基于containerd的kata-containers快速体验
本文介绍了基于 containerd 和 kata-containers 的快速体验过程,涵盖了环境准备、组件安装、配置调整以及功能测试的完整流程。
环境说明
- 物理机或者开启了嵌套虚拟化的虚拟机
- Fedora Server 42 x86_64 (测试新功能比较友好)
- containerd 1.7.27
- kata-containers 3.16.0
安装containerd
cri-containerd-cni-1.7.27-linux-amd64.tar.gz
cri-开头的安装包包含了containerd各组件工具和cni插件,解压后containerd相关二进制会位于/usr/local/bin目录下。
# 直接解压到/目录
root@fedora42:~# tar xf cri-containerd-cni-1.7.27-linux-amd64.tar.gz -C /
# 生成默认配置文件
root@fedora42:~# mkdir /etc/containerd
root@fedora42:~# containerd config default >/etc/containerd/config.toml
# containerd服务配置文件位于/usr/local/lib/systemd/system/containerd.service
root@fedora42:~# systemctl daemon-reload
root@fedora42:~# systemctl start containerd
# 查看containerd版本
root@fedora42:~# ctr version
Client:
Version: v1.7.27
Revision: 05044ec0a9a75232cad458027ca83437aae3f4da
Go version: go1.23.7
Server:
Version: v1.7.27
Revision: 05044ec0a9a75232cad458027ca83437aae3f4da
UUID: 00fc6d52-093d-4c7a-90c8-cf1ce28cef59
# 查看containerd当前runtime,此时仅包含默认的runc
root@fedora42:~# crictl info | jq .config.containerd.runtimes
{
"runc": {
"runtimeType": "io.containerd.runc.v2",
"runtimePath": "",
"runtimeEngine": "",
"PodAnnotations": [],
"ContainerAnnotations": [],
"runtimeRoot": "",
"options": {
"BinaryName": "",
"CriuImagePath": "",
"CriuPath": "",
"CriuWorkPath": "",
"IoGid": 0,
"IoUid": 0,
"NoNewKeyring": false,
"NoPivotRoot": false,
"Root": "",
"ShimCgroup": "",
"SystemdCgroup": false
},
"privileged_without_host_devices": false,
"privileged_without_host_devices_all_devices_allowed": false,
"baseRuntimeSpec": "",
"cniConfDir": "",
"cniMaxConfNum": 0,
"snapshotter": "",
"sandboxMode": "podsandbox"
}
}
root@fedora42:~#
containerd的各种客户端说明:
- ctr 是一个较底层的容器管理工具,主要面向容器运维人员使用;
- nerdctl 是一个基于 containerd 的高级容器管理工具,提供了更加友好的命令行界面;
- crictl 是一个专门用于管理 Kubernetes 集群中容器的工具,主要面向 Kubernetes 集群管理员使用。
安装kata-containers
kata-static-3.16.0-amd64.tar.xz
# 直接解压到/目录即可
root@fedora42:~# tar xf kata-static-3.16.0-amd64.tar.xz -C /
# 拷贝(或做软链)两个文件到/usr/local/bin下,以便被containerd调用
root@fedora42:~# cp /opt/kata/bin/kata-runtime /usr/local/bin/
root@fedora42:~# cp /opt/kata/bin/containerd-shim-kata-v2 /usr/local/bin/
# 测试kata-runtime是否可用
root@fedora42:~# kata-runtime check
WARN[0000] Not running network checks as super user arch=amd64 name=kata-runtime pid=1659 source=runtime
System is capable of running Kata Containers
System can currently create Kata Containers
root@fedora42:~#
配置containerd使用kata-containers
# 在/etc/containerd/config.toml中添加kata-runtime
root@fedora42:~# sed -i '/\[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes\]/a\ [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.kata]\n runtime_type = \"io.containerd.kata.v2\"' /etc/containerd/config.toml
# 确认是否添加kata-runtime配置
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
# 重启containerd服务
root@fedora42:~# systemctl restart containerd
# 查看containerd当前runtime,确认kata-runtime已生效
root@fedora42:~# crictl info | jq .config.containerd.runtimes
{
"kata": {
"runtimeType": "io.containerd.kata.v2",
"runtimePath": "",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"privileged_without_host_devices_all_devices_allowed": false,
"baseRuntimeSpec": "",
"cniConfDir": "",
"cniMaxConfNum": 0,
"snapshotter": "",
"sandboxMode": "podsandbox"
},
"runc": {
"runtimeType": "io.containerd.runc.v2",
"runtimePath": "",
"runtimeEngine": "",
"PodAnnotations": [],
"ContainerAnnotations": [],
"runtimeRoot": "",
"options": {
"BinaryName": "",
"CriuImagePath": "",
"CriuPath": "",
"CriuWorkPath": "",
"IoGid": 0,
"IoUid": 0,
"NoNewKeyring": false,
"NoPivotRoot": false,
"Root": "",
"ShimCgroup": "",
"SystemdCgroup": false
},
"privileged_without_host_devices": false,
"privileged_without_host_devices_all_devices_allowed": false,
"baseRuntimeSpec": "",
"cniConfDir": "",
"cniMaxConfNum": 0,
"snapshotter": "",
"sandboxMode": "podsandbox"
}
}
root@fedora42:~#
测试kata容器
# 修改containerd的pause(sandbox)镜像为国内镜像源;注意这会将沙箱镜像来源从registry.k8s.io切换为第三方镜像仓库
root@fedora42:~# sed -i 's#registry.k8s.io/pause:3.8#registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.8#g' /etc/containerd/config.toml
# 重启containerd服务
root@fedora42:~# systemctl restart containerd
# 确认pause镜像已修改
root@fedora42:~# crictl info | jq .config.sandboxImage
"registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.8"
root@fedora42:~#
# pull测试镜像
root@fedora42:~# image="quay.io/fedora/fedora:42"
root@fedora42:~# ctr image pull $image
quay.io/fedora/fedora:42: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:941f75ba6a6ed968b71115f8805a0d3055a11c06bf8bcf37d32e4fc9cacd9d7f: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:2ec41376afabc5f8445fbbcafcc0caf967d031ab82853e17825a01146e722831: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:f8ce66db501ce310a4bfb2e98929de5d2852659638a9bcb9c1da883a3b324f85: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4d7fc1cf452e802085764874c175425528f17e2ea03057edf5d83d400e2d3bc8: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 8.0 s total: 58.0 M (7.2 MiB/s)
unpacking linux/amd64 sha256:941f75ba6a6ed968b71115f8805a0d3055a11c06bf8bcf37d32e4fc9cacd9d7f...
