Docker 学习笔记(七):Docker Swarm 服务管理与 Containerd 实践
Docker swarm
如何实现 Service 伸缩(续)
默认配置下 manager node 也是 worker node,所以 swarm-manager 上也运行了副本。如果不希望在 manager 上运行 service,可以执行如下命令:
[root@swarm-manager ~]# docker node update --availability drain swarm-manager
swarm-manager
[root@swarm-manager ~]# docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
t2wuubtvlwx0qngw3qi6kp6zc * swarm-manager Ready Drain Leader 26.1.3
m8w1ijonr4jrp006rg5o7fgft swarm-worker1 Ready Active 26.1.3
qiw3ydp7o20a65rlfare0g0a8 swarm-worker2 Ready Active 26.1.3# Drain 表示 swarm-manager 已经不负责运行 service
[root@swarm-manager ~]# docker service ps web_server
scale down,减少副本数
[root@swarm-manager ~]# docker service scale web_server=3
web_server scaled to 3
overall progress: 3 out of 3 tasks
1/3:
2/3: running [==================================================>]
3/3:
verify: Service web_server converged
[root@swarm-manager ~]# docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
jmtb8n27v4u1 web_server replicated 3/3 httpd:latest
[root@swarm-manager ~]# docker service ps web_server
web_server.4 和 web_server.5 这两个副本已经被删除了。
Swarm 如何实现 Failover
故障迁移
测试 swarm 的 failover 特性,关闭 swarm-worker1
[root@swarm-worker1 ~]# shutdown nowSwarm 会检测到 swarm-worker1 的故障,并标记为 Down。
[root@swarm-manager ~]# docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
t2wuubtvlwx0qngw3qi6kp6zc * swarm-manager Ready Drain Leader 26.1.3
m8w1ijonr4jrp006rg5o7fgft swarm-worker1 Down Active 26.1.3
qiw3ydp7o20a65rlfare0g0a8 swarm-worker2 Ready Active 26.1.3Swarm 会将 swarm-worker1 上的副本调度到其他可用节点。我们可以通过 docker service ps 观察 这个 failover 过程。
[root@swarm-manager ~]# docker service ps web_server
可以看到, web_server.2 已经从 swarm-worker1 迁移到了 swarm-worker2,之前运行在故障节点 swarm-worker1 上的副本状态被标记为 Shutdown 。
如何访问 Service
重新部署web_server
[root@swarm-manager ~]# docker service rm web_server
web_server
[root@swarm-manager ~]# docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
t2wuubtvlwx0qngw3qi6kp6zc * swarm-manager Ready Drain Leader 26.1.3
m8w1ijonr4jrp006rg5o7fgft swarm-worker1 Ready Active 26.1.3
qiw3ydp7o20a65rlfare0g0a8 swarm-worker2 Ready Active 26.1.3
[root@swarm-manager ~]# docker service create --name web_server --replicas=2 httpd
cxu3lbxvh42nok2nncpg3om37
overall progress: 2 out of 2 tasks
1/2: running [==================================================>]
2/2: running [==================================================>]
verify: Service cxu3lbxvh42nok2nncpg3om37 converged[root@swarm-manager ~]# docker service ps web_server
# worker1的网络配置
[root@swarm-worker1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
14d5448d32cf httpd:latest "httpd-foreground" 8 minutes ago Up 8 minutes 80/tcp web_server.1.cxy5klqd2n4bhrbc1t0a3n9yj# 查看容器ip
[root@swarm-worker1 ~]# docker inspect web_server.1.cxy5klqd2n4bhrbc1t0a3n9yj
......
"Networks": {"bridge": {"IPAMConfig": null,"Links": null,"Aliases": null,"MacAddress": "02:42:ac:11:00:02","NetworkID": "ef4f7982d0c5cc5a89cda53204ce6018ad44da9f797a250ff7889d3a54101939","EndpointID": "bff65265ec804677b5675a2f4c9673f137ff56112f85010f673c8902578709c0","Gateway": "172.17.0.1","IPAddress": "172.17.0.2",
......
