如何使用 cri-o

image.png

本教程将引导你如何安装CRI-O（基于Open Container Initiative的Kubernetes Container Runtime Interface的实现）以及创建运行在Pod中的Redis服务器。

系统要求

ubntu16.04

安装

需要安装的组件:

• crio - 管理pods，实现了kubernetes的CRI
• crictl - CRI的client
• cni - 容器网络接口
• runc - 启动容器的OCI运行时

runc

下载runc的二进制可执行文件

wget https://github.com/opencontainers/runc/releases/download/v1.0.0-rc4/runc.amd64

设置可执行权限并移动到指定的目录

chmod +x runc.amd64

sudo mv runc.amd64 /usr/bin/runc

检查runc的版本

runc --version

runc --version
runc version 1.0.0-rc4
spec: 1.0.0

cri-o

cri-o没有release的二进制可执行文件，所以需要从源码build。

下载Go安装包

wget https://dl.google.com/go/go1.10.2.linux-amd64.tar.gz

安装Go 1.10.2

tar -C /usr/local -zxf go1.10.2.linux-amd64.tar.gz

mkdir -p $HOME/go/src

export GOPATH=$HOME/go

export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

Go应该安装好啦

go version

go version go1.10.2 linux/amd64

下载crictl

go get github.com/kubernetes-incubator/cri-tools/cmd/crictl
cd $GOPATH/src/github.com/kubernetes-incubator/cri-tools
make
make install

编译可执行文件

sudo apt-get update && apt-get install -y libglib2.0-dev \
                                          libseccomp-dev \
                                          libgpgme11-dev \
                                          libdevmapper-dev \
                                          make \
                                          git

go get -d github.com/kubernetes-incubator/cri-o

cd $GOPATH/src/github.com/kubernetes-incubator/cri-o

make install.tools
make 
make install

如果你是第一次安装，要生成配置文件

make install.config

验证注册信息

如果没有这些配置项，需要自己配置。

registries = ['registry.access.redhat.com', 'registry.fedoraproject.org', 'docker.io']

启动进程crio

sudo sh -c 'echo "[Unit]
Description=OCI-based implementation of Kubernetes Container Runtime Interface
Documentation=https://github.com/kubernetes-incubator/cri-o

[Service]
ExecStart=/usr/local/bin/crio --log-level debug
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target" > /etc/systemd/system/crio.service'

systemctl daemon-reload
systemctl enable crio
systemctl start crio

检查进程是否启动成功

crictl --runtime-endpoint unix:///var/run/crio/crio.sock version

Version:  0.1.0
RuntimeName:  cri-o
RuntimeVersion:  1.10.0-dev
RuntimeApiVersion:  v1alpha1

cni 插件安装

下载cni的源代码

go get -d github.com/containernetworking/plugins

cd $GOPATH/src/github.com/containernetworking/plugins

编译CNI二进制文件

./build.sh

输出信息

Building plugins
  bandwidth
  flannel
  portmap
  tuning
  bridge
  host-device
  ipvlan
  loopback
  macvlan
  ptp
  vlan
  dhcp
  host-local
  static
  sample

安装CNI插件

mkdir -p /opt/cni/bin
cp bin/* /opt/cni/bin/

配置CNI

mkdir -p /etc/cni/net.d

sudo sh -c 'cat >/etc/cni/net.d/10-mynet.conf <<-EOF
{
    "cniVersion": "0.2.0",
    "name": "mynet",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
        "type": "host-local",
        "subnet": "10.88.0.0/16",
        "routes": [
            { "dst": "0.0.0.0/0"  }
        ]
    }
}
EOF'

sudo sh -c 'cat >/etc/cni/net.d/99-loopback.conf <<-EOF
{
    "cniVersion": "0.2.0",
    "type": "loopback"
}
EOF'

安装skopeo-containers

sudo add-apt-repository ppa:projectatomic/ppa
sudo apt-get update
sudo apt-get install skopeo-containers -y

重启cri-o来启动CNI

systemctl restart crio

现在CNI安装并且配置好啦，使用10.88.0.0/16的网段来分配给容器。
一切准备就绪，现在我们可以创建pods，接下来演示如何在pod中创建一个redis server。

创建一个pod

首先需要设置pod sandbox的配置

cd $GOPATH/src/github.com/kubernetes-incubator/cri-o
mkdir /etc/containers/
cp test/policy.json /etc/containers

创建pod并且获得pod的ID

POD_ID=$(sudo crictl runp test/testdata/sandbox_config.json)

用crictl查看pod的信息

sudo crictl inspectp --output table $POD_ID

输出信息

ID: f66df6126fe9a2e4cf056598afeb1c13a54568c850ead8582924b47b0decc128
Name: podsandbox1
UID: redhat-test-crio
Namespace: redhat.test.crio
Attempt: 1
Status: SANDBOX_READY
Created: 2018-05-17 03:25:19.327406442 +0000 UTC
IP Address: 10.88.0.2
Labels:
    group -> test
    io.kubernetes.container.name -> POD
Annotations:
    owner -> hmeng
    security.alpha.kubernetes.io/seccomp/pod -> unconfined
Info: map[version:{"version":"1.11.0-dev"}]

在pod中创建redis容器

用crictl 拉取redis镜像，根据配置文件创建redis容器，并且附着到之前创建的pod中。

crictl pull quay.io/crio/redis:alpine
CONTAINER_ID=$(sudo crictl create $POD_ID test/testdata/container_redis.json test/testdata/sandbox_config.json)

启动redis容器

crictl start $CONTAINER_ID

查看容器的日志

crictl inspect $CONTAINER_ID

{
  "status": {
    "id": "90688b328b0345e682d407ca99472e30bda036d9a0803878328ee43c2b5cf11b",
    "metadata": {
      "attempt": 0,
      "name": "podsandbox1-redis"
    },
    "state": "CONTAINER_RUNNING",
    "createdAt": "2018-05-17T03:26:28.363615962Z",
    "startedAt": "2018-05-17T03:26:36.152514904Z",
    "finishedAt": "1970-01-01T00:00:00Z",
    "exitCode": 0,
    "image": {
      "image": "quay.io/crio/redis:alpine"
    },
    "imageRef": "quay.io/crio/redis@sha256:1780b5a5496189974b94eb2595d86731d7a0820e4beb8ea770974298a943ed55",
    "reason": "",
    "message": "",
    "labels": {
      "tier": "backend"
    },
    "annotations": {
      "pod": "podsandbox1"
    },
    "mounts": null,
    "logPath": "/var/log/crio/pods/f66df6126fe9a2e4cf056598afeb1c13a54568c850ead8582924b47b0decc128/90688b328b0345e682d407ca99472e30bda036d9a0803878328ee43c2b5cf11b.log"
  }
}

测试redis容器

连接容器

telnet 10.88.0.2 6379

Trying 10.88.0.2...
Connected to 10.88.0.2.
Escape character is '^]'.

根据提示出入MONITOR

Trying 10.88.0.2...
Connected to 10.88.0.2.
Escape character is '^]'.
MONITOR
+OK

输入ctrl+ 」和quit退出连接

^]

telnet> quit
Connection closed.

查看redis的日志

journalctl -u crio --no-pager

停止并且删除容器

crictl stop $CONTAINER_ID
crictl rm $CONTAINER_ID
crictl stopp $POD_ID
crictl rmp $POD_ID

查看是否删除

crictl pods
crictl ps