nerdctl怎么使用

這篇文章主要介紹“nerdctl怎么使用”，在日常操作中，相信很多人在nerdctl怎么使用問(wèn)題上存在疑惑，小編查閱了各式資料，整理出簡(jiǎn)單好用的操作方法，希望對(duì)大家解答”nerdctl怎么使用”的疑惑有所幫助！接下來(lái)，請(qǐng)跟著小編一起來(lái)學(xué)習(xí)吧！

現(xiàn)有 CLI 的不足

雖然 Docker 能干的事情，現(xiàn)在 Containerd 都能干，但 Containerd 還有一個(gè)非常明顯的缺陷：CLI 不夠友好。它無(wú)法像 Docker 和 Podman 一樣通過(guò)一條簡(jiǎn)單的命令啟動(dòng)一個(gè)容器，它的兩個(gè) CLI 工具 ctr 和 crictl 都無(wú)法實(shí)現(xiàn)這么一件非常簡(jiǎn)單的需求，而這個(gè)需求是大多數(shù)人都需要的，我總不能為了在本地測(cè)試容器而專門部署一個(gè) Kubernetes 集群吧？

ctr 的設(shè)計(jì)對(duì)人類不太友好，例如缺少以下這些和 Docker 類似的功能：

• docker run -p <PORT>

• docker run --restart=always

• 通過(guò)憑證文件 ~/.docker/config.json 來(lái)拉取鏡像

• docker logs

除此之外還有一個(gè) CLI 工具叫 crictl，和 ctr 一樣不太友好。

為了解決這個(gè)痛點(diǎn)，Containerd 官方推出了一個(gè)新的 CLI 叫 nerdctl。nerdctl 的使用體驗(yàn)和 docker 一樣順滑，例如：

????  → nerdctl run -d -p 8080:80 --name=nginx --restart=always nginx

nerdctl 只是 docker 的復(fù)制品？

nerdctl 的目標(biāo)并不是單純地復(fù)制 docker 的功能，它還實(shí)現(xiàn)了很多 docker 不具備的功能，例如延遲拉取鏡像（lazy-pulling）、鏡像加密（imgcrypt）等。

延遲拉取鏡像功能可以參考這篇文章：Containerd 使用 Stargz Snapshotter 延遲拉取鏡像。

雖然這些功能預(yù)計(jì)最終也會(huì)在 Docker 中實(shí)現(xiàn)，但可能需要幾個(gè)月甚至幾年的時(shí)間，因?yàn)?Docker 目前的設(shè)計(jì)只使用一小部分 Containerd 子系統(tǒng)。將來(lái) Docker 有可能重構(gòu)代碼以使用完整的 Containerd，但目前還沒(méi)看到什么實(shí)質(zhì)性進(jìn)展。所以 Containerd 社區(qū)決定創(chuàng)建一個(gè)新的 CLI 來(lái)更友好地使用 Containerd。

nerdctl 試用

你可以從 nerdctl 的 release 中下載最新的可執(zhí)行文件，每一個(gè)版本都有兩種可用的發(fā)行版：

• nerdctl-<VERSION>-linux-amd64.tar.gz : 只包含 nerdctl。

• nerdctl-full-<VERSION>-linux-amd64.tar.gz : 包含了 nerdctl 和相關(guān)依賴組件（containerd, runc, CNI, …）。

