Containerd Quick Start

Edit this page Create issue

This document describes how to use containerd-shim-runsc-v1 with the containerd runtime handler support on containerd. This is a similar setup as GKE Sandbox, other than the platform configuration.

⚠️ Note: If you are using Kubernetes and set up your cluster using kubeadm you may run into issues. See the FAQ for details.


  • runsc and containerd-shim-runsc-v1: See the installation guide.
  • containerd: See the containerd website for information on how to install containerd. Minimal version supported: 1.3.9 or 1.4.3.

Configure containerd

Update /etc/containerd/config.toml. Make sure containerd-shim-runsc-v1 is in ${PATH} or in the same directory as containerd binary.

cat <<EOF | sudo tee /etc/containerd/config.toml
version = 2
  shim_debug = true
  runtime_type = "io.containerd.runc.v2"
  runtime_type = "io.containerd.runsc.v1"

Restart containerd:

sudo systemctl restart containerd


You can run containers in gVisor via containerd’s CRI.

Install crictl

Download and install the crictl binary:

tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin

Write the crictl configuration file:

cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock

Create the nginx sandbox in gVisor

Pull the nginx image:

sudo crictl pull nginx

Create the sandbox creation request:

cat <<EOF | tee sandbox.json
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    "linux": {
    "log_directory": "/tmp"

Create the pod in gVisor:

SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)

Run the nginx container in the sandbox

Create the nginx container creation request:

cat <<EOF | tee container.json
  "metadata": {
      "name": "nginx"
      "image": "nginx"
  "linux": {

Create the nginx container:

CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)

Start the nginx container:

sudo crictl start ${CONTAINER_ID}

Validate the container

Inspect the created pod:

sudo crictl inspectp ${SANDBOX_ID}

Inspect the nginx container:

sudo crictl inspect ${CONTAINER_ID}

Verify that nginx is running in gVisor:

sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor

Set up the Kubernetes RuntimeClass

Install the RuntimeClass for gVisor:

cat <<EOF | kubectl apply -f -
kind: RuntimeClass
  name: gvisor
handler: runsc

Create a Pod with the gVisor RuntimeClass:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
  name: nginx-gvisor
  runtimeClassName: gvisor
  - name: nginx
    image: nginx

Verify that the Pod is running:

kubectl get pod nginx-gvisor -o wide

What’s next

This setup is already done for you on GKE Sandbox. It is an easy way to get started with gVisor.

Before taking this deployment to production, review the Production guide.