# Containerd Quick Start

This document describes how to use `containerd-shim-runsc-v1` with the
containerd runtime handler support on `containerd`.

> ⚠️ NOTE: If you are using Kubernetes and set up your cluster using kubeadm you
> may run into issues. See the [FAQ](../FAQ.md#runtime-handler) for details.

## Requirements

- **runsc** and **containerd-shim-runsc-v1**: See the
  [installation guide](/docs/user_guide/install/).
- **containerd**: See the [containerd website](https://containerd.io/) for
  information on how to install containerd. **Minimal version supported: 1.3.9
  or 1.4.3.**

## Configure containerd

Update `/etc/containerd/config.toml`. Make sure `containerd-shim-runsc-v1` is in
`${PATH}` or in the same directory as `containerd` binary.

```shell
cat <<EOF | sudo tee /etc/containerd/config.toml
version = 2
[plugins."io.containerd.runtime.v1.linux"]
  shim_debug = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
EOF
```

Restart `containerd`:

```shell
sudo systemctl restart containerd
```

## Usage

You can run containers in gVisor via containerd's CRI.

### Install crictl

Download and install the `crictl` binary:

```shell
{
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin
}
```

Write the `crictl` configuration file:

```shell
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
EOF
```

### Create the nginx sandbox in gVisor

Pull the nginx image:

```shell
sudo crictl pull nginx
```

Create the sandbox creation request:

```shell
cat <<EOF | tee sandbox.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "linux": {
    },
    "log_directory": "/tmp"
}
EOF
```

Create the pod in gVisor:

```shell
SANDBOX_ID=$(sudo crictl runp --runtime runsc sandbox.json)
```

### Run the nginx container in the sandbox

Create the nginx container creation request:

```shell
cat <<EOF | tee container.json
{
  "metadata": {
      "name": "nginx"
    },
  "image":{
      "image": "nginx"
    },
  "log_path":"nginx.0.log",
  "linux": {
  }
}
EOF
```

Create the nginx container:

```shell
CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
```

Start the nginx container:

```shell
sudo crictl start ${CONTAINER_ID}
```

### Validate the container

Inspect the created pod:

```shell
sudo crictl inspectp ${SANDBOX_ID}
```

Inspect the nginx container:

```shell
sudo crictl inspect ${CONTAINER_ID}
```

Verify that nginx is running in gVisor:

```shell
sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
```

### Set up the Kubernetes RuntimeClass

Install the RuntimeClass for gVisor:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
```

Create a Pod with the gVisor RuntimeClass:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
EOF
```

Verify that the Pod is running:

```shell
kubectl get pod nginx-gvisor -o wide
```
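
The RuntimeClass `handler: runsc` only produces a gVisor sandbox when containerd's `runtimes.runsc` entry points at `io.containerd.runsc.v1`. The script below is an added example, not part of the gVisor documentation, that checks this mapping in a containerd config; the function names are hypothetical and the sample config is a constructed copy of the one on this page.

```shell
#!/bin/sh
# Added example: confirm that a CRI runtime handler name maps to the gVisor
# shim in containerd's config. Function names here are hypothetical.

# Print the runtime_type configured for CRI runtime handler $2 in config file $1.
runtime_type_for() {
    awk -v want="$2" '
        # A TOML table header starts a new table; note whether it is the wanted handler.
        /^[ \t]*\[/ {
            hdr = $0
            gsub(/[ \t]/, "", hdr)
            in_table = (hdr == ("[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes." want "]"))
            next
        }
        # Inside the wanted table, extract the quoted value of runtime_type.
        in_table && /^[ \t]*runtime_type[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*"/, "", val)
            sub(/".*$/, "", val)
            print val
            exit
        }
    ' "$1"
}

# Succeed only if handler $2 in config $1 is backed by the runsc shim.
handler_is_gvisor() {
    [ "$(runtime_type_for "$1" "$2")" = "io.containerd.runsc.v1" ]
}

# Constructed sample: the config from this page, written to file $1.
write_sample_config() {
    cat > "$1" <<'EOF'
version = 2
[plugins."io.containerd.runtime.v1.linux"]
  shim_debug = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
EOF
}

# Demo on the constructed sample: runsc is gVisor-backed, runc is not.
tmp=$(mktemp) && write_sample_config "$tmp"
for h in runsc runc; do
    if handler_is_gvisor "$tmp" "$h"; then echo "$h: gVisor"; else echo "$h: NOT gVisor"; fi
done
rm -f "$tmp"
```

On a real node, run `handler_is_gvisor /etc/containerd/config.toml runsc` before applying the RuntimeClass, passing the same name the RuntimeClass uses in `handler`.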