容器 IP 为 172.17.0.2 ,实际上连接的是 Docker 默认 bridge 网络。
# 可以直接在 swarm-worker1 上访问容器的 http 服务。
[root@swarm-worker1 ~]# curl 172.17.0.2
<html><body><h1>It works!</h1></body></html>但这样的访问也仅仅是容器层面的访问,服务并没有暴露给外部网络,只能在 Docker 主机上访问。换句 话说,当前配置下,我们无法访问 service web_server。
从外部访问 service
# 要将 service 暴露到外部,方法其实很简单,执行下面的命令:
[root@swarm-manager ~]# docker service update --publish-add 8080:80 web_server
web_server
overall progress: 2 out of 2 tasks
1/2: running [==================================================>]
2/2: running [==================================================>]
verify: Service web_server converged# 如果是新建 service,可以直接用使用 --publish 参数
[root@swarm-manager ~]# docker service create --name web_server --publish 8080:80 --replicas=2 httpd测试访问
容器在 80 端口上监听 http 请求, --publish-add 8080:80 将容器的 80 映射到主机的 8080 端口,这 样外部网络就能访问到 service 了。
[root@swarm-manager ~]# curl http://192.168.108.30:8080
<html><body><h1>It works!</h1></body></html>
[root@swarm-manager ~]# curl http://192.168.108.31:8080
<html><body><h1>It works!</h1></body></html>
[root@swarm-manager ~]# curl http://192.168.108.32:8080
<html><body><h1>It works!</h1></body></html>容器管理工具Containerd
Containerd介绍
Containerd 架构
架构图
Containerd 为嵌入 Kubernetes 而设计,是工业级容器运行时,不直接供开发人员和终端用户使用,避免与 Docker 竞争。实际上,它已实现多数容器管理功能,如容器生命周期管理、镜像传输和管理、存储与网络管理等。
Containerd 采用标准 C/S 架构:
- 服务端通过 GRPC 协议提供稳定 API。
- 客户端通过调用服务端 API 进行高级操作。
为实现解耦,Containerd 将不同职责分给不同组件,每个组件相当于子系统,连接子系统的组件称为模块。
Containerd 两大子系统: - Bundle:包含配置、元数据和根文件系统数据,可理解为容器的文件系统,该子系统允许用户从镜像中提取和打包 Bundles。
- Runtime:用于执行 Bundles,如创建容器。
每个子系统的行为由一个或多个模块协作完成(架构图中 Core 部分),每种类型的模块以插件形式集成,且插件间相互依赖。例如,长虚线方框表示 Service Plugin、Metadata Plugin 等类型插件,Service Plugin 依赖 Metadata Plugin、GC Plugin 和 Runtime Plugin;小方框表示细分插件,如 Metadata Plugin 依赖 Containers Plugin、Content Plugin 等。
常用插件
- Content Plugin:提供对镜像中可寻址内容的访问,所有不可变内容存储于此。
- Snapshot Plugin:管理容器镜像的文件系统快照,镜像的每个 layer 会被解压为文件系统快照,类似 Docker 中的 graphdriver。
- Metrics:暴露各个组件的监控指标。
架构缩略图
Containerd 分为三大块:Storage、Metadata 和 Runtime。
与其它容器运行时工具性能对比
使用 bucketbench 对 Docker、crio 和 Containerd 进行性能测试,测试启动、停止和删除容器所耗时间。结果显示,Containerd 在各方面表现良好,总体性能优于 Docker 和 crio。
Containerd安装
方法一:yum安装
安装工具
[root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2 vim
安装Containerd
# 获取阿里云YUM源
[root@localhost yum.repos.d]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Adding repo from: https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo[root@localhost yum.repos.d]# yum clean all
13 files removed
[root@localhost yum.repos.d]# yum makecache# 查看YUM源中Containerd软件
[root@localhost yum.repos.d]# yum list | grep containerd
containerd.io.x86_64 1.6.32-3.1.el8 docker-ce-stable# 安装Containerd.io软件,即可安装Containerd
[root@localhost ~]# yum -y install containerd.io# 检查是否安装
[root@localhost ~]# rpm -qa | grep containerd
containerd.io-1.6.32-3.1.el8.x86_64# 设置containerd服务启动及开机自启动
[root@localhost ~]# systemctl enable containerd --now
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /usr/lib/systemd/system/containerd.service.
[root@localhost ~]# systemctl status containerd# 验证
[root@localhost ~]# ctr version
Client:Version: 1.6.32Revision: 8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89Go version: go1.21.10Server:Version: 1.6.32Revision: 8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89UUID: 435c778f-f1d1-44c8-bc8b-dab5019d6ccf方法二:二进制安装
Containerd有两种安装包:
- 第一种是containerd-xxx,这种包用于单机测试没问题,不包含runC,需要提前安装。
- 第二种是cri-containerd-cni-xxxx,包含runc和k8s里的所需要的相关文件。k8s集群里需要用到此 包。虽然包含runC,但是依赖系统中的seccomp(安全计算模式,是一种限制容器调用系统资源的 模式。)
安装 Containerd
# 下载安装包
wget https://github.com/containerd/containerd/releases/download/v1.6.32/cricontainerd-cni-1.6.32-linux-amd64.tar.gz有现成的直接拖拽就可以
# 安装containerd
[root@localhost ~]# mkdir containerd
[root@localhost ~]# tar xf cri-containerd-cni-1.6.32-linux-amd64.tar.gz -C containerd/
[root@localhost ~]# cd containerd/
[root@localhost containerd]# ls
cri-containerd.DEPRECATED.txt etc opt usr
[root@localhost containerd]#[root@localhost containerd]# tree
.
