nerdctl: a Docker-compatible CLI built on containerd
Introduction
nerdctl is a Docker-compatible CLI for containerd. It is aimed mainly at users moving from Docker to containerd: containerd's own command-line tools, ctr and crictl, are not very convenient to use, which is why nerdctl appeared.
nerdctl operates on containerd, not on docker. It only keeps the usage conventions of the docker CLI; what it actually drives is containerd.
✅ Same UI/UX as docker
✅ Supports Docker Compose (nerdctl compose up)
✅ [Optional] Supports rootless mode, without slirp overhead (bypass4netns)
✅ [Optional] Supports lazy-pulling (Stargz, Nydus, OverlayBD)
✅ [Optional] Supports encrypted images (ocicrypt)
✅ [Optional] Supports P2P image distribution (IPFS) (1)
✅ [Optional] Supports container image signing and verifying (cosign)
nerdctl is a non-core sub-project of containerd.
Reference:
https://github.com/containerd/nerdctl
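Installation
The official nerdctl releases come in two variants:
- Minimal: contains only the nerdctl binary and the helper install scripts for rootless mode;
- Full: the complete package, which bundles containerd, CNI, runc, BuildKit and the other components.
Download: https://github.com/containerd/nerdctl/releases
Note: the nerdctl-full package bundles containerd. If containerd is already installed on the host, choose the minimal nerdctl package.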
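# Install nerdctl:
# nerdctl download page: https://github.com/containerd/nerdctl/releases/
# Upload the nerdctl package to the host
tar -zxvf nerdctl-1.7.6-linux-amd64.tar.gz -C /usr/local/bin/
# Check the version
nerdctl -v
# nerdctl command completion
yum install bash-completion -y
# Edit /etc/profile and add the following line to it:
vim /etc/profile
source <(nerdctl completion bash)
# Reload the profile
source /etc/profile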
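Make nerdctl available under the name docker
# Wrapper script; "$@" is quoted so that arguments containing spaces are passed through unchanged
cat << 'EOF' > /usr/local/bin/docker
#!/bin/bash
/usr/local/bin/nerdctl "$@"
EOF
chmod +x /usr/local/bin/docker
# Generate the completion files
# nerdctl completion bash > /etc/bash_completion.d/nerdctl
# nerdctl completion bash > /etc/bash_completion.d/docker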
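Install buildkit (optional; used to build images)
# Download from https://github.com/moby/buildkit
# Upload the package to the host
# Create the directory to extract into
mkdir -p /usr/local/buildkit
# Extract into that directory
tar -xf buildkit-v0.13.2.linux-amd64.tar.gz -C /usr/local/buildkit
# Inspect the extracted directory
yum -y install tree
tree /usr/local/buildkit
# Update the PATH environment variable
# Note: use single quotes with echo here. Single quotes write the text verbatim; double quotes would expand the variable
echo 'export PATH=/usr/local/buildkit/bin:$PATH' >> /etc/profile
cat /etc/profile
# Apply the new setting
source /etc/profile
# Create a buildkitd service that starts automatically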
cat > /etc/systemd/system/buildkitd.service << 'EOF'
[Unit]
Documentation=https://github.com/moby/buildkit
Description=buildkitd
After=network.target
[Service]
ExecStart=/usr/local/buildkit/bin/buildkitd --oci-worker=false --containerd-worker=true
[Install]
WantedBy=multi-user.target
EOF
# Reload the unit files
systemctl daemon-reload
# Start the service
systemctl start buildkitd
# Enable start at boot
systemctl enable buildkitd
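Both the nerdctl and the buildkit tarballs above are unpacked as root into directories on PATH. The following is an added example, not part of the original post, that checks a downloaded tarball against a checksum file and screens member paths before extraction. It assumes a SHA256SUMS file in sha256sum format was downloaded alongside the tarball; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: check a release tarball before
# unpacking it as root. SHA256SUMS (sha256sum format) is an assumed input.

# Succeeds if any member name read from stdin is absolute or has a ".." component.
# Names only: symlink targets inside the archive are not inspected.
has_unsafe_path() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# verify_release TARBALL SUMS_FILE
# Returns 0 only if the digest matches and every member stays inside the target dir.
verify_release() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    # sha256sum lines look like "<hex>  name" or "<hex> *name".
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 2; }
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    # List the archive without extracting anything.
    members=$(tar -tzf "$tarball") || return 4
    if printf '%s\n' "$members" | has_unsafe_path; then
        echo "unsafe member path in $name" >&2
        return 3
    fi
    return 0
}

# Constructed sample: a throwaway archive stands in for the real download.
demo() {
    d=$(mktemp -d) || return 1
    echo 'placeholder' > "$d/nerdctl"
    tar -czf "$d/sample.tar.gz" -C "$d" nerdctl
    (cd "$d" && sha256sum sample.tar.gz > SHA256SUMS)
    verify_release "$d/sample.tar.gz" "$d/SHA256SUMS" && ok=0 || ok=$?
    echo 'tampered' >> "$d/sample.tar.gz"   # simulate a modified download
    verify_release "$d/sample.tar.gz" "$d/SHA256SUMS" 2>/dev/null && bad=0 || bad=$?
    rm -rf "$d"
    echo "$ok $bad"
}

demo   # prints "0 1": intact archive accepted, modified archive rejected
```

Run verify_release on the real tarball and extract only when it returns 0.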
Commands
Run nerdctl -h to see the help, which lists every command with a description:
[root@k146 rke2]# nerdctl -h
nerdctl is a command line interface for containerd
Config file ($NERDCTL_TOML): /etc/nerdctl/nerdctl.toml
Usage: nerdctl [flags]
Management commands:
apparmor Manage AppArmor profiles
builder Manage builds
container Manage containers
image Manage images
ipfs Distributing images on IPFS
namespace Manage containerd namespaces
network Manage networks
system Manage containerd
volume Manage volumes
Commands:
attach Attach stdin, stdout, and stderr to a running container.
build Build an image from a Dockerfile. Needs buildkitd to be running.
commit Create a new image from a container's changes
completion Generate the autocompletion script for the specified shell
compose Compose
cp Copy files/folders between a running container and the local filesystem.
create Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
help Help about any command
history Show the history of an image
images List images
info Display system-wide information
inspect Return low-level information on objects.
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a container registry
logout Log out from a container registry
logs Fetch the logs of a container. Expected to be used with 'nerdctl run -d'.
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
push Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS.
rename rename a container
restart Restart one or more running containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
save Save one or more images to a tar archive (streamed to STDOUT by default)
start Start one or more running containers
stats Display a live stream of container(s) resource usage statistics.
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update one or more running containers
version Show the nerdctl version information
wait Block until one or more containers stop, then print their exit codes.
Flags:
-H, --H string Alias of --address (default "/run/containerd/containerd.sock")
-a, --a string Alias of --address (default "/run/containerd/containerd.sock")
--address string containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock")
--cgroup-manager string Cgroup manager to use ("cgroupfs"|"systemd") (default "cgroupfs")
--cni-netconfpath string cni config directory [$NETCONFPATH] (default "/etc/cni/net.d")
--cni-path string cni plugins binary directory [$CNI_PATH] (default "/opt/cni/bin")
--data-root string Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/var/lib/nerdctl")
--debug debug mode
--debug-full debug mode (with full output)
--experimental Control experimental: https://github.com/containerd/nerdctl/blob/main/docs/experimental.md [$NERDCTL_EXPERIMENTAL] (default true)
-h, --help help for nerdctl
--host string Alias of --address (default "/run/containerd/containerd.sock")
--host-gateway-ip string IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host [$NERDCTL_HOST_GATEWAY_IP] (default "192.168.111.146")
--hosts-dir strings A directory that contains <HOST:PORT>/hosts.toml (containerd style) or <HOST:PORT>/{ca.cert, cert.pem, key.pem} (docker style) (default [/etc/containerd/certs.d,/etc/docker/certs.d])
--insecure-registry skips verifying HTTPS certs, and allows falling back to plain HTTP
-n, --n string Alias of --namespace (default "default")
--namespace string containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default")
--snapshotter string containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs")
--storage-driver string Alias of --snapshotter (default "overlayfs")
-v, --version version for nerdctl
Run 'nerdctl COMMAND --help' for more information on a command.
Common nerdctl commands
# nerdctl run: create a container
nerdctl run -d -p 80:80 --name=nginx --restart=always nginx
# nerdctl exec: enter a container
nerdctl exec -it nginx /bin/sh
# nerdctl ps: list containers
nerdctl ps -a
nerdctl -n k8s.io ps -a
# nerdctl inspect: show detailed information about a container
nerdctl inspect nginx
# nerdctl logs: fetch a container's logs
nerdctl logs -f nginx
# nerdctl stop: stop a container
nerdctl stop nginx
# nerdctl rm: remove a container
nerdctl rm -f nginx
nerdctl rmi -f <IMAGE ID>
# nerdctl images: list images
nerdctl images
nerdctl -n=k8s.io images
nerdctl -n=k8s.io images | grep -v '<none>'
# nerdctl pull: pull an image
nerdctl pull nginx
nerdctl -n k8s.io pull nginx
# Log in with nerdctl login --username xxx --password xxx; log out with nerdctl logout
# (a password given with --password ends up in shell history and the process list; nerdctl login also accepts --password-stdin)
nerdctl login
nerdctl logout
# nerdctl tag: tag an image
nerdctl tag nginx:latest harbor.k8s/image/nginx:latest
# nerdctl push: push an image
nerdctl push harbor.k8s/image/nginx:latest
nerdctl -n k8s.io push harbor.k8s/image/nginx:latest
# nerdctl save: export an image
nerdctl save -o busybox.tar.gz busybox:latest
# nerdctl load: import an image
nerdctl load -i busybox.tar.gz
# nerdctl rmi: remove an image
nerdctl rmi busybox
# nerdctl build: build an image from a Dockerfile
nerdctl build -t centos:v1.0 -f centos.dockerfile .
Note: the ctr and nerdctl commands need a namespace to be specified. To manage containers created by k8s, use the k8s.io namespace, i.e. ctr/nerdctl -n k8s.io
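Because nerdctl ps without -n only looks at the default namespace, containers started by Kubernetes or other clients are easy to miss when taking an inventory of a host. The following is an added example, not part of the original post, that walks every containerd namespace; the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Prints "<namespace><TAB><container id>" for every container, stopped ones
# included, in every containerd namespace.
containers_all_namespaces() {
    # "namespace ls -q" prints one namespace name per line.
    nerdctl namespace ls -q | while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        # -a includes stopped containers, -q prints IDs only.
        # </dev/null keeps the inner call from consuming the namespace list.
        nerdctl -n "$ns" ps -a -q </dev/null | while IFS= read -r id; do
            if [ -n "$id" ]; then
                printf '%s\t%s\n' "$ns" "$id"
            fi
        done
    done
}

# Run only where nerdctl is installed.
if command -v nerdctl >/dev/null 2>&1; then
    containers_all_namespaces
fi
```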
References
1. https://www.cnblogs.com/lifuqiang/articles/17850939.html
2. https://www.cnblogs.com/hsyw/p/17695809.html
3. https://github.com/containerd/nerdctl