1.
http://strikr.in/ CC BY NC-SA 4.0
containerD
saifi@acm.org

2.
http://strikr.in/ CC BY NC-SA 4.0
pattern seen in FOSS infra stack
infrastructure
Runtime
Orchestration
Differentiators
Commercial
extensions

3.
http://strikr.in/ CC BY NC-SA 4.0
Docker as an example
InfraKit
containerD
SwarmKit
Docker EE, Store etc.
Plugins
Storage
Networking
API CLI Compose Build
Docker
Content
Trust
Distri-
bution
Auth

4.
http://strikr.in/ CC BY NC-SA 4.0
Docker Engine
● Container platform for
– Complete
– Distributed
– Application
– Life cycle

5.
http://strikr.in/ CC BY NC-SA 4.0
Container engine split
containerD: a daemon born from extracting
the container execution subset of the Docker Engine.

6.
http://strikr.in/ CC BY NC-SA 4.0
What is a 'shim' ?
● A shim is a small library that transparently
– intercepts API calls
– changes the arguments passed
– handles the operation itself or redirects
● Benefit
– Support an old API in a new environment
– Support a new API in a older environment
– Run programs on platform other than they
were developed for

7.
http://strikr.in/ CC BY NC-SA 4.0
containerD
runC
Docker
runC runC
containerD
containerD-shim containerD-shim containerD-shim

8.
http://strikr.in/ CC BY NC-SA 4.0
containerD
● Core container runtime
● The daemon that controls runC

9.
http://strikr.in/ CC BY NC-SA 4.0
ContainerD
● Architecture
– designed to be embedded into a larger
system
– rather than being used directly by developers
or end-users.
● daemon
– exposes gRPC API over a local UNIX socket.
– unix:///var/run/docker/libcontainerd/docker-containerd.sock

10.
http://strikr.in/ CC BY NC-SA 4.0
containerD
● API design
– low-level one designed for higher layers to
wrap and extend.
● CLI
– a barebone CLI (ctr) designed for
development and debugging purpose.
● interface with runC
– uses runC to run containers according to the
OCI specification.

11.
http://strikr.in/ CC BY NC-SA 4.0
RoadMap
Y
Y
Y
Y

12.
http://strikr.in/ CC BY NC-SA 4.0
the promise of containerD 1.0
● Container execution and supervision
● Image distribution
● Network Interfaces Management
● Local storage
● Native plumbing level API
● Full OCI support, including the extended OCI
image specification
Windows – Linux parity
8 months ago

13.
http://strikr.in/ CC BY NC-SA 4.0
the promise of containerD 1.0
● OCI Image Spec support
● OCI Runtime Spec support (aka runC)
● Image push and pull support
● Container runtime and lifecycle support
● Network primitives for creation, modification,
and deletion of interfaces
● Management of network namespaces
containers to join existing namespaces
● Multi-tenant supported with CAS storage for
global images
July 29th
2017

14.
http://strikr.in/ CC BY NC-SA 4.0

15.
http://strikr.in/ CC BY NC-SA 4.0
containerD components

16.
http://strikr.in/ CC BY NC-SA 4.0
ctr shipped with Docker 17.06
$ docker-containerd-ctr --help
NAME:
ctr - High performance container daemon cli
USAGE:
docker-containerd-ctr [global options] command [command options] [arguments...]
VERSION:
0.2.3 commit: cfb82a876ecc11b5ca0977d1733adbe58599088a

17.
http://strikr.in/ CC BY NC-SA 4.0
ctr shipped with Docker 17.06
COMMANDS:
checkpoints list all checkpoints
containers interact with running containers
events receive events from the containerd daemon
state get a raw dump of the containerd state
version return the daemon version
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--debug enable debug output in the logs
--address value proto://address of GRPC API
(default: "unix:///run/containerd/containerd.sock")
--conn-timeout value GRPC connection timeout (default: 1s)
--help, -h show help
--version, -v print the version
unix:///var/run/containerd/containerd.sock

18.
http://strikr.in/ CC BY NC-SA 4.0
ctr (master as of 2017-07-29)
USAGE:
ctr-20170729 [global options] command [command options] [arguments...]
VERSION:
v1.0.0-alpha2-18-g20fa6aee
GLOBAL OPTIONS:
--debug enable debug output in logs
--address value, -a value address for containerd's GRPC server
(default: "/run/containerd/containerd.sock")
--timeout value total timeout for ctr commands (default: 0s)
--connect-timeout value timeout for connecting to containerd (default: 0s)
--namespace value, -n value namespace to use with commands
(default: "default") [$CONTAINERD_NAMESPACE]
--help, -h show help
--version, -v print the version

19.
http://strikr.in/ CC BY NC-SA 4.0
COMMANDS:
apply apply layer from stdin to dir
attach attach to the IO of a running container
checkpoint checkpoint a container
containers, c manage containers (metadata)
content content management
events display containerd events
exec execute additional processes in an existing container
fetch fetch all content for an image into containerd
fetch-object retrieve objects from a remote
images image management
info get info about a container
kill signal a container (default: SIGTERM)
namespaces manage namespaces
pause pause an existing container
pprof provides golang pprof outputs for containerd
ps list processes for container
pull pull an image from a remote
push push an image to a remote
push-object pushes an object to a remote
resume resume a paused container
rootfs rootfs setups a rootfs
run run a container
snapshot snapshot management
tasks, t manage tasks
version print the version
shim interact with a shim directly
help, h shows a list of commands or help for one command

