# 官方提供@yunTaoScripts 沙箱 🔥🔥


在宿主机中运行容器时,宿主机依然可以看到容器中的进程。通过沙箱运行时将容器隔离后,宿主机就看不到容器进程了。容器运行时分为高级别和低级别两类。

  • 高级别运行时
    • docker
    • podman
    • containerd
    • rkt
    • cri-o
  • 低级别运行时
    • runc (默认)
    • lxc
    • gvisor
    • kata

高低级别运行时区别

  • 低级别运行时只提供创建、删除容器的功能。
  • 高级别运行时还可以管理镜像、创建网络和卷。

# 非k8s集群环境使用

# 使用gvisor

# docker 下 使用 gvisor

  • 通过 gvisor 启动容器,在宿主机上是看不见容器进程的。
root@vms150:~# ll /usr/local/bin/   #所有人增加执行权限
-rwxr-xr-x  1 root root 26647799 Aug 20 07:15 containerd-shim-runsc-v1*
-rwxr-xr-x  1 root root 33632243 Aug 20 07:15 runsc*
root@vms150:/usr/local/bin# ./runsc install
2022/09/10 21:11:57 Added runtime "runsc" with arguments [] to "/etc/docker/daemon.json".
###更改运行时名称
root@vms150:~# cat /etc/docker/daemon.json 
{
    "runtimes": {
        "gvisor": {              ### 把 runsc install 生成的 runsc 改名为 gvisor
            "path": "/usr/local/bin/runsc"
        }
    }
}
root@vms150:~# dockerd --help | grep runtime
--default-runtime string        Default OCI runtime for containers (default "runc")
root@vms150:~# systemctl status docker.service 
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
root@vms150:~# cat /lib/systemd/system/docker.service | grep -i execstart
ExecStart=/usr/bin/dockerd -H fd:// --default-runtime=gvisor --containerd=/run/containerd/containerd.sock   ##指定默认容器运行时,也可以在 docker run 时通过 --runtime 临时指定。
root@vms150:~# systemctl daemon-reload 
root@vms150:~# systemctl restart docker.service
root@vms150:~# docker run -dit --name gvisor --runtime gvisor nginx
19440e57953c68de1e34d34d8516bba102cc4a1cdd5b6062c7b2cbadf9fc353d
root@vms150:~# docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS         PORTS     NAMES
19440e57953c   nginx     "/docker-entrypoint.…"   10 seconds ago   Up 9 seconds   80/tcp    gvisor
root@vms150:~# ps -ef | grep nginx
root       2349   1254  0 21:02 pts/0    00:00:00 grep --color=auto nginx

# containerd下 使用 gvisor

  • 指定 gvisor 运行时后,宿主机上查看不到容器进程。
root@vms152:~# cat /etc/containerd/config.toml 
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]

        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          base_runtime_spec = ""
          cni_conf_dir = ""
          cni_max_conf_num = 0
          container_annotations = []
          pod_annotations = []
          privileged_without_host_devices = false
          runtime_engine = ""
          runtime_path = ""
          runtime_root = ""
          runtime_type = "io.containerd.runc.v2"

          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            SystemdCgroup = true
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc] ###增加下面几行
          privileged_without_host_devices = false
          cni_conf_dir = ""
          cni_max_conf_num = 0
          base_runtime_spec = ""
          container_annotations = []
          runtime_type = "io.containerd.runsc.v1"
root@vms152:~# systemctl daemon-reload 
root@vms152:~# systemctl restart containerd.service
root@vms152:~# mv /etc/nerdctl/nerdctl.toml ~/   # 移除配置文件
root@vms152:~# export CONTAINERD_NAMESPACE=k8s.io #切换 nerdctl 在 containerd 的命名空间
root@vms152:~# nerdctl run -d --name gvisor --runtime runsc nginx                                                        
174fe2b6d8b9ee033b34a9e0711bb973c0267f77e979a7b00660918a15c53c8e
root@vms152:~# nerdctl ps
CONTAINER ID    IMAGE                             COMMAND                   CREATED           STATUS    PORTS    NAMES
174fe2b6d8b9    docker.io/library/nginx:latest    "/docker-entrypoint.…"    14 seconds ago    Up                 gvisor    
root@vms152:~# ps -ef | grep nginx
root       1523   1021  0 21:21 pts/0    00:00:00 grep --color=auto nginx

# 使用kata

kata 会先创建一个 kvm 虚拟机,再在其中运行容器;因此用 kata 创建出来的已经不是普通容器,而是传统意义上的 kvm 虚拟机。

kvm 基于硬件辅助虚拟化,因此必须开启 CPU 的虚拟化功能。

  • 检查是否开启虚拟化(英特尔vmx,amd svm)
root@vms150:~# egrep 'vmx|svm' /proc/cpuinfo 
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat md_clear flush_l1d arch_capabilities
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat md_clear flush_l1d arch_capabilities

