Containerd
install by binary
bash
# containerd
# 支持 oci 标准的容器
# https://github.com/containerd/containerd
# the tarball below comes through a third-party mirror: compare its sha256 with the checksum published on the upstream GitHub release before unpacking it as root
$ curl -O https://hub.gitmirror.com/https://github.com/containerd/containerd/releases/download/v1.6.0/cri-containerd-cni-1.6.0-linux-amd64.tar.gz
$ tar -tf cri-containerd-cni-1.6.0-linux-amd64.tar.gz
$ tar -xvf cri-containerd-cni-1.6.0-linux-amd64.tar.gz
# 解压到路径
$ tar -xvf cri-containerd-cni-1.6.0-linux-amd64.tar.gz -C /
$ cp usr/local/bin/containerd /usr/local/bin/
$ cp etc/systemd/system/containerd.service /etc/systemd/system/
$ containerd config default > /etc/containerd/config.toml
$ systemctl enable containerd
$ systemctl start containerd
$ systemctl status containerd
$ cp usr/local/bin/ctr /usr/local/bin/
$ ctr help
# runc
# https://github.com/opencontainers/runc
# seccomp 依赖 可能存在不兼容 另装
$ curl -O https://hub.gitmirror.com/https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
$ mv runc.amd64 /usr/local/sbin/runc
$ chmod +x /usr/local/sbin/runc
config.toml
bash
# mirror
# dockerhub: docker.io
# gcr, google container registry
# kubernetes 项目相关镜像: k8s.gcr.io
# kubernetes 项目相关、docker 镜像: gcr.io
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://dockerhub.mirrors.nwafu.edu.cn"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
endpoint = ["https://registry.aliyuncs.com/k8sxio"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
endpoint = ["xxx"]
"https://docker.anyhub.us.kg",
"https://dockerhub.jobcher.com",
"https://dockerhub.icu",
"https://docker.ckyl.me",
"https://docker.aws19527.cn",
"https://docker.m.daocloud.io",
"https://docker.laoex.link"
image
bash
$ ctr image pull <host>/<namespace>/<image>:<tag>
# host: docker.io
# namespace: library 官方命名空间,替换用户命名空间
$ ctr image pull docker.io/library/nginx:1.21-alpine
$ ctr image pull docker.io/jenkins/jenkins:latest
$ ctr image mount <image> <mount-endpoint>
$ ctr image unmount <mount-endpoint>
$ ctr image export [option] <path> <ref>
$ ctr image import <path>
# copy and rename target of tag
# ref: <host/namespace/image:tag>
$ ctr image tag <source-ref> <target-ref>
container & task
bash
$ ctr container ls
# static container
# image --> container
$ ctr container create
# namespace share
--with-ns "pid:/proc/<pid>/ns/pid"
# mount file
--mount "type=bind,src=/tmp,dst=/host,options=rbind:ro"
# print container info
$ ctr container info
# dynamic container:
# container -> task
# task: container inside process
$ ctr task start <container>
$ ctr task ls
$ ctr task ps <container>
$ ps -ef | grep <pid>
$ ctr task pause <container>
$ ctr task resume <container>
# exec into a running task
# $RANDOM: 系统随机数字变量 (used here as a unique --exec-id)
$ ctr task exec -t --exec-id $RANDOM <container> <cmd>
# image --> task
$ ctr run -d --net-host <ref> [container]
namespace
bash
# tenant partition, default namespace is default
$ ctr namespace create <NAME>
$ ctr namespace create kubemsb
$ ctr -n kubemsb image pull docker.io/library/nginx:alpine
$ ctr -n kubemsb run -d docker.io/library/nginx:alpine nginx
$ ctr -n kubemsb task ls
copy & mv
bash
# /run/containerd/io.containerd.runtime.v2.task/<namespace>/<CONTAINER>/rootfs
cni
bash
