containerd

http://strikr.in/ CC BY NC-SA 4.0 containerD [email protected]

Upload: strikrhq-

Post on 22-Jan-2018

TRANSCRIPT

Page 1: containerD

http://strikr.in/ CC BY NC-SA 4.0

containerD

[email protected]

Page 2: containerD

pattern seen in FOSS infra stack (figure: stack layers)

● Infrastructure
● Runtime
● Orchestration
● Differentiators
● Commercial extensions

Page 3: containerD

Docker as an example (figure mapping Docker components onto the layers): InfraKit; containerD; SwarmKit; Docker EE, Store etc.; Plugins; Storage; Networking; API; CLI; Compose; Build; Docker Content Trust; Distribution; Auth

Page 4: containerD

Docker Engine

● Container platform for
– Complete
– Distributed
– Application
– Life cycle

Page 5: containerD

Container engine split

containerD: a daemon born from extracting the container execution subset of the Docker Engine.

Page 6: containerD

What is a 'shim'?

● A shim is a small library that transparently
– intercepts API calls
– changes the arguments passed
– handles the operation itself or redirects

● Benefit
– Support an old API in a new environment
– Support a new API in an older environment
– Run programs on a platform other than the one they were developed for
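The three shim behaviours listed above, shown in a small Go shim. This is an added example, not code from the deck and not the containerd-shim project's code: the shim sits in front of an http.Client's transport, answers one deprecated call (/ping) itself, rewrites another (/v1/containers) to its replacement path, and passes everything else through untouched. The paths, the LegacyShim type and the server in main are hypothetical and constructed for the demo.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// LegacyShim is a hypothetical shim placed between an old client and a new
// server API. Like any shim it intercepts every call and, per call, either
// answers itself, rewrites the arguments, or redirects to the real transport.
type LegacyShim struct {
	Next    http.RoundTripper // the real transport behind the shim
	Rewrite map[string]string // deprecated path -> replacement path
	Handled int               // calls the shim answered without the network
}

// RoundTrip makes LegacyShim an http.RoundTripper, so an unmodified client
// keeps calling the old API while the shim adapts it to the new environment.
func (s *LegacyShim) RoundTrip(req *http.Request) (*http.Response, error) {
	// 1. Handle the operation itself: the old API's /ping no longer exists
	//    server-side, so the shim synthesises the reply.
	if req.URL.Path == "/ping" {
		s.Handled++
		return &http.Response{
			StatusCode: http.StatusOK,
			Status:     "200 OK",
			Header:     http.Header{"Content-Type": {"text/plain"}},
			Body:       io.NopCloser(strings.NewReader("pong")),
			Request:    req,
		}, nil
	}
	// 2. Change the arguments: translate a deprecated path into its successor.
	//    Cloning keeps the caller's request object untouched.
	if newPath, ok := s.Rewrite[req.URL.Path]; ok {
		req = req.Clone(req.Context())
		req.URL.Path = newPath
	}
	// 3. Redirect everything else to the real transport unchanged.
	return s.Next.RoundTrip(req)
}

// NewShimmedClient wires the shim in front of the given transport.
func NewShimmedClient(next http.RoundTripper, rewrite map[string]string) (*http.Client, *LegacyShim) {
	shim := &LegacyShim{Next: next, Rewrite: rewrite}
	return &http.Client{Transport: shim}, shim
}

// Get fetches url through the client and returns the status code and body text.
func Get(c *http.Client, url string) (int, string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	// Constructed "new" server: it only knows the /v2 path and echoes what it saw.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/v2/containers" {
			fmt.Fprint(w, "served "+r.URL.Path)
			return
		}
		http.NotFound(w, r)
	}))
	defer srv.Close()

	client, shim := NewShimmedClient(http.DefaultTransport, map[string]string{"/v1/containers": "/v2/containers"})
	for _, p := range []string{"/ping", "/v1/containers", "/v2/containers", "/v1/images"} {
		code, body, err := Get(client, srv.URL+p)
		fmt.Printf("%-15s -> %d %q err=%v\n", p, code, strings.TrimSpace(body), err)
	}
	fmt.Println("handled locally:", shim.Handled)
}
```

The point to notice is that the client code never changes: the shim is swapped in as the transport, and every call it does not recognise reaches the real server exactly as sent, which is what lets a shim sit between two components without either side knowing it is there.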

Page 7: containerD

Figure: Docker above containerD; containerD fans out to several containerD-shim processes, each of which invokes runC.

Page 8: containerD

containerD

● Core container runtime
● The daemon that controls runC

Page 9: containerD

ContainerD

● Architecture
– designed to be embedded into a larger system
– rather than being used directly by developers or end-users.

● daemon
– exposes gRPC API over a local UNIX socket.
– unix:///var/run/docker/libcontainerd/docker-containerd.sock
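The UNIX socket named above is the daemon's whole control surface, and connecting to a UNIX socket requires write permission on it, so the socket's mode bits decide which local users can drive the gRPC API. The Go check below is an added example, not containerd's or ctr's own code: it reports a socket that is world- or group-writable, or a path where something other than a socket has been placed. The demo socket it creates in main is constructed, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// SocketReport is what CheckControlSocket found about one socket file.
type SocketReport struct {
	Path     string
	IsSocket bool
	Perm     os.FileMode
	Findings []string // empty means nothing to report
}

// SocketPath strips the unix:// scheme that ctr's --address accepts, so
// "unix:///run/containerd/containerd.sock" and "/run/containerd/containerd.sock"
// name the same file.
func SocketPath(addr string) string {
	return strings.TrimPrefix(addr, "unix://")
}

// CheckControlSocket inspects the filesystem node behind a local gRPC endpoint
// such as containerd's socket. Connecting to a UNIX socket requires write
// permission on it, so the mode bits decide who may talk to the daemon.
func CheckControlSocket(addr string) (SocketReport, error) {
	path := SocketPath(addr)
	fi, err := os.Lstat(path) // Lstat: do not follow a symlink planted at the path
	if err != nil {
		return SocketReport{Path: path}, err
	}
	r := SocketReport{
		Path:     path,
		IsSocket: fi.Mode()&os.ModeSocket != 0,
		Perm:     fi.Mode().Perm(),
	}
	if !r.IsSocket {
		r.Findings = append(r.Findings, "not a UNIX socket: a symlink or regular file sits at this path")
	}
	if r.Perm&0o002 != 0 {
		r.Findings = append(r.Findings, "world-writable: any local user can connect")
	}
	if r.Perm&0o020 != 0 {
		r.Findings = append(r.Findings, "group-writable: every member of the socket's group can connect; confirm that group is intended")
	}
	return r, nil
}

func main() {
	// Constructed demo: listen on a throwaway socket and check it under three modes.
	dir, err := os.MkdirTemp("", "sock-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "demo.sock")
	ln, err := net.Listen("unix", sock)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, mode := range []os.FileMode{0o666, 0o660, 0o600} {
		if err := os.Chmod(sock, mode); err != nil {
			panic(err)
		}
		r, err := CheckControlSocket("unix://" + sock)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%04o -> %d finding(s) %v\n", mode, len(r.Findings), r.Findings)
	}
}
```

Run it against a live daemon's socket path (for example the docker-containerd.sock path on this slide or the /run/containerd/containerd.sock default shown on the ctr slides) to see who can reach the API; the group-writable finding is informational, since a deliberately chosen group such as a root-only group is a normal configuration.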

Page 10: containerD

containerD

● API design
– low-level one designed for higher layers to wrap and extend.

● CLI
– a barebone CLI (ctr) designed for development and debugging purposes.

● interface with runC
– uses runC to run containers according to the OCI specification.

Page 11: containerD

RoadMap (figure: milestone table; only its column markers survived the transcript)

Page 12: containerD

the promise of containerD 1.0

● Container execution and supervision
● Image distribution
● Network Interfaces Management
● Local storage
● Native plumbing level API
● Full OCI support, including the extended OCI image specification

Windows – Linux parity

8 months ago

Page 13: containerD

the promise of containerD 1.0

● OCI Image Spec support
● OCI Runtime Spec support (aka runC)
● Image push and pull support
● Container runtime and lifecycle support
● Network primitives for creation, modification, and deletion of interfaces
● Management of network namespaces; containers to join existing namespaces
● Multi-tenant supported with CAS storage for global images

July 29th 2017

Page 14: containerD

Page 15: containerD

containerD components

Page 16: containerD

ctr shipped with Docker 17.06

$ docker-containerd-ctr --help
NAME:
   ctr - High performance container daemon cli

USAGE:
   docker-containerd-ctr [global options] command [command options] [arguments...]

VERSION:
   0.2.3 commit: cfb82a876ecc11b5ca0977d1733adbe58599088a

Page 17: containerD

ctr shipped with Docker 17.06

COMMANDS:
   checkpoints  list all checkpoints
   containers   interact with running containers
   events       receive events from the containerd daemon
   state        get a raw dump of the containerd state
   version      return the daemon version
   help, h      Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug               enable debug output in the logs
   --address value       proto://address of GRPC API (default: "unix:///run/containerd/containerd.sock")
   --conn-timeout value  GRPC connection timeout (default: 1s)
   --help, -h            show help
   --version, -v         print the version

unix:///var/run/containerd/containerd.sock

Page 18: containerD

ctr (master as of 2017-07-29)

USAGE:
   ctr-20170729 [global options] command [command options] [arguments...]

VERSION: v1.0.0-alpha2-18-g20fa6aee

GLOBAL OPTIONS: --debug enable debug output in logs

--address value, -a value address for containerd's GRPC server (default: "/run/containerd/containerd.sock")

--timeout value total timeout for ctr commands (default: 0s)

--connect-timeout value timeout for connecting to containerd (default: 0s)

--namespace value, -n value namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]

--help, -h show help

--version, -v print the version

Page 19: containerD

COMMANDS:
   apply          apply layer from stdin to dir
   attach         attach to the IO of a running container
   checkpoint     checkpoint a container
   containers, c  manage containers (metadata)
   content        content management
   events         display containerd events
   exec           execute additional processes in an existing container
   fetch          fetch all content for an image into containerd
   fetch-object   retrieve objects from a remote
   images         image management
   info           get info about a container
   kill           signal a container (default: SIGTERM)
   namespaces     manage namespaces
   pause          pause an existing container
   pprof          provides golang pprof outputs for containerd
   ps             list processes for container
   pull           pull an image from a remote
   push           push an image to a remote
   push-object    pushes an object to a remote
   resume         resume a paused container
   rootfs         rootfs setups a rootfs
   run            run a container
   snapshot       snapshot management
   tasks, t       manage tasks
   version        print the version
   shim           interact with a shim directly
   help, h        shows a list of commands or help for one command

Page 20: containerD

ctr usage examples

Start a container, say:

docker run --interactive --tty alpine:latest /bin/sh

List the containers containerD knows about:

docker-containerd-ctr \
  --address "/var/run/docker/libcontainerd/docker-containerd.sock" \
  containers

Run an additional process inside that container (the --id value is the container id reported by the previous command):

docker-containerd-ctr \
  --address "/var/run/docker/libcontainerd/docker-containerd.sock" \
  containers exec \
  --id=346c1b7bbb04b760032557e1324a4027ec0055ea84dca109134c02e03dc1242c \
  --pid=20 \
  --cwd=/ \
  -a /bin/ps aux

Dump the daemon's state for that container:

docker-containerd-ctr \
  --address "/var/run/docker/libcontainerd/docker-containerd.sock" \
  state 346c1b7bbb04b760032557e1324a4027ec0055ea84dca109134c02e03dc1242c

Page 21: containerD

the promise of containerD 1.0
https://github.com/containerd/containerd/milestones

July 29th 2017, 0630 IST

Page 22: containerD

containerD in the ecosystem (figure): containerD in the centre, surrounded by the orchestrators and vendor platforms that build on it: Swarm / Docker; Pivotal; Mesos / DC/OS; k8s; OpenShift; Google; Swarm on Azure; Cloud Foundry / BlueMix; your own Mesos, k8s or ECS on AWS. Operating systems along the bottom: SmartOS, Linux, Solaris, Windows, MacOS. "$$" markers sit beside the commercial offerings.

Page 23: containerD

containerD in the ecosystem (figure, same layout as the previous slide: Swarm / Docker, Pivotal, Mesos / DC/OS, k8s, OpenShift, Google, Azure, Cloud Foundry / BlueMix, your own Mesos, k8s or ECS on AWS, with "$$" markers beside the commercial offerings; SmartOS, Linux, Solaris, Windows, MacOS along the bottom) with one addition:

OCI (Open Container Initiative)

Page 24: containerD

runC

● universal runtime for OS Containers
● CLI tool for spawning and running containers according to the OCI specification.

Page 25: containerD

runC

● a CLI tool for spawning and running containers according to the OCI specification.

● runC
– Depends on the runtime-spec repo
– Supports the Linux platform only
– Must be built with Go 1.6+
– Build tags select optional features
– Linux kernel 4.3+
– Uses 'vndr' for dependency management

Page 26: containerD

runC

Figure: rootfs + config.json form a bundle; runC consumes the bundle and the container is executed.

Containers are configured using bundles.

A bundle for a container is a directory that includes
- a specification file named "config.json" and
- a root filesystem rootfs.

The root filesystem contains the contents of the container.

Page 27: containerD

runC

USAGE:
   runc [global options] command [command options] [arguments...]

COMMANDS:
   checkpoint  checkpoint a running container
   delete      delete any resources held by the container often used with detached containers
   events      display container events such as OOM notifications, cpu, memory, IO, network stats
   exec        execute new process inside the container
   init        initialize the namespaces and launch the process (do not call it outside of runc)
   kill        kill sends the specified signal (default: SIGTERM) to the container's init process
   list        lists containers started by runc with the given root
   pause       pause suspends all processes inside the container
   restore     restore a container from a previous checkpoint
   resume      resumes all processes that have been previously paused
   spec        create a new specification file
   start       create and run a container
   state       output the state of a container
   help, h     Shows a list of commands or help for one command

Page 28: containerD

runC CLI

GLOBAL OPTIONS:

--debug enable debug output for logging

--log "/dev/null" set the log file path where internal debug information is written

--log-format "text" set the format used by logs ('text' (default), or 'json')

--root "/run/runc" root directory for storage of container state (this should be located in tmpfs)

--criu "criu" path to the criu binary used for checkpoint and restore

--systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"

--help, -h show help

--version, -v print the version
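Two things on the last slides are worth checking before handing a bundle to runc: the bundle layout from Page 26 (a directory holding config.json and a rootfs, where config.json's root.path must actually land inside the bundle) and the "slice:prefix:name" shape that the --systemd-cgroup option above expects for cgroupsPath. The Go validator below is an added example, not runc's own code: its struct keeps only the config.json fields it reads (ociVersion, root.path, root.readonly, process.args and linux.cgroupsPath, all of which are runtime-spec fields), the bundle written by WriteSampleBundle is constructed for the demo, and the function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// bundleConfig covers only the config.json fields this check reads.
// Field names follow the OCI runtime-spec; unknown fields are ignored.
type bundleConfig struct {
	OCIVersion string `json:"ociVersion"`
	Root       struct {
		Path     string `json:"path"`
		Readonly bool   `json:"readonly"`
	} `json:"root"`
	Process struct {
		Args []string `json:"args"`
	} `json:"process"`
	Linux struct {
		CgroupsPath string `json:"cgroupsPath"`
	} `json:"linux"`
}

// ValidSystemdCgroupsPath reports whether p has the "slice:prefix:name" shape
// that runc's --systemd-cgroup option expects (e.g. "system.slice:runc:434234").
func ValidSystemdCgroupsPath(p string) bool {
	parts := strings.Split(p, ":")
	if len(parts) != 3 {
		return false
	}
	for _, s := range parts {
		if s == "" || strings.ContainsAny(s, "/ ") {
			return false
		}
	}
	return strings.HasSuffix(parts[0], ".slice")
}

// ValidateBundle inspects an OCI bundle directory (config.json + rootfs) and
// returns a list of findings; an empty list means the bundle passed.
// systemdCgroup mirrors runc's --systemd-cgroup flag and selects the cgroupsPath rule.
func ValidateBundle(dir string, systemdCgroup bool) ([]string, error) {
	var findings []string
	raw, err := os.ReadFile(filepath.Join(dir, "config.json"))
	if err != nil {
		return nil, fmt.Errorf("bundle has no readable config.json: %w", err)
	}
	var cfg bundleConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("config.json is not valid JSON: %w", err)
	}
	if cfg.OCIVersion == "" {
		findings = append(findings, "ociVersion is missing")
	}
	if len(cfg.Process.Args) == 0 {
		findings = append(findings, "process.args is empty: nothing to execute")
	}
	if !cfg.Root.Readonly {
		findings = append(findings, "root.readonly is false: rootfs is writable from inside the container")
	}
	if cfg.Root.Path == "" {
		findings = append(findings, "root.path is missing")
		return findings, nil
	}
	// A relative root.path is relative to the bundle directory. Resolve
	// symlinks on both sides so a rootfs that is a link to somewhere outside
	// the bundle is caught as well.
	bundleReal, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return nil, err
	}
	rootPath := cfg.Root.Path
	if !filepath.IsAbs(rootPath) {
		rootPath = filepath.Join(bundleReal, rootPath)
	}
	rootReal, err := filepath.EvalSymlinks(rootPath)
	switch {
	case err != nil:
		findings = append(findings, "root.path does not exist: "+cfg.Root.Path)
	case rootReal != bundleReal && !strings.HasPrefix(rootReal, bundleReal+string(os.PathSeparator)):
		findings = append(findings, "root.path resolves outside the bundle directory (review): "+rootReal)
	default:
		if fi, err := os.Stat(rootReal); err != nil || !fi.IsDir() {
			findings = append(findings, "root.path is not a directory: "+rootReal)
		}
	}
	if systemdCgroup && !ValidSystemdCgroupsPath(cfg.Linux.CgroupsPath) {
		findings = append(findings, "linux.cgroupsPath must be slice:prefix:name under --systemd-cgroup: "+cfg.Linux.CgroupsPath)
	}
	return findings, nil
}

// WriteSampleBundle writes a constructed bundle into dir (an empty rootfs and a
// minimal config.json); it exists only to give the validator something to read.
func WriteSampleBundle(dir, rootPath string, readonly bool) error {
	if err := os.MkdirAll(filepath.Join(dir, "rootfs"), 0o755); err != nil {
		return err
	}
	cfg := map[string]any{
		"ociVersion": "1.0.0",
		"root":       map[string]any{"path": rootPath, "readonly": readonly},
		"process":    map[string]any{"args": []string{"/bin/sh"}},
		"linux":      map[string]any{"cgroupsPath": "system.slice:runc:demo"},
	}
	raw, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "config.json"), raw, 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "bundle-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	cases := []struct {
		root string
		ro   bool
	}{{"rootfs", true}, {"../..", true}, {"rootfs", false}}
	for _, c := range cases {
		if err := WriteSampleBundle(dir, c.root, c.ro); err != nil {
			panic(err)
		}
		findings, err := ValidateBundle(dir, true)
		if err != nil {
			panic(err)
		}
		fmt.Printf("root.path=%q readonly=%v -> %d finding(s) %v\n", c.root, c.ro, len(findings), findings)
	}
}
```

The root.path check is the one to keep even if the rest is dropped: a config.json that points root.path at a directory outside the bundle is syntactically valid, so nothing in JSON parsing alone will reject it.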

Page 29: containerD

runC client

● runc is a command line client for running applications packaged according to the Open Container Format (OCF) and is a compliant implementation of the Open Container Initiative (OCI) specification.

Page 30: containerD

runC and process supervisors

● runc integrates well with existing process supervisors to provide a production container runtime environment for applications.

● runc can be used with your existing process monitoring tools and the container will be spawned as a direct child of the process supervisor.

Page 31: containerD

References (shim)

● https://en.wikipedia.org/wiki/Shim_(computing)
● http://www.ryde.net/code/bind.c.txt
● http://technet.microsoft.com/en-us/library/dd837644(v=WS.10).aspx

Page 32: containerD

References (containerD)

● https://github.com/containerd/containerd

● https://github.com/containerd/containerd/milestones

Page 33: containerD

References (runC)

● https://github.com/opencontainers/runc

Page 34: containerD

References (OCI Specs)

● OCI Image Spec https://www.slideshare.net/StrikrHQ/oci-image-spec

● OCI Runtime Spec https://www.slideshare.net/StrikrHQ/oci-runtime-spec