SlideShare una empresa de Scribd logo

[KubeCon EU 2021] Introduction and Deep Dive Into Containerd

A
Akihiro Suda

Join containerd maintainers and reviewers in a combined introduction and deep dive session. They will discuss the overview and the recent updates of containerd as well as how it is being used by Kubernetes, Docker and other container-based systems. The brief introduction about its architecture and service design will be included. The talk will also deep dive into how to leverage contained by extending and customizing it for your use case with low-level plugins like remote snapshotters, as well as by implementing your own containerd client. Upcoming features and recent discussion in containerd community will also be covered. - - - https://kccnceu2021.sched.com/event/iE6v/introduction-and-deep-dive-into-containerd-kohei-tokunaga-akihiro-suda-ntt-corporation?iframe=no

Software
1 de 36
Descargar para leer sin conexión
Kohei Tokunaga & Akihiro Suda, NTT Corporation Introduction and Deep Dive Into Containerd
Introduction to containerd Kohei Tokunaga, NTT Corporation
Overview ● CNCF graduated container runtime project ● Resource manager • Container process • Image artifacts • Filesystem snapshots • Metadata and dependencies management ● Tightly scoped (100% approval is required to stretch) but highly extensible ● Used by Kubernetes, Docker and various container-based projects https://github.com/containerd/containerd
Usage in community ● Managed: GKE, AWS Fargate, AKS, IKS ● Development: Docker/moby, BuildKit ● K8s distribution: k3s, kind、minikube, kubespray, microk8s, k0s ● FaaS: faasd Adoption https://sysdig.com/blog/sysdig-2021-contai ner-security-usage-report/ ● Docker’s use of containerd + pure use of containerd is 83% of container usage (Sysdig 2021 container security and usage report) ● Used by several managed services as well as open source projects in community
How containerd is used? Low-level runtime kubelet CRI Low-level runtime containerd API dockerd Low-level runtime containerd API Arbitrary tools As a CRI runtime As a component of Docker As a general container management tool
Containerd as a CRI runtime Container Registry kubectl apply Detects Pod events Manages Pods using CRI runtime • Manages Pods, containers and images • Pulls image from the registry • Executes low-level runtimes Creates and manipulates isolated execution environments as containers e.g. runc, gVisor, Kata Containers Node Low-level runtime apiserver kubelet CRI pull The de facto standard CRI runtime for Kubernetes ● Managed Kubernetes: IKS, GKE, AKS, AWS Fargate, … ● Kubernetes distributions: K3s, kind, minikube, kubespray, microk8s, k0s, ...
Containerd as a component of Docker Container Registry docker run Manages containers, images, networking and volumes, etc. Low-level runtime • Manages containers • Executes low-level runtimes containerd API dockerd Node pull/push Docker API Creates and manipulates isolated execution environments as containers e.g. runc, gVisor, Kata Containers
Containerd as a general container management tool ● Several applications are developed based on containerd ● Containerd provides a Go client library (discussed later) ● Applications can extend containerd with plugins, without recompilation (discussed later) Applications managing containers Low-level runtime Provides container management functionality to upper tools containerd API BuildKit faasd Pouch Container nerdctl Creates and manipulates isolated execution environments as containers e.g. runc, gVisor, Kata Containers
Containerd Internal Kohei Tokunaga, NTT Corporation
Containerd Architecture OS plugins container image tasks namespace leases version introspection events diff Server runtimes Client containerd API Kubelet CRI ● Client-server architecture • Go client library (used by Docker, BuildKit, etc.) ● Client calls server via containerd API • Through /run/containerd/containerd.sock ● Various low-level runtimes are supported • OCI runtimes (runc, gVisor, Kata Container, etc) • Firecracker (firecracker-containerd) ● Extensibility • Low-level plugins • Extending containerd API with custom services • Client library is easy to customize
Containerd Client ● “Smart” Client (Go library) • Containerd API bindings • Registry client • Pulling/Pushing images • Image unpacker • Creating OCI config for OCI runtimes ● Go application can integrate with containerd using client library OS container image tasks namespace leases version introspection events diff container image Etc… namespace leases content snapshots events tasks Registry client Image unpacker events OCI config constructor Server plugins runtimes API bindings Utilities Utilities
