Contents:
Runtime Component Description
As one of the most important components of Kubernetes (K8s), a container runtime is responsible for managing the lifecycle of images and containers. Kubelet interacts with the container runtime through the Container Runtime Interface (CRI) to manage images and containers.
TKE supports containerd and Docker as a runtime component:
- (Recommended) Containerd has a shorter call chain and fewer components and features higher stability and lower node resource consumption.
- Docker should be used as the runtime component if you need to use the following:
- Docker in docker;
- Commands such as docker build/push/save/load;
- Docker API;
- Docker compose or docker swarm.
Common Commands in containerd and Docker
containerd does not support the docker API or docker CLI, however you can get this feature by cri-tool commands.
| Image-related Features | Docker | containerd |
|---|---|---|
| Display the local image list | docker images | crictl ps |
| Download an image | docker pull | crictl pull |
| Upload an image | docker push | None |
| Delete a local image | docker rmi | crictl rmi |
| View image details | docker inspect | crictl inspecti |
| Container-related Functions | Docker | containerd |
|---|---|---|
| Display the container list | docker ps | crictl ps |
| Create a container | docker create | crictl create |
| Start a container | docker start | crictl start |
| Stop a container | docker stop | crictl stop |
| Delete a container | docker rm | crictl rm |
| View container details | docker inspect | crictl inspect |
| attach | docker attach | crictl attach |
| exec | docker exec | crictl exec |
| logs | docker logs | crictl logs |
| stats | docker stats | crictl stats |
| Pod-related Functions | Docker | containerd |
|---|---|---|
| Display the pod list | None | crictl pods |
| View pod Details | None | crictl inspectp |
| Run a pod | None | crictl runp |
| Stop a pod | None | crictl stopp |
Call Chain Description
- If Docker is selected as the K8s container runtime, the call relationship is as follows:
kubelet --> docker shim (in the kubelet process) --> dockerd --> containerd - If containerd is selected as the K8s container runtime, the call relationship is as follows:
kubelet --> cri plugin (in the containerd process) --> containerd
Although dockerd adds functions such as swarm cluster, docker build, and docker API, it may also introduce some bugs and has one more layer of call than containerd.
Stream Service
Commands such as kubectl exec and kubectl logs require the establishment of a stream forwarding tunnel between the apiserver and the container runtime.
Using and Configuring the Stream Service of containerd
The docker API itself provides a stream service, and the docker-shim inside the Kubelet forwards the stream through the docker API.
The stream service of containerd has to be configured separately:
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "0"
enable_tls_streaming = falseConfiguration Differences
The stream service of containerd has different configurations for different versions of K8s.
- Before K8s v1.11:
Kubelet performs redirection but not stream proxying. That is, Kubelet sends the stream server address opened by containerd to apiserver and lets apiserver directly access the stream service of containerd. At this point, authentication should be implemented for the stream service forwarder for security protection. - K8s v1.11 and later:
K8s v1.11 introduced kubelet stream proxy, so that the stream service of containerd only needs to listen to the local address.
Other Differences
Container Log and Related Parameters
| Item | Docker | containerd |
|---|---|---|
| Storage path |
If Docker is selected as the K8s container runtime, the container logs will be stored by Docker in a directory like /var/lib/docker/containers/$CONTAINERID. Kubelet will create a soft link under /var/log/pods and /var/log/containers pointing to the container log files in the /var/lib/docker/containers/$CONTAINERID directory.
|
If containerd is selected as the K8s container runtime, the container logs will be stored by Kubelet in the /var/log/pods/$CONTAINER_NAME directory, which will create a soft link under /var/log/containers pointing to the log files.
|
| Configuration parameters |
Specify in the Docker configuration files:
"log-driver": "json-file",
"log-opts": {"max-size": "100m","max-file": "5"}
|
|
| Save container logs to the data disk | Mount the data disk to "data-root" (/var/lib/docker by default). |
Create a soft link /var/log/pods to point to a directory under the data disk mount point. Selecting "Store containers and images in the data disk" in TKE will automatically create the soft link /var/log/pods.
|
CNI Network
| Item | Docker | containerd |
|---|---|---|
| Component responsible for calling CNI | docker-shim inside Kubelet | containerd's built-in cri-plugin (in containerd v1.1 or later) |
| How to configure CNI | Kubelet parameters --cni-bin-dir and --cni-conf-dir |
containerd configuration file (toml): [plugins.cri.cni]bin_dir = "/opt/cni/bin"conf_dir = "/etc/cni/net.d" |