如果你已經(jīng)安裝了 Containerd，只需要選擇前一個(gè)發(fā)行版，否則就選擇完整版。

安裝好 nerdctl 后，就可以使用 nerdctl 來(lái)運(yùn)行容器了：

????  → nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:alpine

docker.io/library/nginx:alpine:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:d33e9e24389d7d8b90fe2bcc2dd1bc09b4d235e916ba9d5d9a71cf52e340edb6:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:c1f4e1974241c3f9ddb2866b2bf8e7afbceaa42dae82aabda5e946d03f054ed2: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:bfad9487e175364fd6315426feeee34bf5e6f516d2fe6a4e9b592315e330828e:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:29d3f97df6fd99736a0676f9e57e53dfa412cf60b26d95008df9da8197f1f366:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:9aae54b2144e5b2b00c610f8805128f4f86822e1e52d3714c463744a431f0f4a:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:a5f0adaddd5456b7c5a3753ab541b5fad750f0a6499a15f63571b964eb3e2616:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:5df810e1c460527fe400cdd2cab62228f5fb3da0f2dce86a6a6c354972f19b6e:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:345aee38d3533398e0eb7118e4323a8970f7615136f2170dfb2b0278bbd9099d:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e6a4c36d7c0e358e5fc02ccdac645b18b85dcfec09d4fb5f8cbdc187ce9467a0:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 5.7 s                                                                    total:  9.4 Mi (1.6 MiB/s)
27b55e0b18b10c4c8f34e3ba709614e7b1760a75db061d2ce5183e8b1101ce09

查看創(chuàng)建的容器：

????  → nerdctl ps
CONTAINER ID    IMAGE                             COMMAND                   CREATED          STATUS    PORTS                 NAMES
3b5faa266a43    docker.io/library/nginx:alpine    "/docker-entrypoint.…"    3 minutes ago    Up        0.0.0.0:80->80/tcp    nginx

和 Docker 一樣，Containerd 也有一個(gè)子命令 network：

????  → nerdctl network ls
NETWORK ID    NAME               FILE
0             bridge
              k8s-pod-network    /etc/cni/net.d/10-calico.conflist
              host
              none

來(lái)看下默認(rèn)的 bridge 配置：

????  → nerdctl network inspect bridge
[
    {
        "CNI": {
            "cniVersion": "0.4.0",
            "name": "bridge",
            "nerdctlID": 0,
            "plugins": [
                {
                    "type": "bridge",
                    "bridge": "nerdctl0",
                    "isGateway": true,
                    "ipMasq": true,
                    "hairpinMode": true,
                    "ipam": {
                        "type": "host-local",
                        "routes": [
                            {
                                "dst": "0.0.0.0/0"
                            }
                        ],
                        "ranges": [
                            [
                                {
                                    "subnet": "10.4.0.0/24",
                                    "gateway": "10.4.0.1"
                                }
                            ]
                        ]
                    }
                },
                {
                    "type": "portmap",
                    "capabilities": {
                        "portMappings": true
                    }
                },
                {
                    "type": "firewall"
                },
                {
                    "type": "tuning"
                }
            ]
        },
        "NerdctlID": 0
    }
]

可以看到 network 子命令背后還是 CNI 在運(yùn)作，與 docker network 子命令原理不同。

構(gòu)建鏡像

nerdctl 也可以和 buildkit 結(jié)合使用來(lái)構(gòu)建容器鏡像，需要先下載 buildkit 的可執(zhí)行文件：

????  → wget https://github.com/moby/buildkit/releases/download/v0.8.2/buildkit-v0.8.2.darwin-amd64.tar.gz

將其解壓到 $PATH 中：

????  → tar -C /usr/local/ -zxvf buildkit-v0.8.2.linux-amd64.tar.gz

編寫 systemd unit 文件：

# /etc/systemd/system/buildkit.service
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target

啟用 buildkit.service 并設(shè)置開機(jī)自動(dòng)運(yùn)行：

????  → systemctl enable --now buildkit.service

下面以 KubeSphere 項(xiàng)目為例，展示如何使用 nerdctl 來(lái)構(gòu)建鏡像。

首先克隆 KubeSphere 官方倉(cāng)庫(kù)：

????  → git clone --depth=1 https://github.com.cnpmjs.org/kubesphere/kubesphere.git

進(jìn)入倉(cāng)庫(kù)目錄，編譯二進(jìn)制文件：

????  → cd kubesphere
????  → make ks-apiserver

將二進(jìn)制文件拷貝到 Dockerfile 目錄：

????  → cp bin/cmd/ks-apiserver build/ks-apiserver

進(jìn)入 Dockerfile 目錄，修改 Dockerfile：

# Copyright 2020 The KubeSphere Authors. All rights reserved.
# Use of this source code is governed by an Apache license
# that can be found in the LICENSE file.
FROM alpine:3.11