Containerd Client Implementations OS container image tasks namespace leases version introspection events diff Server plugins runtimes ctr, nerdctl, Docker, etc containerd API Client lib ● ctr: https://github.com/containerd/containerd • CLI client for containerd • Mainly for debugging or trying new features ● nerdctl: https://github.com/containerd/nerdctl • Docker-compatible CLI for containerd • Easy to use for Docker users • Supports containerd’s cutting-edge features (e.g. lazy pulling, image encryption) ● containerd-based tools • Arbitrary tools can integrate to containerd using client library • e.g. Docker, BuildKit, faasd
Containerd Core & API container image etc… namespace leases content snapshots CRI tasks Metadata store OS Container management Image management Container execution Shared DB among services shim OCI CRI ● Micro services • Containerd API is the set of APIs of services • Services are loosely connected ● Shared metadata DB • bbolt-based • https://github.com/etcd-io/bbolt • Stores metadata of containers, images, contents, snapshots, etc. • Manages reference graph for GC
CRI Service NRI Plugin Image Service Container Service Image service Runtime service Task Service CNI Plugin Containerd client ・・・ CNI client NRI client ● CRI service implements CRI of Kubernetes ● Implemented as a builtin service • Initially repo and binary were separated from containerd • Merged to containerd/containerd since 1.5 ● Depends on other services for container & image management • Communicates via function call ● Uses external CNI/NRI plugins for networking and resource management plugins kubelet CRI service Pod namespace container container Registry pull
Low-level Services OS container image etc… namespace leases content snapshots CRI tasks C o n t e n t s t o r e S n a p s h o t t e r R u n t i m e ● Content Store • Stores image manifest and layers “as-is” • content addressable (keyed by digest) ● Snapshotter • Manages ”snapshots” • Extracted and stacked view of rootfs layers • Passed to OCI runtimes as rootfs • Snapshotter impl. per backing filesystem • Overlayfs, btrfs, aufs, FUSE, … ● Runtime • Executes low-level runtimes via “shim” • Shim is a wrapper daemon of OCI runtime • Well-suit to stateful runtimes (e.g. Kata Containers)
Image content flow unpacker Content Store Diff Service Snapshotter Unpack layers extracted snapshots Task & Runtime Store layer blobs “as-is” Decompression Decryption etc… Mount snapshots as rootfs rootfs of a container remote container & task service API bindings ・・・ Registry pull containerd client utilities
Containerd Extensibility Kohei Tokunaga, NTT Corporation
Extending containerd with plugins and services OS container image etc… namespace leases content snapshots CRI tasks shim OCI plugins plugins s h i m ● containerd is tightly scoped but highly extensible ● Custom low-level service; no need to recompile • external binary plugins • Plugin via unix socket (proxy snapshotter, proxy content store) • Plugin as an executable binary (stream processor, shim) • Go plugin ● API is extendable by implementing your own custom service • e.g. ”control API” of firecracker-containerd
Extension example 1: Lazy pulling ● Remote snapshotter plugin • allows “lazy pulling” of images from arbitrary remote store (not limited to the registry) • container can startup without waiting for the entire image contents being locally available ● Snapshotter can run as an external daemon (proxy snapshotter) • No re-compilation is required • Containerd talks with the snapshotter via unix socket ● Stargz Snapshotter enables lazy pulling of OCI-compatible eStargz/Stargz images from standard registry • https://github.com/containerd/stargz-snapshotter Arbitrary remote store proce ss container Remote Snapshotter Node Provides rootfs snapshots as mount points Remote Snapshotters in community - Stargz Snapshotter - CVMFS-snapshotter - Nydus-snapshotter - OverlayBD-snapshotter
Extension example 2: Generic image layers ● Containerd can handle arbitrary image layers, not limited to OCI standards • gzip, zstd, encrypted layers… ● Stream Processor plugin converts arbitrary media type to another (e.g. OCI standard types) ● Separated binary can plug into containerd, without re-compilation Stream Processor in community - imgcrypt for encrypted images e.g. layer decription Image layers Rootfs snapshots ・・・ Builtin decompressor Plugin binary Diff Service
Extension example 3: Integrating low-level runtimes ● V2 Shim per low-level runtime ● Both of OCI (e.g. runc) and Non-OCI (e.g. Firecracker) runtime can integrate to containerd ● Binary naming convention: io.containerd.runc.v2 -> containerd-shim-runc-v2 ● Pluggable logging destination • fifo(Linux), npipe(Windows), external binary(Linux, Windows), file(Linux, Windows) runc Kata Containers gVisor Firecracker io.containerd.runc.v2 io.containerd.kata.v2 io.containerd.runsc.v1 io.containerd.aws-firecracker Low-level Runtimes in community V2 shims in community Runtime service
