RuntimeService: runtime management of containers and (Pod) sandboxes
ImageService: pulling, inspecting, and removing images
In Kubernetes:
Looking at and OCI from the orchestration layer's point of view:
```mermaid
graph LR
  OrchestrationAPI --> ContainerAPI-criRuntime
  ContainerAPI-criRuntime --> KernelAPI-ociRuntime
```
With cri-containerd the call flow is simpler: steps 1 and 2 of the call flow above are no longer needed.
The execution flow is:
Use terraform to create a TKE test cluster on Tencent Cloud:
```hcl
# Configure the TencentCloud Provider
provider "tencentcloud" {
  secret_id  = var.secret_id
  secret_key = var.secret_key
  region     = var.region
}

# test cluster
resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
  vpc_id                  = var.vpc
  cluster_cidr            = "10.4.0.0/16"
  cluster_max_pod_num     = 32
  cluster_name            = "test"
  cluster_desc            = "test cluster desc"
  cluster_max_service_num = 32
  container_runtime       = "containerd"
  cluster_version         = "1.14.3"

  worker_config {
    count                      = 2
    availability_zone          = var.availability_zone
    instance_type              = var.default_instance_type
    system_disk_size           = 50
    security_group_ids         = [var.sg]
    internet_charge_type       = "TRAFFIC_POSTPAID_BY_HOUR"
    internet_max_bandwidth_out = 100
    public_ip_assigned         = true
    subnet_id                  = var.subnet
    enhanced_security_service  = false
    enhanced_monitor_service   = false
    key_ids                    = [var.key_id]
  }

  cluster_deploy_type = "MANAGED_CLUSTER"
}
```
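Implementing a CRI runtime means implementing a large number of APIs, so here we write a simple shell script that forwards each request to runc and logs the arguments it was called with. Name the script runb.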
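```bash
$ cat /usr/local/bin/runb
#!/bin/bash -e
# Log a timestamp and the arguments runc is being called with
echo "[$(date --iso-8601=seconds)] call runb: $*" >> /var/log/runb.log
# Hand over to runc, passing every argument through unchanged
exec runc "$@"
```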
ctr is the command-line tool for calling containerd, while crictl is the tool for calling the CRI APIs; for a test example, see here.
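Add the following configuration to /etc/containerd/config.toml. It defines a runtime named runb whose binary is runb. The containerd configuration format differs between versions; see here for details. Then restart containerd.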
```toml
[plugins.cri.containerd.runtimes.runb]
  runtime_type = "io.containerd.runc.v1"
  [plugins.cri.containerd.runtimes.runb.options]
    NoPivotRoot = false
    NoNewKeyring = false
    ShimCgroup = ""
    IoUid = 0
    IoGid = 0
    BinaryName = "runb"
    Root = ""
    CriuPath = ""
    SystemdCgroup = false
```
Use kubectl to create the RuntimeClass named runb:
```yaml
apiVersion: node.k8s.io/v1beta1  # RuntimeClass is defined in the node.k8s.io API group
kind: RuntimeClass
metadata:
  name: runb  # The name the RuntimeClass will be referenced by
  # RuntimeClass is a non-namespaced resource
handler: runb  # The name of the corresponding CRI configuration
```
Create a pod that uses runb as its runtime:
```
root@VM-8-12-ubuntu:~# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  runtimeClassName: runb
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
      name: http
```
Check the result of the creation and the log written by runb:
```
root@VM-8-12-ubuntu:~# crictl ps
CONTAINER ID        IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID
d0e454f31ad06       2073e0bcb60ee       11 minutes ago      Running             nginx               0                   f640723d57cc2
root@VM-8-12-ubuntu:~# head /var/log/runb.log
starting with runb -namespace default -address /run/containerd/containerd.sock -publish-binary /usr/local/bin/containerd -id hello -debug start
starting with runb: --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json --log-format json create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/init.pid 5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac
starting with runb: --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json --log-format json state 5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac
starting with runb: --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json --log-format json start 5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac
starting with runb: --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json --log-format json state 5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac
```
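The wrapper log above can be condensed into one line per container listing the runc subcommands it received, which makes the create/state/start lifecycle easy to audit. This is an added example, not code from the original article; it assumes the `<prefix> runb: <runc args>` line format and that the container ID is the final argument, as in the log shown, and the names `runb_summary` and `sample_log` and the sample IDs are made up for illustration.

```shell
#!/bin/sh
# Added example: condense the runb wrapper log into one line per container.
# Assumed line format: "<prefix> runb: <runc global options> <subcommand> ... <id>".
# Fields are split on whitespace, so arguments containing spaces are not handled.

runb_summary() {
    # Reads log files given as arguments, or stdin when none are given.
    awk '
    {
        # Locate the "runb:" marker; lines without it (shim start-up) are skipped.
        start = 0
        for (i = 1; i <= NF; i++) if ($i == "runb:") { start = i + 1; break }
        if (start == 0) next

        # Step over runc global options to reach the subcommand.
        i = start
        while (i <= NF && substr($i, 1, 2) == "--") {
            if ($i == "--root" || $i == "--log" || $i == "--log-format" || $i == "--criu")
                i += 2      # option with a separate value
            else
                i += 1      # boolean flag or --opt=value
        }
        if (i >= NF) next   # no subcommand, or no argument after it

        cmd = $i
        id = $NF            # assumption: the container ID is the final argument
        if (id in seq) seq[id] = seq[id] "," cmd
        else { order[++n] = id; seq[id] = cmd }
    }
    END { for (k = 1; k <= n; k++) print order[k], seq[order[k]] }
    ' "$@"
}

# Constructed sample input (shortened paths and IDs), not taken from a real node.
sample_log() {
    p='call runb: --root /run/containerd/runc/k8s.io --log /tmp/l.json --log-format json'
    printf '%s\n' \
        'starting with runb -namespace default -id hello -debug start' \
        "[2020-01-01T10:00:00+08:00] $p create --bundle /tmp/b --pid-file /tmp/b/init.pid aaa111" \
        "[2020-01-01T10:00:01+08:00] $p state aaa111" \
        "[2020-01-01T10:00:02+08:00] $p start aaa111" \
        "[2020-01-01T10:00:03+08:00] $p create --bundle /tmp/c --pid-file /tmp/c/init.pid bbb222"
}

sample_log | runb_summary
```

On a node, run `runb_summary /var/log/runb.log`; a container ID that shows subcommands without a preceding `create` is worth a closer look, since the log did not capture its start.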
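Original-content statement: this article is published on the Cloud+ Community (云+社区) with the author's authorization and may not be reproduced without permission.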