其他分享
首页 > 其他分享> > Containerd的高级命令行工具nerdctl

Containerd的高级命令行工具nerdctl

作者:互联网

Containerd的高级命令行工具nerdctl

安装

我们要在GitHub Release页面上下载对应的压缩包解压到PATH路径下:

# 如果没有安装 containerd,则可以下载 nerdctl-full-<VERSION>-linux-amd64.tar.gz 包进行安装
wget https://github.com/containerd/nerdctl/releases/download/v0.12.1/nerdctl-0.12.1-linux-amd64.tar.gz
# 如果有限制,也可以替换成下面的 URL 加速下载
# wget https://download.fastgit.org/containerd/nerdctl/releases/download/v0.12.1/nerdctl-0.12.1-linux-amd64.tar.gz
mkdir -p /usr/local/containerd/bin/ && tar -zxvf nerdctl-0.12.1-linux-amd64.tar.gz nerdctl && mv nerdctl /usr/local/containerd/bin/
ln -s /usr/local/containerd/bin/nerdctl /usr/local/bin/nerdctl
nerdctl version
    Client:
     Version:       v0.12.1
     Git commit:    c802f934791f83dacf20a041cd1c865f8fac954e

    Server:
     containerd:
      Version:      v1.5.5
      Revision:     72cec4be58a9eb6b2910f5d10f1c01ca47d231c0

命令

nerdctl run

nerdctl run 和docker run的运行容器命令类似,例如:

nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:alpine
    docker.io/library/nginx:alpine:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
    index-sha256:bead42240255ae1485653a956ef41c9e458eb077fcb6dc664cbc3aa9701a05ce:    done           |++++++++++++++++++++++++++++++++++++++| manifest-sha256:ce6ca11a3fa7e0e6b44813901e3289212fc2f327ee8b1366176666e8fb470f24: done           |++++++++++++++++++++++++++++++++++++++| config-sha256:7ce0143dee376bfd2937b499a46fb110bda3c629c195b84b1cf6e19be1a9e23b:   done           |++++++++++++++++++++++++++++++++++++++| elapsed: 5.3 s                                                                    total:  3.1 Ki (606.0 B/s)                                       6e489777d2f73dda8a310cdf8da9df38353c1aa2021d3c2270b30eff1806bcf8

可选的参数使用和 docker run 基本一直,比如 -i-t--cpus--memory 等选项,可以使用 nerdctl run --help 获取可使用的命令选项:

nerdctl run --help
    NAME:
       nerdctl run - Run a command in a new container

    USAGE:
       nerdctl run [command options] [arguments...]

    OPTIONS:
       --help                        show help (default: false)
       --tty, -t                     (Currently -t needs to correspond to -i) (default: false)
       --interactive, -i             Keep STDIN open even if not attached (default: false)
       --detach, -d                  Run container in background and print container ID (default: false)
       --restart value               Restart policy to apply when a container exits (implemented values: "no"|"always") (default: "no")
       --rm                          Automatically remove the container when it exits (default: false)
       --pull value                  Pull image before running ("always"|"missing"|"never") (default: "missing")
       --network value, --net value  Connect a container to a network ("bridge"|"host"|"none") (default: "bridge")
       --dns value                   Set custom DNS servers (default: "8.8.8.8", "1.1.1.1")
       --publish value, -p value     Publish a container's port(s) to the host
       --hostname value, -h value    Container host name
       --cpus value                  Number of CPUs (default: 0)
       --memory value, -m value      Memory limit
       --pid value                   PID namespace to use
       --pids-limit value            Tune container pids limit (set -1 for unlimited) (default: -1)
       --cgroupns value              Cgroup namespace to use, the default depends on the cgroup version ("host"|"private") (default: "host")
       --cpuset-cpus value           CPUs in which to allow execution (0-3, 0,1)
       --cpu-shares value            CPU shares (relative weight) (default: 0)
       --device value                Add a host device to the container
       --user value, -u value        Username or UID (format: <name|uid>[:<group|gid>])
       --security-opt value          Security options
       --cap-add value               Add Linux capabilities
       --cap-drop value              Drop Linux capabilities
       --privileged                  Give extended privileges to this container (default: false)
       --runtime value               Runtime to use for this container, e.g. "crun", or "io.containerd.runsc.v1" (default: "io.containerd.runc.v2")
       --sysctl value                Sysctl options
       --gpus value                  GPU devices to add to the container ('all' to pass all GPUs)
       --volume value, -v value      Bind mount a volume
       --read-only                   Mount the container's root filesystem as read only (default: false)
       --rootfs                      The first argument is not an image but the rootfs to the exploded container (default: false)
       --entrypoint value            Overwrite the default ENTRYPOINT of the image
       --workdir value, -w value     Working directory inside the container
       --env value, -e value         Set environment variables
       --env-file value              Set environment variables from file
       --name value                  Assign a name to the container
       --label value, -l value       Set meta data on a container
       --label-file value            Read in a line delimited file of labels
       --cidfile value               Write the container ID to the file
       --shm-size value              Size of /dev/shm

nerctl exec

同样也可以使用 exec 命令执行容器相关命令,例如:

 nerdctl exec -it nginx /bin/sh
    / # date
    Thu Aug 19 06:43:19 UTC 2021
    / #

