containerd

root@ubuntu:~# netstat -aux | grep containerd.sock
unix  2      [ ACC ]     STREAM     LISTENING     2959473  /run/containerd/containerd.sock
unix  2      [ ACC ]     STREAM     LISTENING     2959472  /run/containerd/containerd.sock.ttrpc
unix  3      [ ]         STREAM     CONNECTED     3037344  /run/containerd/containerd.sock
unix  3      [ ]         STREAM     CONNECTED     3037345  /run/containerd/containerd.sock
unix  3      [ ]         STREAM     CONNECTED     2951600  /run/containerd/containerd.sock
unix  3      [ ]         STREAM     CONNECTED     3009712  /run/containerd/containerd.sock
unix  3      [ ]         STREAM     CONNECTED     2968154  /run/containerd/containerd.sock
root@ubuntu:~# 

version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
plugin_dir = ""
disabled_plugins = []
required_plugins = []
oom_score = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  tcp_address = ""
  tcp_tls_cert = ""
  tcp_tls_key = ""
  uid = 0
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216

[ttrpc]
  address = ""
  uid = 0
  gid = 0

[debug]
  address = ""
  uid = 0
  gid = 0
  level = ""

[metrics]
  address = ""
  grpc_histogram = false

[cgroup]
  path = ""

[timeouts]
  "io.containerd.timeout.shim.cleanup" = "5s"
  "io.containerd.timeout.shim.load" = "5s"
  "io.containerd.timeout.shim.shutdown" = "3s"
  "io.containerd.timeout.task.state" = "2s"

[plugins]
  [plugins."io.containerd.gc.v1.scheduler"]
    pause_threshold = 0.02
    deletion_threshold = 0
    mutation_threshold = 100
    schedule_delay = "0s"
    startup_delay = "100ms"
  [plugins."io.containerd.grpc.v1.cri"]
    disable_tcp_service = true
    stream_server_address = "127.0.0.1"
    stream_server_port = "0"
    stream_idle_timeout = "4h0m0s"
    enable_selinux = false
    sandbox_image = "k8s.gcr.io/pause:3.1"
    stats_collect_period = 10
    systemd_cgroup = false
    enable_tls_streaming = false
    max_container_log_line_size = 16384
    disable_cgroup = false
    disable_apparmor = false
    restrict_oom_score_adj = false
    max_concurrent_downloads = 3
    disable_proc_mount = false
    [plugins."io.containerd.grpc.v1.cri".containerd]
      snapshotter = "overlayfs"
      default_runtime_name = "runc"
      no_pivot = false
      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
        runtime_type = ""
        runtime_engine = ""
        runtime_root = ""
        privileged_without_host_devices = false
      [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
        runtime_type = "io.containerd.kata.v2"
        runtime_engine = ""
        runtime_root = ""
        privileged_without_host_devices = false
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          runtime_type = "io.containerd.runc.v1"
          runtime_engine = ""
          runtime_root = ""
          privileged_without_host_devices = false
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
         runtime_type = "io.containerd.kata.v2"
         [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options]
       ConfigPath = "/etc/kata-containers/config.toml"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.katacli]
         runtime_type = "io.containerd.runc.v1"
         [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.katacli.options]
           NoPivotRoot = false
           NoNewKeyring = false
           ShimCgroup = ""
           IoUid = 0
           IoGid = 0
           BinaryName = "/usr/bin/kata-runtime"
           Root = ""
           CriuPath = ""
           SystemdCgroup = false
    [plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
      tls_cert_file = ""
      tls_key_file = ""
  [plugins."io.containerd.internal.v1.opt"]
    path = "/opt/containerd"
  [plugins."io.containerd.internal.v1.restart"]
    interval = "10s"
  [plugins."io.containerd.metadata.v1.bolt"]
    content_sharing_policy = "shared"
  [plugins."io.containerd.monitor.v1.cgroups"]
    no_prometheus = false
  [plugins."io.containerd.runtime.v1.linux"]
    shim = "containerd-shim"
    runtime = "runc"
    runtime_root = ""
    no_shim = false
    shim_debug = false
  [plugins."io.containerd.runtime.v2.task"]
    platforms = ["linux/amd64"]
  [plugins."io.containerd.service.v1.diff-service"]
    default = ["walking"]
  [plugins."io.containerd.snapshotter.v1.devmapper"]
    root_path = ""
    pool_name = ""
    base_image_size = ""

Setting Runtime Classes

You can create Kubernetes runtime classes to specify whether containers should be run as the default runtime, runc, or using kata-runtime. The examples in this book use the name native to specify the use of runc, and the name kata-containers to specify the use of kata-runtime. You can use any name you like.

To create a runtime class:

1. Create a file for a runtime class for Kata Containers named kata-runtime.yaml with the following contents:

   kind: RuntimeClass
   apiVersion: node.k8s.io/v1beta1
   metadata:
       name: kata-containers
   handler: kata

   Load the runtime class to the Kubernetes deployment:

   $ kubectl apply -f kata-runtime.yaml

   The runtime class kata-containers can now be used in pod configuration files to specify a container should be run as a Kata container, using the kata-containers runtime. For examples of creating pods using this runtime class, see Section 3.3, “Creating Kata Containers”.

2. (Optional) If you want to specify a runtime for runc, you can do this in a similar way. This is an optional configuration step. As runc is the default runtime, pods automatically run using runc unless you specify otherwise. This file is named runc-runtime.yaml:

   kind: RuntimeClass
   apiVersion: node.k8s.io/v1beta1
   metadata:
       name: native
   handler: runc 

   Load the runtime class to the Kubernetes deployment:

   $ kubectl apply -f runc-runtime.yaml

   The runtime class native can be used in pod configuration files to specify a container should be run as a runC container, using the runc runtime.

3. You can see a list of the available runtime classes for a Kubernetes cluster using the kubectl get runtimeclass. For example:

   $ kubectl get runtimeclass
   NAME              CREATED AT
   kata-containers   2019-09-11T06:48:12Z
   native            2019-09-11T07:08:56Z

root@ubuntu:~# cat kata-runtime.yaml 
kind: RuntimeClass
apiVersion: node.k8s.io/v1beta1
metadata:
  name: kata-containers
handler: kata
root@ubuntu:~# cat kata-nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kata-nginx
spec:
  runtimeClassName: kata-containers
  containers:
    - name: nginx
      image: nginx
      ports:
      - containerPort: 80
root@ubuntu:~# 

root@ubuntu:~# kubectl apply -f kata-runtime.yaml
runtimeclass.node.k8s.io/kata-containers created
root@ubuntu:~# kubectl get runtimeclass
NAME              HANDLER   AGE
kata-containers   kata      9s
root@ubuntu:~#

root@ubuntu:~# kubectl apply -f kata-nginx.yaml 
pod/kata-nginx created

 root@ubuntu:~# kubectl apply -f kata-nginx.yaml 
pod/kata-nginx created

　

root@ubuntu:~# kubectl get pods
NAME         READY   STATUS              RESTARTS   AGE
kata-nginx   0/1     ContainerCreating   0          107s
root@ubuntu:~#