entityMap|0|type|IMAGE|mutability|IMMUTABLE|data|imageUrl|https://ask.qcloudimg.com/http-save/1319879/xlyb0th1c7.png|name|image|blockWidth|blockHeight|1|https://ask.qcloudimg.com/http-save/1319879/rchsiecsii.png|2|https://ask.qcloudimg.com/http-save/1319879/0r84irf8c5.png|3|https://ask.qcloudimg.com/http-save/1319879/cczv8nowa1.png|4|https://ask.qcloudimg.com/http-save/1319879/7z2bq3l54g.png|5|https://ask.qcloudimg.com/http-save/1319879/v9xrgk5bht.png|6|https://ask.qcloudimg.com/http-save/1319879/1tsmkcrhze.png|7|https://ask.qcloudimg.com/http-save/1319879/ztykbbu2la.png|8|LINK|MUTABLE|url|https://cloud.tencent.com/developer/article/1579727?s=original-sharing|9|https://github.com/kata-containers/documentation/blob/master/how-to/containerd-kata.md|10|https://github.com/containerd/cri/blob/master/docs/config.md|11|https://feisky.gitbooks.io/kubernetes/plugins/CRI.html|12|https://blog.csdn.net/u011563903/article/details/90743853|13|https://github.com/kubernetes/cri-api/blob/master/pkg/apis/runtime/v1alpha2/api.proto|14|https://github.com/containerd/cri|15|https://github.com/containerd/containerd|16|https://zhuanlan.zhihu.com/p/47012368|17|https://github.com/kubernetes-sigs/cri-tools|blocks|key|ccsii|text|简介|header-one|depth|inlineStyleRanges|entityRanges|bsr99|CRI+是什么|header-two|egbb5|容器运行时插件（Container+Runtime+Interface，简称+CRI）是+Kubernetes+v1.5+引入的容器运行时接口，它将+Kubelet+与容器运行时解耦，将原来完全面向+Pod+级别的内部接口拆分成面向+Sandbox+和+Container+的+gRPC+接口，并将镜像管理和容器管理分离到不同的服务。|unordered-list-item|6g0hi|CRI+主要定义了两个+grpc+interface.|emdti|RuntimeService：容器(container)+和+(Pod)Sandbox+运行时管理|offset|length|style|CODE|2d5g5|ImageService：拉取、查看、和移除镜像|5udl1|OCI+(开放容器标准):+定义了+ImageSpec（镜像格式,+比如文件夹结构，压缩方式）和+RuntimeSpec（如何运行，比如支持+create,+start,+stop,+delete）|14sci|代表实现有：runC，Kata（以及它的前身+runV+和+Clear+Containers），gVisor|7c648|CRI+区别于+OCI，CRI的定义比较简单直接，只是定义了一套协议（grpc+接口）。|gmsc|代表实现有+kubernetest+内置的+dockershim,+CRI-containerd（或者+containerd+with+CRI+plugin）,+cri-o|6do4g|CRI+位于什么位置|epqot|在+kubernetes+中:|unstyled|b4fnk|[image]|atomic|3qa0u|co0g6|在和OCI，调度层的角度看:+|bd1va|graph+LR
OrchestrationAPI+-->+ContainerAPI-criRuntime
