Deploying and using containerd on Ubuntu, with its management tools nerdctl and crictl

Containerd overview

containerd was part of Docker Engine for a long time. It has since been split out of Docker Engine as an independent open-source project whose goal is a more open and stable foundation for running containers.

containerd is a CNCF-graduated, industrial-grade container runtime that emphasizes simplicity, robustness and portability. It is the container "housekeeper":

  • Upward: exposes a standardized interface to clients such as Kubernetes, nerdctl and crictl
  • Downward: drives OCI runtimes such as runc and crun, which do the actual container start-up and management
  • Core responsibilities: image management, container lifecycle, storage/networking, runtime management and event reporting

Why learn containerd

**In Kubernetes 1.24 the dockershim component was formally removed from the kubelet.** From Kubernetes 1.24 on, Docker Engine can no longer be used as the container runtime by default.

Essentially, dockershim was meant as a temporary solution: a shim that let the popular Docker Engine runtime be driven through Kubernetes' own Container Runtime Interface (CRI) by translating between CRI calls and Docker Engine calls. Over time dockershim became deeply entrenched in Kubernetes deployments, slowing releases and burdening maintainers, so it had to be removed.

Does this mean Kubernetes no longer supports Docker?

Of course not. Only the built-in dockershim feature was dropped; Docker and other container runtimes are now treated alike, with no special built-in support for any of them. If you still want to use Docker directly as the runtime, the dockershim functionality can be split out and maintained separately as cri-dockerd, much like the CRI-Containerd that shipped with containerd 1.0. Another option would be for the Docker community to implement the CRI interface inside Dockerd itself.

But we also know that Dockerd itself calls containerd directly, and containerd has implemented CRI natively since version 1.1, so there is no need for Docker to implement CRI separately. Now that Kubernetes no longer supports Docker out of the box, the best option is to use containerd directly as the container runtime; it has already been proven in production. So let's learn how to use containerd.

Containerd architecture

containerd uses a clean, modular, layered architecture with 4 layers from the outside in:

```text
Client layer (K8s/nerdctl/crictl)
      ↓ gRPC API
Service layer (containerd daemon)
      ↓
Core component layer (plugins/managers)
      ↓
Low-level dependency layer (OCI runtime/CNI/CSI)
```

1. Client layer

  • Role: the entry point through which users and tools interact with containerd
  • Common clients:
    • ctr: the low-level debugging client bundled with containerd; calls the gRPC API directly
    • nerdctl: Docker-compatible containerd client; its commands are almost identical to docker's
    • crictl: Kubernetes CRI client; talks to containerd through the CRI interface
    • kubelet: the Kubernetes node agent; manages containers through the CRI interface
  • Communication: the gRPC API exposed on /run/containerd/containerd.sock

2. Service layer

The containerd core daemon; it handles client requests and coordinates the work of the components.

Core modules:

  • API Server: exposes the gRPC interface and receives client requests
  • Plugin Manager: loads and manages all plugins (image, container, storage, network, ...)
  • Namespace Manager: implements multi-tenant isolation (Kubernetes uses the k8s.io namespace)
  • Event Manager: collects and reports container/image events for upper-layer tools (such as K8s) to subscribe to

3. Core component layer

containerd has a plugin architecture: every core function is implemented by a plugin and can be extended as needed. The core plugins fall into a few groups:

(1) Image-management plugins
  • Content Store: stores and verifies image data (OCI standard)
  • Snapshotter: implements layered image storage; common implementations:
    • overlayfs: the Linux standard, good performance, first choice for production
    • devicemapper/aufs: legacy implementations, no longer recommended
  • Registry Client: handles image pull/push and supports the certs.d mirror configuration (the one used throughout this article)
  • Image Service: image lifecycle management (pull/push/rm/inspect)
(2) Container-management plugins
  • Container Service: manages container metadata (create/delete/query)
  • Task Service: manages the lifecycle of container processes (start/stop/pause/resume)
  • Runtime Manager: drives the OCI runtime (runc/crun), which performs the actual container start
  • CRI Plugin: Kubernetes-specific plugin that provides the CRI interface (named io.containerd.cri.v1.images in containerd 2.x)

(3) Storage and network plugins

  • Mount/Volume Plugin: manages container mounts (host directories, CSI volumes)
  • CNI Plugin: container network configuration; drives CNI plugins (such as Calico/Flannel)

4. Low-level dependency layer

  • OCI Runtime (runc/crun): implements the OCI runtime spec; creates and runs container processes and handles namespaces, cgroups and the other isolation primitives
  • CNI (Container Network Interface): network plugins that configure container networking
  • CSI (Container Storage Interface): storage plugins that provide persistent storage to containers
  • Kernel modules: relies on Linux kernel features such as namespaces, cgroups and overlayfs

Containerd workflow

Using K8s pulling an image and starting a container as the example. (The original is a sequence diagram with the participants Kubelet, containerd, Registry, runc and the kernel; its messages, in order, are:)

  1. Kubelet → containerd: requests an image pull through the CRI interface
  2. containerd → Registry: reads the certs.d configuration and tries to pull the image from the mirror
  3. Registry → containerd: returns the image layer data
  4. containerd: verifies the image and stores it in the Content Store
  5. containerd: creates the container filesystem with the Snapshotter
  6. Kubelet → containerd: requests a container start through the CRI interface
  7. containerd → runc: generates the OCI runtime spec and calls runc to start the container
  8. runc → kernel: creates the namespaces and cgroups and starts the container process
  9. kernel → runc: returns the container process PID
  10. containerd → Kubelet: returns the "container started" status

Containerd versions

Two containerd builds are available on Ubuntu.

| Aspect | Ubuntu official repository: containerd | Docker CE repository: containerd.io |
|---|---|---|
| Package name | containerd | containerd.io |
| Maintainer | Ubuntu security team (follows the Ubuntu release cycle) | Docker Inc. (iterates in step with Docker CE) |
| Release cadence | Stable but lagging; only security/critical fixes are backported; LTS releases get a major version bump every six months | Tracks upstream containerd closely: a minor release every 4 months and one LTS release per year (supported for 2+ years) |
| Typical version (24.04) | 1.6.x (LTS stable) | 1.7.x/2.1.x (latest stable) |
| Bundled dependencies | Standalone runtime; runc and the CNI plugins must be added manually | Bundled with runc and docker-ce-cli; dependencies are aligned with Docker automatically |
| Suitable for | Infrastructure that needs maximum stability and tight coupling to the system kernel | Fast iteration, the Docker ecosystem, or K8s clusters that need a newer version |
| Conflict risk | Coexisting with Docker CE requires manual dependency handling | Cannot coexist with the Ubuntu official containerd; the old package must be removed before installing |

Selection advice

| Scenario | Recommended | Reason |
|---|---|---|
| Production, maximum stability, tightly coupled to the system | Ubuntu official containerd | Thoroughly security-validated, stable long term, no surprise updates |
| Docker ecosystem, need new features quickly | Docker CE containerd.io | Updated together with the Docker components, works out of the box, fast iteration |
| K8s cluster needs a newer containerd (e.g. for 1.24+) | Docker CE containerd.io | Meets the K8s requirement for a newer runtime, good compatibility |
| Lightweight server, standalone runtime only | Ubuntu official containerd | Small footprint, few dependencies, components can be combined freely |

Versions queried on 2026-04-16

```bash
root@ubuntu2404:~# apt list containerd -a
Listing... Done
containerd/noble-updates 2.2.1-0ubuntu1~24.04.2 amd64
containerd/noble 1.7.12-0ubuntu4 amd64

# containerd.io is only listed once the docker-ce repository has been configured
root@ubuntu2404:~# apt list containerd.io -a
Listing... Done
containerd.io/noble 2.2.2-1~ubuntu.24.04~noble amd64
containerd.io/noble 2.2.1-1~ubuntu.24.04~noble amd64
containerd.io/noble 2.2.0-2~ubuntu.24.04~noble amd64
containerd.io/noble 2.1.5-1~ubuntu.24.04~noble amd64
containerd.io/noble 1.7.29-1~ubuntu.24.04~noble amd64
containerd.io/noble 1.7.28-2~ubuntu.24.04~noble amd64
containerd.io/noble 1.7.28-1~ubuntu.24.04~noble amd64
containerd.io/noble 1.7.28-0~ubuntu.24.04~noble amd64
containerd.io/noble 1.7.27-1 amd64
containerd.io/noble 1.7.26-1 amd64
containerd.io/noble 1.7.25-1 amd64
containerd.io/noble 1.7.24-1 amd64
containerd.io/noble 1.7.23-1 amd64
containerd.io/noble 1.7.22-1 amd64
containerd.io/noble 1.7.21-1 amd64
containerd.io/noble 1.7.20-1 amd64
containerd.io/noble 1.7.19-1 amd64
containerd.io/noble 1.7.18-1 amd64
containerd.io/noble 1.6.33-1 amd64
containerd.io/noble 1.6.32-1 amd64
containerd.io/noble 1.6.31-1 amd64
containerd.io/noble 1.6.28-2 amd64
```

Containerd client tools

If you are a former docker user moving to containerd, you would have to manage containers and images with ctr, which is hard to get used to in a short time. Fortunately the community provides a small tool that is almost fully compatible with the docker command line: nerdctl.

The mapping between client tools and container runtimes:

| Client tool | Container runtime |
|---|---|
| docker | docker |
| podman | cri-o |
| nerdctl and ctr | containerd |
| crictl | CRI (the Kubernetes container runtime interface) |

Containerd deployment

Lab environment

  • VMware Workstation 17
  • ubuntu-24.04
  • containerd (1.7.x or 2.x recommended)

Containerd deployment

containerd=1.7.12 is used as the example.

Install the package

```bash
root@ubuntu2404:~# apt install -y containerd=1.7.12-0ubuntu4
```

Create the configuration file

```bash
root@ubuntu2404:~# mkdir /etc/containerd
root@ubuntu2404:~# containerd config default > /etc/containerd/config.toml
```

Configure image mirrors

The way image mirrors are configured differs between containerd versions.

| containerd version | config version | Recommended method | Legacy mirrors |
|---|---|---|---|
| 1.5.x and earlier | v2 | mirrors | supported |
| 1.6.x (Ubuntu 24.04 default) | v2 | config_path + certs.d | compatible |
| 1.7.x | v2/v3 | config_path + certs.d | compatible (deprecated) |
| 2.x (2.0--2.4) | v3 by default | config_path + certs.d (strongly recommended) | removed, no longer read |

New method: config_path + certs.d

```bash
# Set config_path to /etc/containerd/certs.d
root@ubuntu2404:~# vim /etc/containerd/config.toml
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"
# Keep a single path; all mirror settings go under that directory

# In containerd 1.7.12 the default value of config_path is empty
# In containerd 2.2.1 the default value of config_path is /etc/containerd/certs.d:/etc/docker/certs.d
```

Tip: with containerd 2.2.1 the non-existent path /etc/docker/certs.d must be removed from the config_path setting.

Configure a mirror for docker.io

```bash
root@ubuntu2404:~# mkdir -p /etc/containerd/certs.d/docker.io
root@ubuntu2404:~# cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF
server = "https://registry-1.docker.io"

[host."https://docker.m.daocloud.io"]
  capabilities = ["pull", "resolve"]

[host."https://09def58152000fc00ff0c00057bad7e0.mirror.swr.myhuaweicloud.com"]
  capabilities = ["pull", "resolve"]
EOF
```

Configure a mirror for registry.k8s.io

```bash
root@ubuntu2404:~# mkdir -p /etc/containerd/certs.d/registry.k8s.io
root@ubuntu2404:~# cat > /etc/containerd/certs.d/registry.k8s.io/hosts.toml << EOF
server = "https://registry.k8s.io"

# Prefer DaoCloud
[host."https://k8s.m.daocloud.io"]
  capabilities = ["pull", "resolve"]

[host."https://09def58152000fc00ff0c00057bad7e0.mirror.swr.myhuaweicloud.com"]
  capabilities = ["pull", "resolve"]
EOF
```

```bash
root@ubuntu2404:~# systemctl restart containerd
```

Verify the mirrors

```bash
# Reminder: ctr pull must be given the option `--hosts-dir /etc/containerd/certs.d`.
root@ubuntu2404:~# ctr image pull --hosts-dir /etc/containerd/certs.d docker.io/library/busybox:latest
docker.io/library/busybox:latest:                                                 resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:1487d0af5f52b4ba31c7e465126ee2123fe3f2305d638e7827681e7cf6c83d5e:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65: done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:481282afbc4304ffee4792258ea114f09e423a4a082335b30695b50310394f47:    done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:925ff61909aebae4bcc9bc04bb96a8bd15cd2271f13159fe95ce4338824531dd:   done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 11.7s                                                                    total:  2.1 Mi (185.4 KiB/s)
unpacking linux/amd64 sha256:1487d0af5f52b4ba31c7e465126ee2123fe3f2305d638e7827681e7cf6c83d5e...
done: 104.968929ms

root@ubuntu2404:~# ctr image pull registry.k8s.io/pause:3.8 --hosts-dir /etc/containerd/certs.d
registry.k8s.io/pause:3.8:                                                        resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:8d4106c88ec0bd28001e34c975d65175d994072d65341f62a8ab0754b0fafe10: done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:61fec91190a0bab34406027bbec43d562218df6e80d22d4735029756f23c7007:    done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:e6f1816883972d4be47bd48879a08919b96afcd344132622e4d444987919323c:   done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 6.9 s                                                                    total:  3.8 Ki (565.0 B/s)
unpacking linux/amd64 sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097...
done: 40.53432ms

root@ubuntu2404:~# ctr image ls| awk '{print $1}'
REF
docker.io/library/busybox:latest
registry.k8s.io/pause:3.9
```

Tip: nerdctl only reads the configuration under /etc/containerd/certs.d.

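The hosts.toml files above are written by hand. The following shell script is an added example (not part of the original article or of containerd) that generates the same certs.d/&lt;registry&gt;/hosts.toml layout from a list of mirror URLs and then audits a whole certs.d tree. The directory, registry names and mirror URLs are passed in as arguments, so it runs offline; the function names, the finding labels and the sample mirror hostnames in the demo are my own. The audit encodes the point a reviewer would check in these files: a third-party mirror should carry only the "pull" and "resolve" capabilities, never "push" (pushes and their credentials must go to the upstream server), and should not be reached over plain http, where pulled layers could be altered in transit.

```shell
#!/bin/sh
# Added example, not from the original article: generate the certs.d
# hosts.toml for one registry and audit every hosts.toml under a certs.d tree.
# Arguments supply the directory, registry and mirrors, so this runs offline.

# write_hosts_toml CERTS_DIR REGISTRY UPSTREAM_URL MIRROR_URL...
write_hosts_toml() {
    certs_dir=$1; registry=$2; upstream=$3
    shift 3
    mkdir -p "$certs_dir/$registry"
    {
        printf 'server = "%s"\n' "$upstream"
        for mirror in "$@"; do
            # mirrors get pull/resolve only; push stays with the upstream server
            printf '\n[host."%s"]\n  capabilities = ["pull", "resolve"]\n' "$mirror"
        done
    } > "$certs_dir/$registry/hosts.toml"
}

# audit_certs_d CERTS_DIR
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
#   MISSING_SERVER <registry>          no upstream "server" line
#   PLAIN_HTTP <registry> <host>       mirror reached over http://
#   PUSH_TO_MIRROR <registry> <host>   mirror granted the push capability
audit_certs_d() {
    certs_dir=$1
    findings=0
    for f in "$certs_dir"/*/hosts.toml; do
        [ -f "$f" ] || continue
        registry=$(basename "$(dirname "$f")")
        if ! grep -q '^server *= *"' "$f"; then
            echo "MISSING_SERVER $registry"; findings=1
        fi
        host=""
        while IFS= read -r line; do
            case $line in
                '[host."'*'"]')
                    # strip [host." and "] to get the bare mirror URL
                    host=$(printf '%s' "$line" | sed 's/^\[host\."\(.*\)"]$/\1/')
                    case $host in
                        http://*) echo "PLAIN_HTTP $registry $host"; findings=1 ;;
                    esac ;;
                *capabilities*\"push\"*)
                    echo "PUSH_TO_MIRROR $registry $host"; findings=1 ;;
            esac
        done < "$f"
    done
    return $findings
}

# Usage: sh hosts_toml_audit.sh demo   (writes into a temporary directory)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_hosts_toml "$d" docker.io https://registry-1.docker.io https://docker.m.daocloud.io
    cat "$d/docker.io/hosts.toml"
    audit_certs_d "$d" && echo "certs.d audit: clean"
    rm -rf "$d"
fi
```

Run it against the real tree with `audit_certs_d /etc/containerd/certs.d` after editing mirrors; a non-zero return is a reason to look at the file before restarting containerd.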
Old method: mirrors

```bash
root@ubuntu2404:~# vim /etc/containerd/config.toml
...
    [plugins."io.containerd.grpc.v1.cri".registry]
      # config_path must be left empty
      config_path = ""
...
      # find the mirrors line
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        # add the following four lines, minding the indentation
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://docker.m.daocloud.io","https://09def58152000fc00ff0c00057bad7e0.mirror.swr.myhuaweicloud.com"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
          endpoint = ["https://k8s.m.daocloud.io","https://09def58152000fc00ff0c00057bad7e0.mirror.swr.myhuaweicloud.com"]
```

With mirrors configured the old way, ctr cannot pull images through them:

  • the legacy mirrors setting belongs to the CRI plugin alone
  • ctr is the native containerd client and does not read the CRI configuration

Verify with crictl instead.

```bash
[root@ubuntu2404 ~ 09:27:02]# crictl pull hello-world
Image is up to date for sha256:e2ac70e7319a02c5a477f5825259bd118b94e8b02c279c67afa63adab6d8685b
[root@ubuntu2404 ~ 09:29:07]# crictl images
IMAGE                           TAG                 IMAGE ID            SIZE
docker.io/library/hello-world   latest              e2ac70e7319a0       16.2kB
```

Image mirror summary

  1. containerd 1.x (config version=2)
    • CRI plugin: io.containerd.grpc.v1.cri
    • both mirror methods work:
      • old: inline configuration under [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      • new: config_path + certs.d
    • the old configuration is only used by CRI (K8s); ctr ignores it
  2. containerd 2.x (config version=3)
    • the CRI plugin is renamed to io.containerd.cri.v1.images
    • inline mirrors are removed entirely
    • only config_path = "/etc/containerd/certs.d" is honoured
  3. How do K8s/CRI read the mirrors?
    • on both 1.x and 2.x, K8s only goes through the CRI plugin
    • 2.x and later: kubelet → CRI → containerd → certs.d/<domain>/hosts.toml
    • ctr never goes through CRI, so it ignores mirrors and only honours --hosts-dir

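As an added example (my own script, not from the article or the containerd project) the rules in this summary can be turned into an audit of the registry section of a config.toml: it reports the config version, every colon-separated config_path entry that does not exist on disk (the 2.2.1 pitfall with /etc/docker/certs.d), any inline mirrors table that ctr will never read, and the case where inline mirrors are still present in a version = 3 file that no longer honours them. The function name and finding labels are my own; the section names are those shown on this page.

```shell
#!/bin/sh
# Added example, not from the original article: audit the registry section of
# a containerd config.toml. The file path is an argument, so the function can
# be run against /etc/containerd/config.toml or against a constructed file.
# Findings (one per line; return code 1 if any needs attention):
#   CONFIG_VERSION <n>               the "version = n" header, for orientation
#   NO_REGISTRY_CONFIG               neither config_path nor inline mirrors set
#   CONFIG_PATH_MISSING_DIR <dir>    a config_path entry that does not exist
#   LEGACY_MIRRORS <registry>        an inline mirrors."<registry>" table (CRI only; ctr never reads it)
#   MIRRORS_IGNORED                  inline mirrors present with version = 3 (2.x no longer reads them)
audit_containerd_registry() {
    cfg=$1
    rc=0
    version=$(sed -n 's/^version *= *\([0-9]*\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$version" ] && echo "CONFIG_VERSION $version"

    # first config_path assignment; the value may list several directories separated by ':'
    config_path=$(sed -n 's/^[[:space:]]*config_path *= *"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    # every [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<registry>"] table
    mirrors=$(sed -n 's/^[[:space:]]*\[plugins\."io\.containerd\.grpc\.v1\.cri"\.registry\.mirrors\."\([^"]*\)"].*/\1/p' "$cfg")

    if [ -z "$config_path" ] && [ -z "$mirrors" ]; then
        echo "NO_REGISTRY_CONFIG"; rc=1
    fi

    old_ifs=$IFS; IFS=:
    for dir in $config_path; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "CONFIG_PATH_MISSING_DIR $dir"; rc=1
        fi
    done
    IFS=$old_ifs

    for reg in $mirrors; do
        echo "LEGACY_MIRRORS $reg"; rc=1
    done
    if [ -n "$mirrors" ] && [ "$version" = "3" ]; then
        echo "MIRRORS_IGNORED"
    fi
    return $rc
}

# Usage: sh registry_audit.sh /etc/containerd/config.toml
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_containerd_registry "$1" && echo "registry config: clean"
fi
```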
The ctr tool

ctr is the low-level debugging tool bundled with containerd for managing containerd.

Drawback: ctr is awkward, unfriendly and not suited to day-to-day use!

ctr command help

```bash
root@ubuntu2404:~# ctr
NAME:
   ctr -
        __
  _____/ /______
 / ___/ __/ ___/
/ /__/ /_/ /
\___/\__/_/

containerd CLI


USAGE:
   ctr [global options] command [command options] [arguments...]

VERSION:
   1.6.24

DESCRIPTION:

ctr is an unsupported debug and administrative client for interacting
with the containerd daemon. Because it is unsupported, the commands,
options, and operations are not guaranteed to be backward compatible or
stable from release to release of the containerd project.

COMMANDS:
   plugins, plugin            provides information about containerd plugins
   version                    print the client and server versions
   containers, c, container   manage containers
   content                    manage content
   events, event              display containerd events
   images, image, i           manage images
   leases                     manage leases
   namespaces, namespace, ns  manage namespaces
   pprof                      provide golang pprof outputs for containerd
   run                        run a container
   snapshots, snapshot        manage snapshots
   tasks, t, task             manage tasks
   install                    install a new package
   oci                        OCI tools
   shim                       interact with a shim directly
   help, h                    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug                      enable debug output in logs
   --address value, -a value    address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS]
   --timeout value              total timeout for ctr commands (default: 0s)
   --connect-timeout value      timeout for connecting to containerd (default: 0s)
   --namespace value, -n value  namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
   --help, -h                   show help
   --version, -v                print the version
```

Namespaces

containerd supports namespaces, which isolate the images and containers of different namespaces from one another.

```bash
root@ubuntu2404:~# ctr namespace
NAME:
   ctr namespaces - manage namespaces

USAGE:
   ctr namespaces command [command options] [arguments...]

COMMANDS:
   create, c   create a new namespace
   list, ls    list namespaces
   remove, rm  remove one or more namespaces
   label       set and clear labels for a namespace

OPTIONS:
   --help, -h  show help
```

Example:

```bash
root@ubuntu2404:~# ctr namespace ls
NAME   LABELS
k8s.io

# The -n option selects the namespace to operate on
root@ubuntu2404:~# ctr -n k8s.io container ls
CONTAINER                                                           IMAGE                               RUNTIME
6afe638b117d8d8470948b944efd2b913b0a91d366fcd3f88c48baa661c7fcf7    docker.io/library/busybox:latest    io.containerd.runc.v2
bab94a9f169c0305c47c247d258d90d9e25f2172ec09ecdf14c9452436ed5c15    docker.io/library/busybox:latest    io.containerd.runc.v2
dd82eea219b39c0b53257201b7528c2c52d8a886cd35108b55136c78b9525a48    docker.io/library/busybox:latest    io.containerd.runc.v2
```

The nerdctl tool

About nerdctl

nerdctl was created to replace docker: 99% of its commands are identical to docker's! It is the first choice for daily use in production.

Installing nerdctl

We recommend managing containerd with nerdctl; its command syntax matches docker.

GitHub project: https://github.com/containerd/nerdctl/releases

CNI plugins project: https://github.com/containernetworking/plugins/releases

```bash
# Download and install
root@ubuntu2404:~# wget http://192.168.42.200/course-materials/softwares/stage03/nerdctl-1.7.7-linux-amd64.tar.gz
root@ubuntu2404:~# tar -xf nerdctl-1.7.7-linux-amd64.tar.gz -C /usr/bin/

# Configure command completion
root@ubuntu2404:~# apt install -y bash-completion
root@ubuntu2404:~# [ ! -d /etc/bash_completion.d ] && mkdir /etc/bash_completion.d
root@ubuntu2404:~# nerdctl completion bash > /etc/bash_completion.d/nerdctl
root@ubuntu2404:~# source /etc/bash_completion.d/nerdctl

# Download the CNI plugins that nerdctl needs
root@ubuntu2404:~# wget http://192.168.42.200/course-materials/softwares/stage03/cni-plugins-linux-amd64-v1.6.0.tgz
root@ubuntu2404:~# mkdir -p /opt/cni/bin
root@ubuntu2404:~# tar -xf cni-plugins-linux-amd64-v1.6.0.tgz -C /opt/cni/bin

# nerdctl depends on the firewall tooling
root@ubuntu2404:~# apt install -y iptables

# Load the kernel modules
root@ubuntu2404:~# modprobe -a overlay br_netfilter
root@ubuntu2404:~# cat > /etc/modules-load.d/k8s-net.conf << EOF
br_netfilter
overlay
EOF

# Configure the kernel parameters
root@ubuntu2404:~# cat > /etc/sysctl.d/k8s.conf << 'EOF'
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
EOF
root@ubuntu2404:~# sysctl -p /etc/sysctl.d/k8s.conf
```

Verify the deployment

```bash
[root@ubuntu2404 ~ 08:44:45]# nerdctl version
WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH
Client:
 Version:	v1.7.7
 OS/Arch:	linux/amd64
 Git commit:	5882c720f4e7f358fb26b759e514b3ae9dd8ea83
 buildctl:
  Version:

Server:
 containerd:
  Version:	1.7.12
  GitCommit:
 runc:
  Version:	1.3.4-0ubuntu1~24.04.1

root@ubuntu2404:~# nerdctl info
Client:
 Namespace:	default
 Debug Mode:	false

Server:
 Server Version: 1.7.12
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-31-generic
 Operating System: Ubuntu 24.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.778GiB
 Name: ubuntu2404
 ID: 9f3569cd-5ac4-40d4-acdc-5ff271ad5916
```

nerdctl configuration

nerdctl configuration files:

  • rootful (sudo/root): /etc/nerdctl/nerdctl.toml
  • rootless (regular user): ~/.config/nerdctl/nerdctl.toml

Contents:

```toml
# 1. containerd socket address (default location)
address = "unix:///run/containerd/containerd.sock"

# 2. mirror configuration directories (certs.d is read automatically)
hosts_dir = ["/etc/containerd/certs.d", "/etc/docker/certs.d"]

# 3. default namespace (k8s uses k8s.io)
namespace = "default"
```

How nerdctl talks to containerd

nerdctl looks for the socket in this order: command line → environment variable → nerdctl.toml → default path.

The default is /run/containerd/containerd.sock, so normally nothing needs to be configured.

  1. Command-line option (one-off)

```bash
nerdctl -H unix:///path/to/containerd.sock images
# or
nerdctl --address unix:///path/to/containerd.sock ps
```

  2. Environment variable (per session)

```bash
export CONTAINERD_ADDRESS=unix:///run/k3s/containerd/containerd.sock
nerdctl images  # uses this socket automatically
```

  3. Configuration file (persistent)
    • rootful (sudo/root): /etc/nerdctl/nerdctl.toml
    • rootless (regular user): ~/.config/nerdctl/nerdctl.toml

Set address:

```toml
address = "unix:///run/containerd/containerd.sock"
```

  4. If none of the above is set, the default unix:///run/containerd/containerd.sock is used.

nerdctl image management

```bash
root@ubuntu2404:~# nerdctl image <tab><tab>
build    (Build an image from a Dockerfile. Needs buildkitd to be running.)
convert  (convert an image)
decrypt  (decrypt an image)
encrypt  (encrypt image layers)
history  (Show the history of an image)
inspect  (Display detailed information on one or more images.)
load     (Load an image from a tar archive or STDIN)
ls       (List images)
pull     (Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from ...)
push     (Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to pu...)
rm       (Remove one or more images)
save     (Save one or more images to a tar archive (streamed to STDOUT by default))
tag      (Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE)
```

Configure image mirrors

nerdctl does not read the CRI-specific registry configuration (that is for crictl); it uses the native containerd API, i.e. the new method: config_path + certs.d.

```bash
# Set config_path to /etc/containerd/certs.d
root@ubuntu2404:~# vim /etc/containerd/config.toml
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"

# Create the mirror configuration directory
root@ubuntu2404:~# mkdir -p /etc/containerd/certs.d

# Configure the docker.io mirror
root@ubuntu2404:~# mkdir -p /etc/containerd/certs.d/docker.io
root@ubuntu2404:~# cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF
server = "https://registry-1.docker.io"

[host."https://docker.m.daocloud.io"]
  capabilities = ["pull", "resolve"]

[host."https://09def58152000fc00ff0c00057bad7e0.mirror.swr.myhuaweicloud.com"]
  capabilities = ["pull", "resolve"]
EOF

# Configure the registry.k8s.io mirror
root@ubuntu2404:~# mkdir -p /etc/containerd/certs.d/registry.k8s.io
root@ubuntu2404:~# cat > /etc/containerd/certs.d/registry.k8s.io/hosts.toml << EOF
server = "https://registry.k8s.io"

# Prefer DaoCloud
[host."https://k8s.m.daocloud.io"]
  capabilities = ["pull", "resolve"]

[host."https://09def58152000fc00ff0c00057bad7e0.mirror.swr.myhuaweicloud.com"]
  capabilities = ["pull", "resolve"]
EOF
```

```bash
root@ubuntu2404:~# systemctl restart containerd

# Verify the mirror
root@ubuntu2404:~# nerdctl pull hello-world
docker.io/library/hello-world:latest:                                             resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:f9078146db2e05e794366b1bfe584a14ea6317f44027d10ef7dad65279026885:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:d1a8d0a4eeb63aff09f5f34d4d80505e0ba81905f36158cc3970d8e07179e59e: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:e2ac70e7319a02c5a477f5825259bd118b94e8b02c279c67afa63adab6d8685b:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4f55086f7dd096d48b0e49be066971a8ed996521c2e190aa21b2435a847198b4:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 3.3 s                                                                    total:  15.8 K (4.8 KiB/s)
```

ls

Purpose: list the local images.

Example:

```bash
root@ubuntu2404:~# nerdctl image ls
REPOSITORY    TAG    IMAGE ID    CREATED    PLATFORM    SIZE    BLOB SIZE

# Short form
root@ubuntu2404:~# nerdctl images
```

pull

Purpose: download an image from the network.

Example:

```bash
root@ubuntu2404:~# nerdctl image pull busybox
# Short form
root@ubuntu2404:~# nerdctl pull busybox

# Pull an image from another registry by its full reference
root@ubuntu2404:~# nerdctl pull docker.io/library/mysql:latest

root@ubuntu2404:~# nerdctl image ls
REPOSITORY                 TAG       IMAGE ID        CREATED           PLATFORM       SIZE         BLOB SIZE
busybox                    latest    560af6915bfc    4 minutes ago     linux/amd64    4.8 MiB      2.5 MiB
docker.io/library/mysql    latest    66990ab1ab7d    26 seconds ago    linux/amd64    411.2 MiB    134.1 MiB
root@ubuntu2404:~#
```

rm

Purpose: delete local images that are no longer needed.

Example:

```bash
root@ubuntu2404:~# nerdctl image rm docker.io/library/mysql
root@ubuntu2404:~# nerdctl images
REPOSITORY           TAG       IMAGE ID        CREATED               PLATFORM       SIZE       BLOB SIZE
busybox              latest    560af6915bfc    11 minutes ago        linux/amd64    4.8 MiB    2.5 MiB
```

tag

Purpose: tag an image.

Example:

```bash
root@ubuntu2404:~# nerdctl tag busybox mage16196/busybox
root@ubuntu2404:~# nerdctl images
REPOSITORY                     TAG       IMAGE ID        CREATED           PLATFORM       SIZE         BLOB SIZE
busybox                        latest    560af6915bfc    10 minutes ago    linux/amd64    4.8 MiB      2.5 MiB
mage16196/busybox              latest    560af6915bfc    12 seconds ago    linux/amd64    4.8 MiB      2.5 MiB
```

push

Purpose: push an image to a registry.

Example: push to Docker Hub

```bash
# Log in
root@ubuntu2404:~# nerdctl login
Enter Username: mage16196
Enter Password:
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

root@ubuntu2404:~# nerdctl push mage16196/busybox
```

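The WARNING printed by nerdctl login deserves more than a glance: the file it names holds the registry password as a base64 "auth" value that anyone who can read the file can decode. The script below is an added example (mine, not from the article or nerdctl) that audits such a config.json: it lists every registry with a clear-text "auth" entry and reports whether a credsStore or per-registry credHelpers entry (the remedy the warning points at) is configured instead. The function name and finding labels are my own, and the parsing is line oriented, so it expects the pretty-printed one-key-per-line layout that the docker and nerdctl CLIs write.

```shell
#!/bin/sh
# Added example, not from the original article: audit the credential file
# written by `nerdctl login` (/root/.docker/config.json for root). The path is
# an argument, so a constructed sample can be audited offline.

# audit_docker_config FILE
#   PLAINTEXT_AUTH <registry>          "auth" stored directly in the file
#   CREDS_STORE <helper>               default credential helper configured
#   CRED_HELPER <registry> <helper>    per-registry credential helper
# Returns 1 if any PLAINTEXT_AUTH finding was printed, 0 otherwise.
audit_docker_config() {
    file=$1
    [ -f "$file" ] || { echo "NO_CONFIG $file"; return 0; }
    report=$(awk '
        # remember the key of the object being entered, e.g. "https://index.docker.io/v1/": {
        /^[[:space:]]*"[^"]+":[[:space:]]*[{]/ {
            key = $0; sub(/^[[:space:]]*"/, "", key); sub(/".*/, "", key); cur = key
        }
        # a non-empty "auth" string inside a registry object is a clear-text credential
        /"auth":[[:space:]]*"[^"]+"/ { print "PLAINTEXT_AUTH " cur }
        # entries of the credHelpers object map a registry to a helper binary
        cur == "credHelpers" && /^[[:space:]]*"[^"]+":[[:space:]]*"[^"]+"/ {
            reg = $0; sub(/^[[:space:]]*"/, "", reg); sub(/".*$/, "", reg)
            helper = $0; sub(/^.*:[[:space:]]*"/, "", helper); sub(/".*$/, "", helper)
            print "CRED_HELPER " reg " " helper
        }
    ' "$file"
    sed -n 's/.*"credsStore":[[:space:]]*"\([^"]*\)".*/CREDS_STORE \1/p' "$file")
    [ -n "$report" ] && printf '%s\n' "$report"
    case $report in
        *PLAINTEXT_AUTH*) return 1 ;;
    esac
    return 0
}

# Usage: sh docker_config_audit.sh [config.json]   (defaults to root's file)
if [ -n "${1:-}" ] || [ -f /root/.docker/config.json ]; then
    audit_docker_config "${1:-/root/.docker/config.json}" && echo "no clear-text registry credentials"
fi
```

Running it right after `nerdctl login` on the lab host reports PLAINTEXT_AUTH for https://index.docker.io/v1/; after a credential helper is configured the same file reports CREDS_STORE and nothing else.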
save

Purpose: export a local image to a file.

Example:

```bash
root@ubuntu2404:~# nerdctl image save busybox -o busybox.tar
# Short form
root@ubuntu2404:~# nerdctl save busybox -o busybox.tar

# Delete the image
root@ubuntu2404:~# nerdctl image rm busybox
root@ubuntu2404:~# nerdctl images
REPOSITORY           TAG       IMAGE ID        CREATED          PLATFORM       SIZE       BLOB SIZE
mage16196/busybox    latest    560af6915bfc    4 minutes ago    linux/amd64    4.8 MiB    2.5 MiB
```

load

Purpose: import an image from a tar file.

Example:

```bash
root@ubuntu2404:~# nerdctl image load -i busybox.tar
# Short form
root@ubuntu2404:~# nerdctl load -i busybox.tar

root@ubuntu2404:~# nerdctl images
REPOSITORY           TAG       IMAGE ID        CREATED          PLATFORM       SIZE       BLOB SIZE
busybox              latest    560af6915bfc    2 seconds ago    linux/amd64    4.8 MiB    2.5 MiB
mage16196/busybox    latest    560af6915bfc    4 minutes ago    linux/amd64    4.8 MiB    2.5 MiB
```

history

Purpose: show the layer-by-layer history of the commands used to build an image.

Example:

```bash
root@ubuntu2404:~# nerdctl image pull docker.io/library/mysql
root@ubuntu2404:~# nerdctl image history docker.io/library/mysql
```

inspect

Purpose: show detailed information about an image.

Example:

```bash
root@ubuntu2404:~# nerdctl image inspect docker.io/library/mysql
......
        "Config": {
            "AttachStdin": false,
            "ExposedPorts": {
                "3306/tcp": {}
            },
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "GOSU_VERSION=1.7",
                "MYSQL_MAJOR=5.7",
                "MYSQL_VERSION=5.7.18-1debian8"
            ],
            "Cmd": [
                "mysqld"
            ],
            "Volumes": {
                "/var/lib/mysql": {}
            },
            "Entrypoint": [
                "docker-entrypoint.sh"
            ]
        },
......
```

prune

Purpose: delete all unused images.

Example:

```bash
root@ubuntu2404:~# nerdctl image prune --all --force
root@ubuntu2404:~# nerdctl image ls
REPOSITORY    TAG    IMAGE ID    CREATED    PLATFORM    SIZE    BLOB SIZE
```

nerdctl container management

Help

```bash
root@ubuntu2404:~# nerdctl container <tab><tab>
commit   (Create a new image from a container's changes)
cp       (Copy files/folders between a running container and the local filesystem.)
create   (Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.)
exec     (Run a command in a running container)
inspect  (Display detailed information on one or more containers.)
kill     (Kill one or more running containers)
logs     (Fetch the logs of a container. Currently, only containers created with `nerdctl run -d` are support...)
ls       (List containers)
pause    (Pause all processes within one or more containers)
port     (List port mappings or a specific mapping for the container)
rename   (rename a container)
restart  (Restart one or more running containers)
rm       (Remove one or more containers)
run      (Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image fr...)
start    (Start one or more running containers)
stop     (Stop one or more running containers)
unpause  (Unpause all processes within one or more containers)
update   (Update one or more running containers)
wait     (Block until one or more containers stop, then print their exit codes.)
```

ls

Purpose: list containers.

Example:

```bash
root@ubuntu2404:~# nerdctl container ls
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES
# Short form
root@ubuntu2404:~# nerdctl ps
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES

# The -a option lists all containers, including ones that are not running
root@ubuntu2404:~# nerdctl container ls -a
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES
```

Common options:

  • -a, --all Show all containers (default shows just running)
  • -f, --filter strings Filter matches containers based on given conditions
  • --format string Format the output using the given Go template, e.g, '{{json .}}', 'wide'

run

Purpose: create and run a container.

Example:

```bash
# Syntax:
Usage: nerdctl container run [flags] IMAGE [COMMAND] [ARG...]

root@ubuntu2404:~# nerdctl container run -it ubuntu
root@249c162d8db6:/# exit
exit

# Short form
root@ubuntu2404:~# nerdctl run -it ubuntu

# The container's status is now Exited
root@ubuntu2404:~# nerdctl container ls
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES
root@ubuntu2404:~# nerdctl container ls -a
CONTAINER ID    IMAGE                              COMMAND        CREATED           STATUS                       PORTS    NAMES
249c162d8db6    docker.io/library/ubuntu:latest    "/bin/bash"    24 seconds ago    Exited (0) 22 seconds ago             ubuntu-249c1
```

Common options:

  • --cpu-shares uint CPU shares (relative weight)
  • --cpus float Number of CPUs
  • -d, --detach Run container in background and print container ID
  • --dns strings Set custom DNS servers
  • -e, --env stringArray Set environment variables
  • -h, --hostname string Container host name
  • -i, --interactive Keep STDIN open even if not attached
  • --ip string IPv4 address to assign to the container
  • --mac-address string MAC address to assign to the container
  • -m, --memory string Memory limit
  • --name string Assign a name to the container
  • --net strings Connect a container to a network ("bridge"|"host"|"none"|) (default bridge)
  • --network strings Connect a container to a network ("bridge"|"host"|"none"|"container:"|) (default bridge)
  • --privileged Give extended privileges to this container
  • --pull string Pull image before running ("always"|"missing"|"never") (default "missing")
  • --restart string Restart policy to apply when a container exits (implemented values: "no"|"always|on-failure:n|unless-stopped") (default "no")
  • --rm Automatically remove the container when it exits
  • --runtime string Runtime to use for this container, e.g.
  • --stop-signal string Signal to stop a container (default "SIGTERM")
  • --stop-timeout Timeout (in seconds) to stop a container
  • -t, --tty Allocate a pseudo-TTY
  • -v, --volume Bind mount a volume

rm

Purpose: remove a container (a running container must be stopped first, or removed with -f).

Example:

bash
root@ubuntu2404:~# nerdctl container rm 249c162d8db6
249c162d8db6
root@ubuntu2404:~# nerdctl container ls -a
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES

prune

Purpose: remove all stopped containers (--force skips the confirmation prompt).

Example:

bash
root@ubuntu2404:~# nerdctl container run ubuntu
root@ubuntu2404:~# nerdctl container run ubuntu
root@ubuntu2404:~# nerdctl container ls -a
CONTAINER ID    IMAGE                              COMMAND        CREATED          STATUS                      PORTS    NAMES
62a3258de309    docker.io/library/ubuntu:latest    "/bin/bash"    6 seconds ago    Exited (0) 6 seconds ago             ubuntu-62a32
d84bb674f77f    docker.io/library/ubuntu:latest    "/bin/bash"    8 seconds ago    Exited (0) 7 seconds ago             ubuntu-d84bb

root@ubuntu2404:~# nerdctl container prune --force 
Deleted Containers:
62a3258de309b3e01b1108cd0ac8fcb23918cfe05ba00719d47f9c907e83a938
d84bb674f77f3731a33958dbc74e7596dacc99688b33c64512f24bd067c9a67a

rename

Purpose: rename a container.

Example:

bash
root@ubuntu2404:~# nerdctl container run --name ubuntu-1 ubuntu 
root@ubuntu2404:~# nerdctl container rename ubuntu-1 ubuntu
root@ubuntu2404:~# nerdctl container ls -a
CONTAINER ID    IMAGE                              COMMAND        CREATED           STATUS                       PORTS    NAMES
2f2aa825864f    docker.io/library/ubuntu:latest    "/bin/bash"    25 seconds ago    Exited (0) 24 seconds ago             ubuntu

root@ubuntu2404:~# nerdctl container rm ubuntu

stop 和 start

Purpose: stop and start a container. stop sends the container's stop signal (SIGTERM by default, or the image's STOPSIGNAL; the nginx image below declares SIGQUIT) and escalates to SIGKILL once --stop-timeout expires.

Example:

bash
root@ubuntu2404:~# nerdctl container run -d nginx
root@ubuntu2404:~# nerdctl container ls --format "{{.Names}} {{.Status}}"
nginx-de224 Up

root@ubuntu2404:~# nerdctl container stop nginx-de224 
nginx-de224
root@ubuntu2404:~# nerdctl container ls -a --format "{{.Names}} {{.Status}}"
nginx-de224 Exited (0) 7 seconds ago

root@ubuntu2404:~# nerdctl container start nginx-de224 
nginx-de224
root@ubuntu2404:~# nerdctl container ls --format "{{.Names}} {{.Status}}"
nginx-de224 Up

restart

Purpose: restart a container (a stop followed by a start).

Example:

bash
root@ubuntu2404:~# nerdctl container restart nginx-de224 

pause 和 unpause

Purpose: pause and unpause a container. The processes are frozen with the cgroup freezer: they keep their memory and file descriptors but get no CPU time until unpause.

Example:

bash
root@ubuntu2404:~# nerdctl container pause nginx-de224 
nginx-de224
root@ubuntu2404:~# nerdctl container ls -a --format "{{.Names}} {{.Status}}"
nginx-de224 Paused

root@ubuntu2404:~# nerdctl container unpause nginx-de224 
nginx-de224
root@ubuntu2404:~# nerdctl container ls --format "{{.Names}} {{.Status}}"
nginx-de224 Up

kill

Purpose: send a signal to the container's main process. The default is SIGKILL, which is why the exit status below is 137 (128 + 9).

Example:

bash
root@ubuntu2404:~# nerdctl container kill nginx-de224
root@ubuntu2404:~# nerdctl container ls -a --format "{{.Names}} {{.Status}}"
nginx-de224 Exited (137) 24 seconds ago

exec

Purpose: run a command inside a running container; -it gives an interactive shell.

Example:

bash
root@ubuntu2404:~# nerdctl container start nginx-de224 
root@ubuntu2404:~# nerdctl container exec -it nginx-de224 bash
root@de2241441cb6:/# exit
exit

cp

Purpose: copy files between the host and a container, in either direction (put CONTAINER:PATH on the source side to copy out of the container).

Example:

bash
root@ubuntu2404:~# nerdctl container cp /etc/hostname nginx-de224:
root@ubuntu2404:~# nerdctl container exec nginx-de224 ls hostname
hostname

inspect

Purpose: show a container's full details as JSON. From a security point of view the fields worth reading are AppArmorProfile, Mounts, the nerdctl/networks label, State.Pid (the host PID of the container's init, which nsenter can use) and the paths under /var/lib/nerdctl that hold its log, hostname and resolv.conf.

Example:

bash
root@ubuntu2404:~# nerdctl container inspect nginx-de224 
[
    {
        "Id": "de2241441cb6122fa90fc68462684c9fe260e5eed20e44c83d2a9401fa7108d7",
        "Created": "2023-05-26T09:52:49.849804164Z",
        "Path": "/docker-entrypoint.sh",
        "Args": [
            "nginx",
            "-g",
            "daemon off;"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "Pid": 4888,
            "ExitCode": 0,
            "Error": "",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "docker.io/library/nginx:latest",
        "ResolvConfPath": "/var/lib/nerdctl/1935db59/containers/default/de2241441cb6122fa90fc68462684c9fe260e5eed20e44c83d2a9401fa7108d7/resolv.conf",
        "HostnamePath": "/var/lib/nerdctl/1935db59/containers/default/de2241441cb6122fa90fc68462684c9fe260e5eed20e44c83d2a9401fa7108d7/hostname",
        "LogPath": "/var/lib/nerdctl/1935db59/containers/default/de2241441cb6122fa90fc68462684c9fe260e5eed20e44c83d2a9401fa7108d7/de2241441cb6122fa90fc68462684c9fe260e5eed20e44c83d2a9401fa7108d7-json.log",
        "Name": "nginx-de224",
        "RestartCount": 0,
        "Driver": "overlayfs",
        "Platform": "linux",
        "AppArmorProfile": "nerdctl-default",
        "Mounts": null,
        "Config": {
            "Hostname": "de2241441cb6",
            "AttachStdin": false,
            "Labels": {
                "containerd.io/restart.explicitly-stopped": "false",
                "io.containerd.image.config.stop-signal": "SIGQUIT",
                "nerdctl/extraHosts": "null",
                "nerdctl/hostname": "de2241441cb6",
                "nerdctl/log-uri": "binary:///usr/bin/nerdctl?_NERDCTL_INTERNAL_LOGGING=%2Fvar%2Flib%2Fnerdctl%2F1935db59",
                "nerdctl/name": "nginx-de224",
                "nerdctl/namespace": "default",
                "nerdctl/networks": "[\"bridge\"]",
                "nerdctl/platform": "linux/amd64",
                "nerdctl/state-dir": "/var/lib/nerdctl/1935db59/containers/default/de2241441cb6122fa90fc68462684c9fe260e5eed20e44c83d2a9401fa7108d7"
            }
        },
        "NetworkSettings": {
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "10.4.0.14",
            "IPPrefixLen": 24,
            "MacAddress": "3e:51:10:ab:23:0b",
            "Networks": {
                "unknown-eth0": {
                    "IPAddress": "10.4.0.14",
                    "IPPrefixLen": 24,
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "3e:51:10:ab:23:0b"
                }
            }
        }
    }
]
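An added example, not nerdctl's own code: a small Python audit over `nerdctl container inspect` output that flags the settings a reviewer looks for first (no AppArmor confinement, host networking, bind mounts of host paths that amount to a host escape). The sample input is a trimmed copy of the JSON above plus a constructed second container, `debug-shell`, that carries the risky settings; the field names are nerdctl's Docker-compatible inspect fields, and the layout of the Mounts entries (Type/Source/Destination/RW) is assumed from that format.

```python
"""Audit `nerdctl container inspect` JSON for settings that weaken isolation.

Added example for this article; not part of nerdctl. Field names follow nerdctl's
Docker-compatible inspect output; the Mounts entry layout is assumed from it.
"""
from __future__ import annotations

import json

# Host paths that hand the host over when bind-mounted into a container
# (the containerd socket alone is enough to start a privileged container).
SENSITIVE_PREFIXES = (
    "/", "/etc", "/proc", "/sys", "/dev", "/root", "/boot",
    "/run/containerd", "/var/run/containerd",
    "/var/lib/containerd", "/var/lib/nerdctl",
)


def is_sensitive_path(path: str) -> bool:
    """True if `path` is one of the sensitive prefixes or lies below one."""
    path = path.rstrip("/") or "/"
    for prefix in SENSITIVE_PREFIXES:
        if path == prefix or (prefix != "/" and path.startswith(prefix + "/")):
            return True
    return False


def audit_container(c: dict) -> list[str]:
    """Return the findings for one inspect entry (empty list = nothing flagged)."""
    name = c.get("Name") or c.get("Id", "")[:12]
    findings: list[str] = []

    profile = c.get("AppArmorProfile", "")
    if profile in ("", "unconfined"):
        findings.append(f"{name}: no AppArmor confinement (profile={profile!r})")

    # nerdctl stores the attached networks as a JSON string in this label.
    labels = (c.get("Config") or {}).get("Labels") or {}
    networks = json.loads(labels.get("nerdctl/networks", "[]"))
    if "host" in networks:
        findings.append(f"{name}: shares the host network namespace")

    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and is_sensitive_path(src):
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(f"{name}: bind mount of sensitive host path {src} ({mode})")
    return findings


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `nerdctl inspect` array."""
    return {c["Name"]: audit_container(c) for c in json.loads(inspect_json)}


# Constructed sample: nginx-de224 is trimmed from the output above; debug-shell
# (including its Id) is invented to exercise the checks.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "de2241441cb6122fa90fc68462684c9fe260e5eed20e44c83d2a9401fa7108d7",
        "Name": "nginx-de224",
        "AppArmorProfile": "nerdctl-default",
        "Mounts": None,
        "Config": {"Labels": {"nerdctl/networks": "[\"bridge\"]"}},
    },
    {
        "Id": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
        "Name": "debug-shell",
        "AppArmorProfile": "unconfined",
        "Mounts": [
            {"Type": "bind", "Source": "/run/containerd", "Destination": "/run/containerd", "RW": True},
            {"Type": "bind", "Source": "/data", "Destination": "/data", "RW": True},
        ],
        "Config": {"Labels": {"nerdctl/networks": "[\"host\"]"}},
    },
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["clean"])
```

On a real host feed it `nerdctl container inspect $(nerdctl ps -aq)`; the nginx container from the article comes back clean, while the constructed debug-shell produces three findings (the /data mount is a normal data directory and is not flagged).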

logs

Purpose: show the console output (stdout/stderr of the main process) that nerdctl captured to the container's LogPath.

Example:

bash
root@ubuntu2404:~# nerdctl container logs nginx-de224 
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/05/26 10:55:17 [notice] 1#1: using the "epoll" event method
2023/05/26 10:55:17 [notice] 1#1: nginx/1.25.0
2023/05/26 10:55:17 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
2023/05/26 10:55:17 [notice] 1#1: OS: Linux 5.15.0-72-generic
2023/05/26 10:55:17 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1024:1024
2023/05/26 10:55:17 [notice] 1#1: start worker processes
2023/05/26 10:55:17 [notice] 1#1: start worker process 22
2023/05/26 10:55:17 [notice] 1#1: start worker process 23

port

Purpose: show the port mappings between the host and the container.

Example:

bash
root@ubuntu2404:~# nerdctl container run --name nginx -d -p 8080:80 nginx
root@ubuntu2404:~# nerdctl container port nginx
80/tcp -> 0.0.0.0:8080

commit

Purpose: commit a container's current filesystem changes to a new image.

Example:

bash

Managing networks with nerdctl

Networking under containerd works much like Docker's: by default every container interface is a virtual interface (one end of a veth pair), not a physical NIC.

nerdctl does not implement networking itself; it drives the CNI plugins. On first use it writes a CNI network named bridge (/etc/cni/net.d/nerdctl-bridge.conflist) whose Linux bridge device on the host is nerdctl0. For each container the CNI bridge plugin creates a veth pair, moves one end into the container's network namespace as eth0 and attaches the other end to nerdctl0. nerdctl0 is given the gateway address of the network's subnet (10.4.0.1/24 here), so the host and the containers can reach each other across the bridge.

Example:

bash
root@ubuntu2404:~# nerdctl run -d busybox -- sleep infinity
bab94a9f169c0305c47c247d258d90d9e25f2172ec09ecdf14c9452436ed5c15

root@ubuntu2404:~# nerdctl container ls
CONTAINER ID    IMAGE                               COMMAND               CREATED           STATUS    PORTS    NAMES
bab94a9f169c    docker.io/library/busybox:latest    "sleep infinity"    19 seconds ago    Up                 busybox-bab94

root@ubuntu2404:~# nerdctl exec busybox-bab94 -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 7a:a2:3f:04:16:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.4/24 brd 10.4.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::78a2:3fff:fe04:16d7/64 scope link 
       valid_lft forever preferred_lft forever

The interface as seen inside the container is 2: eth0@if7; @if7 means its peer is interface index 7 in the other network namespace, here the host's.

bash
root@ubuntu2404:~# ip a
......
6: nerdctl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:4c:c0:32:6a:5c brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.1/24 brd 10.4.0.255 scope global nerdctl0
       valid_lft forever preferred_lft forever
    inet6 fe80::a44c:c0ff:fe32:6a5c/64 scope link 
       valid_lft forever preferred_lft forever
7: vethf9f77444@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master nerdctl0 state UP group default 
    link/ether 76:51:da:0a:6a:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::7451:daff:fe0a:6aa3/64 scope link 
       valid_lft forever preferred_lft forever

The matching host interface is 7: vethf9f77444@if2; @if2 means its peer is interface index 2 inside the container, i.e. eth0. Interface indexes are per network namespace, so with several containers you must read the index from inside each container (or use link-netnsid) to pair the right veth; this mapping is what lets you tcpdump or rate-limit one specific container from the host side.

Example:

bash
root@ubuntu2404:~# nerdctl network ls
NETWORK ID      NAME      FILE
17f29b073143    bridge    /etc/cni/net.d/nerdctl-bridge.conflist
                host      
                none      

root@ubuntu2404:~# nerdctl network inspect bridge 
[
    {
        "Name": "bridge",
        "Id": "17f29b073143d8cd97b5bbe492bdeffec1c5fee55cc1fe2112c8b9335f8b6121",
        "IPAM": {
            "Config": [
                {
                    "Subnet": "10.4.0.0/24",
                    "Gateway": "10.4.0.1"
                }
            ]
        },
        "Labels": {
            "nerdctl/default-network": "true"
        }
    }
]

# on the host, nerdctl0 is the containers' default gateway
root@ubuntu2404:~# ip addr show nerdctl0 
6: nerdctl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:4c:c0:32:6a:5c brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.1/24 brd 10.4.0.255 scope global nerdctl0
       valid_lft forever preferred_lft forever
    inet6 fe80::a44c:c0ff:fe32:6a5c/64 scope link 
       valid_lft forever preferred_lft forever

nerdctl0 is an ordinary Linux bridge, so brctl show (package bridge-utils) lists it together with the veth ports attached to it; bridge link from iproute2 shows the same without installing anything extra.

bash
root@ubuntu2404:~# apt install -y bridge-utils
root@ubuntu2404:~# brctl show
bridge name	bridge id		STP enabled	interfaces
nerdctl0		8000.a64cc0326a5c	no		vethf9f77444
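An added example, not part of nerdctl or iproute2: a Python function that pairs a container's eth0@ifN with the host veth whose @ifM points back, using the two `ip a` listings above as constructed input. It reads only the `N: name@ifM:` header lines, the `master` bridge and the interface's first inet address, and treats a pair as verified only when both sides point at each other; peers printed as `@name` (same network namespace) are ignored.

```python
"""Pair container veth ends with their host-side peers from `ip a` output.

Added example for this article, not part of nerdctl or iproute2. The input
strings below are the two listings shown above, embedded as a constructed sample.
"""
from __future__ import annotations

import re

# Matches "7: vethf9f77444@if2: <BROADCAST,...> mtu 1500 ... master nerdctl0 ..."
HEADER_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@if(\d+))?: <[^>]*>(.*)$")
INET_RE = re.compile(r"^\s+inet (\S+)")


def parse_ip_a(text: str) -> dict[int, dict]:
    """Return {ifindex: {name, peer (ifindex in the other netns or None), master, inet}}."""
    links: dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            idx, name, peer, rest = m.groups()
            master = re.search(r"\bmaster (\S+)", rest)
            current = {"name": name, "peer": int(peer) if peer else None,
                       "master": master.group(1) if master else None, "inet": None}
            links[int(idx)] = current
        elif current is not None:
            m = INET_RE.match(line)
            if m and current["inet"] is None:
                current["inet"] = m.group(1)
    return links


def pair_interfaces(container_ip_a: str, host_ip_a: str) -> list[dict]:
    """For every container interface with an @ifN peer, look up host interface N.

    A pair is 'verified' only when the host side's @ifM points back at the
    container interface's own index; ifindex values are per network namespace,
    so a one-sided match could be a veth that belongs to another container.
    """
    ctr, host = parse_ip_a(container_ip_a), parse_ip_a(host_ip_a)
    pairs = []
    for cidx, c in ctr.items():
        if c["peer"] is None:
            continue
        h = host.get(c["peer"])
        pairs.append({
            "container_if": c["name"], "container_idx": cidx, "inet": c["inet"],
            "host_if": h["name"] if h else None, "host_idx": c["peer"],
            "bridge": h["master"] if h else None,
            "verified": bool(h) and h["peer"] == cidx,
        })
    return pairs


# Constructed sample: the two `ip a` listings from the article.
CONTAINER_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 7a:a2:3f:04:16:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.4/24 brd 10.4.0.255 scope global eth0
       valid_lft forever preferred_lft forever
"""

HOST_IP_A = """\
6: nerdctl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:4c:c0:32:6a:5c brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.1/24 brd 10.4.0.255 scope global nerdctl0
       valid_lft forever preferred_lft forever
7: vethf9f77444@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master nerdctl0 state UP group default
    link/ether 76:51:da:0a:6a:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::7451:daff:fe0a:6aa3/64 scope link
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    for p in pair_interfaces(CONTAINER_IP_A, HOST_IP_A):
        print(p)
```

In practice the container side comes from `nerdctl exec NAME -- ip a` and the host side from `ip a` on the node; the verified host_if is the interface to point tcpdump or tc at for that one container.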

nerdctl network command help

bash
root@ubuntu2404:~# nerdctl network 
Manage networks

Usage: nerdctl network [flags]

Commands:
  create   Create a network
  inspect  Display detailed information on one or more networks
  ls       List networks
  prune    Remove all unused networks
  rm       Remove one or more networks

Flags:
  -h, --help   help for network

See also 'nerdctl --help' for the global flags such as '--namespace', '--snapshotter', and '--cgroup-manager'.

Managing storage with nerdctl

When creating a container, nerdctl's -v option bind mounts a host directory into the container so that data outlives the container. The container sees that host path with the privileges its root user has on the host (nerdctl does not enable user namespaces by default), so a bind mount of /, /etc, /proc, /sys, /dev or the containerd socket is effectively a host escape: limit -v to dedicated data directories and append :ro when the container only needs to read.

Example:

bash
root@ubuntu2404:~# nerdctl run -d -v /data:/data busybox -- sleep infinity
6afe638b117d8d8470948b944efd2b913b0a91d366fcd3f88c48baa661c7fcf7
root@ubuntu2404:~# touch /data/f1
root@ubuntu2404:~# nerdctl exec busybox-6afe6 -- ls /data
f1

Instead of a host path, -v can also name a volume; nerdctl creates it on first use under its data root (here inside the k8s.io namespace) and mounts it into the container.

bash
root@ubuntu2404:~# nerdctl run -d -v data:/data busybox -- sleep infinity
dd82eea219b39c0b53257201b7528c2c52d8a886cd35108b55136c78b9525a48
root@ubuntu2404:~# nerdctl exec busybox-dd82e -- touch /data/f1

root@ubuntu2404:~# nerdctl volume ls
VOLUME NAME    DIRECTORY
data           /var/lib/nerdctl/1935db59/volumes/k8s.io/data/_data
root@ubuntu2404:~# ls /var/lib/nerdctl/1935db59/volumes/k8s.io/data/_data
f1

nerdctl volume command help

bash
root@ubuntu2404:~# nerdctl volume 
Manage volumes

Usage: nerdctl volume [flags]

Commands:
  create   Create a volume
  inspect  Display detailed information on one or more volumes
  ls       List volumes
  prune    Remove all unused local volumes
  rm       Remove one or more volumes

Flags:
  -h, --help   help for volume

See also 'nerdctl --help' for the global flags such as '--namespace', '--snapshotter', and '--cgroup-manager'.

Managing namespaces with nerdctl

containerd namespaces are, as the help text says, unrelated to Linux namespaces and Kubernetes namespaces: they only scope images, containers and volumes inside containerd and are not a security boundary. nerdctl works in the default namespace unless --namespace/-n, the CONTAINERD_NAMESPACE variable or nerdctl.toml says otherwise; the Kubernetes CRI plugin uses k8s.io, so nerdctl -n k8s.io ps lists the containers the kubelet created.

bash
root@ubuntu2404:~# nerdctl namespace 
Unrelated to Linux namespaces and Kubernetes namespaces

Usage: nerdctl namespace [flags]

Aliases: namespace, ns
Commands:
  create   Create a new namespace
  inspect  Display detailed information on one or more namespaces.
  ls       List containerd namespaces
  remove   Remove one or more namespaces
  update   Update labels for a namespace

Flags:
  -h, --help   help for namespace

See also 'nerdctl --help' for the global flags such as '--namespace', '--snapshotter', and '--cgroup-manager'

Example:

bash
root@ubuntu2404:~# nerdctl namespace ls
NAME      CONTAINERS    IMAGES    VOLUMES    LABELS
k8s.io    3             2         1   

The crictl tool

About crictl

crictl is a command-line client for CRI-compatible container runtimes; it is used to inspect and debug the runtime, its images, containers and pods on a kubelet node.

In a Kubernetes cluster the kubelet does not call crictl: it talks to the runtime directly over the CRI gRPC API. crictl speaks that same API, which is why it shows exactly the sandboxes (pods) and containers the kubelet created, and why it needs the same socket access. It is meant for inspection and debugging; pods and containers created by hand with crictl runp/run are unknown to the kubelet and may be garbage-collected by it.

When run manually, crictl is mostly used to look at images and containers.

Installing crictl

bash
# add the Kubernetes apt repository signing key (Aliyun mirror of pkgs.k8s.io)
root@ubuntu2404:~# curl -fsSL https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg

# add the Kubernetes apt repository
root@ubuntu2404:~# echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.30/deb/ /" > /etc/apt/sources.list.d/kubernetes.list

# install cri-tools, pinned to the cluster's Kubernetes minor version
root@ubuntu2404:~# apt update && apt install -y cri-tools=1.30.1-1.1

# enable shell completion
root@ubuntu2404:~# apt install -y bash-completion
root@ubuntu2404:~# [ ! -d /etc/bash_completion.d ] && mkdir /etc/bash_completion.d
root@ubuntu2404:~# crictl completion bash > /etc/bash_completion.d/crictl
root@ubuntu2404:~# source /etc/bash_completion.d/crictl

Configuring crictl

Point crictl at containerd's CRI socket. Whoever can write to this socket can ask containerd to start a privileged container, so the socket (0660 root:root in containerd's default configuration) deserves the same protection as root itself.

bash
root@ubuntu2404:~# crictl config --set \
runtime-endpoint=unix:///var/run/containerd/containerd.sock
root@ubuntu2404:~# cat /etc/crictl.yaml 
runtime-endpoint: "unix:///var/run/containerd/containerd.sock"
image-endpoint: ""
timeout: 0
debug: false
pull-image-on-create: false
disable-pull-on-run: false
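An added example, not part of crictl: a Python check that reads runtime-endpoint from crictl.yaml, resolves the unix:// socket path and reports whether that path is a real socket with safe ownership and mode. The crictl.yaml text is the one printed above, embedded as constructed input; make_demo_socket exists only so the check can be exercised without a running containerd.

```python
"""Check the CRI socket that crictl (and nerdctl) talk to.

Added example for this article; not part of crictl. Anyone who can write to this
socket can ask containerd for a privileged container, i.e. root on the host.
"""
from __future__ import annotations

import os
import re
import socket
import stat
import tempfile


def runtime_endpoint(crictl_yaml: str) -> str | None:
    """Return the runtime-endpoint value from crictl.yaml text (quotes stripped), or None."""
    for line in crictl_yaml.splitlines():
        m = re.match(r'^\s*runtime-endpoint:\s*"?([^"\s]*)"?\s*$', line)
        if m and m.group(1):
            return m.group(1)
    return None


def socket_path(endpoint: str) -> str:
    """Strip the unix:// scheme; on Linux crictl only uses unix sockets."""
    if not endpoint.startswith("unix://"):
        raise ValueError(f"unsupported endpoint: {endpoint}")
    return endpoint[len("unix://"):]


def check_socket(path: str, expected_uid: int | None = 0) -> list[str]:
    """Return findings about the socket at `path` (empty list = looks fine).

    expected_uid=None skips the ownership check (used by the demo below, which
    cannot create root-owned files).
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (containerd not running, or wrong endpoint)"]
    findings: list[str] = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: not a unix socket")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({mode:04o}); every local user can drive containerd as root")
    elif mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"{path}: group-writable by gid {st.st_gid}; that group is root-equivalent")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def make_demo_socket(mode: int) -> str:
    """Create a throwaway unix socket with the given mode (demo/testing only)."""
    path = os.path.join(tempfile.mkdtemp(), "containerd.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()  # the socket file stays on disk until it is unlinked
    os.chmod(path, mode)
    return path


# Constructed copy of the /etc/crictl.yaml shown above.
SAMPLE_CRICTL_YAML = '''runtime-endpoint: "unix:///var/run/containerd/containerd.sock"
image-endpoint: ""
timeout: 0
debug: false
pull-image-on-create: false
disable-pull-on-run: false
'''

if __name__ == "__main__":
    path = socket_path(runtime_endpoint(SAMPLE_CRICTL_YAML))
    print(path, check_socket(path) or "ok")
    demo = make_demo_socket(0o666)
    print(demo, check_socket(demo, expected_uid=None))
```

Run it on a node with `check_socket(socket_path(runtime_endpoint(open("/etc/crictl.yaml").read())))`; an empty list means the socket is root-owned and not writable by others, which is the state the crictl and nerdctl sections above rely on.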

Using crictl

Help output

The listing below was captured from crictl v1.26.0, an older release than the 1.30.1 package pinned above, so the version line and some option defaults may differ on your node.

bash
root@ubuntu2404:~# crictl 
NAME:
   crictl - client for CRI

USAGE:
   crictl [global options] command [command options] [arguments...]

VERSION:
   v1.26.0

COMMANDS:
   attach              Attach to a running container
   create              Create a new container
   exec                Run a command in a running container
   version             Display runtime version information
   images, image, img  List images
   inspect             Display the status of one or more containers
   inspecti            Return the status of one or more images
   imagefsinfo         Return image filesystem info
   inspectp            Display the status of one or more pods
   logs                Fetch the logs of a container
   port-forward        Forward local port to a pod
   ps                  List containers
   pull                Pull an image from a registry
   run                 Run a new container inside a sandbox
   runp                Run a new pod
   rm                  Remove one or more containers
   rmi                 Remove one or more images
   rmp                 Remove one or more pods
   pods                List pods
   start               Start one or more created containers
   info                Display information of the container runtime
   stop                Stop one or more running containers
   stopp               Stop one or more running pods
   update              Update one or more running containers
   config              Get and set crictl client configuration options
   stats               List container(s) resource usage statistics
   statsp              List pod resource usage statistics
   completion          Output shell completion code
   checkpoint          Checkpoint one or more running containers
   help, h             Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config value, -c value            Location of the client config file. If not specified and the default does not exist, the program's directory is searched as well (default: "/etc/crictl.yaml") [$CRI_CONFIG_FILE]
   --debug, -D                         Enable debug mode (default: false)
   --image-endpoint value, -i value    Endpoint of CRI image manager service (default: uses 'runtime-endpoint' setting) [$IMAGE_SERVICE_ENDPOINT]
   --runtime-endpoint value, -r value  Endpoint of CRI container runtime service (default: uses in order the first successful one of [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock unix:///var/run/cri-dockerd.sock]). Default is now deprecated and the endpoint should be set instead. [$CONTAINER_RUNTIME_ENDPOINT]
   --timeout value, -t value           Timeout of connecting to the server in seconds (e.g. 2s, 20s.). 0 or less is set to default (default: 2s)
   --help, -h                          show help (default: false)
   --version, -v                       print the version (default: false)

Image commands

  • images, image, img List images
  • pull Pull an image from a registry
  • inspecti Return the status of one or more images
  • imagefsinfo Return image filesystem info
  • rmi Remove one or more images

Container commands

  • ps List containers
  • create Create a new container
  • run Run a new container inside a sandbox
  • inspect Display the status of one or more containers
  • info Display information of the container runtime
  • attach Attach to a running container
  • exec Run a command in a running container
  • logs Fetch the logs of a container
  • update Update one or more running containers
  • stats List container(s) resource usage statistics
  • checkpoint Checkpoint one or more running containers
  • start Start one or more created containers
  • stop Stop one or more running containers
  • rm Remove one or more containers

Pod commands

  • pods List pods
  • runp Run a new pod
  • inspectp Display the status of one or more pods
  • statsp List pod resource usage statistics
  • port-forward Forward local port to a pod
  • stopp Stop one or more running pods
  • rmp Remove one or more pods

Other commands

  • version Display runtime version information
  • config Get and set crictl client configuration options
  • completion Output shell completion code
  • help, h Shows a list of commands or help for one command