done: 1.22051028s
# 创建kata容器,查看容器内核版本
root@fedora42:~# ctr run --runtime "io.containerd.kata.v2" --rm -t "$image" test-kata uname -r
6.12.22
# 查看宿主机内核版本,确认kata容器运行在自带的guest内核(6.12.22)上,而不是宿主机内核(6.14.0)
root@fedora42:~# uname -r
6.14.0-63.fc42.x86_64
root@fedora42:~#
通过nerdctl创建kata容器
nerdctl-2.0.4-linux-amd64.tar.gz
ctr直接创建的kata容器没有配置网络,所以需要使用高级客户端nerdctl进行网络相关测试
# 安装nerdctl
root@fedora42:~# tar tf nerdctl-2.0.4-linux-amd64.tar.gz
nerdctl
containerd-rootless-setuptool.sh
containerd-rootless.sh
root@fedora42:~# tar xf nerdctl-2.0.4-linux-amd64.tar.gz -C /usr/local/bin/
# 查看nerdctl信息
root@fedora42:~# nerdctl info
Client:
Namespace: default
Debug Mode: false
Server:
Server Version: v1.7.27
Storage Driver: overlayfs
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Log: fluentd journald json-file none syslog
Storage: native overlayfs
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.14.0-63.fc42.x86_64
Operating System: Fedora Linux 42 (Server Edition)
OSType: linux
Architecture: x86_64
CPUs: 11
Total Memory: 15.6GiB
Name: fedora42
ID: 00fc6d52-093d-4c7a-90c8-cf1ce28cef59
# 通过nerdctl使用kata-runtime创建交互式容器,并将宿主机80端口映射到容器80端口
root@fedora42:~# nerdctl run -it --rm -p 80:80 --runtime "io.containerd.kata.v2" $image bash
WARN[0000] cannot set cgroup manager to "systemd" for runtime "io.containerd.kata.v2"
[root@9a8ca379b0f6 /]#
# 查看容器网络,镜像默认未安装ip命令,需要先安装iproute
[root@9a8ca379b0f6 /]# ip a
bash: ip: command not found
# 安装iproute
[root@9a8ca379b0f6 /]# dnf install -y iproute
# 输出略
# 查看容器网络
[root@9a8ca379b0f6 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 1a:81:00:d1:f8:6a brd ff:ff:ff:ff:ff:ff
inet 10.4.0.2/24 brd 10.4.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::1881:ff:fed1:f86a/64 scope link
valid_lft forever preferred_lft forever
[root@9a8ca379b0f6 /]#
# 10.4.0.2为容器的IP地址,对应于nerdctl创建的cni网络配置/etc/cni/net.d/nerdctl-bridge.conflist
root@fedora42:~# cat /etc/cni/net.d/nerdctl-bridge.conflist |jq .plugins.[0].ipam.ranges.[0][0]
{
"gateway": "10.4.0.1",
"subnet": "10.4.0.0/24"
}
# 创建nginx服务进行测试
[root@9a8ca379b0f6 /]# dnf install nginx -y
# 输出略
# 配置校验和启动nginx
[root@9a8ca379b0f6 /]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@9a8ca379b0f6 /]# nginx
[root@9a8ca379b0f6 /]# nginx -v
nginx version: nginx/1.26.3
# 宿主机访问测试,通过映射的80端口访问容器内的nginx服务
root@fedora42:~# curl localhost -I
HTTP/1.1 200 OK
Server: nginx/1.26.3
Date: Sun, 27 Apr 2025 01:53:26 GMT
Content-Type: text/html
Content-Length: 8484
Last-Modified: Thu, 20 Mar 2025 00:00:00 GMT
Connection: keep-alive
ETag: "67db5a80-2124"
Accept-Ranges: bytes
总结
通过本文的操作步骤,您可以快速搭建一个基于 containerd 和 kata-containers 的轻量级虚拟化容器环境。Kata Containers 提供了更强的安全性和隔离性,同时兼容 containerd 生态,适合需要高性能和高安全性的场景。
