Containerd Quick Start

Edit this page Create issue

This document describes how to use containerd-shim-runsc-v1 with the containerd runtime handler support on containerd 1.2 or later.

⚠️ NOTE: If you are using Kubernetes and set up your cluster using kubeadm you may run into issues. See the FAQ for details.

Requirements

Configure containerd

Update /etc/containerd/config.toml. Make sure containerd-shim-runsc-v1 is in ${PATH} or in the same directory as containerd binary.

cat <<EOF | sudo tee /etc/containerd/config.toml
disabled_plugins = ["restart"]
[plugins.linux]
  shim_debug = true
[plugins.cri.containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
EOF

Restart containerd:

sudo systemctl restart containerd

Usage

You can run containers in gVisor via containerd’s CRI.

Install crictl

Download and install the crictl` binary:

{
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin
}

Write the crictl configuration file:

cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
EOF

Create the nginx sandbox in gVisor

Pull the nginx image:

sudo crictl pull nginx

Create the sandbox creation request:

cat <<EOF | tee sandbox.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "linux": {
    },
    "log_directory": "/tmp"
}
EOF

Create the pod in gVisor:

SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)

Run the nginx container in the sandbox

Create the nginx container creation request:

cat <<EOF | tee container.json
{
  "metadata": {
      "name": "nginx"
    },
  "image":{
      "image": "nginx"
    },
  "log_path":"nginx.0.log",
  "linux": {
  }
}
EOF

Create the nginx container:

CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)

Start the nginx container:

sudo crictl start ${CONTAINER_ID}

Validate the container

Inspect the created pod:

sudo crictl inspectp ${SANDBOX_ID}

Inspect the nginx container:

sudo crictl inspect ${CONTAINER_ID}

Verify that nginx is running in gVisor:

sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor

Set up the Kubernetes RuntimeClass

Install the RuntimeClass for gVisor:

cat <<EOF | kubectl apply -f -
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF

Create a Pod with the gVisor RuntimeClass:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
EOF

Verify that the Pod is running:

kubectl get pod nginx-gvisor -o wide