nerdctl: an advanced command-line tool for containerd

nerdctl

1. Installation

Download the matching binary package from GitHub and extract it:

# If containerd is not installed, you can download the nerdctl-full-<VERSION>-linux-amd64.tar.gz package and install from that instead
wget https://github.com/containerd/nerdctl/releases/download/v0.11.0/nerdctl-0.11.0-linux-amd64.tar.gz
# If access is restricted, you can use the URL below instead to speed up the download
wget https://download.fastgit.org/containerd/nerdctl/releases/download/v0.11.0/nerdctl-0.11.0-linux-amd64.tar.gz
mkdir -p /usr/local/containerd/bin/ && tar -zxvf nerdctl-0.11.0-linux-amd64.tar.gz nerdctl && mv nerdctl /usr/local/containerd/bin/
ln -s /usr/local/containerd/bin/nerdctl /usr/local/bin/nerdctl
[root@one ~]# nerdctl version 
Client:
 Version:   v0.11.0
 Git commit:    c802f934791f83dacf20a041cd1c865f8fac954e

Server:
 containerd:
  Version:  v1.5.5
  Revision: 72cec4be58a9eb6b2910f5d10f1c01ca47d231c0

2. Using the command-line tool

1. Run & Exec
nerdctl run

nerdctl run is similar to docker run; use the nerdctl run command to run a container.

[root@one ~]# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:latest
docker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:61face6bf030edce7ef6d7dd66fe452298d6f5f7ce032afdd01683ef02b2b841: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:fa5269854a5e615e51a72b17ad3fd1e01268f278a6684c8ed3c5f0cdce3f230b:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:93e404ba8667c79caef3367388107d653d53c3ff8cd885fca19de1cdd13ac685:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:1fe172e4850f03bb45d41a20174112bc119fbfec42a650edbbd8491aee32e3c3:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:35c195f487df68cfbbecd2870aefb0ea52015fdb9ef15fd780838efc675dba45:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:213b9b16f4959ca5e12777fa9977f178cf778f615f893f859f2a4ce19838c485:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:a8172d9e19b90893f2eda38b25c9095c9822c924d7a44c7eeb44b30b0a639b9e:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:f5eee2cb2150b290f85c57dd78b1470b77819b511d092c9be1b10876ca48b885:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 70.5s                                                                    total:  54.1 M (785.8 KiB/s)                                     
9aafb7429972aadbc7c8ba57ebf933b84a21d2c615c9208f6b9ff9688879c36a

The optional arguments are largely the same as for docker run, for example -i, -t, --cpus and --memory. Run nerdctl run --help to see the available options.

nerdctl exec

Likewise, exec can be used to run commands inside a container:

[root@one ~]# nerdctl exec -it nginx date 
Fri May  6 02:15:29 UTC 2022

3. Container management

nerdctl ps (list containers)
[root@one ~]# nerdctl ps 
CONTAINER ID    IMAGE                             COMMAND                   CREATED          STATUS    PORTS                 NAMES
533b75d795c7    docker.io/library/nginx:latest    "/docker-entrypoint.…"    3 minutes ago    Up        0.0.0.0:80->80/tcp    nginx

The -a option likewise lists all containers. Note, however, that nerdctl ps does not implement docker ps options such as --filter, --format, --last and --size.

nerdctl inspect (show detailed container information)
[root@one ~]# nerdctl inspect 4255bd2c93b6
[
   {
       "Id": "4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe",
       "Created": "2022-05-06T02:26:10.070899995Z",
       "Path": "/docker-entrypoint.sh",
       "Args": [
           "nginx",
           "-g",
           "daemon off;"
       ],
       "State": {
           "Status": "running",
           "Running": true,
           "Paused": false,
           "Pid": 31509,
           "ExitCode": 0,
           "FinishedAt": "0001-01-01T00:00:00Z"
       },
       "Image": "docker.io/library/nginx:alpine",
       "ResolvConfPath": "/var/lib/nerdctl/1935db59/containers/default/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe/resolv.conf",
       "LogPath": "/var/lib/nerdctl/1935db59/containers/default/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe-json.log",
       "Name": "nginx",
       "Driver": "overlayfs",
       "Platform": "linux",
       "AppArmorProfile": "",
       "NetworkSettings": {
           "Ports": {
               "80/tcp": [
                   {
                       "HostIp": "0.0.0.0",
                       "HostPort": "80"
                   }
               ]
           },
           "GlobalIPv6Address": "",
           "GlobalIPv6PrefixLen": 0,
           "IPAddress": "10.4.0.7",
           "IPPrefixLen": 24,
           "MacAddress": "46:fd:f7:a8:c7:c2",
           "Networks": {
               "unknown-eth0": {
                   "IPAddress": "10.4.0.7",
                   "IPPrefixLen": 24,
                   "GlobalIPv6Address": "",
                   "GlobalIPv6PrefixLen": 0,
                   "MacAddress": "46:fd:f7:a8:c7:c2"
               }
           }
       }
   }
]

nerdctl logs (get container logs)
[root@one ~]# nerdctl logs nginx 
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

The -f, -t, -n, --since and --until options are supported as well.

nerdctl stop (stop a container)
[root@one ~]# nerdctl stop nginx 
nginx

nerdctl rm (remove a container)
[root@one ~]# nerdctl rm nginx 
You cannot remove a running container 4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe. Stop the container before attempting removal or force remove
[root@one ~]# nerdctl rm -f nginx 
nginx

To force removal, use the -f or --force option.

4. Image management

nerdctl images (list images)
[root@one ~]# nerdctl images 
REPOSITORY    TAG       IMAGE ID        CREATED              SIZE
nginx         alpine    5a0df7fb7c8c    5 days ago           16.0 KiB
nginx         latest    859ab6768a6f    About an hour ago    16.0 KiB

nerdctl pull (pull an image)
[root@one ~]# nerdctl pull docker.io/library/busybox:latest
docker.io/library/busybox:latest:                                                 resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:52f431d980baa76878329b68ddb69cb124c25efa6e206d8b0bd797a828f0528e: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:1a80408de790c0b1075d0a7e23ff7da78b311f85f36ea10098e4a6184c200964:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 7.9 s 

nerdctl push (push an image)

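Before pushing an image, you can log in to the image registry with the nerdctl login command and then run the push.
Log in with nerdctl login --username xxx --password xxx, and log out with nerdctl logout. A password given with --password on the command line is recorded in shell history and is visible in the process list while the command runs.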

nerdctl tag (tag an image)

The tag command creates an alias for an image:

[root@one ~]# nerdctl tag busybox:latest ccr.ccs.tencentyun.com/piao/busybox:latest 
[root@one ~]# 
[root@one ~]# 
[root@one ~]# nerdctl images 
REPOSITORY                             TAG       IMAGE ID        CREATED          SIZE
ccr.ccs.tencentyun.com/piao/busybox    latest    d2b53584f580    5 seconds ago    1.3 MiB
busybox                                latest    d2b53584f580    3 hours ago      1.3 MiB
nginx                                  alpine    5a0df7fb7c8c    5 days ago       16.0 KiB
nginx                                  latest    859ab6768a6f    4 hours ago      16.0 KiB

nerdctl save (export an image)
[root@one full]# nerdctl save -o busybox.tag.gz busybox:latest 
[root@one full]# ll 
total 768
-rw-r--r-- 1 root root 785408 May  6 14:49 busybox.tag.gz

nerdctl rmi (remove an image)
[root@one full]# nerdctl rmi ccr.ccs.tencentyun.com/piao/busybox:latest-tmp-single
Untagged: ccr.ccs.tencentyun.com/piao/busybox:latest-tmp-single@sha256:32e2a03e361974976d474a54e5477db24947960cb1f858a45d2c680b090cadd9
Deleted: sha256:eb6b01329ebe73e209e44a616a0e16c2b8e91de6f719df9c35e6cdadadbe5965

nerdctl load (import an image)
[root@one full]# nerdctl load -i busybox.tag.gz 
unpacking docker.io/library/busybox:latest (sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8)...done
unpacking overlayfs@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8 (sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8)...done

5. Building images

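Building images is an important everyday requirement. ctr has no command for building images, and Docker is no longer in use here, but nerdctl provides the nerdctl build command for this.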

nerdctl build (build an image from a Dockerfile)

Create a Dockerfile:

FROM nginx:latest
RUN echo "hello word" >/usr/share/nginx/html/index.html

Build the image:

[root@one full]# nerdctl build -t nginx:nerdctl -f Dockerfile 
FATA[0000] `buildctl` needs to be installed and `buildkitd` needs to be running, see https://github.com/moby/buildkit: exec: "buildctl": executable file not found in $PATH 

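The command fails with an error saying that buildctl must be installed and buildkitd must be running, because nerdctl build depends on buildkit.
The buildkit project is a build toolkit also open-sourced by Docker, Inc. It supports building OCI-standard images and consists mainly of the following parts:
Server, buildkitd: currently supports runc and containerd as workers; the default is runc. Here I use containerd.
Client, buildctl: parses the Dockerfile and sends build requests to the buildkitd server.
buildkit has a typical client/server architecture, and the client and server can run on different machines. nerdctl acts as a buildkitd client when building an image, so buildkitd has to be installed and running.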

2. Installing buildkitd
wget https://github.com/moby/buildkit/releases/download/v0.9.0/buildkit-v0.9.0.linux-amd64.tar.gz
# If access is restricted, you can use the URL below instead to speed up the download
wget https://download.fastgit.org/moby/buildkit/releases/download/v0.9.0/buildkit-v0.9.0.linux-amd64.tar.gz
tar -zxvf buildkit-v0.9.0.linux-amd64.tar.gz -C /usr/local/containerd/
bin/
bin/buildctl
bin/buildkit-qemu-aarch64
bin/buildkit-qemu-arm
bin/buildkit-qemu-i386
bin/buildkit-qemu-mips64
bin/buildkit-qemu-mips64el
bin/buildkit-qemu-ppc64le
bin/buildkit-qemu-riscv64
bin/buildkit-qemu-s390x
bin/buildkit-runc
bin/buildkitd 
ln -s /usr/local/containerd/bin/buildkitd /usr/local/bin/buildkitd
ln -s /usr/local/containerd/bin/buildctl /usr/local/bin/buildctl
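
Both download steps on this page (the nerdctl tarball in section 1 and the buildkit tarball here) fetch a release archive, optionally from a mirror URL, and unpack it as root without an integrity check. The following is an added example, not part of the original post or of either project: a shell helper that checks an archive against a checksum list in sha256sum format before extracting anything. The function names and the SHA256SUMS file name are assumptions, and the checksum list should come from the project's official release page rather than from the mirror.

```sh
#!/bin/sh
# Added example (not from the original post): verify a release tarball
# against a sha256sum-format checksum list before unpacking it as root.

# verify_release TARBALL SUMS_FILE
# Succeeds only if SUMS_FILE lists exactly one entry for TARBALL's base name
# and that digest equals the SHA-256 of the file on disk. Fails closed.
verify_release() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")

    [ -f "$tarball" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 2; }

    # Line format: "<64 hex digits>  <name>"; a leading '*' on the name marks
    # binary mode. Release file names contain no spaces, so $2 is the name.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { count++; digest = tolower($1) }
        END {
            if (count == 1 && length(digest) == 64 && digest ~ /^[0-9a-f]+$/)
                print digest
        }' "$sums")
    [ -n "$expected" ] || { echo "no unique SHA-256 entry for $name" >&2; return 1; }

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "SHA-256 mismatch for $name" >&2; return 1; }
}

# extract_verified TARBALL SUMS_FILE MEMBER DEST_DIR
# Unpacks one named member into DEST_DIR, and only after the digest matched.
extract_verified() {
    verify_release "$1" "$2" || return 1
    mkdir -p "$4" && tar -zxf "$1" -C "$4" "$3"
}

# Usage with the file names from this page (SHA256SUMS is an assumed name for
# a checksum list fetched separately from the official release page):
#   extract_verified nerdctl-0.11.0-linux-amd64.tar.gz SHA256SUMS \
#       nerdctl /usr/local/containerd/bin
#   extract_verified buildkit-v0.9.0.linux-amd64.tar.gz SHA256SUMS \
#       bin /usr/local/containerd
```

A non-zero return means nothing was extracted, so the later ln -s steps should run only after extract_verified succeeds.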

Manage buildkitd with systemd:

cat /etc/systemd/system/buildkit.service
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target

Start buildkitd:

systemctl daemon-reload 
systemctl enable buildkit.service --now

Rebuild the image:

[root@one full]# nerdctl build --no-cache -t nginx:nerdctl -f Dockerfile .
[+] Building 9.2s (6/6) FINISHED                                                                                                                                                                                                                                           
 => [internal] load build definition from Dockerfile                                                                                                                                                                                                                  0.1s
 => => transferring dockerfile: 111B                                                                                                                                                                                                                                  0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                     0.1s
 => => transferring context: 2B                                                                                                                                                                                                                                       0.0s
 => [internal] load metadata for docker.io/library/nginx:latest                                                                                                                                                                                                       3.6s
 => [1/2] FROM docker.io/library/nginx:latest@sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097                                                                                                                                                 2.5s
 => => resolve docker.io/library/nginx:latest@sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097                                                                                                                                                 0.0s
 => => extracting sha256:1fe172e4850f03bb45d41a20174112bc119fbfec42a650edbbd8491aee32e3c3                                                                                                                                                                             1.3s
 => => extracting sha256:35c195f487df68cfbbecd2870aefb0ea52015fdb9ef15fd780838efc675dba45                                                                                                                                                                             1.0s
 => => extracting sha256:213b9b16f4959ca5e12777fa9977f178cf778f615f893f859f2a4ce19838c485                                                                                                                                                                             0.0s
 => => extracting sha256:a8172d9e19b90893f2eda38b25c9095c9822c924d7a44c7eeb44b30b0a639b9e                                                                                                                                                                             0.0s
 => => extracting sha256:f5eee2cb2150b290f85c57dd78b1470b77819b511d092c9be1b10876ca48b885                                                                                                                                                                             0.0s
 => => extracting sha256:93e404ba8667c79caef3367388107d653d53c3ff8cd885fca19de1cdd13ac685                                                                                                                                                                             0.1s
 => [2/2] RUN echo "hello word" >/usr/share/nginx/html/index.html                                                                                                                                                                                                     0.3s
 => exporting to oci image format                                                                                                                                                                                                                                     2.4s
 => => exporting layers                                                                                                                                                                                                                                               0.4s
 => => exporting manifest sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913                                                                                                                                                                     0.0s
 => => exporting config sha256:857f00a5a814fe7d57903278cdcd13e0e3febe00967eb0aef83bea4186a92812                                                                                                                                                                       0.0s
 => => sending tarball                                                                                                                                                                                                                                                2.0s
unpacking docker.io/library/nginx:nerdctl (sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913)...done
unpacking overlayfs@sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913 (sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913)...done
[root@one full]# 

Check the built image:

[root@one full]# nerdctl images 
WARN[0000] unparsable image name "overlayfs@sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913" 
WARN[0000] unparsable image name "overlayfs@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8" 
REPOSITORY                             TAG        IMAGE ID        CREATED           SIZE
ccr.ccs.tencentyun.com/piao/busybox    latest     d2b53584f580    2 hours ago       1.3 MiB
busybox                                latest     d2b53584f580    5 hours ago       1.3 MiB
nginx                                  alpine     5a0df7fb7c8c    6 days ago        16.0 KiB
nginx                                  latest     859ab6768a6f    6 hours ago       16.0 KiB
nginx                                  nerdctl    31645ca78f4a    50 seconds ago    24.0 KiB
                                                  31645ca78f4a    50 seconds ago    24.0 KiB
                                                  d2b53584f580    39 minutes ago    1.3 MiB

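The built image is now visible, but WARN[0000] unparsable image name xxxx warnings appear, and the image list also shows images with an empty tag whose ID matches the built image. This problem is also mentioned in a nerdctl GitHub issue: https://github.com/containerd/nerdctl/issues/177. It has not been fixed so far; fortunately it is only a warning and does not affect usage.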

Start a container from the built image to test it:

[root@one full]# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:nerdctl 
6d7656bff4288f8a3d1b7c9f4942ab90fcd421f4d529fc76ac7a53158786a1e3

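If you still want to use docker compose on a single host, nerdctl provides a compatible feature under containerd.
You can use nerdctl compose, nerdctl compose up, nerdctl compose logs, nerdctl compose build, nerdctl compose down and similar commands to manage Compose services. In this way containerd, together with nerdctl, buildkit and similar tools, can fully replace Docker for building images and for managing images and containers.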
