Containerd Quick Start


This document describes how to use containerd-shim-runsc-v1 with containerd's runtime handler support. Apart from the platform configuration, this is the same setup that GKE Sandbox uses.

⚠️ Note: If you are using Kubernetes and set up your cluster using kubeadm you may run into issues. See the FAQ for details.

Requirements

  • runsc and containerd-shim-runsc-v1: See the installation guide.
  • containerd: See the containerd website for information on how to install containerd. Minimum supported version: 1.3.9 or 1.4.3.

Configure containerd

Update /etc/containerd/config.toml. Make sure containerd-shim-runsc-v1 is in ${PATH} or in the same directory as the containerd binary.

cat <<EOF | sudo tee /etc/containerd/config.toml
version = 2
[plugins."io.containerd.runtime.v1.linux"]
  shim_debug = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
EOF

Restart containerd:

sudo systemctl restart containerd
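The two conditions above (a registered runsc handler with the right runtime_type, and a shim that containerd can find) are the usual reasons a pod requested with `--runtime runsc` fails to start or, worse, is not sandboxed at all. The following preflight script is an added example and not part of the gVisor or containerd projects; it assumes the config file path and the `runtime_type = "..."` spacing used in the guide, and the helper names `handler_configured`, `shim_resolvable` and `preflight` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the gVisor documentation): preflight checks for the
# containerd configuration described in the guide. Paths and names are the ones
# the guide uses; none of the functions below is a containerd or runsc API.

# handler_configured CONFIG NAME TYPE
# Returns 0 when CONFIG declares a CRI runtime handler table
# [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.NAME] whose
# runtime_type is TYPE, and 1 otherwise. Assumes "key = value" spacing as in
# the guide's config.toml.
handler_configured() {
  config=$1; name=$2; type=$3
  awk -v name="$name" -v type="$type" '
    # Every line beginning with "[" opens a new TOML table; remember whether it
    # is the handler table we are looking for.
    /^[ \t]*\[/ { in_handler = ($0 ~ ("runtimes\\." name "\\]")); next }
    in_handler && $1 == "runtime_type" {
      gsub(/"/, "", $3)
      if ($3 == type) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$config"
}

# shim_resolvable SHIM
# Returns 0 when SHIM (e.g. containerd-shim-runsc-v1) is either on PATH or in
# the same directory as the containerd binary, the two places the guide says
# containerd will look for it.
shim_resolvable() {
  shim=$1
  command -v "$shim" >/dev/null 2>&1 && return 0
  containerd_bin=$(command -v containerd 2>/dev/null) || return 1
  [ -x "$(dirname "$containerd_bin")/$shim" ]
}

# preflight CONFIG: run both checks, print a verdict per check, and return
# non-zero if either fails.
preflight() {
  status=0
  if handler_configured "$1" runsc io.containerd.runsc.v1; then
    echo "ok: runsc handler registered in $1"
  else
    echo "FAIL: no runsc handler with runtime_type io.containerd.runsc.v1 in $1"
    status=1
  fi
  if shim_resolvable containerd-shim-runsc-v1; then
    echo "ok: containerd-shim-runsc-v1 is resolvable"
  else
    echo "FAIL: containerd-shim-runsc-v1 not on PATH or next to containerd"
    status=1
  fi
  return $status
}

# Usage: sudo sh preflight.sh /etc/containerd/config.toml
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

Run it before restarting containerd, and again on any node where a runsc pod unexpectedly ends up on the host kernel.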

Usage

You can run containers in gVisor via containerd’s CRI.

Install crictl

Download and install the crictl binary:

{
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin
}

Write the crictl configuration file:

cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
EOF

Create the nginx sandbox in gVisor

Pull the nginx image:

sudo crictl pull nginx

Write the sandbox creation request to a file:

cat <<EOF | tee sandbox.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "linux": {
    },
    "log_directory": "/tmp"
}
EOF

Create the pod in gVisor:

SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)

Run the nginx container in the sandbox

Write the nginx container creation request to a file:

cat <<EOF | tee container.json
{
  "metadata": {
      "name": "nginx"
    },
  "image":{
      "image": "nginx"
    },
  "log_path":"nginx.0.log",
  "linux": {
  }
}
EOF

Create the nginx container:

CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)

Start the nginx container:

sudo crictl start ${CONTAINER_ID}

Validate the container

Inspect the created pod:

sudo crictl inspectp ${SANDBOX_ID}

Inspect the nginx container:

sudo crictl inspect ${CONTAINER_ID}

Verify that nginx is running in gVisor:

sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
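The dmesg check works because the gVisor sentry keeps its own kernel log, which begins with a "Starting gVisor..." banner that a runc container never shows, and because gVisor reports its own fixed kernel release string rather than the host's. The script below turns both observations into a repeatable check; it is an added example, not part of the gVisor documentation. The crictl commands are the guide's, the function names (`sandboxed_by_gvisor`, `shares_host_kernel`, `verify_container`) are this example's own, and the sample log lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the gVisor documentation): decide whether a
# container is really sandboxed by gVisor or is silently running on the host
# kernel under runc. The crictl invocations are the ones the guide uses.

# sandboxed_by_gvisor
# Reads `dmesg` output on stdin. gVisor's sentry prints its own boot log,
# starting with "[   0.000000] Starting gVisor..."; a runc container sees the
# host ring buffer instead (or an error if kernel.dmesg_restrict is set) and
# never prints that banner. Returns 0 when the banner is present.
sandboxed_by_gvisor() {
  grep -q -i 'starting gvisor'
}

# shares_host_kernel CONTAINER_RELEASE HOST_RELEASE
# gVisor reports a fixed kernel release of its own, so a container whose
# `uname -r` matches the host's is sharing the host kernel, not sandboxed.
# Returns 0 when the two strings are identical.
shares_host_kernel() {
  [ "$1" = "$2" ]
}

# verify_container CONTAINER_ID: live check against a running container,
# using the same crictl exec path as the guide's verification step.
verify_container() {
  id=$1
  if sudo crictl exec "$id" dmesg 2>/dev/null | sandboxed_by_gvisor; then
    echo "ok: $id reports the gVisor kernel log"
  else
    echo "FAIL: $id shows no gVisor banner; check the runtime handler" >&2
    return 1
  fi
  c_rel=$(sudo crictl exec "$id" uname -r)
  if shares_host_kernel "$c_rel" "$(uname -r)"; then
    echo "FAIL: $id reports the host kernel release ($c_rel)" >&2
    return 1
  fi
  echo "ok: $id reports kernel release $c_rel, distinct from host $(uname -r)"
}

# Usage: sh verify.sh "${CONTAINER_ID}"
if [ $# -gt 0 ]; then
  verify_container "$1"
fi
```

A container that passes the banner check but reports the host's kernel release is worth investigating: it means the command ran somewhere other than the sandbox you expected.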

Set up the Kubernetes RuntimeClass

Install the RuntimeClass for gVisor:

cat <<EOF | kubectl apply -f -
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF

Create a Pod with the gVisor RuntimeClass:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
EOF

Verify that the Pod is running:

kubectl get pod nginx-gvisor -o wide

What’s next

This setup is already done for you on GKE Sandbox. It is an easy way to get started with gVisor.

Before taking this deployment to production, review the Production guide.