Implementing your own containerd client Akihiro Suda, NTT Corporation
Two APIs are available containerd API is recommended for most use cases, but CRI API might be easier to get started Implementing your own containerd client containerd API CRI API Consumers Docker/Moby, BuildKit, faasd, nerdctl... Kubernetes Paradigm Container-oriented Pod-oriented Flexibility Good Bad Simplicity Bad Good Transportation gRPC over UNIX socket gRPC over UNIX socket
Implementing your own containerd client ● Both containerd API and CRI API use gRPC ● In theory you could use any language for your own client ● But containerd API depends on “smart client” written in Go, especially for pulling images ● So, currently, Go is the best language for Native API ● Contribution is wanted for other languages
Implementing your own containerd client Example: https://containerd.io/docs/getting-started/
Implementing your own containerd client Example: https://containerd.io/docs/getting-started/
Implementing your own containerd client Example: https://containerd.io/docs/getting-started/ You will add WithXXX options here: - oci.WithProcessArgs - oci.WithMounts - oci.WithMemoryLimit - seccomp.WithProfile - ...
Implementing your own containerd client In addition to the client, you will also want to implement OCI hooks and logger binary ● OCI Hooks: custom commands called on creation and deletion of containers ○ e.g., for setting up and tearing down CNI bridge and portmap ○ Optional, but necessary if you want your containers to be restarted automatically on host reboot ○ Example: https://github.com/containerd/nerdctl/blob/v0.7.2/run.go#L629-L663 ● Logger Binary: custom command for handling container logs ○ e.g., store as a local file, transfer to fluentd, … ○ Example: https://github.com/containerd/nerdctl/blob/v0.7.2/run.go#L618-L627
Implementing your own containerd client Full example: nerdctl https://github.com/containerd/nerdctl Spun out from `ctr` tool with more practical features: - Automatic restarting - Port forwarding - Logging - Rootless - Stargz - OCIcrypt - … You may copy the code as the “starter pack” to create your own client :)
containerd 1.5 updates and future plan Akihiro Suda, NTT Corporation
containerd 1.5 updates (April) ● Support zstd as an image compression algorithm ○ Faster than gzip ○ https://facebook.github.io/zstd/ ● Support NRI: Node Resource Interface ○ Akin to CNI, but for managing resources, e.g., cgroup ○ https://github.com/containerd/nri ● Enable OCIcrypt decryption by default ○ Supported since 1.3, but it was not enabled by default ○ https://github.com/containers/ocicrypt https://github.com/containerd/imgcrypt ● nerdctl (contaiNERD ctl) joined containerd, as a non-core subproject ○ Docker-compatible CLI but with stargz and ocicrypt ○ https://github.com/containerd/nerdctl
containerd 1.5 updates (April) ● The CRI plugin repo (github.com/containerd/cri) is now merged into the main repo (github.com/containerd/containerd) ○ No visible change to users, but significantly simplifies contribution process ● Client library is now available as a Go module
Future plan ● Filesystem quota (#759) ● CRI support for user namespaces (KEP #2101) ○ Run Kubernetes pods as a user that is different from the daemon user ○ Akin to “Rootless Containers”, but different (and does not conflict, either) ● Chown-less user namespaces (#4734) ○ Requires idmapped mounts, introduced in kernel 5.12 ● Pause-less pod sandboxes (#4131) ● More documentation (help wanted! 🙏)
Third party plugin updates ● Nydus Snapshotter https://github.com/dragonflyoss/image-service ○ Similar to Stargz Snapshotter but with a different image format ● OverlayBD Snapshotter https://github.com/alibaba/accelerated-container-image ○ Boot containers from iSCSI ● runu https://github.com/ukontainer/runu ○ Linux containers on macOS, using LKL (Linux Kernel Library) ● runj https://github.com/samuelkarp/runj ○ FreeBSD containers
Recap ● The de facto standard runtime for Kubernetes, but not only for Kubernetes ● Extensible with plugins ○ Runtime plugins, e.g., gVisor, Kata ○ Snapshotter plugins, e.g., Stargz Snapshotter ○ Stream processor plugins, e.g., OCIcrypt ○ Logging binary plugins, e.g., json-file ○ ... ● New subproject: nerdctl (https://github.com/containerd/nerdctl) ○ Like `docker` but with full features of containerd ○ Like `ctr` but with full user experience of `docker` ○ nerdctl run -d -p 80:80 --restart=always nginx
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd

Recomendados

[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep DiveAkihiro Suda
 
Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph Community
 
How OpenShift SDN helps to automate
How OpenShift SDN helps to automateHow OpenShift SDN helps to automate
How OpenShift SDN helps to automateIlkka Tengvall
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installationRobert Bohne
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能Kohei Tokunaga
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
 
GlusterFS CTDB Integration
GlusterFS CTDB IntegrationGlusterFS CTDB Integration
GlusterFS CTDB IntegrationEtsuji Nakai
 
Red Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageRed Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageGreg Hoelzer
 

Recomendados

[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep DiveAkihiro Suda
 
Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph Community
 
How OpenShift SDN helps to automate
How OpenShift SDN helps to automateHow OpenShift SDN helps to automate
How OpenShift SDN helps to automateIlkka Tengvall
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installationRobert Bohne
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能Kohei Tokunaga
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
 
GlusterFS CTDB Integration
GlusterFS CTDB IntegrationGlusterFS CTDB Integration
GlusterFS CTDB IntegrationEtsuji Nakai
 
Red Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageRed Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageGreg Hoelzer
 
Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitNTT Software Innovation Center
 
Redhat ha cluster with pacemaker
Redhat ha cluster with pacemakerRedhat ha cluster with pacemaker
Redhat ha cluster with pacemakerIndika Dias
 
コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門Kohei Tokunaga
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesKublr
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisorChing-Hsuan Yen
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionHao Fan
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking ShapeBlue
 
Ceph Block Devices: A Deep Dive
Ceph Block Devices: A Deep DiveCeph Block Devices: A Deep Dive
Ceph Block Devices: A Deep DiveRed_Hat_Storage
 
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red HatMultiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red HatOpenStack
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPCDocker, Inc.
 
Docker Hub: Past, Present and Future by Ken Cochrane & BC Wong
Docker Hub: Past, Present and Future by Ken Cochrane & BC WongDocker Hub: Past, Present and Future by Ken Cochrane & BC Wong
Docker Hub: Past, Present and Future by Ken Cochrane & BC WongDocker, Inc.
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rookRohan Gupta
 
Block Storage For VMs With Ceph
Block Storage For VMs With CephBlock Storage For VMs With Ceph
Block Storage For VMs With CephThe Linux Foundation
 
Ceph and RocksDB
Ceph and RocksDBCeph and RocksDB
Ceph and RocksDBSage Weil
 
Starting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesStarting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesKohei Tokunaga
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 
Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Jérôme Petazzoni
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetesKrishna-Kumar
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRIDocker, Inc.
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013dotCloud
 

Más contenido relacionado

La actualidad más candente

Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitNTT Software Innovation Center
 
Redhat ha cluster with pacemaker
Redhat ha cluster with pacemakerRedhat ha cluster with pacemaker
Redhat ha cluster with pacemakerIndika Dias
 
コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門Kohei Tokunaga
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesKublr
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisorChing-Hsuan Yen
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionHao Fan
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking ShapeBlue
 
Ceph Block Devices: A Deep Dive
Ceph Block Devices: A Deep DiveCeph Block Devices: A Deep Dive
Ceph Block Devices: A Deep DiveRed_Hat_Storage
 
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red HatMultiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red HatOpenStack
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPCDocker, Inc.
 