ContainerAPI-criRuntime+-->+KernelAPI-ociRuntime|code-block|syntex|4h0gk|CRI/CRI+Runtime|8ch9i|CRI+Runtime+的执行流程|dju94|经典的+kubernetes+runtime+执行流程|header-three|2o046|4qm8t|执行流程里面核心组件是+kubelet/KubeGenericRuntimeManager+他调用很多其他组件，比如+cm+(ContainerManager/podContainerManager/cgroupManager/cpuManager/deviceManager,+pod+级别的资源管理),+RuntimeService+(grpc+调用+CRI+的客户端)+共同完成+SyncPod+的操作。|5lkvo|经典的+dockershim+->+containerd+的流程+(称为+docker+cri)|40p1i|rmna|Kubelet+通过+CRI+接口（gRPC）调用+dockershim，请求创建一个容器。CRI+即容器运行时接口（Container+Runtime+Interface），这一步中，Kubelet+可以视作一个简单的+CRI+Client，而+dockershim+就是接收请求的+Server。目前+dockershim+的代码其实是内嵌在+Kubelet+中的，所以接收调用的凑巧就是+Kubelet+进程|ordered-list-item|87iu5|dockershim+收到请求后，转化成+Docker+Daemon+能听懂的请求，发到+Docker+Daemon+上请求创建一个容器。|ekc30|Docker+Daemon+早在+1.12+版本中就已经将针对容器的操作移到另一个守护进程——containerd+中了，因此+Docker+Daemon+仍然不能帮我们创建容器，而是要请求+containerd+创建一个容器；|bdb5n|containerd+收到请求后，并不会自己直接去操作容器，而是创建一个叫做+containerd-shim+的进程，让+containerd-shim+去操作容器。这是因为容器进程需要一个父进程来做诸如收集状态，维持+stdin+等+fd+打开等工作。而假如这个父进程就是+containerd，那每次+containerd+挂掉或升级，整个宿主机上所有的容器都得退出了。而引入了+containerd-shim+就规避了这个问题（containerd+和+shim+并不是父子进程关系）；|76mds|我们知道创建容器需要做一些设置+namespaces+和+cgroups，挂载+root+filesystem+等等操作，而这些事该怎么做已经有了公开的规范了，那就是+OCI（Open+Container+Initiative，开放容器标准）。它的一个参考实现叫做+runC。于是，containerd-shim+在这一步需要调用+runC+这个命令行工具，来启动容器；|2al87|runC+启动完容器后本身会直接退出，containerd-shim+则会成为容器进程的父进程，负责收集容器进程的状态，上报给+containerd，并在容器中+pid+为+1+的进程退出后接管容器中的子进程进行清理，确保不会出现僵尸进程。|dnaf1|直接对接+cri-containerd/cri-o+的运行时|ah20u|73ihg|cbvbg|使用+cri-containerd+的调用流程更为简洁,+省去了上面的调用流程的+1，2+两步|6a9fl|常见+CRI+runtime+实现|stgd|3fgle|Cri-containerd|9sh0t|7ggd1|执行流程为:|73db3|Kubelet+通过+CRI+runtime+service+API+调用+cri+plugin+创建+pod|6ariq|cri+通过+CNI+创建+pod+的网络配置和+namespace|1pkr8|cri+使用+containerd+创建并启动+pause+container+(sandbox+container)+并且把这个+container+置于+pod+的+cgroups/namespace|755d0|Kubelet+接着通过+CRI+image+service+API+调用+cri+plugin,+获取容器镜像|lbbg|cri+通过+containerd+获取容器镜像|c88ij|Kubelet+通过+CRI+runtime+service+API+调用+cri,+在+pod+的空间使用拉取的镜像启动容器|5easf|cri+通过+containerd+创建/启动+应用容器,+并且把+container+置于+pod+的+cgroups/namespace.+Pod+完成启动.|e8a16|实践|307cl|准备集群|84po2|使用+terraform+在腾讯云上创建+tke+测试集群|3e1bt|#+Configure+the+TencentCloud+Provider
