1- Docker
2- cri-dockerd
3- 如何将Docker切换到Containerd
4- 全新安装Containerd接入集群
5- 如何将Kubernetes扩展为多Master的高可用集群
(1)主机名解析
[root@master01 ~]# cat >> /etc/hosts <<EOF
10.0.0.201 master01 master01.koiz1.com vip.koiz1.com
10.0.0.202 master02 master02.koiz1.com
10.0.0.203 master03 master03.koiz1.com
10.0.0.204 node01 node01.koiz1.com
10.0.0.205 node02 node02.koiz1.com
10.0.0.206 node03 node03.koiz1.com
EOF
(2)关闭防火墙
[root@master01 ~]# systemctl stop firewalld && systemctl disable firewalld
[root@master01 ~]# setenforce 0
[root@master01 ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
(3)关闭swap分区
[root@master01 ~]# sed -ri 's@(.*swap.*)@#\1@g' /etc/fstab
#关闭正在使用的swap
[root@master01 ~]# swapoff -a
#检查swap是否关闭
[root@master01 ~]# free -m
(4)修改内核参数
[root@master01 ~]# cat >> /etc/modules-load.d/k8s.conf <<EOF
overlay
br_netfilter
EOF
[root@master01 ~]# sudo modprobe overlay
[root@master01 ~]# sudo modprobe br_netfilter
(5)添加内核参数
[root@master01 ~]# cat >> /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
vm.overcommit_memory = 0
EOF
[root@master01 ~]# sysctl -p /etc/sysctl.d/k8s.conf
(6)配置IPVS
[root@master01 ~]# yum install ipset ipvsadm -y
[root@master01 ~]# mkdir /etc/sysconfig/modules -p
[root@master01 ~]# cat >> /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF
[root@master01 ~]# chmod 755 /etc/sysconfig/modules/ipvs.modules
[root@master01 ~]# bash /etc/sysconfig/modules/ipvs.modules
[root@master01 ~]# lsmod |grep -e ip_vs -e nf_conntrack
(7)配置时间同步
[root@master01 ~]# yum install -y chrony
[root@master01 ~]# systemctl enable chronyd --now
[root@master01 ~]# chronyc sources
(8)部署docker
[root@master01 ~]# yum remove docker* -y && yum install -y yum-utils
[root@master01 ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@master01 ~]# yum install -y docker-ce
[root@master01 ~]# cat >> /etc/docker/daemon.json <<EOF
{
"registry-mirrors": [
"https://docker.m.daocloud.io",
"https://dockerproxy.com",
"https://docker.mirrors.ustc.edu.cn",
"https://docker.nju.edu.cn",
"https://hub-mirror.c.163.com",
"https://docker.m.daocloud.io",
"https://dockerproxy.com",
"https://mirror.baidubce.com",
"https://docker.nju.edu.cn",
"https://docker.mirrors.sjtug.sjtu.edu.cn/"
],
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
[root@master01 ~]# systemctl daemon-reload
[root@master01 ~]# systemctl enable --now docker
(9)安装cri-dockerd
[root@master01 ~]# wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.4/cri-dockerd-0.3.4.amd64.tgz
[root@master01 ~]# tar xf cri-dockerd-0.3.4.amd64.tgz
[root@master01 ~]# cd cri-dockerd
[root@master01 ~]# cp cri-dockerd /usr/local/bin/
[root@master01 ~]# ll /usr/local/bin/
#cri-dockerd启停脚本
[root@master01 ~]# cat >> /usr/lib/systemd/system/cri-dockerd.service <<'EOF'
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/local/bin/cri-dockerd --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
[root@master01 ~]# systemctl daemon-reload
[root@master01 ~]# systemctl start cri-dockerd
[root@master01 ~]# ll /usr/local/bin/cri-dockerd
(10) Kubernetes组件部署
#配置k8s源(注意:下面的 gpgcheck=0 表示跳过软件包签名校验)
[root@master01 ~]# cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.28/rpm/
enabled=1
gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.28/rpm/repodata/repomd.xml.key
EOF
[root@master01 ~]# yum makecache
[root@master01 ~]# yum install -y kubelet-1.28.0 kubeadm-1.28.0 kubectl-1.28.0
[root@master01 ~]# systemctl enable kubelet
[root@master01 ~]# systemctl restart kubelet
[root@master01 ~]# systemctl status kubelet
###镜像拉取###
#默认国外k8s源
[root@master01 ~]# kubeadm config images list --kubernetes-version v1.28.0
#更改国内阿里源
[root@master01 ~]# kubeadm config images list --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.28.0
#拉取镜像
[root@master01 ~]# kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.28.0
#修改runtime
[root@master01 ~]# kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.28.0 --cri-socket=unix:///var/run/cri-dockerd.sock
(11)master初始化 ---> 仅Master执行
[root@master01 ~]# kubeadm init --apiserver-advertise-address="10.0.0.201" --control-plane-endpoint="vip.koiz1.com" --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.28.0 --service-cidr=10.96.0.0/16 --pod-network-cidr=192.168.0.0/16 --cri-socket=unix:///var/run/cri-dockerd.sock
(12) node节点初始化
kubeadm join vip.koiz1.com:6443 --token azy18m.5i3n2cb7l4p9dk73 \
--discovery-token-ca-cert-hash sha256:860feeafec0b3d81b645d2a0d173ccb5662a81fe61cf34326c8ce63b4991d72d \
--cri-socket="unix:///run/cri-dockerd.sock"
(13)网络插件部署
[root@master01 ~]# wget https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
[root@master01 ~]# kubectl apply -f kube-flannel.yml
(14) 命令补全
[root@master01 ~]# yum install bash-completion -y
[root@master01 ~]# echo 'source <(kubectl completion bash)' >>~/.bashrc
将docker切换到containerd
#Master节点操作
(1)驱逐Master的pod --->所有节点