Docker Hub: Past, Present and Future by Ken Cochrane & BC Wong
Docker Hub: Past, Present and Future by Ken Cochrane & BC WongDocker Hub: Past, Present and Future by Ken Cochrane & BC Wong
Docker Hub: Past, Present and Future by Ken Cochrane & BC WongDocker, Inc.
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rookRohan Gupta
 
Ceph and RocksDB
Ceph and RocksDBCeph and RocksDB
Ceph and RocksDBSage Weil
 
Starting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesStarting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesKohei Tokunaga
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 
Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Jérôme Petazzoni
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetesKrishna-Kumar
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 

La actualidad más candente (20)

Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKit
 
Redhat ha cluster with pacemaker
Redhat ha cluster with pacemakerRedhat ha cluster with pacemaker
Redhat ha cluster with pacemaker
 
コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on Kubernetes
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
 
Ceph Block Devices: A Deep Dive
Ceph Block Devices: A Deep DiveCeph Block Devices: A Deep Dive
Ceph Block Devices: A Deep Dive
 
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red HatMultiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPC
 
Docker Hub: Past, Present and Future by Ken Cochrane & BC Wong
Docker Hub: Past, Present and Future by Ken Cochrane & BC WongDocker Hub: Past, Present and Future by Ken Cochrane & BC Wong
Docker Hub: Past, Present and Future by Ken Cochrane & BC Wong
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rook
 
Block Storage For VMs With Ceph
Block Storage For VMs With CephBlock Storage For VMs With Ceph
Block Storage For VMs With Ceph
 
Ceph and RocksDB
Ceph and RocksDBCeph and RocksDB
Ceph and RocksDB
 
Starting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesStarting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of Images
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
 
Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
 

Similar a [KubeCon EU 2021] Introduction and Deep Dive Into Containerd

containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRIDocker, Inc.
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013dotCloud
 
LXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software DeliveryLXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software DeliveryDocker, Inc.
 
Looking Under The Hood: containerD
Looking Under The Hood: containerDLooking Under The Hood: containerD
Looking Under The Hood: containerDDocker, Inc.
 
Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...All Things Open
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilionAkihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdfAkihiro Suda
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Jérôme Petazzoni
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilionAkihiro Suda
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetesDongwon Kim
 
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013dotCloud
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS
 
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka Mario Ishara Fernando
 
Docker - Portable Deployment
Docker - Portable DeploymentDocker - Portable Deployment
Docker - Portable Deploymentjavaonfly
 
Let's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for KubernetesLet's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for KubernetesPhil Estes
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 

Similar a [KubeCon EU 2021] Introduction and Deep Dive Into Containerd (20)

containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013
 
LXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software DeliveryLXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software Delivery
 
Looking Under The Hood: containerD
Looking Under The Hood: containerDLooking Under The Hood: containerD
Looking Under The Hood: containerD
 
Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Containers 101
Containers 101Containers 101
Containers 101
 
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
 
Docker - Portable Deployment
Docker - Portable DeploymentDocker - Portable Deployment
Docker - Portable Deployment
 
Let's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for KubernetesLet's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for Kubernetes
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Docker.pptx
Docker.pptxDocker.pptx
Docker.pptx
 
Docker.ppt
Docker.pptDocker.ppt
Docker.ppt
 
Docker mentorweek
Docker mentorweekDocker mentorweek
Docker mentorweek
 

Más de Akihiro Suda

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_Akihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdfAkihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless PodmanAkihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilionAkihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdfAkihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...Akihiro Suda
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesAkihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilionAkihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with DockerfileAkihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10Akihiro Suda
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較Akihiro Suda
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless ModeAkihiro Suda
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container imagesAkihiro Suda
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 

Más de Akihiro Suda (20)

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
 

Último

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 

Último (20)

