Older Versions (containerd 1.1)

Edit this page Create issue

This document describes how to install and run the gvisor-containerd-shim using the untrusted workload CRI extension. This requires containerd 1.1 or later.

Note: The untrusted workload CRI extension is deprecated by containerd and gvisor-containerd-shim is maintained on a best-effort basis. If you are using containerd 1.2+, please see the containerd 1.2+ documentation and use containerd-shim-runsc-v1.


Configure containerd

Create the configuration for the gvisor shim in /etc/containerd/gvisor-containerd-shim.toml:

cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.toml
runc_shim = "/usr/local/bin/containerd-shim"

Update /etc/containerd/config.toml. Be sure to update the path to gvisor-containerd-shim and runsc if necessary:

cat <<EOF | sudo tee /etc/containerd/config.toml
disabled_plugins = ["restart"]
  shim = "/usr/local/bin/gvisor-containerd-shim"
  shim_debug = true
  runtime_type = "io.containerd.runtime.v1.linux"
  runtime_engine = "/usr/local/bin/runsc"
  runtime_root = "/run/containerd/runsc"

Restart containerd:

sudo systemctl restart containerd


You can run containers in gVisor via containerd’s CRI.

Install crictl

Download and install the crictl binary:

wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin

Write the crictl configuration file:

cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock

Create the nginx Sandbox in gVisor

Pull the nginx image:

sudo crictl pull nginx

Create the sandbox creation request:

cat <<EOF | tee sandbox.json
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    "annotations": {
      "io.kubernetes.cri.untrusted-workload": "true"
    "linux": {
    "log_directory": "/tmp"

Create the pod in gVisor:

SANDBOX_ID=$(sudo crictl runp sandbox.json)

Run the nginx Container in the Sandbox

Create the nginx container creation request:

cat <<EOF | tee container.json
  "metadata": {
      "name": "nginx"
      "image": "nginx"
  "linux": {

Create the nginx container:

CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)

Start the nginx container:

sudo crictl start ${CONTAINER_ID}

Validate the container

Inspect the created pod:

sudo crictl inspectp ${SANDBOX_ID}

Inspect the nginx container:

sudo crictl inspect ${CONTAINER_ID}

Verify that nginx is running in gVisor:

sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor