1. Comparison of docker, crictl and ctr commands
Command | docker | crictl (k8s) | ctr (containerd) | nerdctl (containerd) |
---|---|---|---|---|
List running containers | docker ps | crictl ps | ctr task ls/ctr container ls | nerdctl ps |
List images | docker images | crictl images | ctr image ls | nerdctl images |
View container logs | docker logs | crictl logs | None | nerdctl logs |
View container details | docker inspect | crictl inspect | ctr container info | nerdctl inspect |
View container resource usage | docker stats | crictl stats | None | nerdctl stats |
Start/stop an existing container | docker start/stop | crictl start/stop | ctr task start/kill | nerdctl start/stop |
Run a new container | docker run | Cumbersome, because its smallest unit is a Pod | ctr run | nerdctl run |
Create a new container | docker create | Cumbersome, because its smallest unit is a Pod | ctr container create | nerdctl create |
Execute a command inside a container | docker exec | crictl exec | None | nerdctl exec |
Delete a container | docker rm | crictl rm | ctr container rm | nerdctl rm |
Delete an image | docker rmi | crictl rmi | ctr image rm | nerdctl rmi |
Import an image | docker load | None | ctr image import | nerdctl load |
Export an image | docker save | None | ctr image export | nerdctl save |
Pull an image | docker pull | crictl pull | ctr image pull | nerdctl pull |
Tag an image | docker tag | None | ctr image tag | nerdctl tag |
Push an image | docker push | None | ctr image push | nerdctl push |
Build an image | docker build | None | None | nerdctl build (requires the buildkit service to be installed separately) |
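❌ Note
The ctr and nerdctl commands require a namespace to be specified. To manage containers created by k8s, use the k8s.io namespace, i.e. ctr/nerdctl -n k8s.io
2. Built-in commands
2.1 ctr
ctr is the client tool provided by containerd and is bundled with containerd. One drawback: when downloading an image you must specify its full path.
❌ Note
containerd supports OCI-standard images, so you can directly use official docker images or images built from a Dockerfile. Note that, unlike docker, you must add docker.io/library when pulling an image.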
```bash
[root@kube-master-01 containers]# ctr --help
NAME:
   ctr -
        __
  _____/ /______
 / ___/ __/ ___/
/ /__/ /_/ /
\___/\__/_/

containerd CLI

USAGE:
   ctr [global options] command [command options] [arguments...]

VERSION:
   v1.7.22

DESCRIPTION:
   ctr is an unsupported debug and administrative client for interacting
   with the containerd daemon. Because it is unsupported, the commands,
   options, and operations are not guaranteed to be backward compatible or
   stable from release to release of the containerd project.

COMMANDS:
   plugins, plugin            Provides information about containerd plugins
   version                    Print the client and server versions
   containers, c, container   Manage containers
   content                    Manage content
   events, event              Display containerd events
   images, image, i           Manage images
   leases                     Manage leases
   namespaces, namespace, ns  Manage namespaces
   pprof                      Provide golang pprof outputs for containerd
   run                        Run a container
   snapshots, snapshot        Manage snapshots
   tasks, t, task             Manage tasks
   install                    Install a new package
   oci                        OCI tools
   sandboxes, sandbox, sb, s  Manage sandboxes
   info                       Print the server info
   deprecations
   shim                       Interact with a shim directly
   help, h                    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug                      Enable debug output in logs
   --address value, -a value    Address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS]
   --timeout value              Total timeout for ctr commands (default: 0s)
   --connect-timeout value      Timeout for connecting to containerd (default: 0s)
   --namespace value, -n value  Namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
   --help, -h                   show help
   --version, -v                print the version
```
2.2 Namespace operations
namespace
2.3 Image operations
Pull an image
- Syntax
```bash
[root@kube-master-01 containerd]# ctr images
NAME:
   ctr images - Manage images

USAGE:
   ctr images command [command options] [arguments...]

COMMANDS:
   check                    Check existing images to ensure all content is available locally
   export                   Export images
   import                   Import images
   list, ls                 List images known to containerd
   mount                    Mount an image to a target path
   unmount                  Unmount the image from the target
   pull                     Pull an image from a remote
   push                     Push an image to a remote
   prune                    Remove unused images
   delete, del, remove, rm  Remove one or more images by reference
   tag                      Tag an image
   label                    Set and clear labels for an image
   convert                  Convert an image
   usage                    Display usage of snapshots for a given image ref

OPTIONS:
   --help, -h  show help
```
```bash
ctr images pull docker.io/library/nginx:latest
# or
[root@kube-master-01 containerd]# ctr images ls -q
docker.io/library/nginx:latest
```
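The note in 2.1 says ctr needs the full image path, where docker accepts a short name. The following is an added example (not from the original page) that expands a docker-style name into the fully qualified reference using Docker's usual defaults (docker.io, library/, :latest), so it is explicit which registry an image comes from. The helper name normalize_ref and the sample names myorg/app and localhost:5000/app are made up for illustration.

```shell
#!/bin/sh
# Added example: expand a docker-style short image name into the fully
# qualified reference that ctr expects. normalize_ref is a hypothetical helper.
normalize_ref() {
    ref=$1
    case $ref in
        */*)
            host=${ref%%/*}
            path=${ref#*/}
            # The first component is a registry host only if it contains
            # "." or ":" or is "localhost"; otherwise it is a Hub user/org.
            case $host in
                *.*|*:*|localhost) ;;
                *) host=docker.io; path=$ref ;;
            esac
            ;;
        *)  host=docker.io; path=$ref ;;
    esac
    # Official Docker Hub images live under library/
    if [ "$host" = docker.io ]; then
        case $path in
            */*) ;;
            *) path=library/$path ;;
        esac
    fi
    # Append the default tag unless a tag or digest is already present
    case ${path##*/} in
        *:*|*@*) ;;
        *) path=$path:latest ;;
    esac
    printf '%s/%s\n' "$host" "$path"
}

# Print (do not execute) the pull command ctr needs for a few sample names.
for name in nginx nginx:alpine myorg/app localhost:5000/app \
            harbor.xx.com/library/nginx:latest; do
    echo "ctr images pull $(normalize_ref "$name")"
done
```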
Pull for a specific platform
By default, all platforms are downloaded
```bash
ctr images pull --all-platforms docker.io/library/nginx:alpine
ctr images pull --platform linux/amd64 docker.io/library/nginx:alpine
```
List images
```bash
[root@kube-master-01 ~]# ctr image ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323666f28dfd5a9710e3 67.7 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x -
```
Delete an image
```bash
ctr images del docker.io/library/nginx:latest
```
Export an image
- Syntax
```bash
ctr image export <output-filename> <image-name>
```
```bash
ctr image export nginx.tar.gz docker.io/library/nginx:alpine
```
Import an image
```bash
ctr images import nginx.tar.gz
```
Change the tag
```bash
$ ctr images tag docker.io/library/nginx:alpine nginx:alpine
# Recommended tag name format: registry address/directory/image name
```
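2.4 Container operations
From containerd's point of view alone, starting a container roughly follows the flow shown in the figure below:
containerd creates a container as follows:
- On receiving an API request, containerd calls runc through containerd-shim-runc-v2 to create the container; this mainly involves unpacking files and preparing the environment.
- On receiving an API request, it creates a task. A task is an abstraction of a container that holds all of its information, such as the container's id, state and configuration.
- containerd starts a containerd-shim-runc-v2 process.
- That containerd-shim-runc-v2 process starts another containerd-shim-runc-v2 process, and then the first containerd-shim-runc-v2 process exits.
- Via IPC, containerd tells the second containerd-shim-runc-v2 to start the container.
- The containerd-shim-runc-v2 process starts the container by calling runc start.
- runc calls runc init to start the container's init process.
- The runc init process calls unix.Exec to replace its own process and start the container's first process. This process is both the container's start command and the container's pid 1 process. Once this is done, the runc create process exits.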
Start a container
```bash
ctr run -t -d docker.io/library/nginx:alpine nginx
```
List containers
```bash
[root@kube-master-01 ~]# ctr container ls
CONTAINER    IMAGE                             RUNTIME
nginx        docker.io/library/nginx:alpine    io.containerd.runc.v2
[root@kube-master-01 ~]# ctr task ls
TASK     PID     STATUS
nginx    2057    RUNNING
```
❌ Note
In containerd, container and task are separate. A container is a metadata object describing the resources allocated and attached to the container, and is static content; a task is a live, running process on the system. A task should be deleted after each run, whereas a container can be used, updated and queried many times. This differs from how docker defines a container.
View a container's detailed configuration
container denotes the static container; c can be used as an abbreviation for container
```bash
ctr c info container_name
```
View container metrics
```bash
[root@kube-master-01 ~]# ctr t metrics container_name
ID       TIMESTAMP
nginx    seconds:1726319142 nanos:539959947

METRIC                VALUE
pids.current          3
pids.limit            18446744073709551615
cpu.usage_usec        38526
cpu.user_usec         2854
cpu.system_usec       35672
cpu.nr_periods        0
cpu.nr_throttled      0
cpu.throttled_usec    0
memory.usage          3690496
memory.usage_limit    18446744073709551615
memory.swap_usage     0
memory.swap_limit     18446744073709551615
```
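In the output above, the limit metrics read 18446744073709551615 (2^64-1), which is how an unset cgroup limit is reported: this container runs with no pids or memory cap. The following is an added example (not from the original page) that reads `ctr t metrics` output on stdin and lists the limit metrics that are unbounded. The function names are made up, the first sample is an excerpt of the page's output, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: list the *limit metrics in `ctr t metrics` output that are
# unbounded. unbounded_limits and the sample_* functions are hypothetical names.
UNLIMITED=18446744073709551615   # 2^64-1, reported when no cgroup limit is set

unbounded_limits() {
    awk -v max="$UNLIMITED" '
        # Compare as strings: 2^64-1 is not exactly representable as an awk
        # double, so a numeric comparison could match nearby values.
        $1 ~ /limit$/ && ($2 "") == (max "") { print $1 }
    '
}

# Excerpt of the output shown on this page (no limits configured).
sample_metrics() {
    cat <<'EOF'
ID       TIMESTAMP
nginx    seconds:1726319142 nanos:539959947

METRIC                VALUE
pids.current          3
pids.limit            18446744073709551615
memory.usage          3690496
memory.usage_limit    18446744073709551615
memory.swap_limit     18446744073709551615
EOF
}

# Constructed sample: pids and memory capped, swap still unbounded.
sample_limited() {
    cat <<'EOF'
METRIC                VALUE
pids.current          3
pids.limit            100
memory.usage          3690496
memory.usage_limit    268435456
memory.swap_limit     18446744073709551615
EOF
}

echo "page sample, unbounded:";        sample_metrics | unbounded_limits
echo "constructed sample, unbounded:"; sample_limited | unbounded_limits
```

On a live host the same check is `ctr t metrics container_name | unbounded_limits`.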
Enter a container
ctr task exec -t --exec-id exec-id container_name
```bash
[root@kube-master-01 ~]# ctr task exec -t --exec-id nginx-sh nginx sh
/ # ls
bin                   docker-entrypoint.sh  lib                   opt                   run                   sys                   var
dev                   etc                   media                 proc                  sbin                  tmp
docker-entrypoint.d   home                  mnt                   root                  srv                   usr
/ # ps uax|grep nginx
    1 root      0:00 nginx: master process nginx -g daemon off;
   30 nginx     0:00 nginx: worker process
   31 nginx     0:00 nginx: worker process
   40 root      0:00 grep nginx
/ # exit
```
Stop a container
Unlike docker, stop the task first, then delete the container
```bash
[root@kube-master-01 ~]# ctr task ls
TASK     PID     STATUS
nginx    2057    RUNNING
[root@kube-master-01 ~]# ctr task kill nginx
[root@kube-master-01 ~]# ctr container rm nginx
[root@kube-master-01 ~]# ctr container ls
CONTAINER    IMAGE    RUNTIME
```
Delete a container
The task must be deleted before the container
```bash
[root@kube-master-01 ~]# ctr task ls
TASK     PID     STATUS
nginx    2057    RUNNING
# Delete the task
ctr tasks delete nginx
# Delete the container
ctr container delete nginx
```
Upload (push) an image
Using Harbor as an example
```bash
$ ctr images push --platform linux/amd64 --plain-http -u admin:PASSWORD harbor.xx.com/library/nginx:latest
# Notes:
# Our harbor uses the HTTP protocol, not HTTPS, so --plain-http must be added
# --user admin:Harbor12345 specifies the harbor username and password
```
- Pull
```bash
$ ctr images pull --plain-http harbor.xx.com/library/nginx:latest
```