Centos7.9安装containerd容器与cni网络插件

一，Containerd 的技术方向和目标

• 简洁的基于 gRPC 的 API 和 client library

• 完整的 OCI 支持(runtime 和 image spec)

• 同时具备稳定性和高性能的定义良好的容器核心功能

• 一个解耦的系统(让 image、filesystem、runtime 解耦合)，实现插件式的扩展和重用

  为什么需要独立的 containerd：

• 以往隶属于docker项目中，现如今从整体 docker 引擎中分离出的项目(开源项目的思路)

• 可以被 Kubernets CRI 等项目使用(通用化)

• 为广泛的行业合作打下基础(就像 runC 一样)

二，安装步骤

1，升级内核

[root@os-240 ~]#  rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
[root@os-240 ~]#   yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
#建议迁移lt长期支持内核
[root@os-240 ~]#   yum --enablerepo='elrepo-kernel' install kernel-lt kernel-lt-devel
[root@os-240 ~]#  grub2-set-default 0
[root@os-240 ~]#  reboot

不升级内核，启动containerd服务或是拉取镜像会报以下错误：

Mar 24 11:05:03 os-240 containerd: time="2023-03-24T11:05:03.870447561+08:00" level=error msg="(*service).Write failed" error="rpc error: code = Canceled desc = context canceled" expected="sha256:d4ceccbfc2696101c94fbf2149036e4ff815e4723e518721ff85105ce5aa8afc" ref="layer-sha256:d4ceccbfc2696101c94fbf2149036e4ff815e4723e518721ff85105ce5aa8afc" total=1405

FATA[0005] failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://registry-1.docker.io/v2/library/nginx/blobs/sha256:e9427fcfa8642f8ddf5106f742a75eca0dbac676cf8145598623d04fa45dd74e": dial tcp: lookup registry-1.docker.io on 114.114.114.114:53: no such host 

如果出现镜像无法下载情况，可以修改dns1=8.8.8.8

2，下载相关软件包，系统采用Centos7.9，需要安装的软件版本如下：

[root@os-240 ~]#  wget https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64
[root@os-240 ~]#  wget https://github.com/opencontainers/runc/releases/download/v1.1.4/libseccomp-2.5.4.tar.gz
[root@os-240 ~]#   wget https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz
[root@os-240 ~]#   wget https://github.com/containerd/nerdctl/releases/download/v1.2.1/nerdctl-1.2.1-linux-amd64.tar.gz
[root@os-240 ~]#   wget https://github.com/moby/buildkit/releases/download/v0.11.5/buildkit-v0.11.5.linux-amd64.tar.gz
[root@os-240 ~]#  wget https://github.com/containerd/containerd/releases/download/v1.7.0/containerd-1.7.0-linux-amd64.tar.gz

# 安装新版libseccomp软件包，runc需要使用

[root@os-240 ~]#   tar zxvf libseccomp-2.5.4.tar.gz

[root@os-240 ~]#  yum  -y install gperf                         #根据情况安装编写环境

[root@os-240 ~]#  ./configure

[root@os-240 ~]#  make && make install

[root@os-240 ~]#   tar xvf containerd-1.7.0-linux-amd64.tar.gz

# 二进制文件都安装到/usr/local/bin/目录下
[root@os-240 ~]#  cp -r bin/* /usr/local/bin/

3，创建containerd systemd service启动管理文件

修改ExecStart=/usr/local/bin/containerd为当前containerd文件路径

[root@os-240 ~]#   cd /etc/systemd/system/
[root@os-240 ~]#  cat containerd.service 


# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
 
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
 
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
 
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
 
[Install]
WantedBy=multi-user.target

[root@os-240 ~]#   mkdir /etc/containerd

[root@os-240 ~]#   containerd config default > /etc/containerd/config.toml

[root@os-240 ~]#   systemctl daemon-reload

修改配置文件

vim下搜索/mirrors，添加镜像加速，使用docker镜像源即可，上下级配置，缩进两个空格。

   [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://dxc7f1d6.mirror.aliyuncs.com"]

或是使用： 

endpoint = ["https://registry-1.docker.io"]

