To learn how to work with container images and containers using containerd

In container runtime and runC hands-on lab, we have looked at the evolution of containers and their use cases with runC implementation. But with the help of runC, we can only create one container. If we have to manage multiple such runC containers we have a tool called containerd, and its command-line client called ctr.   

In this hands-on lab, we will understand the basic working of containerd and ctr.

Containerd is a high-level core container runtime that Docker created. It was donated to CNCF later. It pulls images from registries, mounts storage, and creates container networking. It is a daemon process that starts, stops, and kills containers. Thus, it manages the lifecycle of containers. Software projects can use this to run containers and manage container images. 

 It has most of Docker’s functionality for managing containers and images, which makes it suitable for large-scale use as part of container orchestrators like Kubernetes.

Containerd follows and supports OCI standards. It also supports Container Runtime Interface (CRI), a Kubernetes specification, which helps run multiple container runtimes in a cluster.

Comparison between Containerd and Docker

Docker provides many features to run and manage containers, and one of them is Docker Engine, an advanced container runtime with developer tools.

Containerd is also a container runtime out of Docker, and Docker Engine uses containerd behind the scenes. Docker Engine is a high-level container engine, while containerd is a low-level container engine mainly suitable for automated mechanisms.

Installation of Containerd

Hands-on plays an important role to understand the concept thoroughly so you can Install containerd as compatible to your machine’s operating system and proceed further. Alternatively, you can also use VM on top of your OS and install ubuntu Linux distribution and follow this blog.

• For ubuntu-based distribution, install it via apt

apt update && apt install -y containerd

Now, confirm the installation by running the following command:

containerd --help

containerd installation comes with the following downstream dependencies:

• runC : to run containers
• ctr : A CLI for containerd
• containerd-shim : to support daemonless (containers can either be run as root or in rootless mode) containers

Managing Containerd

In Linux, Services are managed using the systemctl command. We can use systemctl commands to manage our containers or pods as services. Run the following command to check the status of containerd service.

systemctl status containerd

On the successful start of containerd, you will see the following output on status command.

Interaction with Containerd

Containerd contains a command-line tool ctr that can issue commands against containerd daemon. To get started, we can look over the available ctr commands:

ctr --help

As we have installed containerd and its dependencies, we can now interact with it using ctr.

There are other CLI tools other than ctr to communicate with containers, such as crictl and nerdctl.  

Image Operations with Containerd ctr

• Pull an image from the docker registry. While pulling the image, a fully-qualified repository URL is required, which must include a registry and tag.

ctr images pull docker.io/library/nginx:latest

ctr images pull docker.io/library/golang:latest

• List out the images

ctr images ls

For listing the images with names, then use the -q flag with the above command.

ctr images ls -q

There are many complex cases where we need to explore the image itself. For that, we need to mount the image locally into the system.

• With ctr, we can also mount images for future exploration

mkdir /tmp/golang
ctr images mount docker.io/library/golang:latest /tmp/golang
ls -l /tmp/golang/

You can now see the library files and explore them easily.

If you are willing to unmount the image, then you can use the ctr images unmount /tmp/golang command.

• To delete the images, use the rm command.

ctr images rm docker.io/library/golang:latest

Container Operations with Containerd ctr

• To create a container with containerd ctr

However, unlike docker, we need to provide a unique container ID. Run the following command to create a container.

ctr container create docker.io/library/nginx:latest nginx_ctr

This would create a container with container id, nginx_ctr, based on the image that we have used.

• List out the containers

ctr containers ls

• To run a container via containerd, create a task of the container, whereas in docker, the docker start command is used.

ctr task start nginx_ctr

• List the tasks

ctr task ls

It is interesting to know that we can use the ctr run command as a shortcut for the ctr container create + ctr task start. Try it by running the following command.

ctr run -d docker.io/library/nginx:latest nginx_web

You can execute the following commands to verify container and task creation.

ctr container ls

ctr task ls

• Like docker, we can interact with the container with ctr through the following command.

ctr task exec -t --exec-id bash_1 nginx_web bash

Now you are inside the container, run the following command to verify that the nginx server is running:

curl 127.0.0.1:80

You should be able to see the output as:

• To check the usage of the metrics by the task

ctr task metrics nginx_web

• Before removing a container, it is necessary to stop all the tasks. Run the following command to stop the task nginx_web.

ctr task kill nginx_web

Finally, to remove the container, run:

ctr container rm nginx_web

Conclusion

In this hands-on lab, we have seen the most widely used container runtime interface, containerd, its installation, and how to work with container images and containers using ctr.