# 在docker 下使用kata

vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -D --add-runtime kata-runtime=/usr/bin/kata-runtime --default-runtime=kata-runtime -H fd:// --containerd=/run/containerd/containerd.sock
root@vms152:~/kata-ubuntu# apt install ./*  ## 安装kata
root@vms152:~/kata-ubuntu# which kata-runtime 
/usr/bin/kata-runtime
root@vms150:/usr/local/bin# dockerd --help | grep add-runtime
      --add-runtime runtime                     Register an additional OCI compatible runtime (default [])
root@vms150:/usr/local/bin# systemctl status docker.service | grep lib
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
root@vms150:/usr/local/bin# grep -i execstart /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// -D --add-runtime kata-my=/usr/bin/kata-runtime --containerd=/run/containerd/containerd.sock
root@vms150:/usr/local/bin# docker info | grep -i runtime -A 20   #增加了kata-my
 Runtimes: io.containerd.runtime.v1.linux kata-my runc runsc gvisor io.containerd.runc.v2
 Default Runtime: runc 
root@vms150:~/kata-ubuntu# docker run -dit --name kata --runtime kata-my nginx
2f73499dc924694f0844ac413e117c510456ee72d83ecee4f081e4e1bcc3c277
root@vms150:~/kata-ubuntu# ps aux | grep nginx   ##宿主机查看不到进程 
root       3738  0.0  0.0  13136  1004 pts/0    S+   22:12   0:00 grep --color=auto nginx
root@vms150:~/kata-ubuntu# docker inspect kata | grep -i runtime
            "Runtime": "kata-my",
            "CpuRealtimeRuntime": 0,

一定要开启硬件虚拟化

如果没有开启硬件虚拟化,kata 就运行不起来。

# 在containerd下使用kata

root@vms152:~/kata-ubuntu# find / -name "containerd-shim*"  ## 根据 shim 文件名确定 runtime_type 的写法
/usr/bin/containerd-shim-runc-v1
/usr/bin/containerd-shim-kata-v2
/usr/bin/containerd-shim
/usr/bin/containerd-shim-runc-v2
/usr/local/bin/containerd-shim-runsc-v1

root@vms152:~/kata-ubuntu# grep kata /etc/containerd/config.toml 
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-runtime]
          runtime_type = "io.containerd.kata.v2"
root@vms152:~/kata-ubuntu# systemctl daemon-reload ;systemctl restart containerd.service 
root@vms152:~/kata-ubuntu# crictl info | grep -i runtime -A 20
"runtimes": {
        "kata-runtime": {
          "runtimeType": "io.containerd.kata.v2",
          "runtimePath": "",
          "runtimeEngine": "",
          "PodAnnotations": null,
          "ContainerAnnotations": null,
          "runtimeRoot": "",
          "options": null,
          "privileged_without_host_devices": false,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        },
root@vms152:~/kata-ubuntu# nerdctl run -d --name kata1 --runtime kata-runtime nginx
aaf169f218ded1b24761bc361604645473c49ed95ac77ddddf2bb31819695c7f
root@vms152:~/kata-ubuntu# ps aux | grep nginx
root       3795  0.0  0.0  13136  1004 pts/0    S+   22:44   0:00 grep --color=auto nginx
root@vms152:~/kata-ubuntu# nerdctl ps
CONTAINER ID    IMAGE                             COMMAND                   CREATED           STATUS    PORTS    NAMES
aaf169f218de    docker.io/library/nginx:latest    "/docker-entrypoint.…"    11 seconds ago    Up                 kata1 

# k8s集群下使用

针对k8s 集群开发的opa,gatekeeper

  • 在 34 节点创建 nginx pod,默认使用runc,可以在宿主机中看到nginx进程
root@vms33:~# cat pod1.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  nodeName: vms34.rhce.cc
  terminationGracePeriodSeconds: 0
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@vms33:~# kubectl get pod -A -owide
NAMESPACE        NAME                                       READY   STATUS    RESTARTS         AGE     IP               NODE     
netpolicy        pod1                                       1/1     Running   0                3s      10.244.194.144   vms34.rhce.cc   <none>           <none>
root@vms34:~# ps -ef | grep nginx
root       1550   1208  0 07:28 pts/0    00:00:00 grep --color=auto nginx
root@vms34:~# ps -ef | grep nginx
root       5525   5453  0 07:37 ?        00:00:00 nginx: master process nginx -g daemon off;
systemd+   5572   5525  0 07:37 ?        00:00:00 nginx: worker process
systemd+   5573   5525  0 07:37 ?        00:00:00 nginx: worker process
root       5662   1208  0 07:37 pts/0    00:00:00 grep --color=auto nginx