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 

[KubeCon EU 2021] Introduction and Deep Dive Into Containerd

  • 1. Kohei Tokunaga & Akihiro Suda, NTT Corporation Introduction and Deep Dive Into Containerd
  • 2. Introduction to containerd Kohei Tokunaga, NTT Corporation
  • 3. Overview ● CNCF graduated container runtime project ● Resource manager • Container process • Image artifacts • Filesystem snapshots • Metadata and dependencies management ● Tightly scoped (100% approval is required to stretch) but highly extensible ● Used by Kubernetes, Docker and various container-based projects https://github.com/containerd/containerd
  • 4. Usage in community ● Managed: GKE, AWS Fargate, AKS, IKS ● Development: Docker/moby, BuildKit ● K8s distribution: k3s, kind、minikube, kubespray, microk8s, k0s ● FaaS: faasd Adoption https://sysdig.com/blog/sysdig-2021-contai ner-security-usage-report/ ● Docker’s use of containerd + pure use of containerd is 83% of container usage (Sysdig 2021 container security and usage report) ● Used by several managed services as well as open source projects in community
  • 5. How containerd is used? Low-level runtime kubelet CRI Low-level runtime containerd API dockerd Low-level runtime containerd API Arbitrary tools As a CRI runtime As a component of Docker As a general container management tool
  • 6. Containerd as a CRI runtime Container Registry kubectl apply Detects Pod events Manages Pods using CRI runtime • Manages Pods, containers and images • Pulls image from the registry • Executes low-level runtimes Creates and manipulates isolated execution environments as containers e.g. runc, gVisor, Kata Containers Node Low-level runtime apiserver kubelet CRI pull The de facto standard CRI runtime for Kubernetes ● Managed Kubernetes: IKS, GKE, AKS, AWS Fargate, … ● Kubernetes distributions: K3s, kind, minikube, kubespray, microk8s, k0s, ...
  • 7. Containerd as a component of Docker Container Registry docker run Manages containers, images, networking and volumes, etc. Low-level runtime • Manages containers • Executes low-level runtimes containerd API dockerd Node pull/push Docker API Creates and manipulates isolated execution environments as containers e.g. runc, gVisor, Kata Containers
  • 8. Containerd as a general container management tool ● Several applications are developed based on containerd ● Containerd provides a Go client library (discussed later) ● Applications can extend containerd with plugins, without recompilation (discussed later) Applications managing containers Low-level runtime Provides container management functionality to upper tools containerd API BuildKit faasd Pouch Container nerdctl Creates and manipulates isolated execution environments as containers e.g. runc, gVisor, Kata Containers
  • 10. Containerd Architecture OS plugins container image tasks namespace leases version introspection events diff Server runtimes Client containerd API Kubelet CRI ● Client-server architecture • Go client library (used by Docker, BuildKit, etc.) ● Client calls server via containerd API • Through /run/containerd/containerd.sock ● Various low-level runtimes are supported • OCI runtimes (runc, gVisor, Kata Container, etc) • Firecracker (firecracker-containerd) ● Extensibility • Low-level plugins • Extending containerd API with custom services • Client library is easy to customize
  • 11. Containerd Client ● “Smart” Client (Go library) • Containerd API bindings • Registry client • Pulling/Pushing images • Image unpacker • Creating OCI config for OCI runtimes ● Go application can integrate with containerd using client library OS container image tasks namespace leases version introspection events diff container image Etc… namespace leases content snapshots events tasks Registry client Image unpacker events OCI config constructor Server plugins runtimes API bindings Utilities Utilities
  • 12. Containerd Client Implementations OS container image tasks namespace leases version introspection events diff Server plugins runtimes ctr, nerdctl, Docker, etc containerd API Client lib ● ctr: https://github.com/containerd/containerd • CLI client for containerd • Mainly for debugging or trying new features ● nerdctl: https://github.com/containerd/nerdctl • Docker-compatible CLI for containerd • Easy to use for Docker users • Supports containerd’s cutting-edge features (e.g. lazy pulling, image encryption) ● containerd-based tools • Arbitrary tools can integrate to containerd using client library • e.g. Docker, BuildKit, faasd
