Containerd

containerd is available as a daemon for Linux and Windows. It manages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision to low-level storage to network attachments and beyond.

containerd supports namespaces at the container runtime level. These namespaces are entirely different from Kubernetes namespaces. containerd namespaces provide isolation between the different applications that use containerd, such as docker and kubelet.

Below are two well-known namespaces.

  • k8s.io: contains all the containers started from the CRI plugin by kubelet, irrespective of their namespace in Kubernetes
  • moby: contains all containers started by docker

Managing containerd

  • crictl is a tool for managing containers through the Container Runtime Interface (CRI).
  • ctr is a tool for managing containers directly through the containerd runtime.

cri-tools

crictl is a command-line interface for CRI-compatible container runtimes. You can use it to list, run, stop, inspect and debug container runtimes and applications on a Kubernetes node. It can also be used to pull an image and execute a command in a container. crictl and its source are hosted in the cri-tools repository.

https://kubernetes.io/docs/tasks/debug-application-cluster/crictl/

https://github.com/kubernetes-sigs/cri-tools

https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md

The crictl command has several subcommands and runtime flags. Use crictl help or crictl <subcommand> help for more details.

You can set the endpoint for crictl by doing one of the following:

  • Set the --runtime-endpoint and --image-endpoint flags.
  • Set the CONTAINER_RUNTIME_ENDPOINT and IMAGE_SERVICE_ENDPOINT environment variables.
  • Set the endpoint in the configuration file /etc/crictl.yaml. To specify a different file, use the --config=PATH_TO_FILE flag when you run crictl.

Note

If you don't set an endpoint, crictl attempts to connect to a list of known endpoints, which can affect performance. You can also set connection timeout values and enable or disable debugging, either with timeout and debug values in the configuration file or with the --timeout and --debug command-line flags.

To view or edit the current configuration, view or edit the contents of /etc/crictl.yaml. For example, the configuration when using the containerd container runtime would be similar to this:

runtime-endpoint: unix:///var/run/containerd/containerd.sock
image-endpoint: unix:///var/run/containerd/containerd.sock
timeout: 10
debug: true

Note

The default MicroK8s endpoint is: unix:////var/snap/microk8s/common/run/containerd.sock

$ cat /etc/crictl.yaml
runtime-endpoint: unix:////var/snap/microk8s/common/run/containerd.sock
image-endpoint: unix:////var/snap/microk8s/common/run/containerd.sock
timeout: 10
debug: false
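
A quick check of a crictl configuration file along the lines described above, as an added example that is not from the original page or the cri-tools project: it reads the endpoint keys, maps each unix:// endpoint (including the four-slash MicroK8s form) to a socket path, and reports an unset runtime endpoint and sockets that are missing on the host. The function names are hypothetical, and the parser assumes the flat key: value layout shown above.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not part of crictl.

# Print the value of a top-level "key: value" line from a flat YAML file.
crictl_yaml_get() {  # $1 = file, $2 = key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/'
}

# Map unix:///path (or the four-slash form) to a filesystem path.
endpoint_socket() {
    case "$1" in
        unix://*) printf '/%s\n' "$(printf '%s\n' "${1#unix://}" | sed 's|^/*||')" ;;
        *) return 1 ;;
    esac
}

# Report on one config file; the return status is the number of findings.
crictl_config_check() {
    cfg=${1:-/etc/crictl.yaml}; findings=0
    [ -r "$cfg" ] || { echo "ERROR cannot read $cfg"; return 1; }
    for key in runtime-endpoint image-endpoint; do
        val=$(crictl_yaml_get "$cfg" "$key")
        if [ -z "$val" ]; then
            echo "WARN $key is not set"
            # Per the note above, crictl then probes its known endpoints.
            if [ "$key" = runtime-endpoint ]; then findings=$((findings + 1)); fi
        elif sock=$(endpoint_socket "$val"); then
            if [ -S "$sock" ]; then
                echo "OK   $key -> $sock"
            else
                echo "WARN $key -> $sock is not a socket on this host"
                findings=$((findings + 1))
            fi
        else
            echo "INFO $key is not a unix:// endpoint: $val"
        fi
    done
    if [ "$(crictl_yaml_get "$cfg" debug)" = true ]; then echo "INFO debug is enabled"; fi
    return "$findings"
}

# Demo on a constructed config using the MicroK8s endpoint from this page.
demo=$(mktemp)
printf '%s\n' 'runtime-endpoint: unix:////var/snap/microk8s/common/run/containerd.sock' \
    'timeout: 10' 'debug: false' > "$demo"
crictl_config_check "$demo" || echo "findings: $?"
rm -f "$demo"
```

Run it with no argument on a node to check /etc/crictl.yaml itself.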

https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/

To list pods

crictl pods
crictl pods --name nginx-65899c769f-wv2gp
crictl pods --label run=nginx

To list images

crictl images
crictl images nginx
crictl images -q

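To pull an image from a private registry with a username and password (credentials passed with --creds end up in shell history and are visible in the process list while the command runs)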

crictl pull --creds "UserName:Password" "image details from private registry@SHA details"

To list running containers

crictl ps -a
crictl ps

Execute a command in a running container

crictl exec -i -t 1f73f2d81bf98 ls

Get a container's logs

crictl logs 87d3992f84f74
crictl logs --tail=1 87d3992f84f74

ctr

ctr is a tool for managing containers directly through the containerd runtime. It can be used for a variety of tasks, such as listing all images, pulling an image, running a container, removing an image, and executing a command in a container.

To list all containers managed by kubelet

ctr -n k8s.io containers list

To list the containers managed by docker daemon

ctr -n moby containers list