写在最前

1. 前置条件

  1. centos7.9 安装与配置

2. 部署流程

2.1 下载安装

如果链接失效或者下载失败，可以使用我已下载好的 cri-containerd-cni-1.7.23-linux-amd64.tar.gz。

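# Download the release tarball together with the SHA-256 checksum published next to it.
wget https://github.com/containerd/containerd/releases/download/v1.7.23/cri-containerd-cni-1.7.23-linux-amd64.tar.gz
wget https://github.com/containerd/containerd/releases/download/v1.7.23/cri-containerd-cni-1.7.23-linux-amd64.tar.gz.sha256sum

# The archive contains etc/, opt/ and usr/ and is unpacked straight onto / (so no
# files need copying afterwards). Because that overwrites files under those system
# directories, extract only after the checksum verifies; "tar -tf" lists the
# contents first if you want to see what will be replaced.
sha256sum -c cri-containerd-cni-1.7.23-linux-amd64.tar.gz.sha256sum && \
  tar -xf cri-containerd-cni-1.7.23-linux-amd64.tar.gz -C /

# Directory for the daemon configuration (-p: harmless when it already exists).
mkdir -p /etc/containerd

# Generate the default configuration; it is adjusted here or replaced further down.
containerd config default >/etc/containerd/config.toml

# Both sed commands are only needed when keeping the generated default; the
# ready-made config written further down already contains these settings.
# containerd 1.7 generates the version-2 layout, where the keys are spelled
# SystemdCgroup and registry.k8s.io/pause:<tag>; the legacy spellings the original
# commands targeted are matched as well, so the edit applies to either layout.
# The registry rewrite keeps whatever pause tag the default uses (confirm the
# mirror carries that tag), and "grep -n pause /etc/containerd/config.toml"
# shows whether the substitution took effect.
sed -i -E 's@(systemd_cgroup|SystemdCgroup) = false@\1 = true@' /etc/containerd/config.toml
sed -i -E 's@(k8s\.gcr\.io|registry\.k8s\.io)/pause:@registry.aliyuncs.com/google_containers/pause:@' /etc/containerd/config.toml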
# 现成的配置

cat >/etc/containerd/config.toml<<EOF
# NOTE(review): this is the config-version-1 key layout (no "version = 2" key;
# tables are named plugins.cri rather than plugins."io.containerd.grpc.v1.cri").
# containerd 1.7 still loads it but logs deprecation warnings for the legacy
# layout and for the v1 linux runtime selected below -- check
# "journalctl -u containerd" after the first start. Indentation under the table
# headers is cosmetic; only the table names matter.

# Data and run-state locations.
root = "/var/lib/containerd"
state = "/run/containerd"
# Negative score: the kernel OOM killer prefers other processes over the daemon.
oom_score = -999

[grpc]
  # Control socket. Anyone who can write to it can start privileged containers,
  # which is equivalent to root on the host; it is root-owned (uid/gid 0), do not
  # widen access to it.
  address = "/run/containerd/containerd.sock"
  uid = 0
  gid = 0
  # 16 MiB in each direction.
  max_recv_message_size = 16777216
  max_send_message_size = 16777216

[debug]
  # Empty address: no debug socket is opened.
  address = ""
  uid = 0
  gid = 0
  level = ""

[metrics]
  # Empty address: the Prometheus endpoint is not exposed. If it is enabled
  # later, bind it to loopback or an admin-only interface.
  address = ""
  grpc_histogram = false

[cgroup]
  # Empty: presumably no dedicated cgroup is created for the daemon itself.
  path = ""

[plugins]
  [plugins.cgroups]
    no_prometheus = false
  [plugins.cri]
    # Streaming (exec/attach/port-forward) is served on loopback only. That bind
    # is what makes enable_tls_streaming = false below acceptable: the plaintext
    # streaming port is never reachable from the network.
    stream_server_address = "127.0.0.1"
    # String-typed in containerd's config; "0" presumably lets the OS choose the port.
    stream_server_port = "0"
    # SELinux labelling of containers is off. On an Enforcing CentOS host consider
    # true so containers get their own labels -- TODO confirm the host policy.
    enable_selinux = false
    # Pause image pulled from a third-party mirror rather than the upstream
    # registry. A tag can be re-pointed by whoever controls the mirror; pinning
    # the digest (image@sha256:...) makes the reference immutable.
    sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.6"
    stats_collect_period = 10
    # The kubelet on this host must use the same cgroup driver (systemd), or pods
    # fail to start. NOTE(review): this option only applies to the v1 linux
    # runtime chosen below; in the version-2 layout it became SystemdCgroup under
    # the runc runtime options.
    systemd_cgroup = true
    enable_tls_streaming = false
    max_container_log_line_size = 16384
    [plugins.cri.containerd]
      snapshotter = "overlayfs"
      # Keep false: true makes runc set up the container root with chroot instead
      # of pivot_root, which weakens filesystem isolation.
      no_pivot = false
      [plugins.cri.containerd.default_runtime]
        # Legacy v1 runtime (deprecated in containerd 1.7, removed in 2.0); the
        # current equivalent is runtime_type = "io.containerd.runc.v2".
        runtime_type = "io.containerd.runtime.v1.linux"
        runtime_engine = "" 
        runtime_root = ""
      [plugins.cri.containerd.untrusted_workload_runtime]
        # Left empty: no separate runtime for pods marked untrusted, so every
        # workload runs under the default runtime above.
        runtime_type = ""
        runtime_engine = ""
        runtime_root = ""
    [plugins.cri.cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      # Template the CRI plugin renders once the kubelet hands over the pod CIDR;
      # make sure this file exists -- TODO confirm it is shipped by the tarball.
      conf_template = "/etc/cni/net.d/10-default.conf"
    [plugins.cri.registry]
      # NOTE(review): the mirrors table is the legacy registry config; containerd
      # 1.7 prefers config_path with per-registry hosts.toml files. Endpoints are
      # presumably tried in the order listed.
      [plugins.cri.registry.mirrors]
        [plugins.cri.registry.mirrors."docker.io"]
          # The second endpoint is plaintext http. For a tag-based pull the
          # manifest digest itself is learned over that channel, so an on-path
          # attacker can substitute an image, and any registry credentials would
          # be exposed. Use an https endpoint or drop it.
          endpoint = [
            "https://docker.mirrors.ustc.edu.cn",
            "http://hub-mirror.c.163.com"
          ]
        [plugins.cri.registry.mirrors."gcr.io"]
          endpoint = [
            "https://gcr.mirrors.ustc.edu.cn"
          ]
        [plugins.cri.registry.mirrors."k8s.gcr.io"]
          endpoint = [
            "https://gcr.mirrors.ustc.edu.cn/google-containers/"
          ]
        [plugins.cri.registry.mirrors."quay.io"]
          endpoint = [
            "https://quay.mirrors.ustc.edu.cn"
          ]
        [plugins.cri.registry.mirrors."harbor.tanqidi.com"]
          # Private registry reached over plaintext http: acceptable only on a
          # trusted network segment, otherwise terminate TLS on the Harbor side.
          endpoint = [
            "http://harbor.tanqidi.com"
          ]
    [plugins.cri.x509_key_pair_streaming]
      # Unused while enable_tls_streaming = false.
      tls_cert_file = ""
      tls_key_file = ""
  [plugins.diff-service]
    default = ["walking"]
  [plugins.linux]
    # Shim and OCI runtime used by the v1 linux runtime. Both are bare names,
    # presumably resolved on PATH, so the replaced /usr/local/sbin/runc has to be
    # the first "runc" found there.
    shim = "containerd-shim"
    runtime = "runc"
    runtime_root = ""
    no_shim = false
    shim_debug = false
  [plugins.opt]
    path = "/opt/containerd"
  [plugins.restart]
    interval = "10s"
  [plugins.scheduler]
    # Pacing of the garbage-collection scheduler for content and snapshots.
    pause_threshold = 0.02
    deletion_threshold = 0
    mutation_threshold = 100
    schedule_delay = "0s"
    startup_delay = "100ms"
EOF

2.2 优化runc

软件包自带的 runc 默认执行时会报错：runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond（该二进制依赖的 libseccomp 符号在 CentOS 7.9 的系统库中不存在），因此需要换用 runc 官方发布的 runc.amd64。如果链接失效或者下载失败，可以使用我已下载好的 runc.amd64。

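# Download the runc binary plus the checksum list shipped with the release
# (the original step showed the URL only, without the wget command).
wget https://github.com/opencontainers/runc/releases/download/v1.2.3/runc.amd64
wget https://github.com/opencontainers/runc/releases/download/v1.2.3/runc.sha256sum

# runc.sha256sum lists every architecture; check just the amd64 entry. CentOS 7's
# coreutils (8.22) lacks sha256sum --ignore-missing, hence the grep. The binary
# is made executable and moved over the runc from the tarball only if the
# checksum matches.
grep ' runc.amd64$' runc.sha256sum | sha256sum -c - && \
  chmod +x runc.amd64 && \
  mv runc.amd64 /usr/local/sbin/runc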

# 试验调用
[root@k8s-master1 k8s-work]# ls -l /usr/local/sbin/runc
-rwxr-xr-x 1 root root 11168096 Jan  4 23:48 /usr/local/sbin/runc
[root@k8s-master1 k8s-work]# runc -v
runc version 1.2.3
commit: v1.2.3-0-g0d37cfd4
spec: 1.2.0
go: go1.22.10
libseccomp: 2.5.5

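# Enable at boot and start immediately. "--now" already starts the unit, so the
# separate "systemctl start" the original ran afterwards was redundant; instead
# confirm the daemon actually came up (prints "active", non-zero exit otherwise).
systemctl enable --now containerd
systemctl is-active containerd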

2.3 代理配置

NO_PROXY 配置部分还不完善，只建议在开发测试环境使用。

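# Drop-in directory for containerd.service (created if it does not exist).
mkdir -p /etc/systemd/system/containerd.service.d

# Write the proxy drop-in. The heredoc delimiter is quoted so a proxy URL that
# contains shell-special characters (a dollar sign in a password, say) is written
# literally. The original NO_PROXY carried an empty entry (",,"); it is removed.
# containerd's image puller uses Go's proxy-environment handling, which accepts
# the CIDR entries below; only the names, addresses and ranges listed bypass the
# proxy, so add the API server, node and private-registry hostnames used here
# (e.g. harbor.tanqidi.com from config.toml) or their traffic goes via the proxy.
cat > /etc/systemd/system/containerd.service.d/http-proxy.conf <<'EOF'
[Service]
Environment="HTTP_PROXY=http://your-proxy-server:port"
Environment="HTTPS_PROXY=http://your-proxy-server:port"
Environment="NO_PROXY=localhost,127.0.0.1,::1,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,.svc,.cluster.local"
EOF

# The file is typically world-readable after creation; if the proxy URL carries
# credentials, keep it readable by root only (systemd reads it as root anyway).
chmod 600 /etc/systemd/system/containerd.service.d/http-proxy.conf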

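# Reload unit files so the new drop-in is picked up, restart, then confirm the
# environment actually reached the service (the output should list the three
# variables; an empty Environment= means the drop-in was not applied).
systemctl daemon-reload
systemctl restart containerd
systemctl show -p Environment containerd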