tencent cloud

Feedback

How to Choose Containerd and Docker

Last updated: 2022-05-23 16:56:36

    How do I select a runtime component?

    As one of the most important components of Kubernetes (K8s), a container runtime manages the lifecycle of images and containers. Kubelet interacts with the container runtime through the Container Runtime Interface (CRI) to manage images and containers.

    You can choose Containerd and Docker as container runtime components:

    • (Recommended) Containerd has a shorter calling chain and fewer components, and features higher stability and lower node resource consumption.
    • Docker should be used as the runtime component in the following situations:
    • You need to use docker in docker;
    • You need to use commands such as docker build/push/save/load in the TKE node;
    • You need to call the docker API;
    • You need the docker compose or docker swarm.

    How do I modify a runtime component?

    1. Log in to the TKE console and click Cluster in the left sidebar.
    2. On the Cluster management page, click the target cluster ID to enter the cluster basic information page.
    3. Modify the runtime component in the Basic information section.
      Note:

      Modifications on the runtime component and version only take effect for added nodes that are not assigned to any node pool. The existing nodes are not affected.

    What are the commands commonly used in Containerd and Docker?

    Containerd does not support docker API or docker CLI. However, you can get similar features with the cri-tool command.

    Image Feature Docker Containerd
    Display the local image list docker images crictl images
    Download an image docker pull crictl pull
    Upload an image docker push None
    Delete a local image docker rmi crictl rmi
    View image details docker inspect IMAGE-ID crictl inspect IMAGE-ID
    Container Feature Docker Containerd
    Display the container list docker ps crictl ps
    Create a container docker create crictl create
    Start a container docker start crictl start
    Stop a container docker stop crictl stop
    Delete a container docker rm crictl rm
    View container details docker inspect crictl inspect
    attach docker attach crictl attach
    exec docker exec crictl exec
    logs docker logs crictl logs
    stats docker stats crictl stats
    Pod Feature Docker Containerd
    Display the Pod list None crictl pods
    View Pod details None crictl inspectp
    Run a Pod None crictl runp
    Stop a Pod None crictl stopp

    What are the differences between the calling chains?

    • When Docker is used as the K8s container runtime, the calling chain is as follows:
      kubelet --> docker shim (in the kubelet process) --> dockerd --> containerd
    • When Containerd is used as the K8s container runtime, the calling chain is as follows:
      kubelet --> cri plugin (in the containerd process) --> containerd

    Although Docker offers more features such as swarm cluster, docker build, and docker API, it may also introduce some bugs and requires one more calling step than containerd.

    Stream Service

    Note:

    Commands such as kubectl exec and kubectl logs require the establishment of a stream forwarding tunnel between the apiserver and the container runtime.

    How do I use and configure stream services in Containerd?

    The docker API itself provides a stream service, and the docker-shim inside the Kubelet forwards streams through the docker API.
    The stream service of Containerd needs to be configured separately:

    [plugins.cri]
     stream_server_address = "127.0.0.1"
     stream_server_port = "0"
     enable_tls_streaming = false
    

    What are the configuration differences between versions before and after K8s v1.11?

    The stream service of Containerd has different configurations for different versions of K8s.

    • Before K8s v1.11:
      Kubelet performs redirection but not stream proxying. That is, Kubelet sends the stream server address opened by containerd to the apiserver which then directly accesses the stream service of containerd. You need to authenticate the stream service forwarder for security purposes.
    • After K8s v1.11:
      K8s v1.11 introduced kubelet stream proxy, so that the stream service of containerd only needs to listen to the local address.

    Other Differences

    Container logs and parameters

    Item Docker Containerd
    Storage path If Docker serves as the K8s container runtime, it saves container logs to a directory such as /var/lib/docker/containers/$CONTAINERID. Kubelet will create a soft link under /var/log/pods and /var/log/containers, pointing to the container log files in the /var/lib/docker/containers/$CONTAINERID directory. If Containerd serves as the K8s container runtime, Kubelet saves container logs to the /var/log/pods/$CONTAINER_NAME directory, and creates a soft link under /var/log/containers, pointing to the log files.
    Configuration parameters Specify in the Docker configuration files:
    "log-driver": "json-file",
    "log-opts": {"max-size": "100m","max-file": "5"}
    • Method 1: Specify in the Kubelet parameters:
      --container-log-max-files=5
      --container-log-max-size="100Mi"

    • Method 2: Specify in KubeletConfiguration:
      "containerLogMaxSize": "100Mi",
      "containerLogMaxFiles": 5,
    Save container logs to the data disk Mount the data disk to `data-root` (/var/lib/docker by default). Create a soft link /var/log/pods to point to a directory under the data disk mounting point.
    Selecting "Store containers and images in the data disk" in TKE will automatically create the soft link /var/log/pods.

    CNI network

    Item Docker Containerd
    Component responsible for calling CNI docker-shim inside Kubelet Containerd's built-in cri-plugin (in containerd v1.1 or later)
    How to configure CNI Kubelet parameters --cni-bin-dir and --cni-conf-dir Containerd configuration file (toml):
    [plugins.cri.cni]
    bin_dir = "/opt/cni/bin"
    conf_dir = "/etc/cni/net.d"
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support