Containerd images

Standard

This page provides additional information about using Container-Optimized OS with Containerd (cos_containerd) and Ubuntu with Containerd (ubuntu_containerd) on Google Kubernetes Engine (GKE) nodes. The cos_containerd and ubuntu_containerd images let you use Containerd as the container runtime in your GKE cluster. For Autopilot clusters, cos_containerd is the only supported image type.

About Containerd

The container runtime is software that is responsible for running containers, and abstracts container management for Kubernetes. There are a few different container runtimes. Containerd is an industry-standard container runtime that's supported by Kubernetes, and used by many other projects. Containerd provides the layering abstraction that allows for the implementation of a rich set of features like gVisor to extend Kubernetes functionality. Containerd is considered more resource efficient and secure when compared to the Docker runtime.

Using Containerd images in GKE clusters

You can select cos_containerd or ubuntu_containerd as the image type when you create a new GKE cluster, create a new node pool in an existing cluster, or when you upgrade an existing cluster. Both Containerd images require GKE version 1.14.3 or later.

Checking the node image type

You can check which image type is used for existing nodes by using the Google Cloud Console, the gcloud tool, or kubectl. Also, refer to the Sample migration script in this document, which iterates over all node pools, and outputs any suggested node pool migrations.

Console

In the Cloud Console, go to the Google Kubernetes Engine page.

Go to Google Kubernetes Engine
In the cluster list, click the name of the cluster you want to verify.
Select the Nodes tab.
In the Node Pools section, see the value in the Image type column.

gcloud

Run the following command, replacing CLUSTER_NAME with the name of the cluster:

gcloud container node-pools list \
    --cluster CLUSTER_NAME \
    --format="table(name,version,config.imageType)"

The output is similar to the following:

NAME          NODE_VERSION    IMAGE_TYPE
default-pool  1.19.6-gke.600  UBUNTU_CONTAINERD

Refer to the gcloud container node-pools list API documentation for more details.

kubectl

Run the following kubectl get nodes command:

kubectl get nodes -o wide

The output is similar to the following:

# For Docker runtime
NAME         STATUS   VERSION             OS-IMAGE                             CONTAINER-RUNTIME
gke-node-1   Ready    v1.16.15-gke.6000   Container-Optimized OS from Google   docker://19.3.1
gke-node-2   Ready    v1.16.15-gke.6000   Container-Optimized OS from Google   docker://19.3.1
gke-node-3   Ready    v1.16.15-gke.6000   Container-Optimized OS from Google   docker://19.3.1

# For Containerd runtime
NAME         STATUS   VERSION           OS-IMAGE                             CONTAINER-RUNTIME
gke-node-1   Ready    v1.19.6-gke.600   Container-Optimized OS from Google   containerd://1.4.1
gke-node-2   Ready    v1.19.6-gke.600   Container-Optimized OS from Google   containerd://1.4.1
gke-node-3   Ready    v1.19.6-gke.600   Container-Optimized OS from Google   containerd://1.4.1

The column CONTAINER-RUNTIME outputs the runtime and its version.

Migrating from the Docker runtime to the Containerd runtime

Most user workloads don't have a dependency on the container runtime. The container runtime is what runs the containers in your Pods, and the Docker runtime actually uses Containerd under the hood, so both runtimes behave similarly.

Even if you use Docker on your developer machine, or as part of a build pipeline that runs outside of your cluster to build and push your images, this itself is not a dependency on the Docker runtime (as these actions happen outside of the cluster).

There are a few instances when you might have a dependency on Docker: running privileged Pods executing Docker commands, running scripts on nodes outside of Kubernetes infrastructure (for example, using ssh to troubleshoot issues), or through third-party tools that perform such similarly privileged operations. You might also have an indirect dependency on Docker if some of your tooling was configured to react to Docker-specific log messages in your monitoring system.

You can find information on potential dependencies on Docker runtime in Migrating from dockershim. To confirm compatibility with Containerd, you might also want to consult with any vendors who supply logging and monitoring, security, or continuous integration tooling that you deploy inside your cluster.