├── cri-containerd.DEPRECATED.txt
├── etc
│ ├── cni
│ │ └── net.d
│ │ └── 10-containerd-net.conflist
│ ├── crictl.yaml
│ └── systemd
│ └── system
│ └── containerd.service
├── opt
│ ├── cni
│ │ └── bin
│ │ ├── bandwidth
│ │ ├── bridge
│ │ ├── dhcp
│ │ ├── firewall
│ │ ├── host-device
│ │ ├── host-local
│ │ ├── ipvlan
│ │ ├── loopback
│ │ ├── macvlan
│ │ ├── portmap
│ │ ├── ptp
│ │ ├── sbr
│ │ ├── static
│ │ ├── tuning
│ │ ├── vlan
│ │ └── vrf
│ └── containerd
│ └── cluster
│ ├── gce
│ │ ├── cloud-init
│ │ │ ├── master.yaml
│ │ │ └── node.yaml
│ │ ├── cni.template
│ │ ├── configure.sh
│ │ └── env
│ └── version
└── usr└── local├── bin│ ├── containerd│ ├── containerd-shim│ ├── containerd-shim-runc-v1│ ├── containerd-shim-runc-v2│ ├── containerd-stress│ ├── crictl│ ├── critest│ ├── ctd-decoder│ └── ctr└── sbin└── runc16 directories, 36 files#查看containerd.service文件,了解containerd文件安装位置
[root@localhost containerd]# cat etc/systemd/system/containerd.service
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd # #查看此位置,把containerd二进制文件放置于此处即可完成安装。Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999[Install]
WantedBy=multi-user.target# 复制containerd运行时文件至系统
[root@localhost containerd]# cp usr/local/bin/* /usr/local/bin#添加containerd.service文件至系统
[root@localhost containerd]# cp etc/systemd/system/containerd.service /usr/lib/systemd/system/containerd.service# 生成containerd模块配置文件,可以自定义一下配置,如有私有镜像仓库等,按需配置
[root@localhost containerd]# mkdir /etc/containerd
[root@localhost containerd]# containerd config default > /etc/containerd/config.toml
[root@localhost containerd]# cat /etc/containerd/config.toml# 启动containerd并验证
[root@localhost containerd]# systemctl enable containerd --now
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /usr/lib/systemd/system/containerd.service.
[root@localhost containerd]# systemctl status containerd[root@localhost containerd]# ctr version
Client:Version: v1.6.32Revision: 8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89Go version: go1.21.10Server:Version: v1.6.32Revision: 8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89UUID: 424df75e-b805-4e24-9893-b3341d4c1f78安装runC
由于二进制包中提供的runC默认需要系统中安装seccomp支持,需要单独安装,且不同版本runC对 seccomp版本要求一致,所以建议单独下载runC 二进制包进行安装,里面包含了seccomp模块支持 下载地址:https://github.com/opencontainers/runc/releases
# 使用wget下载runc
[root@localhost ~]# wget https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.amd64# 安装runc
[root@localhost ~]# mv runc.amd64 /usr/sbin/runc# 为runc添加可执行权限
[root@localhost ~]# chmod +x /usr/sbin/runc# 使用runc命令验证是否安装成功
[root@localhost ~]# runc -v
runc version 1.3.0
commit: v1.3.0-0-g4ca628d1
spec: 1.2.1
go: go1.23.8
libseccomp: 2.5.6Containerd容器镜像管理
查看镜像
[root@localhost ~]# ctr images list
REF TYPE DIGEST SIZE PLATFORMS LABELS
[root@localhost ~]# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS下载镜像
containerd支持oci标准的镜像,所以可以直接使用docker官方或dockerfile构建的镜像
[root@localhost ~]# ctr images pull 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest[root@localhost ~]# ctr image ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e 69.0 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x,unknown/unknown -镜像挂载
[root@localhost ~]# ctr images mount 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest /mnt
sha256:6d03e4aefb16ea9e0d73cacb9a9fcb8f7fb3a806c41606600cab179aa381550f
/mnt[root@localhost ~]# ls /mnt
bin docker-entrypoint.d home media proc sbin tmp
boot docker-entrypoint.sh lib mnt root srv usr
dev etc lib64 opt run sys var[root@localhost ~]# umount /mnt
[root@localhost ~]# ls /mnt
hgfs镜像导出
[root@localhost ~]# ctr i export --platform linux/amd64 nginx.img 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest
[root@localhost ~]# ls
anaconda-ks.cfg containerd cri-containerd-cni-1.6.32-linux-amd64.tar.gz nginx.img镜像删除
[root@localhost ~]# ctr image rm 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest
[root@localhost ~]# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS镜像导入
[root@localhost ~]# ctr images import --platform linux/amd64 nginx.img
