containerd_buildkitd构建镜像，告别docker构建

一：containerd制作和构建镜像

1.1：下载 containerd 二进制包和 systemd service 文件

wget https://github.com/containerd/containerd/releases/download/v1.7.13/containerd-1.7.13-linux-amd64.tar.gz
tar -xvf containerd-1.7.13-linux-amd64.tar.gz
cp bin/* /usr/bin/


创建service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=/usr/sbin/modprobe overlay
ExecStart=/usr/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target

二：buildkit介绍

buildkit是从Docker从公司开源出来的下一代镜像构建工具，支持OCI标准的镜像构建，项目地址是：https://github.com/moby/buildkit

2.1：buildkit由两部分组成

buildkitd（服务端）：负责镜像构建，目前支持runc和containerd作为镜像构建环境，默认是runc
buildkitctl（客户端）：负责解析Dockerfile文件，并向服务端buildkitd发出构建情趣

2.2：相对于docker daemon build，buildkit具有以下优势

更高效： 支持并行的多阶段构建、更好的缓存管理
更安全： 支持secret mount，无需root权限
更易于扩展： 使用自定义中间语言LLB，完全兼容Dockerfile，也可以支持第三方语言。后台支持runc和containerd

2.3：buildkit安装

wget https://github.com/moby/buildkit/releases/download/v0.10.3/buildkit-v0.10.4.linux-amd64.tar.gz
tar xf buildkit-v0.10.4.linux-amd64.tar.gz -C /usr/local/bin
mv /usr/local/bin/bin/buildctl /usr/local/bin/bin/buildkitd /usr/local/bin

2.3.1：vim /usr/lib/systemd/system/buildkit.socket

[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Socket]
ListenStream=%t/buildkit/buildkitd.sock

[Install]
WantedBy=sockets.target

2.3.2：vim /usr/lib/systemd/system/buildkitd.service

[Unit]
Description=BuildKit
Requires=buildkit.socket
After=buildkit.socket
Documentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target

2.3.3：启动buildkitd

systemctl daemon-reload
systemctl start builkitd
systemctl enable builkitd

三：nerdctl安装使用

3.1：nerdctl安装

#因为nerdctl运行容器需要使用cni配置容器网络，所以先安装cni
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
mkdir -p /opt/cni/bin
tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/

wget https://github.com/containerd/nerdctl/releases/download/v0.22.0/nerdctl-0.22.0-linux-amd64.tar.gz
tar xvf nerdctl-0.22.0-linux-amd64.tar.gz
cp nerdctl /usr/bin/
nerdctl version

3.2：nerdctl使用harbor仓库

在containerd主机执行
mkdir -p /etc/containerd/certs.d/harbor.magedu.net/
在harbor仓库主机执行
openssl x509 -inform PEM -in harbor-ca.crt -out harbor-ca.cert
scp harbor-ca.cert harbor-ca.key 172.16.10.104:/etc/containerd/certs.d/harbor.magedu.net

containerd主机执行

vim /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry] 
  config_path = "/etc/containerd/certs.d"
  
vim /etc/containerd/certs.d/harbor.magedu.net/hosts.toml  
server = "https://harbor.magedu.net"
[host."https://harbor.magedu.net"]
  capabilities = ["pull", "resolve","push"]
  skip_verify = true

3.2.1：nerdctl拉取镜像

[root@etcd1 harbor.magedu.net]#  nerdctl pull   harbor.magedu.net/k8s/alpine:latest
harbor.magedu.net/k8s/alpine:latest:                                              resolved       |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 0.1 s                                                                    total:   0.0 B (0.0 B/s)