We recommend that you first deploy your workload on a test node pool with Containerd to verify that everything runs as expected. If you have a canary or staging cluster, we recommend migrating this first. You might also want to migrate nodes in stages using the approach explained in Migrating workloads to different machine types.

Updating your node images

You can migrate nodes from a Docker runtime image to a Containerd image by updating the node pool and setting a different image. This migration can be done using the Google Cloud Console or the gcloud tool.

Console

In the Cloud Console, go to the Google Kubernetes Engine page.

Go to Google Kubernetes Engine
Click the name of the cluster you want to modify.
On the Cluster details page, click the Nodes tab.
Under Node Pools, click the name of the node pool you want to modify.
On the Node pools details page, click Edit.
In the Nodes section, under Image type, click Change.
Select one of the Containerd image variants for your operating system.
Click Change.

gcloud

In the gcloud tool, you can update a node pool by using the gcloud container clusters upgrade command and specifying the --image-type parameter.

For example, to change a node pool's image to Container-Optimized OS with Containerd, run the following command:

gcloud container clusters upgrade CLUSTER_NAME --image-type COS_CONTAINERD \
    --node-pool POOL_NAME

If after updating your node image you notice a problem and need to revert back to the Docker image variants, you can perform this same command but select a Docker image variant.

Refer to the gcloud container clusters upgrade API documentation for more details.

Running Docker commands on Containerd nodes

While the Docker binary is currently available on Containerd nodes, we do not recommend using it after you migrate to Containerd. Docker does not manage the containers Kubernetes runs on Containerd nodes, thus you cannot use it to view or interact with running Kubernetes containers using Docker commands or the Docker API.

Troubleshooting containers on Containerd nodes

For debugging or troubleshooting on the node, you can interact with Containerd using the portable command-line tool built for Kubernetes container runtimes: crictl. crictl supports common functionalities to view containers and images, read logs, and execute commands in the containers. Refer to the crictl user guide for the complete set of supported features and usage information.

Accessing Docker Engine from privileged Pods

Some users currently access Docker Engine on a node from within privileged Pods. It is recommended that you update your workloads so that they do not rely on Docker directly. For example, if you currently extract application logs or monitoring data from Docker Engine, consider using GKE system add-ons for logging and monitoring instead.

Building images

Containerd does not support building images, because the feature is not supported by Kubernetes itself.

Kubernetes is not aware of system resources used by local processes outside the scope of Kubernetes, and the Kubernetes control plane cannot account for those processes when allocating resources. This can starve your GKE workloads of resources or cause instability on the node. For this reason, it is not recommended to run commands on local nodes. Instead, consider accomplishing these tasks using other services outside the scope of the individual container, such as Cloud Build, or use a tool such as kaniko to build images as a Kubernetes workload.

If none of these suggestions work for you, and you understand the risks, you can continue using Docker to build images. You need to push the images to a registry before attempting to use them in a GKE cluster. Kubernetes is not aware of locally-built images.

Known issues

There are no known issues on GKE versions 1.19 and later.

Node auto-provisioning only provisions Container-Optimized OS with Docker node pools

Node auto-provisioning allows auto-scaling node pools with any supported image type, but can only create new nodepools with the image type Container-Optimized OS with Docker.

Conflict with 172.17/16 range

Affected GKE versions: 1.14, 1.15, 1.16, 1.17.0 to 1.17.17-gke.2800, 1.18.0 to 1.18.14

The 172.17/16 IP range is occupied by the docker0 interface on the node VM with Containerd enabled. Traffic sending to or originating from that range might not be routed correctly (for example, a Pod might not be able to connect to a VPN-connected host with an IP within 172.17/16).

Images with more than 56 layers cannot be used on Containerd

Affected GKE versions: 1.14, 1.15, 1.16, 1.17

When the image has more than 56 layers, the image cannot be downloaded. The following error occurs:

info.Labels: label key and value greater than maximum size (4096 bytes), key: containerd: invalid argument

For more information, see https://github.com/containerd/containerd/issues/4684.