  • 13. Containerd Core & API container image etc… namespace leases content snapshots CRI tasks Metadata store OS Container management Image management Container execution Shared DB among services shim OCI CRI ● Micro services • Containerd API is the set of APIs of services • Services are loosely connected ● Shared metadata DB • bbolt-based • https://github.com/etcd-io/bbolt • Stores metadata of containers, images, contents, snapshots, etc. • Manages reference graph for GC
  • 14. CRI Service NRI Plugin Image Service Container Service Image service Runtime service Task Service CNI Plugin Containerd client ・・・ CNI client NRI client ● CRI service implements CRI of Kubernetes ● Implemented as a builtin service • Initially repo and binary were separated from containerd • Merged to containerd/containerd since 1.5 ● Depends on other services for container & image management • Communicates via function call ● Uses external CNI/NRI plugins for networking and resource management plugins kubelet CRI service Pod namespace container container Registry pull
  • 15. Low-level Services OS container image etc… namespace leases content snapshots CRI tasks C o n t e n t s t o r e S n a p s h o t t e r R u n t i m e ● Content Store • Stores image manifest and layers “as-is” • content addressable (keyed by digest) ● Snapshotter • Manages ”snapshots” • Extracted and stacked view of rootfs layers • Passed to OCI runtimes as rootfs • Snapshotter impl. per backing filesystem • Overlayfs, btrfs, aufs, FUSE, … ● Runtime • Executes low-level runtimes via “shim” • Shim is a wrapper daemon of OCI runtime • Well-suit to stateful runtimes (e.g. Kata Containers)
  • 16. Image content flow unpacker Content Store Diff Service Snapshotter Unpack layers extracted snapshots Task & Runtime Store layer blobs “as-is” Decompression Decryption etc… Mount snapshots as rootfs rootfs of a container remote container & task service API bindings ・・・ Registry pull containerd client utilities
  • 18. Extending containerd with plugins and services OS container image etc… namespace leases content snapshots CRI tasks shim OCI plugins plugins s h i m ● containerd is tightly scoped but highly extensible ● Custom low-level service; no need to recompile • external binary plugins • Plugin via unix socket (proxy snapshotter, proxy content store) • Plugin as an executable binary (stream processor, shim) • Go plugin ● API is extendable by implementing your own custom service • e.g. ”control API” of firecracker-containerd
  • 19. Extension example 1: Lazy pulling ● Remote snapshotter plugin • allows “lazy pulling” of images from arbitrary remote store (not limited to the registry) • container can startup without waiting for the entire image contents being locally available ● Snapshotter can run as an external daemon (proxy snapshotter) • No re-compilation is required • Containerd talks with the snapshotter via unix socket ● Stargz Snapshotter enables lazy pulling of OCI-compatible eStargz/Stargz images from standard registry • https://github.com/containerd/stargz-snapshotter Arbitrary remote store proce ss container Remote Snapshotter Node Provides rootfs snapshots as mount points Remote Snapshotters in community - Stargz Snapshotter - CVMFS-snapshotter - Nydus-snapshotter - OverlayBD-snapshotter
  • 20. Extension example 2: Generic image layers ● Containerd can handle arbitrary image layers, not limited to OCI standards • gzip, zstd, encrypted layers… ● Stream Processor plugin converts arbitrary media type to another (e.g. OCI standard types) ● Separated binary can plug into containerd, without re-compilation Stream Processor in community - imgcrypt for encrypted images e.g. layer decription Image layers Rootfs snapshots ・・・ Builtin decompressor Plugin binary Diff Service
  • 21. Extension example 3: Integrating low-level runtimes ● V2 Shim per low-level runtime ● Both of OCI (e.g. runc) and Non-OCI (e.g. Firecracker) runtime can integrate to containerd ● Binary naming convention: io.containerd.runc.v2 -> containerd-shim-runc-v2 ● Pluggable logging destination • fifo(Linux), npipe(Windows), external binary(Linux, Windows), file(Linux, Windows) runc Kata Containers gVisor Firecracker io.containerd.runc.v2 io.containerd.kata.v2 io.containerd.runsc.v1 io.containerd.aws-firecracker Low-level Runtimes in community V2 shims in community Runtime service
  • 22. Implementing your own containerd client Akihiro Suda, NTT Corporation
