update

add
调整cni和tuning的用户权限
2025-01-23 00:08:45 +08:00 · 2025-01-22 23:52:39 +08:00 · 2024-11-12 23:33:03 +08:00 · 2024-11-12 23:31:14 +08:00 · 2024-11-12 22:05:41 +08:00 · 2024-11-12 20:59:01 +08:00
6 changed files with 344 additions and 7 deletions
--- a/docker/README.md
+++ b/docker/README.md
@@ -0,0 +1,77 @@
+## install docker
+
+使用官方源安装（国内直接访问较慢）
+
+curl -fsSL https://get.docker.com | bash
+使用阿里源安装
+
+curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
+使用中国区Azure源安装
+
+curl -fsSL https://get.docker.com | bash -s docker --mirror AzureChinaCloud
+自启动Docker
+
+systemctl enable --now docker
+一键安装最新版Docker Compose：
+
+```shell
+COMPOSE_VERSION=`git ls-remote https://github.com/docker/compose | grep refs/tags | grep -oP "[0-9]+\.[0-9][0-9]+\.[0-9]+$" | sort --version-sort | tail -n 1`
+sh -c "curl -L https://github.com/docker/compose/releases/download/v${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose"
+chmod +x /usr/local/bin/docker-compose
+```
+
+## nvidia-docker
+
+sudo chown -R root:docker /data/docker
+sudo chmod -R 770 /data/docker
+
+
+```shell
+    sudo apt-get update
+    sudo apt-get install -y curl gnupg lsb-release
+
+    curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
+  && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+    sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
+    sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+
+    sudo apt-get update
+    sudo apt-get install -y nvidia-container-toolkit
+    sudo nvidia-ctk runtime configure --runtime=docker
+    sudo systemctl restart docker
+    echo "NVIDIA Docker 已安装。"
+```
+
+## 更改镜像目录
+
+vim /etc/docker/daemon.json
+
+{
+  "data-root": "/data/docker"
+}
+
+## 换源
+
+https://www.kelen.cc/dry/docker-hub-mirror
+
+添加换源的mirror：
+
+```json
+{
+    "data-root": "/data/docker",
+    "features": {
+        "buildkit": true
+    },
+    "registry-mirrors": [
+        "https://hub.rat.dev",
+        "https://dockerhub.icu",
+        "https://docker.unsee.tech"
+    ],
+    "runtimes": {
+        "nvidia": {
+            "args": [],
+            "path": "nvidia-container-runtime"
+        }
+    }
+}
+```
--- a/nerdctl/README.md
+++ b/nerdctl/README.md
@@ -48,3 +48,116 @@ Rootful mode: /etc/nerdctl/nerdctl.toml
 Rootless mode: ~/.config/nerdctl/nerdctl.toml