unpacking 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest (sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e)...done
[root@localhost ~]# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e 69.0 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x,unknown/unknown -修改镜像tag
[root@localhost ~]# ctr images tag 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest nginx:latest
nginx:latest
[root@localhost ~]# ctr image ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e 69.0 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x,unknown/unknown -
nginx:latest application/vnd.oci.image.index.v1+json sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e 69.0 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x,unknown/unknown -Containerd容器管理
# 查看容器(container表示静态容器,可用c缩写代表container)
[root@localhost ~]# ctr container ls
CONTAINER IMAGE RUNTIME
[root@localhost ~]# ctr c ls
CONTAINER IMAGE RUNTIME# 查看任务(task表示容器里跑的进程, 可用t缩写代表task)
[root@localhost ~]# ctr t ls
TASK PID STATUS
[root@localhost ~]# ctr task ls
TASK PID STATUS# 创建静态容器
[root@localhost ~]# ctr container create nginx:latest nginx1
[root@localhost ~]# ctr c ls
CONTAINER IMAGE RUNTIME
nginx1 nginx:latest io.containerd.runc.v2[root@localhost ~]# ctr container info nginx1# 静态容器启动为动态容器
[root@localhost ~]# ctr task start -d nginx1
[root@localhost ~]# ctr t ls
TASK PID STATUS
nginx1 1956 RUNNING
[root@localhost ~]# ps aux | grep 1956
root 1956 0.2 0.1 11476 7368 ? Ss 14:13 0:00 nginx: master process nginx -g daemon off;
root 2009 0.0 0.0 12216 1096 pts/0 S+ 14:13 0:00 grep --color=auto 1956# 进入容器操作
[root@localhost ~]# ctr task exec --exec-id $RANDOM -t nginx1 /bin/sh
# ip a
/bin/sh: 1: ip: not found
# ls
bin docker-entrypoint.d home media proc sbin tmp
boot docker-entrypoint.sh lib mnt root srv usr
dev etc lib64 opt run sys var# 直接运行一个动态容器
[root@localhost ~]# ctr run -d --net-host nginx:latest nginx2
[root@localhost ~]# ctr tasks ls
TASK PID STATUS
nginx1 1956 RUNNING
nginx2 2077 RUNNING# 暂停容器
[root@localhost ~]# ctr tasks pause nginx2
[root@localhost ~]# ctr t ls
TASK PID STATUS
nginx1 1956 RUNNING
nginx2 2077 PAUSED# 恢复容器
[root@localhost ~]# ctr t resume nginx2
[root@localhost ~]# ctr t ls
TASK PID STATUS
nginx2 2077 RUNNING
nginx1 1956 RUNNING# 停止容器
[root@localhost ~]# ctr t kill nginx2
[root@localhost ~]# ctr t ls
TASK PID STATUS
nginx1 1956 RUNNING
nginx2 2077 STOPPED# 删除容器
# 删除容器前要先停止容器再进行删除操作
[root@localhost ~]# ctr t delete nginx2
[root@localhost ~]# ctr t ls
TASK PID STATUS
nginx1 1956 RUNNING
## 查看静态容器,确认其还存在于系统中
[root@localhost ~]# ctr c ls
CONTAINER IMAGE RUNTIME
nginx1 nginx:latest io.containerd.runc.v2
nginx2 nginx:latest io.containerd.runc.v2
[root@localhost ~]# ctr c delete nginx2
[root@localhost ~]# ctr c ls
CONTAINER IMAGE RUNTIME
nginx1 nginx:latest io.containerd.runc.v2# ctr t delete → 停止并清理 "运行中的进程"
# ctr c delete → 彻底删除 "容器配置信息"
Containerd NameSpace管理
# 列出已有namespace
[root@localhost ~]# ctr namespace ls
NAME LABELS
default# 创建namespace
[root@localhost ~]# ctr namespace create myns
[root@localhost ~]# ctr namespace create testns
[root@localhost ~]# ctr namespace ls
NAME LABELS
default
myns
testns# 删除namespace
[root@localhost ~]# ctr namespace rm testns
testns
[root@localhost ~]# ctr namespace ls
NAME LABELS
default
myns# 查看指定namespace中镜像
[root@localhost ~]# ctr -n myns images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
# 空的# 查看指定namespace中是否有用户进程在运行
[root@localhost ~]# ctr -n myns tasks ls
TASK PID STATUS# 在指定namespace中下载容器镜像
[root@localhost ~]# ctr -n myns images pull 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest[root@localhost ~]# ctr -n myns images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e 69.0 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x,unknown/unknown -# 在指定namespace中创建静态容器
[root@localhost ~]# ctr -n myns container create 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest mynginx# 查看在指定namespace中创建的容器
[root@localhost ~]# ctr -n myns container ls
