使用 cri-o 代替 docker runtime运行时


cri-o 实现了 kubernetes 的 Container Runtime Interface (CRI) 接口,提供容器运行时核心功能,如镜像管理、容器管理等,相比 docker 更加简单、健壮和可移植。

下载

cd /data/tools/
wget https://storage.googleapis.com/cri-o/artifacts/cri-o.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz
 
tar -xvf cri-o.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz

常见cri-o目录

mkdir -p  /data/crio/var/lib/containers/storage
mkdir -p /data/crio/var/run/containers/storage
mkdir -p  /data/crio/var/log/crio/pods
mkdir -p /data/crio/var/run/crio/version

 

cri-o 配置文件生成:

cd cri-o/etc
cat > crio.conf  <<EOF
[crio]
root = "/data/crio/lib/containers/storage"
runroot = "/data/crio/run/containers/storage"
log_dir = "/data/crio/var/log/crio/pods"
version_file = "/data/crio/var/run/crio/version"
version_file_persist = "/data/crio/var/lib/crio/version"
[crio.api]
listen = "/data/crio/var/run/crio/crio.sock"
stream_address = "127.0.0.1"
stream_port = "0"
stream_enable_tls = false
stream_tls_cert = ""
stream_tls_key = ""
stream_tls_ca = ""
grpc_max_send_msg_size = 16777216
grpc_max_recv_msg_size = 16777216
[crio.runtime]
default_ulimits = [
  "nofile=65535:65535",
  "nproc=65535:65535",
  "core=-1:-1"
]
default_runtime = "crun"
no_pivot = false
decryption_keys_path = "/data/crio/keys/"
conmon = "/data/crio/bin/conmon"
conmon_cgroup = "system.slice"
conmon_env = [
        "PATH=/data/crio/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
default_env = [
]
selinux = false
seccomp_profile = ""
apparmor_profile = "crio-default"
cgroup_manager = "systemd"
default_capabilities = [
    "CHOWN",
    "MKNOD",
    "DAC_OVERRIDE",
    "NET_ADMIN",
    "NET_RAW",
    "SYS_CHROOT",
    "FSETID",
    "FOWNER",
    "SETGID",
    "SETUID",
    "SETPCAP",
    "NET_BIND_SERVICE",
    "KILL",
]
default_sysctls = [
]
additional_devices = [
]
hooks_dir = [
        "/data/crio/containers/oci/hooks.d",
]
default_mounts = [
]
pids_limit = 102400
log_size_max = -1
log_to_journald = false
container_exits_dir = "/data/crio/run/crio/exits"
container_attach_socket_dir = "/data/crio/var/run/crio"
bind_mount_prefix = ""
read_only = false
log_level = "info"
log_filter = ""
uid_mappings = ""
gid_mappings = ""
ctr_stop_timeout = 30
manage_ns_lifecycle = true
namespaces_dir = "/data/crio/run"
pinns_path = "/data/crio/bin/pinns"
[crio.runtime.runtimes.crun]
runtime_path = "/data/crio/bin/crun"
runtime_type = "oci"
runtime_root = "/data/crio/run/crun"
allowed_annotations = [
    "io.containers.trace-syscall",
]
[crio.image]
default_transport = "docker://"
global_auth_file = ""
pause_image = "192.168.96.160/source/pause:3.5"
pause_image_auth_file = ""
pause_command = "/pause"
signature_policy = ""
image_volumes = "mkdir"
[crio.network]
network_dir = "/etc/cni/net.d"
plugin_dirs = [
        "/opt/cni/bin",
]
[crio.metrics]
enable_metrics = false
metrics_port = 9090
EOF
  • root:容器镜像存放目录;
  • runroot:容器运行目录;
  • log_dir:容器日志默认存放目录 kubelet 指定目录就存放kubelet所指定目录;
  • default_runtime:指定默认运行时;
  • conmon:conmon 二进制文件的路径,用于监控 OCI 运行时;
  • conmon_env:conmon 运行时的环境变量;
  • hooks_dir:OCI hooks 目录;
  • container_exits_dir:conmon 将容器出口文件写入其中的目录的路径;
  • namespaces_dir:管理命名空间状态被跟踪的目录。仅在 manage_ns_lifecycle 为 true 时使用;
  • pinns_path:pinns_path 是查找 pinns 二进制文件的路径,这是管理命名空间生命周期所必需的 ;
  • runtime_path:运行时可执行文件的绝对路径 ;
  • runtime_root:存放容器的根目录;
  • pause_image:pause镜像路径;
  • network_dir: cni 配置文件路径;
  • golobal_auth_file  私有仓库认证, 默认配置文件 /root/.docker/config, 官网地址是错的. 在harbor中,把config.json 拷贝过来
  • plugin_dirs:cni 二进制文件存放路径;
  • default runtime:使用crun
  • 运行路径:/data/crio 请根据自己环境修改
  •  官网文档

