写在最前
1. 前置条件
2. 部署流程
2.1 下载安装
如果链接失效或者下载失败可以用我下载好cri-containerd-cni-1.7.23-linux-amd64.tar.gz
# 下载
wget https://github.com/containerd/containerd/releases/download/v1.7.23/cri-containerd-cni-1.7.23-linux-amd64.tar.gz
# 默认解压后会有如下目录:etc, opt, usr 会把对应的目解压到/下对应目录中,这样就省去复制文件步骤。
tar -xf cri-containerd-cni-1.7.23-linux-amd64.tar.gz -C /
# 创建containerd目录,用于存放配置文件
mkdir /etc/containerd
# 生成配置文件并修改
containerd config default >/etc/containerd/config.toml
# 下面的配置文件中已修改,可不执行,仅修改默认时执行。
sed -i 's@systemd_cgroup = false@systemd_cgroup = true@' /etc/containerd/config.toml
# 下面的配置文件中已修改,可不执行,仅修改默认时执行。
sed -i 's@k8s.gcr.io/pause:3.6@registry.aliyuncs.com/google_containers/pause:3.6@' /etc/containerd/config.toml
# 现成的配置
cat >/etc/containerd/config.toml<<EOF
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = -999
[grpc]
address = "/run/containerd/containerd.sock"
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
[debug]
address = ""
uid = 0
gid = 0
level = ""
[metrics]
address = ""
grpc_histogram = false
[cgroup]
path = ""
[plugins]
[plugins.cgroups]
no_prometheus = false
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "0"
enable_selinux = false
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.6"
stats_collect_period = 10
systemd_cgroup = true
enable_tls_streaming = false
max_container_log_line_size = 16384
[plugins.cri.containerd]
snapshotter = "overlayfs"
no_pivot = false
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = ""
runtime_root = ""
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = ""
runtime_engine = ""
runtime_root = ""
[plugins.cri.cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
conf_template = "/etc/cni/net.d/10-default.conf"
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = [
"https://docker.mirrors.ustc.edu.cn",
"http://hub-mirror.c.163.com"
]
[plugins.cri.registry.mirrors."gcr.io"]
endpoint = [
"https://gcr.mirrors.ustc.edu.cn"
]
[plugins.cri.registry.mirrors."k8s.gcr.io"]
endpoint = [
"https://gcr.mirrors.ustc.edu.cn/google-containers/"
]
[plugins.cri.registry.mirrors."quay.io"]
endpoint = [
"https://quay.mirrors.ustc.edu.cn"
]
[plugins.cri.registry.mirrors."harbor.tanqidi.com"]
endpoint = [
"http://harbor.tanqidi.com"
]
[plugins.cri.x509_key_pair_streaming]
tls_cert_file = ""
tls_key_file = ""
[plugins.diff-service]
default = ["walking"]
[plugins.linux]
shim = "containerd-shim"
runtime = "runc"
runtime_root = ""
no_shim = false
shim_debug = false
[plugins.opt]
path = "/opt/containerd"
[plugins.restart]
interval = "10s"
[plugins.scheduler]
pause_threshold = 0.02
deletion_threshold = 0
mutation_threshold = 100
schedule_delay = "0s"
startup_delay = "100ms"
EOF
2.2 优化runc
默认runc执行时提示:runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond,如果链接失效或者下载失败可以用我下载好runc.amd64
# 下载
https://github.com/opencontainers/runc/releases/download/v1.2.3/runc.amd64
# 授权执行权限
chmod +x runc.amd64
# 替换掉原软件包中的runc
mv runc.amd64 /usr/local/sbin/runc
# 试验调用
-rwxr-xr-x 1 root root 11168096 Jan 4 23:48 /usr/local/sbin/runc
[root@k8s-master1 k8s-work]# runc -v
runc version 1.2.3
commit: v1.2.3-0-g0d37cfd4
spec: 1.2.0
go: go1.22.10
libseccomp: 2.5.5
# 启动
systemctl enable --now containerd
systemctl start containerd
2.3 代理配置
NO_PROXY配置部分还不是很完善,只能在开发测试环境使用。
# 编辑 /etc/systemd/system/containerd.service.d/http-proxy.conf 如果文件不存在则创建它
mkdir -p /etc/systemd/system/containerd.service.d
# 生成配置文件
cat > /etc/systemd/system/containerd.service.d/http-proxy.conf <<EOF
[Service]
Environment="HTTP_PROXY=http://your-proxy-server:port"
Environment="HTTPS_PROXY=http://your-proxy-server:port"
Environment="NO_PROXY=localhost,127.0.0.1,::1,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,,.svc,.cluster.local"
EOF
# 重启服务
systemctl daemon-reload
systemctl restart containerd