provider+"tencentcloud"+{
++secret_id++=+var.secret_id
++secret_key+=+var.secret_key
++region+++++=+var.region
}

#+test+cluster
resource+"tencentcloud_kubernetes_cluster"+"managed_cluster"+{
++vpc_id++++++++++++++++++=+var.vpc
++cluster_cidr++++++++++++=+"10.4.0.0/16"
++cluster_max_pod_num+++++=+32
++cluster_name++++++++++++=+"test"
++cluster_desc++++++++++++=+"test+cluster+desc"
++cluster_max_service_num+=+32
++container_runtime++++++++++=+"containerd"
++cluster_version++++++++++++=+"1.14.3"

++worker_config+{
++++count++++++++++++++++++++++=+2
++++availability_zone++++++++++=+var.availability_zone
++++instance_type++++++++++++++=+var.default_instance_type
++++system_disk_size+++++++++++=+50
++++security_group_ids+++++++++=+[var.sg]
++++internet_charge_type+++++++=+"TRAFFIC_POSTPAID_BY_HOUR"
++++internet_max_bandwidth_out+=+100
++++public_ip_assigned+++++++++=+true
++++subnet_id++++++++++++++++++=+var.subnet
++++enhanced_security_service+=+false
++++enhanced_monitor_service++=+false
++++key_ids+++++++++++++++++++=+[var.key_id]
++}

++cluster_deploy_type+=+"MANAGED_CLUSTER"
}|csvd4|用+bash+实现一个+CRI+runtime|4df3v|CRI+runtime+的实现需要实现大量+API，这里我们做一个简单的+shell+脚本，将请求转发给+runc，同时打印出调用的参数。把这个脚本命名为+runb|6j0dl|$+cat+/usr/local/bin/runb
#!/bin/bash+-e
echo+"["`date+--iso-8601=seconds`"]+call+runb:+$@"+>>+/var/log/runb.log
exec+runc+$@|c8nal|使用+ctr/crictl+测试|9s44c|ctr+是调用containerd+的命令行工具，而+crictl+是调用+cri+相关+api+的工具，一个测试的例子+参考这里|e2bdr|配置+containerd，+使用+k8s+yaml+测试|d8m37|在+/etc/containerd/config.toml+下面添加如下的配置，配置+runtime+为+runb，二进制程序为+runb.+containerd+的配置因版本变化有所不同，具体可以参考这里。重启+containerd|fnmi1|++++++[plugins.cri.containerd.runtimes.runb]
+++++++++runtime_type+=+"io.containerd.runc.v1"
+++++++++[plugins.cri.containerd.runtimes.runb.options]
+++++++++++NoPivotRoot+=+false
+++++++++++NoNewKeyring+=+false
+++++++++++ShimCgroup+=+""
+++++++++++IoUid+=+0
+++++++++++IoGid+=+0
+++++++++++BinaryName+=+"runb"
+++++++++++Root+=+""
+++++++++++CriuPath+=+""
+++++++++++SystemdCgroup+=+false|4lrus|用+kubectl+把名为+runb+的+runtimeclass+创建出来|vjp3|apiVersion:+node.k8s.io/v1beta1++#+RuntimeClass+is+defined+in+the+node.k8s.io+API+group
kind:+RuntimeClass