# Container Network Interface
# cni: www.github.com/containernetworking/cni
# cni-plugins: www.github.com/containernetworking/plugins
# download
$ curl -O https://hub.gitmirror.com/https://github.com/containernetworking/cni/archive/refs/tags/v1.1.0.tar.gz
$ curl -O https://hub.gitmirror.com/https://github.com/containernetworking/plugins/releases/download/v1.1.0/cni-plugins-linux-amd64-v1.1.0.tgz
$ mkdir cni
$ tar -xvf v1.1.0.tar.gz -C ./cni
$ mkdir cni/cni-1.1.0/plugins/bin
$ tar -xvf cni-plugins-linux-amd64-v1.1.0.tgz -C ./cni/cni-1.1.0/plugins/bin
# config
# by www.github.com/containernetworking/cni/main/README.md
# /etc/cni/net.d/10-mynet.conf
# the "cniVersion" see /cni/release overview
$ cat > /etc/cni/net.d/10-mynet.conf <<EOF
{
"cniVersion": "1.0.0",
"name": "mynet",
"type": "bridge",
"bridge": "cni0",
"isGateway": true,
"ipMasq": true,
"ipam": {
"type": "host-local",
"subnet": "10.23.0.0/16",
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
}
EOF
# /etc/cni/net.d/99-loopback.conf
$ cat > /etc/cni/net.d/99-loopback.conf <<EOF
{
"cniVersion": "1.0.0",
"name": "lo",
"type": "loopback"
}
EOF
# before execute script
$ cd cni/cni-1.1.0/scripts
# create
# dependencies: iptables, jq
$ apt install iptables
$ apt install jq
# script/priv-net-run.sh
CNI_PATH=`pwd`/../plugins/bin ./priv-net-run.sh
# delete
$ ip link delete <interface>
# scripts/exec-plugins.sh
# add or deletes the container specified by NETNS_PATH to the networks
# column 2 of `ctr task ls` is the task PID, which is what /proc/<pid>/ns/net needs
$ CONTAINER_ID=`ctr task ls | grep <TASK> | awk '{print $2}'`
$ NETNS_PATH=/proc/$CONTAINER_ID/ns/net
$ CNI_PATH=`pwd`/../plugins/bin ./exec-plugins.sh <add|del> <CONTAINER_ID> <NETNS_PATH>
iptables
bash
$ iptables -t filter -A INPUT -j DROP -p tcp --dport 8081
$ iptables -t filter -A OUTPUT -j DROP -p tcp -d 127.0.0.1
$ iptables -t filter -D INPUT 1
# /etc/sysctl.conf
# /proc/sys/net/ipv4/ip_forward
$ sysctl -w net.ipv4.ip_forward=1
$ iptables -t nat -L -n
$ iptables -t filter -L -n
# DNAT, Destination Network Address Translation
# SNAT, Source Network Address Translation
# 添加 PREROUTING
$ iptables -t nat -A PREROUTING -j DNAT -p tcp -d <proxy-ip> --dport <proxy-port> --to <target-ip:target-port>
$ iptables -t nat -A PREROUTING -j DNAT -p tcp -d <proxy-ip> --dport <proxy-port> --to-destination <target-ip:target-port>
# 添加 POSTROUTING
$ iptables -t nat -A POSTROUTING -j SNAT -p tcp -d <target-ip> --dport <target-port> --to-source <proxy-ip>
# 或者
$ iptables -t nat -A POSTROUTING -j MASQUERADE -p tcp -d <target-ip> --dport <target-port>
# eg.
$ iptables -t nat -A POSTROUTING -j CNI-5935cb6e9db3cd5c99e752b0 --source 10.22.0.5
# comment: -m comment --comment '<content>'
# eg.
$ iptables -t nat -A POSTROUTING -j CNI-5935cb6e9db3cd5c99e752b0 --source 10.22.0.5 -m comment --comment 'name: "mynet" id: "586"'
Harbor
开源镜像仓库
bash
# dns 设置
# /etc/hosts
127.0.0.1 harbor.kubemsb.com
# modify ref
$ ctr image tag docker.io/library/nginx:alpine harbor.kubemsb.com/library/nginx:alpine
# --plain-http 使用 http,默认 https
# with --plain-http the credentials below travel in clear text; passing only -u <username> makes ctr prompt for the password, so it does not show up in `ps` output or shell history
$ ctr push --platform linux/amd64 --plain-http -u <username>:<passwd> harbor.kubemsb.com/library/nginx:alpine
$ ctr pull --platform linux/amd64 --plain-http harbor.kubemsb.com/library/nginx:alpine