CONTAINER IMAGE RUNTIME
mynginx 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest io.containerd.runc.v2[root@localhost ~]# ctr -n myns task start -d mynginx
[root@localhost ~]# ctr -n myns task ls
TASK PID STATUS
mynginx 2429 RUNNING# 在 myns 命名空间中启动了一个名为 mynginx 的任务,并且该任务当前处于 RUNNING 状态(PID 为 2429)
nerdctl 实践
nerdctl 安装
使用 nerdctl 管理containerd,命令语法与 docker 一致
# 下载并安装
[root@localhost ~]# wget https://github.com/containerd/nerdctl/releases/download/v1.4.0/nerdctl-1.4.0-linux-amd64.tar.gz
有现成的直接拖进来
[root@localhost ~]# tar -xf nerdctl-1.4.0-linux-amd64.tar.gz -C /usr/bin/# 配置nerdctl命令自动补全
[root@localhost ~]# nerdctl completion bash > /etc/bash_completion.d/nerdctl
[root@localhost ~]# source /etc/bash_completion.d/nerdctl# 下载nerdctl所需要的cni插件
[root@localhost ~]# wget https://github.com/containernetworking/plugins/releases/download/v1.3.0/cniplugins-linux-amd64-v1.3.0.tgz
有现成的直接拖进来
[root@localhost ~]# mkdir -p /opt/cni/bin
[root@localhost ~]# tar -xf cni-plugins-linux-amd64-v1.3.0.tgz -C /opt/cni/bin[root@localhost ~]# yum install -y bash-completion
[root@localhost ~]# bash配置镜像加速
#编辑containerd的配置文件config.toml,如果不存在,需要手动生成,方法 containerd config default > /etc/containerd/config.toml,在配置文件中搜索关键字“config_path”,在其下面添加镜像加速参数
[root@localhost ~]# vim /etc/containerd/config.toml[plugins."io.containerd.grpc.v1.cri".registry]onfig_path = "/etc/containerd/certs.d"
[root@localhost ~]# mkdir -p /etc/containerd/certs.d/docker.io
[root@localhost ~]# vim /etc/containerd/certs.d/docker.io/hosts.toml
server = "https://054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com"
[host."https://054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com"]capabilities = ["pull", "resolve"]#重启containerd服务生效
[root@localhost ~]# systemctl restart containerdnerdctl 管理镜像
ls
[root@localhost ~]# nerdctl image ls
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx latest d5f28ef21aab About an hour ago linux/amd64 194.5 MiB 69.0 MiB
nginx latest d5f28ef21aab About an hour ago linux/amd64 194.5 MiB 69.0 MiB[root@localhost ~]# nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx latest d5f28ef21aab About an hour ago linux/amd64 194.5 MiB 69.0 MiB
nginx latest d5f28ef21aab About an hour ago linux/amd64 194.5 MiB 69.0 MiBpull
[root@localhost ~]# nerdctl image pull busybox[root@localhost ~]# nerdctl pull httpd[root@localhost ~]# nerdctl image ls
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx latest d5f28ef21aab About an hour ago linux/amd64 194.5 MiB 69.0 MiB
busybox latest ab33eacc8251 About a minute ago linux/amd64 4.3 MiB 2.1 MiB
httpd latest 027c678f36d3 39 seconds ago linux/amd64 121.0 MiB 43.1 MiB
nginx latest d5f28ef21aab About an hour ago linux/amd64 194.5 MiB 69.0 MiBrm
[root@localhost ~]# nerdctl image rm httpd
Untagged: docker.io/library/httpd:latest@sha256:027c678f36d3cd3dd2b44ad1e963e81be66f9eba065381c1126d3019fffeb01a
Deleted: sha256:daf557c4f08e0cb77b2af2a08d8bca4f333cf408d88191911715e6f393eca215
Deleted: sha256:d694d07f5d65d415315bff8edb757d3339a1eb9a701c22ca14bc4948c0934a7d
Deleted: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
Deleted: sha256:09c56534a3469b43d9a4c11d4bc6792a3d0cd15f4d86db79c30c441aa91ddf33
Deleted: sha256:664c74752319cdf4c16832e0959ed64cb048e8cf9156431e817c4837a4c37e1f
Deleted: sha256:4ed3261aa08cd0153410bc1096ccbb8179de180818a6b7a9c177407f7d6603c6[root@localhost ~]# nerdctl images
tag
[root@localhost ~]# nerdctl tag busybox busybox_containerd
[root@localhost ~]# nerdctl images
save
将本地镜像导出为文件
[root@localhost ~]# nerdctl save busybox -o busybox.tar[root@localhost ~]# nerdctl image rm busybox
Untagged: docker.io/library/busybox:latest@sha256:ab33eacc8251e3807b85bb6dba570e4698c3998eca6f0fc2ccb60575a563ea74
Deleted: sha256:80e840de630d08a6a1e0ee30e7c8378cf1ed6a424315d7e437f54780aee6bf5a[root@localhost ~]# nerdctl images
load
导入tar文件中镜像
[root@localhost ~]# nerdctl load -i busybox.tar
unpacking docker.io/library/busybox:latest (sha256:ab33eacc8251e3807b85bb6dba570e4698c3998eca6f0fc2ccb60575a563ea74)...