This issue is fixed on Containerd 1.4.2. Container-Optimized OS 85 includes this fix.

GPU metrics not collected

Affected GKE versions: 1.14, 1.15, 1.16, 1.17, 1.18

GPU usage metrics are not collected when using containerd as a runtime on GKE versions before 1.19.

Image metrics missing labels

Affected GKE versions: all

Image metrics container_fs_usage_bytes and container_tasks_state don't show labels like image, container_name, name namespace.

Volume gets mounted with noexec option

Affected GKE versions: 1.14, 1.15.0 to 1.15.12-gke.17, 1.16.0 to 1.16.13-gke.400

Volume mounted at /var/lib/containerd is mounted with no-exec options. This denies running any executable from the volume.

File descriptor leak in containerd

Affected GKE versions: 1.14, 1.15, 1.16, 1.17.0 to 1.17.12

Containerd had a known eventfd leak issue on v1.3.0+ and was fixed by v1.3.3. For more information, see https://github.com/containerd/containerd/issues/3949.

Sample migration script

The following sample script iterates over all node pools across available projects, and for each node pool outputs the suggestion on whether the node pool should be migrated to Containerd. This script also outputs the node pool version and suggested migration command as listed in the updating your node images section. Make sure that you review the known issues for a node pool version

Sample script: iterate over all node pools for Containerd migration

migrating-to-containerd/find-nodepools-to-migrate.sh

View on GitHub Feedback

for project in  $(gcloud projects list --format="value(projectId)")
do
  echo "ProjectId:  $project"
  for clusters in $( \
    gcloud container clusters list \
      --project $project \
      --format="csv[no-heading](name,location,autopilot.enabled,currentMasterVersion,autoscaling.enableNodeAutoprovisioning,autoscaling.autoprovisioningNodePoolDefaults.imageType)")
  do
    IFS=',' read -r -a clustersArray <<< "$clusters"
    cluster_name="${clustersArray[0]}"
    cluster_zone="${clustersArray[1]}"
    cluster_isAutopilot="${clustersArray[2]}"
    cluster_version="${clustersArray[3]}"
    cluster_minorVersion=${cluster_version:0:4}
    cluster_autoprovisioning="${clustersArray[4]}"
    cluster_autoprovisioningImageType="${clustersArray[5]}"

    if [ "$cluster_isAutopilot" = "True" ]; then
      echo "  Cluster: $cluster_name (autopilot) (zone: $cluster_zone)"
      echo "    Autopilot clusters are running Containerd."
    else
      echo "  Cluster: $cluster_name (zone: $cluster_zone)"

      if [ "$cluster_autoprovisioning" = "True" ]; then
        if [ "$cluster_minorVersion"  \< "1.20" ]; then
          echo "    Node autoprovisioning is enabled, and new node pools will have image type 'COS'."
          echo "    This settings is not configurable on the current version of a cluster."
          echo "    Please upgrade you cluster and configure the default node autoprovisioning image type."
          echo "    "
        else
          if [ "$cluster_autoprovisioningImageType" = "COS" ]; then
            echo "    Node autoprovisioning is configured to create new node pools of type 'COS'."
            echo "    Run the following command to update:"
            echo "    gcloud container clusters update '$cluster_name' --project '$project' --zone '$cluster_zone' --enable-autoprovisioning --autoprovisioning-image-type='COS_CONTAINERD'"
            echo "    "
          fi

          if [ "$cluster_autoprovisioningImageType" = "UBUNTU" ]; then
            echo "    Node autoprovisioning is configured to create new node pools of type 'UBUNTU'."
            echo "    Run the following command to update:"
            echo "    gcloud container clusters update '$cluster_name' --project '$project' --zone '$cluster_zone' --enable-autoprovisioning --autoprovisioning-image-type='UBUNTU_CONTAINERD'"
            echo "    "
          fi
        fi
      fi