 需要安装RootlessKit和slirp4netns，并且设置Nerdctl使用这些工具。参照 [Rootless模式文档](https://github.com/containerd/nerdctl/blob/main/docs/rootless.md) 进行配置。
+
+## 构建镜像时候没有使用缓存的原因
+
+[参考 nerdctl build](https://github.com/containerd/nerdctl/blob/main/docs/build.md)
+
+BuildKit 的两种工作模式：
+
+containerd worker：允许 BuildKit 使用 containerd 管理的本地镜像缓存，也就是说 nerdctl 构建的镜像能够用作基础镜像。
+OCI worker：不使用 containerd 管理的镜像缓存，这意味着无法访问由 nerdctl 构建的镜像，因为它们被 containerd 所管理。因此，若使用 OCI worker，BuildKit 只能直接从镜像仓库拉取镜像，无法利用本地缓存。
+
+默认情况下，如果没有特别设置，BuildKit 很可能使用 OCI worker，因此无法使用 containerd 管理的镜像。
+若要确保 BuildKit 使用 containerd worker，需要配置 /etc/buildkit/buildkitd.toml (/etc/buildkit/buildkit.toml) 文件，将 [worker.containerd] 设置为 enabled = true 并指定 namespace 为 "default"（或你指定的 namespace）。
+
+sudo systemctl status buildkit
+
+sudo systemctl enable --now buildkit
+
+编辑文件`/etc/buildkit/buildkit.toml`
+
+```shell
+[worker.oci]
+  # 关闭OCI
+  enabled = false
+
+[worker.containerd]
+  enabled = true
+  # namespace should be "k8s.io" for Kubernetes (including Rancher Desktop)
+  namespace = "buildkit" # 修改为'k8s.io' 可以从这里进行缓存镜像。
+  platforms = [ "linux/amd64", "linux/arm64" ]
+  gc = true
+  # gckeepstorage sets storage limit for default gc profile, in MB.
+  gckeepstorage = 9000
+
+# registry configures a new Docker register used for cache import or output.
+[registry."docker.io"]
+  # mirror configuration to handle path in case a mirror registry requires a /project path rather than just a host:port
+  mirrors = ["https://upnuemce.mirror.aliyuncs.com", "core.harbor.domain/proxy.docker.io"]
+  http = true
+  insecure = true
+  #ca=["/etc/config/myca.pem"]
+  #[[registry."docker.io".keypair]]
+    #key="/etc/config/key.pem"
+    #cert="/etc/config/cert.pem"
+```
+
+https://docker.unsee.tech https://dockerhub.icu
+
+sudo systemctl restart buildkit
+
+## root 用户创建 buildkit.service
+
+```shell
+    echo "配置 buildkitd 服务..."
+
+    # 创建 buildkitd 配置文件目录
+    sudo mkdir -p /etc/buildkit
+    # https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md
+    sudo tee /etc/buildkit/buildkit.toml > /dev/null <<EOT
+[worker.oci]
+  enabled = false
+
+[worker.containerd]
+  enabled = true
+  # namespace should be "k8s.io" for Kubernetes (including Rancher Desktop)
+  namespace = "buildkit"
+  platforms = [ "linux/amd64", "linux/arm64" ]
+  gc = true
+  # gckeepstorage sets storage limit for default gc profile, in MB.
+  gckeepstorage = 9000
+
+# registry configures a new Docker register used for cache import or output.
+[registry."docker.io"]
+  # mirror configuration to handle path in case a mirror registry requires a /project path rather than just a host:port
+  mirrors = ["https://upnuemce.mirror.aliyuncs.com", "core.harbor.domain/proxy.docker.io"]
+  http = true
+  insecure = true
+  #ca=["/etc/config/myca.pem"]
+  #[[registry."docker.io".keypair]]
+    #key="/etc/config/key.pem"
+    #cert="/etc/config/cert.pem"
+EOT
+
+    sudo tee /etc/systemd/system/buildkit.service > /dev/null <<EOT
+[Unit]
+Description=BuildKit Daemon
+Documentation=https://github.com/moby/buildkit
+Requires=buildkit.socket
+After=network.target buildkit.socket
+
+[Service]
+Type=notify
+ExecStart=/usr/local/bin/buildkitd --config /etc/buildkit/buildkit.toml --addr fd://
+Restart=always
+RestartSec=10s
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target
+EOT
+
+    sudo tee /etc/systemd/system/buildkit.socket > /dev/null <<EOT
+[Unit]
+Description=BuildKit
+Documentation=https://github.com/moby/buildkit
+
+[Socket]
+ListenStream=%t/buildkit/buildkitd.sock
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
+EOT
+```
--- a/nerdctl/setup_buildkit_config_rootless.sh
+++ b/nerdctl/setup_buildkit_config_rootless.sh
@@ -2,7 +2,6 @@

 # setup_buildkit_config_rootless.sh
 # 说明：此脚本用于配置 BuildKit 的 rootless 模式配置文件。
-# 官方文档和配置选项请参考：https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md

 # 获取当前执行脚本的用户
 CURRENT_USER=$(whoami)
@@ -11,6 +10,7 @@ echo "当前用户：$CURRENT_USER"
 # BuildKit 配置文件路径
 CONFIG_DIR="$HOME/.config/buildkit"
 CONFIG_FILE="$CONFIG_DIR/buildkit.toml"
+CONFIG_FILE_D="$CONFIG_DIR/buildkitd.toml"  # 新增 buildkitd.toml 文件路径

 # 镜像源配置
 declare -A mirrors
@@ -31,8 +31,8 @@ mirrors=(
 # 创建配置目录
 mkdir -p "$CONFIG_DIR"

-# 生成 BuildKit 配置文件
-echo "生成 BuildKit 配置文件..."
+# 生成 BuildKit 配置文件 buildkit.toml
+echo "生成 BuildKit 配置文件 buildkit.toml..."
 cat > "$CONFIG_FILE" <<EOF
 [worker.oci]
  enabled = false
@@ -49,6 +49,10 @@ cat > "$CONFIG_FILE" <<EOF
 # 注册表配置，包含多个镜像加速器
 EOF

+# 生成 BuildKit 配置文件 buildkitd.toml (复制 buildkit.toml 内容)
+cp "$CONFIG_FILE" "$CONFIG_FILE_D"
+echo "生成 BuildKit 配置文件 buildkitd.toml..."
+
 # 添加镜像源到配置文件
 echo "配置镜像加速器..."
 for registry in "${!mirrors[@]}"; do
@@ -62,6 +66,9 @@ for registry in "${!mirrors[@]}"; do
 EOF
 done

+# 将同样的镜像源配置追加到 buildkitd.toml
+cat "$CONFIG_FILE" > "$CONFIG_FILE_D"
+
 # 设置 /run/containerd/containerd.sock 权限
 echo "配置 containerd.sock 的权限..."