Loaded image: busybox:latest[root@localhost ~]# nerdctl images
history
查看镜像构建时的历史命令层次结构
[root@localhost ~]# nerdctl image history busybox
SNAPSHOT CREATED CREATED BY SIZE COMMENT
sha256:80e840de630d08a6a1e0ee30e7c8378cf1ed6a424315d7e437f54780aee6bf5a 11 months ago BusyBox 1.37.0 (glibc), Debian 13 4.3 MiBinspect
查看镜像详细信息
[root@localhost ~]# nerdctl image inspect busybox
[{"Id": "sha256:0ed463b26daee791b094dc3fff25edb3e79f153d37d274e5c2936923c38dac2b","RepoTags": ["busybox:latest"],"RepoDigests": ["busybox@sha256:ab33eacc8251e3807b85bb6dba570e4698c3998eca6f0fc2ccb60575a563ea74"],"Comment": "","Created": "2024-09-26T21:31:42Z","Author": "","Config": {"AttachStdin": false,"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd": ["sh"]},"Architecture": "amd64","Os": "linux","Size": 4493312,"RootFS": {"Type": "layers","Layers": ["sha256:80e840de630d08a6a1e0ee30e7c8378cf1ed6a424315d7e437f54780aee6bf5a"]},"Metadata": {"LastTagTime": "0001-01-01T00:00:00Z"}}
]prune
删除所有未使用的镜像。
[root@localhost ~]# nerdctl image prune --all --force
Deleted Images:
Untagged: 054b8ac70e8010d90f2ac00ef29e6580.mirror.swr.myhuaweicloud.com/library/nginx:latest
deleted: sha256:36f5f951f60a9fa1d51878e76fc16ba7b752f4d464a21b758a8ac88f0992c488
deleted: sha256:c855abf10cdcf792853d61ec842e41c85cb82a5cb926c86217a7fa632dfc56c4
deleted: sha256:8e7d6b51107830934d3dcdcf0883f193250d22b3d0dc7a2d7d57e4403d1a3489
deleted: sha256:50da593f622278859c89ed290484a8cafa3ddb1fef0090530fff63c9de06845f
deleted: sha256:72fa904a482c9806187aeb804837f58f54da8aeb564f0ce4ef01426e08f68a01
deleted: sha256:7d95a4a72e110d4fe6bab4059f2d2968058c8006d0f3976ea7065186acc49fbd
deleted: sha256:3ce214e9ebc59367731dc352744c8392822aceddcee0a3806537dfd9fa984268
Untagged: docker.io/library/busybox:latest
deleted: sha256:80e840de630d08a6a1e0ee30e7c8378cf1ed6a424315d7e437f54780aee6bf5a
Untagged: docker.io/library/busybox_containerd:latest
deleted: sha256:80e840de630d08a6a1e0ee30e7c8378cf1ed6a424315d7e437f54780aee6bf5a[root@localhost ~]#
[root@localhost ~]# nerdctl image ls
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
nginx latest d5f28ef21aab 2 hours ago linux/amd64 194.5 MiB 69.0 MiBnerdctl 管理容器
ls
[root@localhost ~]# nerdctl container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
nginx1 nginx:latest "/docker-entrypoint.…" About an hour ago Up
[root@localhost ~]# nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
nginx1 nginx:latest "/docker-entrypoint.…" About an hour ago Up
[root@localhost ~]# nerdctl container ls -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
nginx1 nginx:latest "/docker-entrypoint.…" About an hour ago Uprun
创建并运行容器
[root@localhost ~]# nerdctl container run -it ubuntu
或
[root@localhost ~]# nerdctl run -it ubuntu
root@62060a71c452:/# exit[root@localhost ~]# nerdctl container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
nginx1 nginx:latest "/docker-entrypoint.…" About an hour ago Up
rm
[root@localhost ~]# nerdctl container rm 62
62
[root@localhost ~]# nerdctl container ls -a
prune
删除所有未运行的容器
[root@localhost ~]# nerdctl container run ubuntu
[root@localhost ~]# nerdctl container run ubuntu
[root@localhost ~]# nerdctl container run ubuntu
[root@localhost ~]# nerdctl container ls -a[root@localhost ~]# nerdctl container prune --force
Deleted Containers:
4f3007ec8029910e7583727faf8c3ba3cdfa6310e89c42a8a8c168163f460c39
9c880a79d596460144d78b1b1d1aef19f0ec3557d352def0f55dbc6f3963d73b
be629a61ffd9dff7b5b870bc8d6344b4d1f9e2ff31e9f03b7bfa4e641887cd63
d13182198c9ab2a45f3fba048ea7dd9a6631f4ffd001b57d189e802c5f54a738
[root@localhost ~]# nerdctl container ls -a
rename
重命名容器
[root@localhost ~]# nerdctl container run --name ubuntu-1 ubuntu
[root@localhost ~]# nerdctl container ls -a[root@localhost ~]# nerdctl container rename ubuntu-1 ubuntu
[root@localhost ~]# nerdctl container ls -a[root@localhost ~]# nerdctl container rm ubuntu
ubuntu
[root@localhost ~]# nerdctl container ls -a
stop 和 start
停止和启动容器
[root@localhost ~]# nerdctl container run -d --name nginx1 nginx[root@localhost ~]# nerdctl container ls --format "{{.Names}} {{.Status}}"
nginx1 UpUp
[root@localhost ~]# nerdctl container ls -a[root@localhost ~]# nerdctl container stop 50f16e4fae1a
