1. Introduction

nerdctl is a command-line tool for containerd that keeps the docker-cli conventions. It is aimed mainly at users who have just moved from Docker to containerd: containerd's own CLIs, ctr and crictl, are awkward for day-to-day work, which is why nerdctl exists.

Note that nerdctl drives containerd, not Docker, so nerdctl images and docker images show different content on the same host: nerdctl only borrows the docker-cli syntax, the objects it manages live in containerd.
nerdctl is used the same way as docker and gives the same experience. Its main features are:

  • Same UI/UX as docker
  • Docker Compose support (for example: nerdctl compose up)
  • [optional] Rootless mode, without slirp overhead (bypass4netns)
  • [optional] Lazy pulling (Stargz, Nydus, OverlayBD)
  • [optional] Encrypted images (ocicrypt)
  • [optional] P2P image distribution (IPFS) (*1)
  • [optional] Container image signing and verification (cosign)
  • [optional] containerd namespace support: nerdctl can inspect not only the containers in Docker's moby namespace but also the local Kubernetes pods in the k8s.io namespace
  • [optional] Conversion of Docker image manifest images to OCI and estargz images
    nerdctl is a non-core subproject of containerd; see the project page https://github.com/containerd/nerdctl for more.

2. Installation

nerdctl is distributed as a Minimal package and a Full package that bundles plugins. Minimal contains only nerdctl; Full contains nerdctl plus containerd, runc, the CNI plugins and other dependencies (you can also start from Minimal and add CNI and other plugins yourself, as section 4 shows). The release assets are named like this (the commands below use v1.5.0; the asset names follow the same pattern):

  • Minimal (nerdctl-2.0.3-linux-amd64.tar.gz): nerdctl only
  • Full (nerdctl-full-2.0.3-linux-amd64.tar.gz): Includes dependencies such as containerd, runc, and CNI
2.1 Installing nerdctl

Official download page: https://github.com/containerd/nerdctl/releases. Pick the Minimal or Full archive under Assets (this example uses Minimal). The release also publishes a SHA256SUMS file (and a SHA256SUMS.asc signature); check the archive against it before unpacking a binary that will run as root.

# Download
wget https://github.com/containerd/nerdctl/releases/download/v1.5.0/nerdctl-1.5.0-linux-amd64.tar.gz
# Create the install directory and extract only the nerdctl binary
mkdir -p /usr/local/containerd/bin/ && tar -zxvf nerdctl-1.5.0-linux-amd64.tar.gz nerdctl && mv nerdctl /usr/local/containerd/bin/
# Put it on PATH with a symlink
ln -s /usr/local/containerd/bin/nerdctl /usr/local/bin/nerdctl

# Verify. The warning "buildctl": executable file not found in $PATH is expected at this point; buildctl is installed in 2.2
nerdctl version
WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH 
Client:
 Version:        v1.5.0
 OS/Arch:        linux/amd64
 Git commit:        b33a58f288bc42351404a016e694190b897cd252
 buildctl:
  Version:        

Server:
 containerd:
  Version:        1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:        1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
2.2 Installing buildctl

To build images we also need buildctl and a running buildkitd, because nerdctl build delegates the build to BuildKit.
BuildKit is a build toolkit open-sourced by Docker (the moby project) that produces OCI-standard images. It has two parts:

  • the server, buildkitd: supports runc and containerd as workers; runc is the default, here we use the containerd worker so that BuildKit shares containerd's content store and snapshotter;
  • the client, buildctl: packages the build context and sends the build request to buildkitd. The Dockerfile itself is parsed by the dockerfile frontend running inside buildkitd, not by the client.
    BuildKit is a classic client/server design: client and server need not be on the same machine, and nerdctl acts as a buildkitd client when building, which is why we must install and run buildkitd ourselves. Anyone who can reach the buildkitd socket can run arbitrary build steps as the daemon's user (root here), so treat that socket like the containerd socket; if non-root users need to build, hand the socket to a dedicated group with buildkitd's --group flag rather than loosening its permissions. Once the daemon is up, buildctl debug workers lists the active workers and lets you confirm the containerd worker is the one in use.
    So, first install BuildKit:
# Download
wget https://github.com/moby/buildkit/releases/download/v0.12.2/buildkit-v0.12.2.linux-amd64.tar.gz
# Create the install directory and unpack
mkdir -p /usr/local/buildctl && tar -zxvf buildkit-v0.12.2.linux-amd64.tar.gz -C /usr/local/buildctl
# Put both binaries on PATH with symlinks
ln -s /usr/local/buildctl/bin/buildkitd /usr/local/bin/buildkitd
ln -s /usr/local/buildctl/bin/buildctl /usr/local/bin/buildctl

# Manage buildkitd with systemd: write the unit file below (> rather than >>, so re-running does not append a second copy)
cat > /etc/systemd/system/buildkit.service <<EOF
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target
EOF

# Start buildkitd
systemctl daemon-reload
systemctl enable buildkit --now
systemctl status buildkit

# Check the version again to verify the installation; buildctl is now reported
nerdctl version  
Client:
 Version:        v1.5.0
 OS/Arch:        linux/amd64
 Git commit:        b33a58f288bc42351404a016e694190b897cd252
 buildctl:
  Version:        v0.12.2
  GitCommit:        567a99433ca23402d5e9b9f9124005d2e59b8861

Server:
 containerd:
  Version:        1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:        1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
2.3 Common nerdctl commands

Run nerdctl -h to see the help:

nerdctl -h
nerdctl is a command line interface for containerd
 
Config file ($NERDCTL_TOML): /etc/nerdctl/nerdctl.toml
 
Usage: nerdctl [flags]
 
Management commands:
  apparmor   Manage AppArmor profiles
  builder    Manage builds
  container  Manage containers
  image      Manage images
  ipfs       Distributing images on IPFS
  namespace  Manage containerd namespaces
  network    Manage networks
  system     Manage containerd
  volume     Manage volumes
 
Commands:
  build       Build an image from a Dockerfile. Needs buildkitd to be running.
  commit      Create a new image from a container's changes
  completion  Generate the autocompletion script for the specified shell
  compose     Compose
  cp          Copy files/folders between a running container and the local filesystem.
  create      Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  events      Get real time events from the server
  exec        Run a command in a running container
  help        Help about any command
  history     Show the history of an image
  images      List images
  info        Display system-wide information
  inspect     Return low-level information on objects.
  internal    DO NOT EXECUTE MANUALLY
  kill        Kill one or more running containers
  load        Load an image from a tar archive or STDIN
  login       Log in to a container registry
  logout      Log out from a container registry
  logs        Fetch the logs of a container. Currently, only containers created with `nerdctl run -d` are supported.
  pause       Pause all processes within one or more containers
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  push        Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS.
  rename      rename a container
  restart     Restart one or more running containers
  rm          Remove one or more containers
  rmi         Remove one or more images
  run         Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  save        Save one or more images to a tar archive (streamed to STDOUT by default)
  start       Start one or more running containers
  stats       Display a live stream of container(s) resource usage statistics.
  stop        Stop one or more running containers
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
  top         Display the running processes of a container
  unpause     Unpause all processes within one or more containers
  update      Update one or more running containers
  version     Show the nerdctl version information
  wait        Block until one or more containers stop, then print their exit codes.
 
Flags:
  -H, --H string                 Alias of --address (default "/run/containerd/containerd.sock")
  -a, --a string                 Alias of --address (default "/run/containerd/containerd.sock")
      --address string           containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock")
      --cgroup-manager string    Cgroup manager to use ("cgroupfs"|"systemd") (default "cgroupfs")
      --cni-netconfpath string   cni config directory [$NETCONFPATH] (default "/etc/cni/net.d")
      --cni-path string          cni plugins binary directory [$CNI_PATH] (default "/opt/cni/bin")
      --data-root string         Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/var/lib/nerdctl")
      --debug                    debug mode
      --debug-full               debug mode (with full output)
      --experimental             Control experimental: https://github.com/containerd/nerdctl/blob/master/docs/experimental.md [$NERDCTL_EXPERIMENTAL] (default true)
  -h, --help                     help for nerdctl
      --host string              Alias of --address (default "/run/containerd/containerd.sock")
      --hosts-dir strings        A directory that contains <HOST:PORT>/hosts.toml (containerd style) or <HOST:PORT>/{ca.cert, cert.pem, key.pem} (docker style) (default [/etc/containerd/certs.d,/etc/docker/certs.d])
      --insecure-registry        skips verifying HTTPS certs, and allows falling back to plain HTTP
  -n, --n string                 Alias of --namespace (default "default")
      --namespace string         containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default")
      --snapshotter string       containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs")
      --storage-driver string    Alias of --snapshotter (default "overlayfs")
  -v, --version                  version for nerdctl
 
Run 'nerdctl COMMAND --help' for more information on a command.

The commonly used commands, with a note on each:

# nerdctl run: create and start a container
nerdctl run -d -p 80:80 --name=nginx --restart=always nginx

# nerdctl exec: get a shell inside a container
nerdctl exec -it nginx /bin/sh

# nerdctl ps: list containers (-a includes stopped ones)
nerdctl ps -a

# nerdctl inspect: detailed information about a container
nerdctl inspect nginx

# nerdctl logs: container logs
nerdctl logs -f nginx

# nerdctl stop: stop a container
nerdctl stop nginx

# nerdctl rm: remove a container (-f also stops a running one); rmi -f removes an image
nerdctl rm -f nginx
nerdctl rmi -f <IMAGE ID>

# nerdctl images: list images (the k8s.io namespace holds the images kubelet pulled)
nerdctl images
nerdctl -n=k8s.io images
nerdctl -n=k8s.io images | grep -v '<none>'

# nerdctl pull: pull an image
nerdctl pull nginx

# nerdctl login --username xxx --password xxx logs in to a registry, nerdctl logout logs out.
# Prefer --password-stdin over --password so the secret does not end up in shell history and ps output
nerdctl login
nerdctl logout

# nerdctl tag: add a name to an image
nerdctl tag nginx:latest harbor.k8s/image/nginx:latest

# nerdctl push: push an image
nerdctl push harbor.k8s/image/nginx:latest

# nerdctl save: export an image (the archive is a plain tar even with a .gz name)
nerdctl save -o busybox.tar.gz busybox:latest

# nerdctl load: import an image
nerdctl load -i busybox.tar.gz

# nerdctl rmi: remove an image
nerdctl rmi busybox

# nerdctl build: build an image from a Dockerfile
nerdctl build -t centos:v1.0 -f centos.dockerfile .

nerdctl can be configured further through /etc/nerdctl/nerdctl.toml, where the global flags listed above (namespace, snapshotter, insecure_registry and so on) can be set as TOML keys. Leave insecure_registry off: with it on, nerdctl skips TLS certificate checks and falls back to plain HTTP, so a pull can be tampered with on the wire. For a registry with a private CA, drop the CA certificate under one of the --hosts-dir directories in the <HOST:PORT>/ layout the help text shows instead.

3. Common commands

Grouped by usage scenario:

3.1 namespace

Kubernetes uses the k8s.io namespace, while nerdctl defaults to the default namespace, so to see Kubernetes-related images you must pass --namespace=k8s.io (or -n k8s.io):

nerdctl images --namespace=k8s.io
nerdctl -n=k8s.io images

Or make k8s.io the default in the nerdctl configuration file:

mkdir -p /etc/nerdctl/
cat > /etc/nerdctl/nerdctl.toml << EOF
namespace = "k8s.io"
EOF

Be careful with that default on a Kubernetes node: in k8s.io nerdctl acts on containers that kubelet owns, so rm, stop or rmi there will fight with kubelet. Use the namespace for inspection and leave lifecycle changes to kubectl.
3.2 Run & Exec

run
nerdctl run works like docker run; for example:

nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:alpine
883a46df6f5875a6afae26414b498f396ea5e8ca1c24tf91f97a2695c7b187ec0

The options are essentially the same as docker run's, for example -i, -t, --cpus and --memory; nerdctl run --help lists them all. As with docker, the container above runs as root with the default capability set; where the workload allows it, tighten it with --user, --cap-drop, --read-only and --security-opt.

exec
nerdctl also provides exec to run a command inside a container, for example:

nerdctl exec -it nginx /bin/sh
/ # date
Wed Aug
08:12:10 UTC 2023
/ # ls
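The run command above starts nginx as root with the default capability set. The script below is an added example, not code from the original post or the nerdctl project: it shows the page's invocation beside a hardened one, and a check that decodes the CapEff line of /proc/1/status inside the container so you can confirm what the kernel actually dropped. It assumes nerdctl with a reachable containerd; the container name you pass in is illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: the page's nginx invocation beside a
# hardened one, plus a check that reads the effective capability set the kernel
# actually gave PID 1 in the container. Assumes nerdctl with a reachable containerd;
# the container name passed in is illustrative.

# Linux capability names in bit order (include/uapi/linux/capability.h).
CAP_NAMES='CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE'

# decode_capeff HEXMASK -> names of the capabilities set in HEXMASK, in bit order.
# HEXMASK is the value of the CapEff line in /proc/PID/status, e.g. 00000000a80425fb.
decode_capeff() {
    mask=$((0x$1))
    i=0
    out=''
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# count_caps HEXMASK -> how many capabilities are set
count_caps() {
    set -- $(decode_capeff "$1")
    echo $#
}

# Weak form (the page's): root inside the container with the default set of
# 14 capabilities, including NET_RAW, MKNOD, SYS_CHROOT and SETFCAP.
run_default() {
    nerdctl run -d -p 80:80 --name "$1" --restart=always nginx:alpine
}

# Hardened form: drop everything and add back only what the official nginx
# image needs (it starts as root, chowns its directories, then drops to the
# nginx user and binds :80); forbid gaining privileges through setuid binaries;
# cap PIDs and memory. The root filesystem stays writable because nginx writes
# to /var/cache/nginx and /var/run; with --read-only you would add --tmpfs for those.
run_hardened() {
    nerdctl run -d -p 80:80 --name "$1" --restart=always \
        --cap-drop=ALL \
        --cap-add=CHOWN --cap-add=SETGID --cap-add=SETUID --cap-add=NET_BIND_SERVICE \
        --security-opt=no-new-privileges \
        --pids-limit=128 --memory=256m \
        nginx:alpine
}

# capeff_of CONTAINER -> the CapEff mask of the container's PID 1
capeff_of() {
    nerdctl exec "$1" awk '/^CapEff:/ { print $2 }' /proc/1/status
}

# Usage on a host with nerdctl:
#   run_hardened web && decode_capeff "$(capeff_of web)"
#   should print: CHOWN SETGID SETUID NET_BIND_SERVICE
```

Run run_default and run_hardened against two containers and compare decode_capeff for each: the default set decodes to 14 names, the hardened one to four. The same check works for any image; adjust the --cap-add list to what its entrypoint really needs and re-read CapEff until the two agree.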
3.3 Container management

ps
nerdctl ps: list containers
nerdctl ps lists the running containers (add -a to include stopped ones):

nerdctl ps

The options match docker ps, for example -q and -n; nerdctl ps --help lists them.

inspect
nerdctl inspect: detailed information about a container.

nerdctl inspect nginx

The output is essentially the same as docker inspect.

logs
nerdctl logs: container logs
Reading container logs is something we do all the time; nerdctl logs does it:

nerdctl logs -f nginx

The -f, -t, --since and --until options are supported.

stop
nerdctl stop: stop a container

# stop sends SIGTERM and, if the process has not exited after the timeout (-t, default 10 seconds), SIGKILL
nerdctl stop nginx
nerdctl ps
# kill sends SIGKILL at once (-s picks another signal); either way the container drops out of ps but is still listed by ps -a
nerdctl kill nginx
nerdctl ps
nerdctl ps -a

rm
nerdctl rm: remove a container

nerdctl rm nginx
nerdctl rm -f nginx

A running container can only be removed with -f or --force, which stops it first.

3.4 Image management

images
nerdctl images: list images

nerdctl images
nerdctl -n=k8s.io images

tag
nerdctl tag: tag an image
tag adds another name (an alias) to an existing image; no data is copied.

nerdctl images
nerdctl tag nginx:alpine harbor.boysec.cn/course/nginx:alpine

pull
nerdctl pull: pull an image

nerdctl pull docker.io/library/busybox:latest

push
nerdctl push: push an image
Before pushing, log in to the registry with nerdctl login, then run push.
nerdctl login --username xxx --password xxx logs in and nerdctl logout logs out. Prefer --password-stdin to --password: a password given as an argument is written to shell history and is visible in the process list to every local user while nerdctl runs.
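The following is an added example, not code from the original post or the nerdctl project. It shows the login form that keeps the secret off the command line: the token is read from a file that must be owner-only and is handed to nerdctl login through --password-stdin. The registry harbor.k8s, the account robot-ci and the token path are illustrative; it assumes nerdctl is installed and GNU stat is available.

```shell
#!/bin/sh
# Added example, not from the original post: registry login that keeps the
# password off the command line. Registry host, account name and token path
# are illustrative; assumes nerdctl is installed.

# secret_file_ok FILE -> 0 if FILE is a regular file that only its owner can read.
# Uses GNU stat (-c '%a' prints the octal mode, e.g. 600).
secret_file_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$f: mode $mode is group/world accessible, expected 0600" >&2
        return 1
    fi
}

# registry_login REGISTRY USER TOKENFILE
# The page's form, nerdctl login --username U --password P REGISTRY, leaves P in
# shell history and visible in `ps` to every local user while nerdctl runs.
# --password-stdin reads it from standard input instead, so only the file's
# permissions protect it; refuse to proceed if they are too loose.
registry_login() {
    registry=$1; user=$2; tokenfile=$3
    secret_file_ok "$tokenfile" || return 1
    nerdctl login --username "$user" --password-stdin "$registry" < "$tokenfile"
}

# registry_logout REGISTRY -> remove the stored credential once the job is done
registry_logout() {
    nerdctl logout "$1"
}

# Usage (robot-account token stored root-only on the build host):
#   printf '%s\n' "$HARBOR_ROBOT_TOKEN" > /root/.harbor-token && chmod 0600 /root/.harbor-token
#   registry_login harbor.k8s robot-ci /root/.harbor-token
#   nerdctl push harbor.k8s/image/nginx:latest
#   registry_logout harbor.k8s
```

nerdctl stores the credential it receives in the Docker-style config.json (base64, not encrypted) unless a credential helper is configured, which is why the sequence ends with registry_logout once the push is done.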

save
nerdctl save: export an image
save writes the image to a tar archive. The archive is not compressed even when the file is named .tar.gz (the same as docker save); pipe the output through gzip if you want compression.

nerdctl save -o busybox.tar.gz busybox:latest

rmi
nerdctl rmi: remove an image

nerdctl rmi busybox

load
nerdctl load: import an image
load brings the archive exported above back in:

nerdctl load -i busybox.tar.gz
nerdctl images
3.5 Image builds

Building images is an everyday need. ctr has no build command, and now that we no longer use Docker, how do we build? Fortunately nerdctl provides nerdctl build.
nerdctl build: build an image from a Dockerfile
As an example, customise the nginx image with the following Dockerfile:

cat > Dockerfile <<EOF
FROM nginx:alpine
RUN echo -e "#version wangxiansen\n Hello Nerdctl From Containerd" > /usr/share/nginx/html/index.html
EOF

Then run the build in the directory that holds the file:

nerdctl build -t nginx:nerdctl -f Dockerfile .

When it finishes, check that the image exists:

nerdctl images

That is all it takes to build a container image with nerdctl + buildkitd.
If you also want Docker Compose on a single host, nerdctl covers that in containerd mode too: nerdctl compose, nerdctl compose up, nerdctl compose logs, nerdctl compose build, nerdctl compose down and so on manage Compose services. With containerd, nerdctl and buildkit together, Docker can be replaced entirely for building images and managing containers.

4. Adding plugins manually (optional)

Taking the CNI plugins as the example, first download the plugin archive from the CNI plugins project's release page.
The CNI binaries must live in a fixed directory, /opt/cni/bin by default (the default is shown after --cni-path in nerdctl --help); nerdctl looks there unless told otherwise. The release publishes a .sha256 file next to each archive; verify it before unpacking binaries that containerd will execute as root, and keep the directory owned by root and not writable by anyone else.

# Download the archive
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
# Create the plugin directory
mkdir -p /opt/cni/bin
# Install
tar -xzvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin
ll /opt/cni/bin/
total 63728
-rwxr-xr-x 1 root root 3780654 Mar 10  2022 bandwidth
-rwxr-xr-x 1 root root 4221977 Mar 10  2022 bridge
-rwxr-xr-x 1 root root 9742834 Mar 10  2022 dhcp
-rwxr-xr-x 1 root root 4345726 Mar 10  2022 firewall
-rwxr-xr-x 1 root root 3811793 Mar 10  2022 host-device
-rwxr-xr-x 1 root root 3241605 Mar 10  2022 host-local
-rwxr-xr-x 1 root root 3922560 Mar 10  2022 ipvlan
-rwxr-xr-x 1 root root 3295519 Mar 10  2022 loopback
-rwxr-xr-x 1 root root 3959868 Mar 10  2022 macvlan
-rwxr-xr-x 1 root root 3679140 Mar 10  2022 portmap
-rwxr-xr-x 1 root root 4092460 Mar 10  2022 ptp
-rwxr-xr-x 1 root root 3484284 Mar 10  2022 sbr
-rwxr-xr-x 1 root root 2818627 Mar 10  2022 static
-rwxr-xr-x 1 root root 3379564 Mar 10  2022 tuning
-rwxr-xr-x 1 root root 3920827 Mar 10  2022 vlan
-rwxr-xr-x 1 root root 3523475 Mar 10  2022 vrf
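Both the nerdctl tarball in 2.1 and the CNI archive here are unpacked straight from wget into directories whose contents run as root. The functions below are an added example, not code from the original post or from the nerdctl or CNI projects: they check the archive against the published checksum file first and refuse to extract on a mismatch. They assume nerdctl releases publish a SHA256SUMS file and CNI plugin releases a <archive>.sha256 sidecar, both in sha256sum's "<hex>  <filename>" text format; the URLs and destination paths are the page's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded release archive
# against the project's published checksum file before extracting it. Covers the
# nerdctl tarball of section 2.1 (SHA256SUMS, assumed to sit next to the tarball
# on the release page) and the CNI plugins archive of section 4 (<archive>.sha256
# sidecar, assumed likewise). Both files use the sha256sum text format.

# expected_sha256 SUMSFILE NAME -> the digest recorded for NAME (empty if none).
# Tolerates the "*name" binary-mode marker some tools write.
expected_sha256() {
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$1"
}

# verify_sha256 FILE SUMSFILE -> 0 only if FILE matches its recorded digest
verify_sha256() {
    file=$1; sums=$2
    want=$(expected_sha256 "$sums" "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "no digest for $(basename "$file") in $sums" >&2
        return 1
    fi
    have=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$have" != "$want" ]; then
        echo "checksum mismatch for $file: have $have want $want" >&2
        return 1
    fi
}

# extract_verified TARBALL SUMSFILE DESTDIR [MEMBER...]
# Unpacks nothing unless the checksum matches. MEMBER restricts the extraction
# (e.g. only nerdctl out of the nerdctl tarball); with none given the whole
# archive is unpacked, as for the CNI plugins. Extracted files are made
# non-writable for group/other so a later local user cannot swap a binary.
extract_verified() {
    tarball=$1; sums=$2; dest=$3; shift 3
    verify_sha256 "$tarball" "$sums" || return 1
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest" "$@"
    for m in $(tar -tzf "$tarball" "$@"); do
        chmod go-w "$dest/$m"
    done
}

# Usage for section 2.1 (only the nerdctl binary is wanted):
#   cd /tmp
#   wget https://github.com/containerd/nerdctl/releases/download/v1.5.0/nerdctl-1.5.0-linux-amd64.tar.gz
#   wget https://github.com/containerd/nerdctl/releases/download/v1.5.0/SHA256SUMS
#   extract_verified nerdctl-1.5.0-linux-amd64.tar.gz SHA256SUMS /usr/local/containerd/bin nerdctl
# Usage for section 4 (the whole CNI archive):
#   wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
#   wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz.sha256
#   extract_verified cni-plugins-linux-amd64-v1.1.1.tgz cni-plugins-linux-amd64-v1.1.1.tgz.sha256 /opt/cni/bin
```

A checksum fetched over the same channel as the archive only protects against a truncated or corrupted download; to detect a substituted asset, verify the SHA256SUMS.asc signature with gpg against the maintainers' key as well, or pin the digest you expect in your own automation.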
Posted on 2025-05-28 14:42 by jiayou111