containerd安装与配置 新版本的kubernetes不在使用docker作为容器运行时，而是直接使用containerd。因此在安装kubernetes时需要安装containerd。安装安装containerd非常简单，配置好yum仓库，一条yum命令即可安装成功。#containerd网络仓库配置 dnf install -y yum-utils yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo 添加仓库自：https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo yum -y install containerd安装完成之后需要修改配置文件。containerd安装完成后会默认在/etc/containerd/目录下生成一个配置文件config.toml，但是该文件缺少很多信息，因此我们需要重新生成一个配置文件，然后对新生成的配置文件进行修改。#生成新配置文件 containerd config default > /etc/containerd/config.toml修改配置信息修改Cgroup为systemd在[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] 下找到SystemdCgroup，将false改为true修改sandbox镜像地址把配置文件中的 sandbox_image = "registry.k8s.io/pause:3.6" 改为阿里云的地址 sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.8"sandbox_image 是容器运行时（如 containerd、CRI-O 等）或容器编排系统（如 Kubernetes）中一个关键配置参数，用于指定 沙箱容器（Sandbox Container） 的基础镜像。沙箱容器是一个特殊的容器，用于为其他容器提供共享的底层环境（如网络、IPC 命名空间等）。例如：在 Kubernetes 中，每个 Pod 的第一个容器就是沙箱容器（称为 pause 容器），它负责维持 Pod 的网络命名空间。配置镜像加速# 修改配置文件，添加配置镜像加速相关信息的配置文件的路径 vim /etc/containerd/config.toml [plugins."io.containerd.grpc.v1.cri".registry] config_path = "/etc/containerd/certs.d" # 创建文件夹 mkdir -p /etc/containerd/certs.d/docker.io #创建配置文件 cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF server = "https://docker.io" [host."https://docker.1ms.run"] capabilities = ["pull", "resolve"] EOF说明：该配置方式对crictl命令有效，对ctr命令无效，使用ctr下载镜像时，需要指定镜像的地址和版本，如： ctr --debug=true image pull docker.1ms.run/busybox:latest{alert type="info"}特别提醒：在/etc/containerd/certs.d目录下，每个镜像加速地址都要放在单独的文件夹中，且这个文件夹必须以.io结尾，镜像加速地址的文件名称必须为hosts.toml{/alert}tree containerd/ containerd/ ├── certs.d │   └── docker.io │   └── hosts.toml └── config.toml 2 directories, 2 files 安装crictl工具#下载源码包 wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.29.0/crictl-v1.29.0-linux-amd64.tar.gz #解压缩 tar zxvf crictl-v1.29.0-linux-amd64.tar.gz -C /usr/local/bin # -C：指定解压缩后文件存放的位置修改配置文件cat > /etc/crictl.yaml <<EOF runtime-endpoint: unix:///run/containerd/containerd.sock image-endpoint: unix:///run/containerd/containerd.sock timeout: 10 debug: false EOF # 重启containerd systemctl restart containerd或者通过命令行工具修改crictl config runtime-endpoint unix:///run/containerd/containerd.sock crictl config image-endpoint unix:///run/containerd/containerd.sock安装cni插件在没有安装cni插件时，containerd会报错缺少cni插件。#下载安装包 wget https://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgz #创建目录 mkdir -p /opt/cni/bin/ #解压缩 tar xzvf cni-plugins-linux-amd64-v1.4.0.tgz -C /opt/cni/bin/修改配置文件mkdir -p /etc/cni/net.d/ cat > /etc/cni/net.d/10-containerd-net.conflist <<EOF { "cniVersion": "1.0.0", "name": "containerd-net", "plugins": [ { "type": "bridge", "bridge": "cni0", "isGateway": true, "ipMasq": true, "promiscMode": true, "ipam": { "type": "host-local", "ranges": [ [{ "subnet": "10.88.0.0/16" }], [{ "subnet": "2001:4860:4860::/64" }] ], "routes": [ { "dst": "0.0.0.0/0" }, { "dst": "::/0" } ] } }, { "type": "portmap", "capabilities": {"portMappings": true} } ] } EOF [root@rocky9 ~]# systemctl restart containerd [root@rocky9 ~]# crictl info …… #重启containerd即可下载镜像示例[root@node-001 docker.io]# crictl pull httpd Image is up to date for sha256:83d938198316505b3aebd52bed1e54e5f2a49591cc41e09a30f480e5c00ea0cf [root@node-001 docker.io]# crictl pull nginx Image is up to date for sha256:53a18edff8091d5faff1e42b4d885bc5f0f897873b0b8f0ace236cd5930819b0 [root@node-001 docker.io]# crictl pull bitnami/php-fpm Image is up to date for sha256:0fdfdfd1cd46d5ef32ed47af20e8ae3ad58b0f4d62516519994bf74b8f6611a5 [root@node-001 docker.io]# crictl images ls IMAGE TAG IMAGE ID SIZE docker.1ms.run/calico/cni v3.25.0 d70a5947d57e5 88MB docker.1ms.run/calico/node v3.25.0 08616d26b8e74 87.2MB docker.io/bitnami/php-fpm latest 0fdfdfd1cd46d 115MB docker.io/library/httpd latest 83d9381983165 58.5MB docker.io/library/nginx latest 53a18edff8091 72.2MB registry.aliyuncs.com/google_containers/kube-proxy v1.28.0 ea1030da44aa1 24.6MB registry.aliyuncs.com/google_containers/pause 3.9 e6f1816883972 322kB

docker search命令提示i/o timeout的解决方案 配置好docker的镜像加速器后，会发现一个奇怪的现象。如果使用docker search命令搜索某个容器，会得到i/o timeout 的错误信息，但是用docker pull命令下载镜像时，却可以下载。示例[root@10-60-14-211 lnmp]# docker search nginx Error response from daemon: Get "https://index.docker.io/v1/search?q=nginx&n=25": dial tcp 69.30.25.21:443: i/o timeout [root@10-60-14-211 ~]# docker pull nginx:1.27.4-perl 1.27.4-perl: Pulling from library/nginx 7cf63256a31a: Already exists bf9acace214a: Pull complete 513c3649bb14: Pull complete d014f92d532d: Pull complete 9dd21ad5a4a6: Pull complete 943ea0f0c2e4: Pull complete 103f50cb3e9f: Pull complete d8dfdc7acfb3: Pull complete Digest: sha256:74edc8744a1080ccd9f9719e51e7d885b65dedaf2164a246f1cbd328f20f5d2e Status: Downloaded newer image for nginx:1.27.4-perl docker.io/library/nginx:1.27.4-perl原因解读docker search：直接查询Docker Hub API (https://index.docker.io/v1)，而不是通过配置的镜像源。docker pull：优先使用配置的镜像源，如果镜像源失败，尝试从Docker Hub拉取。这种差异的原因在于Docker的设计理念：搜索功能主要面向Docker Hub官方仓库，而镜像源主要用于拉取（docker pull）操作。解决方案在搜索镜像时加上镜像加速器的地址。[root@10-60-14-211 lnmp]# docker search 1ms.run/nginx NAME DESCRIPTION STARS OFFICIAL nginx Official build of Nginx. 20633 [OK] nginx/nginx-prometheus-exporter NGINX Prometheus Exporter for NGINX and NGIN… 47 nginx/nginx-ingress NGINX and NGINX Plus Ingress Controllers fo… 100 nginx/unit This repository is retired, use the Docker o… 65 nginx/nginx-ingress-operator NGINX Ingress Operator for NGINX and NGINX P… 2 nginx/nginx-quic-qns NGINX QUIC interop 1 nginx/unit-preview Unit preview features 0 nginx/nginxaas-loadbalancer-kubernetes 0 bitnami/nginx Bitnami container image for NGINX 196 ubuntu/nginx Nginx, a high-performance reverse proxy & we… 127 bitnamicharts/nginx Bitnami Helm chart for NGINX Open Source 0 rancher/nginx 2 kasmweb/nginx An Nginx image based off nginx:alpine and in… 8 linuxserver/nginx An Nginx container, brought to you by LinuxS… 224 redash/nginx Pre-configured nginx to proxy linked contain… 3 dtagdevsec/nginx T-Pot Nginx 0 paketobuildpacks/nginx 0 vmware/nginx 2 chainguard/nginx Build, ship and run secure software with Cha… 4 gluufederation/nginx A customized NGINX image containing a consu… 1 droidwiki/nginx 0 intel/nginx 0 circleci/nginx This image is for internal use 2 corpusops/nginx https://github.com/corpusops/docker-images/ 1 antrea/nginx Nginx server used for Antrea e2e testing 0

