64.tar.gz
sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
rm -f crictl-$VERSION-linux-amd64.tar.gz

配置/etc/crictl.yaml如下,或者在执行时通过-r指定endpoint:

runtime-endpoint:unix:///run/containerd/containerd.sock image-endpoint:unix:///run/containerd/containerd.sock timeout:10 debug:false

常用命令

$ crictl -v
$ crictl  pull nginx:alpine
$ crictl  rmi  nginx:alpine
$ crictl  images

设置代理

$ cat /etc/systemd/system/containerd.service.d/10-compat-symlink.conf
[Service]
ExecStartPre=/bin/ln -sf /run/containerd/containerd.sock /run/dockershim.sock

Set HTTP_PROXY and HTTPS_PROXY for containerd in /etc/systemd/system/containerd.service.d/http-proxy.conf:

[Service]
Environment="HTTP_PROXY=http://127.0.0.1:65001"
Environment="HTTPS_PROXY=http://127.0.0.1:65001"

查看容器

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock ps

在这里插入图片描述

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock images

aws eks 集群container runtime升级容器管理工具的切换_第5张图片

查看容器日志

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock logs d2910afb661ea
2022/12/30 10:50:57 Server is listening on :5678
2022/12/30 10:58:39 [ERR] Unknown signal terminated
# crictl logs bf37d99b64364

查看容器info

sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock inspect d2910afb661ea

查看stats

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock stats
CONTAINER           CPU %               MEM                 DISK                INODES
0a1ba2b85a2f4       0.00                1.528MB             0B                  13
2470b65dc9824       0.12                12.8MB              0B                  15
81dc5e769badb       0.00                1.884MB             0B                  13
89112d90b0d9b       0.09                12.82MB             0B                  15
a71f81a4af8b0       0.00                1.54MB              0B                  13
b3c937668a77c       0.01                47.42MB             0B                  26
d2910afb661ea       0.00                1.565MB             0B                  13
daf6338c1d55e       0.00                14.89MB             0B                  14
f77f39a204f12       0.00                1.528MB             0B                  13

stop和start容器

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock stop dead6a33fc0fd

查看pod

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock pods

aws eks 集群container runtime升级容器管理工具的切换_第6张图片

在容器中执行exec

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock exec -it 5f0e264ddd5c1 bash

拉取镜像

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock pull busybox
Image is up to date for sha256:827365c7baf137228e94bcfc6c47938b4ffde26c68c32bf3d3a7762cd04056a5

查看容器运行时信息

$ sudo /usr/local/bin/crictl -r unix:///run/containerd/containerd.sock info
{
  "config": {
    "containerd": {
      "snapshotter": "overlayfs",
      "defaultRuntimeName": "runc",
      "defaultRuntime": {
        "runtimeType": "",
        "runtimePath": "",
        "runtimeEngine": "",
        "PodAnnotations": null,
        "ContainerAnnotations": null,
        "runtimeRoot": "",
        "options": null,
        "privileged_without_host_devices": false,
        "baseRuntimeSpec": "",
        "cniConfDir": "",
        "cniMaxConfNum": 0
      },
      "untrustedWorkloadRuntime": {
        "runtimeType": "",
        "runtimePath": "",
        "runtimeEngine": "",
        "PodAnnotations": null,
        "ContainerAnnotations": null,
        "runtimeRoot": "",
        "options": null,
        "privileged_without_host_devices": false,
        "baseRuntimeSpec": "",
        "cniConfDir": "",
        "cniMaxConfNum": 0
      },
      "runtimes": {
        "runc": {
          "runtimeType": "io.containerd.runc.v2",
          "runtimePath": "",
          "runtimeEngine": "",
          "PodAnnotations": null,
          "ContainerAnnotations": null,
          "runtimeRoot": "",
          "options": {
            "SystemdCgroup": true
          },
          "privileged_without_host_devices": false,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        }
      },
      "noPivot": false,
      "disableSnapshotAnnotations": true,
      "discardUnpackedLayers": false,
      "ignoreRdtNotEnabledErrors": false
    },
    "cni": {
      "binDir": "/opt/cni/bin",
      "confDir": "/etc/cni/net.d",
      "maxConfNum": 1,
      "confTemplate": "",
      "ipPref": ""
    },
    "registry": {
      "configPath": "/etc/containerd/certs.d:/etc/docker/certs.d",
      "mirrors": null,
      "configs": null,
      "auths": null,
      "headers": null
    },
    "imageDecryption": {
      "keyModel": "node"
    },
    "disableTCPService": true,
    "streamServerAddress": "127.0.0.1",
    "streamServerPort": "0",
    "streamIdleTimeout": "4h0m0s",
    "enableSelinux": false,
    "selinuxCategoryRange": 1024,
    "sandboxImage": "918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn/eks/pause:3.5",
    "statsCollectPeriod": 10,
    "systemdCgroup": false,
    "enableTLSStreaming": false,
    "x509KeyPairStreaming": {
      "tlsCertFile": "",
      "tlsKeyFile": ""
    },
    "maxContainerLogSize": 16384,
    "disableCgroup": false,
    "disableApparmor": false,
    "restrictOOMScoreAdj": false,
    "maxConcurrentDownloads": 3,
    "disableProcMount": false,
    "unsetSeccompProfile": "",
    "tolerateMissingHugetlbController": true,
    "disableHugetlbController": true,
    "device_ownership_from_security_context": false,
    "ignoreImageDefinedVolumes": false,
    "netnsMountsUnderStateDir": false,
    "enableUnprivilegedPorts": false,
    "enableUnprivilegedICMP": false,
    "containerdRootDir": "/var/lib/containerd",
    "containerdEndpoint": "/run/containerd/containerd.sock",
    "rootDir": "/var/lib/containerd/io.containerd.grpc.v1.cri",
    "stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
  },
  "golang": "go1.18.6",
  "lastCNILoadStatus": "OK",
  "lastCNILoadStatus.default": "OK"
}

nerdctl

参考资料

  • https://link.zhihu.com/?target=https%3A//github.com/containerd/nerdctl/releases
  • https://github.com/containerd/nerdctl
  • https://zhuanlan.zhihu.com/p/562014518

nttlabs贡献了一个名为nerdctl的containerd客户端,可以兼容docker命令行工具

安装nerdctl

wget https://github.com/containerd/nerdctl/releases/download/v1.1.0/nerdctl-1.1.0-linux-amd64.tar.gz
sudo tar -xzvf nerdctl-1.1.0-linux-amd64.tar.gz -C /usr/local/bin/
sudo su -
nerdctl -n k8s.io container ls

通过docker运行nerdctl

docker build -t nerdctl .
docker run -it --rm --privileged nerdctl

nerdctl兼容了docker命令,可以无痛切换

https://github.com/containerd/nerdctl

https://blog.csdn.net/weixin_39246554/article/details/120958424

查看名称空间

sudo nerdctl ns ls

查看image

nerdctl -n k8s.io image ls

拉取镜像,dockerhub

nerdctl pull nginx:latest
sudo nerdctl -n default image ls | grep nginx

查看容器

sudo nerdctl -n k8s.io container ls -a

拉取ecr镜像,需要确保在root用户下执行

aws ecr get-login-password --region cn-north-1 | nerdctl login --username AWS --password-stdin xxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn
WARNING! Your password will be stored unencrypted in /home/ec2-user/.docker/config.json.

你可能感兴趣的:(AWS,aws,docker,容器)