50f16e4fae1a[root@localhost ~]# nerdctl container ls --format "{{.Names}} {{.Status}}" -a
nginx1 Exited (0) 10 seconds agoUp[root@localhost ~]# nerdctl container start 50f16e4fae1a
50f16e4fae1a
[root@localhost ~]# nerdctl container ls --format "{{.Names}} {{.Status}}"
nginx1 UpUprestart
重启容器
[root@localhost ~]# nerdctl container restart 50
50f16e4fae1apause 和 unpause
挂起和取消挂起容器
[root@localhost ~]# nerdctl container pause 50f16e4fae1a
50f16e4fae1a
[root@localhost ~]# nerdctl container ls --format "{{.Names}} {{.Status}}" -a
nginx1 PausedUp
[root@localhost ~]# nerdctl container unpause 50f16e4fae1a
50f16e4fae1a
[root@localhost ~]# nerdctl container ls --format "{{.Names}} {{.Status}}" -a
nginx1 UpUp
kill
给容器发信号,默认发KILL信号
[root@localhost ~]# nerdctl container kill 50f16e4fae1a
50f16e4fae1a29ee43fed12025cf2e9d16de9f27fb21cbb3c0709f71070bfeed[root@localhost ~]# nerdctl container ls -a --format "{{.Names}} {{.Status}}"
nginx1 Exited (137) 12 seconds agoUpexec
在运行的容器内部执行命令
[root@localhost ~]# nerdctl container start 50f16e4fae1a
50f16e4fae1a
[root@localhost ~]# nerdctl container exec -it 50f16e4fae1a bash
root@50f16e4fae1a:/# ls
bin dev docker-entrypoint.sh home lib64 mnt proc run srv tmp var
boot docker-entrypoint.d etc lib media opt root sbin sys usr
root@50f16e4fae1a:/# exit
exitcp
将宿主机文件复制给容器
[root@localhost ~]# nerdctl container cp /etc/hostname 50f16e4fae1a:
[root@localhost ~]# nerdctl container exec 50f16e4fae1a ls hostname
hostnameinspect
查看容器详细信息
[root@localhost ~]# nerdctl container inspect 50f16e4fae1a
[{"Id": "50f16e4fae1a29ee43fed12025cf2e9d16de9f27fb21cbb3c0709f71070bfeed","Created": "2025-09-11T07:46:16.858460709Z","Path": "/docker-entrypoint.sh","Args": ["nginx","-g","daemon off;"],"State": {"Status": "running","Running": true,"Paused": false,"Restarting": false,"Pid": 5778,"ExitCode": 0,"Error": "","FinishedAt": "0001-01-01T00:00:00Z"},"Image": "docker.io/library/nginx:latest","ResolvConfPath": "/var/lib/nerdctl/1935db59/containers/default/50f16e4fae1a29ee43fed12025cf2e9d16de9f27fb21cbb3c0709f71070bfeed/resolv.conf","HostnamePath": "/var/lib/nerdctl/1935db59/containers/default/50f16e4fae1a29ee43fed12025cf2e9d16de9f27fb21cbb3c0709f71070bfeed/hostname","LogPath": "/var/lib/nerdctl/1935db59/containers/default/50f16e4fae1a29ee43fed12025cf2e9d16de9f27fb21cbb3c0709f71070bfeed/50f16e4fae1a29ee43fed12025cf2e9d16de9f27fb21cbb3c0709f71070bfeed-json.log","Name": "nginx1","RestartCount": 0,"Driver": "overlayfs","Platform": "linux","AppArmorProfile": "","Mounts": null,"Config": {"Hostname": "50f16e4fae1a","AttachStdin": false,"Labels": {"containerd.io/restart.explicitly-stopped": "false","io.containerd.image.config.stop-signal": "SIGQUIT","nerdctl/extraHosts": "null","nerdctl/hostname": "50f16e4fae1a","nerdctl/log-uri": "binary:///usr/bin/nerdctl?_NERDCTL_INTERNAL_LOGGING=%2Fvar%2Flib%2Fnerdctl%2F1935db59","nerdctl/name": "nginx1","nerdctl/namespace": "default","nerdctl/networks": "[\"bridge\"]","nerdctl/platform": "linux/amd64","nerdctl/state-dir": "/var/lib/nerdctl/1935db59/containers/default/50f16e4fae1a29ee43fed12025cf2e9d16de9f27fb21cbb3c0709f71070bfeed"}},"NetworkSettings": {"GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"IPAddress": "10.4.0.11","IPPrefixLen": 24,"MacAddress": "da:8c:04:e9:1d:39","Networks": {"unknown-eth0": {"IPAddress": "10.4.0.11","IPPrefixLen": 24,"GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"MacAddress": "da:8c:04:e9:1d:39"}}}}
]logs
显示容器console终端内容
[root@localhost ~]# nerdctl container logs 50f16e4fae1a
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2025/09/11 07:55:52 [notice] 1#1: using the "epoll" event method
2025/09/11 07:55:52 [notice] 1#1: nginx/1.29.1
2025/09/11 07:55:52 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14+deb12u1)
2025/09/11 07:55:52 [notice] 1#1: OS: Linux 4.18.0-553.6.1.el8.x86_64
2025/09/11 07:55:52 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1024:1024
2025/09/11 07:55:52 [notice] 1#1: start worker processes
2025/09/11 07:55:52 [notice] 1#1: start worker process 22
2025/09/11 07:55:52 [notice] 1#1: start worker process 23
2025/09/11 07:55:52 [notice] 1#1: start worker process 24
2025/09/11 07:55:52 [notice] 1#1: start worker process 25port
显示宿主机和容器之间端口映射关系