安装docker时报错container-selinux >= 2:2.74 错误：软件包：docker-ce-rootless-extras-25.0.4-1.el7.x86_64 (docker-ce-stable) 需要：slirp4netns >= 0.4 错误：软件包：docker-ce-rootless-extras-25.0.4-1.el7.x86_64 (docker-ce-stable) 需要：fuse-overlayfs >= 0.7 错误：软件包：containerd.io-1.6.28-3.1.el7.x86_64 (docker-ce-stable) 需要：container-selinux >= 2:2.74 错误：软件包：3:docker-ce-25.0.4-1.el7.x86_64 (docker-ce-stable) 需要：container-selinux >= 2:2.74 安装docker时遇到以上报错，提示需要升级软件包。解决方案：wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo yum install epel-release -y yum install container-selinux -y #安装最新的contain-selinux

k8s安装时报错解决方案（container runtime is not running） 在是用kubeadm安装v1.28.7版本的k8s集群时，出现以下报错。解决方案如下：rm -f /etc/containerd/config.toml systemctl restart containerd之后再用kubeadm命令重新执行初始化即可。 kubeadm init --config=kubeadm-init.yaml --dry-runkubeadm应答文件创建方式kubeadm config print init-defaults > init.yaml应答文件如下：apiVersion: kubeadm.k8s.io/v1beta3 bootstrapTokens: - groups: - system:bootstrappers:kubeadm:default-node-token token: abcdef.0123456789abcdef ttl: 24h0m0s usages: - signing - authentication kind: InitConfiguration localAPIEndpoint: advertiseAddress: 192.168.88.51 #管理节点的IP地址 bindPort: 6443 nodeRegistration: criSocket: unix:///var/run/containerd/containerd.sock #Runtime的socket地址 imagePullPolicy: IfNotPresent name: master1 #管理节点的名称 taints: null --- apiServer: timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s.io/v1beta3 certificatesDir: /etc/kubernetes/pki clusterName: kubernetes #集群名称 controllerManager: {} dns: {} etcd: local: dataDir: /var/lib/etcd imageRepository: registry:80/library #私有仓库地址 kind: ClusterConfiguration kubernetesVersion: 1.28.0 networking: dnsDomain: cluster.local serviceSubnet: 10.96.0.0/12 #service地址段 podSubnet: 10.244.0.0/16 #pod地址段（新添加的信息） scheduler: {} #在文件最后追加，启用IPVS模式 --- kind: KubeProxyConfiguration apiVersion: kubeproxy.config.k8s.io/v1alpha1 mode: ipvs ipvs: strictARP: true #设置kubelet使用的Croup驱动模式为systemd --- kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 cgroupDriver: systemd

使用国内镜像地址拉取k8s安装需要的images 以下这些站点国内无法访问：https://hub.docker.com/ #Docker镜像仓库https://gcr.io/google-containers/ #谷歌镜像仓库https://gcr.io/kubernetes-helm/ #谷歌镜像仓库https://gcr.io/google-containers/pause #谷歌镜像仓库使用容器安装k8s时，需要拉取k8s安装所需的镜像，可以使用下面的一些镜像源进行替代，然后重新打上tag即可。安装k8s所需的镜像kubeadm config images list k8s.gcr.io/kube-apiserver:v1.28.7 k8s.gcr.io/kube-controller-manager:v1.28.7 k8s.gcr.io/kube-scheduler:v1.28.7 k8s.gcr.io/kube-proxy:v1.28.7 k8s.gcr.io/pause:3.9 k8s.gcr.io/etcd:3.5.10-0 k8s.gcr.io/coredns/coredns:v1.10.1方法一，使用阿里源docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.28.7 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.28.7 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.28.7 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.28.7 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.5.10-0 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.10.1下载后可以重新打标签，然后就可以把这些镜像上传到私有仓库里面。docker images | grep hangzhou |while read i t _ do docker tag $i:$t registry:80/library/${i##*/}:$t #打标签 docker push registry:80/library/${i##*/}:$t #上传 docker rmi ${i}:${t} registry:80/library/${i##*/}:${t} #删除所有镜像 done方法二，使用willdocker docker pull willdockerhub/kube-apiserver:v1.17.3