diff --git "a/docs/zh/docs/StratoVirt/\345\257\271\346\216\245containerd\345\256\211\345\205\250\345\256\271\345\231\250.md" "b/docs/zh/docs/StratoVirt/\345\257\271\346\216\245containerd\345\256\211\345\205\250\345\256\271\345\231\250.md" new file mode 100644 index 0000000000000000000000000000000000000000..2ff4c5663b6b4566b2a79c97323380e993baa612 --- /dev/null +++ "b/docs/zh/docs/StratoVirt/\345\257\271\346\216\245containerd\345\256\211\345\205\250\345\256\271\345\231\250.md" 
@@ -0,0 +1,169 @@ +# 对接contaienrd安全容器 + + +## 概述 + +除了使用 openEuler 自研的 iSula 容器引擎外,StratoVirt 也能与社区主流的容器引擎方案 containerd 进行对接。 + +## 对接contaienrd安全容器 + +### **前提条件** + +已安装 containerd 和 kata-containers,并确保 containerd 支持 shim-v2 容器运行时( containerd 版本 >1.4.3 )和 devicemapper 存储驱动。 + +此处给出通过openEuler yum源安装 containerd 和 kata-containers 并进行相应配置的参考方法。 + +1. 配置 yum 源,使用 root 权限安装 containerd 和 kata-containers : + + ```shell + $ yum install containerd + $ yum install kata-containers + ``` + + 从开源社区下载符合版本的 containerd-CLI : + + ```shell + $ wget https://github.com/containerd/containerd/releases/download/v1.5.2/containerd-1.5.2-linux-amd64.tar.gz + $ tar -zxvf containerd-1.5.2-linux-amd64.tar.gz && sudo cp bin/ctr /usr/bin + ``` + +2. 添加 containerd 系统服务 + + ```shell + $ sudo touch /etc/systemd/system/containerd.service + $ sudo cat > /etc/systemd/system/containerd.service << EOF + [Unit] + Description=containerd container runtime + Documentation=https://containerd.io + After=network.target local-fs.target + + [Service] + ExecStartPre=-/sbin/modprobe overlay + ExecStart=/usr/local/bin/containerd + + Type=notify + Delegate=yes + KillMode=process + Restart=always + RestartSec=5 + # Having non-zero Limit*s causes performance problems due to accounting overhead + # in the kernel. We recommend using cgroups to do container-local accounting. + LimitNPROC=infinity + LimitCORE=infinity + LimitNOFILE=infinity + # Comment TasksMax if your systemd version does not supports it. + # Only systemd 226 and above support this version. + TasksMax=infinity + OOMScoreAdjust=-999 + + [Install] + WantedBy=multi-user.target + EOF + ``` + + 启动 containerd 系统服务 + + ```shell + sudo systemctl daemon-reload && sudo systemctl restart containerd + ``` + +3. 给 containerd 配置 devmapper 存储卷 + + 通过`ctr plugin ls`命令查看 containerd 插件的支持/加载情况 + + ```shell + $ ctr plugin ls + TYPE ID PLATFORMS STATUS + ... + io.containerd.snapshotter.v1 devmapper linux/amd64 error + ... 
+ ``` + + 目前 devmapper 处于 error 状态。 + + 通过以下脚本创建 devmapper 存储卷: + + ``` bash + #!/bin/bash + set -ex + + DATA_DIR=/var/lib/containerd/devmapper + POOL_NAME=devpool + + mkdir -p ${DATA_DIR} + + # Create data file + sudo touch "${DATA_DIR}/data" + sudo truncate -s 100G "${DATA_DIR}/data" + + # Create metadata file + sudo touch "${DATA_DIR}/meta" + sudo truncate -s 10G "${DATA_DIR}/meta" + + # Allocate loop devices + DATA_DEV=$(sudo losetup --find --show "${DATA_DIR}/data") + META_DEV=$(sudo losetup --find --show "${DATA_DIR}/meta") + + # Define thin-pool parameters. + # See https://www.kernel.org/doc/Documentation/device-mapper/thin-provisioning.txt for details. + SECTOR_SIZE=512 + DATA_SIZE="$(sudo blockdev --getsize64 -q ${DATA_DEV})" + LENGTH_IN_SECTORS=$(bc <<< "${DATA_SIZE}/${SECTOR_SIZE}") + DATA_BLOCK_SIZE=128 + LOW_WATER_MARK=32768 + + # Create a thin-pool device + sudo dmsetup create "${POOL_NAME}" \ + --table "0 ${LENGTH_IN_SECTORS} thin-pool ${META_DEV} ${DATA_DEV} ${DATA_BLOCK_SIZE} ${LOW_WATER_MARK}" + ``` + + 将以下字段添加进 containerd 的配置文件`/etc/containerd/config.toml`: + + ```toml + [plugins.devmapper] + pool_name = "devpool" + root_path = "/var/lib/containerd/devmapper" + base_image_size = "10GB" + ``` + + 之后重新启动 containerd 系统服务,再次使用`ctr plugin ls`查看插件的支持/加载情况情况: + + ```shell + $ ctr plugin ls + TYPE ID PLATFORMS STATUS + ... + io.containerd.snapshotter.v1 devmapper linux/amd64 ok + ... + ``` + + 顺利加载 devmapper 插件。 + +4. 
配置 kata-shim-v2 容器运行时 + + 将以下字段添加进 containerd 的配置文件`/etc/containerd/config.toml`: + + ```toml + [plugins.cri] + [plugins.cri.containerd] + default_runtime_name = "runc" + snapshotter = "devmapper" + + [plugins.cri.containerd.runtimes.kata] + runtime_type = "io.containerd.kata.v2" + ``` + + 重新启动 containerd 系统服务。 + + +### **对接指导** + +StratoVirt 对接 kata-containers 的部分与对接 iSula 相同,参见[对接iSula安全容器](../对接iSula安全容器.md)。 + +可以通过以下命令创建测试用containerd安全容器: + +```shell +$ sudo ctr images pull --snapshotter devmapper docker.io/library/busybox:latest +$ sudo ctr run --snapshotter devmapper --runtime "io.containerd.kata.v2" --rm -t "docker.io/library/busybox:latest" test sh +``` + +至此,可以在 test 容器内运行容器命令。 diff --git a/docs/zh/menu/index.md b/docs/zh/menu/index.md index 6e498c1356b4e694881dac754f41ecceaebcbfab..09746a7e7b650b4b25a632e2043c0cb17e486c27 100644 --- a/docs/zh/menu/index.md +++ b/docs/zh/menu/index.md @@ -76,6 +76,7 @@ headless: true - [虚拟机配置]({{< relref "./docs/StratoVirt/虚拟机配置.md" >}}) - [虚拟机管理]({{< relref "./docs/StratoVirt/虚拟机管理.md" >}}) - [对接iSula安全容器]({{< relref "./docs/StratoVirt/对接iSula安全容器.md" >}}) + - [对接containerd安全容器]({{< relref "./docs/StratoVirt/对接containerd安全容器.md" >}}) - [容器用户指南]({{< relref "./docs/Container/container.md" >}}) - [iSula容器引擎]({{< relref "./docs/Container/iSula容器引擎.md" >}}) - [安装、升级与卸载]({{< relref "./docs/Container/安装-升级与卸载.md" >}})
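Review bot: in the systemd-unit step of the new file, `sudo cat > /etc/systemd/system/containerd.service << EOF` does not do what the step intends: the `>` redirection is performed by the caller's shell before `sudo` runs, so as a non-root user it fails with permission denied and the unit body is never written (the preceding `sudo touch` only leaves an empty root-owned file). Use `sudo tee /etc/systemd/system/containerd.service > /dev/null << EOF` or run the step as root. Further points in the same hunk: the H1 and the second heading spell the runtime `contaienrd` while the file name and body say `containerd`; `ExecStart=/usr/local/bin/containerd` should be checked against where the yum-installed containerd package actually places the binary, since the doc installs from the openEuler repo and only copies `ctr` to `/usr/bin`; in the thin-pool script `mkdir -p ${DATA_DIR}` runs without `sudo` although every other write into `/var/lib/containerd/devmapper` uses it, and the `losetup`/`dmsetup create` setup is not persistent across reboots, which deserves a sentence so readers re-create the pool before restarting containerd; and the `[plugins.devmapper]` and `[plugins.cri]` sections use config version 1 key names, so the doc should say they apply only when `/etc/containerd/config.toml` has no `version = 2` line (under version 2 the sections are `[plugins."io.containerd.snapshotter.v1.devmapper"]` and `[plugins."io.containerd.grpc.v1.cri"]`).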
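Review bot: the new menu entry spells the page `对接containerd安全容器`, matching the file name added in the first hunk, but that page's own H1 and second heading read `对接contaienrd安全容器`; align the headings with the sidebar title so the two do not disagree. The entry is otherwise placed consistently, directly after the sibling `对接iSula安全容器` link at the same indent.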