content
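The content concept
content refers to the different objects that a container image corresponds to at different stages:
- the image files stored in a container image registry;
- the containerd content store: image files pulled to the containerd host, stored under /var/lib/containerd/io.containerd.content.v1.content/. The files here are read-only and are gzip-compressed files;
- snapshots: the file system a container needs in order to run, stored under /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs. The file structure here is the result of unpacking the layers and stacking them.
Image format
- An image is described by a JSON file. There are two types of description file:
- manifest: lists the hash of the configuration file used to run the container and the file layers used to build the container file system.
- index: can list the hashes of the manifests for multiple operating systems and CPUs, with the platform field stating the supported hardware and system. The index is used to obtain the digest of the manifest that suits the physical machine; the manifest is then pulled by that digest, and the image's layer and config files are pulled according to the manifest.
- Pull the nginx image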
[root@k8snode1 sha256]# ctr images pull --plain-http harbor_ip:port/library/nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
harbor_ip:port/library/nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:103501419a0aecf94398ffcc7404f22931d9b89bbb6021391c2cd4a286f37ca9: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:cf707e2339551222cafe3bf835fddfb859f26bf59058b3487de2b7659309b6b7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4b962717ba558b7dfabe88c40e20ac86844b132015b66002deac49010cc96be1: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:faef57eae888cbe4a5613eca6741b5e48d768b83f6088858aee9a5a2834f8151: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f46d7b05649a846d7e24418b6ecea3b1efbdac88d361631e849e9c41917ba776: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:021283c8eb95be02b23db0de7f609d603553c6714785e7a673c6594a624ffbda: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:76579e9ed380849b4d22696f292770963b5ea917a45ef77336a1a0a782b410b5: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:91bb7937700d7d3496cf43cb0012e5f818064fecb766bd01041db23c127ab219: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
unpacking linux/amd64 sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea...
done: 2.12433795s
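- The output above shows that three types of file make up an image: manifest, config and layer. The manifest and config files are readable text files, while a layer is a gzip-compressed file (check the file type with: file filename). The manifest mainly describes which files make up the image, and the config describes the information needed when the container starts (such as the command executed in the container, networking and storage).
- The sha256 values above are computed from the file contents.
# Check the sha256sum of the manifest file (the file is named by its digest)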
[root@k8snode1 sha256]# cat 1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea | sha256sum
1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea -
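The index → manifest → config/layer lookup described above, with the digest check repeated at every hop, as an added example that is not part of the original post. The registry is a constructed in-memory dict (digest to bytes); the helper names and the sample blobs are assumptions, and the media types are the OCI image-spec ones.

```python
import hashlib
import json

def digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()

def descriptor(data, media_type, **extra):
    """Descriptor as used in index and manifest files: mediaType, digest, size."""
    return {"mediaType": media_type, "digest": digest(data), "size": len(data), **extra}

def fetch(store, desc):
    """Return the blob a descriptor points to; reject it if size or digest differ."""
    data = store[desc["digest"]]
    if len(data) != desc["size"] or digest(data) != desc["digest"]:
        raise ValueError("blob does not match descriptor " + desc["digest"])
    return data

def resolve(store, index_desc, os_name, arch):
    """index -> manifest for os/arch -> config and layers, verified at every hop."""
    index = json.loads(fetch(store, index_desc))
    for entry in index["manifests"]:
        platform = entry.get("platform", {})
        if (platform.get("os"), platform.get("architecture")) == (os_name, arch):
            manifest = json.loads(fetch(store, entry))
            config = fetch(store, manifest["config"])
            layers = [fetch(store, layer) for layer in manifest["layers"]]
            return entry["digest"], config, layers
    raise LookupError(f"index has no manifest for {os_name}/{arch}")

def build_sample():
    """Constructed registry content (digest -> bytes) for two platforms."""
    oci = "application/vnd.oci.image."
    store, entries = {}, []
    for arch in ("amd64", "arm64"):
        layer = f"constructed layer bytes for {arch}".encode()
        config = json.dumps({"os": "linux", "architecture": arch}).encode()
        manifest = json.dumps({
            "schemaVersion": 2,
            "config": descriptor(config, oci + "config.v1+json"),
            "layers": [descriptor(layer, oci + "layer.v1.tar+gzip")],
        }).encode()
        store.update({digest(b): b for b in (layer, config, manifest)})
        entries.append(descriptor(manifest, oci + "manifest.v1+json",
                                  platform={"os": "linux", "architecture": arch}))
    index = json.dumps({"schemaVersion": 2, "manifests": entries}).encode()
    store[digest(index)] = index
    return store, descriptor(index, oci + "index.v1+json")

if __name__ == "__main__":
    store, index_desc = build_sample()
    print(resolve(store, index_desc, "linux", "amd64")[0])
```

Because every reference is a digest, pinning the top-level digest (as the pull command above does) fixes the content of everything reachable from it.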
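containerd content store
containerd has a dedicated place for image files, by default the directory /var/lib/containerd/io.containerd.content.v1.content/blobs/sha256. Each file is named after the sha256 value of its content, as shown above, which is not very readable, so use the ctr content command to view information about the files in the content store: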
[root@k8snode1 sha256]# ctr content ls
DIGEST SIZE AGE LABELS
sha256:021283c8eb95be02b23db0de7f609d603553c6714785e7a673c6594a624ffbda 8.151kB 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/gc.ref.snapshot.overlayfs=sha256:a9de33035096cdf7bbaf7f3e1291701c0620d2a0e66152228abef35a79002876
sha256:103501419a0aecf94398ffcc7404f22931d9b89bbb6021391c2cd4a286f37ca9 1.405kB 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/uncompressed=sha256:3c9d04c9ebd5324784eb9a556a7507c5284aa7353bac7a727768fed180709a69
sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea 1.778kB 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/gc.ref.content.config=sha256:021283c8eb95be02b23db0de7f609d603553c6714785e7a673c6594a624ffbda,containerd.io/gc.ref.content.l.0=sha256:faef57eae888cbe4a5613eca6741b5e48d768b83f6088858aee9a5a2834f8151,containerd.io/gc.ref.content.l.1=sha256:76579e9ed380849b4d22696f292770963b5ea917a45ef77336a1a0a782b410b5,containerd.io/gc.ref.content.l.2=sha256:cf707e2339551222cafe3bf835fddfb859f26bf59058b3487de2b7659309b6b7,containerd.io/gc.ref.content.l.3=sha256:91bb7937700d7d3496cf43cb0012e5f818064fecb766bd01041db23c127ab219,containerd.io/gc.ref.content.l.4=sha256:4b962717ba558b7dfabe88c40e20ac86844b132015b66002deac49010cc96be1,containerd.io/gc.ref.content.l.5=sha256:f46d7b05649a846d7e24418b6ecea3b1efbdac88d361631e849e9c41917ba776,containerd.io/gc.ref.content.l.6=sha256:103501419a0aecf94398ffcc7404f22931d9b89bbb6021391c2cd4a286f37ca9
sha256:4b962717ba558b7dfabe88c40e20ac86844b132015b66002deac49010cc96be1 367B 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/uncompressed=sha256:9fdfd12bc85b7a97fef2d42001735cfc5fe24a7371928643192b5494a02497c1
sha256:76579e9ed380849b4d22696f292770963b5ea917a45ef77336a1a0a782b410b5 41.46MB 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/uncompressed=sha256:b821d93f6666533e9d135afb55b05327ee35823bb29014d3c4744b01fc35ccc5
sha256:91bb7937700d7d3496cf43cb0012e5f818064fecb766bd01041db23c127ab219 959B 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/uncompressed=sha256:f36897eea34df8a4bfea6e0dfaeb693eea7654cd7030bb03767188664a8a7429
sha256:cf707e2339551222cafe3bf835fddfb859f26bf59058b3487de2b7659309b6b7 625B 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/uncompressed=sha256:1998c5cd2230129d55a6d8553cd57df27a400614a4d7d510017467150de89739
sha256:f46d7b05649a846d7e24418b6ecea3b1efbdac88d361631e849e9c41917ba776 1.211kB 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/uncompressed=sha256:434c6a715c30517afd50547922c1014d43762ebbc51151b0ecee9b0374a29f10
sha256:faef57eae888cbe4a5613eca6741b5e48d768b83f6088858aee9a5a2834f8151 29.12MB 2 minutes containerd.io/distribution.source.harbor_ip=library/nginx,containerd.io/uncompressed=sha256:24839d45ca455f36659219281e0f2304520b92347eb536ad5cc7b4dbb8163588
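- The sha256 values in the DIGEST column are the same as the sha256 values of the image's component files fetched during the pull.
- The labels above also fall into three kinds, corresponding to the three types of file that make up the image: containerd.io/gc.ref.snapshot.overlayfs corresponds to the manifest, containerd.io/gc.ref.content.config corresponds to the config, and containerd.io/uncompressed corresponds to a layer.
- uncompressed=sha256:9fdfd12bc85b7a97fef2d42001735cfc5fe24a7371928643192b5494a02497c1: this sha256 value is obtained by decompressing the layer file (file name 4b962717ba558b7dfabe88c40e20ac86844b132015b66002deac49010cc96be1) and computing its sha256sum:
cat 4b962717ba558b7dfabe88c40e20ac86844b132015b66002deac49010cc96be1 | gzip -d | sha256sum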
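The two checks above (file name equals the sha256 of the content, and the containerd.io/uncompressed label equals the sha256 of the decompressed layer) can be run over a whole blobs directory to spot files changed after the pull. This is an added example, not code from the original post or from containerd; the function names and the sample store built in a temporary directory are assumptions.

```python
import gzip, hashlib, os, tempfile, zlib

def file_sha256(path, opener=open):
    """Stream a file through sha256; opener=gzip.open hashes the decompressed bytes."""
    h = hashlib.sha256()
    with opener(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_blobs(blob_dir, uncompressed=None):
    """Return {file name: problem} for blobs that fail verification.

    uncompressed maps a layer's file name to its containerd.io/uncompressed
    label value, as printed by `ctr content ls`.
    """
    labels, problems = uncompressed or {}, {}
    for name in sorted(os.listdir(blob_dir)):
        path = os.path.join(blob_dir, name)
        if file_sha256(path) != name:
            problems[name] = "content does not match file name"
        elif name in labels:
            try:
                diff_id = "sha256:" + file_sha256(path, gzip.open)
            except (OSError, EOFError, zlib.error):
                diff_id = None  # not a valid gzip stream
            if diff_id != labels[name]:
                problems[name] = "uncompressed digest does not match label"
    return problems

def build_sample(root):
    """Constructed sample store: a manifest, a gzip layer and one modified blob."""
    def put(name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    sha = lambda b: hashlib.sha256(b).hexdigest()
    manifest, tar = b'{"schemaVersion": 2}', b"constructed stand-in for a layer tar"
    layer = gzip.compress(tar)
    put(sha(manifest), manifest)
    put(sha(layer), layer)
    tampered = sha(b"original bytes")
    put(tampered, b"bytes changed after the pull")
    return {sha(layer): "sha256:" + sha(tar)}, tampered

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        labels, _ = build_sample(d)
        print(audit_blobs(d, labels))
```

On a real host, blob_dir would be the blobs/sha256 directory named above and the label map would come from the ctr content ls output.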
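snapshot
A snapshot is the file system that containerd builds from the image files in order to run a container. It is built as follows:
- first create an empty snapshot
- then apply the image's layers to that empty snapshot one by one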
[root@k8snode1 snapshots]# ctr snapshot tree
sha256:24839d45ca455f36659219281e0f2304520b92347eb536ad5cc7b4dbb8163588
\_ sha256:4645f26713fbea51190f5de52b88fbe27b42efd61c0dba87c81fa16df9a8f649
\_ sha256:c9c467815e8fe87d99f0f500495cf7f4f9096cf6c116ef2782e84bb17a4a5e06
\_ sha256:c04094edc9df98c870e281f3b947a7782ca6d542d8715814ac06786466af3659
\_ sha256:a4c423818ed6dc12a545c349d0dc36a5695446448e07229e96c7235a126c2520
\_ sha256:d66c35807d98c6f37bd2a14c6506a42d27a40fbdb564e233f7a78aafdc636c59
\_ sha256:a9de33035096cdf7bbaf7f3e1291701c0620d2a0e66152228abef35a79002876
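- The content listing earlier shows that the first layer is containerd.io/gc.ref.content.l.0=sha256:faef57eae888cbe4a5613eca6741b5e48d768b83f6088858aee9a5a2834f8151, whose sha256sum after decompression is 24839d45ca455f36659219281e0f2304520b92347eb536ad5cc7b4dbb8163588.
- The first snapshot layer here also has the sha256sum 24839d45ca455f36659219281e0f2304520b92347eb536ad5cc7b4dbb8163588, because the first snapshot is formed by merging the empty snapshot with the decompressed containerd.io/gc.ref.content.l.0, so it is the same as the sha256sum of the decompressed containerd.io/gc.ref.content.l.0.
- The later layers are the result of applying the layers one after another and stacking them, so the sha256sum of these snapshots differs from the sha256sum computed separately for each layer in content.
- The sha256 value of the last snapshot layer (sha256:a9de33035096cdf7bbaf7f3e1291701c0620d2a0e66152228abef35a79002876) is the same as the value in the containerd.io/gc.ref.snapshot.overlayfs label.
- The gc.ref marker on content means the garbage collector must not collect that content, because it is referenced by a snapshot.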
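An added example (not from the original post) that goes one step beyond the text: the OCI image spec defines a ChainID for each stacked layer, ChainID(L0) = DiffID(L0) and ChainID(Ln) = sha256(ChainID(Ln-1) + " " + DiffID(Ln)), which is the rule containerd uses to name layer snapshots. The diff IDs and snapshot names are copied from the listings above; the function names are assumptions.

```python
import hashlib

# containerd.io/uncompressed values in manifest layer order (gc.ref.content.l.0 .. l.6),
# copied from the `ctr content ls` output above.
DIFF_IDS = ["sha256:" + h for h in (
    "24839d45ca455f36659219281e0f2304520b92347eb536ad5cc7b4dbb8163588",
    "b821d93f6666533e9d135afb55b05327ee35823bb29014d3c4744b01fc35ccc5",
    "1998c5cd2230129d55a6d8553cd57df27a400614a4d7d510017467150de89739",
    "f36897eea34df8a4bfea6e0dfaeb693eea7654cd7030bb03767188664a8a7429",
    "9fdfd12bc85b7a97fef2d42001735cfc5fe24a7371928643192b5494a02497c1",
    "434c6a715c30517afd50547922c1014d43762ebbc51151b0ecee9b0374a29f10",
    "3c9d04c9ebd5324784eb9a556a7507c5284aa7353bac7a727768fed180709a69",
)]

# Snapshot names from the `ctr snapshot tree` output above, root first.
SNAPSHOT_TREE = ["sha256:" + h for h in (
    "24839d45ca455f36659219281e0f2304520b92347eb536ad5cc7b4dbb8163588",
    "4645f26713fbea51190f5de52b88fbe27b42efd61c0dba87c81fa16df9a8f649",
    "c9c467815e8fe87d99f0f500495cf7f4f9096cf6c116ef2782e84bb17a4a5e06",
    "c04094edc9df98c870e281f3b947a7782ca6d542d8715814ac06786466af3659",
    "a4c423818ed6dc12a545c349d0dc36a5695446448e07229e96c7235a126c2520",
    "d66c35807d98c6f37bd2a14c6506a42d27a40fbdb564e233f7a78aafdc636c59",
    "a9de33035096cdf7bbaf7f3e1291701c0620d2a0e66152228abef35a79002876",
)]

def chain_ids(diff_ids):
    """Chain ID per layer: the first equals its diff ID, each later one hashes
    the previous chain ID, a space, and the layer's diff ID."""
    chain = []
    for diff_id in diff_ids:
        if chain:
            joined = f"{chain[-1]} {diff_id}".encode()
            diff_id = "sha256:" + hashlib.sha256(joined).hexdigest()
        chain.append(diff_id)
    return chain

def mismatches(diff_ids, snapshots):
    """Indexes of layers whose computed chain ID differs from the listed snapshot name."""
    computed = chain_ids(diff_ids)
    return [i for i, (c, s) in enumerate(zip(computed, snapshots)) if c != s]

if __name__ == "__main__":
    for computed, listed in zip(chain_ids(DIFF_IDS), SNAPSHOT_TREE):
        print(computed == listed, computed)
```

Since each name depends on every diff ID below it, a changed or reordered layer changes the name of every snapshot above it.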
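Container runtime file system
To start a container, all that is needed is to create one more active snapshot on top of the last snapshot layer.
containerd's internal flow:
- Pull the image via Pull() or the content.Store API and store it in the content store (/var/lib/containerd/io.containerd.content.v1.content/)
- Unpack the image via image.Unpack(), creating snapshots for each layer
- Create an active snapshot with Prepare()
- Create the container with NewContainer()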
