SRE文档1. Containerd配置
1.1 containerd.service
[root@kube-master-01 containers]# cat /etc/systemd/system/containerd.service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target[root@kube-master-01 containers]# cat /etc/systemd/system/containerd.service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target❌ 注意
1.Delegate
2.KillMode 该值用来设置systemd单元进程被杀死的方式, 默认值:control-group, 该字段还可以设置如下:
control-group: 当前控制组里面的所有子进程都会被杀掉.
process: 只杀主进程.
mixed: 主进程收到SIGTERM信号,子进程收到SIGKILL信号.
none: 没有进程被杀掉, 只是执行服务的stop命令.
containerd将KillMode的值设置为process,这样可以确保升级或重启containerd时不杀死现有的容器.
1.2 配置镜像加速
1.修改配置文件,推荐
vim /etc/containerd/config.toml
# 修改内容
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
#创建目录
mkdir /etc/containerd/certs.dvim /etc/containerd/config.toml
# 修改内容
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
#创建目录
mkdir /etc/containerd/certs.d- 重启服务
systemctl restart containerdsystemctl restart containerd❌ 注意
建议:
/etc/containerd/config.toml配置文件当中打开config_path配置,指向镜像仓库配置目录即可。这种方式只
需要在第一次修改/etc/containerd/config.toml文件打开config_path配置时需要重启containerd,后续我
们增加镜像仓库配置都无需重启containerd,非常方便。
另一种方式-不推荐
/etc/containerd/config.toml配置文件,这种方式在较新版本的contaienrd中已经被废弃,将来肯定会被移
除,只不过现在还可以使用而已。另外,这种方式有一个不好的地方就是,每次改/etc/containerd/config.toml
配置文件,都需重启containerd服务。
2.添加加速配置
hosts.toml文件中的内容仅支持:server, capabilities, ca, client, skip_verify, [header], override_path
- docker
# docker hub镜像加速
mkdir -p /etc/containerd/certs.d/docker.io
cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF
server = "https://docker.io"
[host."https://dockerproxy.com"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
EOF
# registry.k8s.io镜像加速
mkdir -p /etc/containerd/certs.d/registry.k8s.io
tee /etc/containerd/certs.d/registry.k8s.io/hosts.toml << 'EOF'
server = "https://registry.k8s.io"
[host."https://k8s.m.daocloud.io"]
capabilities = ["pull", "resolve", "push"]
EOF# docker hub镜像加速
mkdir -p /etc/containerd/certs.d/docker.io
cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF
server = "https://docker.io"
[host."https://dockerproxy.com"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
EOF
# registry.k8s.io镜像加速
mkdir -p /etc/containerd/certs.d/registry.k8s.io
tee /etc/containerd/certs.d/registry.k8s.io/hosts.toml << 'EOF'
server = "https://registry.k8s.io"
[host."https://k8s.m.daocloud.io"]
capabilities = ["pull", "resolve", "push"]
EOF❌ 注意
hosts.toml中可以配置多个镜像仓库,containerd下载竟像时会根据配置的顺序使用镜像仓库,只有当上一个仓库下载失败才会使用下一个镜像仓库
3.验证
nerdctl --debug=true image pull registry.k8s.io/sig-storage/csi-provisioner:v3.5.0
nerdctl --debug=true image pull k8s.gcr.io/kube-apiserver:v1.17.3nerdctl --debug=true image pull registry.k8s.io/sig-storage/csi-provisioner:v3.5.0
nerdctl --debug=true image pull k8s.gcr.io/kube-apiserver:v1.17.3❌ 注意
对于nerdctl命令来说,会自动使用/etc/containerd/certs.d目录下的配置镜像加速,但是对于ctr命令,需要指定--hosts-dir=/etc/containerd/certs.d。
比如:ctr i pull --hosts-dir=/etc/containerd/certs.d registry.k8s.io/sig-storage/csi-provisioner:v3.5.0,
如果要确定此命令是否真的使用了镜像加速,可以增加--debug=true参数,
比如:ctr --debug=true i pull --hosts-dir=/etc/containerd/certs.d registry.k8s.io/sig-storage/csi-provisioner:v3.5.0