
Samuel Karp
April 04, 2025

containerd: Project Update and Deep Dive (KubeCon + CloudNativeCon EU 2025)

Join containerd maintainers for an update and deep dive into the latest developments in containerd. This panel will feature discussion of the launch and adoption of containerd 2.0, what’s next in 2.1, 1.7’s transition into Extended support, and how LTS is going with 1.6. Topics will also include how the containerd project is involved with the KEP process and highlight how the broader cloud native ecosystem is enhanced through extension points in containerd and subprojects like runwasi.



Transcript

  1. containerd: Project Update and Deep Dive
     Maksym Pavlenko, NVIDIA; Akihiro Suda, NTT; Laura Brehm, Docker; Samuel Karp, Google; Jiaxiao (Joe) Zhou, Microsoft
  2. Agenda
     Intro
     v2.0 recap
     Brief project updates:
     • v2.1 coming soon!
     • New release cadence
     • Changes to the LTS model
     • Improved KEP process
     • Runwasi 1.0!
     and Maintainer panel discussion!
  3. Introduction to containerd
     • The industry’s standard container runtime, supporting both Docker and Kubernetes
     • Adopted by well-known enterprise Kubernetes services and distributions
       ◦ Amazon EKS, Azure Kubernetes Service, Google Kubernetes Engine, …
     https://containerd.io/
  4. Introduction to containerd
     [Architecture diagram: clients (kubelet, container engine, BuildKit, nerdctl, containerd client) call the containerd gRPC API; the CRI plugin and core services (Content, Containers, Leases, Images, Tasks, Snapshots, Namespaces, Diff, Sandboxes) sit over namespaced metadata with GC; snapshotter plugins (overlay, btrfs, native, devmapper, windows, lcow, blockfile); shims over ttrpc (runc, kata, runhcs, Firecracker, runj, runwasi); Prometheus and otel metrics.]
  5. Introduction to containerd
     [Same architecture diagram as slide 4.]
     Extend containerd with clients (nerdctl), snapshotters (lazy loading), shims (WASM), and various pluggable interfaces
  6. Introduction to containerd: nerdctl
     • Same UI/UX as the docker CLI (including Compose)
     • Originally made for facilitating new experiments in the containerd platform (e.g., stargz, fast rootless with bypass4netns)
     • Useful for debugging Kubernetes nodes too
       $ nerdctl run hello-world
       $ nerdctl compose up
     https://github.com/containerd/nerdctl
  7. v2.0 recap
     • Released in November 2024
     • The first major update since v1.0 (December 2017)
     • Stabilized experimental APIs
     • Removed deprecated features
  8. v2.0 breaking changes
     • Docker Schema 1 (migrate images to Schema 2 and OCI Image Spec)
     • Legacy V1 shims (use containerd-shim-runc-v2)
     • CRI v1alpha2 (use CRI v1)
     • AUFS (use OverlayFS)
     • io_uring_* syscalls disallowed by default
     • Removed LimitNOFILE
     • Removed cri-containerd-*.tar.gz release bundles
     AUFS: Another Union File System, CRI: Container Runtime Interface, OCI: Open Container Initiative
  9. v2.0 new features
     • Transfer service (Stable)
     • Sandbox API (Stable, enabled by default)
     • NRI (Enabled by default)
     • CDI (Enabled by default)
     • Image verifier plugins (New)
     • CRI support for user namespaces
     • CRI support for recursive read-only mounts
     • Plugin introspection (New)
     • igzip support (New)
     NRI: Node Resource Interface, CDI: Container Device Interface, CRI: Container Runtime Interface
  10. v2.1 coming soon!
     • EROFS (Enhanced Read-Only File System) (#10705)
       ◦ Suitable for images with many layers
     • Image volumes (#10579)
       ◦ Allow mounting an image as a Kubernetes volume
       ◦ Useful for distributing AI models, etc., so as to split the code image from the data image
  11. v2.1 coming soon!
     • Writable /sys/fs/cgroup (#11131)
       ◦ Allow a container to self-control its resources (CPU, memory, …)
     • More flexible support for UserNS-remap (#10722)
       ◦ The UID mapping range can now be non-contiguous, e.g., uidmap=0:666:1000,1000:6666:64536
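The non-contiguous uidmap form above, as an added example that is not containerd's own code: a small Go parser for the cid:hid:size,... syntax that rejects ranges overlapping on either the container or the host side, plus a lookup showing which container IDs fall into a gap and therefore have no host identity. The type and function names (IDMap, ParseIDMap, ToHost) are this example's own assumptions, not containerd's API.

```go
package main
import (
	"fmt"
	"strconv"
	"strings"
)
// IDMap: container IDs [ContainerID, ContainerID+Size) map to host IDs [HostID, HostID+Size). Example's own type.
type IDMap struct{ ContainerID, HostID, Size uint32 }
// overlaps: do any two ranges collide on the side chosen by key? (host-side collision = shared host UID)
func overlaps(maps []IDMap, key func(IDMap) uint32) bool {
	for i := range maps {
		for j := range maps[:i] {
			a, b := uint64(key(maps[i])), uint64(key(maps[j]))
			if a < b+uint64(maps[j].Size) && b < a+uint64(maps[i].Size) {
				return true
			}
		}
	}
	return false
}
// ParseIDMap parses the "cid:hid:size,..." uidmap form from slide 11: gaps allowed, overlaps rejected.
func ParseIDMap(spec string) ([]IDMap, error) {
	var maps []IDMap
	for _, part := range strings.Split(spec, ",") {
		f := strings.Split(part, ":")
		if len(f) != 3 {
			return nil, fmt.Errorf("mapping %q: want cid:hid:size", part)
		}
		c, err1 := strconv.ParseUint(f[0], 10, 32)
		h, err2 := strconv.ParseUint(f[1], 10, 32)
		n, err3 := strconv.ParseUint(f[2], 10, 32)
		// size 0 is meaningless; each range must stay inside 32-bit ID space
		if err1 != nil || err2 != nil || err3 != nil || n == 0 || c+n > 1<<32 || h+n > 1<<32 {
			return nil, fmt.Errorf("mapping %q: bad or out-of-range field", part)
		}
		maps = append(maps, IDMap{uint32(c), uint32(h), uint32(n)})
	}
	if overlaps(maps, func(m IDMap) uint32 { return m.ContainerID }) ||
		overlaps(maps, func(m IDMap) uint32 { return m.HostID }) {
		return nil, fmt.Errorf("mapping %q: overlapping ranges", spec)
	}
	return maps, nil
}
// ToHost translates a container UID/GID to its host ID; ok is false when the ID falls into a gap (unmapped on the host).
func ToHost(maps []IDMap, cid uint32) (hid uint32, ok bool) {
	for _, m := range maps {
		if cid >= m.ContainerID && uint64(cid) < uint64(m.ContainerID)+uint64(m.Size) {
			return m.HostID + (cid - m.ContainerID), true
		}
	}
	return 0, false
}
```

With the slide's value, container UID 0 lands on host UID 666 and container UID 1000 on host UID 6666, while host IDs 1666 through 6665 stay unused by this container.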
  12. v2.1 coming soon!: nerdctl
     • UserNS-remap mode (#3941, WIP)
       ◦ Not to be confused with Rootless mode (available since v0.6)
       ◦ Rootless: execute everything as a non-root user
       ◦ UserNS-remap: execute containers as non-root, but containerd itself still runs as root
     [Chart comparing Rootless, UserNS-Remap and Rootful on the axes "Secure" and "Performant"; cell values are not recoverable from the transcript.]
  13. v2.1 coming soon!: nerdctl
     • gomodjail (#4012, WIP, experimental)
       ◦ Imposes syscall restrictions on a specific set of Go modules so as to mitigate potential vulnerabilities and supply chain attacks (Caveat: Not applicable to ones that use unsafe pointers, reflection, etc.)
       //gomodjail:confined
       module github.com/containerd/nerdctl/v2
       require (
           github.com/Masterminds/semver/v3 v3.3.1
           ...
           golang.org/x/sys v0.31.0 //gomodjail:unconfined
           ...
       )
  14. New release cadence!
     • New minor releases (2.x) every 6 months
     • Starting with the 2.1 release in May and 2.2 in November
       ◦ (and continuing May and November after that)
     • Beta builds start 8-10 weeks before a minor release (March and September)
     • Feature freeze and RCs start 2-4 weeks before a minor release (April and October)
     Timeline:
       March 2025: 2.1 Beta
       April 2025: 2.1 feature freeze and RC
       May 2025: 2.1 release!
       June - August 2025: Development focused on 2.2
       September 2025: 2.2 Beta
       October 2025: 2.2 feature freeze and RC
       November 2025: 2.2 release!
  15. Changed Long-Term Support model
     • Named volunteer maintainers for each LTS branch
     • LTS releases are supported for a minimum of 2 years
       ◦ Can be longer at the discretion of branch owners
     • containerd 1.7 is now LTS, with EOL scheduled for March 10, 2026
     • containerd 1.6 EOL scheduled for July 23, 2025
     Release  Status  EOL
     1.6      LTS     July 23, 2025
     1.7      LTS     March 10, 2026
     2.0      Active  November 7, 2025 (tentative)
  16. Improved KEP process
     • Goal: improved visibility and communication
     • Tracking issues in containerd/containerd repo (New!)
     • “KEP shepherd” containerd maintainer to help move PRs along (New!)
     • “SIG-Node liaison” containerd maintainer to improve containerd project <-> SIG-Node communication (New!)
     • Covers KEPs and minor non-KEP integration issues
     • See more: https://containerd.io/keps
  17. runwasi (runwasi.dev)
     • A Rust containerd-shim library designed to facilitate running WebAssembly workloads managed by containerd.
     • Includes ready-to-use shims for wasmtime, WasmEdge and more.
     • Adopted by SpinKube and used in production in Azure Kubernetes Service, Civo, etc.
  18. runwasi RuntimeClass
       apiVersion: node.k8s.io/v1
       kind: RuntimeClass
       metadata:
         name: wasmtime
       handler: wasm

       apiVersion: v1
       kind: Pod
       metadata:
         name: wasm
         labels:
           app: wasm
       spec:
         runtimeClassName: wasmtime
         containers:
         - name: …

       # /etc/containerd/config.toml
       version = 3
       [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.wasm]
         runtime_type = "io.containerd.wasmtime.v1"
  19. runwasi v1.0 (github.com/containerd/runwasi)
     • v1.0.0-rc.1 was released on March 30th, 2025:
       ◦ Shim and Sandbox traits to implement containerd shims for Wasm workloads
       ◦ Extensive benchmarking
       ◦ Support for OCI artifacts and optimizations including precompilation of the modules
       ◦ Can execute Linux containers and Wasm side-by-side thanks to youki (github.com/youki-dev/youki)
  20. runwasi v1.0 Performance (runwasi.dev/benchmarks)
     Runtime                   Tasks  Time       Throughput
     runwasi wasmtime          1000   3s 31ms    329.85 tasks/s
     runc distroless wasmtime  1000   11s 795ms  84.78 tasks/s
  21. Join the community!
     • GitHub: https://github.com/containerd
     • Slack: https://slack.cncf.io/ (Channels: #containerd #containerd-dev)
     • X (former Twitter): @containerd
     • Bluesky: @containerd.dev