@@ -87,5 +94,5 @@ sudo systemctl restart buildkit
 echo "完成。请重新登录会话以应用对组的更改，使 $CURRENT_USER 可以使用 /run/containerd/containerd.sock。"

 # 输出完成信息
-echo "BuildKit 配置文件已生成: $CONFIG_FILE"
+echo "BuildKit 配置文件已生成: $CONFIG_FILE 和 $CONFIG_FILE_D"
 echo "镜像配置已设置完成，详细选项请参考官方文档：https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md"
--- a/nerdctl/setup_containerd_mirror_rootless.sh
+++ b/nerdctl/setup_containerd_mirror_rootless.sh
@@ -69,7 +69,7 @@ fi
 # 配置镜像源的主机和路径
 declare -A mirrors
 mirrors=(
-  ["docker.io"]="https://docker.io https://docker.unsee.tech https://dockerhub.icu"
+  ["docker.io"]="https://docker.io https://docker.unsee.tech https://dockerhub.icu https://upnuemce.mirror.aliyuncs.com"
  ["registry.k8s.io"]="https://registry.k8s.io https://k8s.m.daocloud.io"
  ["docker.elastic.co"]="https://docker.elastic.co https://elastic.m.daocloud.io"
  ["gcr.io"]="https://gcr.io https://gcr.m.daocloud.io"
@@ -106,9 +106,19 @@ done
 nerdctl --namespace k8s.io image prune -a --force
 nerdctl --namespace default image prune -a --force