metadata:
++name:+runb++#+The+name+the+RuntimeClass+will+be+referenced+by
++#+RuntimeClass+is+a+non-namespaced+resource
handler:+runb++#+The+name+of+the+corresponding+CRI+configuration|dh2tr|创建一个使用+runb+为runtime+的pod|8oqtg|root@VM-8-12-ubuntu:~#+cat+nginx.yaml
apiVersion:+v1
kind:+Pod
metadata:
++name:+nginx
spec:
++runtimeClassName:+runb
++containers:
++++-+image:+nginx
++++++name:+nginx
++++++ports:
++++++++-+containerPort:+80
++++++++++name:+http|cqr25|观察创建结果和+runb+的输出日志|f5qpn|root@VM-8-12-ubuntu:~#+crictl+ps
CONTAINER+ID++++++++IMAGE+++++++++++++++CREATED+++++++++++++STATE+++++++++++++++NAME++++++++++++++++ATTEMPT+++++++++++++POD+ID
d0e454f31ad06+++++++2073e0bcb60ee+++++++11+minutes+ago++++++Running+++++++++++++nginx+++++++++++++++0+++++++++++++++++++f640723d57cc2

root@VM-8-12-ubuntu:~#+head+/var/log/runb.log
starting+with+runb+-namespace+default+-address+/run/containerd/containerd.sock+-publish-binary+/usr/local/bin/containerd+-id+hello+-debug+start
starting+with+runb:+--root+/run/containerd/runc/k8s.io+--log+/run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json+--log-format+json+create+--bundle+/run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac+--pid-file+/run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/init.pid+5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac
starting+with+runb:+--root+/run/containerd/runc/k8s.io+--log+/run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json+--log-format+json+state+5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac
starting+with+runb:+--root+/run/containerd/runc/k8s.io+--log+/run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json+--log-format+json+start+5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac
starting+with+runb:+--root+/run/containerd/runc/k8s.io+--log+/run/containerd/io.containerd.runtime.v2.task/k8s.io/5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac/log.json+--log-format+json+state+5dd814edd58826c3ebcfa87ae96bb972b1541d6007f7f7ed5c01a4da639b0fac|bk957|参考|ekoi1|CRI-feisky|7751c|K8S+Runtime+CRI+OCI+contained+dockershim+理解|bc6oa|CRI+API+定义|8escg|cri-containerd|2v10s|containerd|2go53|K8S+