容器管理

nerdctl ps: 列出容器

使用nerdctl ps命令可以列出所有容器。

nerdctl ps
    CONTAINER ID    IMAGE                             COMMAND                   CREATED           STATUS    PORTS                 NAMES
    6e489777d2f7    docker.io/library/nginx:alpine    "/docker-entrypoint.…"    10 minutes ago    Up        0.0.0.0:80->80/tcp    nginx

同样可以使用 -a 选项显示所有的容器列表,默认只显示正在运行的容器,不过需要注意的是 nerdctl ps 命令并没有实现 docker ps 下面的 --filter--format--last--size 等选项。

nerctl inspect

获取容器的详细信息。基本上与docker inspect一致

nerdctl inspect nginx
    [
        {
            "Id": "6e489777d2f73dda8a310cdf8da9df38353c1aa2021d3c2270b30eff1806bcf8",
            "Created": "2021-08-19T06:35:46.403464674Z",
            "Path": "/docker-entrypoint.sh",
            "Args": [
                "nginx",
                "-g",
                "daemon off;"
            ],
            "State": {
                "Status": "running",
                "Running": true,
                "Paused": false,
                "Pid": 2002,
                "ExitCode": 0,
                "FinishedAt": "0001-01-01T00:00:00Z"
            },
            "Image": "docker.io/library/nginx:alpine",
            "ResolvConfPath": "/var/lib/nerdctl/1935db59/containers/default/6e489777d2f73dda8a310cdf8da9df38353c1aa2021d3c2270b30eff1806bcf8/resolv.conf",
            "LogPath": "/var/lib/nerdctl/1935db59/containers/default/6e489777d2f73dda8a310cdf8da9df38353c1aa2021d3c2270b30eff1806bcf8/6e489777d2f73dda8a310cdf8da9df38353c1aa2021d3c2270b30eff1806bcf8-json.log",
            "Name": "nginx",
            "Driver": "overlayfs",
            "Platform": "linux",
            "AppArmorProfile": "nerdctl-default",
            "NetworkSettings": {
                "Ports": {
                    "80/tcp": [
                        {
                            "HostIp": "0.0.0.0",
                            "HostPort": "80"
                        }
                    ]
                },
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "IPAddress": "10.4.0.3",
                "IPPrefixLen": 24,
                "MacAddress": "f2:b1:8e:a2:fe:18",
                "Networks": {
                    "unknown-eth0": {
                        "IPAddress": "10.4.0.3",
                        "IPPrefixLen": 24,
                        "GlobalIPv6Address": "",
                        "GlobalIPv6PrefixLen": 0,
                        "MacAddress": "f2:b1:8e:a2:fe:18"
                    }
                }
            }
        }
    ]

nerdctl logs

获取容器日志

nerdctl logs -f nginx
	......
2021/08/19 06:35:46 [notice] 1#1: start worker processes
2021/08/19 06:35:46 [notice] 1#1: start worker process 32
2021/08/19 06:35:46 [notice] 1#1: start worker process 33

支持 -f-t-n--since--until 这些选项。

nerdctl rm

删除容器

nerdctl rm nginx
    You cannot remove a running container f4ac170235595f28bf962bad68aa81b20fc83b741751e7f3355bd77d8016462d. Stop the container before attempting removal or force remove
nerdctl rm -f ginx
	nginx
nerdctl ps
	CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES

要强制删除同样可以使用 -f--force 选项来操作。

镜像管理

nerdctl images: 查看镜像列表

nerdctl images
    REPOSITORY    TAG       IMAGE ID        CREATED           SIZE
    alpine        latest    eb3e4e175ba6    6 days ago        5.9 MiB
    nginx         alpine    bead42240255    29 minutes ago    16.0 KiB