  • 23. Two APIs are available containerd API is recommended for most use cases, but CRI API might be easier to get started Implementing your own containerd client containerd API CRI API Consumers Docker/Moby, BuildKit, faasd, nerdctl... Kubernetes Paradigm Container-oriented Pod-oriented Flexibility Good Bad Simplicity Bad Good Transportation gRPC over UNIX socket gRPC over UNIX socket
  • 24. Implementing your own containerd client ● Both containerd API and CRI API use gRPC ● In theory you could use any language for your own client ● But containerd API depends on “smart client” written in Go, especially for pulling images ● So, currently, Go is the best language for Native API ● Contribution is wanted for other languages
  • 25. Implementing your own containerd client Example: https://containerd.io/docs/getting-started/
  • 26. Implementing your own containerd client Example: https://containerd.io/docs/getting-started/
  • 27. Implementing your own containerd client Example: https://containerd.io/docs/getting-started/ You will add WithXXX options here: - oci.WithProcessArgs - oci.WithMounts - oci.WithMemoryLimit - seccomp.WithProfile - ...
  • 28. Implementing your own containerd client In addition to the client, you will also want to implement OCI hooks and logger binary ● OCI Hooks: custom commands called on creation and deletion of containers ○ e.g., for setting up and tearing down CNI bridge and portmap ○ Optional, but necessary if you want your containers to be restarted automatically on host reboot ○ Example: https://github.com/containerd/nerdctl/blob/v0.7.2/run.go#L629-L663 ● Logger Binary: custom command for handling container logs ○ e.g., store as a local file, transfer to fluentd, … ○ Example: https://github.com/containerd/nerdctl/blob/v0.7.2/run.go#L618-L627
  • 29. Implementing your own containerd client Full example: nerdctl https://github.com/containerd/nerdctl Spun out from `ctr` tool with more practical features: - Automatic restarting - Port forwarding - Logging - Rootless - Stargz - OCIcrypt - … You may copy the code as the “starter pack” to create your own client :)
  • 30. containerd 1.5 updates and future plan Akihiro Suda, NTT Corporation
  • 31. containerd 1.5 updates (April) ● Support zstd as an image compression algorithm ○ Faster than gzip ○ https://facebook.github.io/zstd/ ● Support NRI: Node Resource Interface ○ Akin to CNI, but for managing resources, e.g., cgroup ○ https://github.com/containerd/nri ● Enable OCIcrypt decryption by default ○ Supported since 1.3, but it was not enabled by default ○ https://github.com/containers/ocicrypt https://github.com/containerd/imgcrypt ● nerdctl (contaiNERD ctl) joined containerd, as a non-core subproject ○ Docker-compatible CLI but with stargz and ocicrypt ○ https://github.com/containerd/nerdctl
  • 32. containerd 1.5 updates (April) ● The CRI plugin repo (github.com/containerd/cri) is now merged into the main repo (github.com/containerd/containerd) ○ No visible change to users, but significantly simplifies contribution process ● Client library is now available as a Go module
  • 33. Future plan ● Filesystem quota (#759) ● CRI support for user namespaces (KEP #2101) ○ Run Kubernetes pods as a user that is different from the daemon user ○ Akin to “Rootless Containers”, but different (and does not conflict, either) ● Chown-less user namespaces (#4734) ○ Requires idmapped mounts, introduced in kernel 5.12 ● Pause-less pod sandboxes (#4131) ● More documentation (help wanted! 🙏)
  • 34. Third party plugin updates ● Nydus Snapshotter https://github.com/dragonflyoss/image-service ○ Similar to Stargz Snapshotter but with a different image format ● OverlayBD Snapshotter https://github.com/alibaba/accelerated-container-image ○ Boot containers from iSCSI ● runu https://github.com/ukontainer/runu ○ Linux containers on macOS, using LKL (Linux Kernel Library) ● runj https://github.com/samuelkarp/runj ○ FreeBSD containers
  • 35. Recap ● The de facto standard runtime for Kubernetes, but not only for Kubernetes ● Extensible with plugins ○ Runtime plugins, e.g., gVisor, Kata ○ Snapshotter plugins, e.g., Stargz Snapshotter ○ Stream processor plugins, e.g., OCIcrypt ○ Logging binary plugins, e.g., json-file ○ ... ● New subproject: nerdctl (https://github.com/containerd/nerdctl) ○ Like `docker` but with full features of containerd ○ Like `ctr` but with full user experience of `docker` ○ nerdctl run -d -p 80:80 --restart=always nginx