
Containerd Client Tools

Time: 2023-02-25 13:24:15

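When Kubernetes is not using Docker as its container runtime, managing and querying images requires one of the other containerd client tools.

containerd's client tools are ctr, crictl and nerdctl.

ctr and crictl

ctr is a client tool provided by containerd.

crictl is a command-line interface for CRI-compatible container runtimes. It is independent of containerd and is provided by Kubernetes; use it to inspect and debug the container runtime and the applications on a k8s node.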

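| Operation | docker | ctr (containerd) | crictl (kubernetes) |
| --- | --- | --- | --- |
| List images | docker images | ctr image ls | crictl images |
| Pull an image | docker pull | ctr image pull | crictl pull |
| Push an image | docker push | ctr image push | |
| Delete an image | docker rmi | ctr image rm | crictl rmi |
| Import an image | docker load | ctr image import | |
| Export an image | docker save | ctr image export | |
| Retag an image | docker tag | ctr image tag | |
| Create a new container | docker create | ctr container create | crictl create |
| Run a new container | docker run | ctr run | None (the smallest unit is the Pod) |
| Delete a container | docker rm | ctr container rm | crictl rm |
| List running containers | docker ps | ctr task ls / ctr container ls | crictl ps |
| Start an existing container | docker start | ctr task start | crictl start |
| Stop an existing container | docker stop | ctr task kill | crictl stop |
| Run a command inside a container | docker exec | | crictl exec |
| View container details | docker inspect | ctr container info | crictl inspect |
| View container logs | docker logs | | crictl logs |
| View container resource usage | docker stats | | crictl stats |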

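Note

  • To operate on or view Kubernetes images or containers with ctr, put -n k8s.io in front.
    • For example, to load a packaged image into k8s: ctr -n=k8s.io images import k8s_1.25.0.tar.gz
    • To list the images in k8s: ctr -n=k8s.io image ls

Exporting an image with ctr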

$ ctr -n k8s.io image export es.v8.5.0.tar.gz  docker.elastic.co/elasticsearch/elasticsearch:8.5.0

Importing an image with ctr

$ ctr -n k8s.io image import es.v8.5.0.tar.gz

nerdctl

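Introduction to nerdctl

nerdctl is a Docker-compatible CLI for containerd, and it supports Compose.

The nerdctl command-line syntax is very similar to docker's, so it is easy to learn.

Project: https://github.com/containerd/nerdctl
The official nerdctl release comes in two packages:

  • Minimal: contains only the nerdctl binary and the helper install scripts for rootless mode
  • Full: as the name suggests, the complete bundle, which includes containerd, CNI, runc, BuildKit and the other components

Downloads: https://github.com/containerd/nerdctl/releases

Installing and using nerdctl

Using nerdctl in place of Docker on a single host

# Use nerdctl in place of docker on a new host
$ wget https://github.com/containerd/nerdctl/releases/download/v0.23.0/nerdctl-full-0.23.0-linux-amd64.tar.gz
# List the archive contents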
$ tar tf nerdctl-full-0.23.0-linux-amd64.tar.gz
bin/
bin/buildctl
bin/buildg
bin/buildg.sh
bin/buildkitd
bin/bypass4netns
bin/bypass4netnsd
bin/containerd
bin/containerd-fuse-overlayfs-grpc
bin/containerd-rootless-setuptool.sh
bin/containerd-rootless.sh
bin/containerd-shim-runc-v2
bin/containerd-stargz-grpc
bin/ctd-decoder
bin/ctr
bin/ctr-enc
bin/ctr-remote
bin/fuse-overlayfs
bin/ipfs
bin/nerdctl
bin/rootlessctl
bin/rootlesskit
bin/runc
bin/slirp4netns
bin/tini
lib/
lib/systemd/
lib/systemd/system/
lib/systemd/system/buildkit.service
lib/systemd/system/containerd.service
lib/systemd/system/stargz-snapshotter.service
libexec/
libexec/cni/
libexec/cni/bandwidth
libexec/cni/bridge
libexec/cni/dhcp
libexec/cni/firewall
libexec/cni/host-device
libexec/cni/host-local
libexec/cni/ipvlan
libexec/cni/loopback
libexec/cni/macvlan
libexec/cni/portmap
libexec/cni/ptp
libexec/cni/sbr
libexec/cni/static
libexec/cni/tuning
libexec/cni/vlan
libexec/cni/vrf
share/
share/doc/
share/doc/nerdctl/
share/doc/nerdctl/README.md
share/doc/nerdctl/docs/
share/doc/nerdctl/docs/build.md
share/doc/nerdctl/docs/builder-debug.md
share/doc/nerdctl/docs/cni.md
share/doc/nerdctl/docs/compose.md
share/doc/nerdctl/docs/config.md
share/doc/nerdctl/docs/cosign.md
share/doc/nerdctl/docs/dir.md
share/doc/nerdctl/docs/experimental.md
share/doc/nerdctl/docs/faq.md
share/doc/nerdctl/docs/freebsd.md
share/doc/nerdctl/docs/gpu.md
share/doc/nerdctl/docs/ipfs.md
share/doc/nerdctl/docs/multi-platform.md
share/doc/nerdctl/docs/nydus.md
share/doc/nerdctl/docs/ocicrypt.md
share/doc/nerdctl/docs/overlaybd.md
share/doc/nerdctl/docs/registry.md
share/doc/nerdctl/docs/rootless.md
share/doc/nerdctl/docs/stargz.md
share/doc/nerdctl-full/
share/doc/nerdctl-full/README.md
share/doc/nerdctl-full/SHA256SUMS


$ tar xf nerdctl-full-0.23.0-linux-amd64.tar.gz -C /usr/local 
$ systemctl enable containerd
# Show usage
$ nerdctl --help
nerdctl is a command line interface for containerd

Config file ($NERDCTL_TOML): /etc/nerdctl/nerdctl.toml

Usage: nerdctl [flags]

Management commands:
  apparmor   Manage AppArmor profiles
  builder    Manage builds
  container  Manage containers
  image      Manage images
  ipfs       Distributing images on IPFS
  namespace  Manage containerd namespaces
  network    Manage networks
  system     Manage containerd
  volume     Manage volumes

Commands:
  build       Build an image from a Dockerfile. Needs buildkitd to be running.
  commit      Create a new image from a container's changes
  completion  Generate the autocompletion script for the specified shell
  compose     Compose
  cp          Copy files/folders between a running container and the local filesystem.
  create      Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  events      Get real time events from the server
  exec        Run a command in a running container
  help        Help about any command
  history     Show the history of an image
  images      List images
  info        Display system-wide information
  inspect     Return low-level information on objects.
  internal    DO NOT EXECUTE MANUALLY
  kill        Kill one or more running containers
  load        Load an image from a tar archive or STDIN
  login       Log in to a Docker registry
  logout      Log out from a Docker registry
  logs        Fetch the logs of a container. Currently, only containers created with `nerdctl run -d` are supported.
  pause       Pause all processes within one or more containers
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  push        Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS.
  rename      rename a container
  restart     Restart one or more running containers
  rm          Remove one or more containers
  rmi         Remove one or more images
  run         Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
  save        Save one or more images to a tar archive (streamed to STDOUT by default)
  start       Start one or more running containers
  stats       Display a live stream of container(s) resource usage statistics.
  stop        Stop one or more running containers
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
  top         Display the running processes of a container
  unpause     Unpause all processes within one or more containers
  update      Update one or more running containers
  version     Show the nerdctl version information
  wait        Block until one or more containers stop, then print their exit codes.

Flags:
  -H, --H string                 Alias of --address (default "/run/containerd/containerd.sock")
  -a, --a string                 Alias of --address (default "/run/containerd/containerd.sock")
      --address string           containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock")
      --cgroup-manager string    Cgroup manager to use ("cgroupfs"|"systemd") (default "cgroupfs")
      --cni-netconfpath string   cni config directory [$NETCONFPATH] (default "/etc/cni/net.d")
      --cni-path string          cni plugins binary directory [$CNI_PATH] (default "/usr/local/libexec/cni")
      --data-root string         Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/var/lib/nerdctl")
      --debug                    debug mode
      --debug-full               debug mode (with full output)
      --experimental             Control experimental: https://github.com/containerd/nerdctl/blob/master/docs/experimental.md [$NERDCTL_EXPERIMENTAL] (default true)
  -h, --help                     help for nerdctl
      --host string              Alias of --address (default "/run/containerd/containerd.sock")
      --hosts-dir strings        A directory that contains <HOST:PORT>/hosts.toml (containerd style) or <HOST:PORT>/{ca.cert, cert.pem, key.pem} (docker style) (default [/etc/containerd/certs.d,/etc/docker/certs.d])
      --insecure-registry        skips verifying HTTPS certs, and allows falling back to plain HTTP
  -n, --n string                 Alias of --namespace (default "default")
      --namespace string         containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default")
      --snapshotter string       containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs")
      --storage-driver string    Alias of --snapshotter (default "overlayfs")
  -v, --version                  version for nerdctl

Run 'nerdctl COMMAND --help' for more information on a command.

Test

$ nerdctl run -d --name nginx -p 80:80 nginx:alpine
$ nerdctl ps
CONTAINER ID  IMAGE                           COMMAND                   CREATED        STATUS  PORTS               NAMES
4dc4a4e4d872  docker.io/library/nginx:alpine  "/docker-entrypoint...."  5 seconds ago  Up      0.0.0.0:80->80/tcp  nginx
$ curl 127.0.0.1

Using nerdctl in a Kubernetes cluster

# Install nerdctl in a Kubernetes environment that uses containerd
$ wget https://github.com/containerd/nerdctl/releases/download/v0.23.0/nerdctl-0.23.0-linux-amd64.tar.gz
# List the archive contents
$ tar tf nerdctl-0.23.0-linux-amd64.tar.gz
nerdctl
containerd-rootless-setuptool.sh
containerd-rootless.sh
# Install into the target directory
$ tar xf nerdctl-0.23.0-linux-amd64.tar.gz -C /usr/local/bin/
$ ls /usr/local/bin/
containerd-rootless-setuptool.sh containerd-rootless.sh nerdctl
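
Both install procedures above unpack a downloaded release archive directly into a system directory. The following added example, which is not part of the original page or of the nerdctl project, checks the archive against the release's SHA256SUMS file and rejects absolute or `..` member paths before extracting. The function names are hypothetical, and it assumes SHA256SUMS was downloaded from the same release page as the archive.

```shell
#!/usr/bin/env bash
# Added example: check a release archive before unpacking it as root.
# Assumptions: SHA256SUMS is the checksum list published with the release and
# was fetched over HTTPS with the archive; all function names are hypothetical.

# verify_sha256 ARCHIVE SUMS: succeed only if ARCHIVE's digest matches its entry.
verify_sha256() {
  local name expected actual
  name=$(basename "$1")
  # Entries look like "<hex digest>  <name>" ("*<name>" in binary mode).
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$2")
  [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 2; }
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$expected" = "$actual" ] || { echo "checksum mismatch: $name" >&2; return 1; }
}

# unsafe_paths: read member names on stdin, print the absolute or ".." ones.
unsafe_paths() {
  grep -E '^/|(^|/)\.\.(/|$)' || true
}

# install_release ARCHIVE SUMS DEST: extract only when both checks pass.
install_release() {
  local bad
  verify_sha256 "$1" "$2" || return 1
  bad=$(tar tf "$1" | unsafe_paths)
  [ -z "$bad" ] || { echo "unsafe member paths: $bad" >&2; return 1; }
  # --no-same-owner: as root, do not keep the uid/gid recorded in the archive.
  tar xf "$1" -C "$3" --no-same-owner
}

# Usage with the page's file names (as root, SHA256SUMS in the same directory):
#   install_release nerdctl-full-0.23.0-linux-amd64.tar.gz SHA256SUMS /usr/local
#   install_release nerdctl-0.23.0-linux-amd64.tar.gz SHA256SUMS /usr/local/bin
```

A missing checksum entry returns 2 and a digest mismatch returns 1, so a wrapper script can tell a wrong SHA256SUMS file apart from a modified archive.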

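Note: the -n k8s.io option is required to see the images and containers in the k8s namespace.

# List images in the k8s namespace
$ nerdctl -n k8s.io images
# List containers in the k8s namespace
$ nerdctl -n k8s.io ps
# List images in the default namespace
$ nerdctl images
# List containers in the default namespace
$ nerdctl ps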

If the CNI plugins were installed with apt, creating a container fails with the following error:

$ nerdctl run -d --name nginx -p 80:80 nginx:alpine
FATA[0010] failed to create shim: OCI runtime create failed: runc create failed:
unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2022-09-10T12:56:43Z" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\"failed (add): incompatible CNI versions; config is \"1.0.0\", plugin supports[\"0.1.0\" \"0.2.0\" \"0.3.0\" \"0.3.1\" \"0.4.0\"]"
Failed to write to log, write /var/lib/nerdctl/1935db59/containers/default/206d99263af985df7dce896e29451d8ee31234fd0a55b19eb3bde39d2b1bfdd9/oci-hook.createRuntime.log: file already closed:unknown


$ mv /opt/cni/bin/* /srv
# Download the CNI plugins
$ wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
$ tar xf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/
# The container now starts successfully
$ nerdctl start nginx
# Or remove the container and run it again
$ nerdctl run -d --name nginx -p 80:80 nginx:alpine
FATA[0000] name "nginx" is already used by ID "206d99263af985df7dce896e29451d8ee31234fd0a55b19eb3bde39d2b1bfdd9"

$ nerdctl rm -f nginx
nginx
$ nerdctl run -d --name nginx -p 80:80 nginx:alpine
6b7ea18022d3e1293a5149f316742af093e061f3a968eb80762d5fd976dec595
$ nerdctl ps
CONTAINER ID  IMAGE                              COMMAND                     CREATED        STATUS   PORTS            NAMES
94bdff6354c0 docker.io/library/nginx:alpine      "/docker-entrypoint...."   4 seconds ago   Up     0.0.0.0:80->80/tcp nginx
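
The error above arises because the apt-installed bridge plugin implements only CNI 0.1.0 through 0.4.0 while the network config asks for 1.0.0. The following added example, which is not from the original page, uses the CNI specification's VERSION command to list which plugins in a directory cannot serve a given config version. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: ask each CNI plugin which spec versions it implements.
# Relies on the CNI spec's VERSION command; function names are hypothetical.

# supported_versions PLUGIN: print one supported CNI version per line.
supported_versions() {
  echo '{"cniVersion":"1.0.0"}' | CNI_COMMAND=VERSION "$1" 2>/dev/null |
    tr -d ' \n' |
    grep -o '"supportedVersions":\[[^]]*]' |
    grep -oE '[0-9]+\.[0-9]+\.[0-9]+' || true
}

# plugin_supports PLUGIN VERSION: succeed if PLUGIN lists VERSION.
plugin_supports() {
  supported_versions "$1" | grep -qxF "$2"
}

# incompatible_plugins DIR VERSION: print the plugins in DIR that lack VERSION.
incompatible_plugins() {
  local p
  for p in "$1"/*; do
    # Skip anything that is not an executable regular file.
    [ -f "$p" ] && [ -x "$p" ] || continue
    plugin_supports "$p" "$2" || basename "$p"
  done
}

# Usage on a node, before and after replacing the plugins:
#   incompatible_plugins /opt/cni/bin 1.0.0
```

Empty output means every plugin in the directory accepts the requested config version.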

Command completion for nerdctl

Add source <(nerdctl completion bash) to /etc/profile:

$ vim /etc/profile
source <(nerdctl completion bash)

$ . /etc/profile

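When querying images or containers that belong to k8s, always add -n k8s.io.

For example:

# List images in the k8s namespace
$ nerdctl -n k8s.io images
# List containers in the k8s namespace
$ nerdctl -n k8s.io ps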

From: https://www.cnblogs.com/guangdelw/p/17154223.html
