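1. containerd Overview and Versions
containerd is an industrial-grade container runtime hosted by the CNCF (Cloud Native Computing Foundation). It is a core component of Docker Engine and is also widely used by Kubernetes. containerd focuses on container lifecycle management and provides core functions such as image transfer, container execution, and snapshot management.
Latest containerd versions:
containerd 1.7.15 (2024 stable release)
containerd 1.7.14 (2024 stable release)
containerd 2.0.0 (2024 new release)
containerd 1.6.31 (LTS release)
containerd core components:
- containerd daemon: the main daemon process
- containerd-shim: container runtime shim
- ctr: command-line client
- nerdctl: Docker-compatible CLI
Runtime support:
- runc: the default OCI runtime
- crun: lightweight runtime implemented in C
- kata-containers: secure container runtime
- gVisor: sandboxed container runtime
Features:
- OCI image support
- Multi-tenant namespaces
- Snapshot storage
- CRI plugin (Kubernetes support)
- Distributed image pulling
2. Downloading containerd
containerd can be obtained in several ways, including prebuilt binaries, package managers, and building from source.
Method 1: Download the binaries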
$ mkdir -p /fgeudb/software/containerd
$ cd /fgeudb/software/containerd
# Download containerd 1.7.16
$ wget https://github.com/containerd/containerd/releases/download/v1.7.16/containerd-1.7.16-linux-amd64.tar.gz
# Download runc
$ wget https://github.com/opencontainers/runc/releases/download/v1.1.12/runc.amd64
# Download the CNI plugins
$ wget https://github.com/containernetworking/plugins/releases/download/v1.4.1/cni-plugins-linux-amd64-v1.4.1.tgz
# Download nerdctl (Docker-compatible CLI)
$ wget https://github.com/containerd/nerdctl/releases/download/v1.7.4/nerdctl-1.7.4-linux-amd64.tar.gz
# List the downloaded files
$ ls -lh
Example output:
total 150M
-rw-r--r-- 1 root root 50M Apr 4 10:00 containerd-1.7.16-linux-amd64.tar.gz
-rw-r--r-- 1 root root 10M Apr 4 10:00 runc.amd64
-rw-r--r-- 1 root root 40M Apr 4 10:00 cni-plugins-linux-amd64-v1.4.1.tgz
-rw-r--r-- 1 root root 20M Apr 4 10:00 nerdctl-1.7.4-linux-amd64.tar.gz
Method 2: Install with a package manager
# RHEL/CentOS/Fedora
$ sudo dnf install -y containerd
# Ubuntu/Debian
$ sudo apt-get update
$ sudo apt-get install -y containerd
# Verify the installation
$ containerd --version
Example output:
containerd github.com/containerd/containerd v1.7.16 abc123def456
# Check the runc version
$ runc --version
Example output:
runc version 1.1.12
commit: v1.1.12-0-gabc123
spec: 1.0.2-dev
go: go1.21.6
libseccomp: 2.5.3
Method 3: Download from a mirror in China
# Use the Alibaba Cloud mirror
$ wget https://mirrors.aliyun.com/docker-ce/linux/static/stable/x86_64/containerd-1.7.16.tgz
# Use the Huawei Cloud mirror
$ wget https://mirrors.huawei.com/docker-ce/linux/static/stable/x86_64/containerd-1.7.16.tgz
# Or download through a proxy
$ export https_proxy=http://proxy.fgedu.net.cn:8080
$ wget https://github.com/containerd/containerd/releases/download/v1.7.16/containerd-1.7.16-linux-amd64.tar.gz
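The files downloaded above are unpacked and installed as root in the next section, and none of the three methods checks their integrity; that matters most for the third-party mirrors and the proxy path. The following added example (not part of the original tutorial) verifies a file against a SHA-256 checksum list before it is unpacked. The list name SHA256SUMS and the sample payload are constructed for the demo; the real list should be taken from the project's official release page.

```shell
#!/bin/sh
# Added example: verify a download against a published SHA-256 checksum list.
# verify_sha256 FILE SUMFILE -> 0 match, 1 mismatch, 2 no usable entry or missing file
verify_sha256() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    name=$(basename "$file")
    # Lists use "<hex>  <name>" (binary mode: "<hex> *<name>"); the name may
    # carry a path prefix, so only basenames are compared.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^.*\//, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    # Refuse a missing entry or anything that is not a 64-digit hex digest.
    case $expected in
        "" | *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in file and a checksum list generated locally.
demo=$(mktemp -d)
pkg=containerd-1.7.16-linux-amd64.tar.gz
printf 'constructed sample payload\n' > "$demo/$pkg"
( cd "$demo" && sha256sum "$pkg" > SHA256SUMS )
verify_sha256 "$demo/$pkg" "$demo/SHA256SUMS" && echo "OK: $pkg matches, safe to unpack"
printf 'modified after download\n' >> "$demo/$pkg"
verify_sha256 "$demo/$pkg" "$demo/SHA256SUMS" || echo "MISMATCH: do not unpack $pkg"
rm -rf "$demo"
```

A checksum list fetched from the same mirror as the archive only detects corruption; compare against the list on the upstream release page to detect a replaced file.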
3. Installing and Deploying containerd
Installing containerd involves the main program, the runc runtime, and the CNI network plugins.
Step 1: Unpack and install containerd
$ cd /fgeudb/software/containerd
$ tar -zxvf containerd-1.7.16-linux-amd64.tar.gz -C /usr/local/
# List the installed files
$ ls -la /usr/local/bin/
Example output:
total 150000
-rwxr-xr-x 1 root root 50000000 Apr 4 10:00 containerd
-rwxr-xr-x 1 root root 50000000 Apr 4 10:00 containerd-shim
-rwxr-xr-x 1 root root 50000000 Apr 4 10:00 containerd-shim-runc-v1
-rwxr-xr-x 1 root root 50000000 Apr 4 10:00 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 10000000 Apr 4 10:00 ctr
# Install runc
$ install -m 755 runc.amd64 /usr/local/sbin/runc
# Verify runc
$ runc --version
Example output:
runc version 1.1.12
spec: 1.0.2-dev
Step 2: Install the CNI network plugins
$ mkdir -p /opt/cni/bin
# Unpack the CNI plugins
$ tar -zxvf cni-plugins-linux-amd64-v1.4.1.tgz -C /opt/cni/bin/
# List the CNI plugins
$ ls -la /opt/cni/bin/
Example output:
total 80000
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 bandwidth
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 bridge
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 dhcp
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 firewall
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 host-device
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 host-local
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 ipvlan
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 loopback
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 macvlan
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 portmap
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 ptp
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 sbr
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 static
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 tuning
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 vlan
-rwxr-xr-x 1 root root 4000000 Apr 4 10:00 vrf
Step 3: Create the systemd service
$ cat > /etc/systemd/system/containerd.service << 'EOF'
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
EOF
# Reload systemd
$ systemctl daemon-reload
# Start containerd
$ systemctl start containerd
# Enable start at boot
$ systemctl enable containerd
# Check the service status
$ systemctl status containerd
Example output:
● containerd.service - containerd container runtime
Loaded: loaded (/etc/systemd/system/containerd.service; enabled)
Active: active (running) since Thu 2026-04-04 10:00:00 CST; 5s ago
Docs: https://containerd.io
Main PID: 12345 (containerd)
Tasks: 8
Memory: 15.5M
CPU: 50ms
CGroup: /system.slice/containerd.service
└─12345 /usr/local/bin/containerd
Step 4: Install nerdctl
$ cd /fgeudb/software/containerd
$ tar -zxvf nerdctl-1.7.4-linux-amd64.tar.gz -C /usr/local/bin/
# Verify nerdctl
$ nerdctl --version
Example output:
nerdctl version 1.7.4
# Test pulling an image
$ nerdctl pull docker.io/library/nginx:latest
Example output:
docker.io/library/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:abc123def456: exists |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:def456ghi789: exists |++++++++++++++++++++++++++++++++++++++|
config-sha256:ghi789jkl012: exists |++++++++++++++++++++++++++++++++++++++|
layer-sha256:jkl012mno345: exists |++++++++++++++++++++++++++++++++++++++|
elapsed: 5.0 s total: 25.0 M (5.0 MiB/s)
4. containerd Configuration in Detail
containerd's configuration file is config.toml, which supports a rich set of options. Fengge's tip: a correct configuration is the foundation for running containerd stably.
Generate the default configuration
$ mkdir -p /etc/containerd
# Generate the default configuration
$ containerd config default > /etc/containerd/config.toml
# View the configuration file
$ cat /etc/containerd/config.toml
Example output:
version = 2
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "registry.k8s.io/pause:3.9"
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "overlayfs"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
Configure registry mirrors (image acceleration)
$ vi /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://docker.mirrors.ustc.edu.cn", "https://hub-mirror.c.163.com"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
endpoint = ["https://registry.aliyuncs.com/k8sxio"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
endpoint = ["https://quay.mirrors.ustc.edu.cn"]
# Restart containerd
$ systemctl restart containerd
Configure a private registry
$ vi /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.fgedu.net.cn"]
endpoint = ["https://harbor.fgedu.net.cn"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.fgedu.net.cn".tls]
# insecure_skip_verify = true disables TLS certificate verification for this registry
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.fgedu.net.cn".auth]
# These credentials are stored in plaintext in config.toml
username = "admin"
password = "Harbor12345"
# Restart containerd
$ systemctl restart containerd
Configure SystemdCgroup
$ vi /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
# Or modify it with sed
$ sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
# Restart containerd
$ systemctl restart containerd
5. Managing Containers with nerdctl
nerdctl is containerd's Docker-compatible CLI and offers a command experience similar to Docker's.
Image management
$ nerdctl pull docker.io/library/nginx:latest
Example output:
docker.io/library/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
elapsed: 5.0 s total: 25.0 M (5.0 MiB/s)
# List local images
$ nerdctl images
Example output:
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE
nginx latest abc123def456 2 days ago linux/amd64 146.0 MiB
# Build an image
$ nerdctl build -t fgedu-web:v1 .
Example output:
[+] Building 10.0s (8/8) FINISHED
=> [internal] load build definition from Dockerfile
=> => transferring dockerfile: 200B
=> [internal] load .dockerignore
=> => transferring context: 2B
=> [internal] load metadata for docker.io/library/nginx:latest
=> [1/3] FROM docker.io/library/nginx:latest
=> => resolve docker.io/library/nginx:latest
=> [2/3] COPY index.html /usr/share/nginx/html/
=> [3/3] RUN echo "Build complete"
=> exporting to oci image format
=> => exporting layers
=> => exporting manifest sha256:abc123
=> => exporting config sha256:def456
=> => sending tarball
# Push an image
$ nerdctl push harbor.fgedu.net.cn/library/fgedu-web:v1
# Save an image
$ nerdctl save -o nginx.tar nginx:latest
# Load an image
$ nerdctl load -i nginx.tar
Container management
$ nerdctl run -d --name nginx-web -p 8080:80 nginx:latest
Example output:
abc123def456789012345678901234567890123456789012345678901234
# List running containers
$ nerdctl ps
Example output:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
abc123def456 docker.io/library/nginx:latest "/docker-entrypoint.…" 5 seconds ago Up 0.0.0.0:8080->80/tcp nginx-web
# View container logs
$ nerdctl logs nginx-web
Example output:
2026/04/04 10:00:00 [notice] 1#1: using the "epoll" event method
2026/04/04 10:00:00 [notice] 1#1: nginx/1.25.4
# Open a shell in the container
$ nerdctl exec -it nginx-web /bin/bash
# Stop the container
$ nerdctl stop nginx-web
# Start the container
$ nerdctl start nginx-web
# Remove the container
$ nerdctl rm -f nginx-web
# Run a container with resource limits
$ nerdctl run -d --name web-app \
--memory=512m \
--cpus=1.5 \
-p 8080:80 \
nginx:latest
Using the ctr command
$ ctr namespaces ls
Example output:
NAME LABELS
default
k8s.io
moby
# Pull an image into a specific namespace
$ ctr -n k8s.io image pull docker.io/library/nginx:latest
# List images
$ ctr -n k8s.io image ls
Example output:
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:latest application/vnd.docker.distribution.manifest.v2+json sha256:abc123def456… 25.0 MiB linux/amd64 -
# Run a container
$ ctr -n default run --rm docker.io/library/nginx:latest nginx-test
# List containers
$ ctr -n default containers ls
# List tasks
$ ctr -n default tasks ls
6. Kubernetes Integration
containerd is the container runtime recommended for Kubernetes, and the CRI plugin must be configured correctly.
Configure the CRI plugin
$ vi /etc/containerd/config.toml
version = 2
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "registry.aliyuncs.com/k8sxio/pause:3.9"
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "overlayfs"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://docker.mirrors.ustc.edu.cn"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
endpoint = ["https://registry.aliyuncs.com/k8sxio"]
# Restart containerd
$ systemctl restart containerd
Configure kubelet
$ vi /etc/kubernetes/kubelet-config.yml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
cgroupDriver: systemd
# Or use command-line flags
# (--container-runtime=remote applies only to kubelet releases before v1.27, which removed the flag)
$ kubelet --container-runtime-endpoint=unix:///run/containerd/containerd.sock \
--cgroup-driver=systemd
# Verify node status
$ kubectl get nodes
Example output:
NAME STATUS ROLES AGE VERSION
fgedu-node01 Ready control-plane 10d v1.29.0
fgedu-node02 Ready
fgedu-node03 Ready
# Check the node's container runtime
$ kubectl describe node fgedu-node01 | grep -A 5 "Container Runtime"
Example output:
Container Runtime Version: containerd://1.7.16
Kubelet Version: v1.29.0
Kube-Proxy Version: v1.29.0
Using the crictl tool
$ cat > /etc/crictl.yaml << 'EOF'
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
# List pods
$ crictl pods
Example output:
POD ID CREATED STATE NAME NAMESPACE ATTEMPT RUNTIME
abc123def456 10 minutes ago Ready nginx-pod default 1 (default)
# List containers
$ crictl ps
Example output:
CONTAINER ID IMAGE CREATED STATE NAME ATTEMPT POD ID POD
def456ghi789 nginx:latest 10 minutes ago Running nginx 1 abc123def456 nginx-pod
# List images
$ crictl images
Example output:
IMAGE TAG IMAGE ID SIZE
docker.io/library/nginx latest abc123def456 146MB
registry.aliyuncs.com/k8sxio/pause 3.9 def456ghi789 740kB
# Pull an image
$ crictl pull docker.io/library/nginx:latest
Example output:
Image is up to date for docker.io/library/nginx@sha256:abc123def456
# View container logs
$ crictl logs def456ghi789
Example output:
2026/04/04 10:00:00 [notice] 1#1: nginx/1.25.4
7. Monitoring and Operating containerd
containerd provides monitoring metrics and operations tooling.
Step 1: Configure Prometheus metrics
$ vi /etc/containerd/config.toml
[metrics]
# 0.0.0.0 serves the unauthenticated metrics endpoint on every network interface
address = "0.0.0.0:1338"
grpc_histogram = false
# Restart containerd
$ systemctl restart containerd
# Fetch the metrics
$ curl http://192.168.1.51:1338/metrics | head -20
Example output:
# HELP containerd_container_actions_seconds The total number of seconds spent in container actions
# TYPE containerd_container_actions_seconds summary
containerd_container_actions_seconds{action="create",quantile="0.5"} 0.1
containerd_container_actions_seconds{action="create",quantile="0.9"} 0.2
containerd_container_actions_seconds{action="create",quantile="0.99"} 0.3
containerd_container_actions_seconds_sum{action="create"} 10.5
containerd_container_actions_seconds_count{action="create"} 100
# HELP containerd_grpc_requests_total The total number of gRPC requests
# TYPE containerd_grpc_requests_total counter
containerd_grpc_requests_total{grpc_code="OK",grpc_method="ListContainers",grpc_service="containerd.services.containers.v1.Containers"} 500
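The private-registry block in section 4 (insecure_skip_verify = true plus an inline password) and the [metrics] address above are the settings in this tutorial that weaken a node's security posture. The following added example (not part of the original tutorial and not a containerd tool) scans a config.toml for them; the function name audit_containerd_config and the sample file are constructed.

```shell
#!/bin/sh
# Added example: flag risky settings in a containerd config.toml.
# audit_containerd_config FILE -> prints findings; returns 0 clean, 1 findings, 2 unreadable
audit_containerd_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "ERROR cannot read $cfg" >&2; return 2; }
    findings=$({
        awk '
            /^[ \t]*#/  { next }                  # ignore comment lines
            /^[ \t]*\[/ { section = $0; next }    # remember the current TOML table
            /insecure_skip_verify[ \t]*=[ \t]*true/ {
                print "HIGH tls-verify-disabled line " NR }
            /^[ \t]*password[ \t]*=/ && section ~ /\.auth\]/ {
                print "HIGH plaintext-registry-password line " NR }
            /^[ \t]*address[ \t]*=/ && section ~ /\[metrics\]/ &&
            /"(0\.0\.0\.0|\[::\])?:[0-9]+"/ {
                print "MEDIUM metrics-on-all-interfaces line " NR }
            /^[ \t]*endpoint[ \t]*=.*"http:\/\// {
                print "MEDIUM cleartext-registry-endpoint line " NR }
        ' "$cfg"
        # A file holding a registry password should not be group/other accessible.
        if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$cfg" &&
           [ "$(ls -ld "$cfg" | cut -c5-10)" != "------" ]; then
            echo "MEDIUM secret-file-readable-by-group-or-other"
        fi
    })
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample reproducing the settings shown in this tutorial.
sample=$(mktemp)
chmod 644 "$sample"
cat > "$sample" <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.fgedu.net.cn".tls]
  insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.fgedu.net.cn".auth]
  username = "admin"
  password = "Harbor12345"
[metrics]
  address = "0.0.0.0:1338"
EOF
audit_containerd_config "$sample" || echo "review the findings above before restarting containerd"
```

To clear the findings, point the registry's tls table at its CA with ca_file instead of skipping verification, keep config.toml at mode 600 while it holds a password, and bind the metrics address to 127.0.0.1 or a management interface.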
Step 2: Clean up unused resources
$ du -sh /var/lib/containerd/*
Example output:
500M /var/lib/containerd/io.containerd.content.v1.content
2.0G /var/lib/containerd/io.containerd.grpc.v1.cri
1.5G /var/lib/containerd/io.containerd.metadata.v1.bolt
3.0G /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs
# Remove unused images
$ crictl rmi --prune
Example output:
Removed: docker.io/library/nginx@sha256:old123
Removed: docker.io/library/redis@sha256:old456
Total removed: 2
# Remove stopped containers
$ crictl rm $(crictl ps -a -q)
# Clean up with nerdctl
$ nerdctl system prune -a -f
Example output:
Deleted Images:
untagged: docker.io/library/nginx:old
deleted: sha256:old123
Total reclaimed space: 500MB
Step 3: Log management
$ journalctl -u containerd -f
Example output:
Apr 04 10:00:00 fgedu.net.cn containerd[12345]: time="2026-04-04T10:00:00.000000000Z" level=info msg="starting containerd" revision=abc123 version=1.7.16
Apr 04 10:00:00 fgedu.net.cn containerd[12345]: time="2026-04-04T10:00:00.000000000Z" level=info msg="loading plugin" id=io.containerd.grpc.v1.cri type=io.containerd.grpc.v1
Apr 04 10:00:00 fgedu.net.cn containerd[12345]: time="2026-04-04T10:00:00.000000000Z" level=info msg="Start subscribing containerd event"
# Configure log rotation
$ vi /etc/systemd/journald.conf
[Journal]
Storage=persistent
Compress=yes
MaxRetentionSec=7day
MaxFileSec=1day
# Restart journald
$ systemctl restart systemd-journald
Compiled and published by 风哥教程 (Fengge Tutorials), for study and testing only. Please credit the source when reposting: http://www.fgedu.net.cn/10327.html