[root@os-240 ~]#   systemctl enable containerd --now

4，安装runc

[root@os-240 ~]#  mv runc.amd64 /usr/local/bin/runc

[root@os-240 ~]# chmod +x /usr/local/bin/runc

[root@os-240 ~]#  runc -version
runc version 1.1.4
commit: v1.1.4-0-g5fd4c4d1
spec: 1.0.2-dev
go: go1.17.10
libseccomp: 2.5.4

5，安装buildkit，实现Dockerfile构建镜像
[root@os-240 ~]#    tar zxvf buildkit-v0.11.5.linux-amd64.tar.gz 
[root@os-240 ~]#    cp -a bin/build* /usr/local/bin/

添加启动服务
[root@os-240 ~]#   cat > /etc/systemd/system/buildkit.service <<EOF
   [Unit]
   Description=BuildKit
   Documentation=https://github.com/moby/buildkit
   [Service]
   ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true
   [Install]
   WantedBy=multi-user.target
   EOF

[root@os-240 ~]#    systemctl daemon-reload 
[root@os-240 ~]#    systemctl enable buildkit --now
[root@os-240 ~]#    systemctl status buildkit.service 

6，安装cni网络插件

CNI：Container network interface容器网络接口，为容器分配ip地址网卡等

[root@os-240 ~]#   mkdir  -p /opt/cni/bin

[root@os-240 ~]#   tar xvf cni-plugins-linux-amd64-v1.2.0.tgz -C /opt/cni/bin/


# 给containerd配置一个网络
root@containerd:/tools# nerdctl network create docker0


#如不配置网络，会有以下报错。
# Mar 24 10:14:51 os-240 containerd: time="2023-03-24T10:14:51.282280892+08:00" level=error msg="failed to load cni during init, please check CRI plugin status before setting up network for pods" error="cni config load failed: no network config found in /etc/cni/net.d: cni plugin not initialized: failed to load cni config"



[root@os-240 ~]# nerdctl network ls
NETWORK ID      NAME       FILE
17f29b073143    bridge     /etc/cni/net.d/nerdctl-bridge.conflist
297a8b73df18    docker0    /etc/cni/net.d/nerdctl-docker0.conflist
                host       
                none       

[root@os-240 ~]# nerdctl network create bridge


# 最后重启containerd
root@containerd:/tools#   systemctl restart containerd.service 


# 创建容器时，不加--netwrok 参数时，默认使用bridge网卡。


[root@os-240 ~]# nerdctl run -dt --name=nginx --network docker0 -p 8082:80 docker.io/library/nginx:latest
#以上添加network命令使用docker0网络，网络配置文件内容可以修改 /etc/cni/net.d/nerdctl-docker0.conflist。

7，安装命令工具，这里使用nerdctl，与docker命令基本一样。

[root@os-240 ~]#  tar xvf nerdctl-1.2.1-linux-amd64.tar.gz 
[root@os-240 ~]#  cp nerdctl /usr/local/bin/

[root@os-240 ~]#   cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
                               overlay
                               br_netfilter
                               EOF

[root@os-240 ~]#  sudo modprobe overlay
[root@os-240 ~]#  sudo modprobe br_netfilter

[root@os-240 ~]#  systemctl restart containerd.service 

8，命令补全

[root@os-240 ~]#   source /usr/share/bash-completion/bash_completion
[root@os-240 ~]#   source <(nerdctl completion bash)
[root@os-240 ~]#   echo "source <(nerdctl completion bash)" >> ~/.bashrc
[root@os-240 ~]#   source ~/.bashrc


[root@os-240 ~]#   ln -s /usr/local/bin/nerdctl /usr/local/bin/docker

# 实现与docker命令操作一样的效果

9，命令测试

[root@os-240 ~]# nerdctl run -dt --name=nginxweb --network docker0 -p 8083:80 docker.io/library/nginx:latest
7181edec2d8a556ac8d2fbbff36123797963ac7091ec2d44a66efacb2732237d
 
[root@os-240 ~]# docker  ps 
CONTAINER ID    IMAGE                             COMMAND                   CREATED              STATUS    PORTS                   NAMES
7181edec2d8a    docker.io/library/nginx:latest    "/docker-entrypoint.…"    5 seconds ago        Up        0.0.0.0:8083->80/tcp    nginxweb
 
[root@os-240 ~]# 
[root@os-240 ~]# curl -i 127.0.0.1:8083