Containerd Namespace Management
A namespace is a resource-isolation mechanism provided by the operating-system kernel that partitions global system resources into separate logical groups. A process in a namespace sees only the resources inside that namespace (process IDs, network interfaces, filesystem mount points, and so on), and resources in different namespaces are isolated from one another. This mechanism is one of the core foundations of the lightweight virtualization that container technology is built on. (containerd's own namespaces, the subject of this post, borrow the name but are a separate, daemon-level grouping of containerd's objects rather than a kernel feature.)
Viewing the help for containerd's namespace-management commands
[root@containerd ~]# ctr --help
NAME:
ctr -
__
_____/ /______
/ ___/ __/ ___/
/ /__/ /_/ /
\___/\__/_/
containerd CLI
USAGE:
ctr [global options] command [command options] [arguments...]
VERSION:
v1.7.0
DESCRIPTION:
ctr is an unsupported debug and administrative client for interacting
with the containerd daemon. Because it is unsupported, the commands,
options, and operations are not guaranteed to be backward compatible or
stable from release to release of the containerd project.
COMMANDS:
plugins, plugin Provides information about containerd plugins
version Print the client and server versions
containers, c, container Manage containers
content Manage content
events, event Display containerd events
images, image, i Manage images
leases Manage leases
namespaces, namespace, ns Manage namespaces
pprof Provide golang pprof outputs for containerd
run Run a container
snapshots, snapshot Manage snapshots
tasks, t, task Manage tasks
install Install a new package
oci OCI tools
sandboxes, sandbox, sb, s Manage sandboxes
info Print the server info
shim Interact with a shim directly
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--debug Enable debug output in logs
--address value, -a value Address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS]
--timeout value Total timeout for ctr commands (default: 0s)
--connect-timeout value Timeout for connecting to containerd (default: 0s)
--namespace value, -n value Namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
--help, -h show help
--version, -v print the version
namespaces, namespace, ns: any of these three aliases manages containerd namespaces
Viewing the namespace-management subcommands
[root@containerd ~]# ctr ns --help
NAME:
ctr namespaces - Manage namespaces
USAGE:
ctr namespaces command [command options] [arguments...]
COMMANDS:
create, c Create a new namespace
list, ls List namespaces
remove, rm Remove one or more namespaces
label Set and clear labels for a namespace
OPTIONS:
--help, -h show help
Each subcommand in turn
Creating a namespace
[root@containerd ~]# ctr ns c --help
NAME:
ctr namespaces create - Create a new namespace
USAGE:
ctr namespaces create <name> [<key>=<value>]
DESCRIPTION:
create a new namespace. it must be unique
Create the test namespace
[root@containerd ~]# ctr ns c test
[root@containerd ~]#
Listing namespaces
[root@containerd ~]# ctr ns ls --help
NAME:
ctr namespaces list - List namespaces
USAGE:
ctr namespaces list [command options] [flags]
DESCRIPTION:
list namespaces
OPTIONS:
--quiet, -q Print only the namespace name
Check that the namespace was created
[root@containerd ~]# ctr ns ls
NAME LABELS
default
test
[root@containerd ~]#
The test namespace now appears in the list
Deleting a namespace
[root@containerd ~]# ctr ns rm --help
NAME:
ctr namespaces remove - Remove one or more namespaces
USAGE:
ctr namespaces remove [command options] <name> [<name>, ...]
DESCRIPTION:
remove one or more namespaces. for now, the namespace must be empty
OPTIONS:
--cgroup, -c Delete the namespace's cgroup
Delete the test namespace
[root@containerd ~]# ctr ns rm test
test
[root@containerd ~]#
Check the result
[root@containerd ~]# ctr ns ls
NAME LABELS
default
[root@containerd ~]#
Deleted successfully
Combined example:
Create a k8s.io namespace, start a detached (-d) busybox container in that namespace, and enter it
[root@containerd ~]# ctr ns create k8s.io
The namespace was created; now list the container images in it
[root@containerd ~]# ctr -n k8s.io i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
[root@containerd ~]#
The newly created k8s.io namespace does not contain the busybox image pulled earlier.
Reason: namespaces isolate resources. A command run without the -n parameter operates on the default namespace, so the busybox image pulled earlier lives in default and is not visible in the new k8s.io namespace.
--namespace value, -n value Namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
This global option in the ctr help output is the namespace parameter.
Pull the busybox image:
[root@containerd ~]# ctr -n k8s.io images pull --hosts-dir /etc/containerd/certs.d/ docker.io/library/busybox:latest
docker.io/library/busybox:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:182014572d8981d8323fe9944876f63b39694e16ce08ae6296e97686c52b150c: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:80bfbb8a41a2b27d93763e96f5bdccb8ca289387946e406e6f24053f6a8e8494: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:0ed463b26daee791b094dc3fff25edb3e79f153d37d274e5c2936923c38dac2b: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.7 s total: 0.0 B (0.0 B/s)
unpacking linux/amd64 sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e...
done: 122.419149ms
Namespaces only partition containerd's own objects (its containers and images); the registry host configuration given by --hosts-dir is a global, non-namespaced setting, so the image pulls through the same hosts-dir under k8s.io exactly as it would under default.
[root@containerd ~]# ctr -n k8s.io i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/busybox:latest application/vnd.oci.image.index.v1+json sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e 2.1 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/riscv64,linux/s390x,unknown/unknown -
The busybox image is now visible in the k8s.io namespace
Create a detached container
[root@containerd ~]# ctr -n k8s.io run -d docker.io/library/busybox:latest busybox
[root@containerd ~]# ctr -n k8s.io c ls
CONTAINER IMAGE RUNTIME
busybox docker.io/library/busybox:latest io.containerd.runc.v2
[root@containerd ~]# ctr -n k8s.io t ls
TASK PID STATUS
busybox 1943 RUNNING
The -n parameter is a global option and must come directly after ctr, before the subcommand; placed after the subcommand it is not recognized.
Enter the container
[root@containerd ~]# ctr -n k8s.io t exec --exec-id $RANDOM -t busybox sh
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ #
This completes the walkthrough of operations in the k8s.io namespace
Cleaning up
Wrong way:
[root@containerd ~]# ctr ns rm k8s.io
ERRO[0000] unable to delete k8s.io error="namespace \"k8s.io\" must be empty, but it still has images, blobs, containers, snapshots on \"overlayfs\" snapshotter: failed precondition"
ctr: unable to delete k8s.io: namespace "k8s.io" must be empty, but it still has images, blobs, containers, snapshots on "overlayfs" snapshotter: failed precondition
The namespace cannot be deleted directly; the containers, images and other objects inside it must be removed one by one first
[root@containerd ~]# ctr -n k8s.io t ls
TASK PID STATUS
busybox 1943 RUNNING
[root@containerd ~]# ctr -n k8s.io t kill -s 9 busybox
[root@containerd ~]# ctr -n k8s.io c ls
CONTAINER IMAGE RUNTIME
busybox docker.io/library/busybox:latest io.containerd.runc.v2
[root@containerd ~]# ctr -n k8s.io c rm busybox
[root@containerd ~]# ctr -n k8s.io i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/busybox:latest application/vnd.oci.image.index.v1+json sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e 2.1 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/riscv64,linux/s390x,unknown/unknown -
[root@containerd ~]# ctr -n k8s.io i rm docker.io/library/busybox:latest
docker.io/library/busybox:latest
[root@containerd ~]# ctr ns rm k8s.io
k8s.io
[root@containerd ~]# ctr ns ls
NAME LABELS
default
[root@containerd ~]#
Cleanup is complete. The process shows that creating and deleting a single namespace by hand, together with everything inside it, is rather tedious.
This is only an introduction to containerd's basic usage; in practice there is no need to operate on containerd's containers and images by hand, because containerd serves as the container runtime for Kubernetes.
Summary:
This session covered containerd's namespaces.
The essence of a containerd namespace is resource isolation and access control.
In this walkthrough the k8s.io namespace is exactly the namespace Kubernetes uses when it calls containerd; Kubernetes only reads containerd's k8s.io namespace. So when pulling or importing images for use in a Kubernetes cluster, remember to add -n k8s.io, otherwise the cluster cannot find the image and the cause is hard to diagnose.
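The manual cleanup above (kill tasks, delete containers, delete images, then delete the namespace) as a script. This is an added example, not code from the original post; it assumes the ctr commands shown on this page plus `c ls -q` and `i ls -q` (print only names/refs) from ctr's own help, and CTR is a hypothetical override for the ctr command.

```shell
#!/bin/sh
# Added example, not from the original post: empty a containerd namespace in the
# order the page does by hand, then remove it. Assumes `t ls`, `t kill -s 9`,
# `c rm`, `i rm` and `ns rm` as on the page, plus `c ls -q` / `i ls -q` (print only
# container names / image refs) from ctr's own help. CTR is a hypothetical override
# for the ctr command (e.g. CTR="ctr -a /path/to/containerd.sock").
set -u

# Refuse to touch the namespace kubelet owns unless the caller opts in explicitly:
# emptying k8s.io on a live node deletes every pod's container and image.
ctr_ns_purge() {
  ns="$1"; force="${2:-}"
  if [ "$ns" = "k8s.io" ] && [ "$force" != "--force" ]; then
    echo "refusing to purge k8s.io without --force" >&2
    return 2
  fi
  # 1. tasks: a container whose task is still running cannot be removed.
  #    `t kill` is asynchronous; if step 2 reports a running task, rerun.
  ${CTR:-ctr} -n "$ns" t ls | awk 'NR > 1 { print $1 }' | while read -r task; do
    ${CTR:-ctr} -n "$ns" t kill -s 9 "$task"
  done
  # 2. containers (ctr removes a stopped task together with its container,
  #    which is why the page's `c rm` works right after `t kill`)
  for c in $(${CTR:-ctr} -n "$ns" c ls -q); do
    ${CTR:-ctr} -n "$ns" c rm "$c"
  done
  # 3. images, the objects the "must be empty" error complained about
  for ref in $(${CTR:-ctr} -n "$ns" i ls -q); do
    ${CTR:-ctr} -n "$ns" i rm "$ref"
  done
  # 4. the now-empty namespace itself
  ${CTR:-ctr} ns rm "$ns"
}

# Run only when invoked explicitly (./purge.sh --run <ns> [--force]) so the
# file can also be sourced.
if [ "${1-}" = "--run" ]; then shift; ctr_ns_purge "$@"; fi
```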
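A node-side check for the pitfall just described, added here as an example that is not part of the original post: it reports tasks running in any namespace other than k8s.io (which kubelet never created and cannot see) and images pulled into default that k8s.io lacks. It assumes the ctr commands shown on this page plus `i ls -q` (print only image refs) from ctr's own help; CTR is a hypothetical override for the ctr command.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Kubernetes node's containerd
# for objects outside the k8s.io namespace that kubelet drives. Assumes the ctr
# commands on the page plus `i ls -q` (print only image refs) from ctr's own help;
# CTR is a hypothetical override (e.g. CTR="ctr -a /path/to/containerd.sock").
# containerd namespaces only partition the daemon's metadata: any client that can
# reach the socket may pass -n for any of them, so this is hygiene, not a boundary.
set -u

# Parse a "TASK PID STATUS" table (what `ctr t ls` prints) from stdin, drop the
# header line and emit "task pid status" per task.
ctr_tasks_from_table() { awk 'NR > 1 && NF >= 3 { print $1, $2, $3 }'; }

# Tasks running in any namespace other than the managed one ($1, default k8s.io).
# kubelet never created these and never sees them; each deserves an explanation.
audit_unmanaged_tasks() {
  managed="${1:-k8s.io}"
  for ns in $(${CTR:-ctr} ns ls -q); do
    [ "$ns" = "$managed" ] && continue
    ${CTR:-ctr} -n "$ns" t ls | ctr_tasks_from_table |
      while read -r task pid status; do
        printf 'UNMANAGED ns=%s task=%s pid=%s status=%s\n' "$ns" "$task" "$pid" "$status"
      done
  done
}

# Image refs present in $2 (default: default) but absent from $1 (default: k8s.io):
# the "pulled without -n k8s.io, cluster cannot find the image" case from the page.
images_missing_from_managed() {
  managed="${1:-k8s.io}" src="${2:-default}"
  managed_refs=$(${CTR:-ctr} -n "$managed" i ls -q)
  ${CTR:-ctr} -n "$src" i ls -q | while read -r ref; do
    [ -n "$ref" ] || continue
    printf '%s\n' "$managed_refs" | grep -Fxq -- "$ref" ||
      printf 'MISSING-IN-%s %s\n' "$managed" "$ref"
  done
}

audit_node() { audit_unmanaged_tasks "${1:-k8s.io}"; images_missing_from_managed "$@"; }

# Run only when invoked explicitly (./audit.sh --run [managed [src]]) so the file
# can also be sourced.
if [ "${1-}" = "--run" ]; then shift; audit_node "$@"; fi
```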