[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose implementation, based on containerd

1. nerdctl: yet another Docker & Docker Compose implementation, based on containerd
   Akihiro Suda, NTT
   Paris Container Day (June 2-3, 2021)
   github.com/containerd/nerdctl

2. What is nerdctl?
   • Docker-compatible CLI for containerd
   • Same UI/UX as Docker & Docker Compose
   • Supports lazy-pulling (Stargz)
   • Supports encrypted images (OCIcrypt)
   • Also supports rootless mode, of course ☺

3. Demo
   $ nerdctl run …
   $ nerdctl compose up …

4. What is containerd?
   • The universal container runtime
   • Used by Docker, Kubernetes, BuildKit, faasd, etc.
   [Diagram: Docker, Kubernetes and nerdctl sit on top of containerd, which drives runc on the Linux kernel]

5. Why another Docker-like CLI?
   • Docker partially uses containerd, but not fully
   • Docker cannot support recent innovations in the containerd ecosystem
     • Lazy-pulling (Stargz)
     • Encryption (OCIcrypt)
     • …

6. Why another Docker-like CLI?
   [Diagram: containerd's runtime subsystem (runc) and image subsystem (Stargz, OCIcrypt); Docker sits on the runtime subsystem only, nerdctl uses both, so Stargz and OCIcrypt are unavailable for Docker]

7. Why another Docker-like CLI?
   • So we had to create a new CLI for the containerd-native ecosystem
   • Designed to be Docker-compatible so that users do not need to learn something new
8. What about ctr? crictl?
   • ctr: the CLI included in containerd
   • crictl: the CLI for the Kubernetes CRI API
   • Unlike nerdctl, ctr and crictl were made solely for debugging purposes

9. What about ctr? crictl?
   • ctr lacks lots of features
     • docker run -p
     • docker run --restart=always
     • docker pull with ~/.docker/config.json
     • docker logs
     • …
   • crictl has similar restrictions, too
   • nerdctl provides all of these features

10. Is the goal to defeat Docker…?
   • No
   • The goal is to provide a comfortable environment for playing around with the modern ecosystem of containerd
     • Lazy-pulling, OCIcrypt, …
   • These features are expected to be available in Docker as well, eventually (but not soon)
     https://github.com/moby/moby/pull/41002

11. Lazy-pulling
   • Lazy-pulling means starting a container before the pull of its image from the registry has completed
   • With a new image format: eStargz
     • Forked from Stargz: Seekable tar.gz (https://github.com/google/crfs)
     • Compatible with the legacy Docker/OCI format
   • https://github.com/containerd/stargz-snapshotter
12. Lazy-pulling
   [Benchmark chart: https://github.com/containerd/stargz-snapshotter/blob/v0.6.1/docs/images/benchmarking-result-ecdb227.png]

13. Demo: lazy-pulling
   $ nerdctl --snapshotter=stargz …
14. OCIcrypt
   • Transparently encrypts and decrypts images
   • Tolerant to leakage of private images from a registry: the encrypted layers are unreadable without the decryption key
   • https://github.com/containers/ocicrypt
15. nerdctl on macOS (for Linux containers)
   • Lima: Linux virtual machines on macOS (the name may change in future)
     https://github.com/AkihiroSuda/lima
   • Made for containerd & nerdctl
   • Supports filesystem sharing & port forwarding
   • Similar to WSL2

16. Demo: nerdctl on macOS
   $ lima start
   $ lima nerdctl run …

17. nerdctl on macOS (for Linux containers)
   • Hypervisor: QEMU with the HVF accelerator
     • Intel Mac: no patch is needed
     • ARM Mac: QEMU needs to be patched
       https://lists.gnu.org/archive/html/qemu-devel/2021-05/msg06220.html
   • File system sharing
     • Current implementation: "Reverse SSHFS" (sshfs -o slave)
     • Future: virtio-9p-pci
   • Port forwarding
     • The guest agent daemon watches /proc/net/tcp every 3 seconds
     • The host agent runs `ssh -L` on demand to set up port forwarding
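The port-forwarding mechanism on slide 17 (guest agent polls /proc/net/tcp, host agent opens `ssh -L` on demand), written out as an added example; this is not Lima's or nerdctl's code. The /proc/net/tcp content is constructed for the example, the ssh argv shape and the "lima-default" host alias are assumptions, and the rule that ports below 1024 are not forwarded is this example's choice, reflecting the same unprivileged-port restriction slide 21 mentions for rootless mode.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample of /proc/net/tcp (not captured from a real machine): a LISTEN
// socket on 0.0.0.0:8080 (st 0A), one on 127.0.0.1:22, and an ESTABLISHED
// connection (st 01) that a port forwarder must ignore.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:C350 0A000202:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
`

const tcpStateListen = "0A" // value of the "st" column for LISTEN sockets

// ListenEntry is one listening TCP socket found in /proc/net/tcp.
type ListenEntry struct {
	IP   net.IP
	Port uint16
}

func (e ListenEntry) String() string { return fmt.Sprintf("%s:%d", e.IP, e.Port) }

// parseHexAddr decodes the "AABBCCDD:PPPP" local_address field. The address bytes are
// in the kernel's host byte order (little-endian on x86 and arm), so 0100007F is
// 127.0.0.1; the port is ordinary hex.
func parseHexAddr(s string) (net.IP, uint16, error) {
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 {
		return nil, 0, fmt.Errorf("malformed address %q", s)
	}
	b, err := hex.DecodeString(parts[0])
	if err != nil || len(b) != 4 {
		return nil, 0, fmt.Errorf("bad IPv4 field %q", parts[0])
	}
	port, err := strconv.ParseUint(parts[1], 16, 16)
	if err != nil {
		return nil, 0, fmt.Errorf("bad port field %q", parts[1])
	}
	return net.IPv4(b[3], b[2], b[1], b[0]), uint16(port), nil
}

// ParseListening returns the LISTEN sockets from /proc/net/tcp content, in file order;
// this is the scan the guest agent repeats every 3 seconds.
func ParseListening(content string) ([]ListenEntry, error) {
	var out []ListenEntry
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 0; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if n == 0 || len(f) < 8 || f[3] != tcpStateListen {
			continue // header line, short line, or not LISTEN
		}
		ip, port, err := parseHexAddr(f[1])
		if err != nil {
			return nil, err
		}
		out = append(out, ListenEntry{IP: ip, Port: port})
	}
	return out, sc.Err()
}

// Diff reports listeners that appeared or vanished between two polls: each added
// entry starts an ssh -L forward on the host, each removed entry stops one.
func Diff(prev, cur []ListenEntry) (added, removed []ListenEntry) {
	seen := func(es []ListenEntry) map[string]bool {
		m := map[string]bool{}
		for _, e := range es {
			m[e.String()] = true
		}
		return m
	}
	p, c := seen(prev), seen(cur)
	for _, e := range cur {
		if !p[e.String()] {
			added = append(added, e)
		}
	}
	for _, e := range prev {
		if !c[e.String()] {
			removed = append(removed, e)
		}
	}
	return added, removed
}

// Forwardable is this example's filter: an unprivileged host agent cannot bind host
// ports below 1024, which also keeps the guest's own sshd on 22 from being forwarded.
func Forwardable(e ListenEntry) bool { return e.Port >= 1024 }

// ForwardArgs builds an ssh argv that binds e.Port on the host and connects to the
// same port on the guest's loopback (a 0.0.0.0 listener is reachable there too).
// The argv shape and the sshHost alias are assumptions of this example, not Lima's.
func ForwardArgs(e ListenEntry, sshHost string) []string {
	return []string{"ssh", "-N", "-L", fmt.Sprintf("%d:127.0.0.1:%d", e.Port, e.Port), sshHost}
}

func main() {
	cur, _ := ParseListening(sampleProcNetTCP) // a real agent re-reads /proc/net/tcp every 3 s
	added, _ := Diff(nil, cur)                 // first poll: every listener is new
	for _, e := range added {
		if Forwardable(e) {
			fmt.Println(strings.Join(ForwardArgs(e, "lima-default"), " "))
		}
	}
}
```

Running it on the constructed sample prints only the 8080 forward; the loopback sshd on port 22 is parsed but filtered out, and the ESTABLISHED row never reaches the forwarder because its "st" column is not 0A.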
18. nerdctl on Windows
   • Known to work on WSL2 for running Linux containers
   • Native support for Windows is in progress (thanks to James Sturtevant)
     https://github.com/containerd/nerdctl/pull/197

19. Recap
   • Docker-compatible CLI for containerd
   • Same UI/UX as Docker & Docker Compose
   • Supports lazy-pulling (Stargz)
   • Supports encrypted images (OCIcrypt)
   • Also supports rootless mode, of course ☺

20. Getting started
   • https://github.com/containerd/nerdctl/releases
   • nerdctl-full-<VERSION>-linux-amd64.tar.gz contains all the dependencies (containerd, runc, …)
21. Getting started
   Rootful:
   $ sudo systemctl enable --now containerd
   $ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine

   Rootless (more secure):
   $ containerd-rootless-setuptool.sh install
   $ nerdctl run -d --name nginx -p 8080:80 nginx:alpine
   (Host ports below 1024 are privileged, so 80:80 is typically prohibited for non-root users; use 8080:80, or lower net.ipv4.ip_unprivileged_port_start if port 80 is really needed)
22. Further information
   • https://github.com/containerd/nerdctl
   • #containerd channel of CNCF slack (https://slack.cncf.io)

23. Thanks to contributors!
   Fahed Dorgaa, Shishir Mahajan, Sho Haraki, Wei Fu, Dax McDonald, Kohei Tokunaga, Jack Kelly, Andrey Platonov, James Sturtevant, Sherif Mowafy, Alex Ellis, Matt Thalman, Hu Shuai, Jian Zeng, Harshvardhan Karn, Gaurav Gahlot
   https://github.com/containerd/nerdctl/graphs/contributors