+# 重启 containerd 服务
+echo "重启 containerd 服务..."
+systemctl --user daemon-reload
+systemctl --user restart containerd
+sudo systemctl daemon-reload
+sudo systemctl restart containerd
+
 # 测试配置是否生效
 echo '测试配置是否生效...'
-if ctr --namespace=default image pull --hosts-dir "$CONFIG_PATH" docker.io/library/alpine:latest; then
+# nerdctl --namespace=default pull docker.io/bioconductor/cuda:devel
+# nerdctl --namespace=default pull docker.io/bioconductor/cuda:devel-R-devel
+# nerdctl --namespace=default --hosts-dir="$HOME/.config/containerd/certs.d" pull docker.io/ollama/ollama:latest
+if nerdctl --namespace=default --hosts-dir="$CONFIG_PATH" pull docker.io/library/alpine:latest; then
  echo "镜像加速配置成功！"
 else
  echo "镜像加速配置失败，请检查配置。"
--- a/nerdctl/setup_nerdctl_config_rootless.sh
+++ b/nerdctl/setup_nerdctl_config_rootless.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# setup_nerdctl_config.sh
+# 说明：此脚本用于配置 nerdctl 的 rootless 模式配置文件 ~/.config/nerdctl/nerdctl.toml。
+# 该配置文件包含 nerdctl 的基础配置，如调试模式、socket 地址、命名空间等。
+
+# 获取当前用户
+CURRENT_USER=$(whoami)
+echo "当前用户：$CURRENT_USER"
+
+# 配置文件路径
+CONFIG_DIR="$HOME/.config/nerdctl"
+CONFIG_FILE="$CONFIG_DIR/nerdctl.toml"
+
+# 创建配置目录
+mkdir -p "$CONFIG_DIR"
+
+# 生成 nerdctl 配置文件
+echo "生成 nerdctl 配置文件..."
+cat > "$CONFIG_FILE" <<EOF
+debug = false
+address = "unix:///run/containerd/containerd.sock"
+namespace = "buildkit"
+snapshotter = "overlayfs"
+cgroup_manager = "cgroupfs"
+hosts_dir = ["$HOME/.config/containerd/certs.d"]
+experimental = true
+EOF
+
+# 确保 /run/containerd/containerd.sock 权限正确
+echo "配置 containerd.sock 的权限..."
+sudo groupadd -f containerd      # 创建 containerd 组（如果不存在）
+sudo usermod -aG containerd "$CURRENT_USER"  # 将当前用户添加到 containerd 组
+sudo chgrp containerd /run/containerd/containerd.sock
+sudo chmod 660 /run/containerd/containerd.sock
+
+# 重启相关服务
+echo "重启相关服务以应用新配置..."
+systemctl --user daemon-reload
+systemctl --user restart nerdctl
+sudo systemctl daemon-reload
+sudo systemctl restart containerd
+
+# 提示用户重新登录以应用对组的更改
+echo "完成。请重新登录会话以应用对 containerd 组的更改，使 $CURRENT_USER 可以使用 /run/containerd/containerd.sock。"
+
+# 输出完成信息
+echo "nerdctl 配置文件已生成: $CONFIG_FILE"
+echo "相关服务已重启，详细配置选项请参考官方文档：https://github.com/containerd/nerdctl/blob/main/docs/config.md"
--- a/nerdctl/setup_nvidia_docker_containerd_rootless.sh
+++ b/nerdctl/setup_nvidia_docker_containerd_rootless.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# 获取当前执行脚本的用户
+CURRENT_USER=$(whoami)
+echo "当前用户：$CURRENT_USER"
+
+# 安装 NVIDIA Docker 工具包
+install_nvidia_docker() {
+    echo "正在安装 NVIDIA Docker..."
+    sudo apt-get update
+    sudo apt-get install -y curl gnupg lsb-release
+
+    # 配置 NVIDIA Docker 源
+    if ! grep -q "^deb .\+nvidia-container-toolkit" /etc/apt/sources.list /etc/apt/sources.list.d/*; then
+        curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
+        && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+        sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
+        sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+    else
+        echo "NVIDIA Docker 源已经配置，跳过此步骤。"
+    fi
+
+    sudo apt-get update
+    sudo apt-get install -y nvidia-container-toolkit
+}
+
+# 配置 NVIDIA Container Toolkit
+configure_nvidia_ctk() {
+    echo "正在配置 NVIDIA Container Toolkit..."
+    
+    # 创建 Rootless 模式下的 containerd 配置目录
+    mkdir -p "$HOME/.config/containerd"
+
+    # 配置 nvidia-ctk 到 Rootless 模式下的 config.toml
+    nvidia-ctk runtime configure --runtime=containerd --config="$HOME/.config/containerd/config.toml"
+
+    # 确保 /etc/nvidia-container-runtime/config.toml 存在，并配置为默认 runtime
+    if [ ! -f /etc/nvidia-container-runtime/config.toml ]; then
+        sudo nvidia-ctk config --set default-runtime --config=/etc/nvidia-container-runtime/config.toml
+    fi
+
+    # 配置 NVIDIA 共享库路径，确保加载 GPU 驱动
+    echo "/usr/lib/x86_64-linux-gnu" | sudo tee /etc/ld.so.conf.d/nvidia.conf
+    sudo ldconfig
+
+    # 添加 nvidia-container-cli 到 PATH
+    if ! echo "$PATH" | grep -q "/usr/bin"; then
+        echo 'export PATH=$PATH:/usr/bin' >> ~/.profile
+        source ~/.profile
+    fi
+}
+
+# 启用 cgroup v2 支持和权限调整
+configure_cgroup_v2() {
+    echo "配置 cgroup v2 支持..."
+    sudo chmod -R 755 /sys/fs/cgroup
+    sudo chown -R $(whoami) /sys/fs/cgroup
+
+    # 创建并设置 /etc/cni/tuning/allowlist.conf 文件
+    sudo mkdir -p /etc/cni/tuning
+    sudo touch /etc/cni/tuning/allowlist.conf
+    sudo chmod 644 /etc/cni/tuning/allowlist.conf
+    sudo chown -R $(whoami) /etc/cni
+}
+
+# 重启 containerd 服务
+restart_containerd() {
+    echo "重启 containerd 服务..."
+    systemctl --user daemon-reload
+    systemctl --user restart containerd
+    sudo systemctl daemon-reload
+    sudo systemctl restart containerd
+}
+
+# 执行所有步骤
+install_nvidia_docker
+configure_nvidia_ctk
+configure_cgroup_v2
+restart_containerd
+
+echo "所有步骤已完成，NVIDIA Docker 和 containerd 配置已更新。"
Author	SHA1	Message	Date
Your Name	14728853aa	update	2025-01-23 00:08:45 +08:00
Your Name	0692b1aec1	add	2025-01-22 23:52:39 +08:00
Your Name	664ad9b993	调整cni和tuning的用户权限	2024-11-12 23:33:03 +08:00
Your Name	948c4cc762	add path and cgroup v2 支持和权限调整	2024-11-12 23:31:14 +08:00
Your Name	9d5c4c90d1	add	2024-11-12 22:05:41 +08:00
Your Name	36e5154be0	update	2024-11-12 20:59:01 +08:00
Your Name	da19176e27	change name	2024-11-12 20:57:40 +08:00
Your Name	3cd77a4ae9	add nerdctl config	2024-11-12 20:57:09 +08:00
Your Name	1b2945a001	add mirror in aliyun	2024-11-12 20:45:48 +08:00
Your Name	8d49d85064	add buildkitd.toml 两个文件	2024-11-12 20:44:22 +08:00