# 安装 gvisor 和 kata

  • 安装gvisor
root@vms34:/usr/local/bin# chmod a+rx *
root@vms34:/usr/local/bin# ll
-rwxr-xr-x  1 root root 26647799 Aug 20 07:15 containerd-shim-runsc-v1*
-rwxr-xr-x  1 root root 33632243 Aug 20 07:15 runsc*
  • 安装kata
root@vms34:~# tar -zxf kata-ubuntu.tar.gz
root@vms34:~# cd kata-ubuntu/
root@vms34:~/kata-ubuntu# apt install ./*
  • 增加containerd 容器运行时
root@vms34:/etc/containerd# find / -name "containerd-shim*"
/usr/bin/containerd-shim-runc-v1
/usr/bin/containerd-shim-kata-v2
/usr/bin/containerd-shim
/usr/bin/containerd-shim-runc-v2
/usr/local/bin/containerd-shim-runsc-v1
root@vms34:~# vim /etc/containerd/config.toml
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          base_runtime_spec = ""
          cni_conf_dir = ""
          cni_max_conf_num = 0
          container_annotations = []
          pod_annotations = []
          privileged_without_host_devices = false
          runtime_engine = ""
          runtime_path = ""
          runtime_root = ""
          runtime_type = "io.containerd.runc.v2"
          
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            SystemdCgroup = true
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc] # gvisor
          runtime_type = "io.containerd.runsc.v1"
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-runtime]
          runtime_type = "io.containerd.kata.v2"                        # kata          
root@vms34:~# crictl info | grep -i runtime -A 20
"runtimes": {
        "kata-runtime": {
          "runtimeType": "io.containerd.kata.v2",
          "runtimePath": "",
          "runtimeEngine": "",
          "PodAnnotations": null,
          "ContainerAnnotations": null,
          "runtimeRoot": "",
          "options": null,
          "privileged_without_host_devices": false,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        },
        "runc": {
          "runtimeType": "io.containerd.runc.v2",
          "runtimePath": "",
          "runtimeEngine": "",
          "PodAnnotations": [],
          "ContainerAnnotations": [],
          "runtimeRoot": "",
          "options": {
            "SystemdCgroup": true
          },
          "privileged_without_host_devices": false,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        },
        "runsc": {
          "runtimeType": "io.containerd.runsc.v1",
          "runtimePath": "",
          "runtimeEngine": "",
          "PodAnnotations": null,
          "ContainerAnnotations": null,
          "runtimeRoot": "",
          "options": null,
          "privileged_without_host_devices": false,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        }
      },

# pod 启动时指定 RuntimeClass

# RuntimeClass is defined in the node.k8s.io API group
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  # The name the RuntimeClass will be referenced by.
  # RuntimeClass is a non-namespaced resource.
  name: myclass 
# The name of the corresponding CRI configuration
handler: runsc   ## 必须是 containerd 配置中已经定义过的 runtime 名称

# 创建gvisor runtime class

root@vms33:~# kubectl apply -f runsc.yaml 
runtimeclass.node.k8s.io/myclass created
root@vms33:~# kubectl get runtimeclasses.node.k8s.io 
NAME      HANDLER   AGE
myclass   runsc     11s
  • 启动pod并引用 gvisor runtime class,此时在34 节点宿主机已经看不到nginx进程。
root@vms33:~# vim pod1.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  nodeName: vms34.rhce.cc
  terminationGracePeriodSeconds: 0
  runtimeClassName: myclass                   ##引用runtime
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@vms33:~# kubectl apply -f pod1.yaml 
pod/pod1 created
root@vms33:~# kubectl get pod -owide
NAME   READY   STATUS    RESTARTS   AGE   IP               NODE            NOMINATED NODE   READINESS GATES
pod1   1/1     Running   0          8s    10.244.194.145   vms34.rhce.cc   <none>           <none>
root@vms34:~# ps -ef | grep nginx
root      19945   1208  0 08:18 pts/0    00:00:00 grep --color=auto nginx

# 创建kata runtime class

root@vms33:~# vim kata.yaml 
# RuntimeClass is defined in the node.k8s.io API group
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  # The name the RuntimeClass will be referenced by.
  # RuntimeClass is a non-namespaced resource.
  name: myclass2
# The name of the corresponding CRI configuration
handler: kata-runtime
root@vms33:~# kubectl get runtimeclasses.node.k8s.io 
NAME       HANDLER        AGE
myclass    runsc          8m59s
myclass2   kata-runtime   3m25s
  • 启动pod并引用 kata runtime class,此时在34 节点宿主机已经看不到nginx进程。
root@vms33:~# vim pod2.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod2
  name: pod2
spec:
  nodeName: vms34.rhce.cc
  terminationGracePeriodSeconds: 0
  runtimeClassName: myclass2
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod2
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@vms33:~# kubectl apply -f pod2.yaml
root@vms33:~# kubectl get pod -owide
NAME   READY   STATUS    RESTARTS   AGE     IP               NODE           
pod2   1/1     Running   0          2m38s   10.244.194.146   vms34.rhce.cc   <none>           <none>

root@vms34:~# ps -ef | grep nginx
root      22589   1208  0 08:25 pts/0    00:00:00 grep --color=auto nginx

如果kata pod创建不起来怎么办?

grep -E "svm|vmx" /proc/cpuinfo  # 检查是否开启硬件虚拟化(不加 -E 时 | 会被当作普通字符,匹配不到)
modprobe kvm  # 加载 kvm 内核模块
modprobe kvm_intel  # 英特尔平台;AMD 平台改为 modprobe kvm_amd