20.
http://strikr.in/ CC BY NC-SA 4.0
ctr usage examples
Start a container say
docker run –interactive –tty alpine:latest /bin/sh
docker-containerd-ctr
--address "/var/run/docker/libcontainerd/docker-containerd.sock"
containers
docker-containerd-ctr
--address "/var/run/docker/libcontainerd/docker-containerd.sock"
containers
exec
--id=346c1b7bbb04b760032557e1324a4027ec0055ea84dca109134c02e03dc1242c
--pid=20
--cwd=/ -a /bin/ps aux
docker-containerd-ctr
--address "/var/run/docker/libcontainerd/docker-containerd.sock"
state 346c1b7bbb04b760032557e1324a4027ec0055ea84dca109134c02e03dc1242c

21.
http://strikr.in/ CC BY NC-SA 4.0
the promise of containerD 1.0
https://github.com/containerd/containerd/milestones
July 29th
2017
0630 IST

22.
http://strikr.in/ CC BY NC-SA 4.0
containerD in the ecosystem
SmartOS
containerD
Swarm
Docker
$$
Linux Solaris Windows MacOS
Pivotal
$$
Mesos
DC/OS
$$
k8s
$$
OpenShift
Google
Swarm
Azure
$$
Cloud Foundry
BlueMix
$$
Your
own
Mesos k8s ECS
AWS
$$

23.
http://strikr.in/ CC BY NC-SA 4.0
containerD in the ecosystem
containerD
Swarm
Docker
$$
Pivotal
$$
Mesos
DC/OS
$$
k8s
$$
OpenShift
Google
Swarm
Azure
$$
Cloud Foundry
BlueMix
$$
Your
own
Mesos k8s ECS
AWS
$$
SmartOS Linux Solaris Windows MacOS
OCI
(Open Container Initiative)

24.
http://strikr.in/ CC BY NC-SA 4.0
runC
● universal runtime for OS Containers
● CLI tool for spawning and running containers
according to the OCI specification.

25.
http://strikr.in/ CC BY NC-SA 4.0
runC
● a CLI tool for spawning and running containers
according to the OCI specification.
● runC
– Depends on runtime-spec repo
– Supports Linux platform only
– Must be built with Go 1.6+
– Executes build tags for features
– Linux kernel 4.3+
– Uses 'vndr' for dependency management

26.
http://strikr.in/ CC BY NC-SA 4.0
runC
rootfs
config.json
runC
Container executed
Containers are configured using bundles.
A bundle for a container is a directory that includes
- a specification file named "config.json" and
- a root filesystem rootfs.
The root filesystem contains the contents of the container.

27.
http://strikr.in/ CC BY NC-SA 4.0
runC
USAGE:
runc [global options] command [command options] [arguments...]
COMMANDS:
checkpoint checkpoint a running container
delete delete any resources held by the container often used with detached containers
events display container events such as OOM notifications, cpu, memory, IO, network stats
exec execute new process inside the container
init initialize the namespaces and launch the process (do not call it outside of runc)
kill kill sends the specified signal (default: SIGTERM) to the container's init process
list lists containers started by runc with the given root
pause pause suspends all processes inside the container
restore restore a container from a previous checkpoint
resume resumes all processes that have been previously paused
spec create a new specification file
start create and run a container
state output the state of a container
help, h Shows a list of commands or help for one command

28.
http://strikr.in/ CC BY NC-SA 4.0
runC CLI
GLOBAL OPTIONS:
--debug enable debug output for logging
--log "/dev/null" set the log file path where internal debug information is written
--log-format "text" set the format used by logs ('text' (default), or 'json')
--root "/run/runc" root directory for storage of container state (this should be located in tmpfs)
--criu "criu" path to the criu binary used for checkpoint and restore
--systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form
"slice:prefix:name" for e.g. "system.slice:runc:434234"
--help, -h show help
--version, -v print the version

29.
http://strikr.in/ CC BY NC-SA 4.0
runC client
● runc is a command line client for running
applications packaged according to the Open
Container Format (OCF) and is a compliant
implementation of the Open Container Initiative
(OCI) specification.

30.
http://strikr.in/ CC BY NC-SA 4.0
runC and process supervisors
● runc integrates well with existing process
supervisors to provide a production container
runtime environment for applications.
● runc can be used with your existing process
monitoring tools and the container will be
spawned as a direct child of the process
supervisor.

31.
http://strikr.in/ CC BY NC-SA 4.0
References (shim)
● https://en.wikipedia.org/wiki/Shim_(computing)
● http://www.ryde.net/code/bind.c.txt
● http://technet.microsoft.com/en-us/library/dd837644(

32.
http://strikr.in/ CC BY NC-SA 4.0
References (containerD)
● https://github.com/containerd/containerd
● https://github.com/containerd/containerd/milestones

33.
http://strikr.in/ CC BY NC-SA 4.0
References (runC)
● https://github.com/opencontainers/runc
●

34.
http://strikr.in/ CC BY NC-SA 4.0
References (OCI Specs)
● OCI Image Spec
https://www.slideshare.net/StrikrHQ/oci-image-spec
● OCI Runtime Spec
https://www.slideshare.net/StrikrHQ/oci-runtime-spec