
containerd: Project Update and Deep Dive (KubeCon + CloudNativeCon EU 2023)

Join containerd maintainers for an introduction and deep dive into the latest updates on containerd. For Kubernetes users, we will cover how to get started and configure containerd. We'll then dive into the exciting work going on in the containerd ecosystem. In 1.7, new experimental features like the Sandbox API bring the ability to better model non-traditional runtime environments, while the Transfer Service builds a new model of extensibility for image operations. 2.0 is around the corner; it will bring stability to the new features and form a strong base for long-term maintenance through the removal of deprecated functionality. The ecosystem is vibrant and expanding, with containerd subprojects (nerdctl, wasm, some snapshotters) as well as vendor- and community-driven projects for image streaming, developer experience, and new OS platforms. Rust has made its appearance in the containerd ecosystem too, with a new non-core library for building Rust-based shims.

Samuel Karp

April 20, 2023

Transcript

  2. containerd: Project Update and Deep Dive
    Maksym Pavlenko, Apple
    Samuel Karp, Google
    containerd maintainers

  3. containerd's support lifecycle
    Three types of releases:
    ● Active
    ○ At least one year of support
    ○ Bug fixes and security fixes
    ● Extended
    ○ After the Active window ends
    ○ Security fixes only
    ○ No set window length
    ● Long Term Stable
    ○ At least three years of support
    ○ Bug fixes, security fixes, and dependency version updates
    ○ Should remain usable by current containerd clients

  4. containerd 1.6 - first LTS!
    ● Supported until February 2025 (3 years from release)
    ○ Longer support window for bug fixes and security patches
    ○ Expanded scope for backports
    ■ (and compatibility with current Kubernetes versions)
    ● Converts to a regular stable release up to 6 months before (August 2024)
    ● Kubernetes versions
    ○ Existing versions: 1.24 – 1.27
    ○ Future versions: 1.28 (2023), 1.29 (2023), 1.30 (2024)

  5. containerd 1.7 - just released!
    ● New! Sandbox API (experimental)
    ○ Shim-level API to support groups of containers
    ○ Try it with CRI using ENABLE_CRI_SANDBOXES=1 environment variable
    ● New! Transfer Service (experimental)
    ○ Support new workflows with images
    ● Supported until March 2024 (1 year from release)
    ○ Or 6 months after 2.0 is released
    ○ This is before the EOL of 1.6
    ● Kubernetes versions
    ○ Existing versions: 1.24 – 1.27
    ○ Future versions: 1.28 (2023), 1.29 (2023)
    ● Last 1.x release of containerd

  6. containerd 2.0
    ● Production-ready Sandbox API (sbserver)
    ○ Modular sandboxed CRI plugin
    ○ Legacy CRI server to be removed
    ● Production-ready Transfer Service
    ○ Cover more use cases
    ○ Sandbox API integration
    ● Container runtime interface (CRI) updates
    ● Node resource interface (NRI) updates
    ● Removing deprecated features

  7. Sandbox API: new API for container groups
    ● Controller interface to handle sandbox lifecycle
    ○ pod-sandbox (extracted from CRI)
    ○ microVM
    ○ VM
    ● Shims provide the Controller implementation
    ● CRI invokes the Controller

  8. Sandbox API: ongoing CRI integration
    ● CRI server fork to enable integration (sbserver directory)
    ○ Calls the sandbox Controller interface instead of podsandbox
    ○ Adding RemoteController to call shims
    ● Default implementation in v2.0
    ● Try it out with the ENABLE_CRI_SANDBOXES environment variable in v1.7

  9. Transfer service
    Source                  | Destination             | Description           | Local implementation version
    ------------------------|-------------------------|-----------------------|-----------------------------
    Registry                | Image Store             | "pull"                | 1.7
    Image Store             | Registry                | "push"                | 1.7
    Object stream (Archive) | Image Store             | "import"              | 1.7
    Image Store             | Object stream (Archive) | "export"              | 1.7 (in progress)
    Object stream (Layer)   | Mount/Snapshot          | "unpack"              | Not implemented
    Mount/Snapshot          | Object stream (Layer)   | "diff"                | Not implemented
    Image Store             | Image Store             | "tag"                 | Not implemented
    Registry                | Registry                | mirror registry image | Not implemented

  10. Transfer service
    ● New use cases and extension points
    ○ Signing and image validation
    ○ Credential management
    ○ Custom pull logic
    ○ Image decryption
    ○ Pluggable sources / destinations
    ● Sandbox API integration in future
    ○ Confidential computing
    ○ Custom image handling (skip snapshotter)

  11. Redirect to registry.k8s.io
    registry.k8s.io is GA! 🎉
    🚨❄ k8s.gcr.io is frozen ❄🚨
    More info on https://k8s.io/image-registry-redirect

  12. Configuring containerd
    containerd config file (/etc/containerd/config.toml):
    version = 2
    required_plugins = ["io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri"]
      sandbox_image = "registry.k8s.io/pause:3.9"
    Use registry.k8s.io, not k8s.gcr.io now!

