前置步骤
腾空节点
[root@master~] # kubectl drain node1 --ignore-daemonsets --force
注意:--force 会把不受控制器(Deployment、StatefulSet 等)管理的裸 Pod 一并删除,这类 Pod 不会被自动重建,执行前请先确认节点上没有需要保留的裸 Pod。
停止节点相关服务
[root@node1~] # systemctl stop kubelet
[root@node1~] # systemctl disable docker --now
K8S版本对应关系
containerd对应
ingress版本对应
calico对应
https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements
第一步:安装containerd
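1.1:先下载使用的软件
下载后先校验完整性再安装:各项目的 GitHub Release 页面都随安装包提供 SHA256 校验文件(部分项目还提供签名文件),用 sha256sum 核对一致后再解压或安装。这些二进制会以 root 身份在节点上运行,校验不过的包不要使用。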
containerd()
cni-plugins()
runc()
https://github.com/opencontainers/runc/releases/download/v1.2.5/runc.amd64
nerdctl(containerd的命令行)
https://github.com/containerd/nerdctl/releases/download/v2.1.2/nerdctl-2.1.2-linux-amd64.tar.gz
1.2:解压containerd
[root@node1/home] # tar -vxf containerd-1.7.27-linux-amd64.tar.gz -C /usr/local/
bin/
bin/ctr
bin/containerd-stress
bin/containerd-shim
bin/containerd
bin/containerd-shim-runc-v2
bin/containerd-shim-runc-v1
1.3:创建containerd服务
[root@node1~] # mkdir -p /usr/local/lib/systemd/system/
[root@node1~] # touch /usr/local/lib/systemd/system/containerd.service
[root@node1~] # vim /usr/local/lib/systemd/system/containerd.service
将官方配置文件写入
官方配置文件:https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
(该链接指向 main 分支,内容会随上游更新而变化;建议使用与所安装 containerd 版本对应的 tag 下的 containerd.service。)
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
1.4:设置开机自启
[root@node1~] # systemctl daemon-reload
[root@node1~] # systemctl enable --now containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/local/lib/systemd/system/containerd.service.
1.5:安装runc
[root@node1/home] # install -m 755 runc.amd64 /usr/local/sbin/runc
1.6:安装cni
[root@node1/home] # mkdir -p /opt/cni/bin
[root@node1/home] # tar -vxf cni-plugins-linux-amd64-v1.6.2.tgz -C /opt/cni/bin/
./
./ipvlan
./tap
./loopback
./host-device
./README.md
./portmap
./ptp
./vlan
./bridge
./firewall
./LICENSE
./macvlan
./dummy
./bandwidth
./vrf
./tuning
./static
./dhcp
./host-local
./sbr
1.7:生成配置文件
#生成containerd的配置文件
mkdir /etc/containerd
containerd config default > /etc/containerd/config.toml
#定义 crictl 如何连接到容器运行时
cat >/etc/crictl.yaml<<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
1.8:修改配置文件
[root@node1/etc/containerd] # grep 'sandbox_image' /etc/containerd/config.toml
sandbox_image = "registry.k8s.io/pause:3.8"
[root@node1/etc/containerd] # sed -i 's#registry.k8s.io/pause:3.8#registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.8#' /etc/containerd/config.toml
[root@node1/etc/containerd] # grep 'sandbox_image' /etc/containerd/config.toml
sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.8"
[root@node1/etc/containerd] # grep SystemdCgroup /etc/containerd/config.toml
SystemdCgroup = false
[root@node1/etc/containerd] # sed -ri 's#(SystemdCgroup = )false#\1true#' /etc/containerd/config.toml
[root@node1/etc/containerd] # grep SystemdCgroup /etc/containerd/config.toml
SystemdCgroup = true
#将该配置文件中 [plugins."io.containerd.grpc.v1.cri".registry] 下的 config_path = "" 改为镜像加速配置的总目录(即步骤1.9创建的 certs.d 目录),例如 config_path = "/etc/containerd/certs.d"

注意:如果你使用 cgroup v2,则推荐 systemd cgroup 驱动。 识别 Linux 节点上的 cgroup 版本:cgroup 版本取决于正在使用的 Linux 发行版和操作系统上配置的默认 cgroup 版本。 要检查你的发行版使用的是哪个 cgroup 版本,请在该节点上运行 stat -fc %T /sys/fs/cgroup/ 命令
stat -fc %T /sys/fs/cgroup/
对于 cgroup v2,输出为 cgroup2fs。
对于 cgroup v1,输出为 tmpfs
配置 systemd cgroup 驱动
要在 /etc/containerd/config.toml 中将 runc 配置为使用 systemd cgroup 驱动, 请根据你使用的 Containerd 版本设置以下配置:
Containerd 1.x 版本:
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
...
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
Containerd 2.x 版本:
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc]
...
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
SystemdCgroup = true
1.9:创建文件夹(这里配的是镜像加速,根据自己实际情况来)
说明:镜像加速站是第三方服务,节点实际拉到的镜像内容取决于它;只保留自己信任的加速站,关键镜像建议按 digest(@sha256:…)引用,这样即使经过加速站,内容也会按摘要校验。
[root@node1/etc/containerd] # mkdir -p /etc/containerd/certs.d/{10.0.0.105:9080,docker.io,registry.k8s.io}
1.10:将配置分别写入
[root@node1/etc/containerd] # cat > /etc/containerd/certs.d/docker.io/hosts.toml <<EOF
server = "https://docker.io"
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
[host."https://dockerproxy.com/"]
capabilities = ["pull", "resolve"]
EOF
[root@node1/etc/containerd] # cat > /etc/containerd/certs.d/registry.k8s.io/hosts.toml << EOF
server = "registry.k8s.io"
[host."k8s.m.daocloud.io"]
capabilities = ["pull", "resolve"]
EOF
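#根据自己的私有仓库地址进行修改
#注意:下面的示例仓库走明文 HTTP,镜像和登录凭据在网络上不加密,也无法防篡改,只适合隔离的内网测试环境。
#skip_verify 的作用是跳过 HTTPS 证书校验,对 http:// 地址不起作用;生产环境建议给仓库配置 HTTPS,并在 hosts.toml 中用 ca 指定 CA 证书,而不是使用 skip_verify = true。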
[root@node1/etc/containerd] # cat > /etc/containerd/certs.d/10.0.0.105\:9080/hosts.toml << EOF
server = "http://10.0.0.105:9080"
[host."http://10.0.0.105:9080"]
capabilities = ["pull", "resolve", "push"]
skip_verify = true
EOF
1.11:将containerd命令行nerdctl放到/usr/local/bin下
[root@node1/home] # tar -vxf nerdctl-2.1.2-linux-amd64.tar.gz -C /usr/local/bin/
1.12:重启
[root@node1/etc/containerd] # systemctl restart containerd
1.13:在主节点上修改node的运行socket为containerd
[root@master~] # kubectl edit no node1
将 kubeadm.alpha.kubernetes.io/cri-socket 由 dockershim 改为 unix:///run/containerd/containerd.sock

1.14:卸载docker
...省略.....
1.15:修改kubelet启动配置
vim /var/lib/kubelet/kubeadm-flags.env
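#在参数后加上 --container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock
#注意:--container-runtime 参数在 kubelet 1.24 中弃用、1.27 中移除;1.27 及以上版本只需加 --container-runtime-endpoint,否则 kubelet 会因未知参数而无法启动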
1.16:重启kubelet
[root@node1~] # systemctl daemon-reload
[root@node1~] # systemctl restart kubelet.service
1.17:在主节点验证
[root@master~] # kubectl get node -o wide | grep node1
1.18:让节点恢复调度
[root@master~] # kubectl uncordon node1