A talk given at FOSDEM 2020 in the containers devroom on the current status of the CNCF containerd project as well as a dive into the ways users are extending and embedding containerd in other platforms and projects.
Extending and embedding: containerd update & project use cases
1. Extending and embedding:
containerd project use cases
A 2020 FOSDEM containerd project update
Phil Estes
Distinguished Engineer & CTO, IBM Cloud Platform
CNCF containerd project maintainer
3. What is containerd
● A “Container runtime”
○ Below platforms (Docker, Kubernetes)
○ Above lower level runtimes (runc, Kata, Firecracker, gVisor)
● Resource Manager
○ Container processes
○ Image artifacts
○ Filesystem snapshots
○ Metadata and dependencies
● Tightly scoped
○ 100% maintainer approval required to increase scope
○ Built-in CRI plugin is the only scope increase
4. State of containerd
● 5th project to graduate within the CNCF - February 2019
● Broad support and contribution from across the ecosystem
○ Over 200 individual contributors; represent > 100 companies
○ 13 maintainers represent 9 different companies
● All major cloud providers using containerd
● Supports Linux and Windows platforms, multiple architectures
● Added sub-projects to governance (Rust-based ttrpc; image encryption)
5. containerd 1.3
● Windows support for shim V2 API
● Device mapper snapshotter (Amazon Firecracker team contribution)
● New plugin interface for processing layers (encryption, compression)
● (CRI) Support for per-pod container shim
6. In progress
● Remote snapshotter for sharing snapshots in a cluster
● cgroups v2
● Windows CRI
● Mount and resource management
● Image encryption
7. Who is using containerd?
● Public Clouds
● Kubernetes Infra
● End Users
● DevOps Tools
● Custom Sandboxes
8. How is containerd used?
● Library
○ Go client API
■ oras, BuildKit, Weaveworks Ignite, IBM Cloud Functions, OpenFaaS “faasd”, Alibaba PouchContainer
○ Extensibility
■ Amazon ECR resolver, Azure Teleport, remote snapshotters [cvmfs, stargz]
○ Imports/Subprojects (cri-o use of containerd/cgroups)
● Kubernetes Runtime
○ CRI-containerd
■ IBM Kubernetes Service, GKE, Ticketmaster, Alibaba, microk8s, KinD, k3s, AWS Fargate
● Daemon
○ Docker, BuildKit
18. Plugins - Backend
- No re-compilation required
- Proxy plugins for content store and snapshotters
- Runtime shims are separate binaries implementing shim interface
24. Runtime shim v2 API
● Minimal and scoped to the execution lifecycle of a container
● Binary naming convention
○ Type io.containerd.runsc.v1 -> Binary containerd-shim-runsc-v1
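
Because a runtime type string selects a separate shim binary by name, it is worth checking which file a given type resolves to and who can modify it. The following Go program is an added example, not code from the talk or from the containerd project: it applies the naming convention above and audits the resolved binary. The directory search list, the function names and the permission checks are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ShimBinaryName applies the slide's convention: the last two dot-separated
// fields of the runtime type become containerd-shim-<name>-<version>.
func ShimBinaryName(runtimeType string) (string, error) {
	parts := strings.Split(runtimeType, ".")
	n := len(parts)
	// Reject empty fields and path separators so a type string can never
	// name a file outside the searched directories.
	if n < 2 || parts[n-2] == "" || parts[n-1] == "" || strings.ContainsAny(runtimeType, `/\`) {
		return "", fmt.Errorf("invalid runtime type %q", runtimeType)
	}
	return fmt.Sprintf("containerd-shim-%s-%s", parts[n-2], parts[n-1]), nil
}

// AuditShim (hypothetical helper) finds the first matching shim in dirs and
// reports whether the binary or its directory is group/world-writable.
func AuditShim(runtimeType string, dirs []string) (string, []string, error) {
	bin, err := ShimBinaryName(runtimeType)
	if err != nil {
		return "", nil, err
	}
	for _, d := range dirs {
		p := filepath.Join(d, bin)
		if fi, err := os.Stat(p); err != nil || fi.IsDir() {
			continue
		}
		var findings []string
		for _, target := range []string{p, d} {
			if ti, err := os.Stat(target); err == nil && ti.Mode().Perm()&0o022 != 0 {
				findings = append(findings, target+" is group/world-writable")
			}
		}
		return p, findings, nil
	}
	return "", nil, fmt.Errorf("%s not found in search dirs", bin)
}

func main() {
	// Assumption: the search list is the PATH of the process running this audit.
	p, findings, err := AuditShim("io.containerd.runsc.v1", filepath.SplitList(os.Getenv("PATH")))
	fmt.Println(p, findings, err)
}
```
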