也需要注意的是没有实现 docker images 的一些选项,比如 --all--digests--filter--format

nerdctl pull: 拉取镜像

docker.io/library/busybox:latest:
    resolved       |++++++++++++++++++++++++++++++++++++++|
    index-sha256:0f354ec1728d9ff32edcd7d1b8bbdfc798277ad36120dc3dc683be44524c8b60:    done           |++++++++++++++++++++++++++++++++++++++| manifest-sha256:dca71257cd2e72840a21f0323234bb2e33fea6d949fa0f21c5102146f583486b: done           |++++++++++++++++++++++++++++++++++++++| config-sha256:69593048aa3acfee0f75f20b77acb549de2472063053f6730c4091b53f2dfb02:   done           |++++++++++++++++++++++++++++++++++++++| layer-sha256:b71f96345d44b237decc0c2d6c2f9ad0d17fde83dad7579608f1f0764d9686f2:    done           |++++++++++++++++++++++++++++++++++++++| elapsed: 5.9 s                                                                    total:  752.8  (127.5 KiB/s)

nerdctl push:推送镜像

当然在推送镜像之前也可以使用 nerdctl login 命令登录到镜像仓库,然后再执行 push 操作。

可以使用 nerdctl login --username xxx --password xxx 进行登录,使用 nerdctl logout 可以注销退出登录。

nerdctl tag:镜像标签

使用 tag 命令可以为一个镜像创建一个别名镜像:

nerdctl images
    REPOSITORY    TAG                  IMAGE ID        CREATED           SIZE
    busybox       latest               0f354ec1728d    6 minutes ago     1.3 MiB
    nginx         alpine               bead42240255    41 minutes ago    16.0 KiB
nerdctl tag nginx:alpine harbor.k8s.local/course/nginx:alpine
nerdctl images
    REPOSITORY                       TAG                  IMAGE ID        CREATED           SIZE
    busybox                          latest               0f354ec1728d    7 minutes ago     1.3 MiB
    nginx                            alpine               bead42240255    41 minutes ago    16.0 KiB
    harbor.k8s.local/course/nginx    alpine               bead42240255    2 seconds ago     16.0 KiB

nerdctl save:导出镜像

使用 save 命令可以导出镜像为一个 tar 压缩包。

nerdctl save -o busybox.tar.gz busybox:latest
ls -lh busybox.tar.gz
	-rw-r--r-- 1 root root 761K Aug 19 15:19 busybox.tar.gz

nerdctl rmi:删除镜像

nerdctl rmi busybox
    Untagged: docker.io/library/busybox:latest@sha256:0f354ec1728d9ff32edcd7d1b8bbdfc798277ad36120dc3dc683be44524c8b60
    Deleted: sha256:5b8c72934dfc08c7d2bd707e93197550f06c0751023dabb3a045b723c5e7b373

nerdctl load:导入镜像

使用 load 命令可以将上面导出的镜像再次导入:

nerdctl load -i busybox.tar.gz
    unpacking docker.io/library/busybox:latest (sha256:0f354ec1728d9ff32edcd7d1b8bbdfc798277ad36120dc3dc683be44524c8b60)...done

使用 -i--input 选项指定需要导入的压缩包。

镜像构建

镜像构建是平时我们非常重要的一个需求,我们知道 ctr 并没有构建镜像的命令,而现在我们又不使用 Docker 了,那么如何进行镜像构建了,幸运的是 nerdctl 就提供了 nerdctl build 这样的镜像构建命令。

nerdctl build:从Dockerfile构建镜像

比如现在我们定制一个 nginx 镜像,新建一个如下所示的 Dockerfile 文件:

FROM nginx
RUN echo 'Hello Nerdctl From Containerd' > /usr/share/nginx/html/index.html

然后在文件所在目录执行镜像构建命令:

nerdctl build -t nginx:nerdctl -f Dockerfile .
    FATA[0000] `buildctl` needs to be installed and `buildkitd` needs to be running, see https://github.com/moby/buildkit: exec: "buildctl": executable file not found in $PATH

可以看到有一个错误提示,需要我们安装 buildctl 并运行 buildkitd,这是因为 nerdctl build 需要依赖 buildkit 工具。

buildkit 项目也是 Docker 公司开源的一个构建工具包,支持 OCI 标准的镜像构建。它主要包含以下部分:

buildkit 是典型的 C/S 架构,客户端和服务端是可以不在一台服务器上,而 nerdctl 在构建镜像的时候也作为 buildkitd 的客户端,所以需要我们安装并运行 buildkitd