[root@localhost ~]# nerdctl container run --name nginx -d -p 8080:80 nginx
aa30235e74dd215e60b77dca49ecb8dde06b9c07d5e682324de851d27b78758d[root@localhost ~]# nerdctl container ls -a
[root@localhost ~]# nerdctl container port aa30235e74dd
commit
将容器提交为镜像
[root@localhost ~]# nerdctl commit aa30235e74dd nginx_containerd
sha256:2b569b93e67b64df563f33c7538f832c98474cd1f47af0c32cd8b6cc13f981c9
[root@localhost ~]# nerdctl images
nerdctl 管理网络
Containerd 中的网络与Docker类似,所有网络接口默认都是虚拟接口。
当使用nerdctl创建容器时,nerdctl命令会创建一个名称为bridge的Linux网桥(其上有一个nerdctl0内 部接口),利用了Linux虚拟网络技术,在本地主机和容器内分别创建一个虚拟接口,并让它们彼此连通 (这样的一对接口叫做vethpair)。Containerd 默认指定了nerdctl0接口的IP地址和子网掩码,让主机 和容器之间可以通过网桥相互通信。
示例
[root@localhost ~]# nerdctl run -d busybox -- sleep infinity
[root@localhost ~]# nerdctl container ls[root@localhost ~]# nerdctl exec busybox-81f8a -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
2: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 72:33:46:46:03:cb brd ff:ff:ff:ff:ff:ffinet 10.4.0.13/24 brd 10.4.0.255 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::7033:46ff:fe46:3cb/64 scope linkvalid_lft forever preferred_lft forever# 容器内看到的网卡名: 2: eth0@if15 ,@if5代表对端是15号网卡。[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000link/ether 00:0c:29:93:2a:f6 brd ff:ff:ff:ff:ff:ffaltname enp3s0inet 192.168.108.132/24 brd 192.168.108.255 scope global dynamic noprefixroute ens160valid_lft 1227sec preferred_lft 1227secinet6 fe80::20c:29ff:fe93:2af6/64 scope link noprefixroutevalid_lft forever preferred_lft forever
3: nerdctl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000link/ether ee:67:ec:67:b0:6a brd ff:ff:ff:ff:ff:ffinet 10.4.0.1/24 brd 10.4.0.255 scope global nerdctl0valid_lft forever preferred_lft foreverinet6 fe80::ec67:ecff:fe67:b06a/64 scope linkvalid_lft forever preferred_lft forever
13: vethc714eaa3@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master nerdctl0 state UP group defaultlink/ether 8a:b0:d0:81:fe:86 brd ff:ff:ff:ff:ff:ff link-netnsid 0inet6 fe80::88b0:d0ff:fe81:fe86/64 scope linkvalid_lft forever preferred_lft forever
14: vethc16955fc@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master nerdctl0 state UP group defaultlink/ether d6:f7:64:16:a5:c0 brd ff:ff:ff:ff:ff:ff link-netnsid 1inet6 fe80::d4f7:64ff:fe16:a5c0/64 scope linkvalid_lft forever preferred_lft forever
15: vethb4f82774@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master nerdctl0 state UP group defaultlink/ether e6:67:37:50:67:30 brd ff:ff:ff:ff:ff:ff link-netnsid 2inet6 fe80::e467:37ff:fe50:6730/64 scope linkvalid_lft forever preferred_lft forever# 对应容器主机的网卡: 15: veth790d9140@if2 , @if2 代表对端容器内对应2号网卡。
[root@localhost ~]# nerdctl network ls
NETWORK ID NAME FILE
17f29b073143 bridge /etc/cni/net.d/nerdctl-bridge.conflisthostnone[root@localhost ~]# nerdctl network inspect bridge
[{"Name": "bridge","Id": "17f29b073143d8cd97b5bbe492bdeffec1c5fee55cc1fe2112c8b9335f8b6121","IPAM": {"Config": [{"Subnet": "10.4.0.0/24","Gateway": "10.4.0.1"}]},"Labels": {"nerdctl/default-network": "true"}}
]# 主机中nerdctl0就是容器的网关
[root@localhost ~]# ip addr show nerdctl0
3: nerdctl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000link/ether ee:67:ec:67:b0:6a brd ff:ff:ff:ff:ff:ffinet 10.4.0.1/24 brd 10.4.0.255 scope global nerdctl0valid_lft forever preferred_lft foreverinet6 fe80::ec67:ecff:fe67:b06a/64 scope linkvalid_lft forever preferred_lft forever# 目前 Containerd 网桥是Linux网桥,用户可以使用 brctl show 命令查看网桥和端口连接信息。
# 要使用brctl show命令要先配置yum源
# 然后yum install -y bridge-utils就可以使用了
[root@localhost ~]# vim /etc/yum.repos.d/cloud.repo
[root@localhost ~]# cat /etc/yum.repos.d/cloud.repo
[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/cloud/x86_64/openstack-victoria/
enabled=1
gpgcheck=0[root@localhost ~]# yum clean all
13 files removed
[root@localhost ~]# yum makecache
CentOS 8 - OpenStack victoria 1.2 MB/s | 3.3 MB 00:02
CentOS Stream 8 - BaseOS 2.1 MB/s | 10 MB 00:05
CentOS Stream 8 - AppStream 1.9 MB/s | 29 MB 00:15
Last metadata expiration check: 0:00:01 ago on Thu 11 Sep 2025 04:34:06 PM CST.
Metadata cache created.
[root@localhost ~]# yum install -y bridge-utils[root@localhost ~]# brctl show
bridge name bridge id STP enabled interfaces
nerdctl0 8000.ee67ec67b06a no vethb4f82774vethc16955fcvethc714eaa3