Containerd 客户端工具 nerdctl
相比Containerd自带的ctr工具,nerdctl的操作方式更接近之前的docker命令。nerdctl 是一个与 docker cli 风格兼容的 containerd 客户端工具,并且直接兼容 docker compose 的语法。
仓库:https://github.com/containerd/nerdctl
1. 安装
二进制文件下载路径:https://github.com/containerd/nerdctl/releases
nerdctl 官方发布包含两个安装版本:
- Minimal:仅包含 nerdctl 二进制文件及 rootless 模式下的辅助安装脚本;
- Full:全量包,其中包含了 Containerd、CNI、runc、BuildKit 等完整组件。
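# Pin the release once so the tarball and its checksum list always match.
version=2.0.0-beta.5
tarball="nerdctl-${version}-linux-amd64.tar.gz"
base_url="https://github.com/containerd/nerdctl/releases/download/v${version}"

wget "${base_url}/${tarball}"
wget "${base_url}/SHA256SUMS"
# Verify before unpacking: the binary ends up root-owned on PATH, so a
# corrupted or swapped tarball must stop the install here. The checksum list
# comes from the same release page, so this detects a bad download, not a
# compromised release.
sha256sum --check --ignore-missing SHA256SUMS \
  && mkdir -p nerdctl \
  && tar xf "${tarball}" -C nerdctl/ \
  && mv ./nerdctl/nerdctl /usr/bin/nerdctl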
# 检查安装
root@master1:~# nerdctl version
WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH
Client:
Version: v2.0.0-beta.5
OS/Arch: linux/amd64
Git commit: 9236b9370203b7f3274ae8d1417cc6ddcbdd4511
buildctl:
Version:
Server:
containerd:
Version: 1.7.12
GitCommit:
runc:
Version: 1.1.12-0ubuntu3
2. nerdctl使用
2.1 可以将nerdctl更名为docker
# 创建docker执行文件,确保nerdctl路径正确
root@master1:~# cat << 'EOF' > /usr/local/bin/docker
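#!/bin/bash
# docker -> nerdctl shim. The path must be where nerdctl was actually
# installed; the install step on this page moves it to /usr/bin/nerdctl.
# "$@" is quoted so arguments containing spaces or glob characters reach
# nerdctl unchanged; exec replaces the shim process so signals and the exit
# status pass straight through.
exec /usr/bin/nerdctl "$@"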
EOF
root@master1:~# chmod +x /usr/local/bin/docker
这样就可以把 docker 作为命令使用了。
2.2 nerdctl bash自动补全
root@master1:~ # apt install bash-completion
root@master1:~ # nerdctl completion bash > /etc/bash_completion.d/nerdctl
root@master1:~ # source /etc/bash_completion.d/nerdctl
# 如果遇到如下问题,执行source命令解决
root@master1:~# nerdctl image_get_comp_words_by_ref: command not found
_get_comp_words_by_ref: command not found
_get_comp_words_by_ref: command not found
^C
root@master1:~# source /usr/share/bash-completion/bash_completion
# 写入.bashrc文件
echo "source /etc/bash_completion.d/nerdctl" >> ~/.bashrc
echo "source /usr/share/bash-completion/bash_completion" >> ~/.bashrc
2.3 nerdctl在k8s下使用
k8s 默认使用 k8s.io namespace,而 nerdctl 默认使用 default namespace。如果需要查看 k8s 相关镜像,需要加上 "--namespace=k8s.io" 来指定。
# 打印k8s相关容器
nerdctl --namespace k8s.io ps -a
# 镜像列表
nerdctl images --namespace=k8s.io
nerdctl -n=k8s.io images
# 构建镜像
nerdctl --namespace k8s.io build -t nginx:nerdctl .
或者在 nerdctl 配置文件中指定 nerdctl 默认使用 k8s.io namespace(注意:此后 rm、rmi 等命令默认作用于 kubelet 管理的容器和镜像):
root@master1:~# mkdir /etc/nerdctl/
root@master1:~# cat >> /etc/nerdctl/nerdctl.toml << EOF
namespace = "k8s.io"
EOF
3. 容器管理
运行容器:
root@master1:~# nerdctl images | grep nginx
nginx 1.27.0 91bb02101775 20 hours ago linux/amd64 192.8 MiB 182.9 MiB
# 运行容器
root@master1:~# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:1.27.0
f506dd37ea00a8f2581cfefec977d4189774960fe1ffe6567632ee331af80c78
# 进入容器
root@master1:~# nerdctl exec -it nginx /bin/bash
root@f506dd37ea00:/#
# 查看容器列表
root@master1:~# nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0417a801d4e7 registry.cn-hangzhou.aliyuncs.com/chenby/pause:3.8 "/pause" 3 hours ago Up k8s://kube-system/kube-proxy-m6z76
...
# 获取容器的详细信息
root@master1:~# nerdctl inspect nginx
[
{
"Id": "f506dd37ea00a8f2581cfefec977d4189774960fe1ffe6567632ee331af80c78",
"Created": "2024-06-23T03:38:30.407728208Z",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
...
# 停止容器
root@master1:~# nerdctl stop nginx
# 启动容器
root@master1:~# nerdctl start nginx
# 查看日志
root@master1:~# nerdctl logs -f nginx
...
# 删除容器。需要在关闭状态下删除,或者加-f强制删除
root@master1:~# nerdctl rm nginx
FATA[0000] 1 errors:
container f506dd37ea00a8f2581cfefec977d4189774960fe1ffe6567632ee331af80c78 is in running status. unpause/stop container first or force removal
root@master1:~# nerdctl rm -f nginx
nginx
4. 镜像管理
# 查看镜像列表
root@master1:~# nerdctl images
nginx 1.27.0 91bb02101775 22 hours ago linux/amd64 192.8 MiB 182.9 MiB
# 创建tag
root@master1:~# nerdctl tag nginx:1.27.0 lldhsds/nginx:latest
# 拉取镜像
root@master1:~# nerdctl pull python:3.10
# 推送镜像,先执行登录,然后推送
nerdctl login
nerdctl push lldhsds/nginx:latest
# 导出镜像
nerdctl save -o busybox.tar.gz busybox:latest
# 导入镜像
nerdctl load -i busybox.tar.gz
# 删除镜像
nerdctl rmi busybox
5. 网络管理
# 查看网络
root@master1:~# nerdctl network ls
NETWORK ID NAME FILE
cbr0 /etc/cni/net.d/10-flannel.conflist
17f29b073143 bridge /etc/cni/net.d/nerdctl-bridge.conflist
host
none
# 创建桥接网络
root@master1:~# nerdctl network create -d bridge --subnet 10.255.0.0/16 mynet
11c844f95e2862126712e209cd3acbc68c137931c639633da9dfc17b3a464bde
root@master1:~# nerdctl network ls
NETWORK ID NAME FILE
cbr0 /etc/cni/net.d/10-flannel.conflist
17f29b073143 bridge /etc/cni/net.d/nerdctl-bridge.conflist
11c844f95e28 mynet /etc/cni/net.d/nerdctl-mynet.conflist
host
none
root@master1:~# cat /etc/cni/net.d/nerdctl-mynet.conflist
{
"cniVersion": "1.0.0",
"name": "mynet",
"nerdctlID": "11c844f95e2862126712e209cd3acbc68c137931c639633da9dfc17b3a464bde",
"nerdctlLabels": {},
"plugins": [
{
"type": "bridge",
"bridge": "br-11c844f95e28",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"ranges": [
[
{
"gateway": "10.255.0.1",
"subnet": "10.255.0.0/16"
}
]
],
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"type": "host-local"
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall",
"ingressPolicy": "same-bridge"
},
{
"type": "tuning"
}
]
6. 镜像构建
ctr命令不支持镜像构建,nerdctl通过安装buildkit可以支持镜像构建。
buildkit组成部分:
- buildkitd(服务端),目前支持runc和containerd作为镜像构建环境,默认是runc,可以更换containerd。
- buildctl(客户端),负责解析Dockerfile文件、并向服务端buildkitd发出构建请求。
buildkit仓库:https://github.com/moby/buildkit
root@master1:~# wget https://github.com/moby/buildkit/releases/download/v0.14.1/buildkit-v0.14.1.linux-amd64.tar.gz
root@master1:~# mkdir /opt/buildkit && tar -zxvf buildkit-v0.14.1.linux-amd64.tar.gz -C /opt/buildkit/
root@master1:~# ln -s /opt/buildkit/bin/buildctl /usr/local/bin/
root@master1:~# ln -s /opt/buildkit/bin/buildkitd /usr/local/bin/
# 用Systemd来管理buildkitd
root@master1:~# cat >> /etc/systemd/system/buildkit.service <<EOF
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true
[Install]
WantedBy=multi-user.target
EOF
root@master1:~# systemctl daemon-reload
root@master1:~# systemctl enable buildkit --now
Created symlink /etc/systemd/system/multi-user.target.wants/buildkit.service → /etc/systemd/system/buildkit.service.
root@master1:~# systemctl status buildkit
# 验证nerdctl与buildctl
root@master1:~# nerdctl version
Client:
Version: v2.0.0-beta.5
OS/Arch: linux/amd64
Git commit: 9236b9370203b7f3274ae8d1417cc6ddcbdd4511
buildctl:
Version: v0.14.1
GitCommit: eb864a84592468ee9b434326cb7efd66f58555af
Server:
containerd:
Version: 1.7.12
GitCommit:
runc:
Version: 1.1.12-0ubuntu3
从Dockerfile构建镜像,创建Dockerfile文件,内容如下:
root@master1:~/buidctl# cat > Dockerfile <<EOF
FROM nginx:latest
RUN echo -e "Hello Nerdctl From Containerd" > /usr/share/nginx/html/index.html
EOF
构建镜像:
root@master1:~/buidctl# nerdctl build -t nginx:nerdctl .
[+] Building 10.7s (6/6) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 134B 0.0s
=> [internal] load metadata for docker.io/library/nginx:latest 7.4s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/2] FROM docker.io/library/nginx:latest@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e 1.5s
=> => resolve docker.io/library/nginx:latest@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e 0.0s
=> => extracting sha256:2cc3ae149d28a36d28d4eefbae70aaa14a0c9eab588c3790f7979f310b893c44 0.5s
=> => extracting sha256:1018f2b8dba8ffec0afc981d5bae673e38ecac6ca29a861d12cccbd820d53f8d 0.9s
=> => extracting sha256:b831e78d8e20641c11c527baff6e2c7bae6a43cc1ab4316a5532885d6461b1e7 0.0s
=> => extracting sha256:3ab22521e91957c19caeb12eadcad2823fdca853477acb38cd5e9a1ebe57e96e 0.0s
=> => extracting sha256:5112bf42775bbb6a896ccd3ad63cbf864976fb1c047a4c56f316cf78d3edd756 0.0s
=> => extracting sha256:cbdaf9e4ee2d8507bf2e162c560cfb0b37567db3870235b8940aeb157d628327 0.0s
=> => extracting sha256:a06b6fd631e8e2091ce18db1a1b063f14f06a63d0513cafc51500ce7cb1ae2f4 0.0s
=> [2/2] RUN echo -e "Hello Nerdctl From Containerd" > /usr/share/nginx/html/index.html 0.3s
=> exporting to docker image format 1.4s
=> => exporting layers 0.0s
=> => exporting manifest sha256:77b08cbea3668d12b71ea1b1fa55bb81e24056b38d0b3fe864bc127706ba70aa 0.0s
=> => exporting config sha256:244a13280dc34ea76b8d9229ed0438c29117db56e2659add3d7fc2bacd264651 0.0s
=> => sending tarball 1.4s
unpacking docker.io/library/nginx:nerdctl (sha256:77b08cbea3668d12b71ea1b1fa55bb81e24056b38d0b3fe864bc127706ba70aa)...
Loaded image: docker.io/library/nginx:nerdctl
说明:
构建镜像时支持指定命名空间:
nerdctl --namespace k8s.io build -t nginx:nerdctl .
测试构建的镜像(返回内容开头的 "-e" 是因为该镜像中 /bin/sh 内置的 echo 不识别 -e 选项,将其原样写入了文件;去掉 -e 或改用 printf 即可):
root@master1:~/buidctl# nerdctl run -d -p 10080:80 --name=nginx --restart=always nginx:nerdctl
c707f450a88a026d05f2f2bf784ed417e47bf1a5d74d0dadc1e045b904a71073
root@master1:~/buidctl# curl http://127.0.0.1:10080
-e Hello Nerdctl From Containerd
注意
nerdctl 构建的机制和 docker 是不同的:
- docker 首先会检查本地是否有 Dockerfile 中 FROM 的镜像。如果有,直接使用。没有则通过网络下载镜像;
- nerdctl 会根据 Dockerfile FROM参数指定镜像的域名去网上找这个镜像,找到后确认和本地同名镜像校验无误之后,才会使用本地的镜像构建新镜像。
7. 兼容docker compose
nerdctl 兼容 docker compose:
配置清单文件:
root@master1:~# cat docker-compose.yml
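version: "3.7"
services:
  nginx-test:
    container_name: "nginx-test"
    # NOTE(review): floating tag; pin a version or digest for reproducible deploys.
    image: nginx:alpine
    restart: always
    networks:
      - test_net
    ports:
      # Published on every host interface (0.0.0.0:20080); prefix with
      # 127.0.0.1: if only local access is needed.
      - 20080:80
networks:
  test_net:
    name: test_net
    driver: bridge
    ipam:
      config:
        # NOTE(review): 172.100.0.0/16 is outside the RFC 1918 block
        # 172.16.0.0/12, so it overlaps publicly routable addresses;
        # confirm this is intended.
        - subnet: "172.100.0.0/16"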
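通过 nerdctl compose 启动(下面输出中的 WARN 表明拉取 docker.io 镜像时跳过了 HTTPS 证书校验,通常意味着本机启用了 insecure registry 配置,例如 --insecure-registry;这样拉取的镜像无法防范传输过程中的篡改,生产环境应保持证书校验开启):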
root@master1:~# nerdctl compose up -d
INFO[0000] Ensuring image nginx:alpine
WARN[0000] skipping verifying HTTPS certs for "docker.io"
docker.io/library/nginx:alpine: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:a45ee5d042aaa9e81e013f97ae40c3dda26fbe98f22b6251acdf28e579560d55: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:d0540253e168c1c4a6ec65d259aadc293efa9b35ad9bf8575a81fa414f79e0c6: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:099a2d701db1f36dcc012419be04b7da299f48b4d2054fa8ab51e7764891e233: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0102bea57027dc7aee55edbe80b59dec0853bf7fbdfa6b92bcd00bc7eb8d953c: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:6b549263cbbd6a62fbe0fc206b12bfdaf0f8be68ce22381354b69158a965da9a: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:8311a42582b3be423b36b2d2b20dc028c69b089c941ed07c31cb35399305461c: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:56051d5ceced327050d3affcbe858aabf524aacc3bd3a8fb5879dc9f2943af9c: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:86c35ade2ef3fc036c4d252dc91d9bbcb7a182cccde80ed8cd38f2441cc1d114: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:b84a74cde5af5c5199bfc2ce2a8c8951a29a7716d17327e923f1a14c870a858b: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4838760d22df5943d9a3eadd764e3dfc8477e8e28651724efdb110723febcfb3: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ec939b2456d7dd88a36bb7b620b10caed3301f2c440d3385ec7686d69823e69d: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 21.7s total: 17.6 M (828.2 KiB/s)
INFO[0021] Creating container nginx-test
# 查看启动的容器
root@master1:~# nerdctl compose ps
NAME IMAGE COMMAND SERVICE STATUS PORTS
nginx-test docker.io/library/nginx:alpine "/docker-entrypoint.…" nginx-test running 0.0.0.0:20080->80/tcp
root@master1:~# nerdctl exec -it nginx-test sh
/ # ps -elf
PID USER TIME COMMAND
1 root 0:00 nginx: master process nginx -g daemon off;
30 nginx 0:00 nginx: worker process
31 nginx 0:00 nginx: worker process
32 nginx 0:00 nginx: worker process
33 nginx 0:00 nginx: worker process
34 root 0:00 sh
40 root 0:00 ps -elf
# 停止
root@master1:~# nerdctl compose down
INFO[0000] Removing container nginx-test
INFO[0000] Removing network test_net
INFO[0000] Removing network root_default
From: https://www.cnblogs.com/lldhsds/p/18263557