Installing containerd and nerdctl on Ubuntu

Using Ubuntu 24.04 as the example, install nerdctl and containerd.

Prerequisites

Ubuntu

  • Install uidmap
sudo apt update && sudo apt install -y uidmap
  • AppArmor configuration

Because the quick install and the separate install put the binaries in different directories, the AppArmor configuration differs slightly between them; each variant is covered in its own section below.

Dependency packages

Quick install (full bundle)

Extract nerdctl-full-2.0.3-linux-amd64.tar.gz into ~/.local and add the ~/.local/bin directory to PATH.

tar zxf nerdctl-full-2.0.3-linux-amd64.tar.gz -C ~/.local

echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc

source ~/.bashrc

It looks as if the installation is complete, but it is not yet: running nerdctl produces an error. The error below means that rootless containerd must be installed and running first.

nerdctl
# FATA[0000] rootless containerd not running? (hint: use `containerd-rootless-setuptool.sh install` to start rootless containerd): stat /run/user/1000/containerd-rootless: no such file or directory

First attempt at installing rootless containerd. The error below appears because Ubuntu 24.04 tightened its application restrictions: unprivileged user namespaces are restricted by default, so the application (rootlesskit) must be allowed to use them through an AppArmor profile.

containerd-rootless-setuptool.sh install
# [INFO] Checking RootlessKit functionality
# [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
# [ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .

Configure AppArmor

# rootlesskit lives in ~/.local/bin
filename=$(echo $HOME/.local/bin/rootlesskit | sed -e s@^/@@ -e s@/@.@g)

cat <<EOF > ~/${filename}
abi <abi/4.0>,
include <tunables/global>

"$HOME/.local/bin/rootlesskit" flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/${filename}>
}
EOF

sudo mv ~/${filename} /etc/apparmor.d/${filename}

sudo systemctl restart apparmor.service

Install and start rootless containerd

containerd-rootless-setuptool.sh install

# [INFO] Checking RootlessKit functionality
# [INFO] Checking cgroup v2
# [INFO] Checking overlayfs
# [INFO] Requirements are satisfied
# [INFO] Creating "/home/vagrant/.config/systemd/user/containerd.service"
# [INFO] Starting systemd unit "containerd.service"
# + systemctl --user start containerd.service
# + sleep 3
# + systemctl --user --no-pager --full status containerd.service
# ● containerd.service - containerd (Rootless)
# Loaded: loaded (/home/vagrant/.config/systemd/user/containerd.service; disabled; preset: enabled)
# Active: active (running) since Sat 2025-02-08 09:10:49 CST; 3s ago
# Main PID: 3535 (rootlesskit)
# Tasks: 28
# Memory: 15.2M (peak: 19.2M)
# CPU: 287ms
# CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/containerd.service
# ├─3535 rootlesskit --state-dir=/run/user/1000/containerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --copy-up=/var/lib --propagation=rslave --detach-netns /home/vagrant/.local/bin/containerd-rootless.sh
# ├─3553 /proc/self/exe --state-dir=/run/user/1000/containerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --copy-up=/var/lib --propagation=rslave --detach-netns /home/vagrant/.local/bin/containerd-rootless.sh
# ├─3574 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-seccomp --userns-path=/proc/3553/ns/user --netns-type=path /proc/3553/root/run/user/1000/containerd-rootless/netns tap0
# └─3582 containerd

# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684164811+08:00" level=info msg="Start recovering state"
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684269626+08:00" level=info msg=serving... address=/run/containerd/containerd.sock
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684288884+08:00" level=info msg="Start event monitor"
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684345921+08:00" level=info msg="Start cni network conf syncer for default"
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684355097+08:00" level=info msg="Start streaming server"
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684362261+08:00" level=info msg="Registered namespace \"k8s.io\" with NRI"
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684406574+08:00" level=info msg="runtime interface starting up..."
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684412963+08:00" level=info msg="starting plugins..."
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684427341+08:00" level=info msg="Synchronizing NRI (plugin) with current runtime state"
# Feb 08 09:10:49 noble containerd-rootless.sh[3582]: time="2025-02-08T09:10:49.684492554+08:00" level=info msg="containerd successfully booted in 0.037003s"
# + systemctl --user enable containerd.service
# Created symlink /home/vagrant/.config/systemd/user/default.target.wants/containerd.service → /home/vagrant/.config/systemd/user/containerd.service.
# [INFO] Installed "containerd.service" successfully.
# [INFO] To control "containerd.service", run: `systemctl --user (start|stop|restart) containerd.service`
# [INFO] To run "containerd.service" on system startup automatically, run: `sudo loginctl enable-linger vagrant`
# [INFO] ------------------------------------------------------------------------------------------
# [INFO] Use `nerdctl` to connect to the rootless containerd.
# [INFO] You do NOT need to specify $CONTAINERD_ADDRESS explicitly.

nerdctl build: install and run buildkit

# nerdctl build
# ERRO[0000] `buildctl` needs to be installed and `buildkitd` needs to be running, see https://github.com/moby/buildkit , and `containerd-rootless-setuptool.sh install-buildkit` for OCI worker or `containerd-rootless-setuptool.sh install-buildkit-containerd` for containerd worker error="failed to ping to host unix:///run/user/1000/buildkit-default/buildkitd.sock: exit status 1\nfailed to ping to host unix:///run/user/1000/buildkit/buildkitd.sock: exit status 1"
# FATA[0000] no buildkit host is available, tried 2 candidates: failed to ping to host unix:///run/user/1000/buildkit-default/buildkitd.sock: exit status 1
# failed to ping to host unix:///run/user/1000/buildkit/buildkitd.sock: exit status 1

containerd-rootless-setuptool.sh install-buildkit

At this point nerdctl and containerd are basically usable.

Separate install

Install the software

Install containerd

tar zxf /vagrant/containerd-2.0.2-linux-amd64.tar.gz

sudo mv ./bin/* /usr/local/bin/

tree /usr/local/bin
# output looks like this
# /usr/local/bin
# ├── containerd
# ├── containerd-shim-runc-v2
# ├── containerd-stress
# └── ctr

Install nerdctl

# install into /usr/local/bin/
sudo tar zxf nerdctl-2.0.3-linux-amd64.tar.gz -C /usr/local/bin/

# check the result
tree /usr/local/bin
# output looks like this
# /usr/local/bin
# ├── containerd
# ├── containerd-rootless-setuptool.sh
# ├── containerd-rootless.sh
# ├── containerd-shim-runc-v2
# ├── containerd-stress
# ├── ctr
# └── nerdctl

Install rootlesskit and slirp4netns

# install into /usr/local/bin/
sudo tar zxf rootlesskit-x86_64.tar.gz -C /usr/local/bin/

chmod +x slirp4netns

sudo mv slirp4netns /usr/local/bin

Install buildkit

tar zxf buildkit-v0.19.0.linux-amd64.tar.gz

sudo mv ./bin/* /usr/local/bin/

Install the CNI plugins

# CNI install directory
sudo mkdir -p /opt/cni/bin/

sudo tar zxf cni-plugins-linux-amd64-v1.6.2.tgz -C /opt/cni/bin/

tree /opt/cni/bin
# /opt/cni/bin
# ├── LICENSE
# ├── README.md
# ├── bandwidth
# ├── bridge
# ├── dhcp
# ├── dummy
# ├── firewall
# ├── host-device
# ├── host-local
# ├── ipvlan
# ├── loopback
# ├── macvlan
# ├── portmap
# ├── ptp
# ├── sbr
# ├── static
# ├── tap
# ├── tuning
# ├── vlan
# └── vrf

Environment initialization

Run nerdctl; the error says that rootless containerd must be installed and running.

nerdctl
# FATA[0000] rootless containerd not running? (hint: use `containerd-rootless-setuptool.sh install` to start rootless containerd): stat /run/user/1000/containerd-rootless: no such file or directory

First attempt at installing rootless containerd; the error means AppArmor must be configured to grant the permission.

containerd-rootless-setuptool.sh install
# [INFO] Checking RootlessKit functionality
# [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
# [ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .

Configure AppArmor

# rootlesskit lives in /usr/local/bin
cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/rootlesskit flags=(unconfined) {
userns,

# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.local.bin.rootlesskit>
}
EOT

sudo systemctl restart apparmor.service
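The two AppArmor sections of this post (the ~/.local/bin quick-install variant and the /usr/local/bin variant just above) are the same procedure with a different path. As an added example, not code from the original post or from the rootlesskit project, the script below turns it into reusable shell functions: it derives the profile file name from any install path with the same sed mangling, renders the profile, writes it to a directory of your choice (a scratch directory lets you inspect the file before anything touches /etc/apparmor.d), and reports whether the kernel's apparmor_restrict_unprivileged_userns switch is currently on, which is the setting behind the "operation not permitted" error. The function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: generate the AppArmor profile
# that lets one specific rootlesskit binary create user namespaces on
# Ubuntu 24.04, whatever prefix it was installed under.

# Map an absolute path to the AppArmor profile file name the post uses,
# e.g. /usr/local/bin/rootlesskit -> usr.local.bin.rootlesskit
apparmor_profile_name() {
    printf '%s' "$1" | sed -e 's@^/@@' -e 's@/@.@g'
}

# Render the profile text for the binary at $1 (same content as the post's
# two profiles; the path is quoted so a prefix with spaces still parses).
render_rootlesskit_profile() {
    bin="$1"
    name=$(apparmor_profile_name "$bin")
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

"$bin" flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Write the profile for $1 into directory $2 (default /etc/apparmor.d)
# and print the resulting path. Writing to /etc/apparmor.d needs root;
# pass a scratch directory (hypothetical second argument) to preview first.
install_rootlesskit_profile() {
    bin="$1"
    dir="${2:-/etc/apparmor.d}"
    name=$(apparmor_profile_name "$bin")
    render_rootlesskit_profile "$bin" > "$dir/$name" || return 1
    printf '%s\n' "$dir/$name"
}

# Succeeds (exit 0) when the kernel is currently refusing unprivileged
# user namespaces, the condition that produces
# "fork/exec /proc/self/exe: operation not permitted".
userns_restricted() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demo: preview the profile for the quick-install path without root.
preview=$(mktemp -d)
install_rootlesskit_profile "$HOME/.local/bin/rootlesskit" "$preview" >/dev/null
cat "$preview/$(apparmor_profile_name "$HOME/.local/bin/rootlesskit")"
rm -rf "$preview"
if userns_restricted; then
    echo "kernel restricts unprivileged userns: the profile above is required"
else
    echo "unprivileged userns is not restricted on this kernel"
fi
```

For a real installation, run install_rootlesskit_profile with the actual binary path and no directory argument under sudo, then restart apparmor.service as the post does. The profile grants userns to exactly one binary and leaves the system-wide restriction in place, which is the preferable fix compared with switching the sysctl off for every process.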

Install and start rootless containerd

containerd-rootless-setuptool.sh install

nerdctl build: install and run buildkit

containerd-rootless-setuptool.sh install-buildkit

Installation complete!

References

nerdctl
Common steps (Read first!)
Rootless mode