胡文成's personal blog

Kubernetes Installation, Step 2_02: Installing the Container Runtime (containerd)

2024-08-17

I. Installing from the official binaries

1) Download the binary tarball

Binary package download page (the containerd GitHub releases page)

Here we download containerd-1.7.19-linux-amd64.tar.gz.

The tarball contains the following:

bin/
bin/containerd-shim-runc-v2
bin/containerd-shim
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd
bin/containerd-stress

Put the tarball in the downloads directory and extract it:

# cd downloads
# tar -xzf containerd-1.7.19-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/containerd-shim
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd
bin/containerd-stress

Copy all of the files from the tarball (it must be all of them, the shims included) into /usr/local/bin:

# cp bin/* /usr/local/bin

Note: containerd originally came from the Docker side and has since been adapted for Kubernetes. For Kubernetes you do not need the contents of the cri-containerd-(cni-)<VERSION>-<OS>-<ARCH>.tar.gz tarball, which will be removed in a future release, because the CRI interface that Kubernetes uses is already built into the containerd binary shipped in containerd-<VERSION>-<OS>-<ARCH>.tar.gz.
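The download-and-extract step above has no integrity check on the tarball. As an added example (not code from the original post or from the containerd project), the shell functions below verify a release tarball against the `.sha256sum` file that containerd publishes next to each release asset, and list the `bin/` entries without extracting anything. The tarball and checksum files created at the bottom are constructed stand-ins in a temporary directory, assumed to have the same layout as the real release; on a real node, point `DEMO_TARBALL` and `DEMO_SUMFILE` at the downloaded files. All function and variable names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify a downloaded containerd
# release tarball against its published .sha256sum file before extracting it.
# Assumption: the checksum file uses the coreutils format "<hex>  <filename>",
# which is the format of the .sha256sum assets on containerd's release page.

# sha256_of <file>: print only the hex digest (GNU coreutils or BSD fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_tarball <tarball> <checksum-file>
# Returns 0 when the digest recorded for the tarball's basename matches, 1 otherwise.
verify_tarball() {
  tarball="$1"; sumfile="$2"; name=$(basename "$tarball")
  expected=$(awk -v f="$name" '$2 == f {print $1; exit}' "$sumfile")
  # Some checksum files mark binary mode with a leading "*"; accept that form too.
  if [ -z "$expected" ]; then
    expected=$(awk -v f="*$name" '$2 == f {print $1; exit}' "$sumfile")
  fi
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sumfile" >&2
    return 1
  fi
  actual=$(sha256_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum OK: $name"
}

# list_tarball_bins <tarball>: print the bin/ entries without extracting,
# so you can confirm the six binaries are present before copying anything.
list_tarball_bins() {
  tar -tzf "$1" | grep '^bin/'
}

# --- Constructed demo data: a stand-in tarball with the real release's layout.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
for b in containerd containerd-shim containerd-shim-runc-v1 containerd-shim-runc-v2 ctr containerd-stress; do
  printf '#!/bin/sh\necho %s\n' "$b" > "$demo_dir/bin/$b"
done
DEMO_TARBALL="$demo_dir/containerd-1.7.19-linux-amd64.tar.gz"
tar -C "$demo_dir" -czf "$DEMO_TARBALL" bin
# A matching checksum file, and a deliberately wrong one to show the failure path.
DEMO_SUMFILE="$DEMO_TARBALL.sha256sum"
printf '%s  %s\n' "$(sha256_of "$DEMO_TARBALL")" "$(basename "$DEMO_TARBALL")" > "$DEMO_SUMFILE"
DEMO_BAD_SUMFILE="$demo_dir/bad.sha256sum"
printf '%s  %s\n' "0000000000000000000000000000000000000000000000000000000000000000" "$(basename "$DEMO_TARBALL")" > "$DEMO_BAD_SUMFILE"

verify_tarball "$DEMO_TARBALL" "$DEMO_SUMFILE" && list_tarball_bins "$DEMO_TARBALL"
```

Run the verification before `tar -xzf`, and treat a mismatch as a reason to re-download rather than something to skip: the binaries end up in /usr/local/bin and run as root under systemd.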

2) Download the containerd.service unit file

Download containerd.service from the official source (the containerd GitHub repository) and copy it into /usr/local/lib/systemd/system/:

# Create the directory
# mkdir /usr/local/lib/systemd/system/ -p
# Copy the unit file
# cp containerd.service /usr/local/lib/systemd/system/

The contents of containerd.service are as follows:

# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target

3) Reload the systemd units and start containerd

# systemctl daemon-reload
# systemctl enable --now containerd

4) Install runc

Download page: here we use runc-1.1.13.amd64 (the release asset is published as runc.amd64, the name the install command below uses).

# install -m 755 runc.amd64 /usr/local/sbin/runc

II. Installing with a package manager

1) Download docker-ce.repo

Only one of the following two commands is needed:

# curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

or

# curl -o /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo

2) Refresh the yum cache

# dnf makecache

3) Install containerd.io

Note: the containerd.io package includes runc but does not include the CNI plugins.

# dnf install -y containerd.io

4) Enable containerd.io to start on boot

# systemctl enable containerd.service

III. Configure containerd to use the systemd cgroup driver

1) Generate the default containerd configuration file

# mkdir /etc/containerd/ -p
# containerd config default > /etc/containerd/config.toml

2) Set SystemdCgroup to true

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  ...
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = true
3) Change the sandbox_image registry

This is the original configuration:

[plugins."io.containerd.grpc.v1.cri"]
  cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"]
  device_ownership_from_security_context = false
  disable_apparmor = false
  disable_cgroup = false
  disable_hugetlb_controller = true
  disable_proc_mount = false
  disable_tcp_service = true
  drain_exec_sync_io_timeout = "0s"
  enable_cdi = false
  enable_selinux = false
  enable_tls_streaming = false
  enable_unprivileged_icmp = false
  enable_unprivileged_ports = false
  ignore_deprecation_warnings = []
  ignore_image_defined_volumes = false
  image_pull_progress_timeout = "5m0s"
  image_pull_with_sync_fs = false
  max_concurrent_downloads = 3
  max_container_log_line_size = 16384
  netns_mounts_under_state_dir = false
  restrict_oom_score_adj = false
  sandbox_image = "registry.k8s.io/pause:3.8"
① Change it to your own Harbor address

Note: the image proxy must be configured in Harbor beforehand; see: Configuring Harbor as a proxy for other registries

# sed -i "s#registry.k8s.io/pause:3.8#harbor.home.cloud/aliyun/google_containers/pause:3.9#g" /etc/containerd/config.toml

This is the modified configuration:

[plugins."io.containerd.grpc.v1.cri"]
  cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"]
  device_ownership_from_security_context = false
  disable_apparmor = false
  disable_cgroup = false
  disable_hugetlb_controller = true
  disable_proc_mount = false
  disable_tcp_service = true
  drain_exec_sync_io_timeout = "0s"
  enable_cdi = false
  enable_selinux = false
  enable_tls_streaming = false
  enable_unprivileged_icmp = false
  enable_unprivileged_ports = false
  ignore_deprecation_warnings = []
  ignore_image_defined_volumes = false
  image_pull_progress_timeout = "5m0s"
  image_pull_with_sync_fs = false
  max_concurrent_downloads = 3
  max_container_log_line_size = 16384
  netns_mounts_under_state_dir = false
  restrict_oom_score_adj = false
  sandbox_image = "harbor.home.cloud/aliyun/google_containers/pause:3.9"
② Use the Alibaba Cloud mirror address

# sed -i "s#registry.k8s.io/pause:3.8#registry.aliyuncs.com/google_containers/pause:3.9#g" /etc/containerd/config.toml

This is the modified configuration:

[plugins."io.containerd.grpc.v1.cri"]
  cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"]
  device_ownership_from_security_context = false
  disable_apparmor = false
  disable_cgroup = false
  disable_hugetlb_controller = true
  disable_proc_mount = false
  disable_tcp_service = true
  drain_exec_sync_io_timeout = "0s"
  enable_cdi = false
  enable_selinux = false
  enable_tls_streaming = false
  enable_unprivileged_icmp = false
  enable_unprivileged_ports = false
  ignore_deprecation_warnings = []
  ignore_image_defined_volumes = false
  image_pull_progress_timeout = "5m0s"
  image_pull_with_sync_fs = false
  max_concurrent_downloads = 3
  max_container_log_line_size = 16384
  netns_mounts_under_state_dir = false
  restrict_oom_score_adj = false
  sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
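Steps 1) to 3) above are applied by hand-editing or by a `sed` that matches the old `pause:3.8` tag literally. As an added example (not code from the original post), the shell functions below perform the same two edits on any config.toml path and then read the values back, so the result can be checked rather than inspected by eye. It goes slightly beyond the post's `sed`: `set_sandbox_image` replaces whatever `sandbox_image` value is present, so it still works when a newer default config ships a different pause tag. The config file written at the bottom is a constructed subset of `containerd config default` output in a temporary directory; on a real node `CFG` is /etc/containerd/config.toml. The function and variable names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the section III edits
# (SystemdCgroup = true, sandbox_image pointing at a mirror) with sed and read
# the values back. Assumes the "key = value" layout that containerd's default
# config uses, one setting per line.

# get_setting <config.toml> <key>: print the first "key = value", quotes stripped.
get_setting() {
  awk -v k="$2" '$1 == k && $2 == "=" { v = $3; gsub(/"/, "", v); print v; exit }' "$1"
}

# set_systemd_cgroup <config.toml>: flip "SystemdCgroup = false" to true.
# Re-running it is harmless: a line already set to true does not match.
set_systemd_cgroup() {
  sed -i.bak 's/^\([[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*\)false/\1true/' "$1"
  rm -f "$1.bak"
}

# set_sandbox_image <config.toml> <image>: replace the current sandbox_image value,
# whatever tag it carries, instead of matching "pause:3.8" literally.
set_sandbox_image() {
  sed -i.bak "s#^\([[:space:]]*sandbox_image[[:space:]]*=[[:space:]]*\)\"[^\"]*\"#\1\"$2\"#" "$1"
  rm -f "$1.bak"
}

# check_cri_config <config.toml> <expected-image>: 0 when both edits are in place,
# which is what to confirm before restarting containerd and joining the node.
check_cri_config() {
  [ "$(get_setting "$1" SystemdCgroup)" = "true" ] &&
  [ "$(get_setting "$1" sandbox_image)" = "$2" ]
}

# --- Constructed demo config: only the keys the edits touch, default values.
CFG="$(mktemp -d)/config.toml"
cat > "$CFG" <<'EOF'
version = 2

[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.8"

  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
      SystemdCgroup = false
EOF

PAUSE_IMAGE="registry.aliyuncs.com/google_containers/pause:3.9"
set_systemd_cgroup "$CFG"
set_sandbox_image "$CFG" "$PAUSE_IMAGE"
check_cri_config "$CFG" "$PAUSE_IMAGE" && echo "config.toml ready: SystemdCgroup=true, sandbox_image=$PAUSE_IMAGE"
```

The cgroup driver set here must match the one kubelet is configured with on the same node; a mismatch between containerd and kubelet is a common reason for pods to fail to start after an otherwise clean install, so `check_cri_config` is worth running on every node before the cluster is bootstrapped.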
4) Configure registry mirrors (image acceleration)

Step 1: Create the /etc/containerd/certs.d directory

# mkdir -p /etc/containerd/certs.d

Step 2: If you use your own Harbor, import the custom Harbor CA certificate into the Linux system trust store (optional)

# mkdir -p /etc/containerd/harbor.home.cloud
# cp /path/to/ca.crt /etc/containerd/harbor.home.cloud/ca.crt

The import script import-ca.sh is as follows:

#!/bin/bash
# \cp bypasses any cp alias (such as cp -i) so the copy is non-interactive;
# update-ca-trust then rebuilds the system trust store so the Harbor CA is trusted.
\cp /etc/containerd/harbor.home.cloud/ca.crt /etc/pki/ca-trust/source/anchors/harbor-ca.crt && update-ca-trust

Run it:

# ./import-ca.sh
Step 3: Configure the account used to pull images

Add the following to /etc/containerd/config.toml:

[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"

  [plugins."io.containerd.grpc.v1.cri".registry.auths]

  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.home.cloud".auth]
      # Username
      username = "k8s-user"
      # Password
      password = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      # The auth value from ~/.docker/config.json on the Harbor server
      auth = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Step 4: Configure mirrors for docker.io, registry.k8s.io and quay.io (users of external registries)

Notes:

  • This step is needed by users who do not run their own Harbor and pull from external registries.
  • If you use your own Harbor, configure it this way first; after the Kubernetes cluster has been installed, uncomment the Harbor host entries and comment out the external mirrors.

Configure the docker.io mirror:

# mkdir -p /etc/containerd/certs.d/docker.io
# cat <<EOF | tee /etc/containerd/certs.d/docker.io/hosts.toml
> server = "https://docker.io"
> #[host."https://harbor.home.cloud"]
> #  capabilities = ["pull", "resolve", "push"]
> [host."https://docker.m.daocloud.io"]
>   capabilities = ["pull", "resolve"]
> EOF

Configure the registry.k8s.io mirror:

# mkdir -p /etc/containerd/certs.d/registry.k8s.io
# cat <<EOF | tee /etc/containerd/certs.d/registry.k8s.io/hosts.toml
> server = "https://registry.k8s.io"
> #[host."https://harbor.home.cloud"]
> #  capabilities = ["pull", "resolve", "push"]
> [host."https://k8s.m.daocloud.io"]
>   capabilities = ["pull", "resolve"]
> EOF

quay.io (Red Hat) needs no mirror in China, because it is reachable directly.
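Step 3 puts registry credentials in config.toml in clear text, and Step 4 grants each mirror a capability list. As an added example (not code from the original post), the shell functions below write a hosts.toml for a mirror in the same format as the heredocs above and add the two checks a practitioner would want before restarting containerd: no mirror host is granted `push` (a mirror only needs `pull` and `resolve`; the commented-out Harbor entries above also grant `push`, which is fine for a registry you own but not for a public mirror), and the config.toml holding the credentials is readable by root only. The directories and files at the bottom are constructed in a temporary directory; on a real node `CERTS_DIR` is /etc/containerd/certs.d and `CONFIG` is /etc/containerd/config.toml. Function and variable names are my own; the credential values are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: write a containerd hosts.toml for a
# registry mirror, refuse mirrors that are granted "push", and lock down the
# config.toml that carries registry credentials.

# write_mirror_hosts <certs_dir> <upstream-registry> <mirror-url>
# Produces <certs_dir>/<registry>/hosts.toml with pull+resolve only.
write_mirror_hosts() {
  certs_dir="$1"; registry="$2"; mirror="$3"
  mkdir -p "$certs_dir/$registry"
  cat > "$certs_dir/$registry/hosts.toml" <<EOF
server = "https://$registry"

[host."$mirror"]
  capabilities = ["pull", "resolve"]
EOF
}

# mirror_capabilities <hosts.toml>: print the capability list of every
# uncommented [host] entry, one line per entry.
mirror_capabilities() {
  sed -n 's/^[[:space:]]*capabilities[[:space:]]*=[[:space:]]*\[\(.*\)].*/\1/p' "$1"
}

# hosts_allow_push <hosts.toml>: returns 0 when any host entry is granted "push".
hosts_allow_push() {
  mirror_capabilities "$1" | grep -q '"push"'
}

# file_mode <path>: octal permission bits (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# lock_down_config <config.toml>: the file holds a registry password, so make
# it owner-read/write only and confirm the mode actually took effect.
lock_down_config() {
  chmod 600 "$1"
  [ "$(file_mode "$1")" = "600" ]
}

# --- Constructed demo layout in a temp dir.
demo=$(mktemp -d)
CERTS_DIR="$demo/certs.d"
CONFIG="$demo/config.toml"
write_mirror_hosts "$CERTS_DIR" docker.io https://docker.m.daocloud.io
write_mirror_hosts "$CERTS_DIR" registry.k8s.io https://k8s.m.daocloud.io
# A hosts.toml shaped like the post's commented-out Harbor entry, push included,
# to show what hosts_allow_push flags.
mkdir -p "$CERTS_DIR/bad.example"
printf 'server = "https://bad.example"\n[host."https://harbor.home.cloud"]\n  capabilities = ["pull", "resolve", "push"]\n' > "$CERTS_DIR/bad.example/hosts.toml"
# A config.toml carrying placeholder credentials, created world-readable on purpose.
printf '[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.home.cloud".auth]\n  username = "k8s-user"\n  password = "REPLACE_ME"\n' > "$CONFIG"
chmod 644 "$CONFIG"

for h in "$CERTS_DIR"/*/hosts.toml; do
  if hosts_allow_push "$h"; then echo "mirror grants push: $h"; fi
done
lock_down_config "$CONFIG" && echo "config.toml mode is now $(file_mode "$CONFIG")"
```

If the `for` loop reports a file, review whether that host really needs `push` (your own Harbor may; a public mirror never does). Run `lock_down_config` again after any tool rewrites config.toml, since `containerd config default >` recreates the file with the default umask.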

5) Restart the containerd service

# systemctl daemon-reload
# systemctl restart containerd