cri-o 启动其它所需配置文件生成

cd /data/tools/cri-o
mkdir containers
cd containers
cat > policy.json <<EOF
{
   "default": [
       {
           "type": "insecureAcceptAnything"
       }
   ],
   "transports":
       {
           "docker-daemon":
               {
                   "": [{"type":"insecureAcceptAnything"}]
               }
       }
}
EOF
 

 

cat >registries.conf <<EOF
# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.
 
# The default location for this configuration file is /etc/containers/registries.conf.
 
# The only valid categories are: 'registries.search', 'registries.insecure',
# and 'registries.block'.
 
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']
 
# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[registries.insecure]
registries = ['192.168.96.160']
 
# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
# Docker only
[registries.block]
registries = []
EOF

 

创建 cri-o systemd unit 文件

/usr/local/systemd/system/
cat >crio.service <<EOF
[Unit]
Description=OCI-based implementation of Kubernetes Container Runtime Interface
Documentation=https://github.com/github.com/cri-o/cri-o
 
[Service]
Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=//data/crio/crio/bin/crio --config /data/crio/etc/crio.conf --log-level info
Restart=on-failure
RestartSec=5
LimitNOFILE=655350
LimitNPROC=655350
LimitCORE=infinity
LimitMEMLOCK=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF

 

启动

# 全局刷新service 
systemctl daemon-reload 
# 设置cri-o开机启动
systemctl enable crio
# 启动cri-o
systemctl start crio  
# 重启cri-o
systemctl restart crio

 

创建 crictl 配置文件

crictl 是兼容 CRI 容器运行时的命令行工具,提供类似于 docker 命令的功能。具体参考 官方文档

cd /etc
cat << EOF | sudo tee crictl.yaml
runtime-endpoint: "unix:///data/crio/var/run/crio/crio.sock"
image-endpoint: "unix:///data/crio/var/run/crio/crio.sock"
timeout: 10
debug: false
pull-image-on-create: true
disable-pull-on-run: false
EOF

 

 

# 查看容器运行状态

crictl ps -a
crictl pull docker.io/library/busybox:1.24

从私有镜像仓库下载
crictl pull --creds fengjian:'Fengjian6666' 192.168.96.160/process/busybox:20220418

对 fengjian:'Fengjian6666' 进行base64位加密
https://www.qqxiuzi.cn/bianma/base64.htm

crictl pull --auth IGZlbmdqaWFuOidGZW5namlhbjY2NjYnIA== 192.168.96.160/process/busybox:20220418

 

免密钥pull 镜像

habor 镜像仓库登陆
docker  login 192.168.96.160

拷贝 harbor /root/.docker/config.json 到 cri-of服务器
scp  /root/.docker/config.json  root@192.168.96.151:/root/

再次拉取镜像
crictl pull  192.168.96.160/process/busybox:20220418

 

使用 cri-o 代替 docker runtime运行时

 

 

 

 

 

原创文章,作者:奋斗,如若转载,请注明出处:https://blog.ytso.com/tech/pnotes/245693.html

(0)
上一篇 2022年4月18日 17:47
下一篇 2022年4月18日 17:47

相关推荐

发表回复

登录后才能评论