Older Versions (containerd 1.1)


WARNING: containerd 1.1 and shim v1 are no longer supported. The instructions below are kept for reference only, in case you are dealing with an old version. Upgrading to the latest version is strongly recommended.

This document describes how to install and run the gvisor-containerd-shim using the untrusted workload CRI extension. This requires containerd 1.1 or later.

Note: The untrusted workload CRI extension is deprecated by containerd and gvisor-containerd-shim is maintained on a best-effort basis. If you are using containerd 1.2+, please see the containerd 1.2+ documentation and use containerd-shim-runsc-v1.

Requirements

Configure containerd

Create the configuration for the gvisor shim in /etc/containerd/gvisor-containerd-shim.toml:

cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.toml
runc_shim = "/usr/local/bin/containerd-shim"
EOF

Update /etc/containerd/config.toml. Be sure to update the paths to gvisor-containerd-shim and runsc if they differ on your system. Note that this only registers runsc as the "untrusted workload" runtime; pods that are not explicitly marked as untrusted (see the sandbox annotation under Usage) keep running under runc. `shim_debug = true` turns on verbose shim logging and is useful while setting things up; switch it off once the installation works.

cat <<EOF | sudo tee /etc/containerd/config.toml
disabled_plugins = ["restart"]
[plugins.linux]
  shim = "/usr/local/bin/gvisor-containerd-shim"
  shim_debug = true
[plugins.cri.containerd.untrusted_workload_runtime]
  runtime_type = "io.containerd.runtime.v1.linux"
  runtime_engine = "/usr/local/bin/runsc"
  runtime_root = "/run/containerd/runsc"
EOF
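Before restarting containerd it is worth checking that the binaries the config points at actually exist and cannot be tampered with. The script below is an added example and is not part of gVisor or containerd: it reads the `shim` and `runtime_engine` paths from a config.toml using the key names shown above, verifies each is an executable regular file that is not writable by group or other (containerd runs both as root, so a writable shim or runsc is a root escalation path), and reminds you if `shim_debug` is still on. It uses only POSIX tools (`sed`, `ls`, `cut`, `grep`).

```shell
#!/bin/sh
# Added example, not part of gVisor or containerd: pre-restart sanity check
# for the containerd 1.1 config above. Assumes the key names used in that
# config.toml (shim, runtime_engine, shim_debug).
set -eu

# Print the string value of TOML key $2 in file $1 (first match, any section).
toml_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if $1 is an executable regular file not writable by group or other.
binary_is_safe() {
  [ -f "$1" ] && [ -x "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c1-10)        # e.g. -rwxr-xr-x
  gw=$(printf '%s' "$perms" | cut -c6)     # group write bit
  ow=$(printf '%s' "$perms" | cut -c9)     # other write bit
  [ "$gw" != w ] && [ "$ow" != w ]
}

# Validate config file $1. Returns 0 if both the shim and the untrusted
# workload runtime engine are configured and safe; reports problems on stderr.
check_containerd_config() {
  cfg="$1"; rc=0
  for key in shim runtime_engine; do
    path=$(toml_value "$cfg" "$key")
    if [ -z "$path" ]; then
      echo "$cfg: missing $key" >&2; rc=1
    elif ! binary_is_safe "$path"; then
      echo "$cfg: $key=$path is missing, not executable, or writable by group/other" >&2; rc=1
    fi
  done
  # Not a failure, but shim_debug logs every shim operation; disable it once things work.
  if grep -Eq '^[[:space:]]*shim_debug[[:space:]]*=[[:space:]]*true' "$cfg"; then
    echo "$cfg: note: shim_debug = true is still set" >&2
  fi
  return $rc
}
```

Run `check_containerd_config /etc/containerd/config.toml` before `systemctl restart containerd`; a non-zero exit means containerd would either fail to start the shim or start one that an unprivileged local user could replace.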

Restart containerd:

sudo systemctl restart containerd

Usage

You can run containers in gVisor via containerd's CRI. With the untrusted workload extension, only pods whose sandbox carries the `io.kubernetes.cri.untrusted-workload: "true"` annotation are started with runsc; a pod without it is created under runc without any error, so double-check the annotation on every sandbox you expect to be isolated.

Install crictl

Download and install the crictl binary:

{
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin
}

Write the crictl configuration file:

cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
EOF

Create the nginx Sandbox in gVisor

Pull the nginx image:

sudo crictl pull nginx

Create the sandbox creation request:

cat <<EOF | tee sandbox.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "annotations": {
      "io.kubernetes.cri.untrusted-workload": "true"
    },
    "linux": {
    },
    "log_directory": "/tmp"
}
EOF

Create the pod in gVisor:

SANDBOX_ID=$(sudo crictl runp sandbox.json)

Run the nginx Container in the Sandbox

Create the nginx container creation request:

cat <<EOF | tee container.json
{
  "metadata": {
      "name": "nginx"
    },
  "image":{
      "image": "nginx"
    },
  "log_path":"nginx.0.log",
  "linux": {
  }
}
EOF

Create the nginx container:

CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)

Start the nginx container:

sudo crictl start ${CONTAINER_ID}

Validate the container

Inspect the created pod:

sudo crictl inspectp ${SANDBOX_ID}

Inspect the nginx container:

sudo crictl inspect ${CONTAINER_ID}

Verify that nginx is running in gVisor. gVisor's sentry emits its own synthetic kernel log, so the grep below should match; if it matches nothing, the pod was started under runc rather than runsc, and you should re-check the sandbox annotation and the containerd configuration:

sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
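The two places where this setup silently falls back to an unsandboxed pod are a sandbox spec without the annotation and a runtime that was never actually selected. The helpers below are an added example, not code from gVisor or cri-tools: they generate the annotated sandbox spec used above, wrap `crictl runp` so that it refuses a spec that would fall through to runc, and check `dmesg` output for the gVisor marker. The sample dmesg text is constructed for illustration, not captured from a real run; everything else uses only POSIX shell and `grep`.

```shell
#!/bin/sh
# Added example, not part of gVisor or cri-tools: fail-closed helpers for the
# containerd 1.1 untrusted-workload extension. Only pods annotated
# io.kubernetes.cri.untrusted-workload=true start under runsc; a spec without
# the annotation runs under plain runc with no error, which these helpers prevent.
set -eu

ANNOTATION='io.kubernetes.cri.untrusted-workload'

# Print a sandbox spec for pod $1 that requests the gVisor runtime.
# The uid is derived from the name here for simplicity; use a unique value.
make_sandbox_spec() {
  cat <<EOF
{
  "metadata": {"name": "$1", "namespace": "default", "attempt": 1, "uid": "$1-uid"},
  "annotations": {"$ANNOTATION": "true"},
  "linux": {},
  "log_directory": "/tmp"
}
EOF
}

# Return 0 if the spec in file $1 carries the annotation with value "true",
# tolerating whitespace around the JSON colon; 1 otherwise.
spec_requests_gvisor() {
  grep -Eq "\"$ANNOTATION\"[[:space:]]*:[[:space:]]*\"true\"" "$1"
}

# Fail-closed stand-in for `crictl runp`: refuse to create a pod whose spec
# would fall through to runc. On success prints the sandbox ID, like runp.
runp_sandboxed() {
  if ! spec_requests_gvisor "$1"; then
    echo "refusing $1: $ANNOTATION is not \"true\", pod would run under runc" >&2
    return 1
  fi
  sudo crictl runp "$1"
}

# Return 0 if dmesg output on stdin came from gVisor's sentry. gVisor
# synthesises its own ring buffer; under runc you would see the host kernel's.
dmesg_is_gvisor() {
  grep -qi 'gvisor'
}

# Constructed sample of what `crictl exec $CONTAINER_ID dmesg` prints inside a
# gVisor pod (illustrative text, not captured from a real run).
sample_gvisor_dmesg() {
  printf '[    0.000000] Starting gVisor...\n[    0.123456] Checking naughty bits...\n'
}
```

Use `make_sandbox_spec nginx-sandbox > sandbox.json` and `SANDBOX_ID=$(runp_sandboxed sandbox.json)` in place of the two steps above, and `sudo crictl exec "$CONTAINER_ID" dmesg | dmesg_is_gvisor` as the final check; each helper exits non-zero instead of quietly continuing with an unsandboxed pod.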