Containerd/containerd: An open and reliable container runtime


containerd is an industry-standard container runtime with an emphasis on simplicity, robustness, and portability. It is available as a daemon for Linux and Windows, which can manage the entire container lifecycle of its host system: image transfer and storage, container execution and monitoring, low-level storage and network connections, etc.

containerd is a CNCF member with ‘graduated’ status.

Containerd is designed to be integrated into a larger system, rather than being used directly by developers or end users.

Announcements

Hello Kubernetes v1.24!

The containerd project wants to announce containerd v1.6.4. While other older versions are supported, this latest version and containerd v1.5.11 are recommended for Kubernetes v1.24.

We felt it was important to announce this, particularly in light of the removal of dockershim from this version of Kubernetes.

It should be noted here that moving to CRI integrations has been in the plan for many years. containerd started as part of Docker and was donated to CNCF. containerd remains in use today by Docker/moby/buildkit, etc., and has many other adopters. containerd has a namespace that isolates use of containerd by its various clients/adopters. The Kubernetes namespace is appropriately named k8s.io. The CRI API and the containerd CRI plugin project have been, from the beginning, an effort to reduce the impact surface for Kubernetes container runtime integration. If you can’t tell, we’re excited to see this come to fruition.

If you have any concerns or questions, we’ll be here to answer them in issues, discussions, and/or on Slack. Below you will find information/details about our CRI integration implementation.

For containerd users who are already on v1.6.0-v1.6.3, there are known issues fixed by v1.6.4. The issues are mainly related to CNI configuration.

Now Recruiting

We are a great inclusive OSS project that welcomes help of any kind, shape, or form:

  • Documentation help is needed to make the product easier to consume and spread.
  • We need OSS organizing and community outreach help to spread the word; manage and create messages and educational content; and help with social media, community forums/groups, and Google Groups.
  • We are actively inviting new security advisors to join the team.
  • New sub-projects, core and non-core, are being created that may require additional development assistance.
  • Each of the containerd projects has a list of issues that are currently being worked on or need help solving.
    • If the issue has not yet been assigned to someone or has not progressed recently, and you are interested, please ask.
    • If you’re interested in starting with a smaller/beginner-level issue, look for issues with an exp/beginner tag, for example, beginner issues in containerd/containerd.

Getting Started

See our documentation on containerd.io:

  • for operations and administrators
  • namespaces
  • client options

See how to build containerd from source in BUILDING.

If you’re interested in trying containerd, check out our example on Getting Started.

Nightly builds

Nightly builds are available for download here. Binaries are generated from the main branch every night for Linux and Windows.

Please note: nightly builds may have critical errors, are not recommended for use in production, and are not supported.

Runtime requirements

The runtime requirements for containerd are very minimal. Most interactions with Linux and Windows container feature sets are handled through runc and/or operating system-specific libraries (e.g., hcsshim for Microsoft). The current required version of runc is described in RUNC.md.

There are specific features used by containerd core code and snapshotters that will require a minimal kernel version on Linux. With the understood caveat of the distribution’s kernel versioning, a reasonable starting point for Linux is a minimum version of the 4.x kernel.

The overlay file system snapshotter, used by default, uses features that were finalized in the 4.x kernel series. If you choose to use btrfs, there may be more flexibility in the kernel version (the recommended minimum is 3.18), but it will require the btrfs kernel module and btrfs tools to be installed on your Linux distribution.

To use the checkpoint and restore features of Linux, you will need criu installed on your system. See more details at Checkpoint and Restore.

Build requirements for developers are listed in BUILDING.

Supported Registries

Any registry that complies with the OCI Distribution Specification is supported by containerd.

To configure registries, see the registry host configuration documentation.

Features

Client

containerd offers a complete client package to help you integrate containerd into your platform.

Namespaces

Namespaces allow multiple consumers to use the same containerd without conflicting with each other. It has the advantage of sharing content while maintaining separation with containers and images.

To set a namespace for API requests:

To set a default namespace on the client:

Distribution

Containers

In containerd, a container is a metadata object. Resources such as an OCI runtime specification, image, root file system, and other metadata can be attached to a container.

OCI Runtime Specification

containerd fully supports the OCI runtime specification for running containers. We have built-in features to help you generate runtime specifications based on custom images and parameters.

You can specify options when creating a container about how to modify the specification.

Root Filesystems

containerd allows you to use overlay or snapshot file systems with your containers. It comes with built-in support for overlayfs and btrfs.

Tasks

Taking a container object and converting it into an executable process on a system is done by creating a new task from the container. A task represents the executable object within containerd.

Checkpoint and restore

If you have criu installed on your machine, you can checkpoint and restore containers and their tasks. This allows you to clone and/or migrate live containers to other machines.

In addition to containerd's built-in snapshot plugins, additional external plugins can be configured using GRPC. An external plugin is available under the configured name and appears as a plugin next to the built-in ones.

To add an external snapshot plugin, add the plugin to containerd’s configuration file (by default in /etc/containerd/config.toml). The string that follows proxy_plugins. will be used as the name of the snapshotter, and the address must refer to a socket with a GRPC listener serving containerd’s snapshot GRPC API. Remember to restart containerd for the configuration changes to take effect.
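
The address in a proxy plugin entry decides which process containerd talks to for snapshot operations, so it is worth linting before a restart. The Go sketch below is an added example, not code from the containerd project: it audits the `[proxy_plugins.<name>]` tables of a config.toml, and the sample config, plugin names, regular expression and directory policy are all assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample config; plugin names and socket paths are made up.
const sample = `
[proxy_plugins]
  [proxy_plugins.customsnapshot]
    type = "snapshot"
    address = "/run/custom-snapshotter/grpc.sock"
  [proxy_plugins.scratch]
    type = "snapshot"
    address = "/tmp/snap.sock"
  [proxy_plugins.relative]
    type = "snapshot"
    address = "snap.sock"
`

// entry captures a table's name and address; a narrow pattern, not a TOML parser.
var entry = regexp.MustCompile(`\[proxy_plugins\.([^\]\s]+)\][^\[]*?\baddress\s*=\s*"([^"]*)"`)

// checkAddress applies this example's own policy to one socket address.
func checkAddress(name, addr string) []string {
	var f []string
	if !strings.HasPrefix(addr, "/") {
		f = append(f, name+": address is not an absolute socket path")
	}
	for _, d := range []string{"/tmp/", "/var/tmp/", "/dev/shm/"} {
		if strings.HasPrefix(addr, d) {
			f = append(f, name+": socket is under world-writable "+d)
		}
	}
	return f
}

// AuditProxyPlugins returns findings for every proxy plugin, in file order.
func AuditProxyPlugins(conf string) []string {
	var findings []string
	for _, m := range entry.FindAllStringSubmatch(conf, -1) {
		findings = append(findings, checkAddress(m[1], m[2])...)
	}
	return findings
}

func main() { fmt.Println(strings.Join(AuditProxyPlugins(sample), "\n")) }
```

An empty result means every configured address is an absolute path outside the listed directories; it says nothing about the ownership or mode of the socket on disk, which still needs checking on the host.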

See PLUGINS.md to learn how to create plugins.

API versions and stability

See RELEASES.md for details on versioning and stability of containerd components.

Downloadable Intel/AMD 64-bit binaries of all official versions are available on our release page.

For other architectures and distribution support, you’ll find that many Linux distributions package their own containerd and provide it for various architectures, such as Canonical’s Ubuntu packaging.

Enabling command autocompletion

Starting with containerd 1.4, the urfave client feature for automatic creation of bash and zsh autocomplete data is enabled. To use the autocomplete feature in a bash shell, for example, source the autocomplete/ctr file in your .bashrc, or manually as:

Distribution of ctr autocomplete for bash and zsh

For bash, copy the contrib/autocomplete/ctr script into /etc/bash_completion.d/ and rename it to ctr. The zsh_autocomplete file is also available and can be used similarly for zsh users.

Provide documentation to users to source this file in their shell if you do not place the autocomplete file in a location where it is automatically loaded for the user’s shell environment.

CRI

cri is a containerd plugin implementation of the Kubernetes container runtime interface (CRI). With it, you can use containerd as the container runtime for a Kubernetes cluster.

CRI Status

cri is a native containerd plugin. Since containerd 1.1, the cri plugin is integrated into the release binaries and enabled by default.

Note: Starting with containerd 1.5, the cri plugin is merged into the containerd/containerd repository. For example, source code previously stored in containerd/cri/pkg was moved to the containerd/containerd/pkg/cri package.

The cri plugin has reached GA status, which means that it is:

  • Feature complete
  • Works with Kubernetes 1.10 and above
  • Passes all CRI validation tests
  • Passes all node e2e tests
  • Passes all e2e tests

View results in the containerd k8s test dashboard.

Validating the cri configuration

A Kubernetes incubator project, cri-tools, includes programs for exercising CRI deployments.

More importantly, cri-tools includes the critest program that is used to run CRI Validation Testing.

CRI Guides

  • Installing with Ansible and Kubeadm
  • For non-Ansible users, performing a custom installation using the release tarball and Kubeadm
  • CRI Plugin Test Guide
  • Debugging pods, containers, and images with crictl
  • Configuring cri plugins
  • Configuring containerd

Communication

For asynchronous communication and long-running discussions, use issues and pull requests in the GitHub repository. This will be the best place to discuss design and implementation.

For sync communication, catch us in the #containerd and #containerd-dev channels in Cloud Native Computing Foundation (CNCF) Slack – cloud-native.slack.com. Everyone is welcome to join and chat. Get an invitation to CNCF Slack.

Security audit

Security audits for the containerd project are hosted on our website. See the security page on containerd.io for more information.

Reporting Security Issues

Follow the instructions in containerd/project.

Licensing

The containerd codebase is released under the Apache 2.0 license. The README.md file and files in the “docs” folder are licensed under the Creative Commons Attribution 4.0 International License. You can obtain a copy of the license, titled CC-BY-4.0, from http://creativecommons.org/licenses/by/4.0/.

Project Details

containerd is the primary open source project within the broader containerd GitHub organization. However, all projects within the repository have common maintenance, governance, and contribution guidelines that are stored in a project repository shared by all containerd projects.

Find all of these basic project documents, including:

  • Project Governance,
  • Maintainers, and
  • contribution guidelines

information in our containerd/project repository.

Adoption

Interested in seeing who’s using containerd? Are you using containerd in a project? Add yourself via a pull request to our ADOPTERS.md file.