ARG HELM_VERSION=v3.5.2

RUN apk add --no-cache ca-certificates
# install helm
RUN wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz && \
    tar xvf helm-${HELM_VERSION}-linux-amd64.tar.gz && \
    rm helm-${HELM_VERSION}-linux-amd64.tar.gz && \
    mv linux-amd64/helm /usr/bin/ && \
    rm -rf linux-amd64
# To speed up building process, we copy binary directly from make
# result instead of building it again, so make sure you run the
# following command first before building docker image
#   make ks-apiserver
#
COPY  ks-apiserver /usr/local/bin/

EXPOSE 9090
CMD ["sh"]

構(gòu)建鏡像：

????  → cd build/ks-apiserver

????  → nerdctl build -t ks-apiserver .
[+] Building 22.6s (9/9) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                0.0s
 => => transferring dockerfile: 812B                                                                                                                                                0.0s
 => [internal] load .dockerignore                                                                                                                                                   0.0s
 => => transferring context: 2B                                                                                                                                                     0.0s
 => [internal] load metadata for docker.io/library/alpine:3.11                                                                                                                      1.0s
 => [1/4] FROM docker.io/library/alpine:3.11@sha256:bf5fa774f08a9ed2cb301e522b769d43d48124315a4ec50eae3228d03b9dc558                                                                7.9s
 => => resolve docker.io/library/alpine:3.11@sha256:bf5fa774f08a9ed2cb301e522b769d43d48124315a4ec50eae3228d03b9dc558                                                                0.0s
 => => sha256:9b794450f7b6db7c944ba1f4161edb68cb535052fe7db8ac06e613516c4a658d 2.10MB / 2.82MB                                                                                     21.4s
 => => extracting sha256:9b794450f7b6db7c944ba1f4161edb68cb535052fe7db8ac06e613516c4a658d                                                                                           0.1s
 => [internal] load build context                                                                                                                                                   1.0s
 => => transferring context: 115.87MB                                                                                                                                               1.0s
 => [2/4] RUN apk add --no-cache ca-certificates                                                                                                                                    2.7s
 => [3/4] RUN wget https://get.helm.sh/helm-v3.5.2-linux-amd64.tar.gz &&     tar xvf helm-v3.5.2-linux-amd64.tar.gz &&     rm helm-v3.5.2-linux-amd64.tar.gz &&     mv linux-amd64  4.7s
 => [4/4] COPY  ks-apiserver /usr/local/bin/                                                                                                                                        0.2s
 => exporting to oci image format                                                                                                                                                   5.9s
 => => exporting layers                                                                                                                                                             4.6s
 => => exporting manifest sha256:d7eb2a90496678d11ac5c363b7743ffe2b8e23e7071b94556a5e3231f50f5a6e                                                                                   0.0s
 => => exporting config sha256:8eb6a5187ce958e76c8d37e18221d88f25b48dd7e6672021d0fce21bb071f284                                                                                     0.0s
 => => sending tarball                                                                                                                                                              1.3s
unpacking docker.io/library/ks-apiserver:latest (sha256:d7eb2a90496678d11ac5c363b7743ffe2b8e23e7071b94556a5e3231f50f5a6e)...done
unpacking overlayfs@sha256:d7eb2a90496678d11ac5c363b7743ffe2b8e23e7071b94556a5e3231f50f5a6e (sha256:d7eb2a90496678d11ac5c363b7743ffe2b8e23e7071b94556a5e3231f50f5a6e)...done

查看構(gòu)建好的鏡像：

????  → nerdctl images
REPOSITORY                                                   TAG       IMAGE ID        CREATED          SIZE
alpine                                                       3.11      bf5fa774f08a    3 seconds ago    2.7 MiB
ks-apiserver                                                 latest    d7eb2a904966    6 minutes ago    57.7 MiB

到此，關(guān)于“nerdctl怎么使用”的學(xué)習(xí)就結(jié)束了，希望能夠解決大家的疑惑。理論與實(shí)踐的搭配能更好的幫助大家學(xué)習(xí)，快去試試吧！若想繼續(xù)學(xué)習(xí)更多相關(guān)知識(shí)，請(qǐng)繼續(xù)關(guān)注億速云網(wǎng)站，小編會(huì)繼續(xù)努力為大家?guī)?lái)更多實(shí)用的文章！