Containerd Quick Start

Edit this page Create issue

This document describes how to use containerd-shim-runsc-v1 with the containerd runtime handler support on containerd.

⚠️ NOTE: If you are using Kubernetes and set up your cluster using kubeadm you may run into issues. See the FAQ for details.


  • runsc and containerd-shim-runsc-v1: See the installation guide.
  • containerd: See the containerd website for information on how to install containerd. Minimal version supported: 1.3.9 or 1.4.3.

Configure containerd

Update /etc/containerd/config.toml. Make sure containerd-shim-runsc-v1 is in ${PATH} or in the same directory as containerd binary.

cat <<EOF | sudo tee /etc/containerd/config.toml
version = 2
  shim_debug = true
  runtime_type = "io.containerd.runc.v2"
  runtime_type = "io.containerd.runsc.v1"

Restart containerd:

sudo systemctl restart containerd


You can run containers in gVisor via containerd’s CRI.

Install crictl

Download and install the crictl binary:

tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin

Write the crictl configuration file:

cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock

Create the nginx sandbox in gVisor

Pull the nginx image:

sudo crictl pull nginx

Create the sandbox creation request:

cat <<EOF | tee sandbox.json
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    "linux": {
    "log_directory": "/tmp"

Create the pod in gVisor:

SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)

Run the nginx container in the sandbox

Create the nginx container creation request:

cat <<EOF | tee container.json
  "metadata": {
      "name": "nginx"
      "image": "nginx"
  "linux": {

Create the nginx container:

CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)

Start the nginx container:

sudo crictl start ${CONTAINER_ID}

Validate the container

Inspect the created pod:

sudo crictl inspectp ${SANDBOX_ID}

Inspect the nginx container:

sudo crictl inspect ${CONTAINER_ID}

Verify that nginx is running in gVisor:

sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor

Set up the Kubernetes RuntimeClass

Install the RuntimeClass for gVisor:

cat <<EOF | kubectl apply -f -
kind: RuntimeClass
  name: gvisor
handler: runsc

Create a Pod with the gVisor RuntimeClass:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
  name: nginx-gvisor
  runtimeClassName: gvisor
  - name: nginx
    image: nginx

Verify that the Pod is running:

kubectl get pod nginx-gvisor -o wide