  13. NRI updates
    ● Middleware between CRI and OCI
    ● Reworked in 1.7
    ● New API for tracking state changes of containers, pod-sandboxes, and other new sandbox types like microVMs
    ● Sandbox API integration in 2.0

  14. Deprecations in 2.0
    Component                                                                       | Deprecation release | Target release for removal | Recommendation
    --------------------------------------------------------------------------------|---------------------|----------------------------|------------------------------------------
    Runtime V1 API and implementation (io.containerd.runtime.v1.linux)              | containerd v1.4     | containerd v2.0            | ✅ Use io.containerd.runc.v2
    Runc V1 implementation of Runtime V2 (io.containerd.runc.v1)                    | containerd v1.4     | containerd v2.0            | ✅ Use io.containerd.runc.v2
    config.toml version = 1                                                         | containerd v1.5     | containerd v2.0            | ✅ Use config.toml version = 2
    Built-in aufs snapshotter                                                       | containerd v1.5     | containerd v2.0            | ✅ Use overlayfs snapshotter
    Container label containerd.io/restart.logpath                                   | containerd v1.5     | containerd v2.0            | ✅ Use containerd.io/restart.loguri label
    cri-containerd-*.tar.gz release bundles                                         | containerd v1.6     | containerd v2.0            | Use containerd-*.tar.gz bundles
    Pulling Schema 1 images (application/vnd.docker.distribution.manifest.v1+json) | containerd v1.7     | containerd v2.0            | Use Schema 2 or OCI images
    CRI v1alpha2                                                                    | containerd v1.7     | containerd v2.0            | ✅ Use CRI v1

  15. containerd's expanded ecosystem
    ● Built to be extensible
    ● Lots of places to plug in new functionality!
    ○ Snapshotters
    ○ Runtimes
    ○ Clients
    ● Plugins/projects that are part of the containerd organization
    ● Community projects
    ● Vendor products
    ● Lots of adopters!

  16. Kubernetes distros adopting containerd
    ● Amazon Elastic Kubernetes Service
    ● Azure Kubernetes Service
    ● Google Kubernetes Engine
    ● IBM Cloud Kubernetes Service
    ● Rancher K3s
    ● VMware Tanzu
    Kubelet command-line flag: --container-runtime-endpoint=unix:///run/containerd/containerd.sock

  17. containerd clients
    ● ctr - command-line development tool
    ○ typically bundled with containerd
    ○ core containerd project
    ● crictl - a CLI for CRI
    ○ Kubernetes project (part of cri-tools)
    ● nerdctl - a Docker-like CLI
    ○ expanded functionality
    ■ Lazy-loading images, image encryption, image signing
    ○ non-core containerd project
    ● Colima - Docker-like experience on macOS
    ○ Built on nerdctl and LIMA
    ○ community project
    ● Rancher Desktop - Docker-like experience on macOS, Windows, and Linux
    ○ Built on nerdctl + LIMA
    ○ Includes a GUI
    ○ vendor product
    ● Finch - Docker-like CLI on macOS
    ○ Built on nerdctl + LIMA + plugins
    ○ vendor product

  18. Snapshotters
    ● Built-in
    ○ overlay (Linux)
    ○ btrfs (Linux)
    ○ devmapper (Linux)
    ○ native (Linux, Windows, FreeBSD)
    ○ lcow (Windows)
    ○ windows (Windows)
    ○ zfs (Linux, FreeBSD)
    ● Extension via proxy plugins
    ● Remote (lazy-loading)
    ○ eStargz (non-core project)
    ○ Nydus (non-core project)
    ○ overlayBD (non-core project)
    ○ SOCI (OSS vendor project)
    ○ GKE image streaming (vendor product)

  19. Runtimes and shims
    ● runc - standard OCI runtime for Linux containers
    ● crun - alternative OCI runtime for Linux containers
    ● runwasi - OCI runtime for WASM
    ● hcsshim/runhcs - containerd shim and OCI runtime for Windows containers
    ● runj - experimental OCI runtime for FreeBSD jails
    ● Kata Containers - hypervisor-based isolation for pods
    ● gVisor/runsc - independent kernel for isolation
    ● firecracker-containerd - hypervisor-based isolation for containers based on Firecracker

  20. Getting involved
    ● #containerd and #containerd-dev channels on CNCF Slack (https://slack.cncf.io)
    ● Community Meeting on the second Thursday of each month
    ○ See the CNCF Calendar for your timezone
    ○ https://cncf.io/calendar
    ● Build something in the ecosystem!
    ● Discussion, issues and pull requests welcome!
    https://github.com/containerd/containerd

  21. Session Q+A
    ● Virtual attendees may submit questions to speakers through the CNCF Slack channel: #2-Kubecon-sessions
    ● Please create a thread and tag the speaker(s) with questions about their talk.
    ● Questions will be answered by the speaker and/or other community members after the session concludes.
