A talk given at Cloud Native London meetup, February 6, 2018 on the role of container runtimes in Kubernetes, the introduction of the Container Runtime Interface (CRI), and the history of containerd and it's use as a CRI implementing container runtime for Kubernetes.

1. Whose Job Is It
Anyway?
The role of container runtimes,
the CRI, and Kubernetes

2. Hello!
Phil Estes
> Office of the CTO
> IBM Watson & Cloud Platform
> Docker Captain
> Containerd and Moby Project
maintainer
2

3. 1.
Kubernetes &
Runtimes
A quick history

4. @estesp
Kubernetes is an Orchestrator
▪ Kubernetes has no code to execute or run
containers on Linux or Windows
▪ Initially the Kubernetes pod manager
(called “kubelet”) had direct linkage to the
Docker engine
4
kubelet dockershim dockerd
containerd
runc
https://github.com/kubernetes/kubernetes/tree/release-1.4/pkg/kubelet/dockershim

5. Runtime specification
Image specification
runC implementation
2013 2014 2015 2016 2017
Garden-runC
Guardian project
K8sCRI
*[0.2.x branch]
*[1.0 branch]
5

6. 2.
Kubernetes
CRI
The Container Runtime Interface

7. @estesp
Kubernetes Announces the CRI
7
http://blog.kubernetes.io/2016/12/container-runtime-interface-cri-in-kubernetes.html

8. @estesp
The CRI gRPC API
▪ Includes container lifecycle operations
(start, stop, pause, unpause, delete)
▪ Includes K8s pod-centric operations
(start/stop pod, status of pod, remove)
▪ Requires simple image operations (pull,
list, status, remove)
▪ Requires some basic administrative
functions (exec, attach, ports, logs, stats)
8
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto

9. @estesp
So, who implements the CRI today?
▪ Docker, containerd, rkt, frakti, cri-o
□ Future: Kata containers?
9
kubelet
dockershim
dockerd
kubelet
cri-containerd
containerd
kubelet
cri-o
runc
kubelet
frakti
runV dockerd
kubelet --container-runtime {string}
--container-runtime-endpoint {string}

10. 3.
Containerd &
CRI-Containerd
Containerd as a runtime for K8s

11. @estesp
runc
containerd
Why Containerd 1.0?
▪ Continue projects spun out from
monolithic Docker engine
▪ Expected use beyond Docker
engine (Kubernetes CRI)
▪ Donation to foundation for broad
industry collaboration
□ Similar to runc/libcontainer
and the OCI

12. @estesp
Technical Goals/Intentions
▪ Clean gRPC-based API + client library
▪ Full OCI support (runtime and image spec)
▪ Stability and performance with tight,
well-defined core of container function
▪ Decoupled systems (image, filesystem,
runtime) for pluggability, reuse

13. @estesp
Containerd Architecture
Runtimes
Metadata
ContainersContent DiffSnapshot Tasks EventsImages
GRPC Metrics
Runtimes
Storage
OS

14. @estesp
Release Process
https://github.com/containerd/containerd/blob/master/RELEASES.md
Latest Release: v1.0.2 (-rc.1 will release in the next day)
Key Points:
▪ Using SemVer
▪ Major releases have a support horizon with backported
fixes
□ Already proven out post-1.0.0 with 2 releases
▪ Next release (v1.1) plans will include Windows container
runtime support and other enhancements
▪ Stability and compatibility provided for & documented

15. @estesp
▪ Containerd is a member project
within the Cloud Native
Computing Foundation (CNCF)
▪ The Moby project governance,
adopted in Q42017 is not a
BDFL model
▪ The newly formed Moby
Technical Steering Committee
(TSC) oversees Moby projects
▪ Broad base of contributors,
and growing
TOP TEN CONTRIBUTORS
1. Docker
2. Google
3. NTT
4. Tesla*
5. IBM
6. ZTE
7. Microsoft
8. Red Hat**
9. Huawei
10. Amazon Web Services
* Former Docker maintainer left for Tesla
** Red Hat contributions mostly prior to 1.0 codebase
Project Contributors

16. @estesp
Users
- CURRENT
- Docker (moby)
- Kubernetes
(cri-containerd)
- SwarmKit
- LinuxKit
- BuildKit
- PLANNING/DEVELOPING
- CloudFoundry
(Garden-runC)
- Apache OpenWhisk
- Puppet R&D
- {your project here}

17. @estesp
kubelet
kubelet
dockershim (CRI)
Docker engine
containerd
containerd-shim
containerd-shim
containerd-shim
runc
runc
runc
containerd
containerd-shim
containerd-shim
containerd-shim
runc
runc
runc
cri plugin
containerd
cri-containerd
ttrpc: very lightweight
gRPC protocol format
Kubernetes CRI Runtimes:
Docker vs. cri-containerd
( **NOTE: Cri-container project merged into containerd
GitHub project in January 2018; will become a plugin
within the containerd binary )
**
17

18. @estesp
Containerd Benefits
● Designed and implemented with broad
usage as a core container runtime in mind:
○ Docker, LinuxKit, Kubernetes and
embedded core runtime use cases
(OpenWhisk, Cloud Foundry)
● Stress testing validating stability and
performance guarantees 24/7
● Attention to detail re: Go/gRPC APIs for
usability and ease of embedding
● Focus on compatibility guarantees; bug fix
backports for high level of support on major
version levels

19. Source: https://github.com/kelseyhightower/kubernetes-the-hard-way
▪ Requires runc and containerd to be
installed (distro packaging lagging
these projects)
▪ CRI-Containerd project has been
doing binary releases with
dependencies included (future TBD)
▪ No requirement for Docker engine
installation on worker nodes at all
▪ LinuxKit also using (and providing)
this configuration in their default
Kubernetes project:
▪ “make all KUBE_RUNTIME=cri-containerd”
▪ See: https://github.com/linuxkit/kubernetes
Using Containerd in Kubernetes 1.9+

20. @estesp
Summary
▪ Introducing the CRI helped abstract runtime
requirements from a specific container engine
▪ The CRI now gives Kubernetes admins
and/or cluster creators a choice for container
runtime options
▪ Containerd (and its CRI implementation) is
purpose-built for the K8s and Docker stacks
as a high-performance, supported and stable
runtime
20

21. 21
Thanks!
@estesp
github.com/estesp
estesp@gmail.com
https://integratedcode.us
Slack/IRC: estesp