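In Kubernetes, the kubelet is one of the key components that runs on every node; it is responsible for managing the container lifecycle. CRI (Container Runtime Interface) is the interface the kubelet uses to communicate with the container runtime (see the figure below).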

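CRI uses Protocol Buffers and gRPC to define how the kubelet calls the container runtime to manage containers and images. Through CRI, Kubernetes can support many kinds of OCI container runtimes, for example docker, containerd, CRI-O, runC, Frakti and Kata Containers.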

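To make debugging container runtimes easier for users, the community provides the crictl tool for interacting with the CRI interface. This article briefly describes how to use crictl to debug Kubernetes nodes.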

[Figure: kubelet-layout]

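Installation

You can download a compressed crictl archive, available for several different architectures, from the cri-tools release page. Download the version that corresponds to your Kubernetes version. Extract it and move it to a location on your system path, such as /usr/local/bin/.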

  • Check the version to verify the installation:
crictl --version

Output like the following indicates that the installation succeeded:

crictl version v1.23.0 

View or edit the configuration

To view or edit the current configuration, view or edit the contents of /etc/crictl.yaml.

cat /etc/crictl.yaml
image-endpoint: unix:///var/run/image-cri-shim.sock
runtime-endpoint: unix:///run/containerd/containerd.sock

Debugging the node

  • List running containers:
crictl ps

For example, listing all the containers of the k8s cluster produces output such as:

CONTAINER           IMAGE               CREATED             STATE               NAME                      ATTEMPT             POD ID
508e30da66ce7       7a71aca7b60fc       3 days ago          Running             calico-node               0                   e0ec650992997
9daa288a68426       f822f80398b9a       3 days ago          Running             calico-typha              0                   f5c4bd6471941
300d948e75019       f6bc1b780606f       3 days ago          Running             kube-controller-manager   1                   d5d681744a377
1cfdc1a6726ae       0198979b7707e       3 days ago          Running             kube-scheduler            1                   eb6ff07ees98c
3699c312c56f9       9e6a540eeeb62       3 days ago          Running             kube-proxy                0                   e8707140d12941
4159d7ec37b29       5bc0062e9555c       3 days ago          Running             kube-apiserver            0                   22d043569737f
8f56a047e8627      25f8c7f3da61c       3 days ago          Restart             etcd                      0                   458e540c798c8

In this example the etcd container keeps restarting. You can fetch the container's logs with the following command:

crictl logs container-id

The logs then help you locate the problem.
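
The triage step described above (list the containers, pick out the unhealthy one, fetch its logs), written as a script. This is an added example, not part of the original article; it assumes the `crictl ps -a` column layout shown on this page (v1.23.0), and the sample rows and IDs are constructed.

```shell
#!/bin/sh
# Added example: triage `crictl ps -a` table output for containers worth a log review.
# Assumed column layout (as shown on this page, crictl v1.23.0):
#   CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID

# triage_containers: read the table on stdin and print "ID NAME STATE ATTEMPT"
# for every container that is not Running or has been restarted (ATTEMPT > 0).
# CREATED ("3 days ago", "About a minute ago") has a variable word count,
# so the columns are addressed from the right-hand side of each row.
triage_containers() {
  awk 'NR > 1 && NF >= 7 {
         state = $(NF-3); name = $(NF-2); attempt = $(NF-1)
         if (attempt !~ /^[0-9]+$/) next          # malformed row: skip it
         if (state != "Running" || attempt + 0 > 0)
           print $1, name, state, attempt
       }'
}

# sample_ps: constructed sample output (IDs are made up), not from a real node.
sample_ps() {
  cat <<'EOF'
CONTAINER           IMAGE               CREATED              STATE               NAME                      ATTEMPT             POD ID
c0ffee0000001       1111111111111       3 days ago           Running             calico-node               0                   aaaaaaaaaaaa1
c0ffee0000002       2222222222222       3 days ago           Running             kube-scheduler            1                   aaaaaaaaaaaa2
c0ffee0000003       3333333333333       About a minute ago   Exited              etcd                      7                   aaaaaaaaaaaa3
EOF
}

# On a node: crictl ps -a | triage_containers
# Offline demo: print the log command to run for each flagged container.
sample_ps | triage_containers | while read -r id name state attempt; do
  echo "review: crictl logs --tail 50 $id   # $name state=$state attempt=$attempt"
done
```
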

More commands

  • List all pods:
crictl pods
  • Create a container:
crictl run --runtime=remote \
  docker.io/library/nginx:latest \
  nginx-container

Note: this uses the remote container runtime (CRI) to start a container named nginx-container from the latest nginx image.

  • Remove a container:
crictl rm nginx-container
  • List all images:
crictl images
  • Help:
 crictl -h 
NAME:
   crictl - client for CRI

USAGE:
   crictl [global options] command [command options] [arguments...]

VERSION:
   v1.23.0

COMMANDS:
   attach              Attach to a running container
   create              Create a new container
   exec                Run a command in a running container
   version             Display runtime version information
   images, image, img  List images
   inspect             Display the status of one or more containers
   inspecti            Return the status of one or more images
   imagefsinfo         Return image filesystem info
   inspectp            Display the status of one or more pods
   logs                Fetch the logs of a container
   port-forward        Forward local port to a pod
   ps                  List containers
   pull                Pull an image from a registry
   run                 Run a new container inside a sandbox
   runp                Run a new pod
   rm                  Remove one or more containers
   rmi                 Remove one or more images
   rmp                 Remove one or more pods
   pods                List pods
   start               Start one or more created containers
   info                Display information of the container runtime
   stop                Stop one or more running containers
   stopp               Stop one or more running pods
   update              Update one or more running containers
   config              Get and set crictl client configuration options
   stats               List container(s) resource usage statistics
   completion          Output shell completion code
   help, h             Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config value, -c value            Location of the client config file. If not specified and the default does not exist, the program's directory is searched as well (default: "/etc/crictl.yaml") [$CRI_CONFIG_FILE]
   --debug, -D                         Enable debug mode (default: false)
   --image-endpoint value, -i value    Endpoint of CRI image manager service (default: uses 'runtime-endpoint' setting) [$IMAGE_SERVICE_ENDPOINT]
   --runtime-endpoint value, -r value  Endpoint of CRI container runtime service (default: uses in order the first successful one of [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock unix:///var/run/cri-dockerd.sock]). Default is now deprecated and the endpoint should be set instead. [$CONTAINER_RUNTIME_ENDPOINT]
   --timeout value, -t value           Timeout of connecting to the server in seconds (e.g. 2s, 20s.). 0 or less is set to default (default: 2s)
   --help, -h                          show help (default: false)
   --version, -v                       print the version (default: false)

That's all.
