使用 cri-o 代替 docker runtime運行時


cri-o 實現了 kubernetes 的 Container Runtime Interface (CRI) 接口,提供容器運行時核心功能,如鏡像管理、容器管理等,相比 docker 更加簡單、健壯和可移植。

下載

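# Fetch the cri-o release tarball into the tools directory and unpack it.
# Abort if the directory is missing so wget/tar do not run somewhere else.
cd /data/tools/ || exit 1
# The artifact name embeds a commit id, but nothing here checks a digest or
# signature of what was downloaded. Compare against a value obtained from a
# trusted channel (placeholder: <EXPECTED_SHA256>) before unpacking.
wget https://storage.googleapis.com/cri-o/artifacts/cri-o.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz || exit 1
# Unpacks into ./cri-o (the later steps cd into cri-o/etc and cri-o/containers).
tar -xvf cri-o.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz || exit 1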

創建 cri-o 目錄

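# Create the /data/crio tree that crio.conf below refers to (log_dir,
# version_file, version_file_persist, listen socket directory) plus the
# marker files named in the config.
# NOTE(review): crio.conf's root/runroot point at /data/crio/lib/... and
# /data/crio/run/..., not the /data/crio/var/... paths created here — confirm
# which prefix is intended.
mkdir -p \
  /data/crio/var/lib/containers/storage \
  /data/crio/var/run/containers/storage \
  /data/crio/var/log/crio/pods \
  /data/crio/var/run/crio \
  /data/crio/var/lib/crio
touch /data/crio/var/run/crio/version
# Original had "tourch" here, which is not a command.
touch /data/crio/var/lib/crio/version
# clean_shutdown_file lives outside /data/crio; create its parent first or
# touch fails on a fresh host.
mkdir -p /var/lib/containers/crio
touch /var/lib/containers/crio/clean.shutdown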

 

cri-o 配置文件生成:

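# Generate crio.conf inside the unpacked release tree (relative to
# /data/tools after the download step). It is copied to /data/crio/etc later
# and is the file the systemd unit passes via --config.
cd cri-o/etc || exit 1
# NOTE(review): root, runroot, container_exits_dir, namespaces_dir and
# runtime_root use /data/crio/lib and /data/crio/run, while the directories
# created earlier live under /data/crio/var/lib and /data/crio/var/run —
# confirm which prefix is intended.
# Security-relevant settings worth a second look before production use:
#  - signature_policy = "" presumably falls back to the system policy file;
#    the policy.json written below is insecureAcceptAnything, i.e. no image
#    signature verification at all.
#  - default_capabilities grants NET_ADMIN and NET_RAW to every container,
#    which is broader than a minimal set; drop them unless workloads need
#    raw sockets or host network configuration.
#  - selinux = false and an empty seccomp_profile leave containment to the
#    AppArmor "crio-default" profile plus whatever seccomp default cri-o
#    applies — verify the host actually enforces AppArmor.
#  - stream_enable_tls = false is tolerable only because stream_address is
#    loopback (127.0.0.1); exec/attach streams are plaintext.
#  - pause_image is pulled from 192.168.96.160, which registries.conf below
#    lists as an insecure registry (HTTP or unverified TLS).
# The delimiter is quoted so nothing in the file is subject to shell
# expansion (the content has no $ today; this keeps future edits safe).
cat > crio.conf <<'EOF'
[crio]
root = "/data/crio/lib/containers/storage"
runroot = "/data/crio/run/containers/storage"
log_dir = "/data/crio/var/log/crio/pods"
version_file = "/data/crio/var/run/crio/version"
version_file_persist = "/data/crio/var/lib/crio/version"

  clean_shutdown_file = "/var/lib/containers/crio/clean.shutdown"

[crio.api]
listen = "/data/crio/var/run/crio/crio.sock"
stream_address = "127.0.0.1"
stream_port = "0"
stream_enable_tls = false
stream_tls_cert = ""
stream_tls_key = ""
stream_tls_ca = ""
grpc_max_send_msg_size = 16777216
grpc_max_recv_msg_size = 16777216
[crio.runtime]
default_ulimits = [
  "nofile=65535:65535",
  "nproc=65535:65535",
  "core=-1:-1"
]
default_runtime = "crun"
no_pivot = false
decryption_keys_path = "/data/crio/keys/"
conmon = "/data/crio/bin/conmon"
conmon_cgroup = "system.slice"
conmon_env = [
        "PATH=/data/crio/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
default_env = [
]
selinux = false
seccomp_profile = ""
apparmor_profile = "crio-default"
cgroup_manager = "systemd"
default_capabilities = [
    "CHOWN",
    "MKNOD",
    "DAC_OVERRIDE",
    "NET_ADMIN",
    "NET_RAW",
    "SYS_CHROOT",
    "FSETID",
    "FOWNER",
    "SETGID",
    "SETUID",
    "SETPCAP",
    "NET_BIND_SERVICE",
    "KILL",
]
default_sysctls = [
]
additional_devices = [
]
hooks_dir = [
        "/data/crio/containers/oci/hooks.d",
]
default_mounts = [
]
pids_limit = 102400
log_size_max = -1
log_to_journald = false
container_exits_dir = "/data/crio/run/crio/exits"
container_attach_socket_dir = "/data/crio/var/run/crio"
bind_mount_prefix = ""
read_only = false
log_level = "info"
log_filter = ""
uid_mappings = ""
gid_mappings = ""
ctr_stop_timeout = 30
manage_ns_lifecycle = true
namespaces_dir = "/data/crio/run"
pinns_path = "/data/crio/bin/pinns"
[crio.runtime.runtimes.crun]
runtime_path = "/data/crio/bin/crun"
runtime_type = "oci"
runtime_root = "/data/crio/run/crun"
allowed_annotations = [
    "io.containers.trace-syscall",
]
[crio.image]
default_transport = "docker://"
global_auth_file = ""
pause_image = "192.168.96.160/source/pause:3.5"
pause_image_auth_file = ""
pause_command = "/pause"
signature_policy = ""
image_volumes = "mkdir"
[crio.network]
network_dir = "/etc/cni/net.d"
plugin_dirs = [
        "/opt/cni/bin",
]
[crio.metrics]
enable_metrics = false
metrics_port = 9090
EOF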
  • root:容器鏡像存放目錄;
  • runroot:容器運行目錄;
  • log_dir:容器日志默認存放目錄 kubelet 指定目錄就存放kubelet所指定目錄;
  • default_runtime:指定默認運行時;
  • conmon:conmon 二進制文件的路徑,用於監控 OCI 運行時;
  • conmon_env:conmon 運行時的環境變量;
  • hooks_dir:OCI hooks 目錄;
  • container_exits_dir:conmon 將容器出口文件寫入其中的目錄的路徑;
  • namespaces_dir:管理命名空間狀態被跟蹤的目錄。僅在 manage_ns_lifecycle 為 true 時使用;
  • pinns_path:pinns_path 是查找 pinns 二進制文件的路徑,這是管理命名空間生命周期所必需的 ;
  • runtime_path:運行時可執行文件的絕對路徑 ;
  • runtime_root:存放容器的根目錄;
  • pause_image:pause鏡像路徑;
  • network_dir: cni 配置文件路徑;
  • global_auth_file：私有倉庫認證，默認配置文件為 /root/.docker/config（官網文檔給出的路徑是錯的）。在 harbor 機器上把 config.json 拷貝過來
  • plugin_dirs:cni 二進制文件存放路徑;
  • default_runtime：使用 crun
  • 運行路徑:/data/crio 請根據自己環境修改
  •  官網文檔

cri-o 啟動其它所需配置文件生成

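# Write the image signature policy; the containers/ directory is copied to
# /etc/containers later on.
cd /data/tools/cri-o || exit 1
mkdir -p containers
cd containers || exit 1
# NOTE(review): "insecureAcceptAnything" for the default entry and for the
# docker-daemon transport disables signature verification for every image;
# trust then rests entirely on the registry and transport the image came
# from. Use "signedBy" entries for registries that publish signatures.
cat > policy.json <<'EOF'
{
   "default": [
       {
           "type": "insecureAcceptAnything"
       }
   ],
   "transports":
       {
           "docker-daemon":
               {
                   "": [{"type":"insecureAcceptAnything"}]
               }
       }
}
EOF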
 

 

# Registry lookup and trust configuration for the container image library.
# The search list is consulted for unqualified image names; the insecure
# list is where 192.168.96.160 (the private Harbor instance used on this
# page) is allowed over HTTP or without a verified certificate, so pulls
# from it are not integrity-protected in transit.
cat <<'EOF' > registries.conf
# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.
 
# The default location for this configuration file is /etc/containers/registries.conf.
 
# The only valid categories are: 'registries.search', 'registries.insecure',
# and 'registries.block'.
 
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']
 
# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[registries.insecure]
registries = ['192.168.96.160']
 
# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
# Docker only
[registries.block]
registries = []
EOF

 

創建 cri-o systemd unit 文件

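# Install the systemd unit. ExecStart points at the binary and config under
# /data/crio, so the copy step below must run before the service is started.
cd /usr/lib/systemd/system/ || exit 1
# The leading "-" on ExecStartPre tells systemd to ignore a modprobe failure.
# Documentation URL fixed: the original repeated "github.com/" twice.
cat > crio.service <<'EOF'
[Unit]
Description=OCI-based implementation of Kubernetes Container Runtime Interface
Documentation=https://github.com/cri-o/cri-o
 
[Service]
Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/data/crio/bin/crio --config /data/crio/etc/crio.conf --log-level info
Restart=on-failure
RestartSec=5
LimitNOFILE=655350
LimitNPROC=655350
LimitCORE=infinity
LimitMEMLOCK=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF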

 

拷貝crio目錄到 /data/目錄

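# Copy the unpacked release (etc/ with the generated crio.conf, containers/,
# and the binaries the config expects under bin/) into the runtime prefix;
# the unit's --config /data/crio/etc/crio.conf resolves only after this.
# The shell prompt from the original transcript is dropped so the line runs
# when pasted; options go before the operands.
cp -a -- /data/tools/cri-o/* /data/crio/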

 

拷貝crio/containers 目錄到 /etc/目錄

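# Place policy.json and registries.conf at /etc/containers/, the location
# the registries.conf header names as the default. -a already implies -r.
# Prompt from the original transcript dropped so the line is runnable.
cp -a -- /data/crio/containers /etc/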

 

啟動

# Reload unit files so systemd picks up the new crio.service, enable it at
# boot, start it, and then restart it, as the original sequence did.
systemctl daemon-reload
systemctl enable crio
systemctl start crio
systemctl restart crio

 

創建 crictl 配置文件

crictl 是兼容 CRI 容器運行時的命令行工具,提供類似於 docker 命令的功能。具體參考 官方文檔

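# Point crictl at the cri-o socket configured under [crio.api] listen.
# /etc/crictl.yaml is consulted by crictl when no endpoint flags are given.
cd /etc || exit 1
# sudo tee is kept from the original; note the rest of this page runs as root
# directly. Delimiter quoted to rule out accidental shell expansion.
cat <<'EOF' | sudo tee crictl.yaml
runtime-endpoint: "unix:///data/crio/var/run/crio/crio.sock"
image-endpoint: "unix:///data/crio/var/run/crio/crio.sock"
timeout: 10
debug: false
pull-image-on-create: true
disable-pull-on-run: false
EOF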

 

 

# Smoke test: list every container cri-o knows about (including stopped
# ones), then pull a public image through the configured registries.
crictl ps -a
crictl pull docker.io/library/busybox:1.24

從私有鏡像倉庫下載
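# Pull from the private registry with explicit credentials. The original
# placed the password literally on the command line, where it is recorded in
# shell history; read it from the environment instead. It still appears in
# crictl's argv (visible via ps) for the duration of the pull, so prefer the
# auth-file approach further down where possible.
if [[ -n "${REGISTRY_PASSWORD:-}" ]]; then
  crictl pull --creds "fengjian:${REGISTRY_PASSWORD}" 192.168.96.160/process/busybox:20220418
else
  printf 'REGISTRY_PASSWORD is not set; skipping authenticated pull\n' >&2
fi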

對 fengjian:密碼（不含 shell 引號與前後空格）進行 base64 編碼（base64 只是編碼，不是加密）；可在本機用 `printf '%s' 'fengjian:密碼' | base64` 生成
https://www.qqxiuzi.cn/bianma/base64.htm

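# Same pull using a pre-encoded "user:password" string. The value on the
# original page, IGZlbmdqaWFuOidGZW5namlhbjY2NjYnIA==, decodes to
# " fengjian:'<password>' " — it was produced from the shell-quoted form, so
# it carries the quote characters and surrounding spaces and does not match
# the real credentials. Encode the bare user:password locally instead;
# base64 is an encoding, not encryption, so the result is still a secret.

# Print the base64 encoding of $1 without trailing newline or line wrapping.
registry_auth() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

if [[ -n "${REGISTRY_PASSWORD:-}" ]]; then
  crictl pull --auth "$(registry_auth "fengjian:${REGISTRY_PASSWORD}")" 192.168.96.160/process/busybox:20220418
else
  printf 'REGISTRY_PASSWORD is not set; skipping authenticated pull\n' >&2
fi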

 

免密鑰pull 鏡像

harbor 鏡像倉庫登錄
# Log in to the Harbor registry on the host where docker is installed.
# NOTE(review): the login is stored in ~/.docker/config.json in a
# reversible (base64) form unless a credential helper is configured — treat
# that file as a secret.
docker login 192.168.96.160

拷貝 harbor 機器上的 /root/.docker/config.json 到 cri-o 服務器
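# Ship the auth file written by docker login to the cri-o node. The page's
# own note says the default auth file is read from /root/.docker, but the
# original copied it to /root/ (landing as /root/config.json); place it
# under /root/.docker so it is found without extra configuration. The file
# holds the login in reversible form: keep the directory 0700 and the file
# root-owned on both hosts.
ssh root@192.168.96.151 'mkdir -p -m 700 /root/.docker' || exit 1
scp /root/.docker/config.json root@192.168.96.151:/root/.docker/config.json || exit 1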

再次拉取鏡像
# Pull again without --creds/--auth; authentication now comes from the
# config.json copied to the cri-o node in the previous step.
crictl pull 192.168.96.160/process/busybox:20220418

 

 

 

 

 

 

