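In Kubernetes, the kubelet is one of the key components that runs on every node; it manages the lifecycle of containers. CRI (Container Runtime Interface) is the interface the kubelet uses to communicate with the container runtime (see the figure below).
CRI uses Protocol Buffers and gRPC to define how the kubelet calls the container runtime to manage containers and images. Through CRI, Kubernetes can support many kinds of OCI container runtimes, such as Docker, containerd, CRI-O, runC, Frakti and Kata Containers.
To make debugging container runtimes easier, the community provides the crictl tool for interacting with the CRI interface. This article briefly describes how to use crictl to debug a Kubernetes node.
Figure: kubelet-layout
Installation
You can download a compressed crictl archive from the cri-tools releases page; archives are provided for several architectures. Download the version that matches your Kubernetes version, extract it, and move it to a location on your system path, such as /usr/local/bin/.
- Check the version to verify the installation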
crictl --version
Output like the following means the installation succeeded:
crictl version v1.23.0
View or edit the configuration
To view or edit the current configuration, view or edit the contents of /etc/crictl.yaml.
cat /etc/crictl.yaml
image-endpoint: unix:///var/run/image-cri-shim.sock
runtime-endpoint: unix:///run/containerd/containerd.sock
Debugging the node
- List running containers:
crictl ps
For example, listing all the containers of a k8s cluster produces output such as:
CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID
508e30da66ce7 7a71aca7b60fc 3 days ago Running calico-node 0 e0ec650992997
9daa288a68426 f822f80398b9a 3 days ago Running calico-typha 0 f5c4bd6471941
300d948e75019 f6bc1b780606f 3 days ago Running kube-controller-manager 1 d5d681744a377
1cfdc1a6726ae 0198979b7707e 3 days ago Running kube-scheduler 1 eb6ff07ees98c
3699c312c56f9 9e6a540eeeb62 3 days ago Running kube-proxy 0 e8707140d12941
4159d7ec37b29 5bc0062e9555c 3 days ago Running kube-apiserver 0 22d043569737f
8f56a047e8627 25f8c7f3da61c 3 days ago Restart etcd 0 458e540c798c8
In this example the etcd container keeps restarting. Use the following command to fetch the container's logs:
crictl logs container-id
The logs then help you locate the problem.
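The triage step described above (list the containers, spot the one that is not healthy, pull its logs) can be scripted. The following is an added example, not part of the original article; it assumes the crictl ps column layout shown above (v1.23), and the function names suspect_containers, sample_ps and triage_node are hypothetical.

```shell
#!/bin/sh
# Triage helper for the `crictl ps` table layout shown on this page:
#   CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID
# CREATED contains spaces ("3 days ago"), so fields are counted from the right.

# suspect_containers: read a `crictl ps -a` table on stdin and print
# "<container-id> <name> <state> <attempt>" for every container that is
# not Running or that has been restarted at least once (ATTEMPT > 0).
suspect_containers() {
    awk '
        NR == 1 && $1 == "CONTAINER" { next }   # skip the header row
        NF < 7 { next }                         # skip blank or truncated rows
        {
            attempt = $(NF - 1); name = $(NF - 2); state = $(NF - 3)
            if (attempt !~ /^[0-9]+$/) next     # not a data row
            if (state != "Running" || attempt + 0 > 0)
                print $1, name, state, attempt
        }'
}

# Constructed sample input, modeled on the listing above.
sample_ps() {
    cat <<'EOF'
CONTAINER      IMAGE          CREATED     STATE    NAME                     ATTEMPT  POD ID
508e30da66ce7  7a71aca7b60fc  3 days ago  Running  calico-node              0        e0ec650992997
300d948e75019  f6bc1b780606f  3 days ago  Running  kube-controller-manager  1        d5d681744a377
8f56a047e8627  25f8c7f3da61c  3 days ago  Restart  etcd                     0        458e540c798c8
EOF
}

# On a real node: filter the live listing, then pull the last 50 log lines
# of each suspect container (needs access to the runtime socket).
triage_node() {
    crictl ps -a | suspect_containers | while read -r id name state attempt; do
        echo "== $name ($id) state=$state attempt=$attempt =="
        crictl logs --tail 50 "$id" 2>&1
    done
}

# Demo on the constructed sample; runs offline, no crictl needed.
sample_ps | suspect_containers
```

On a node, call triage_node instead of the demo line at the end.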
More commands
- List all pods
crictl pods
- Create a container
crictl run --runtime=remote \
docker.io/library/nginx:latest \
nginx-container
PS: this uses the remote container CRI to start a container named nginx-container from the latest nginx image.
- Remove a container:
crictl rm nginx-container
- List all images:
crictl images
- Help
crictl -h
NAME:
crictl - client for CRI
USAGE:
crictl [global options] command [command options] [arguments...]
VERSION:
v1.23.0
COMMANDS:
attach Attach to a running container
create Create a new container
exec Run a command in a running container
version Display runtime version information
images, image, img List images
inspect Display the status of one or more containers
inspecti Return the status of one or more images
imagefsinfo Return image filesystem info
inspectp Display the status of one or more pods
logs Fetch the logs of a container
port-forward Forward local port to a pod
ps List containers
pull Pull an image from a registry
run Run a new container inside a sandbox
runp Run a new pod
rm Remove one or more containers
rmi Remove one or more images
rmp Remove one or more pods
pods List pods
start Start one or more created containers
info Display information of the container runtime
stop Stop one or more running containers
stopp Stop one or more running pods
update Update one or more running containers
config Get and set crictl client configuration options
stats List container(s) resource usage statistics
completion Output shell completion code
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--config value, -c value Location of the client config file. If not specified and the default does not exist, the program's directory is searched as well (default: "/etc/crictl.yaml") [$CRI_CONFIG_FILE]
--debug, -D Enable debug mode (default: false)
--image-endpoint value, -i value Endpoint of CRI image manager service (default: uses 'runtime-endpoint' setting) [$IMAGE_SERVICE_ENDPOINT]
--runtime-endpoint value, -r value Endpoint of CRI container runtime service (default: uses in order the first successful one of [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock unix:///var/run/cri-dockerd.sock]). Default is now deprecated and the endpoint should be set instead. [$CONTAINER_RUNTIME_ENDPOINT]
--timeout value, -t value Timeout of connecting to the server in seconds (e.g. 2s, 20s.). 0 or less is set to default (default: 2s)
--help, -h show help (default: false)
--version, -v print the version (default: false)
That's all.