测试环境:Ubuntu20.04

环境准备

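# Base packages (refresh the index first so the install does not pick stale versions)
apt-get update
apt-get install -y net-tools lrzsz

# Prerequisites for containerd: kernel modules, auto-loaded on boot.
# Quoted delimiter: the content is literal, nothing should be expanded.
cat > /etc/modules-load.d/containerd.conf << 'EOF'
overlay
br_netfilter
EOF
# Load them now. br_netfilter must be present before the bridge-nf sysctls below exist,
# so a failure here is reported instead of silently producing "unknown key" later.
modprobe overlay || printf 'modprobe overlay failed\n' >&2
modprobe br_netfilter || printf 'modprobe br_netfilter failed\n' >&2

# Required sysctl parameters; a file under /etc/sysctl.d persists across reboots.
# bridge-nf-call-*: bridged Pod traffic is passed through iptables (kube-proxy/CNI rely on it)
# ip_forward:       needed for routing between Pods/nodes
cat > /etc/sysctl.d/99-kubernetes-cri.conf << 'EOF'
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF

# Apply the sysctl parameters without a reboot
sysctl --system

# Disable swap; kubeadm preflight checks refuse to run with swap enabled
swapoff -a
# swapoff only affects the running system. Comment out swap entries in /etc/fstab as well,
# otherwise swap comes back after a reboot and the kubelet fails to start.
# (keeps a backup as /etc/fstab.bak; already-commented lines are left untouched)
sed -i.bak '/[[:space:]]swap[[:space:]]/s/^[^#]/#&/' /etc/fstab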

containerd安装

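# https://blog.csdn.net/tao12345666333/article/details/110914360
# crictl (cri-tools/kubernetes-xenial 1.13.0-01 amd64) is not needed here; nerdctl is the client used on this page.
apt-get update
# -y: the original line had no -y and blocks on the apt confirmation prompt when run non-interactively
apt-get install -y containerd runc

# Generate the default config once; an existing (possibly hand-edited) file is not clobbered.
# https://github.com/containerd/containerd/blob/master/docs/man/containerd-config.toml.5.md
mkdir -p /etc/containerd
[ -f /etc/containerd/config.toml ] || containerd config default > /etc/containerd/config.toml

# Use the systemd cgroup driver (it must match the driver the kubelet is configured with).
# https://kubernetes.io/zh/docs/setup/production-environment/container-runtimes/
# containerd 1.3.3: the default config has no runc.options table, so it is inserted after the runc runtime table:
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
#     ...
#     [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
#       SystemdCgroup = true
# containerd 1.4+: the default config already contains "SystemdCgroup = false", which is flipped in place.
# Checking the file first makes this idempotent: the previous unconditional "sed a" appended another
# runc.options table on every re-run, and a duplicated TOML table makes containerd reject the config.
if grep -q 'SystemdCgroup' /etc/containerd/config.toml; then
  sed -i.bak 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
else
  sed -i.bak '/containerd.runtimes.runc]/a \          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]\n            SystemdCgroup = true' /etc/containerd/config.toml
fi

# Pull the pause/control-plane images from a mirror instead of k8s.gcr.io.
# NOTE: this moves the image supply chain to a third-party mirror; the images are then only as
# trustworthy as the mirror, so pin them by digest (or verify them on the cluster side) if that matters.
sed -i 's#k8s.gcr.io#registry.aliyuncs.com/google_containers#g' /etc/containerd/config.toml

# Restart to pick up the new config
systemctl restart containerd

# Verify the systemd cgroup driver is enabled.
# The config file itself is the reliable check; the syslog line is kept from the original notes,
# which observed a bug where the log reports "SystemdCgroup: false" even when it is on.
grep SystemdCgroup /etc/containerd/config.toml
grep SystemdCgroup /var/log/syslog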

containerd cni插件

kubeadm 环境下不用处理,自动安装 flannel

kubernetes源码阅读 kubelet对cni的实现

网络插件 | Kubernetes

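# Install the reference CNI plugins (bridge, host-local, loopback, ...)
cni_version=v0.9.1
cni_tgz="cni-plugins-linux-amd64-${cni_version}.tgz"
# PLACEHOLDER: sha256 of the .tgz as published on the GitHub release page.
# When set, the archive is verified before it is unpacked as root into /opt/cni/bin; empty skips the check.
cni_sha256=''
# Download only if the archive is not already present (re-running the notes should not re-download
# or create wget's "file.1" duplicates), then verify, then extract once.
cd /usr/local/src/ \
  && { [ -f "$cni_tgz" ] || wget "https://github.com/containernetworking/plugins/releases/download/${cni_version}/${cni_tgz}"; } \
  && { [ -z "$cni_sha256" ] || printf '%s  %s\n' "$cni_sha256" "$cni_tgz" | sha256sum -c -; } \
  && { [ -f /opt/cni/bin/bridge ] || (mkdir -pv /opt/cni/bin && tar xzf "$cni_tgz" -C /opt/cni/bin/); }

# Network configuration: the important keys are "type" and "ipam"; the bridge plugin is used as the example.
mkdir -p /etc/cni/net.d
# Bridge cni0 with host-local IPAM on 172.26.0.0/16; ipMasq=true NATs Pod traffic leaving the host.
# Quoted delimiter: the JSON is written literally.
cat >/etc/cni/net.d/10-mynet.conf <<'EOF'
{
    "cniVersion": "0.2.0",
    "name": "mynet",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
        "type": "host-local",
        "subnet": "172.26.0.0/16",
        "routes": [
            { "dst": "0.0.0.0/0" }
        ]
    }
}
EOF

# Loopback network
cat >/etc/cni/net.d/99-loopback.conf <<'EOF'
{
    "cniVersion": "0.2.0",
    "type": "loopback"
}
EOF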

containerd 客户端工具 nerdctl

containerd → containerdctl

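# containerd client tool: nerdctl
# http://www.rhce.cc/2901.html
nerdctl_version=0.8.3
nerdctl_tgz="nerdctl-${nerdctl_version}-linux-amd64.tar.gz"
# PLACEHOLDER: sha256 of the tarball as published on the GitHub release page.
# When set, the archive is verified before the binary is copied into /usr/bin; empty skips the check.
nerdctl_sha256=''
# Download only when missing (no re-download / "file.1" duplicates on re-run), verify, install once.
cd /usr/local/src/ \
  && { [ -f "$nerdctl_tgz" ] || wget "https://github.com/containerd/nerdctl/releases/download/v${nerdctl_version}/${nerdctl_tgz}"; } \
  && { [ -z "$nerdctl_sha256" ] || printf '%s  %s\n' "$nerdctl_sha256" "$nerdctl_tgz" | sha256sum -c -; } \
  && { [ -f /usr/bin/nerdctl ] || (tar xzf "$nerdctl_tgz" && cp -v nerdctl /usr/bin/); }

# Shell completion (added to ~/.bashrc only once)
grep -q nerdctl ~/.bashrc || echo 'source <(nerdctl completion bash)' >> ~/.bashrc
source ~/.bashrc

# Smoke test
nerdctl ps
nerdctl run hello-world

# Network test. 0.0.0.0 publishes port 8080 on every host interface, i.e. the test nginx is reachable
# from the network, not just from this host; re-running fails while a container named test-nginx exists.
nerdctl run --name test-nginx -d -p 0.0.0.0:8080:80 nginx
# nerdctl exec -it test-nginx /bin/bash

# Inspect the NAT rule and hit the port directly.
# The host address is taken from the machine instead of being hard-coded (the original notes used
# 10.0.26.199, the author's test host); override with HOST_IP=... when hostname -I picks the wrong interface.
iptables -nvL -t nat | grep 8080
host_ip=${HOST_IP:-$(hostname -I | awk '{print $1}')}
curl "http://${host_ip}:8080"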

buildkit(构建环境)

docker build 依赖 buildkit 命令。BuildKit 是下一代的镜像构建组件,在 https://github.com/moby/buildkit 开源

安装

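# Install buildctl/buildkitd from the upstream release tarball
buildkit_version=v0.8.3
buildkit_tgz="buildkit-${buildkit_version}.linux-amd64.tar.gz"
# PLACEHOLDER: sha256 of the tarball as published on the GitHub release page.
# When set, the archive is verified before the daemon binary is copied into /usr/bin; empty skips the check.
buildkit_sha256=''
# Download only when missing, verify, then extract and install once (the original re-extracted on every run).
cd /usr/local/src/ \
  && { [ -f "$buildkit_tgz" ] || wget "https://github.com/moby/buildkit/releases/download/${buildkit_version}/${buildkit_tgz}"; } \
  && { [ -z "$buildkit_sha256" ] || printf '%s  %s\n' "$buildkit_sha256" "$buildkit_tgz" | sha256sum -c -; } \
  && { [ -f /usr/bin/buildctl ] || (tar xzf "$buildkit_tgz" && cp -v bin/buildctl bin/buildkitd /usr/bin/); }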

systemd服务单元配置

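# Locally managed units belong in /etc/systemd/system. /usr/lib/systemd/system is reserved for
# package-installed units and can be overwritten by package upgrades; /etc takes precedence if both exist.
cat > /etc/systemd/system/buildkit.service << 'EOF'
[Unit]
Description=Dockerfile-agnostic builder toolkit
Documentation=https://github.com/moby/buildkit

[Service]
Type=notify
ExecStart=/usr/bin/buildkitd
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
# systemd only sees a new or changed unit file after a reload
systemctl daemon-reload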

启动

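# Re-read unit files in case buildkit.service was just written or edited
systemctl daemon-reload

# Enable at boot and start immediately
systemctl enable --now buildkit.service

# Check status; --no-pager keeps systemctl from blocking on a pager when run from a script
systemctl status --no-pager buildkit.service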

创建容器

nginx 官方 Dockerfile 为例

docker-nginx/Dockerfile

Dockerfile

基于 centos:7 源码编译一个 nginx

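# Build nginx from source on top of centos:7.
# NOTE: centos:7 reached end-of-life on 2024-06-30 and no longer receives security updates;
# it is kept here only because this example targets it.
nginx_version=1.20.1
# -p: the original "mkdir ~/nginx" fails on the second run because the directory already exists.
# The tarball is downloaded only when missing. nginx.org publishes a .asc PGP signature next to
# each tarball; verify it before building if the source's integrity matters to you.
mkdir -p ~/nginx && cd ~/nginx \
  && { [ -f "nginx-${nginx_version}.tar.gz" ] || wget "https://nginx.org/download/nginx-${nginx_version}.tar.gz"; }

# Dockerfile (quoted delimiter: ${NGINX_VERSION} must reach Docker unexpanded)
cat > Dockerfile << 'EOF'
FROM centos:7

LABEL maintainer="zaza <260458726@qq.com>"

ENV NGINX_VERSION   1.20.1

COPY nginx-${NGINX_VERSION}.tar.gz /usr/local/src

# Build in one layer; the yum cache and the extracted source are removed in the same layer
# so they do not end up in the image.
RUN yum -y install gcc make openssl-devel pcre-devel \
  && useradd www-data -M -s /bin/false \
  && cd /usr/local/src \
  && tar xzf nginx-${NGINX_VERSION}.tar.gz \
  && cd nginx-${NGINX_VERSION} \
  && ./configure --prefix=/usr/local/nginx --user=www-data --group=www-data --with-http_stub_status_module --with-http_ssl_module \
  && make \
  && make install \
  && install -m 755 -o root -g root -d /usr/local/nginx/conf/sites-available \
  && install -m 755 -o root -g root -d /usr/local/nginx/conf/sites-enabled \
  && rm -fr /usr/local/src/* \
  && yum clean all \
  && rm -rf /var/cache/yum \
  && echo "This is test dockerfile nginx" > /usr/local/nginx/html/index.html

# COPY nginx.conf /usr/local/nginx/conf/

EXPOSE 80

CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
EOF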

编译(构建)

# Build the image from the Dockerfile in the current directory (needs a running buildkitd).
# Alternative tag used earlier: zaza-test/nginx-1.20.1:v1
nerdctl build --tag nginx-1.20.1:zaza .

运行测试

# Bind to 0.0.0.0 for access from outside the host; otherwise the NAT rules only cover the
# nerdctl0 network and 127.0.0.1.
nerdctl run -d -p 0.0.0.0:8080:80 --name nginx-zaza nginx-1.20.1:zaza

# Open a shell inside the container
nerdctl exec -i -t nginx-zaza /bin/bash
# ipaddr=$(hostname -I)

自建仓库

registry (docker.com)

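# Run a local registry from the official "registry:2" image.
# The original line had no image argument at all and passed the nginx image tag to --name,
# so it could not start. The registry speaks plain HTTP with no authentication, and the push/pull
# below only ever talk to localhost:5000, so publish the port on 127.0.0.1 instead of every interface.
nerdctl run -d -p 127.0.0.1:5000:5000 --restart always --name registry registry:2

# Usage: pull, retag for the local registry, push
nerdctl pull centos:7
nerdctl tag centos:7 localhost:5000/centos:7
nerdctl push localhost:5000/centos:7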

下载基础容器

Docker Hub

# Pull the base image (about 72 MB)
nerdctl pull centos:7

# Run an instance:
#   --interactive, -i  keep STDIN open even if not attached
#   --tty, -t          allocate an interactive terminal
#   --rm               remove the container when it exits
# In short: start a centos:7 container, drop into it, and have it destroyed on exit.
nerdctl run --rm --interactive --tty centos:7

常见基础镜像

Alpine, Slim, Stretch, Buster, Jessie, Bullseye — What are the Differences in Docker Images?

alpine

A minimal Docker image based on Alpine Linux with a complete package index and only 5 MB in size!

Alpine 是众多 Linux 发行版中的一员,和 CentOS、Ubuntu、Archlinux 之类一样,只是一个发行版的名字,号称小巧安全,有自己的包管理工具 apk

因为其特别小,主流软件都有基于alpine构建的版本

slim

slim 镜像一般都基于 Debian(glibc),删除了许多非必需的软件包,优化了体积。如果构建过程中需要编译器,那么 slim 镜像不适合;除此之外大多数情况下还是可以使用 slim 作为基础镜像的

例如:FROM debian:buster-slim

busybox

busybox是一个软件工具箱,里边集成了linux中几百个常用的linux命令以及工具。大小只有1.2M,适合用来测试用

groovy focal bionic xenial

Ubuntu Groovy 20.10;Ubuntu Focal 20.04 (LTS);Ubuntu Bionic 18.04 (LTS);Ubuntu Xenial 16.04 (LTS)

stretch buster

Raspbian Buster 10 (stable);Debian 9 Stretch;Debian 10 Buster。debian:<suite>-slim — These tags are an experiment in providing a slimmer base (removing some extra files that are normally not necessary within containers, such as man pages and documentation), and are definitely subject to change.