docker · 2024-05-04 0

containerd basics: using the ctr command

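I. The docker, ctr and crictl commands

ctr is a command-line tool for managing containerd; it can be used to package, pull and upload images.

ctr is a client tool for containerd; crictl is a command-line tool that follows the CRI interface specification.

docker's data directory defaults to /var/lib/docker; after switching to containerd, the data directory defaults to /var/lib/containerd.

Starting a container, from containerd's point of view: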

ctr cli ---grpc---> containerd ---exec---> containerd-shim-runc ---exec---> runc

With containerd as the k8s container runtime:

crictl 与 kubelet ---CRI---> containerd ---exec---> containerd-shim-runc ---exec---> runc

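containerd implements the k8s CRI interface and provides the core container runtime functions, such as image management and container management. In other words, containerd is itself an implementation of the k8s CRI.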

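| docker | ctr (containerd) | crictl (kubernetes) | Purpose |
|---|---|---|---|
| docker ps | ctr task ls / ctr container ls | crictl ps | List running containers |
| docker images | ctr image ls | crictl images | List images |
| docker logs | | crictl logs | View container logs |
| docker inspect | ctr container info | crictl inspect | View container details |
| docker stats | | crictl stats | View container resource usage |
| docker start/stop | ctr task start/kill | crictl start/stop | Start/stop an existing container |
| docker run | ctr run | none (the smallest unit is a pod) | Run a new container |
| docker tag | ctr image tag | | Change an image tag |
| docker create | ctr container create | crictl create | Create a new container |
| docker load | ctr image import | | Import an image |
| docker save | ctr image export | | Export an image |
| docker rm | ctr container rm | crictl rm | Delete a container |
| docker rmi | ctr image rm | crictl rmi | Delete an image |
| docker pull | ctr image pull | crictl pull | Pull an image |
| docker push | ctr image push | | Push an image |
| docker exec | | crictl exec | Run a command inside a container |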

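One concept needs explaining: containers versus tasks. In docker the container concept is blurred; docker merges containers and tasks into what it calls a container.

In ctr, a container is a virtual environment instantiated from an image. It provides a disk and a simulated space, much like a computer that is powered off.

In ctr, a task is the container actually running: the computer has been powered on, its processes have been initialized, and so on. That is what a task is.

II. Installing and starting containerd

1. Install containerd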

root@ctr-1:~# apt install containerd -y
root@ctr-1:~# ctr -v
ctr github.com/containerd/containerd 1.7.2

2. Start containerd

root@ctr-1:~# ctr version
Client:
  Version:  1.7.2
  Revision: 
  Go version: go1.20.3

ctr: failed to dial "/run/containerd/containerd.sock": context deadline exceeded: connection error: desc = "transport: error while dialing: dial unix:///run/containerd/containerd.sock: timeout"

If ctr version reports failed to dial "/run/containerd/containerd.sock", the service is not running.
Run containerd or systemctl start containerd to start the service.

root@ctr-1:~# ctr version
Client:
  Version:  1.7.2
  Revision: 
  Go version: go1.20.3

Server:
  Version:  1.7.2
  Revision: 
  UUID: deed1033-a829-419b-b232-fa64b992b077

3. Generate the configuration file

To change the default configuration, first write the default configuration to /etc/containerd/config.toml

root@ctr-1:~# mkdir -p /etc/containerd/
root@ctr-1:~# containerd config default > /etc/containerd/config.toml

4. Configure a registry mirror in China

The following configuration applies to containerd 1.6 and later

1) Set config_path in /etc/containerd/config.toml

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"

2) Create the configuration file

Create the /etc/containerd/certs.d/docker.io directory and the hosts.toml file

root@ctr-1:/# mkdir -p /etc/containerd/certs.d/docker.io
root@ctr-1:/# touch /etc/containerd/certs.d/docker.io/hosts.toml
root@ctr-1:/etc/containerd/certs.d/docker.io# cat hosts.toml 
server = "https://docker.io"
[host."https://docker.m.daocloud.io"]
  capabilities = ["pull","resolve"]
  # skip_verify = true

3) Use the mirror

To use the configured registry, pass --hosts-dir when pulling an image

ctr image pull docker.io/library/nginx:1.23.3 --hosts-dir /etc/containerd/certs.d   
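
The hosts.toml above leaves skip_verify commented out, so TLS certificate verification stays on for the mirror. The following added example (not part of the original post) audits a certs.d tree for hosts that disable verification or use plain http; the function name audit_hosts_dir is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit containerd registry host
# configs for weakened transport security.
# Assumptions: audit_hosts_dir is a hypothetical helper name; "#" never occurs
# inside a quoted value (true for the hosts.toml shown on this page).
# Findings printed, one per line:
#   SKIP_VERIFY  an uncommented skip_verify = true (certificate checks disabled)
#   PLAINTEXT    a server or host endpoint using http://
# Returns 0 when clean, 1 when there is at least one finding.
audit_hosts_dir() {
    dir="${1:-/etc/containerd/certs.d}"
    findings=$(
        find "$dir" -type f -name hosts.toml 2>/dev/null | sort |
        while IFS= read -r f; do
            awk -v file="$f" '
                { line = $0; sub(/[ \t]*#.*$/, "", line) }   # drop comments
                line ~ /^[ \t]*$/ { next }
                line ~ /^[ \t]*\[host\./ {                   # [host."<url>"] table
                    host = line
                    sub(/^[ \t]*\[host\."?/, "", host)
                    sub(/"?\][ \t]*$/, "", host)
                    if (host ~ /^http:\/\//)
                        printf "%s: PLAINTEXT host %s\n", file, host
                    next
                }
                line ~ /^[ \t]*server[ \t]*=[ \t]*"http:\/\// {
                    printf "%s: PLAINTEXT server\n", file
                    next
                }
                line ~ /^[ \t]*skip_verify[ \t]*=[ \t]*true/ {
                    printf "%s: SKIP_VERIFY host %s\n", file, (host == "" ? "(server)" : host)
                }
            ' "$f"
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
# Usage: audit_hosts_dir /etc/containerd/certs.d
```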

5. Pull an image

root@ctr-1:~# ctr image pull docker.io/library/nginx:1.23.3
docker.io/library/nginx:1.23.3: resolving      |--------------------------------------| 
elapsed: 0.4 s                  total:   0.0 B (0.0 B/s)                                         
INFO[0000] trying next host                              error="failed to do request: Head \"https://registry-1.docker.io/v2/library/nginx/manifests/1.23.3\": tls: failed to verify certificate: x509: certificate signed by unknown authority" host=registry-1.docker.io
ctr: failed to resolve reference "docker.io/library/nginx:1.23.3": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/1.23.3": tls: failed to verify certificate: x509: certificate signed by unknown authority

If failed to verify certificate: x509 appears, install ca-certificates

root@ctr-1:~# apt install ca-certificates -y
root@ctr-1:~# ctr image pull docker.io/library/nginx:1.23.3
docker.io/library/nginx:1.23.3:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:f4e3b6489888647ce1834b601c6c06b9f8c03dee6e097e13ed3e28c01ea3ac8c:    done           |++++++++++++++++++++++++++++++++++++++| 
...
layer-sha256:84181e80d10e844350789d3324e848cf728df4f3d0f6c978789dd489f493934a:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 12.3s                                                                    total:  54.0 M (4.4 MiB/s)    
root@ctr-1:~# ctr image list
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                                               LABELS 
docker.io/library/nginx:1.23.3 application/vnd.docker.distribution.manifest.list.v2+json sha256:f4e3b6489888647ce1834b601c6c06b9f8c03dee6e097e13ed3e28c01ea3ac8c 54.3 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x

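III. Managing images with ctr

1. Pull an image

Command:

ctr images pull <image_name>

Specifying the platform:

  • --all-platforms: all platforms (amd64, arm, 386, ppc64le, etc.); without it, only the current platform's architecture is downloaded
  • --platform: specifies the platform, e.g. linux/amd64

Example: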

root@ctr-1:~# ctr image pull docker.io/library/nginx:1.23.3
docker.io/library/nginx:1.23.3:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:f4e3b6489888647ce1834b601c6c06b9f8c03dee6e097e13ed3e28c01ea3ac8c:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:557c9ede65655e5a70e4a32f1651638ea3bfb0802edd982810884602f700ba25: done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:84181e80d10e844350789d3324e848cf728df4f3d0f6c978789dd489f493934a:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:d4ceccbfc2696101c94fbf2149036e4ff815e4723e518721ff85105ce5aa8afc:    done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:ac232364af842735579e922641ae2f67d5b8ea97df33a207c5ea05f60c63a92d:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:f1f26f5702560b7e591bef5c4d840f76a232bf13fd5aefc4e22077a1ae4440c7:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:1ff0f94a80076ab49af75159e23f062a30a75d333a8e9c021bf39669230afcfe:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:d776269cad101c9f8e33e2baa0a05993ed0786604d86ea525f62d5d7ae7b9540:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:e9427fcfa8642f8ddf5106f742a75eca0dbac676cf8145598623d04fa45dd74e:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 29.8s                                                                    total:  53.3 M (1.8 MiB/s)                                       
unpacking linux/amd64 sha256:f4e3b6489888647ce1834b601c6c06b9f8c03dee6e097e13ed3e28c01ea3ac8c...
done: 1.856878044s
ctr images pull --platform linux/arm docker.io/library/nginx:1.25-alpine

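Note: containerd supports OCI-standard images, so official docker images and images built from a dockerfile can be used directly. Unlike docker, the image reference must include docker.io/library when pulling.

2. List images

Command:

ctr images list
ctr i ls
ctr i ls -q
  • When listing images, either the shorthand i or image can be used
  • -q prints only the image names

Example: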

root@ctr-1:~# ctr images list
REF                            TYPE                                                      DIGEST                                                                  SIZE     PLATFORMS                                                                                               LABELS 
docker.io/library/nginx:1.23.3 application/vnd.docker.distribution.manifest.list.v2+json sha256:f4e3b6489888647ce1834b601c6c06b9f8c03dee6e097e13ed3e28c01ea3ac8c 54.3 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x - 
root@ctr-1:~# ctr i ls -q
docker.io/library/nginx:1.23.3

3. Check images

Example:

root@ctr-1:~# ctr images check
REF                            TYPE                                                      DIGEST                                                                  STATUS         SIZE              UNPACKED 
docker.io/library/nginx:1.23.3 application/vnd.docker.distribution.manifest.list.v2+json sha256:f4e3b6489888647ce1834b601c6c06b9f8c03dee6e097e13ed3e28c01ea3ac8c complete (7/7) 54.3 MiB/54.3 MiB true

4. Delete an image

Command:

ctr images rm <image_name>

Example:

root@ctr-1:~# ctr images rm docker.io/library/nginx:1.25-alpine
docker.io/library/nginx:1.25-alpine

5. Tag an image

Command:

ctr images tag <image_name> <new_image_name>

Example:

ctr images tag docker.io/library/nginx:1.23.3 docker.io/activepirate/nginx:1.23.3

6. Import and export images

ctr image export <image_file_name> <image_name>
ctr images import <image_file_name>

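7. Mount an image

Command:

ctr images mount <image_name> <dir_path>
ctr images unmount <dir_path>

Mounting a downloaded container image onto the current filesystem makes it easy to inspect what the image contains

Example: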

root@ctr-1:~# ctr images mount docker.io/library/nginx:1.23.3 /root/tmp
sha256:31888883f307f2ea78ac1dd1abd26ddae38ebe9aacfbb0250995a636b8531d8f
/root/tmp
root@ctr-1:~# ls /root/tmp/
bin  boot  dev  docker-entrypoint.d  docker-entrypoint.sh  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@ctr-1:~# ctr images unmount /root/tmp/
/root/tmp/
root@ctr-1:~# ls -lh /root/tmp/
total 0

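IV. Managing containers with ctr

A container created with the container create command is not running; it is only a static container (merely a declaration that a container has been created)

1. List containers

ctr containers list
ctr containers ls
ctr c ls

2. Create a container

ctr container create <image_name> <container_name>
  • --net-host: host network

Example: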

ctr container create docker.io/library/nginx:1.23.3 nginx_1
ctr container create --net-host docker.io/library/nginx:1.23.3 nginx_

V. Managing tasks with ctr

1. Start a task

ctr task start -d <container_name>

Example:

root@ctr-1:~# ctr task start -d nginx_1
root@ctr-1:~# ps -ef | grep nginx_1
root       22023       1  0 20:27 ?        00:00:01 /usr/bin/containerd-shim-runc-v2 -namespace default -id nginx_1 -address /run/containerd/containerd.sock

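This shows that containerd has a namespace concept, which allows different services and applications to be kept separate

2. List tasks

These commands manage the tasks running in containers

ctr tasks list
ctr t ls

Example: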

root@ctr-1:~# ctr tasks list
TASK       PID      STATUS
nginx_1    18895    RUNNING
root@ctr-1:~# ctr task ls -q
nginx_1

3. Enter a container

Command:

ctr task exec --exec-id <exec_id> -t <container_name> sh

Note that the --exec-id parameter is mandatory; the id can be anything, as long as it is unique

Example:

root@ctr-1:~# ctr tasks exec --exec-id $RANDOM -t busybox_1 sh
/ # ls
bin    dev    etc    home   lib    lib64  proc   root   run    sys    tmp    usr    var
/ # exit
root@ctr-1:~# ctr task exec --exec-id 0 -t nginx_1 sh
# ls
bin  boot  dev  docker-entrypoint.d  docker-entrypoint.sh  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

5. Pause a task

Command:

ctr task pause <container_name>

Example:

root@ctr-1:~# ctr task pause nginx_1
root@ctr-1:~# ctr task ls
TASK       PID      STATUS
nginx_1    18895    PAUSED

6. Resume a task

Command:

ctr task resume <container_name>

Example:

root@ctr-1:~# ctr task resume nginx_1
root@ctr-1:~# ctr task ls
TASK       PID      STATUS
nginx_1    18895    RUNNING

7. Kill a task

ctr has no way to stop a container; a container can only be paused or killed. To kill a container, use the task kill command

Command:

ctr task kill <container_name>

Example:

root@ctr-1:~# ctr task kill nginx_1
root@ctr-1:~# ctr task kill -s 9 nginx_1
root@ctr-1:~# ctr task list
TASK       PID      STATUS
nginx_1    18895    STOPPED

8. Delete a task

Command:

ctr task rm <container_name>

Example:

root@ctr-1:~# ctr task rm nginx_1
root@ctr-1:~# ctr task list
TASK    PID    STATUS

9. ctr run

The ctr run command is in effect a shortcut for ctr container create + ctr task start

  • --net-host: host network

Example:

root@ctr-1:~# ctr run -d docker.io/library/nginx:1.23.3 nginx_2
root@ctr-1:~# ctr run --net-host -d docker.io/library/nginx:1.23.3 nginx_3
root@ctr-1:~# curl http://127.0.0.1:80

VI. Managing namespaces with ctr

Compared with docker, containerd adds the concept of a namespace; every image and container is visible within its own namespace

1. List namespaces

Command:

ctr namespaces list
ctr ns ls

Example:

root@ctr-1:~# ctr namespaces list
NAME    LABELS
default
dev
root@ctr-1:~# ctr ns ls
NAME    LABELS 
default
dev

2. Create a namespace

Command:

ctr namespaces create <ns_name>
ctr ns create <ns_name>

3. Delete a namespace

Command:

ctr namespaces rm <ns_name>
ctr ns rm <ns_name>

4. Pull an image into a specific namespace

ctr -n <ns_name> images pull <image_name>

Example:

root@ctr-1:~# ctr -n dev images pull docker.io/library/nginx:1.25-alpine

5. List the images in a specific namespace

ctr -n <ns_name> images ls

Example:

root@ctr-1:~# ctr -n dev images list
REF                                 TYPE                                    DIGEST                                                                  SIZE     PLATFORMS                                                                                                LABELS 
docker.io/library/nginx:1.25-alpine application/vnd.oci.image.index.v1+json sha256:fdbfdaea4fc323f44590e9afeb271da8c345a733bf44c4ad7861201676a95f42 19.5 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x,unknown/unknown -

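VII. Networking

By default, a container managed by containerd has only the lo network interface and cannot reach any network outside the container; a network plugin can be added for it.

For ease of testing, use the nicolaka/netshoot image, which ships with commands for viewing the container's IP address.

ctr-1:~# ctr image pull docker.io/nicolaka/netshoot:v0.13

1. Default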

ctr-1:~# ctr container create docker.io/nicolaka/netshoot:v0.13 netshoot_1
ctr-1:~# ctr task start -d netshoot_1
ctr-1:~# ctr task exec --exec-id 1 -t netshoot_1 bash
ctr-1:~# ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

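2. Using the host network

  • --net-host enables host networking for the container, so the container shares the host's network namespace. The container then uses the host's IP address and ports instead of getting a new, separate network namespace.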
ctr-1:~# ctr container create --net-host docker.io/nicolaka/netshoot:v0.13 netshoot_2
ctr-1:~# ctr task start -d netshoot_2
ctr-1:~# ctr task exec --exec-id 2 -t netshoot_2 bash
ctr-1:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:234707 errors:0 dropped:0 overruns:0 frame:0
          TX packets:127521 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:322696737 (307.7 MiB)  TX bytes:8564271 (8.1 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
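
Because a --net-host container sees the host's interfaces and ports, it is useful to know which running tasks were started that way. The following added example (not part of the original post) reads `ctr task ls` output and compares each task's network namespace link with that of PID 1; the names host_net_tasks and PROC_ROOT are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list containerd tasks that share
# the host network namespace, i.e. tasks whose container was created with
# --net-host. Reads `ctr task ls` output (TASK PID STATUS) on stdin.
# Assumptions: host_net_tasks and PROC_ROOT are hypothetical names; PROC_ROOT
# exists only so the check can be run against a constructed /proc-like tree.
host_net_tasks() {
    proc="${PROC_ROOT:-/proc}"
    # Network namespace of PID 1 is the host's. Reading it requires root.
    host_ns=$(readlink "$proc/1/ns/net") || return 2
    while read -r task pid status; do
        # Skip the header row and anything without a live process.
        if [ "$task" = "TASK" ]; then continue; fi
        case "$status" in RUNNING|PAUSED) ;; *) continue ;; esac
        case "$pid" in ''|*[!0-9]*) continue ;; esac
        ns=$(readlink "$proc/$pid/ns/net" 2>/dev/null) || continue
        # Same namespace link as PID 1 means no network isolation from the host.
        if [ "$ns" = "$host_ns" ]; then
            printf '%s\t%s\t%s\n' "$task" "$pid" "$ns"
        fi
    done
    return 0
}
# Usage (as root): ctr -n default task ls | host_net_tasks
```

Run it once per containerd namespace (`ctr ns ls`), since `ctr task ls` only lists tasks in the namespace given with -n.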