
4. Using nerdctl with the Containerd container runtime to replace a Docker container environment

WeiyiGeek 2022-04-26


Contents of this chapter:

  • 0x01 Using nerdctl with Containerd to replace Docker

    • 1. Faster image pulls with lazy pulling (eStargz)

    • 2. Configuring a fast rootless mode

    • Introducing nerdctl

    • Installing nerdctl

    • Using nerdctl

    • nerdctl commands

    • Interesting experimental features

    • Practice: quickly deploying a Redis database service container with containerd & nerdctl

    • Pitfalls and fixes


Original article: https://blog.weiyigeek.top/2021/6-30-581.html

0x01 Using nerdctl with Containerd to replace Docker

Description: Containerd is an industry-standard container runtime that emphasizes simplicity, robustness and portability. Containerd can manage the complete container lifecycle on the host: image transfer and storage, container execution and supervision, storage, networking and more.

Anyone who has learned Docker knows that docker-cli and docker-compose let us work with images and containers quickly. Since Containerd 1.5, when Kubernetes' CRI uses Containerd in place of dockershim, we can use the nerdctl tool (in place of the docker CLI) together with Containerd and essentially replace Docker and Docker Compose.


Introducing nerdctl

What is nerdctl? nerdctl is a Docker-compatible CLI for Containerd that supports Compose, rootless mode, eStargz, OCIcrypt and IPFS. Its command-line syntax mirrors docker's, so it is very easy to pick up 😊.

The official nerdctl release ships two package flavours:

  • Minimal: only the nerdctl binary plus the helper installation scripts for rootless mode
  • Full: as the name says, a full bundle that also includes Containerd, CNI, runc, BuildKit and the other components

Project: GitHub - containerd/nerdctl: Docker-compatible CLI for containerd, with support for Compose ( https://github.com/containerd/nerdctl )


Installing nerdctl

Latest nerdctl releases: https://github.com/containerd/nerdctl/releases

Step 1. Download the Full package for your system from the GitHub Releases page; the latest version at the time of writing (2022-04-25 11:22:59) is v0.19.0.

# Resumable download, run in the background
# Full package
wget -c -b https://github.com/containerd/nerdctl/releases/download/v0.19.0/nerdctl-full-0.19.0-linux-amd64.tar.gz
# nerdctl binary only
wget -c -b https://github.com/containerd/nerdctl/releases/download/v0.19.0/nerdctl-0.19.0-linux-amd64.tar.gz


Step 2. After the download finishes, extract the archive and run the corresponding installation.

# 1. Install the package containing only the nerdctl binary (Minimal - not recommended)
tar Cxzvvf /usr/local/bin nerdctl-0.19.0-linux-amd64.tar.gz
  # -rwxr-xr-x root/root  27578368 2022-04-22 12:03 nerdctl
  # -rwxr-xr-x root/root     21562 2022-04-22 12:02 containerd-rootless-setuptool.sh
  # -rwxr-xr-x root/root      7032 2022-04-22 12:02 containerd-rootless.sh
cd /usr/local/bin && ./containerd-rootless-setuptool.sh install   # note: must NOT be run as root

# 2. Install the nerdctl full package (Full - recommended)
tar Cxzvvf /usr/local nerdctl-full-0.19.0-linux-amd64.tar.gz
  # drwxr-xr-x 0/0               0 2022-04-22 12:16 bin/
  # -rwxr-xr-x 0/0        25371420 2015-10-21 08:00 bin/buildctl
  # -rwxr-xr-x 0/0        39651613 2015-10-21 08:00 bin/buildkitd
  # drwxr-xr-x 0/0               0 2022-04-22 12:16 share/doc/nerdctl-full/
  # -rw-r--r-- 0/0            1135 2022-04-22 12:16 share/doc/nerdctl-full/README.md
  # -rw-r--r-- 0/0            5425 2022-04-22 12:16 share/doc/nerdctl-full/SHA256SUMS

# 3. Initial setup (full package shown); output like the following means the installation succeeded.
/usr/local/bin$ ./containerd-rootless-setuptool.sh install
  # + systemctl --user enable containerd.service
  # Created symlink /home/weiyigeek/.config/systemd/user/default.target.wants/containerd.service → /home/weiyigeek/.config/systemd/user/containerd.service.
  # [INFO] Installed "containerd.service" successfully.
  # [INFO] To control "containerd.service", run: `systemctl --user (start|stop|restart) containerd.service`
  # [INFO] To run "containerd.service" on system startup automatically, run: `sudo loginctl enable-linger weiyigeek`
  # [INFO] ------------------------------------------------------------------------------------------
  # [INFO] Use `nerdctl` to connect to the rootless containerd.
  # [INFO] You do NOT need to specify $CONTAINERD_ADDRESS explicitly.
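Before extracting in Step 2 it is worth checking the downloaded archive against the SHA256SUMS list published with the release (the same list also ships inside the full package under share/doc/nerdctl-full/SHA256SUMS, as the listing above shows, but only the copy downloaded next to the archive can be checked before extraction). The following POSIX shell helper is an added example, not part of the original post or of the nerdctl project. It assumes a SHA256SUMS file in sha256sum output format sitting next to the archive; the function names, the /usr/local default prefix (from Step 2) and the sample data in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify a nerdctl release archive
# against the release's SHA256SUMS before extracting it.

# verify_release_archive SUMS_FILE ARCHIVE
#   Looks ARCHIVE up by basename in SUMS_FILE (sha256sum format, with or
#   without the "*" binary-mode marker) and compares the digests.
#   Returns 0 on match, 1 on mismatch, 2 if the archive is not listed.
verify_release_archive() {
  sums="$1"
  archive="$2"
  name=$(basename "$archive")
  expected=$(awk -v n="$name" '($2 == n || $2 == ("*" n)) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# install_full_package SUMS_FILE ARCHIVE [PREFIX]
#   Verifies the archive and only then extracts it under PREFIX
#   (default /usr/local, as in Step 2). Refuses to extract on any mismatch,
#   so a truncated or swapped download never lands in /usr/local/bin.
install_full_package() {
  sums="$1"
  archive="$2"
  prefix="${3:-/usr/local}"
  verify_release_archive "$sums" "$archive" || return $?
  tar Cxzvf "$prefix" "$archive"
}

# Typical use, after the wget commands in Step 1 (SHA256SUMS is the
# checksum asset on the same release page):
#   wget -c https://github.com/containerd/nerdctl/releases/download/v0.19.0/SHA256SUMS
#   install_full_package SHA256SUMS nerdctl-full-0.19.0-linux-amd64.tar.gz
```

The lookup is done by basename so the archive can live anywhere, and a missing entry is distinguished from a mismatch (exit 2 versus 1) so a script can tell "wrong SHA256SUMS file" apart from "corrupted download".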

Step 3. Start the containerd and buildkitd services.

# Start containerd and check the service status
systemctl enable --now containerd && systemctl restart containerd && systemctl status containerd

# Enable BuildKit: to build from a Dockerfile you need to enable BuildKit with the following command.
/usr/local/bin$ CONTAINERD_NAMESPACE=default containerd-rootless-setuptool.sh install-buildkit-containerd
  # [INFO] Creating "/home/weiyigeek/.config/systemd/user/default-buildkit.service"
  # [INFO] Starting systemd unit "default-buildkit.service"
  # + systemctl --user start default-buildkit.service
  # + sleep 3
  # + systemctl --user --no-pager --full status default-buildkit.service
  # ● default-buildkit.service - BuildKit (Rootless)
  #     Loaded: loaded (/home/weiyigeek/.config/systemd/user/default-buildkit.service; disabled; vendor preset: enabled)
  #     Active: active (running) since Mon 2022-04-25 13:05:25 CST; 3s ago
  #   Main PID: 329750 (buildkitd)
  #     CGroup: user.slice/user-1000.slice/user@1000.service/default-buildkit.service
  #             └─329750 buildkitd --addr=unix:///run/user/1000/buildkit-default/buildkitd.sock --root=/home/weiyigeek/.local/share/buildkit-default --containerd-worker-namespace=default
  # Apr 25 13:05:25 node-2 systemd[327840]: Started BuildKit (Rootless).
  # Apr 25 13:05:26 node-2 containerd-rootless-setuptool.sh[329750]: time="2022-04-25T13:05:26+08:00" level=info msg="found worker \"ffl4pd8j6x7fh6t9o85a70l11\", labels=map[org.mobyproject.buildkit.worker.containerd.namespace:default org.mobyproject.buildkit.worker.containerd.uuid:4f029882-9edc-4c20-ab49-0363abe0d40e org.mobyproject.buildkit.worker.executor:containerd org.mobyproject.buildkit.worker.hostname:node-2 org.mobyproject.buildkit.worker.network:host org.mobyproject.buildkit.worker.snapshotter:overlayfs], platforms=[linux/amd64 linux/amd64/v2 linux/amd64/v3 linux/386]"
  # Apr 25 13:05:26 node-2 containerd-rootless-setuptool.sh[329750]: time="2022-04-25T13:05:26+08:00" level=info msg="found 1 workers, default=\"ffl4pd8j6x7fh6t9o85a70l11\""
  # Apr 25 13:05:26 node-2 containerd-rootless-setuptool.sh[329750]: time="2022-04-25T13:05:26+08:00" level=warning msg="currently, only the default worker can be used."
  # Apr 25 13:05:26 node-2 containerd-rootless-setuptool.sh[329750]: time="2022-04-25T13:05:26+08:00" level=info msg="running server on /run/user/1000/buildkit-default/buildkitd.sock"
  # + systemctl --user enable default-buildkit.service
  # Created symlink /home/weiyigeek/.config/systemd/user/default.target.wants/default-buildkit.service → /home/weiyigeek/.config/systemd/user/default-buildkit.service.
  # [INFO] Installed "default-buildkit.service" successfully.
  # [INFO] To control "default-buildkit.service", run: `systemctl --user (start|stop|restart) default-buildkit.service`


Step 4. Check that nerdctl runs and print its version; the installation is complete.

~$ nerdctl --version
nerdctl version 0.19.0


Using nerdctl

Description: when running nerdctl as a given user, you can create a file at /home/weiyigeek/.config/nerdctl/nerdctl.toml in that user's home directory; it holds nerdctl's configuration options.

Quick walkthrough

  • Step 1. Pull and list an image

$ nerdctl pull hello-world:latest
  # docker.io/library/hello-world:latest:                                             resolved       |++++++++++++++++++++++++++++++++++++++|
  # index-sha256:10d7d58d5ebd2a652f4d93fdd86da8f265f5318c6a73cc5b6a9798ff6d2b2e67:    done           |++++++++++++++++++++++++++++++++++++++|
  # manifest-sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4: done           |++++++++++++++++++++++++++++++++++++++|
  # config-sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412:   done           |++++++++++++++++++++++++++++++++++++++|
  # layer-sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54:    done           |++++++++++++++++++++++++++++++++++++++|
  # elapsed: 34.3s                                                                    total:  6.9 Ki (205.0 B/s)

$ nerdctl image ls
  # REPOSITORY     TAG       IMAGE ID        CREATED           PLATFORM       SIZE        BLOB SIZE
  # hello-world    latest    10d7d58d5ebd    31 seconds ago    linux/amd64    20.0 KiB    6.9 KiB

  • Step 2. Run the pulled hello-world image

# Create and run in the background a container named hello-containerd
# (--privileged is not needed for hello-world; drop it unless the workload really requires host-level privileges)
$ nerdctl run -d --privileged --name hello-containerd hello-world:latest
  # 17cc212e69b2387b0aa1e4c4e679e41072eeeb14f909fff2acdb24d3c1033c0d

# Show the hello-containerd container's logs
$ nerdctl logs hello-containerd
  # Hello from Docker!
  # This message shows that your installation appears to be working correctly.
  # .......
  # Share images, automate workflows, and more with a free Docker ID: https://hub.docker.com/
  # For more examples and ideas, visit:https://docs.docker.com/get-started/

  • Step 3. Inspect the created container and remove it.

# List containers
$ nerdctl ps -a
  # CONTAINER ID    IMAGE                                   COMMAND     CREATED          STATUS                      PORTS    NAMES
  # 17cc212e69b2    docker.io/library/hello-world:latest    "/hello"    2 minutes ago    Exited (0) 2 minutes ago             hello-containerd

# Container details
$ nerdctl inspect 17cc212e69b2
[
  {
    "Id": "17cc212e69b2387b0aa1e4c4e679e41072eeeb14f909fff2acdb24d3c1033c0d",
    "Created": "2022-04-25T05:13:16.690822727Z",
    "Path": "/hello",
    "Args": null,
    "State": { "Status": "exited", "Running": false, "Paused": false,"Pid": 330226, "ExitCode": 0,"FinishedAt": "2022-04-25T05:13:17.251972898Z"},
    "Image": "docker.io/library/hello-world:latest",
    "ResolvConfPath": "/home/weiyigeek/.local/share/nerdctl/1935db59/containers/default/17cc212e69b2387b0aa1e4c4e679e41072eeeb14f909fff2acdb24d3c1033c0d/resolv.conf",
    "HostnamePath": "/home/weiyigeek/.local/share/nerdctl/1935db59/containers/default/17cc212e69b2387b0aa1e4c4e679e41072eeeb14f909fff2acdb24d3c1033c0d/hostname",
    "LogPath": "/home/weiyigeek/.local/share/nerdctl/1935db59/containers/default/17cc212e69b2387b0aa1e4c4e679e41072eeeb14f909fff2acdb24d3c1033c0d/17cc212e69b2387b0aa1e4c4e679e41072eeeb14f909fff2acdb24d3c1033c0d-json.log",
    "Name": "hello-containerd",
    "Driver": "overlayfs",
    "Platform": "linux",
    "AppArmorProfile": "",
    "Mounts": null,
    "NetworkSettings": null
  }
]

# Remove the hello-containerd container
$ nerdctl rm hello-containerd
hello-containerd

  • Step 4. Remove the hello-world image

$ nerdctl rmi hello-world
Untagged: docker.io/library/hello-world:latest@sha256:10d7d58d5ebd2a652f4d93fdd86da8f265f5318c6a73cc5b6a9798ff6d2b2e67
Deleted: sha256:e07ee1baac5fae6a26f30cabfe54a36d3402f96afda318fe0a96cec4ca393359

  • Step 5. We can also pull the nginx:alpine image, create and run an nginx container in the background, and get a shell inside it.

$ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine
  # docker.io/library/nginx:alpine:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
  # index-sha256:5a0df7fb7c8c03e4158ae9974bfbd6a15da2bdfdeded4fb694367ec812325d31:    done           |++++++++++++++++++++++++++++++++++++++|
  # manifest-sha256:efc09388b15fb423c402f0b8b28ca70c7fd20fe31f8d7531ae1896bbb4944999: done           |++++++++++++++++++++++++++++++++++++++|
  # config-sha256:51696c87e77e4ff7a53af9be837f35d4eacdb47b4ca83ba5fd5e4b5101d98502:   done           |++++++++++++++++++++++++++++++++++++++|
  # layer-sha256:4071be97c256d6f5ab0e05ebdebcfec3d0779a5e199ad0d71a5fccba4b3e2ce4:    done           |++++++++++++++++++++++++++++++++++++++|
  # layer-sha256:df9b9388f04ad6279a7410b85cedfdcb2208c0a003da7ab5613af71079148139:    done           |++++++++++++++++++++++++++++++++++++++|
  # layer-sha256:5867cba5fcbd3ae827c5801e76d20e7dc91cbb626ac5c871ec6c4d04eb818b16:    done           |++++++++++++++++++++++++++++++++++++++|
  # layer-sha256:4b639e65cb3ba47e77db93f93c6625a62ba1b9eec99160b254db380115ae009d:    done           |++++++++++++++++++++++++++++++++++++++|
  # layer-sha256:061ed9e2b9762825b9869a899a696ce8b56e7e0ec1e1892b980969bf7bcda56a:    done           |++++++++++++++++++++++++++++++++++++++|
  # layer-sha256:bc19f3e8eeb1bb75268787f8689edec9a42deda5cdecdf2f95b3c6df8eb57a48:    done           |++++++++++++++++++++++++++++++++++++++|
  # elapsed: 33.7s                                                                    total:  9.7 Mi (294.8 KiB/s)
  # 98eb2f1d4639b173dc21c30e40be5f3e2c410e4ca325b6bd6bafcaab46ab6c11

# Show the nginx container we created
$ sudo nerdctl ps
  # CONTAINER ID    IMAGE                             COMMAND                   CREATED              STATUS    PORTS                 NAMES
  # 98eb2f1d4639    docker.io/library/nginx:alpine    "/docker-entrypoint.…"    About an hour ago    Up        0.0.0.0:80->80/tcp    nginx

# Enter the nginx container
$ nerdctl exec -it nginx -- sh
/ # whoami
root
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether ee:e6:a6:9a:07:48 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.2/24 brd 10.4.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ece6:a6ff:fe9a:748/64 scope link
       valid_lft forever preferred_lft forever
/usr/share/nginx/html # hostname > index.html
/usr/share/nginx/html # ip addr >> index.html

# Access the nginx container, or open the host 10.10.107.227 in a browser
$ curl -I localhost

  • Step 6. Inspect the nginx container's details, then stop and remove it.

$ nerdctl inspect --format "{{ .Name }} {{ .Id }}" nginx
  # nginx 98eb2f1d4639b173dc21c30e40be5f3e2c410e4ca325b6bd6bafcaab46ab6c11
$ nerdctl stop nginx
  # nginx
$ nerdctl ps -a
  # CONTAINER ID    IMAGE                             COMMAND                   CREATED        STATUS                      PORTS                 NAMES
  # 98eb2f1d4639    docker.io/library/nginx:alpine    "/docker-entrypoint.…"    2 hours ago    Exited (0) 4 seconds ago    0.0.0.0:80->80/tcp    nginx
$ nerdctl rm nginx
nginx

Tip: as the reader may have noticed, the subcommands and their usage are essentially the same as the docker client's, which is why the learning curve mentioned earlier is low; anyone familiar with docker can get started quickly.


nerdctl commands

Description: nerdctl is the command-line interface tool for containerd.

Command reference:

# Usage:
  nerdctl [flags]
  nerdctl [command]

# Management commands:
  apparmor    Manage AppArmor profiles
  builder     Manage builds
  container   Manage containers
  image       Manage images
  ipfs        Distributing images on IPFS
  namespace   Manage containerd namespaces
  network     Manage networks
  system      Manage containerd
  volume      Manage volumes

Commands:
  build       Build an image from a Dockerfile. Needs buildkitd to be running.
  commit      Create a new image from a container changes
  completion  Generate the autocompletion script for the specified shell
  compose     Compose
  cp          Copy files/folders between a running container and the local filesystem.
  create      Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  events      Get real time events from the server
  exec        Run a command in a running container
  help        Help about any command
  history     Show the history of an image
  images      List images
  info        Display system-wide information
  inspect     Return low-level information on objects.
  kill        Kill one or more running containers
  load        Load an image from a tar archive or STDIN
  login       Log in to a Docker registry
  logout      Log out from a Docker registry
  logs        Fetch the logs of a container. Currently, only containers created with `nerdctl run -d` are supported.
  pause       Pause all processes within one or more containers
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  push        Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS.
  restart     Restart one or more running containers
  rm          Remove one or more containers
  rmi         Remove one or more images
  run         Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  save        Save one or more images to a tar archive (streamed to STDOUT by default)
  start       Start one or more running containers
  stats       Display a live stream of container(s) resource usage statistics.
  stop        Stop one or more running containers
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
  top         Display the running processes of a container
  unpause     Unpause all processes within one or more containers
  update      Update one or more running containers
  version     Show the nerdctl version information
  wait        Block until one or more containers stop, then print their exit codes.

# Flags:
  -H, --H string                 Alias of --address (default "/run/containerd/containerd.sock")
  -a, --a string                 Alias of --address (default "/run/containerd/containerd.sock")
      --address string           containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock")
      --cgroup-manager string    Cgroup manager to use ("cgroupfs"|"systemd") (default "none")
      --cni-netconfpath string   cni config directory [$NETCONFPATH] (default "/home/weiyigeek/.config/cni/net.d")
      --cni-path string          cni plugins binary directory [$CNI_PATH] (default "/usr/local/libexec/cni")
      --data-root string         Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/home/weiyigeek/.local/share/nerdctl")
      --debug                    debug mode
      --debug-full               debug mode (with full output)
  -h, --help                     help for nerdctl
      --host string              Alias of --address (default "/run/containerd/containerd.sock")
      --hosts-dir strings        A directory that contains <HOST:PORT>/hosts.toml (containerd style) or <HOST:PORT>/{ca.cert, cert.pem, key.pem} (docker style) (default [/home/weiyigeek/.config/containerd/certs.d,/home/weiyigeek/.config/docker/certs.d])
      --insecure-registry        skips verifying HTTPS certs, and allows falling back to plain HTTP
  -n, --n string                 Alias of --namespace (default "default")   # namespaces are supported
      --namespace string         containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default")
      --snapshotter string       containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs")
      --storage-driver string    Alias of --snapshotter (default "overlayfs")
  -v, --version                  version for nerdctl


nerdctl usage examples

  • Registry authentication

$ nerdctl login -u weiyigeek index.docker.io
  # Enter Password:
  # WARNING: Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See
  # https://docs.docker.com/engine/reference/commandline/login/#credentials-store
  # Login Succeeded
$ nerdctl logout
  # Removing login credentials for https://index.docker.io/v1/

  • Image operations

# Pull
nerdctl pull docker.io/library/nginx:alpine
nerdctl -n k8s.io pull docker.io/library/nginx:alpine
# List and inspect
nerdctl -n default image ls
nerdctl -n default inspect nginx:alpine
# Remove
nerdctl -n default rmi nginx:alpine

  • Container operations

# Create and run containers
sudo nerdctl -n default run -d --name nginx -p 80:80 nginx:alpine
sudo nerdctl -n k8s.io run -d --privileged --restart=always --name rancher -p 80:80 -p 443:443 docker.io/cnrancher/rancher:v2.4.17-ent
# List and inspect containers
sudo nerdctl -n k8s.io ps -a
sudo nerdctl -n k8s.io inspect rancher
# Enter the container (an interactive shell needs -it)
sudo nerdctl -n k8s.io exec -it rancher -- sh
# Stop the container
sudo nerdctl -n k8s.io stop rancher
# Remove the container
sudo nerdctl -n k8s.io rm rancher

Interesting experimental features

Description: two of the newest features that I found especially attractive when testing in a lab environment are fast image pulling (eStargz) and the fast rootless mode.

1. Faster image pulls with lazy pulling (eStargz)

Description: over the past year, lazy pulling of eStargz images has become usable across container tooling (including Kubernetes, containerd, nerdctl, CRI-O, Podman, BuildKit, Kaniko and others). In 2021 lazy pulling is becoming an increasingly common image distribution technique, and work is under way to add eStargz to the OCI container image specification.

Containerd has supported lazy pulling since version 1.4. Stargz Snapshotter is the plugin that lets containerd handle eStargz, an image distribution format designed for lazy pulling. It lets the container runtime start a container without waiting for the whole image content; instead, the required chunks (for example individual files) are fetched on demand. This can cut container startup latency from tens of seconds to, at best, a few seconds.

Configuration reference: https://github.com/containerd/nerdctl/blob/master/docs/rootless.md#stargz-snapshotter

We continue with the following steps to enable accelerated (lazy) image pulling.


Hands-on

1. Install and enable the Stargz snapshotter.

/usr/local/bin$ containerd-rootless-setuptool.sh install-stargz
[INFO] Creating "/home/cqzk/.config/systemd/user/stargz-snapshotter.service"
[INFO] Starting systemd unit "stargz-snapshotter.service"
+ systemctl --user start stargz-snapshotter.service
+ sleep 3
+ systemctl --user --no-pager --full status stargz-snapshotter.service
...........
[INFO] Installed "stargz-snapshotter.service" successfully.
[INFO] To control "stargz-snapshotter.service", run: `systemctl --user (start|stop|restart) stargz-snapshotter.service`
[INFO] Add the following lines to "/home/cqzk/.config/containerd/config.toml" manually, and then run `systemctl --user restart containerd.service`:
### BEGIN ###
[proxy_plugins]
  [proxy_plugins."stargz"]
    type = "snapshot"
    address = "/run/user/1000/containerd-stargz-grpc/containerd-stargz-grpc.sock"
###  END  ###
[INFO] Set `export CONTAINERD_SNAPSHOTTER="stargz"` to use the stargz snapshotter.

2. Prepare a containerd configuration with the following content. For isolation we can tie it to a specific user: for example, for the user running nerdctl with UID 1000 the snapshotter socket lives under /run/user/1000.

# Check the current user's UID
$ echo $UID
1000

# Enable the plugin in the containerd config file
# (tee without -a overwrites an existing config.toml; use tee -a to append to one you already have)
tee ~/.config/containerd/config.toml <<'EOF'
# Plug stargz snapshotter into containerd
# Containerd recognizes stargz snapshotter through specified socket address.
[proxy_plugins]
  [proxy_plugins."stargz"]
    type = "snapshot"
    # NOTE: replace "1000" with your actual UID
    address = "/run/user/1000/containerd-stargz-grpc/containerd-stargz-grpc.sock"

# Use stargz snapshotter through CRI
EOF

3. Restart stargz-snapshotter and containerd so the configuration change takes effect.

systemctl --user daemon-reload
systemctl --user restart stargz-snapshotter.service && systemctl --user restart containerd.service
systemctl --user status stargz-snapshotter.service && systemctl --user status containerd.service
● stargz-snapshotter.service - stargz snapshotter (Rootless)
     Loaded: loaded (/home/cqzk/.config/systemd/user/stargz-snapshotter.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-04-25 16:48:56 CST; 7s ago
   Main PID: 360664 (containerd-star)
     CGroup: user.slice/user-1000.slice/user@1000.service/stargz-snapshotter.service
             └─360664 containerd-stargz-grpc -address /run/user/1000/containerd-stargz-grpc/containerd-stargz-grpc.sock -root /home/cqzk/.local/share/containerd-stargz-grpc -config /home/cqzk/.config/container>
Apr 25 16:48:56 node-2 systemd[358295]: Started stargz snapshotter (Rootless).

4. You can then optionally run the following command with --snapshotter=stargz to perform a fast (lazy) image pull.

export CONTAINERD_SNAPSHOTTER="stargz"
nerdctl run --snapshotter=stargz ghcr.io/stargz-containers/python:3.10-esgz python -c "print('hello')"
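Step 2 hard-codes UID 1000 and the `tee` there would silently overwrite a config.toml that already declares another proxy plugin, while the "Using nerdctl" section above mentions the per-user nerdctl.toml without showing what goes in it. The following POSIX shell helpers are an added example, not code from the original post, from stargz-snapshotter or from nerdctl: the first one appends the proxy_plugins stanza from Step 2 for the calling user's UID only if it is not already present, and reuses an existing `[proxy_plugins]` table instead of redeclaring it; the second writes a nerdctl.toml that makes stargz the default snapshotter so the `export CONTAINERD_SNAPSHOTTER` line is no longer needed per shell. The keys `snapshotter`, `namespace` and `insecure_registry` are the ones documented in nerdctl's docs/config.md for nerdctl.toml; confirm them against the version you installed. Function names and the paths in the usage comment are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the stargz/nerdctl projects):
# wire the stargz snapshotter into a rootless containerd config idempotently,
# and make nerdctl default to it through nerdctl.toml.

# enable_stargz_plugin CONFIG_TOML [UID]
#   Appends the proxy_plugins stanza from Step 2 to CONFIG_TOML, deriving the
#   socket path from UID (default: the calling user's UID) instead of the
#   hard-coded 1000. Appends rather than overwrites, does nothing if a stargz
#   proxy plugin is already declared, and only emits the [proxy_plugins]
#   header when the file does not already have one (TOML forbids redefining
#   a table, but allows adding a sub-table later).
enable_stargz_plugin() {
  config="$1"
  uid="${2:-$(id -u)}"
  sock="/run/user/$uid/containerd-stargz-grpc/containerd-stargz-grpc.sock"
  mkdir -p "$(dirname "$config")"
  touch "$config"
  if grep -q 'proxy_plugins."stargz"' "$config"; then
    echo "stargz proxy plugin already present in $config" >&2
    return 0
  fi
  if grep -q '^\[proxy_plugins\]' "$config"; then
    header=""
  else
    header="[proxy_plugins]"
  fi
  cat >> "$config" <<EOF

# Plug stargz snapshotter into containerd (added for UID $uid)
$header
  [proxy_plugins."stargz"]
    type = "snapshot"
    address = "$sock"
EOF
}

# write_nerdctl_config NERDCTL_TOML
#   Creates the per-user nerdctl.toml mentioned in "Using nerdctl", pinning
#   the snapshotter so that CONTAINERD_SNAPSHOTTER need not be exported in
#   every shell. Refuses to clobber an existing file.
write_nerdctl_config() {
  path="$1"
  if [ -e "$path" ]; then
    echo "$path already exists, not overwriting" >&2
    return 1
  fi
  mkdir -p "$(dirname "$path")"
  cat > "$path" <<'EOF'
# nerdctl.toml - per-user defaults for nerdctl (added example)
snapshotter       = "stargz"
namespace         = "default"
# never skip TLS verification or fall back to plain HTTP for registries
insecure_registry = false
EOF
}

# Usage (rootless setup, same paths as the steps above):
#   enable_stargz_plugin ~/.config/containerd/config.toml
#   write_nerdctl_config ~/.config/nerdctl/nerdctl.toml
#   systemctl --user restart containerd.service
```

Running `enable_stargz_plugin` twice leaves exactly one stargz stanza, so it can sit in a provisioning script without a separate "already configured" check.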


2. Configuring a fast rootless mode

Description: rootless mode lets you run containers without privileges, which is a security benefit, but its drawback is that communication from the container to the outside world is slower than in privileged (rootful) mode.

With bypass4netns, however, a rootless container's outbound communication becomes even faster than in rootful mode. The steps are as follows:

1. Install and enable bypass4netns

/usr/local/bin$ containerd-rootless-setuptool.sh install-bypass4netnsd

2. You can then optionally start a container with the fast rootless networking by passing --label nerdctl/bypass4netns=true, combined with a fast image pull as shown below.

$ nerdctl run --label nerdctl/bypass4netns=true ghcr.io/stargz-containers/python:3.10-esgz python -c "print('hello')"

Practice: quickly deploying a Redis database service container with containerd & nerdctl

Step 1. Prepare the Redis configuration file and its directories

mkdir -vp /app/redis/data
tee /app/redis/redis.conf <<'EOF'
# Bind to all interfaces, service port, run in the foreground.
bind 0.0.0.0
port 6379
# Inside a container this must be set to no
daemonize no
supervised auto
# Redis pid file
pidfile "/var/run/redis.pid"
# Disable protected mode and require a password for access
protected-mode no
requirepass "123456"
# echo -e "weiyigeek"|sha256sum
# requirepass 097575a79efcd7ea7b1efa2bcda78a4fc7cbd0820736b2f2708e72c3d21f8b61
# Data directory; the RDB/AOF files are stored here too
dir "/data"
# Log file (notice / verbose)
# logfile "/logs/redis.log"
# loglevel verbose
# Maximum number of client connections
maxclients 10000
# Seconds of idle time before a client connection is closed; 0 disables
timeout 60
tcp-keepalive 60

# Redis persistence (rdb/aof) configuration
# RDB file name
dbfilename "dump.rdb"
# Automatic save conditions, e.g. 10 keys changed within 300s
save 300 10
save 60 10000
# Compress the RDB file; trading (disk) space for (CPU) time is recommended.
rdbcompression yes
# RDB version 5 appends a CRC64 checksum at the end of the file, making the format more reliable.
rdbchecksum yes
# Incremental fsync while writing the RDB file; default yes
rdb-save-incremental-fsync yes
# Enable AOF
appendonly yes
# AOF file name
appendfilename "appendonly.aof"
# Options: always, everysec, no; everysec is recommended
appendfsync everysec

# Rename dangerous Redis commands
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
rename-command FLUSHDB b840fc02d524045429941cc15f59e41cb7be6c53
rename-command FLUSHALL b840fc02d524045429941cc15f59e41cb7be6c54
rename-command EVAL b840fc02d524045429941cc15f59e41cb7be6c55
rename-command DEBUG b840fc02d524045429941cc15f59e41cb7be6c56
# rename-command SHUTDOWN SHUTDOWN
EOF

Step 2. Run the following command to create the container and start the Redis service.

$ nerdctl run -d -p 6379:6379 \
  -v /app/redis/redis.conf:/etc/redis/redis.conf \
  -v /app/redis/data:/data \
  --name redis-server redis:6.2.6-alpine3.15 redis-server /etc/redis/redis.conf
5e854a58087ae1bba5a661b2941474560cbecc37f54c7f4e7a28afbaed6aebf0

Step 3. Check the created container and verify that the Redis service works.

$ nerdctl ps
CONTAINER ID    IMAGE                                       COMMAND                   CREATED           STATUS    PORTS                     NAMES
5e854a58087a    docker.io/library/redis:6.2.6-alpine3.15    "docker-entrypoint.s…"    42 seconds ago    Up        0.0.0.0:6379->6379/tcp    redis-server

$ nerdctl logs redis-server
1:C 25 Apr 2022 13:22:59.597 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:C 25 Apr 2022 13:22:59.597 # Redis version=6.2.6, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 25 Apr 2022 13:22:59.597 # Configuration loaded

# The following reply means the Redis service is healthy
$ nerdctl exec -it redis-server redis-cli -a 123456 ping
PONG

$ nerdctl exec -it redis-server redis-cli -a 123456 info
# Server
redis_version:6.2.6
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:63421500bb103677
redis_mode:standalone
os:Linux 5.4.0-96-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin

Step 4. Here we connect directly to the Redis service inside the container with the telnet tool (telnet and the plain Redis protocol send the password in clear text, so only do this on a trusted network).

$ telnet 10.10.107.227 6379
Trying 10.10.107.227...
Connected to 10.10.107.227.
Escape character is '^]'.
auth 123456          # authenticate
+OK
ping                 # check the service
+PONG
set name weiyigeek   # set a string key
+OK
get name             # get the key's value
$9
weiyigeek
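The configuration in Step 1 makes several lab-only trade-offs: bind 0.0.0.0 together with protected-mode no, a six-character requirepass, and CONFIG left un-renamed (its rename-command line is commented out), while the container publishes 6379 on every host interface. The following POSIX shell audit is an added example, not code from the original post or from Redis; it flags exactly those settings in a redis.conf so they are not carried into production unchanged. The function names and the 16-character password threshold are my own choices, and the sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# settings a container-exposed Redis should not ship with.

# conf_has BODY REGEX
#   True if some line of BODY (comments already stripped) starts with REGEX.
conf_has() {
  printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*$2"
}

# audit_redis_conf REDIS_CONF
#   Prints one FINDING line per weak setting and returns the number of
#   findings (0 means clean). Comments are stripped first so that a
#   commented-out directive such as "# rename-command CONFIG ..." does not
#   count as set. (Limitation: a literal "#" inside a quoted value is also
#   treated as a comment start.)
audit_redis_conf() {
  conf="$1"
  findings=0
  body=$(sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$conf")

  if conf_has "$body" 'protected-mode[[:space:]]+no'; then
    echo "FINDING: protected-mode no (unauthenticated access from any bound interface is allowed)"
    findings=$((findings + 1))
  fi
  # No bind line at all means Redis listens on every interface, same as 0.0.0.0
  if ! conf_has "$body" 'bind[[:space:]]+' || conf_has "$body" 'bind[[:space:]]+.*0\.0\.0\.0'; then
    echo "FINDING: listens on all interfaces (no bind directive, or bind 0.0.0.0)"
    findings=$((findings + 1))
  fi
  pass=$(printf '%s\n' "$body" | awk 'tolower($1) == "requirepass" { gsub(/"/, "", $2); print $2; exit }')
  if [ -z "$pass" ]; then
    echo "FINDING: no requirepass set"
    findings=$((findings + 1))
  elif [ "${#pass}" -lt 16 ]; then
    echo "FINDING: requirepass is only ${#pass} characters"
    findings=$((findings + 1))
  fi
  # Each of these must be renamed (or disabled with "") before exposure
  for cmd in CONFIG FLUSHDB FLUSHALL EVAL DEBUG; do
    if ! conf_has "$body" "rename-command[[:space:]]+$cmd[[:space:]]"; then
      echo "FINDING: $cmd is not renamed or disabled"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Usage: sh audit-redis.sh /app/redis/redis.conf   (exit code = number of findings)
# Run against the Step 1 file it reports 4 findings: protected-mode, bind,
# password length and the un-renamed CONFIG command.
if [ "$#" -ge 1 ]; then
  audit_redis_conf "$1"
fi
```

Because the exit code equals the number of findings, the script can gate a deployment pipeline directly (`sh audit-redis.sh redis.conf || exit 1`) with no parsing of its output.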

Pitfalls and fixes

  • Error 1. When installing nerdctl (Minimal), running the containerd-rootless-setuptool.sh install script fails with [ERROR] Refusing to install rootless containerd as the root user
    Fix: switch to an unprivileged user and run it again.

  • Error 2. When installing nerdctl (Minimal), running the containerd-rootless-setuptool.sh install script fails with containerd-rootless-setuptool.sh: 110: rootlesskit: Permission denied

/usr/local/bin$ containerd-rootless-setuptool.sh install
[INFO] Checking RootlessKit functionality
/usr/local/bin/containerd-rootless-setuptool.sh: 110: rootlesskit: Permission denied

Cause: the rootlesskit dependency tools are not installed.
Fix: install them with the following command: apt install -y rootlesskit rootlessctl

  • Error 3. When installing nerdctl (Full), running the containerd-rootless-setuptool.sh install script fails with exec: "newuidmap": executable file not found in $PATH


./containerd-rootless-setuptool.sh install
[INFO] Checking RootlessKit functionality
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 328299 [0 1000 1 1 100000 65536] failed: : exec: "newuidmap": executable file not found in $PATH

Cause: the error above appears when newuidmap is not installed, so install the uidmap package with apt.
Fix: sudo apt install uidmap

That is all for this article; stay tuned for more technical articles in the next chapter!


