【云原生 · Kubernetes】runtime组件

个人名片：
因为云计算成为了监控工程师👨🏻‍💻
个人博客🏆：念舒_C.ying
CSDN主页✏️：念舒_C.ying

8.1 部署cri-o组件

cri-o 实现了 kubernetes 的 Container Runtime Interface (CRI) 接口，提供容器运行时核心功能，如镜像管理、容器管理等，相比 docker 更加简单、健壮和可移植。

containerd cadvisor接口无pod网络不能很直观的监控pod网络使用所以本文选择cri-o

8.2 下载二进制文件

下载二进制文件：

cd /opt/k8s/work
wget https://storage.googleapis.com/cri-o/artifacts/crio.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz
1
2

解压压缩包：

tar -xvf cri-o.amd64.9b7f5ae815c22a1d754abfbc2890d8d4c10e240d.tar.gz
1

8.3 修改配置文件

cri-o 配置文件生成：

cd cri-o/etc
cat > crio.conf <<EOF
[crio]
root = "/var/lib/containers/storage"
runroot = "/var/run/containers/storage"
log_dir = "/var/log/crio/pods"
version_file = "/var/run/crio/version"
version_file_persist = "/var/lib/crio/version"
[crio.api]
listen = "/var/run/crio/crio.sock"
stream_address = "127.0.0.1"
stream_port = "0"
stream_enable_tls = false
stream_tls_cert = ""
stream_tls_key = ""
stream_tls_ca = ""
grpc_max_send_msg_size = 16777216
grpc_max_recv_msg_size = 16777216
[crio.runtime]
default_ulimits = [
"nofile=65535:65535",
"nproc=65535:65535",
"core=-1:-1"
]
default_runtime = "crun"
no_pivot = false
decryption_keys_path = "/apps/crio/keys/"
conmon = "/apps/crio/bin/conmon"
conmon_cgroup = "system.slice"
conmon_env = [
"PATH=/apps/crio/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
default_env = [
]
selinux = false
seccomp_profile = ""
apparmor_profile = "crio-default"
cgroup_manager = "systemd"
default_capabilities = [
"CHOWN",
"MKNOD",
"DAC_OVERRIDE",
"NET_ADMIN",
"NET_RAW",
"SYS_CHROOT",
"FSETID",
"FOWNER",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"KILL",
]
default_sysctls = [
]
additional_devices = [
]
hooks_dir = [
"/apps/crio/containers/oci/hooks.d",
]
default_mounts = [
]
pids_limit = 102400
log_size_max = -1
log_to_journald = false
container_exits_dir = "/apps/crio/run/crio/exits"
container_attach_socket_dir = "/var/run/crio"
bind_mount_prefix = ""
read_only = false
log_level = "info"
log_filter = ""
uid_mappings = ""
gid_mappings = ""
ctr_stop_timeout = 30
manage_ns_lifecycle = true
namespaces_dir = "/apps/crio/run"
pinns_path = "/apps/crio/bin/pinns"
[crio.runtime.runtimes.crun]
runtime_path = "/apps/crio/bin/crun"
runtime_type = "oci"
runtime_root = "/apps/crio/run/crun"
allowed_annotations = [
"io.containers.trace-syscall",
]
[crio.image]
default_transport = "docker://"
global_auth_file = ""
pause_image = "docker.io/juestnow/pause:3.5"
pause_image_auth_file = ""
pause_command = "/pause"
signature_policy = ""
image_volumes = "mkdir"
[crio.network]
network_dir = "/etc/cni/net.d"
plugin_dirs = [
"/opt/cni/bin",
]
[crio.metrics]
enable_metrics = false
metrics_port = 9090
EOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

参数说明：

• root ：容器镜像存放目录；
• runroot ：容器运行目录；
• log_dir ：容器日志默认存放目录 kubelet指定目录就存放kubelet所指定目录；
• default_runtime ：指定默认运行时；
• conmon ：conmon二进制文件的路径，用于监控 OCI 运行时;
• conmon_env ：conmon 运行时的环境变量；
• hooks_dir ：OCIhooks 目录；
• container_exits_dir ：conmon 将容器出口文件写入其中的目录的路径；
• namespaces_dir ：管理命名空间状态被跟踪的目录。仅在 manage_ns_lifecycle 为 true 时使用；
• pinns_path ：pinns_path 是查找 pinns 二进制文件的路径，这是管理命名空间生命周期所必需的 ；
• runtime_path ：运行时可执行文件的绝对路径 ;
• runtime_root ：存放容器的根目录；
• pause_image：pause镜像路径；
• network_dir ： cni 配置文件路径；
• plugin_dirs ：cni 二进制文件存放路径；
• default runtime：使用crun 运行路径：/apps/crio 请根据自己环境修改

cri-o 启动其它所需配置文件生成

cd /opt/k8s/work/cri-o
mkdir containers
cd containers
cat > policy.json <<EOF
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}
EOF
cat >registries.conf <<EOF
# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.
# The default location for this configuration file is
/etc/containers/registries.conf.
# The only valid categories are: 'registries.search', 'registries.insecure',
# and 'registries.block'.
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io',
'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']
# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does
HTTP.
[registries.insecure]
registries = []
# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
# Docker only
[registries.block]
registries = []
EOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

