How to Choose Containerd and Docker

Last updated: 2022-05-23 16:56:36

How do I select a runtime component?

As one of the most important components of Kubernetes (K8s), a container runtime manages the lifecycle of images and containers. Kubelet interacts with the container runtime through the Container Runtime Interface (CRI) to manage images and containers.

You can choose Containerd and Docker as container runtime components:

(Recommended) Containerd has a shorter calling chain and fewer components, and features higher stability and lower node resource consumption.
Docker should be used as the runtime component in the following situations:
You need to use docker in docker;
You need to use commands such as docker build/push/save/load in the TKE node;
You need to call the docker API;
You need the docker compose or docker swarm.

How do I modify a runtime component?

Log in to the TKE console and click Cluster in the left sidebar.
On the Cluster management page, click the target cluster ID to enter the cluster basic information page.
Modify the runtime component in the Basic information section.

Note：

Modifications on the runtime component and version only take effect for added nodes that are not assigned to any node pool. The existing nodes are not affected.

What are the commands commonly used in Containerd and Docker?

Containerd does not support docker API or docker CLI. However, you can get similar features with the cri-tool command.

Image Feature	Docker	Containerd
Display the local image list	docker images	crictl images
Download an image	docker pull	crictl pull
Upload an image	docker push	None
Delete a local image	docker rmi	crictl rmi
View image details	docker inspect IMAGE-ID	crictl inspect IMAGE-ID

Container Feature	Docker	Containerd
Display the container list	docker ps	crictl ps
Create a container	docker create	crictl create
Start a container	docker start	crictl start
Stop a container	docker stop	crictl stop
Delete a container	docker rm	crictl rm
View container details	docker inspect	crictl inspect
attach	docker attach	crictl attach
exec	docker exec	crictl exec
logs	docker logs	crictl logs
stats	docker stats	crictl stats

Pod Feature	Docker	Containerd
Display the Pod list	None	crictl pods
View Pod details	None	crictl inspectp
Run a Pod	None	crictl runp
Stop a Pod	None	crictl stopp

What are the differences between the calling chains?

When Docker is used as the K8s container runtime, the calling chain is as follows:
kubelet --> docker shim (in the kubelet process) --> dockerd --> containerd
When Containerd is used as the K8s container runtime, the calling chain is as follows:
kubelet --> cri plugin (in the containerd process) --> containerd

Although Docker offers more features such as swarm cluster, docker build, and docker API, it may also introduce some bugs and requires one more calling step than containerd.

Stream Service

Note：

Commands such as kubectl exec and kubectl logs require the establishment of a stream forwarding tunnel between the apiserver and the container runtime.

How do I use and configure stream services in Containerd?

The docker API itself provides a stream service, and the docker-shim inside the Kubelet forwards streams through the docker API.
The stream service of Containerd needs to be configured separately:

[plugins.cri]
 stream_server_address = "127.0.0.1"
 stream_server_port = "0"
 enable_tls_streaming = false

What are the configuration differences between versions before and after K8s v1.11?

The stream service of Containerd has different configurations for different versions of K8s.

Before K8s v1.11:
Kubelet performs redirection but not stream proxying. That is, Kubelet sends the stream server address opened by containerd to the apiserver which then directly accesses the stream service of containerd. You need to authenticate the stream service forwarder for security purposes.
After K8s v1.11:
K8s v1.11 introduced kubelet stream proxy, so that the stream service of containerd only needs to listen to the local address.

Other Differences

Container logs and parameters

Item	Docker	Containerd
Storage path	If Docker serves as the K8s container runtime, it saves container logs to a directory such as `/var/lib/docker/containers/$CONTAINERID`. Kubelet will create a soft link under `/var/log/pods` and `/var/log/containers`, pointing to the container log files in the `/var/lib/docker/containers/$CONTAINERID` directory.	If Containerd serves as the K8s container runtime, Kubelet saves container logs to the `/var/log/pods/$CONTAINER_NAME` directory, and creates a soft link under `/var/log/containers`, pointing to the log files.
Configuration parameters	Specify in the Docker configuration files: `"log-driver": "json-file",` `"log-opts": {"max-size": "100m","max-file": "5"}`	Method 1: Specify in the Kubelet parameters: `--container-log-max-files=5 --container-log-max-size="100Mi"` Method 2: Specify in KubeletConfiguration: `"containerLogMaxSize": "100Mi",` `"containerLogMaxFiles": 5,`
Save container logs to the data disk	Mount the data disk to `data-root` (`/var/lib/docker` by default).	Create a soft link `/var/log/pods` to point to a directory under the data disk mounting point. Selecting "Store containers and images in the data disk" in TKE will automatically create the soft link `/var/log/pods`.

CNI network

Item	Docker	Containerd
Component responsible for calling CNI	docker-shim inside Kubelet	Containerd's built-in cri-plugin (in containerd v1.1 or later)
How to configure CNI	Kubelet parameters `--cni-bin-dir` and `--cni-conf-dir`	Containerd configuration file (toml): `[plugins.cri.cni]` `bin_dir = "/opt/cni/bin"` `conf_dir = "/etc/cni/net.d"`

tencent cloud

Tencent Cloud Partner Network

Become a Partner

International Partner Academy

Recent Pages