Containerd-chep1-安装

本文致力于深入学习Contaienrd并整理。
参考官方文档

依赖与限制

独立使用containerd依赖于runc与CNI plugins，可采用cri-containerd-cni-1.7.16-linux-amd64.tar.gz完整包安装，或拆分后各自安装。containerd是为基于glibc的Linux发行版动态构建的，所以musl类的如Alpine则可能无法运行。

若作为Kubernetes的容器运行时使用，只需要使用containerd-<VERSION>-<OS>-<ARCH>.tar.gz类型的二进制包。从containerd 2.0起，cri-containerd-*命名的二进制包、档案已弃用。

安装

Containerd

下载安装

$ wget https://github.com/containerd/containerd/releases/download/v1.6.31/containerd-1.6.2-linux-amd64.tar.gz
$ tar Cxzf /usr/local containerd-1.6.2-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/containerd-shim
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd
bin/containerd-stress

使用systemd管理

$ curl https://raw.githubusercontent.com/containerd/containerd/main/containerd.service | sudo tee -a /usr/local/lib/systemd/system/containerd.service
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now containerd

参考官方文档

Delegate允许 containerd 及其运行时管理它创建的容器的 cgroup。如果不设置此选项，systemd 将尝试将进程移至其自己的 cgroup 中，从而导致 containerd 及其运行时无法正确考虑容器的资源使用情况。

关闭服务时，systemd默认会找服务的cgroup并杀死服务的每个进程，对于containerd而言会导致现有容器异常。设置KillMode为process可确保systemd只杀死Containerd守护进程而不杀死子进程。

OOMScoreAdjust保障containerd因内存不足而被杀死的优先级。（ 可设为 -1000(禁止被杀死) 到 1000(最先被杀死)之间的整数值。）

runc & cni

# install runc
$ wget https://github.com/opencontainers/runc/releases/download/v1.1.11/runc.amd64
$ install -m 755 runc.amd64 /usr/local/sbin/runc

# install cni
$ wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
$ mkdir -p /opt/cni/bin
$ tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
./
./macvlan
./static
./vlan
./portmap
./host-local
./vrf
./bridge
./tuning
./firewall
./host-device
./sbr
./loopback
./dhcp
./ptp
./ipvlan
./bandwidth