kubectl drain master01.koiz1.com --ignore-daemonsets
(2)停止docker和kubelet --->所有节点
systemctl stop docker.socket
systemctl stop cri-dockerd
systemctl stop kubelet
systemctl disable docker cri-dockerd
(3)安装Containerd --->所有节点
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y containerd
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
修改以下内容 vim /etc/containerd/config.toml
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
SystemdCgroup = true
systemctl enable containerd
systemctl start containerd
(4)安装nerdctl客户端 --->所有节点
wget https://github.com/containerd/nerdctl/releases/download/v1.5.0/nerdctl-full-1.5.0-linux-amd64.tar.gz
tar xf nerdctl-full-1.5.0-linux-amd64.tar.gz -C /tmp/
cp /tmp/bin/nerdctl /usr/local/bin/
(5)安装buildkitd --->构建镜像用的,也在上面这个包里
cp /tmp/bin/{buildctl,buildkitd} /usr/local/bin/
echo 'source <(nerdctl completion bash)' >> /etc/profile
source /etc/profile
cp /tmp/lib/systemd/system/buildkit.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable buildkit.service --now
(6)修改kubelet使用containerd作为其容器运行时
[root@* ~]# cat /var/lib/kubelet/kubeadm-flags.env
KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9"
systemctl restart kubelet.service
systemctl status kubelet.service
(7)使用containerd重新拉取镜像 --->Master需要,Node不需要
kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.28.0 --cri-socket=unix:///var/run/containerd/containerd.sock
(8)在Master上修改注解
kubectl edit nodes master01.koiz1.com
修改:kubeadm.alpha.kubernetes.io/cri-socket: unix:///run/containerd/containerd.sock
(9)使用uncordon恢复节点
kubectl uncordon master01.koiz1.com
(10)查看节点信息 ---> 容器运行时
[root@master01 ~]# kubectl get nodes -o wide
#Node节点切换Containerd
(1)驱逐Node的pod
kubectl drain node01.koiz1.com --ignore-daemonsets
(2)停止docker和kubelet --->所有节点
systemctl stop docker.socket
systemctl stop cri-dockerd
systemctl stop kubelet
systemctl disable docker cri-dockerd
(3)安装Containerd --->所有节点
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y containerd
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
修改以下内容 vim /etc/containerd/config.toml
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
SystemdCgroup = true
systemctl enable containerd
systemctl start containerd
(4)安装nerdctl客户端 --->所有节点
wget https://github.com/containerd/nerdctl/releases/download/v1.5.0/nerdctl-full-1.5.0-linux-amd64.tar.gz
tar xf nerdctl-full-1.5.0-linux-amd64.tar.gz -C /tmp/
cp /tmp/bin/nerdctl /usr/local/bin/
(5)安装buildkitd --->构建镜像用的,也在上面这个包里
cp /tmp/bin/{buildctl,buildkitd} /usr/local/bin/
echo 'source <(nerdctl completion bash)' >> /etc/profile
source /etc/profile
cp /tmp/lib/systemd/system/buildkit.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable buildkit.service --now
(6)修改kubelet使用containerd作为其容器运行时
[root@* ~]# cat /var/lib/kubelet/kubeadm-flags.env
KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9"
systemctl restart kubelet.service
systemctl status kubelet.service
eg: 如果kubelet起不来,重启containerd服务
(7)在Master上修改注解
kubectl edit nodes master01.koiz1.com
修改:kubeadm.alpha.kubernetes.io/cri-socket: unix:///run/containerd/containerd.sock
(8)在Master上使用uncordon恢复节点
kubectl uncordon node01.koiz1.com
(9)在Master上查看节点信息 ---> 容器运行时
[root@master01 ~]# kubectl get nodes -o wide
#全新安装Containerd接入集群
(1) Kubernetes组件部署
#配置k8s源(注意:下面的 gpgcheck=0 表示跳过软件包签名校验)
[root@master01 ~]# cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.28/rpm/
enabled=1
gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.28/rpm/repodata/repomd.xml.key
EOF
[root@master01 ~]# yum makecache
[root@master01 ~]# yum install -y kubelet-1.28.0 kubeadm-1.28.0 kubectl-1.28.0
[root@master01 ~]# systemctl enable kubelet
[root@master01 ~]# systemctl restart kubelet
[root@master01 ~]# systemctl status kubelet
(2)安装Containerd --->所有节点
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y containerd
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
修改以下内容 vim /etc/containerd/config.toml
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
SystemdCgroup = true
systemctl enable containerd
systemctl start containerd
(3)安装nerdctl客户端 --->所有节点
wget https://github.com/containerd/nerdctl/releases/download/v1.5.0/nerdctl-full-1.5.0-linux-amd64.tar.gz
tar xf nerdctl-full-1.5.0-linux-amd64.tar.gz -C /tmp/
cp /tmp/bin/nerdctl /usr/local/bin/
(4)安装buildkitd --->构建镜像用的,也在上面这个包里
cp /tmp/bin/{buildctl,buildkitd} /usr/local/bin/
echo 'source <(nerdctl completion bash)' >> /etc/profile
source /etc/profile
cp /tmp/lib/systemd/system/buildkit.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable buildkit.service --now
(5)在Master上生成加入集群命令
kubeadm token create --print-join-command
(6)Node加入集群
kubeadm join vip.koiz1.com:6443 --token a3gmgq.wlw595pjmhbl0a73 --discovery-token-ca-cert-hash sha256:860feeafec0b3d81b645d2a0d173ccb5662a81fe61cf34326c8ce63b4991d72d
!镜像会自动下载,如网络插件等,下载完成会自动Ready
eg:报错日志 tail -f /var/log/messages