所以接下来我们先来安装 buildkit

wget https://github.com/moby/buildkit/releases/download/v0.9.1/buildkit-v0.9.1.linux-amd64.tar.gz
    # 如果有限制,也可以替换成下面的 URL 加速下载
    # wget https://download.fastgit.org/moby/buildkit/releases/download/v0.9.1/buildkit-v0.9.1.linux-amd64.tar.gz
tar -zxvf buildkit-v0.9.1.linux-amd64.tar.gz -C /usr/local/containerd/
    bin/
    bin/buildctl
    bin/buildkit-qemu-aarch64
    bin/buildkit-qemu-arm
    bin/buildkit-qemu-i386
    bin/buildkit-qemu-mips64
    bin/buildkit-qemu-mips64el
    bin/buildkit-qemu-ppc64le
    bin/buildkit-qemu-riscv64
    bin/buildkit-qemu-s390x
    bin/buildkit-runc
    bin/buildkitd
ln -s /usr/local/containerd/bin/buildkitd /usr/local/bin/buildkitd
ln -s /usr/local/containerd/bin/buildctl /usr/local/bin/buildctl

这里我们使用 Systemd 来管理 buildkitd,创建如下所示的 systemd unit 文件:

cat /etc/systemd/system/buildkit.service
    [Unit]
    Description=BuildKit
    Documentation=https://github.com/moby/buildkit

    [Service]
    ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

    [Install]
    WantedBy=multi-user.target

然后启动 buildkitd

systemctl daemon-reload
systemctl enable buildkit --now
	Created symlink /etc/systemd/system/multi-user.target.wants/buildkit.service → /etc/systemd/system/buildkit.service.
systemctl status buildkit
    ● buildkit.service - BuildKit
         Loaded: loaded (/etc/systemd/system/buildkit.service; enabled; vendor preset: enabled)
         Memory: 8.6M
         CGroup: /system.slice/buildkit.service
                 └─5779 /usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

    Aug 19 16:03:10 ydzsio systemd[1]: Started BuildKit.
    Aug 19 16:03:10 ydzsio buildkitd[5779]: time="2021-08-19T16:03:10+08:00" level=warning msg="using host network as the default"
    Aug 19 16:03:10 ydzsio buildkitd[5779]: time="2021-08-19T16:03:10+08:00" level=info msg="found worker \"euznuelxhxb689bc5of7pxmbc\", labels>
    Aug 19 16:03:10 ydzsio buildkitd[5779]: time="2021-08-19T16:03:10+08:00" level=info msg="found 1 workers, default=\"euznuelxhxb689bc5of7pxm>
    Aug 19 16:03:10 ydzsio buildkitd[5779]: time="2021-08-19T16:03:10+08:00" level=warning msg="currently, only the default worker can be used."
    Aug 19 16:03:10 ydzsio buildkitd[5779]: time="2021-08-19T16:03:10+08:00" level=info msg="running server on /run/buildkit/buildkitd.sock"
    ~

现在我们再来重新构建镜像:

nerdctl 构建镜像

构建完成后查看镜像是否构建成功:

nerdctl images
    WARN[0000] unparsable image name "overlayfs@sha256:d5b9b9e4c930f30340650cb373f62f97c93ee3b92c83f01c6e00b7b87d62c624"
    REPOSITORY    TAG        IMAGE ID        CREATED               SIZE
    nginx         latest     4d4d96ac750a    4 minutes ago         16.0 KiB
    nginx         nerdctl    d5b9b9e4c930    About a minute ago    24.0 KiB

我们可以看到已经有我们构建的 nginx:nerdctl 镜像了。接下来使用上面我们构建的镜像来启动一个容器进行测试:

nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:nerdctl
	f8f639cb667926023231b13584226b2c7b856847e0a25bd5f686b9a6e7e3cacd
nerdctl ps
    CONTAINER ID    IMAGE                              COMMAND                   CREATED         STATUS    PORTS                 NAMES
    f8f639cb6679    docker.io/library/nginx:nerdctl    "/docker-entrypoint.…"    1 second ago    Up        0.0.0.0:80->80/tcp    nginx
curl localhost
	This is a nerdctl build's nginx image base on containerd

这样我们就使用 nerdctl + buildkitd 轻松完成了容器镜像的构建。

当然如果你还想在单机环境下使用 Docker Compose,在 containerd 模式下,我们也可以使用 nerdctl 来兼容该功能。同样我们可以使用 nerdctl composenerdctl compose upnerdctl compose logsnerdctl compose buildnerdctl compose down 等命令来管理 Compose 服务。这样使用 containerd、nerdctl 结合 buildkit 等工具就完全可以替代 docker 在镜像构建、镜像容器方面的管理功能了。

标签:--,Containerd,value,nerdctl,nginx,buildkit,命令行,镜像
来源: https://www.cnblogs.com/l-uz/p/16519631.html