containerd is an industry-standard core container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.
containerd is designed to be embedded into a larger system, rather than being used directly by developers or end-users.
containerd includes a daemon exposing a gRPC API over a local UNIX socket. The API is a low-level one designed for higher layers to wrap and extend. It also includes a barebones CLI (ctr) designed specifically for development and debugging purposes. It uses runC to run containers according to the OCI specification. The code can be found on GitHub, and here are the contribution guidelines.
containerd is based on the Docker Engine’s core container runtime to benefit from its maturity and existing contributors.
2. Agenda
09:00 - 11:00 - containerd Deep Dive / What’s new / Roadmap (Michael Crosby & team)
• Container execution and supervision
• Image distribution & Local storage
• Network Interfaces Management
• Integrating containerd with other systems, Native plumbing level API, etc
11:00 - 11:30 - Talk #1 - Use of the gRPC API for “driving” containerd by Phil Estes (IBM)
11:30 - 12:00 - Talk #2 - containerd and Kubernetes CRI by Tim Hockin (Google)
12:30 - 13:00 - Lunch & networking
13:00 - 15:00 - Hacking & Open-source-a-thon
• Container execution and supervision by Michael (video game room)
• Image distribution & Local storage by Stephen and Derek (main room)
15:30 - 16:30 - Feedback on governance - Integrating containerd with other systems (Native plumbing level API, CRI, Networking) by Phil and Tim, Michael (main room)
16:30 - BOFs recap + AMA / panel
17:30 - Happy hour
3. Donations going to Girls Develop It
$1.5K going to Girls Develop It thanks to your donations!
Girl Develop It, a national nonprofit, provides women with low-cost,
judgment-free opportunities to learn software development through
in-person programs. In 50 cities throughout the US, they cultivate thriving
tech communities built around education and support.
4. Docker Internals Summit @ DockerCon
• containerd only in the AM
• Other Docker Internals in the PM (Libnetwork, Notary, SwarmKit,
InfraKit, VPNKit, DataKit, HyperKit, etc)
You don’t have to attend the whole conference to attend this summit on 4/20
5. containerd: What is a Core Container Runtime?
Component that provides core primitives to manage containers on a host
• Container execution and supervision
• Image distribution
• Network Interfaces & Mgmt
• Local storage
• Native plumbing level API
16. Content Service
// Content provides access to a content addressable storage system.
service Content {
    // Info returns information about a committed object.
    rpc Info(InfoRequest) returns (InfoResponse);

    // Read allows one to read an object based on the offset into the content.
    rpc Read(ReadRequest) returns (stream ReadResponse);

    // Status returns the status of ongoing object ingestions, started via
    // Write.
    rpc Status(StatusRequest) returns (stream StatusResponse);

    // Write begins or resumes writes to a resource identified by a unique ref.
    // Only one active stream may exist at a time for each ref.
    rpc Write(stream WriteRequest) returns (stream WriteResponse);
}
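An in-memory model of the Content service's ingest/commit/read cycle, added here as an illustration and not code from the containerd project: bytes are written under a ref (resumable by offset), committed only when they hash to the expected digest, and read back by digest and offset. The Store type, NewStore, Commit and the sha256 digest format are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Store is an in-memory content-addressable store modelled on the Content
// service above: bytes arrive under a caller-chosen ref (Write/Status), become
// addressable only once their sha256 digest matches (Commit), then Read by digest.
type Store struct {
	ingests   map[string][]byte // ref -> bytes received so far
	committed map[string][]byte // digest -> committed object
}

func NewStore() *Store {
	return &Store{ingests: map[string][]byte{}, committed: map[string][]byte{}}
}

// Write appends a chunk to the ingest for ref (resuming at the current offset)
// and returns the new offset, which is what Status reports for that ref.
func (s *Store) Write(ref string, chunk []byte) int {
	s.ingests[ref] = append(s.ingests[ref], chunk...)
	return len(s.ingests[ref])
}

// Commit finalises an ingest. The object is stored only if its digest equals
// expected, so corrupted or substituted bytes never become addressable.
func (s *Store) Commit(ref, expected string) (string, error) {
	data, ok := s.ingests[ref]
	if !ok {
		return "", fmt.Errorf("no active ingest for ref %q", ref)
	}
	delete(s.ingests, ref) // the ingest is consumed whether or not it verifies
	got := fmt.Sprintf("sha256:%x", sha256.Sum256(data))
	if got != expected {
		return "", fmt.Errorf("digest mismatch for %q: want %s, got %s", ref, expected, got)
	}
	s.committed[got] = data
	return got, nil
}

// Read returns a committed object's bytes from offset, as the Read RPC does.
func (s *Store) Read(digest string, offset int) ([]byte, error) {
	data, ok := s.committed[digest]
	if !ok || offset < 0 || offset > len(data) {
		return nil, fmt.Errorf("%s: not found or offset %d out of range", digest, offset)
	}
	return data[offset:], nil
}
```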
(Diagram: Content Service, showing Write and Read against digested Content)
22. Remotes
Locators and Resolution
import (
    "context"
    "io"
)

type Fetcher interface {
    Fetch(ctx context.Context, id string, hints ...string) (io.ReadCloser, error)
}

type Resolver interface {
    Resolve(ctx context.Context, locator string) (Fetcher, error)
}

// Resolve takes a context and also returns an error that must be checked.
fetcher, err := resolver.Resolve(ctx, "docker.io/library/ubuntu")
Endlessly Configurable!
(hint: think git remotes)
23. Pulling an Image
1. Resolve manifest or index (manifest list)
2. Download all the resources referenced by the manifest
3. Unpack layers into snapshots
4. Register the mappings between manifests and constituent resources
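The Remotes interfaces and pull steps 1, 2 and 4 above, carried through as an added example (not containerd's own code): a constructed in-memory Fetcher stands in for a registry, the manifest is simplified to a JSON list of the digests it references, and every object is rejected unless its bytes hash to the digest it was requested by. MemFetcher, fetchVerified and Pull are assumptions of this example; unpacking into snapshots (step 3) is left out.

```go
package main
import (
	"context"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Fetcher is the Remotes-slide interface; MemFetcher is a constructed registry stand-in (unknown ids yield empty bytes).
type Fetcher interface {
	Fetch(ctx context.Context, id string, hints ...string) (io.ReadCloser, error)
}
type MemFetcher map[string][]byte
func (m MemFetcher) Fetch(_ context.Context, id string, _ ...string) (io.ReadCloser, error) {
	return io.NopCloser(strings.NewReader(string(m[id]))), nil
}

// fetchVerified returns an object only if it hashes to the requested digest; data is valid only when err is nil.
func fetchVerified(ctx context.Context, f Fetcher, dgst string) ([]byte, error) {
	rc, err := f.Fetch(ctx, dgst)
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	data, err := io.ReadAll(rc)
	if got := fmt.Sprintf("sha256:%x", sha256.Sum256(data)); err == nil && got != dgst {
		err = fmt.Errorf("digest mismatch for %s: got %s", dgst, got)
	}
	return data, err
}

// Pull does steps 1, 2 and 4 above (no unpacking) and returns the manifest's blob list to register.
func Pull(ctx context.Context, f Fetcher, manifestDigest string) ([]string, error) {
	raw, err := fetchVerified(ctx, f, manifestDigest)
	if err != nil {
		return nil, err
	}
	var refs []string // the manifest is simplified to a JSON list of blob digests
	if err := json.Unmarshal(raw, &refs); err != nil {
		return nil, err
	}
	for _, d := range refs {
		if _, err := fetchVerified(ctx, f, d); err != nil {
			return nil, err
		}
	}
	return refs, nil
}
```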
25. The Dist Tool
$ ./bin/dist
USAGE:
   dist [global options] command [command options] [arguments...]

VERSION:
   a463ba3.m

COMMANDS:
     pull         pull an image into containerd
     fetch        retrieve objects from a remote
     ingest       accept content into the store
     active       display active transfers.
     get          get the data for an object
     delete, del  permanently delete one or more blobs.
     list, ls     list all blobs in the store.
     apply        apply layer from stdin to dir
     help, h      Shows a list of commands or help for one command
Experimental Toolkit for Image Distribution
26. Docker Graph Driver
• History
– AUFS - union filesystem model for layers
– Graph Driver interface
• Block level snapshots (devicemapper, btrfs, zfs)
• Union filesystems (aufs, overlay)
– Content Addressability (1.10.0)
• No changes to graph driver
• Layerstore - content addressability over layers
• ImageStore - content addressability over images
• ReferenceStore - name to image content address
27. Docker Storage Architecture
(Diagram: Daemon on top of Reference Store “names to image”, Containers “container configs”, Image Store “image configs”, Layer Store “content addressable layers”, and Graph Driver “layers” / “mounts”)
32. Networking in Containerd...
• Provide a network namespace
– Join a pre-populated network namespace
• Use OCI Hooks to initialize namespace
– Exec a command with the container’s state to initialize network
• Set up networking between create and start
– Create container
– Setup network interfaces
– Start user’s process
33. Runtime
• Manage container lifecycle
• Mount Root Filesystems
– No container mounting in the daemon
• Resilient to daemon death (e.g. Restore Containers)
• Multi-Platform Support
– Differences in functionality