containerd
http://strikr.in/ CC BY NC-SA 4.0
pattern seen in FOSS infra stack
infrastructure
Runtime
Orchestration
Differentiators
Commercial extensions
Docker as an example
InfraKit
containerD
SwarmKit
Docker EE, Store etc.
Plugins
Storage
Networking
API
CLI
Compose
Build
Docker Content Trust
Distribution
Auth
Docker Engine
● Container platform for
– Complete
– Distributed
– Application
– Life cycle
Container engine split
containerD: a daemon born from extracting the container execution subset of the Docker Engine.
What is a 'shim'?
● A shim is a small library that transparently
– intercepts API calls
– changes the arguments passed
– handles the operation itself or redirects
● Benefit
– Support an old API in a new environment
– Support a new API in an older environment
– Run programs on a platform other than the one they were developed for
containerD
[Diagram labels: Docker; containerD; containerD-shim (three instances); runC (three instances)]
containerD
● Core container runtime
● The daemon that controls runC
ContainerD
● Architecture
– designed to be embedded into a larger system
– rather than being used directly by developers or end-users.
● daemon
– exposes gRPC API over a local UNIX socket.
– unix:///var/run/docker/libcontainerd/docker-containerd.sock
containerD
● API design
– a low-level one, designed for higher layers to wrap and extend.
● CLI
– a bare-bones CLI (ctr) designed for development and debugging purposes.
● interface with runC
– uses runC to run containers according to the OCI specification.
RoadMap
the promise of containerD 1.0
● Container execution and supervision
● Image distribution
● Network Interfaces Management
● Local storage
● Native plumbing level API
● Full OCI support, including the extended OCI image specification
Windows – Linux parity
8 months ago
the promise of containerD 1.0
● OCI Image Spec support
● OCI Runtime Spec support (aka runC)
● Image push and pull support
● Container runtime and lifecycle support
● Network primitives for creation, modification, and deletion of interfaces
● Management of network namespaces containers to join existing namespaces
● Multi-tenant supported with CAS storage for global images
July 29th 2017
containerD components
ctr shipped with Docker 17.06
$ docker-containerd-ctr --help
NAME: ctr - High performance container daemon cli
USAGE: docker-containerd-ctr [global options] command [command options] [arguments...]
VERSION: 0.2.3 commit: cfb82a876ecc11b5ca0977d1733adbe58599088a
ctr shipped with Docker 17.06
COMMANDS:
  checkpoints  list all checkpoints
  containers   interact with running containers
  events       receive events from the containerd daemon
  state        get a raw dump of the containerd state
  version      return the daemon version
  help, h      Shows a list of commands or help for one command
GLOBAL OPTIONS:
  --debug               enable debug output in the logs
  --address value       proto://address of GRPC API (default: "unix:///run/containerd/containerd.sock")
  --conn-timeout value  GRPC connection timeout (default: 1s)
  --help, -h            show help
  --version, -v         print the version
unix:///var/run/containerd/containerd.sock
ctr (master as of 2017-07-29)
USAGE: ctr-20170729 [global options] command [command options] [arguments...]
VERSION: v1.0.0-alpha2-18-g20fa6aee
GLOBAL OPTIONS:
  --debug                      enable debug output in logs
  --address value, -a value    address for containerd's GRPC server (default: "/run/containerd/containerd.sock")
  --timeout value              total timeout for ctr commands (default: 0s)
  --connect-timeout value      timeout for connecting to containerd (default: 0s)
  --namespace value, -n value  namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
  --help, -h                   show help
  --version, -v                print the version
COMMANDS:
  apply          apply layer from stdin to dir
  attach         attach to the IO of a running container
  checkpoint     checkpoint a container
  containers, c  manage containers (metadata)
  content        content management
  events         display containerd events
  exec           execute additional processes in an existing container
  fetch          fetch all content for an image into containerd
  fetch-object   retrieve objects from a remote
  images         image management
  info           get info about a container
  kill           signal a container (default: SIGTERM)
  namespaces     manage namespaces
  pause          pause an existing container
  pprof          provides golang pprof outputs for containerd
  ps             list processes for container
  pull           pull an image from a remote
  push           push an image to a remote
  push-object    pushes an object to a remote
  resume         resume a paused container
  rootfs         rootfs setups a rootfs
  run            run a container
  snapshot       snapshot management
  tasks, t       manage tasks
  version        print the version
  shim           interact with a shim directly
  help, h        shows a list of commands or help for one command
ctr usage examples
Start a container, say
docker run --interactive --tty alpine:latest /bin/sh

docker-containerd-ctr \
  --address "/var/run/docker/libcontainerd/docker-containerd.sock" containers

docker-containerd-ctr \
  --address "/var/run/docker/libcontainerd/docker-containerd.sock" containers \
  exec \
  --id=346c1b7bbb04b760032557e1324a4027ec0055ea84dca109134c02e03dc1242c \
  --pid=20 \
  --cwd=/ -a /bin/ps aux

docker-containerd-ctr \
  --address "/var/run/docker/libcontainerd/docker-containerd.sock" state 346c1b7bbb04b760032557e1324a4027ec0055ea84dca109134c02e03dc1242c
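The daemon's gRPC socket has no authentication of its own, so the ownership and mode of the socket file decide which local users can issue commands like the ones above. An added Python example (not from the slides or the containerd project) that checks the socket paths named in this deck; the function names and the expected owner uid 0 are assumptions.

```python
import os
import stat

# Socket paths that appear on the slides.
SLIDE_SOCKETS = [
    "/var/run/docker/libcontainerd/docker-containerd.sock",
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
]

def audit_socket(path, expected_uid=0):
    """Return findings for one control socket; an empty list means nothing was flagged."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return ["not present"]
    except PermissionError:
        return ["parent directory not searchable by this user"]
    if not stat.S_ISSOCK(st.st_mode):
        return ["path exists but is not a UNIX socket"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    # Connecting to a UNIX socket needs write permission on the socket file.
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can connect")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"group-writable: members of gid {st.st_gid} can connect")
    return findings

def audit_all(paths=SLIDE_SOCKETS):
    """Audit every socket path from the slides; returns {path: findings}."""
    return {p: audit_socket(p) for p in paths}

if __name__ == "__main__":
    for sock, result in audit_all().items():
        print(sock, "->", result or "ok")
```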
the promise of containerD 1.0
https://github.com/containerd/containerd/milestones
July 29th 2017
0630 IST
containerD in the ecosystem
[Diagram labels: containerD; Swarm, Docker, Pivotal, Mesos, DC/OS, k8s, OpenShift, Google, Swarm, Azure, Cloud Foundry, BlueMix, "Your own" Mesos / k8s / ECS, AWS, with "$$" markers beside several of them; platforms: SmartOS, Linux, Solaris, Windows, MacOS]
containerD in the ecosystem
[Diagram labels: containerD; Swarm, Docker, Pivotal, Mesos, DC/OS, k8s, OpenShift, Google, Swarm, Azure, Cloud Foundry, BlueMix, "Your own" Mesos / k8s / ECS, AWS, with "$$" markers beside several of them; platforms: SmartOS, Linux, Solaris, Windows, MacOS; OCI (Open Container Initiative)]
runC
● universal runtime for OS Containers
● CLI tool for spawning and running containers according to the OCI specification.
runC
● a CLI tool for spawning and running containers according to the OCI specification.
● runC
– Depends on runtime-spec repo
– Supports Linux platform only
– Must be built with Go 1.6+
– Executes build tags for features
– Linux kernel 4.3+
– Uses 'vndr' for dependency management
runC
[Diagram labels: rootfs, config.json, runC, Container executed]
Containers are configured using bundles.
A bundle for a container is a directory that includes
- a specification file named "config.json" and
- a root filesystem rootfs.
The root filesystem contains the contents of the container.
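An added example, not taken from the slides or from runC: a Python check that a directory has the two parts of a bundle described above and reports a few isolation-relevant settings from config.json. The field names follow the OCI runtime spec; the sample config, the helper names and the "rootfs" fallback for root.path are assumptions made for the example.

```python
import json
import os
NEW_NS = {"pid", "network", "mount", "ipc", "uts"}

# Constructed sample config.json content for a hypothetical container.
SAMPLE_CONFIG = {
    "ociVersion": "1.0.0",
    "process": {"user": {"uid": 0, "gid": 0}, "args": ["/bin/sh"],
                "capabilities": {"bounding": ["CAP_SYS_ADMIN", "CAP_KILL"]}},
    "root": {"path": "rootfs"},
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "ipc"}]},
}

def write_bundle(bundle_dir, config):
    """Create the two parts of a bundle: rootfs/ and config.json."""
    os.makedirs(os.path.join(bundle_dir, "rootfs"), exist_ok=True)
    with open(os.path.join(bundle_dir, "config.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)

def audit_bundle(bundle_dir):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        with open(os.path.join(bundle_dir, "config.json"), encoding="utf-8") as fh:
            cfg = json.load(fh)
    except OSError:
        return ["config.json missing or unreadable"]
    except ValueError:
        return ["config.json is not valid JSON"]
    if not isinstance(cfg, dict):
        return ["config.json is not a JSON object"]
    findings = []
    root = cfg.get("root") or {}
    # Assumption: fall back to "rootfs" when root.path is absent.
    if not os.path.isdir(os.path.join(bundle_dir, root.get("path", "rootfs"))):
        findings.append("root filesystem directory missing")
    if root.get("readonly") is not True:
        findings.append("root filesystem is writable")
    proc = cfg.get("process") or {}
    if (proc.get("user") or {}).get("uid", 0) == 0:
        findings.append("process runs as uid 0")
    if proc.get("noNewPrivileges") is not True:
        findings.append("noNewPrivileges not set")
    caps = proc.get("capabilities") or {}
    # Older spec drafts used a flat list; 1.0 uses an object with a "bounding" set.
    bounding = caps if isinstance(caps, list) else caps.get("bounding", [])
    if "CAP_SYS_ADMIN" in bounding:
        findings.append("CAP_SYS_ADMIN in bounding set")
    have = {ns.get("type") for ns in (cfg.get("linux") or {}).get("namespaces", [])}
    return findings + [f"no new {n} namespace" for n in sorted(NEW_NS - have)]
```

A namespace type that is not listed under linux.namespaces is not created, so the container process stays in the namespace of the runtime that started it.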
runC
USAGE:
  runc [global options] command [command options] [arguments...]
COMMANDS:
  checkpoint  checkpoint a running container
  delete      delete any resources held by the container often used with detached containers
  events      display container events such as OOM notifications, cpu, memory, IO, network stats
  exec        execute new process inside the container
  init        initialize the namespaces and launch the process (do not call it outside of runc)
  kill        kill sends the specified signal (default: SIGTERM) to the container's init process
  list        lists containers started by runc with the given root
  pause       pause suspends all processes inside the container
  restore     restore a container from a previous checkpoint
  resume      resumes all processes that have been previously paused
  spec        create a new specification file
  start       create and run a container
  state       output the state of a container
  help, h     Shows a list of commands or help for one command
runC CLI
GLOBAL OPTIONS:
--debug enable debug output for logging
--log "/dev/null" set the log file path where internal debug information is written
--log-format "text" set the format used by logs ('text' (default), or 'json')
--root "/run/runc" root directory for storage of container state (this should be located in tmpfs)
--criu "criu" path to the criu binary used for checkpoint and restore
--systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
--help, -h show help
--version, -v print the version
runC client
● runc is a command line client for running applications packaged according to the Open Container Format (OCF) and is a compliant implementation of the Open Container Initiative (OCI) specification.
runC and process supervisors
● runc integrates well with existing process supervisors to provide a production container runtime environment for applications.
● runc can be used with your existing process monitoring tools and the container will be spawned as a direct child of the process supervisor.
References (shim)
● https://en.wikipedia.org/wiki/Shim_(computing)
● http://www.ryde.net/code/bind.c.txt
● http://technet.microsoft.com/en-us/library/dd837644(v=WS.10).aspx
References (containerD)
● https://github.com/containerd/containerd
● https://github.com/containerd/containerd/milestones
References (runC)
● https://github.com/opencontainers/runc
References (OCI Specs)
● OCI Image Spec https://www.slideshare.net/StrikrHQ/oci-image-spec
● OCI Runtime Spec https://www.slideshare.net/StrikrHQ/oci-runtime-spec