      for nodepools in $( \
        gcloud container node-pools list \
          --project $project \
          --cluster $cluster_name \
          --zone $cluster_zone \
          --format="csv[no-heading](name,version,config.imageType)")
      do
        IFS=',' read -r -a nodepoolsArray <<< "$nodepools"
        nodepool_name="${nodepoolsArray[0]}"
        nodepool_version="${nodepoolsArray[1]}"
        nodepool_imageType="${nodepoolsArray[2]}"

        nodepool_minorVersion=${nodepool_version:0:4}

        echo "    Nodepool: $nodepool_name, version: $nodepool_version ($nodepool_minorVersion), image: $nodepool_imageType"

        suggestedImageType="COS_CONTAINERD"

        if [ "$nodepool_imageType" = "UBUNTU" ]; then
          suggestedImageType="UBUNTU_CONTAINERD"
        fi

        tab=$'\n      ';
        nodepool_message="$tab Please update the nodepool to use Containerd."
        nodepool_message+="$tab Make sure to consult with the list of known issues https://cloud.google.com/kubernetes-engine/docs/concepts/using-containerd#known_issues."
        nodepool_message+="$tab Run the following command to upgrade:"
        nodepool_message+="$tab "
        nodepool_message+="$tab gcloud container clusters upgrade '$cluster_name' --project '$project' --zone '$cluster_zone' --image-type '$suggestedImageType' --node-pool '$nodepool_name'"
        nodepool_message+="$tab "

        # see https://cloud.google.com/kubernetes-engine/docs/concepts/node-images
        if [ "$nodepool_imageType" = "COS_CONTAINERD" ] || [ "$nodepool_imageType" = "UBUNTU_CONTAINERD" ]; then
          nodepool_message="$tab Nodepool is using Containerd already"
        elif [ "$nodepool_imageType" = "WINDOWS_LTSC" ] || [ "$nodepool_imageType" = "WINDOWS_SAC" ]; then
          nodepool_message="$tab Containerd is not currently available for Windows nodepools"
        elif [ "$nodepool_minorVersion" \< "1.14" ]; then
          nodepool_message="$tab Upgrade nodepool to the version that supports Containerd"
        fi
        echo "$nodepool_message"
      done
    fi # not autopilot
  done
done

# Sample output:
#
# ProjectId:  my-project-id
#  Cluster: autopilot-cluster-1 (autopilot) (zone: us-central1)
#    Autopilot clusters are running Containerd.
#  Cluster: cluster-1 (zone: us-central1-c)
#    Nodepool: default-pool, version: 1.18.12-gke.1210 (1.18), image: COS
#
#       Please update the nodepool to use Containerd.
#       Make sure to consult with the list of known issues https://cloud.google.com/kubernetes-engine/docs/concepts/using-containerd#known_issues.
#       Run the following command to upgrade:
#
#       gcloud container clusters upgrade 'cluster-1' --project 'my-project-id' --zone 'us-central1-c' --image-type 'COS_CONTAINERD' --node-pool 'default-pool'
#
#    Nodepool: pool-1, version: 1.18.12-gke.1210 (1.18), image: COS
#
#       Please update the nodepool to use Containerd.
#       Make sure to consult with the list of known issues https://cloud.google.com/kubernetes-engine/docs/concepts/using-containerd#known_issues.
#       Run the following command to upgrade:
#
#       gcloud container clusters upgrade 'cluster-1' --project 'my-project-id' --zone 'us-central1-c' --image-type 'COS_CONTAINERD' --node-pool 'pool-1'
#
#  Cluster: another-test-cluster (zone: us-central1-c)
#    Nodepool: default-pool, version: 1.20.4-gke.400 (1.20), image: COS_CONTAINERD
#
#      Nodepool is using Containerd already
#

What's next

Learn more about the Containerd integration in the Kubernetes 1.11 announcement. For even more information, visit the documentation for Containerd and the CRI plugins.
Review the migration from Dockershim information on kubernetes.io.
Read about DockerShim deprecation by Kubernetes.
Learn how you can secure your apps with the gVisor on Containerd.
Read about the benefits of using Cloud Build to build images securely and reliably on Google Cloud to replace a custom solution that might require Docker.