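How to Interact with the Containerd Runtime in Kubernetes

Containerd is an open-source container runtime that conforms to the Container Runtime Interface (CRI). It was originally created by Docker and donated to the Cloud Native Computing Foundation (CNCF). It supports the standards defined by the Open Container Initiative (OCI). Containerd manages the container lifecycle on a physical or virtual machine (the host). The daemon pulls container images from container registries and mounts storage. It can also start, stop and destroy containers, and set up networking for them.

In most cases you do not need to manage containerd directly in a Kubernetes deployment. This article nevertheless shows two ways to interact with the images and containers on containerd, for diagnostic purposes only.

Using ctr to interact with the containerd runtime

ctr is an unsupported debug and administrative client for interacting with the containerd daemon. Because it is unsupported, its commands, options and operations are not guaranteed to be backward compatible or stable between releases of the containerd project.

Check the status of the containerd service by running: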

$ systemctl status containerd
● containerd.service - containerd container runtime
     Loaded: loaded (/etc/systemd/system/containerd.service; enabled-runtime; preset: disabled)
     Active: active (running) since Wed 2023-07-19 09:46:47 UTC; 1 day 12h ago
       Docs: https://containerd.io
    Process: 806 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
   Main PID: 823 (containerd)
      Tasks: 136
     Memory: 329.2M
        CPU: 19min 51.135s
     CGroup: /system.slice/containerd.service
             └─ 823 /opt/bin/containerd

Next, get the containerd server and client versions:

$ sudo ctr version
Client:
  Version:  1.6.16
  Revision: 92b3a9d6f1b3bcc6dc74875cfdea653fe39f09c2
  Go version: go1.18.10

Server:
  Version:  v1.6.8
  Revision: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
  UUID: 5702a568-3a30-48cc-b97f-96e646cf95ff
WARNING: version mismatch
WARNING: revision mismatch

Show the list of commands:

ctr help

Show help for a specific command:

ctr help <command>
ctr help images
ctr help run
ctr help container

List namespaces:

$ sudo ctr ns ls
NAME   LABELS
k8s.io

Use --namespace value, -n value to specify the namespace to use with a command (the default is "default"). To list the containers known to containerd in the Kubernetes namespace (k8s.io), run:

$ sudo ctr -n k8s.io container list
CONTAINER                                                           IMAGE                                              RUNTIME
14547fb3d12d8451b33e8f814fe223bf127f8abf1f48a69a5cf6b2905abccf05    registry.k8s.io/pause:3.6                          io.containerd.runc.v2
3791b1b66442a14b6361c2347831981bbedc86a0cead7988f0a137c14b5ef54f    registry.k8s.io/kube-apiserver:v1.24.6             io.containerd.runc.v2
4831df98ec7f6981dfbddf1c546c88ac75307f343548e266e37a3984ae36fd75    registry.k8s.io/pause:3.6                          io.containerd.runc.v2
50b0ff87965a0f58ce315a40b2e1ebe4a8a97867e2c56c54b58c2fef53768f69    registry.k8s.io/kube-apiserver:v1.24.6             io.containerd.runc.v2
545bf5226fd1ec64ddfd3d64dd3ead50795d0c2cf0b4347708e4a20e1eb248a6    registry.k8s.io/pause:3.6                          io.containerd.runc.v2
60bb4a18cca9f00f548bbd138792330674e9014957ba3ae05455386ae8d4eabd    quay.io/calico/node:v3.23.3                        io.containerd.runc.v2
65809c67b6a68dddf62db16a6bd38910016f00e4a243d9a23f1d15a19cf997ef    registry.k8s.io/pause:3.6                          io.containerd.runc.v2
675d091aa8c3206f7c9d6ee7cf1440429abaf3d9bf23205e2094ee58afb96319    registry.k8s.io/pause:3.6
....

List the containerd plugins in the Kubernetes namespace:

$ sudo ctr -n k8s.io plugins list
TYPE                                  ID                       PLATFORMS      STATUS
io.containerd.content.v1              content                  -              ok
io.containerd.snapshotter.v1          aufs                     linux/amd64    skip
io.containerd.snapshotter.v1          btrfs                    linux/amd64    skip
io.containerd.snapshotter.v1          native                   linux/amd64    ok
io.containerd.snapshotter.v1          overlayfs                linux/amd64    ok
io.containerd.snapshotter.v1          zfs                      linux/amd64    skip
io.containerd.metadata.v1             bolt                     -              ok
....

Show containerd events:

$ sudo ctr events
2023-07-20 22:06:45.533485709 +0000 UTC k8s.io /tasks/exec-added {"container_id":"60bb4a18cca9f00f548bbd138792330674e9014957ba3ae05455386ae8d4eabd","exec_id":"6535efd575bb0ac4d7c49557fa790962362e8f9c47a376c93daa4481f5b079e3"}
2023-07-20 22:06:45.53386204 +0000 UTC k8s.io /tasks/exec-added {"container_id":"60bb4a18cca9f00f548bbd138792330674e9014957ba3ae05455386ae8d4eabd","exec_id":"befb68da2de2d64ef697d5f28e4285db0faee08b9667fb6d4479e84ec87dc229"}
2023-07-20 22:06:45.55858748 +0000 UTC k8s.io /tasks/exec-started {"container_id":"60bb4a18cca9f00f548bbd138792330674e9014957ba3ae05455386ae8d4eabd","exec_id":"6535efd575bb0ac4d7c49557fa790962362e8f9c47a376c93daa4481f5b079e3","pid":1100376}
2023-07-20 22:06:45.578203661 +0000 UTC k8s.io /tasks/exec-started {"container_id":"60bb4a18cca9f00f548bbd138792330674e9014957ba3ae05455386ae8d4eabd","exec_id":"befb68da2de2d64ef697d5f28e4285db0faee08b9667fb6d4479e84ec87dc229","pid":1100398}
2023-07-20 22:06:45.605581161 +0000 UTC k8s.io /tasks/exit {"container_id":"60bb4a18cca9f00f548bbd138792330674e9014957ba3ae05455386ae8d4eabd","id":"6535efd575bb0ac4d7c49557fa790962362e8f9c47a376c93daa4481f5b079e3","pid":1100376,"exited_at":"2023-07-20T22:06:45.605549682Z"}
2023-07-20 22:06:45.689340832 +0000 UTC k8s.io /tasks/exit {"container_id":"60bb4a18cca9f00f548bbd138792330674e9014957ba3ae05455386ae8d4eabd","id":"befb68da2de2d64ef697d5f28e4285db0faee08b9667fb6d4479e84ec87dc229","pid":1100398,"exited_at":"2023-07-20T22:06:45.689322554Z"}
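
Commands executed inside a running container appear in this stream as exec-added, exec-started and exit events, which makes the stream a useful node-level audit source. The Python code below is an added example, not part of the original article or the containerd project: it pairs each exec-started event with its exit and reports how long the exec ran. The function names are hypothetical, and the sample lines are constructed from the output above with shortened IDs.

```python
import json
import re
from datetime import datetime

# Layout printed by `ctr events`: timestamp, namespace, topic, JSON payload.
EVENT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.(\d+))? ([+-]\d{4}) \S+ "
                      r"(\S+) (\S+) (\{.*\})$")

def parse_event(line):
    """Return (epoch_ns, namespace, topic, payload), or None if unparseable."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    stamp, frac, offset, namespace, topic, raw = m.groups()
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return None  # damaged line, e.g. wrapped or cut by a log shipper
    dt = datetime.strptime(f"{stamp} {offset}", "%Y-%m-%d %H:%M:%S %z")
    nanos = int((frac or "").ljust(9, "0")[:9])  # trailing zeros are not printed
    return int(dt.timestamp()) * 10**9 + nanos, namespace, topic, payload

def exec_sessions(lines):
    """Pair each exec-started with its exit; duration_ns is None while still open."""
    started, sessions = {}, []
    for ts, namespace, topic, p in filter(None, map(parse_event, lines)):
        if topic == "/tasks/exec-started":
            started[(p.get("container_id"), p.get("exec_id"))] = (ts, namespace, p.get("pid"))
        elif topic == "/tasks/exit":
            # In the output above, the exit event's "id" field carries the exec_id.
            begun = started.pop((p.get("container_id"), p.get("id")), None)
            if begun:
                sessions.append({"namespace": begun[1], "container": p["container_id"],
                                 "exec": p["id"], "pid": begun[2], "duration_ns": ts - begun[0]})
    sessions += [{"namespace": n, "container": c, "exec": e, "pid": pid, "duration_ns": None}
                 for (c, e), (_, n, pid) in started.items()]
    return sessions

# Constructed sample: timestamps and topics follow the output above, IDs are shortened.
SAMPLE = [
    '2023-07-20 22:06:45.533485709 +0000 UTC k8s.io /tasks/exec-added {"container_id":"c1","exec_id":"e1"}',
    '2023-07-20 22:06:45.55858748 +0000 UTC k8s.io /tasks/exec-started {"container_id":"c1","exec_id":"e1","pid":1100376}',
    '2023-07-20 22:06:45.578203661 +0000 UTC k8s.io /tasks/exec-started {"container_id":"c1","exec_id":"e2","pid":1100398}',
    '2023-07-20 22:06:45.605581161 +0000 UTC k8s.io /tasks/exit {"container_id":"c1","id":"e1","pid":1100376}',
    '2023-07-20 22:06:45.689340832 +0000 UTC k8s.io /tasks/exec-started {"container_id":"c1","exec_id":"e3","pid"',
]

print(json.dumps(exec_sessions(SAMPLE), indent=2))
```

The last sample line is deliberately cut off and is skipped; an exec with duration_ns set to None has started but no exit event has been seen for it yet.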

Installing the crictl tool

You can download the latest release of the crictl tool from GitHub. Choose the build that matches your operating system. The commands below assume that the shell variable VER holds the release version you want to download.

### Linux 64-bit ###
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v${VER}/crictl-v${VER}-linux-amd64.tar.gz
tar xvf crictl-v${VER}-linux-amd64.tar.gz

### Linux 32-bit ###
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v${VER}/crictl-v${VER}-linux-386.tar.gz
tar xvf crictl-v${VER}-linux-386.tar.gz

### Linux ARM ###
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v${VER}/crictl-v${VER}-linux-arm.tar.gz
tar xvf crictl-v${VER}-linux-arm.tar.gz

Move the extracted binary into a directory on your PATH.

sudo mv crictl /usr/local/bin

Check the installed crictl version.

$ sudo crictl version
Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  v1.6.8
RuntimeApiVersion:  v1

Display information about the container runtime.

sudo crictl info
sudo crictl info|grep -i containerd

List the Pods running on the host.

$ sudo crictl pods
POD ID              CREATED             STATE               NAME                  NAMESPACE           ATTEMPT             RUNTIME
3fe60548f7980       36 hours ago        Ready               node-exporter-jfm4r   monitoring          67                  (default)
fab46d543d1aa       36 hours ago        Ready               nodelocaldns-76sgx    kube-system         1                   (default)
e403ba0615eb8       36 hours ago        Ready               speaker-7q4dm         metallb-system      1                   (default)
b59a5b4345df8       36 hours ago        Ready               calico-node-x9vwp     kube-system         12                  (default)
0025007b6267d       36 hours ago        Ready               kube-proxy-xwdjj      kube-system         1                   (default)
...

List the container images on the cluster node.

$ sudo crictl image list
IMAGE                                                    TAG                 IMAGE ID            SIZE
docker.io/ambassador/ambassador-agent                    1.0.3               0c5f3cfad4d65       33.2MB
docker.io/datawire/aes                                   1.14.4              3295ac39d11dc       175MB
docker.io/datawire/aes                                   3.5.1               9f53591be643b       187MB
docker.io/grafana/grafana                                9.3.1               179ad45e2c742       97.9MB
docker.io/hashicorp/vault-k8s                            1.1.0               d12e0fde3d588       28.7MB
docker.io/hashicorp/vault                                1.12.1              ba4d5c495a47b       85.7MB
docker.io/kong/httpbin                                   latest              97011e41c273a       250MB
docker.io/kubernetesui/dashboard                         v2.7.0              07655ddf2eebe       75.8MB
docker.io/kubernetesui/metrics-scraper                   v1.0.8              115053965e86b       19.7MB
docker.io/kubeshark/kubeshark                            37.0                1437fc61a2aa3       25.3MB
docker.io/library/nginx                                  <none>              448a08f1d2f94       57MB
docker.io/library/nginx                                  <none>              eb4a571591807       70.6MB
docker.io/library/nginx                                  <none>              6efc10a0510f1       57MB
docker.io/library/nginx                                  <none>              f9c14fe76d502       57.2MB
docker.io/library/nginx                                  1.24.0              1e96add5ea29f       57MB
docker.io/library/nginx                                  latest              021283c8eb95b       70.6MB
docker.io/library/postgres                               13                  b9c0a694b7811       137MB
docker.io/library/redis                                  5.0.1               c188f257942c5       35.2MB
docker.io/library/traefik                                v2.9.8              85dec640e68e6       38.8MB
...
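
A node's image inventory is worth reviewing for tags that do not identify content: latest can point to different content over time, and <none> rows have no tag on this node, so only the image ID identifies them. The Python code below is an added example, not from the original article or the cri-tools project. It parses the table format shown above; the function names are hypothetical and the sample is a subset of the rows in the listing.

```python
from collections import defaultdict

def parse_image_table(text):
    """Turn `crictl image list` table output into (repository, tag, image_id) rows."""
    rows = []
    for line in text.strip().splitlines():
        cols = line.split()
        # Skip the header, the "..." elision marker and any malformed line.
        if len(cols) != 4 or cols[0] == "IMAGE":
            continue
        rows.append((cols[0], cols[1], cols[2]))
    return rows

def audit_images(rows):
    """Report repositories that carry a 'latest' tag or untagged (<none>) images."""
    by_repo = defaultdict(list)
    for repo, tag, image_id in rows:
        by_repo[repo].append((tag, image_id))
    findings = {}
    for repo, entries in by_repo.items():
        untagged = [image_id for tag, image_id in entries if tag == "<none>"]
        has_latest = any(tag == "latest" for tag, _ in entries)
        if untagged or has_latest:
            findings[repo] = {"latest": has_latest, "untagged": untagged,
                              "distinct_ids": len({i for _, i in entries})}
    return findings

# Subset of the rows from the listing above.
SAMPLE = """
IMAGE                                TAG       IMAGE ID        SIZE
docker.io/grafana/grafana            9.3.1     179ad45e2c742   97.9MB
docker.io/kong/httpbin               latest    97011e41c273a   250MB
docker.io/library/nginx              <none>    448a08f1d2f94   57MB
docker.io/library/nginx              <none>    eb4a571591807   70.6MB
docker.io/library/nginx              1.24.0    1e96add5ea29f   57MB
docker.io/library/nginx              latest    021283c8eb95b   70.6MB
docker.io/library/postgres           13        b9c0a694b7811   137MB
...
"""

print(audit_images(parse_image_table(SAMPLE)))
```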

If you only need the image IDs, you can use:

sudo crictl images -q

List the active containers on the node.

$ sudo crictl ps
CONTAINER           IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID              POD
6825d2ec20200       5f5175f39b19e       36 hours ago        Running             calico-node         15                  b59a5b4345df8       calico-node-x9vwp
019b7ffe8efd1       eb5a02daef2fe       36 hours ago        Running             kube-rbac-proxy     67                  3fe60548f7980       node-exporter-jfm4r
3ddaa8beec819       0da6a335fe135       36 hours ago        Running             node-exporter       67                  3fe60548f7980       node-exporter-jfm4r
c8fae715be0e5       5bae806f8f123       36 hours ago        Running             node-cache          1                   fab46d543d1aa       nodelocaldns-76sgx
6cbe8ee0d8e80       738c5d221d601       36 hours ago        Running             speaker             1                   e403ba0615eb8       speaker-7q4dm
622e6f6b44bc2       0bb39497ab33b       36 hours ago        Running             kube-proxy          1                   0025007b6267d       kube-proxy-xwdjj

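List all containers, including exited ones.

sudo crictl ps -a

Get the logs of a container.

sudo crictl logs <ContainerID>

List resource usage statistics for a container.

sudo crictl stats <ContainerID>

Display the status of one or more containers.

sudo crictl inspect <ContainerID>

Get the logs of any container by passing its ID:

crictl logs <containerid>

List resource usage statistics for a Pod.

sudo crictl statsp <PodID>

# Example
$ sudo crictl statsp 3fe60548f7980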
POD                   POD ID              CPU %               MEM
node-exporter-jfm4r   3fe60548f7980       1.40                49.97MB

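Execute a command in a running container.

sudo crictl exec -i -t <containerid> ls

For more command options, run:

sudo crictl help

You can view the help page of a specific command with the following syntax.

sudo crictl help <command>

Example: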

$ sudo crictl help port-forward
NAME:
   crictl port-forward - Forward local port to a pod

USAGE:
   crictl port-forward POD-ID [LOCAL_PORT:]REMOTE_PORT

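This part of the article covered how to interact with the containerd runtime in Kubernetes, including installing the crictl tool, checking versions, displaying container runtime information, and listing Pods, images and containers. These commands are very useful for understanding and managing the containers in a Kubernetes cluster.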
