Containerd 镜像 pull 过程分析操作实践
2021-08-22 本文已影响0人
Xiao_Yang
阅读源码可以了解从公开的镜像 repository 上 pull 一个 image 到本地、再到作为 containerd 容器的 rootfs 运行的全流程。除了源码 debug 这种较复杂的方式外,今天我们从外围操作层面来分析一下 containerd image pull 的整个流程(拉取 -> 存储 -> 容器的文件系统)。熟悉 image pull 源码的同学可以通过此实践来验证并加深理解;不熟悉源码的同学也可以先熟悉操作层面的过程分析,将来有兴趣学习源码时更有助于理解代码实现逻辑。废话少说,直接开干!
pull 镜像下载
# 本实例以一个nginx镜像为例,如何安装 containerd 可参考我的另外文章
[~]# ctr image pull daocloud.io/library/nginx:1.12.0-alpine
daocloud.io/library/nginx:1.12.0-alpine: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:6a88bc1398333a1a508824c13cc214119510bf7d5898557640606d5edf5da244: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:30cf39878add9b76abdfccd79b79d1eb76629f7eca924822f6b68df9735a9f00: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:09b2eb12555fd1a51a97f9231f7edefd4e242af42cc6ce73fc94a4fd2014bf1e: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ab14e39f58e6d8ba465d2bb577a82a750ec0bcd2342b380920f9e7f307be3c4f: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:b719aad0065e54869664cc345032763a5ef015431b4b712c55c26d591d2a2281: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:193bc4296e28af74c271e70ffc4456f2f2e39972dd7912dff5a0b542d8f2c3a4: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 15.1s total: 5.9 Mi (399.1 KiB/s)
unpacking linux/amd64 sha256:6a88bc1398333a1a508824c13cc214119510bf7d5898557640606d5edf5da244...
done: 347.589512ms
第一步观察: 下载过程中 ingest (下载完成后移至content,并清理 ingest 目录)
注:在上面拉取镜像时可以通过 ctrl+c 中断下载,保持未完成状态,这样可以观察到下载过程中数据断点续传的机制,这也就是 content 服务的 ingest 实现
[root@i-ratolcyu ingest]# pwd
/var/lib/containerd/io.containerd.content.v1.content/ingest
[root@i-ratolcyu ingest]# tree
.
└── 640b3de94bbe6f243a26ee8a5ad6edc21997868a961280068a6d48e9504106b6
├── data
├── ref
├── startedat
├── total
└── updated
1 directory, 5 files
第二步观察 下载完后 content 内容
[root@i-ratolcyu sha256]# pwd
/var/lib/containerd/io.containerd.content.v1.content/blobs/sha256
[root@i-ratolcyu sha256]# ls -alh
总用量 7.3M
drwxr-xr-x 2 root root 4.0K 8月 17 15:52 .
drwxr-xr-x 3 root root 4.0K 5月 25 17:33 ..
-r--r--r-- 1 root root 8.6K 8月 17 15:52 09b2eb12555fd1a51a97f9231f7edefd4e242af42cc6ce73fc94a4fd2014bf1e # config-sha256
-r--r--r-- 1 root root 492 8月 17 15:52 193bc4296e28af74c271e70ffc4456f2f2e39972dd7912dff5a0b542d8f2c3a4 # layer-sha256
-r--r--r-- 1 root root 631 8月 17 15:52 30cf39878add9b76abdfccd79b79d1eb76629f7eca924822f6b68df9735a9f00 # layer-sha256
-r--r--r-- 1 root root 1.2K 8月 17 15:52 6a88bc1398333a1a508824c13cc214119510bf7d5898557640606d5edf5da244 # manifest-sha256
-r--r--r-- 1 root root 1.9M 8月 17 15:52 ab14e39f58e6d8ba465d2bb577a82a750ec0bcd2342b380920f9e7f307be3c4f # layer-sha256
-r--r--r-- 1 root root 4.6M 8月 17 15:52 b719aad0065e54869664cc345032763a5ef015431b4b712c55c26d591d2a2281 # layer-sha256
# layer 文件为 gzip 压缩的 tar 包;blob 的文件名即其内容的 sha256 摘要,可用 sha256sum <文件名> 核对内容是否完整
[root@i-ratolcyu sha256]# file b719aad0065e54869664cc345032763a5ef015431b4b712c55c26d591d2a2281
b719aad0065e54869664cc345032763a5ef015431b4b712c55c26d591d2a2281: gzip compressed data
查看 meta.db 元数据库信息
[~ io.containerd.metadata.v1.bolt]# pwd
/var/lib/containerd/io.containerd.metadata.v1.bolt
[~ io.containerd.metadata.v1.bolt]# ls
meta.db
# 查看工具 boltbrowser
===============================================================================================|
- v1 |
- default |
+ containers |
- content |
- blob |
+ sha256:09b2eb12555fd1a51a97f9231f7edefd4e242af42cc6ce73fc94a4fd2014bf1e |
+ sha256:193bc4296e28af74c271e70ffc4456f2f2e39972dd7912dff5a0b542d8f2c3a4 |
+ sha256:30cf39878add9b76abdfccd79b79d1eb76629f7eca924822f6b68df9735a9f00 |
+ sha256:6a88bc1398333a1a508824c13cc214119510bf7d5898557640606d5edf5da244 |
+ sha256:ab14e39f58e6d8ba465d2bb577a82a750ec0bcd2342b380920f9e7f307be3c4f |
+ sha256:b719aad0065e54869664cc345032763a5ef015431b4b712c55c26d591d2a2281 |
+ ingests |
- images |
- daocloud.io/library/nginx:1.12.0-alpine |
- target |
digest: sha256:6a88bc1398333a1a508824c13cc214119510bf7d5898557640606d5edf5da244 | # manifest-sha256
mediatype: application/vnd.docker.distribution.manifest.v2+json |
size: 8212 |
createdat: 010000000ed8ad61c714c53555ffff |
updatedat: 010000000ed8ad61c714c53555ffff |
+ leases |
+ snapshots |
version: 06 |
第三步观察 镜像层的应用,解压至 snapshot 文件系统
# 查看镜像 config 配置文件(获取用于计算各 layer chain ID 的 diff_ids)
[root@i-ratolcyu sha256]# cat 09b2eb12555fd1a51a97f9231f7edefd4e242af42cc6ce73fc94a4fd2014bf1e
{…
… 略
"rootfs":{
"type":"layers",
"diff_ids":["sha256:040fd7841192c4f283485d5c7817f4508a774a8fabef8fc265c87f4d2a2ae635", # diff_ids 为各层解压后 tar 内容的 sha256(因此与上面压缩层 blob 的 layer-sha256 不同);各层的 chain ID 由 diff_ids 逐层计算得出,计算方式见本文最后的扩展学习
"sha256:613b41d784fd502fed68d437a35318388828394a9d099dbdac24d4162c79c172",
"sha256:9854154a6906e0b692131dd23c739a70ef376e32c89a79bc3adb0039c4529355",
"sha256:96c62e4b6ca4c84a1dc877e7a93408ce41e9d0b25d276d8703ac689e95fbb842"]
}
}
# 查看 layers 父子关系链
[root@i-ratolcyu ~]# ctr snapshot tree
sha256:040fd7841192c4f283485d5c7817f4508a774a8fabef8fc265c87f4d2a2ae635
\_ sha256:7ce319e17b0b70ff9abdff5a32d9442a1218f9fd5d38432a9818426577d3836e
\_ sha256:5e8742c74622849e0886659428fb6b295edb5e8a3d0808b85b390e62e8c2a7ca
\_ sha256:2c01bb519bed0697c239bcef756503e5fe4f308f5297db3527dd1e2b4df7e14f
# 查看snapshot的 metadata.db 元数据库
[~ snapshots]# pwd
/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots
[~ io.containerd.snapshotter.v1.overlayfs]# ls
metadata.db snapshots
===============================================================================================|
- v1 |
- parents |
010003: default/4/demo_lab |
1c001d: default/56/commit_add02 |
1c001e: default/57/activeLayer0 |
1d001f: default/58/activeLayer1 |
200021: default/62/sha256:7ce319e17b0b70ff9abdff5a32d9442a1218f9fd5d38432a9818426577d3...|
210022: default/64/sha256:5e8742c74622849e0886659428fb6b295edb5e8a3d0808b85b390e62e8c2...|
220023: default/66/sha256:2c01bb519bed0697c239bcef756503e5fe4f308f5297db3527dd1e2b4df7...|
- snapshots |
+ default/2/sha256:d0d0905d7be4eff6a63efe4a38647a679de1e024101f67db4fe4b5736c1... |
+ default/4/demo_lab |
+ default/48/sha256:5b8c72934dfc08c7d2bd707e93197550f06c0751023dabb3a045b723c5... |
+ default/54/commit_add01 |
+ default/56/commit_add02 |
+ default/57/activeLayer0 |
+ default/58/activeLayer1 |
+ default/60/sha256:040fd7841192c4f283485d5c7817f4508a774a8fabef8fc265c87f4d2a... |
+ default/62/sha256:7ce319e17b0b70ff9abdff5a32d9442a1218f9fd5d38432a9818426577... |
+ default/64/sha256:5e8742c74622849e0886659428fb6b295edb5e8a3d0808b85b390e62e8... |
+ default/66/sha256:2c01bb519bed0697c239bcef756503e5fe4f308f5297db3527dd1e2b4d... |
|
|
# 查看 snapshots layers的内容
# 注意:此处的目录名即 snapshot 的 id(十进制);在元数据库中该 id 以十六进制显示(例如上面 parents 中的 0x20 对应目录 32)
[~ snapshots]# pwd
/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots
[~ snapshots]# ls -alh
总用量 52K
drwx------ 13 root root 4.0K 8月 17 15:52 .
drwx------ 3 root root 4.0K 8月 17 16:06 ..
drwx------ 4 root root 4.0K 5月 25 17:33 1
drwx------ 4 root root 4.0K 6月 18 18:39 25
drwx------ 4 root root 4.0K 6月 28 09:40 28
drwx------ 4 root root 4.0K 6月 28 09:41 29
drwx------ 4 root root 4.0K 5月 25 17:53 3
drwx------ 4 root root 4.0K 6月 28 09:59 30
drwx------ 4 root root 4.0K 6月 28 10:01 31
drwx------ 4 root root 4.0K 8月 17 15:52 32
drwx------ 4 root root 4.0K 8月 17 15:52 33
drwx------ 4 root root 4.0K 8月 17 15:52 34
drwx------ 4 root root 4.0K 8月 17 15:52 35
[root@i-ratolcyu snapshots]# ls 32
fs work
[root@i-ratolcyu snapshots]# ls 32/fs
bin dev etc home lib media mnt proc root run sbin srv sys tmp usr var
[root@i-ratolcyu snapshots]# ls 33/fs
etc lib tmp usr var
[root@i-ratolcyu snapshots]# ls 34/fs
etc
[root@i-ratolcyu snapshots]# ls 35/fs
etc
最后 当镜像下载后就可以作为容器的基础来运行一个 container,这样我们可以通过查看文件来看一下容器的 rootfs
/run/containerd/io.containerd.runtime.v2.task/default/
[~]# ls /run/containerd/io.containerd.runtime.v2.task/default/demo_lab/
address config.json init.pid log log.json options.json rootfs runtime work
[root@i-ratolcyu containerd]# ls /run/containerd/io.containerd.runtime.v2.task/default/demo_lab/rootfs
bin dev etc home proc root run sys tmp usr var
# rootfs通过挂载overlay文件系统实现
[~]# mount | grep /run/containerd/io.containerd.runtime.v2.task/default/demo_lab/rootfs
overlay on /run/containerd/io.containerd.runtime.v2.task/default/demo_lab/rootfs type overlay (rw,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/work)
#底层
[~]# ls /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1/fs/
bin dev etc home root tmp usr var
#上层
[~]# ls /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/
proc root run sys
附 从镜像的diff_ids计算出chain-id扩展学习
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:c1eac31e742f9787152adeb8d82dbff43882214993210f684a432ec5b8f276ec", //base_image
"sha256:9161a60cc9644083de5cafc67d0efe1d03aeabe6159f1df397dcccf2a049e533",
"sha256:6872307367a6d0aef099e87420442dc2b75e73244f2e00cd55747e9440e84c09"
]
}
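diff_ids 数组中最上面的一项为 base_image,它的 chain ID 等于自身的 diff_id,并作为下一层的“父”
需要使用 echo -n,因为 echo 默认会在输出末尾追加换行符 '\n',多出的字符会使 sha256 计算结果出错(也可以改用 printf '%s',其行为在不同 shell 下更一致)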
第一次计算:
#echo -n 'sha256:c1eac31e742f9787152adeb8d82dbff43882214993210f684a432ec5b8f276ec sha256:9161a60cc9644083de5cafc67d0efe1d03aeabe6159f1df397dcccf2a049e533' | sha256sum
318d73f100e4c2697a545df715b171afc9774b7a37944c684a6f67c6c1cd0397 -
第二次计算:
# echo -n 'sha256:318d73f100e4c2697a545df715b171afc9774b7a37944c684a6f67c6c1cd0397 sha256:6872307367a6d0aef099e87420442dc2b75e73244f2e00cd55747e9440e84c09' | sha256sum
aa9ec45414d1cfeb999a6755caad9075e263bc591caa89d59e0e488cdfee10d5 -
// chain_id == sha256sum("parent_chain_id diff_id"),即父层 chain ID 与本层 diff_id 以一个空格拼接后计算 sha256
# echo -n 'sha256:318d73f100e4c2697a545df715b171afc9774b7a37944c684a6f67c6c1cd0397 sha256:6872307367a6d0aef099e87420442dc2b75e73244f2e00cd55747e9440e84c09' | sha256sum
aa9ec45414d1cfeb999a6755caad9075e263bc591caa89d59e0e488cdfee10d5 -
~~Finish~~