[Japan Community Day at KubeCon JP 2025] Overview of containerd
KoheiTokunaga
Sep 01, 2025
About This Presentation
Talked at Japan Community Day at KubeCon + CloudNativeCon Japan 2025
https://community.cncf.io/events/details/cncf-cloud-native-community-japan-presents-japan-community-day-at-kubecon-cloudnativecon-japan-2025/
Size: 1.21 MB
Language: en
Added: Sep 01, 2025
Slides: 25 pages
Slide Content
Kohei Tokunaga, NTT
Overview of containerd
Japan Community Day at KubeCon Japan 2025 (Jun 15)
What is containerd?
-Open source container runtime (CNCF graduated)
-Used for managing workloads on Kubernetes, Docker, and more
containerd as a component of Docker
-Docker uses containerd for managing containers & images
-Docker accesses containerd via the containerd API
-Containerd extensions can be used from Docker
-e.g. low-level runtimes, snapshotters, etc. (discussed later)
Diagram: Docker (UI/UX, Build, Compose, ...) -> containerd API -> containerd (image & container management) -> low-level runtimes (e.g. runc)
containerd as a Kubernetes runtime
-Containerd can be used as a runtime on Kubernetes nodes
-Kubelet communicates with containerd via CRI (Container Runtime Interface)
-Containerd extensions can be used on Kubernetes
Diagram: kubelet (pulls images, creates pods) -> CRI -> containerd (managing Pod's lifecycle) -> low-level runtimes (e.g. runc)
CRI Plugin for Kubernetes integration
-CRI: gRPC API for communication between kubelet and the runtime
-Standardized in the Kubernetes community
-Defines operations for Pods, containers, images, etc.
https://github.com/kubernetes/cri-api/blob/v0.33.1/pkg/apis/runtime/v1/api.proto
e.g.
Pulling an image:
PullImage(PullImageRequest) returns (PullImageResponse)
Creating a container in a Pod:
CreateContainer(CreateContainerRequest) returns (CreateContainerResponse)
https://github.com/kubernetes/cri-api
containerd as a general-purpose framework
-Containerd is a general-purpose framework to manage workloads
-Provides the containerd API and its client library
Diagram: client tools (Docker, BuildKit, nerdctl, faasd, ...) -> containerd API -> containerd core
-Containerd APIs are wrapped by the client library
-Go: in-tree (/client/ dir)
-Rust: https://github.com/containerd/rust-extensions
-Examples:
-Pulling an image: (*Client).Pull()
-Creating a container: (*Client).NewContainer()
Example: nerdctl
-Docker-compatible CLI for containerd, written in Go
-Non-core subproject of containerd
-Leverages containerd’s extensibility for advanced features
-lazy pulling, faster rootless, image encryption, IPFS, etc…
nerdctl pull alpine
nerdctl run -it --rm alpine
nerdctl build -t foo .
https://github.com/containerd/nerdctl
Debugging Kubernetes nodes with nerdctl
-Usable for debugging containerd-based nodes on Kubernetes
-Loading an image to Kubernetes
-nerdctl --namespace=k8s.io load < ./image.tar
-Building an image for Kubernetes on the node
-nerdctl --namespace=k8s.io build -t foo .
-Retrieving the log from a container
-nerdctl --namespace=k8s.io logs -f CONTAINER_ID
Details:
https://github.com/containerd/nerdctl?tab=readme-ov-file#debugging-kubernetes
Containerd Extensibility
Containerd components overview
This image is copied from the documentation https://containerd.io/ (Copyright containerd Authors 2025 | Documentation Distributed under CC-BY-4.0)
-Shims: run containers, VMs and WebAssembly
-Snapshotters: support a variety of filesystems, lazy pulling, etc.
-NRI: managing a variety of node resources
Containerd snapshotter
-A container image is composed of changesets = filesystem layer archives
-The snapshotter manages unpacked layers = snapshots
-Containerd has in-tree snapshotters relying on filesystems on the host, such as overlayfs, erofs, btrfs, devmapper, etc.
Diagram: Image (layer tar.gz, layer tar.gz, ...) --pull & unpack--> Snapshotter (one snapshot per layer) --merge (e.g. overlayfs)--> container's rootfs (app)
Extending snapshotter plugin
-You can bring your own snapshotter implementation
-“Proxy plugin” feature allows using external snapshotters via gRPC
Snapshotter plugin implementations in the community
Stargz Snapshotter: https://github.com/containerd/stargz-snapshotter
SOCI Snapshotter: https://github.com/awslabs/soci-snapshotter
Nydus Snapshotter: https://github.com/containerd/nydus-snapshotter
OverlayBD Snapshotter: https://github.com/containerd/overlaybd
CVMFS Snapshotter: https://github.com/cvmfs/cvmfs/tree/devel/snapshotter
config.toml example:
[proxy_plugins]
  [proxy_plugins.stargz]
    type = "snapshot"
    address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"
Example: Stargz Snapshotter
-Supports lazy pulling = starts a container before the image is fully pulled
-Uses the OCI-compatible eStargz image format
-Still usable on eStargz-unaware runtimes
-Based on Google's stargz (CRFS), extended with prefetch support
https://github.com/containerd/stargz-snapshotter (Containerd non-core subproject)
Diagram: eStargz layer vs. stargz layer
-eStargz layer, prioritized files (entrypoint.sh, bin/bash): prefetched by a single request
-eStargz layer, other files (bin/ls, usr/bin/apt, ...): fetched on demand and downloaded in the background; one gzip member per file, fetched per-file using an HTTP Range Request
-eStargz layer, TOC and footer: file metadata, offsets, etc.
-stargz layer: bin/ls, usr/bin/apt, ..., entrypoint.sh, bin/bash (no prioritized files)
Chart: Faster pulling by Stargz Snapshotter
https://github.com/containerd/stargz-snapshotter/blob/09d0115ee0906efd198ba13c0a075e818cc2d2e3/README.md
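The footer/TOC lookup sketched in the diagram, as an added example that is not code from the talk or from the stargz-snapshotter project: it builds and validates the eStargz footer (a 51-byte empty gzip member whose "SG" extra subfield carries the TOC offset as 16 hex digits followed by "STARGZ", per the eStargz spec) and derives the HTTP Range values a lazy-pulling reader sends for the TOC and for one file's gzip member. The 4000-byte dummy layer body and the offset/next_offset chunk convention are assumptions made for the example.

```python
import struct
import zlib

FOOTER_SIZE = 51  # eStargz footer: an empty gzip member carrying the TOC offset

def build_footer(toc_offset: int) -> bytes:
    """Build the 51-byte eStargz footer for a TOC gzip member starting at toc_offset."""
    subfield = f"{toc_offset:016x}STARGZ".encode("ascii")        # 22 bytes
    extra = b"SG" + struct.pack("<H", len(subfield)) + subfield  # SI1 SI2 LEN data
    # gzip header: magic, CM=deflate, FLG=FEXTRA, MTIME=0, XFL=0, OS=unknown
    header = b"\x1f\x8b\x08\x04" + struct.pack("<IBB", 0, 0, 0xFF)
    header += struct.pack("<H", len(extra)) + extra
    # empty final stored deflate block, then CRC32 and ISIZE of the empty payload
    trailer = b"\x01\x00\x00\xff\xff" + struct.pack("<II", zlib.crc32(b""), 0)
    footer = header + trailer
    assert len(footer) == FOOTER_SIZE
    return footer

def parse_footer(blob: bytes) -> int:
    """Return the TOC offset from the last 51 bytes of an eStargz blob; reject
    malformed footers and offsets that do not point inside the blob."""
    if len(blob) < FOOTER_SIZE:
        raise ValueError("blob too short to carry an eStargz footer")
    footer = blob[-FOOTER_SIZE:]
    if footer[:3] != b"\x1f\x8b\x08" or not footer[3] & 0x04:
        raise ValueError("footer is not a gzip member with FEXTRA set")
    (xlen,) = struct.unpack_from("<H", footer, 10)
    extra = footer[12:12 + xlen]
    if len(extra) < 4 or extra[:2] != b"SG":
        raise ValueError("missing 'SG' extra subfield")
    (sublen,) = struct.unpack_from("<H", extra, 2)
    data = extra[4:4 + sublen]
    if sublen != 22 or len(data) != 22 or data[16:] != b"STARGZ":
        raise ValueError("malformed STARGZ subfield")
    # the footer must still be a valid gzip member with an empty payload
    if zlib.decompress(footer, 16 + zlib.MAX_WBITS) != b"":
        raise ValueError("footer payload is not empty")
    toc_offset = int(data[:16], 16)
    if toc_offset >= len(blob) - FOOTER_SIZE:
        raise ValueError("TOC offset points past the TOC region")
    return toc_offset

def toc_range_header(blob_size: int, toc_offset: int) -> str:
    """Range value fetching the TOC gzip member (everything between offset and footer)."""
    return f"bytes={toc_offset}-{blob_size - FOOTER_SIZE - 1}"

def chunk_range_header(offset: int, next_offset: int) -> str:
    """Range value for one file's gzip member, given its TOC offset and the
    start offset of the following member (assumed convention for this example)."""
    return f"bytes={offset}-{next_offset - 1}"
```

With a real layer blob the TOC member itself would be gunzipped and its JSON entries read to obtain each file's offset; that part is omitted here.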
Trying Stargz Snapshotter on Lima
-Lima is a tool to manage Linux virtual machines (CNCF Sandbox project)
-Default VM image bundles nerdctl, containerd and Stargz Snapshotter
$ nerdctl.lima --snapshotter=stargz run -it ghcr.io/stargz-containers/python:3.13-esgz
Python 3.13.2 (main, Feb 6 2025, 22:37:13) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
Details:
https://github.com/containerd/stargz-snapshotter/blob/09d0115ee0906efd198ba13c0a075e818cc2d2e3/docs/lima.md
https://github.com/lima-vm/lima
Managing containers, VMs and more
-Low-level runtimes are pluggable via shims
-The runc shim (containerd-shim-runc-v2) is maintained by containerd
-Other third-party shims enable a variety of workloads
Container runtimes (shim: containerd-shim-runc-v2)
●runc (written in Go)
●crun (written in C)
●Youki (written in Rust)
Virtual Machines (shims: containerd-shim-kata-v2, containerd-shim-aws-firecracker)
●Kata Containers
●Firecracker
User-space kernel: gVisor (shim: containerd-shim-runsc-v1)
WebAssembly: Runwasi (shim: containerd-shim-[wasmedge | wasmtime | wasmer]-v1)
Example: runc
-Low-level container runtime by OCI (Open Container Initiative)
-Reference implementation of OCI Runtime Spec
-OCI’s Specification for low level runtimes
-Uses Linux’s namespaces & cgroups to isolate processes as containers
-Written in Go
https://github.com/opencontainers/runc
Example: Kata Containers
-VM-based runtime implementation
-Developed under OpenInfra Foundation
-Isolates each container from the host using a specialized lightweight virtual machine
-The Kata Containers project maintains a shim to integrate with containerd (containerd-shim-kata-v2)
Diagram: containerd-shim-kata-v2 -> VM -> container
https://github.com/kata-containers/kata-containers
Example: gVisor
-Container runtime implementation by Google
-Strong isolation by a Linux-like kernel (Sentry) running in user space
-Sentry intercepts and handles the app's syscalls using seccomp, etc.
-Some syscalls are unimplemented[1]
Diagram: Application -> intercepted syscalls -> Sentry -> limited set of syscalls -> Linux
https://github.com/google/gvisor
[1] https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/
Example: Runwasi
-A containerd shim to manage WebAssembly applications
-WebAssembly: application binary format with a sandboxed execution environment and enhanced portability (covering browsers, servers, IoT devices, etc.)
https://github.com/containerd/runwasi (Non-core subproject of containerd)
Extending Resource/Devices Management
-NRI (Node Resource Interface)
-Plugins track containers' state and modify the spec
-E.g. getting notified of container/pod state, applying resource limitations, attaching CDI devices
Diagram: containerd connects to the NRI plugin via a unix socket; it notifies the plugin of pods and containers info, and the plugin modifies specs
https://github.com/containerd/nri
Recent containerd releases
-The latest minor version v2.1 was released in May 2025
-Changes include:
-Linux’s EROFS filesystem support
-Kubernetes’s Image Volume (KEP 4639)
-and more...
For details about the updates, join the containerd maintainer track!
Tuesday June 17, 2025 16:30 - 17:00 JST
Containerd: Project Update and Deep Dive - Akihiro Suda & Kohei Tokunaga, NTT; Kirtana Ashok, Microsoft; Akhil Mohan, VMware by Broadcom