容器运行时-feisky|1sbls|critools^VQ|CU|1GI|N8|VG|I9|13S|BQ|18G|DG|128|BU|19I|KG|1A0|J6|0|0|0|0|1|0|E|1|0|C|0|1|0|1|0|0|0|0|7|0|0|0|7|1|0|0|0|0|0|0|0|7|2|0|0|0|0|7|3|0|0|0|0|0|0|0|0|0|7|4|0|0|7|5|0|0|0|0|7|6|0|0|0|7|7|0|0|0|0|0|0|0|0|0|0|0|3|9|8|0|0|0|0|0|0|1P|4|9|0|0|2T|2|A|0|0|0|0|0|0|0|0|0|0|A|B|0|0|17|C|0|0|A|D|0|0|E|E|0|0|A|F|0|0|G|G|0|0|8|H^^$0|$1|$2|3|4|5|6|$7|8|9|A|B|5O|C|5P]]|D|$2|3|4|5|6|$7|E|9|A|B|5Q|C|5R]]|F|$2|3|4|5|6|$7|G|9|A|B|5S|C|5T]]|H|$2|3|4|5|6|$7|I|9|A|B|5U|C|5V]]|J|$2|3|4|5|6|$7|K|9|A|B|5W|C|5X]]|L|$2|3|4|5|6|$7|M|9|A|B|5Y|C|5Z]]|N|$2|3|4|5|6|$7|O|9|A|B|60|C|61]]|P|$2|3|4|5|6|$7|Q|9|A|B|62|C|63]]|R|$2|S|4|T|6|$U|V]]|W|$2|S|4|T|6|$U|X]]|Y|$2|S|4|T|6|$U|Z]]|10|$2|S|4|T|6|$U|11]]|12|$2|S|4|T|6|$U|13]]|14|$2|S|4|T|6|$U|15]]|16|$2|S|4|T|6|$U|17]]|18|$2|S|4|T|6|$U|19]]|1A|$2|S|4|T|6|$U|1B]]|1C|$2|S|4|T|6|$U|1D]]]|1E|@$1F|1G|1H|1I|2|1J|1K|64|1L|@]|1M|@]|6|$]]|$1F|1N|1H|1O|2|1P|1K|65|1L|@]|1M|@]|6|$]]|$1F|1Q|1H|1R|2|1S|1K|66|1L|@]|1M|@]|6|$]]|$1F|1T|1H|1U|2|1S|1K|67|1L|@]|1M|@]|6|$]]|$1F|1V|1H|1W|2|1S|1K|68|1L|@$1X|69|1Y|6A|1Z|20]]|1M|@]|6|$]]|$1F|21|1H|22|2|1S|1K|6B|1L|@$1X|6C|1Y|6D|1Z|20]]|1M|@]|6|$]]|$1F|23|1H|24|2|1S|1K|6E|1L|@]|1M|@]|6|$]]|$1F|25|1H|26|2|1S|1K|6F|1L|@]|1M|@]|6|$]]|$1F|27|1H|28|2|1S|1K|6G|1L|@]|1M|@]|6|$]]|$1F|29|1H|2A|2|1S|1K|6H|1L|@]|1M|@]|6|$]]|$1F|2B|1H|2C|2|1P|1K|6I|1L|@]|1M|@]|6|$]]|$1F|2D|1H|2E|2|2F|1K|6J|1L|@]|1M|@]|6|$]]|$1F|2G|1H|2H|2|2I|1K|6K|1L|@]|1M|@$1X|6L|1Y|6M|1F|6N]]|6|$]]|$1F|2J|1H|2H|2|2I|1K|6O|1L|@]|1M|@$1X|6P|1Y|6Q|1F|6R]]|6|$]]|$1F|2K|1H|2L|2|2F|1K|6S|1L|@]|1M|@]|6|$]]|$1F|2M|1H|2N|2|2O|1K|6T|1L|@]|1M|@]|6|$2P|-3]]|$1F|2Q|1H|2R|2|1J|1K|6U|1L|@]|1M|@]|6|$]]|$1F|2S|1H|2T|2|1P|1K|6V|1L|@]|1M|@]|6|$]]|$1F|2U|1H|2V|2|2W|1K|6W|1L|@]|1M|@]|6|$]]|$1F|2X|1H|2H|2|2I|1K|6X|1L|@]|1M|@$1X|6Y|1Y|6Z|1F|70]]|6|$]]|$1F|2Y|1H|2Z|2|1S|1K|71|1L|@]|1M|@]|6|$]]|$1F|30|1H|31|2|2W|1K|72|1L|@]|1M|@]|6|$]]|$1F|32|1H|2H|2|2I|1K|73|1L|@]|1M|@$1X|74|1Y|75|1F|76]]|6|$]]|$1F|33|1H|34|2|35|1K|77|1L|@]|1M|@]|6|$]]|$1F|36|1H|37|2|35|1K|78|1L|@]|1M|@]|6|$]]|$1F|38|1H|39|2|35|1K|79|1L|@]|1M|@]|6|$]]|$1F|3A|1H|3B|2|35|1K|7A|1L|@]|1M|@]|6|$]]|$1F|3C|1H|3D|2|35|1K|7B|1L|@]|1M|@]|6|$]]|$1F|3E|1H