8.4 创建 cri-o systemd unit 文件

cd /opt/k8s/work
cat >crio.service <<EOF
[Unit]
Description=OCI-based implementation of Kubernetes Container Runtime Interface
Documentation=https://github.com/github.com/cri-o/cri-o
[Service]
Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/apps/crio/bin/crio --config /apps/crio/etc/crio.conf --log-level info
Restart=on-failure
RestartSec=5
LimitNOFILE=655350
LimitNPROC=655350
LimitCORE=infinity
LimitMEMLOCK=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

8.5 分发文件

分发二进制文件及配置文件：

cd /opt/k8s/work/cri-o
scp -r {bin,etc} root@192.168.2.175:/apps/crio
scp -r {bin,etc} root@192.168.2.176:/apps/crio
scp -r {bin,etc} root@192.168.2.177:/apps/crio
scp -r {bin,etc} root@192.168.2.185:/apps/crio
scp -r {bin,etc} root@192.168.2.187:/apps/crio
scp -r {bin,etc} root@192.168.3.62:/apps/crio
scp -r {bin,etc} root@192.168.3.70/apps/crio
1
2
3
4
5
6
7
8

分发其它配置文件：

cd /opt/k8s/work/cri-o
scp -r containers root@192.168.2.175:/etc/
scp -r containers root@192.168.2.176:/etc/
scp -r containers root@192.168.2.177:/etc/
scp -r containers root@192.168.2.185:/etc/
scp -r containers root@192.168.2.187:/etc/
scp -r containers root@192.168.3.62:/etc/
scp -r containers root@192.168.3.70:/etc/
1
2
3
4
5
6
7
8

分发启动文件：

cd /opt/k8s/work
scp crio.service root@192.168.2.175:/usr/lib/systemd/system/crio.service
scp crio.service root@192.168.2.176:/usr/lib/systemd/system/crio.service
scp crio.service root@192.168.2.177:/usr/lib/systemd/system/crio.service
scp crio.service root@192.168.2.185:/usr/lib/systemd/system/crio.service
scp crio.service root@192.168.2.187:/usr/lib/systemd/system/crio.service
scp crio.service root@192.168.3.62:/usr/lib/systemd/system/crio.service
scp crio.service root@192.168.3.70:/usr/lib/systemd/system/crio.service
1
2
3
4
5
6
7
8

8.6 启动cri-o 服务

# 全局刷新service
systemctl daemon-reload
# 设置cri-o开机启动
systemctl enable crio
#重启cri-o
systemctl restart crio
1
2
3
4
5
6

8.7 检查启动结果

所有节点执行

systemctl status crio|grep Active
[root@k8s-master-3 bin]# systemctl status crio|grep Active
Active: active (running) since Fri 2022-02-11 13:48:39 CST; 3 days ago
[root@k8s-master-2 ~]# systemctl status crio|grep Active
Active: active (running) since Fri 2022-02-11 13:49:31 CST; 3 days ago
[root@k8s-master-1 ~]# systemctl status crio|grep Active
Active: active (running) since Fri 2022-02-11 13:49:30 CST; 3 days ago
# 请自行全部节点检查
1
2
3
4
5
6
7
8

8.8 创建和分发 crictl 配置文件

crictl 是兼容 CRI 容器运行时的命令行工具，提供类似于 docker 命令的功能。

cd /opt/k8s/work
cat << EOF | sudo tee crictl.yaml
runtime-endpoint: "unix:///var/run/crio/crio.sock"
image-endpoint: "unix:///var/run/crio/crio.sock"
timeout: 10
debug: false
pull-image-on-create: true
disable-pull-on-run: false
EOF
1
2
3
4
5
6
7
8
9

分发到所有节点：

cd /opt/k8s/work
scp crictl.yaml root@192.168.2.175:/etc/crictl.yaml
scp crictl.yaml root@192.168.2.176:/etc/crictl.yaml
scp crictl.yaml root@192.168.2.177:/etc/crictl.yaml
scp crictl.yaml root@192.168.2.185:/etc/crictl.yaml
scp crictl.yaml root@192.168.2.187:/etc/crictl.yaml
scp crictl.yaml root@192.168.3.62:/etc/crictl.yaml
scp crictl.yaml root@192.168.3.70:/etc/crictl.yaml
1
2
3
4
5
6
7
8

8.9 验证cri-o是否能正常访问

# 查询镜像
crictl images
# pull 镜像
crictl pull docker.io/library/busybox:1.24
# 查看容器运行状态
crictl ps -a
1
2
3
4
5
6

期待下次的分享，别忘了三连支持博主呀~
我是 念舒_C.ying ，期待你的关注~💪💪💪

附专栏链接
【云原生 · Kubernetes】apiserver高可用
【云原生 · Kubernetes】kubernetes v1.23.3 二进制部署（三）
【云原生 · Kubernetes】kubernetes v1.23.3 二进制部署（二）
【云原生 · Kubernetes】kubernetes v1.23.3 二进制部署（一）
【云原生 · Kubernetes】Kubernetes 编排部署GPMall（一）
【云原生 · Kubernetes】Kubernetes容器云平台部署与运维
【云原生 · Kubernetes】部署博客系统
【云原生 · Kubernetes】部署Kubernetes集群
【云原生 · Kubernetes】Kubernetes基础环境搭建