docker 3. containerd usage

1 ctr, the containerd command-line tool

ctr

COMMANDS:
plugins, plugin provides information about containerd plugins
version print the client and server versions
containers, c, container manage containers
content manage content
events, event display containerd events
images, image, i manage images
leases manage leases
namespaces, namespace, ns manage namespaces
pprof provide golang pprof outputs for containerd
run run a container
snapshots, snapshot manage snapshots
tasks, t, task manage tasks
install install a new package
shim interact with a shim directly
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--debug enable debug output in logs
--address value, -a value address for containerd's GRPC server (default: "/run/containerd/containerd.sock")
--timeout value total timeout for ctr commands (default: 0s)
--connect-timeout value timeout for connecting to containerd (default: 0s)
--namespace value, -n value namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
--help, -h show help
--version, -v print the version
Compared with docker, containerd adds the concept of namespaces: every image and container is visible only within its own namespace. Kubernetes currently uses k8s.io as its namespace.

List the operations available for ctr image

ctr i

Tag an image

ctr -n k8s.io i tag hub.dream.io/hello:latest hub.dream.io/hello:second
Note: if the new image reference already exists, delete it first, or force the replacement as follows:
ctr -n k8s.io i tag --force hub.dream.io/hello:latest hub.dream.io/hello:second

Delete an image

ctr -n k8s.io i rm hub.dream.io/hello:latest

Pull an image

ctr -n k8s.io i pull -k hub.dream.io/hello:latest

Push an image

ctr -n k8s.io i push -k hub.dream.io/hello:latest

Export an image

ctr -n k8s.io i export hello.tar hub.dream.io/hello:latest

Import an image

ctr -n k8s.io i import hello.tar

Building and committing images (build, commit) is not supported

List the container-related operations

ctr c

Run a container

Signature: ctr run [command options] [flags] Image|RootFS ID [COMMAND] [ARG...]
Example:
ctr -n k8s.io run --null-io --net-host -d \
--env PASSWORD=$drone_password \
--mount type=bind,src=/etc,dst=/host-etc,options=rbind:rw \
--mount type=bind,src=/root/.kube,dst=/root/.kube,options=rbind:rw \
$image sysreport bash /sysreport/run.sh

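  1. --null-io: redirects the container's standard output to /dev/null
  2. --net-host: use the host network
  3. -d: once the task has started, return and continue with the next shell command; without this option, ctr waits for user input and forwards it into the container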
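
The run example above combines host networking, read-write bind mounts of host directories and a password passed with --env. As an added example (not part of the original post), this POSIX shell function audits a ctr run argument list for those options before it is executed; the sensitive path prefixes, the secret-name patterns and the finding texts are assumptions chosen for illustration.

```shell
# Added example, not from the original post: audit `ctr run` arguments.
SENSITIVE_PATHS="/etc /root /proc /sys /run /var/run /var/lib/kubelet"  # assumed list

# Print the value of key $2 from the comma-separated key=value mount spec $1.
# Always called inside $(...), so the IFS change stays in the subshell.
mount_field() {
    IFS=,
    for kv in $1; do
        case "$kv" in "$2"=*) printf '%s\n' "${kv#*=}" ;; esac
    done
}

# Succeed if path $1 equals or lies below one of the sensitive prefixes.
is_sensitive() {
    for p in $SENSITIVE_PATHS; do
        case "$1" in "$p"|"$p"/*) return 0 ;; esac
    done
    return 1
}

# Print one finding per risky option; return non-zero if any was found.
# Handles the space-separated form used on this page (--mount SPEC, --env K=V).
audit_ctr_run() {
    n=0; prev=""
    for arg in "$@"; do
        case "$prev" in
        --mount)
            src=$(mount_field "$arg" src); opts=$(mount_field "$arg" options)
            mode=rw; case ":$opts:" in *:ro:*) mode=ro ;; esac
            if is_sensitive "$src"; then
                echo "MOUNT host path $src bind-mounted $mode"; n=$((n + 1))
            fi ;;
        --env)
            case "${arg%%=*}" in *PASSWORD*|*SECRET*|*TOKEN*|*KEY*)
                echo "ENV ${arg%%=*} is stored in the container spec"; n=$((n + 1)) ;;
            esac ;;
        esac
        case "$arg" in
        --net-host)   echo "NET shares the host network namespace"; n=$((n + 1)) ;;
        --privileged) echo "PRIV runs as a privileged container"; n=$((n + 1)) ;;
        esac
        prev=$arg
    done
    [ "$n" -eq 0 ]
}

# Constructed input: the run example from this page with placeholder values.
audit_ctr_run --null-io --net-host -d --env PASSWORD=example \
    --mount type=bind,src=/etc,dst=/host-etc,options=rbind:rw \
    --mount type=bind,src=/root/.kube,dst=/root/.kube,options=rbind:rw \
    hub.dream.io/hello:latest sysreport bash /sysreport/run.sh || true
```

For the page's command this reports four findings: the host network, the PASSWORD variable, and the two read-write bind mounts.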

Container logs

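Note: by default a container's log is created as a FIFO; if nothing reads from it, the workload blocks once the FIFO's capacity is reached.
To write the log to a file instead, create the container as follows: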
ctr -n k8s.io run --log-uri file:///var/log/xx.log ...

To stop a container, first stop the task inside it, then delete the container

ctr -n k8s.io tasks kill -a -s 9 {id}
ctr -n k8s.io c rm {id}

2 crictl usage
COMMANDS:
attach Attach to a running container
create Create a new container
exec Run a command in a running container
version Display runtime version information
images List images
inspect Display the status of one or more containers
inspecti Return the status of one or more images
inspectp Display the status of one or more pods
logs Fetch the logs of a container
port-forward Forward local port to a pod
ps List containers
pull Pull an image from a registry
runp Run a new pod
rm Remove one or more containers
rmi Remove one or more images
rmp Remove one or more pods
pods List pods
start Start one or more created containers
info Display information of the container runtime
stop Stop one or more running containers
stopp Stop one or more running pods
update Update one or more running containers
config Get and set crictl options
stats List container(s) resource usage statistics
completion Output bash shell completion code
help, h Shows a list of commands or help for one command
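crictl was built for Kubernetes' use of containerd. Containers that were not created through Kubernetes cannot be seen or debugged with crictl, which means a container started with ctr run is not visible to crictl.
crictl uses the k8s.io namespace.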

The cri plugin treats pods and containers differently

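ps: lists the workload containers in the k8s.io namespace
pods: lists the sandbox containers in the k8s.io namespace; in Kubernetes these are usually the pause containers
logs: prints the logs of a workload container
create: creates a container; the sandbox has to be created first, and the sandbox container's id is then used to create the workload container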

inspect: shows the status of workload containers
inspectp: shows the status of sandbox containers
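
The create step described above (sandbox first, then the workload container created with the sandbox id), as an added example that is not part of the original post. The JSON field values, the sleep command, the log paths and the CRICTL override variable are assumptions; the subcommands are the ones listed in the crictl help above.

```shell
# Added example, not from the original post. CRICTL can be overridden;
# pod/container names, the sleep command and log paths are assumptions.
CRICTL=${CRICTL:-crictl}

# run_in_sandbox NAME IMAGE: create the sandbox, then the workload container.
# Prints "<sandbox-id> <container-id>". NAME must be a plain identifier,
# because it is interpolated into the JSON without escaping.
run_in_sandbox() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pod.json" <<EOF
{ "metadata": { "name": "$1", "namespace": "default",
                "uid": "$1-uid", "attempt": 1 },
  "log_directory": "/tmp/$1-logs", "linux": {} }
EOF
    cat > "$dir/container.json" <<EOF
{ "metadata": { "name": "$1-app" }, "image": { "image": "$2" },
  "command": ["sleep", "3600"], "log_path": "app.log", "linux": {} }
EOF
    $CRICTL pull "$2" >/dev/null || return 1
    # 1. Sandbox (what `crictl pods` lists); runp prints its id.
    pod_id=$($CRICTL runp "$dir/pod.json") || return 1
    # 2. Workload container, created inside that sandbox.
    ctr_id=$($CRICTL create "$pod_id" "$dir/container.json" "$dir/pod.json") \
        || return 1
    # 3. create does not run the container; start does.
    $CRICTL start "$ctr_id" >/dev/null || return 1
    rm -rf "$dir"
    echo "$pod_id $ctr_id"
}
# Usage on a node: run_in_sandbox demo hub.dream.io/hello:latest
# Cleanup: crictl stop <container-id>; crictl rm <container-id>;
#          crictl stopp <sandbox-id>; crictl rmp <sandbox-id>
```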

3 Comparison of ctr and docker commands

id | containerd command | docker command | Notes
1 | ctr image ls | docker images | list image information
2 | ctr image pull nginx | docker pull nginx | pull an nginx image
3 | ctr image tag nginx nginx-test | docker tag nginx nginx-test | tag an nginx image
4 | ctr image push nginx-test | docker push nginx-test | push the nginx-test image
5 | ctr image pull nginx | docker pull nginx | pull an nginx image
6 | ctr image import nginx.tar | docker load<nginx.tar.gz | import a local image; ctr does not support compressed archives
7 | ctr run -d --env 111 nginx-test nginx | docker run -d --name=nginx nginx-test | run a container
8 | ctr task ls | docker ps | list running containers

[root@node-1 ~]# ctr -n k8s.io image ls|grep hello-ope
hub.dream.io/escloud-linux-source-hello-operator:5.1.0-alpha.70 application/vnd.docker.distribution.manifest.v2+json sha256:3596481c90b90f21f64f4c13427968a5c6fba42f302e5cbc916bc1c5bf56a948 141.9 MiB linux/arm64 io.cri-containerd.image=managed

ctr run -it --rm hub.dream.io/escloud-linux-source-hello-operator:5.1.0-alpha.70 /bin/bash

hub.dream.io/escloud-linux-source-hello:5.1.0-alpha.70 application/vnd.docker.distribution.manifest.v2+json sha256:23575a52cffb512a97ebc9651a1e8d99b2d1f0efcb46981bc5722b6a883b7084 337.1 MiB linux/arm64 io.cri-containerd.image=managed

ctr -n k8s.io run -t --rm hub.dream.io/arm64v8/escloud-linux-source-hello:5.1.0-alpha.70 bash

References:
https://github.com/projectatomic/containerd/blob/master/docs/cli.md
https://blog.51cto.com/3138583/2465439?source=dra

4 Official usage of the ctr command
NAME:
ctr -

containerd CLI

USAGE:
ctr [global options] command [command options] [arguments...]

VERSION:
1.3.3

DESCRIPTION:

ctr is an unsupported debug and administrative client for interacting
with the containerd daemon. Because it is unsupported, the commands,
options, and operations are not guaranteed to be backward compatible or
stable from release to release of the containerd project.

COMMANDS:
plugins, plugin provides information about containerd plugins
version print the client and server versions
containers, c, container manage containers
content manage content
events, event display containerd events
images, image, i manage images
leases manage leases
namespaces, namespace, ns manage namespaces
pprof provide golang pprof outputs for containerd
run run a container
snapshots, snapshot manage snapshots
tasks, t, task manage tasks
install install a new package
shim interact with a shim directly
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--debug enable debug output in logs
--address value, -a value address for containerd's GRPC server (default: "/run/containerd/containerd.sock")
--timeout value total timeout for ctr commands (default: 0s)
--connect-timeout value timeout for connecting to containerd (default: 0s)
--namespace value, -n value namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
--help, -h show help
--version, -v print the version