|3F|2|35|1K|7C|1L|@]|1M|@]|6|$]]|$1F|3G|1H|3H|2|2W|1K|7D|1L|@]|1M|@]|6|$]]|$1F|3I|1H|2H|2|2I|1K|7E|1L|@]|1M|@$1X|7F|1Y|7G|1F|7H]]|6|$]]|$1F|3J|1H|2H|2|2I|1K|7I|1L|@]|1M|@$1X|7J|1Y|7K|1F|7L]]|6|$]]|$1F|3K|1H|3L|2|2F|1K|7M|1L|@]|1M|@]|6|$]]|$1F|3M|1H|3N|2|1J|1K|7N|1L|@]|1M|@]|6|$]]|$1F|3O|1H|2H|2|2I|1K|7O|1L|@]|1M|@$1X|7P|1Y|7Q|1F|7R]]|6|$]]|$1F|3P|1H|3Q|2|1P|1K|7S|1L|@]|1M|@]|6|$]]|$1F|3R|1H|2H|2|2I|1K|7T|1L|@]|1M|@$1X|7U|1Y|7V|1F|7W]]|6|$]]|$1F|3S|1H|3T|2|2F|1K|7X|1L|@]|1M|@]|6|$]]|$1F|3U|1H|3V|2|35|1K|7Y|1L|@]|1M|@]|6|$]]|$1F|3W|1H|3X|2|35|1K|7Z|1L|@]|1M|@]|6|$]]|$1F|3Y|1H|3Z|2|35|1K|80|1L|@]|1M|@]|6|$]]|$1F|40|1H|41|2|35|1K|81|1L|@]|1M|@]|6|$]]|$1F|42|1H|43|2|35|1K|82|1L|@]|1M|@]|6|$]]|$1F|44|1H|45|2|35|1K|83|1L|@]|1M|@]|6|$]]|$1F|46|1H|47|2|35|1K|84|1L|@]|1M|@]|6|$]]|$1F|48|1H|49|2|1J|1K|85|1L|@]|1M|@]|6|$]]|$1F|4A|1H|4B|2|1P|1K|86|1L|@]|1M|@]|6|$]]|$1F|4C|1H|4D|2|2F|1K|87|1L|@]|1M|@$1X|88|1Y|89|1F|8A]]|6|$]]|$1F|4E|1H|4F|2|2O|1K|8B|1L|@]|1M|@]|6|$2P|-3]]|$1F|4G|1H|4H|2|1P|1K|8C|1L|@]|1M|@]|6|$]]|$1F|4I|1H|4J|2|2F|1K|8D|1L|@]|1M|@]|6|$]]|$1F|4K|1H|4L|2|2O|1K|8E|1L|@]|1M|@]|6|$2P|-3]]|$1F|4M|1H|4N|2|1P|1K|8F|1L|@]|1M|@]|6|$]]|$1F|4O|1H|4P|2|2F|1K|8G|1L|@]|1M|@$1X|8H|1Y|8I|1F|8J]]|6|$]]|$1F|4Q|1H|4R|2|1P|1K|8K|1L|@]|1M|@]|6|$]]|$1F|4S|1H|4T|2|2F|1K|8L|1L|@]|1M|@$1X|8M|1Y|8N|1F|8O]]|6|$]]|$1F|4U|1H|4V|2|2O|1K|8P|1L|@]|1M|@]|6|$2P|-3]]|$1F|4W|1H|4X|2|2F|1K|8Q|1L|@]|1M|@]|6|$]]|$1F|4Y|1H|4Z|2|2O|1K|8R|1L|@]|1M|@]|6|$2P|-3]]|$1F|50|1H|51|2|2F|1K|8S|1L|@]|1M|@]|6|$]]|$1F|52|1H|53|2|2O|1K|8T|1L|@]|1M|@]|6|$2P|-3]]|$1F|54|1H|55|2|2F|1K|8U|1L|@]|1M|@]|6|$]]|$1F|56|1H|57|2|2O|1K|8V|1L|@]|1M|@]|6|$2P|-3]]|$1F|58|1H|59|2|1J|1K|8W|1L|@]|1M|@]|6|$]]|$1F|5A|1H|5B|2|1S|1K|8X|1L|@]|1M|@$1X|8Y|1Y|8Z|1F|90]]|6|$]]|$1F|5C|1H|5D|2|1S|1K|91|1L|@]|1M|@$1X|92|1Y|93|1F|94]]|6|$]]|$1F|5E|1H|5F|2|1S|1K|95|1L|@]|1M|@$1X|96|1Y|97|1F|98]]|6|$]]|$1F|5G|1H|5H|2|1S|1K|99|1L|@]|1M|@$1X|9A|1Y|9B|1F|9C]]|6|$]]|$1F|5I|1H|5J|2|1S|1K|9D|1L|@]|1M|@$1X|9E|1Y|9F|1F|9G]]|6|$]]|$1F|5K|1H|5L|2|1S|1K|9H|1L|@]|1M|@$1X|9I|1Y|9J|1F|9K]]|6|$]]|$1F|5M|1H|5N|2|1S|1K|9L|1L|@]|1M|@$1X|9M|1Y|9N|1F|9O]]|6|$]]]]

使用 cri-containerd 的调用流程更为简洁, 省去了上面的调用流程的 1，2 两步