cri-o implements the Kubernetes Container Runtime Interface (CRI) and provides the core container-runtime functions such as image management and container management. Compared with Docker it is simpler, more robust and more portable.
Download
cd /data/tools/
wget https://storage.googleapis.com/cri-o/artifacts/cri-o.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz
tar -xvf cri-o.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz
Common cri-o directories
mkdir -p /data/crio/var/lib/containers/storage
mkdir -p /data/crio/var/run/containers/storage
mkdir -p /data/crio/var/log/crio/pods
mkdir -p /data/crio/var/run/crio/version
Generate the cri-o configuration file:
cd cri-o/etc
cat > crio.conf <<EOF
[crio]
root = "/data/crio/lib/containers/storage"
runroot = "/data/crio/run/containers/storage"
log_dir = "/data/crio/var/log/crio/pods"
version_file = "/data/crio/var/run/crio/version"
version_file_persist = "/data/crio/var/lib/crio/version"
[crio.api]
listen = "/data/crio/var/run/crio/crio.sock"
stream_address = "127.0.0.1"
stream_port = "0"
stream_enable_tls = false
stream_tls_cert = ""
stream_tls_key = ""
stream_tls_ca = ""
grpc_max_send_msg_size = 16777216
grpc_max_recv_msg_size = 16777216
[crio.runtime]
default_ulimits = [
"nofile=65535:65535",
"nproc=65535:65535",
"core=-1:-1"
]
default_runtime = "crun"
no_pivot = false
decryption_keys_path = "/data/crio/keys/"
conmon = "/data/crio/bin/conmon"
conmon_cgroup = "system.slice"
conmon_env = [
"PATH=/data/crio/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
default_env = [
]
selinux = false
seccomp_profile = ""
apparmor_profile = "crio-default"
cgroup_manager = "systemd"
default_capabilities = [
"CHOWN",
"MKNOD",
"DAC_OVERRIDE",
"NET_ADMIN",
"NET_RAW",
"SYS_CHROOT",
"FSETID",
"FOWNER",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"KILL",
]
default_sysctls = [
]
additional_devices = [
]
hooks_dir = [
"/data/crio/containers/oci/hooks.d",
]
default_mounts = [
]
pids_limit = 102400
log_size_max = -1
log_to_journald = false
container_exits_dir = "/data/crio/run/crio/exits"
container_attach_socket_dir = "/data/crio/var/run/crio"
bind_mount_prefix = ""
read_only = false
log_level = "info"
log_filter = ""
uid_mappings = ""
gid_mappings = ""
ctr_stop_timeout = 30
manage_ns_lifecycle = true
namespaces_dir = "/data/crio/run"
pinns_path = "/data/crio/bin/pinns"
[crio.runtime.runtimes.crun]
runtime_path = "/data/crio/bin/crun"
runtime_type = "oci"
runtime_root = "/data/crio/run/crun"
allowed_annotations = [
"io.containers.trace-syscall",
]
[crio.image]
default_transport = "docker://"
global_auth_file = ""
pause_image = "192.168.96.160/source/pause:3.5"
pause_image_auth_file = ""
pause_command = "/pause"
signature_policy = ""
image_volumes = "mkdir"
[crio.network]
network_dir = "/etc/cni/net.d"
plugin_dirs = [
"/opt/cni/bin",
]
[crio.metrics]
enable_metrics = false
metrics_port = 9090
EOF
- root: directory where container images (image storage) are kept;
- runroot: directory for container run-state;
- log_dir: default directory for container logs; when kubelet specifies a log directory, logs go to the directory kubelet specifies;
- default_runtime: the default OCI runtime;
- conmon: path to the conmon binary, which monitors the OCI runtime;
- conmon_env: environment variables for the conmon process;
- hooks_dir: OCI hooks directory;
- container_exits_dir: directory into which conmon writes container exit files;
- namespaces_dir: directory where the state of managed namespaces is tracked; used only when manage_ns_lifecycle is true;
- pinns_path: path to the pinns binary, which is required for managing namespace lifecycles;
- runtime_path: absolute path to the runtime executable;
- runtime_root: root directory in which containers are stored;
- pause_image: reference of the pause image;
- network_dir: CNI configuration directory;
- global_auth_file: authentication for private registries; the default file is /root/.docker/config (the path given on the official site is wrong). For Harbor, copy config.json over;
- plugin_dirs: directory holding the CNI binaries;
- default runtime: crun is used;
- run path: /data/crio; adjust it to your own environment;
- Official documentation
Generate the other configuration files cri-o needs to start
cd /data/tools/cri-o
mkdir containers
cd containers
cat > policy.json <<EOF
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}
EOF
cat > registries.conf <<EOF
# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.
# The default location for this configuration file is /etc/containers/registries.conf.
# The only valid categories are: 'registries.search', 'registries.insecure',
# and 'registries.block'.
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']
# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[registries.insecure]
registries = ['192.168.96.160']
# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
# Docker only
[registries.block]
registries = []
EOF
Create the cri-o systemd unit file
cd /usr/local/systemd/system/
cat > crio.service <<EOF
[Unit]
Description=OCI-based implementation of Kubernetes Container Runtime Interface
Documentation=https://github.com/cri-o/cri-o
[Service]
Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/data/crio/crio/bin/crio --config /data/crio/etc/crio.conf --log-level info
Restart=on-failure
RestartSec=5
LimitNOFILE=655350
LimitNPROC=655350
LimitCORE=infinity
LimitMEMLOCK=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
Start
# Reload systemd unit files
systemctl daemon-reload
# Enable cri-o at boot
systemctl enable crio
# Start cri-o
systemctl start crio
# Restart cri-o
systemctl restart crio
Create the crictl configuration file
crictl is a command-line tool for CRI-compatible container runtimes and offers functionality similar to the docker command. See the official documentation for details.
cd /etc
cat << EOF | sudo tee crictl.yaml
runtime-endpoint: "unix:///data/crio/var/run/crio/crio.sock"
image-endpoint: "unix:///data/crio/var/run/crio/crio.sock"
timeout: 10
debug: false
pull-image-on-create: true
disable-pull-on-run: false
EOF
# Check container status
crictl ps -a
crictl pull docker.io/library/busybox:1.24
Pull from a private registry:
crictl pull --creds fengjian:'Fengjian6666' 192.168.96.160/process/busybox:20220418
Base64-encode the credential fengjian:Fengjian6666 (for example at https://www.qqxiuzi.cn/bianma/base64.htm, or locally with base64); encode only user:password, without the shell quotes or surrounding spaces:
crictl pull --auth ZmVuZ2ppYW46RmVuZ2ppYW42NjY2 192.168.96.160/process/busybox:20220418
Pulling images without supplying credentials
Log in to the Harbor registry:
docker login 192.168.96.160
Copy /root/.docker/config.json from the Harbor host to the cri-o server:
scp /root/.docker/config.json root@192.168.96.151:/root/
Pull the image again:
crictl pull 192.168.96.160/process/busybox:20220418

Original article by 奋斗; if you republish it, please cite the source: https://blog.ytso.com/tech/pnotes/245693.html