containerd v2.0, nerdctl v2.0, and Lima v1.0

Akihiro Suda
Published in nttlabs
Nov 6, 2024

Ahead of the KubeCon North America 2024 (November 12–15), this week saw the releases of containerd v2.0, nerdctl (contaiNERD CTL) v2.0, and Lima v1.0 🎉.

containerd v2.0

containerd is the industry’s standard container runtime used by Docker and several Kubernetes-based products such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE).

containerd was originally written by Docker, Inc. in 2015 to provide a minimalistic daemon to manage the lifecycles of containers, under the hood of the Docker daemon.

containerd was transferred to the Cloud Native Computing Foundation (CNCF) and reached v1.0 in 2017, with the project's scope expanded to support non-Docker use cases. Built-in support for Kubernetes was merged in v1.1 (2018).

containerd v2.0 focuses on removing the legacy features that have been deprecated over the past nine years. This breaking change is the reason the major version number was bumped from v1 to v2.

Removed features

  • The old containerd-shim and containerd-shim-runc-v1, in favor of containerd-shim-runc-v2. The old shims lacked support for modern features such as cgroup v2 and were inefficient for Kubernetes pods. They had been deprecated since containerd v1.4 (2020).
  • Support for AUFS, in favor of OverlayFS, which is merged in the upstream Linux kernel. Support for AUFS had been deprecated since containerd v1.5 (2021).
  • Support for the Kubernetes CRI v1alpha2 API, in favor of CRI v1. Kubernetes itself already dropped support for CRI v1alpha2 in Kubernetes v1.26 (2022).
  • Support for "Docker Schema 1" images is now disabled, in preparation for its removal in containerd v2.1. Schema 1 has effectively been deprecated since circa 2017 in favor of Schema 2, introduced in Docker v1.10 (2016), but some image registries did not support Schema 2 until around 2020. Docker disabled pushing Schema 1 images in Docker v20.10 (2020), so almost all images built in the last few years should be formatted as Schema 2 or as its successor, OCI Image Spec v1. ("OCI" here refers to the "Open Container Initiative", not to "Oracle Cloud Infrastructure".)

Users of containerd v1.6.27+ or v1.7.12+ can check whether they are using any of those removed features by running the ctr deprecations list command before upgrading.

New features

Other notable changes

See also:

nerdctl v2.0

nerdctl (contaiNERD CTL) is a Docker-like command line interface tool for containerd.

nerdctl was originally written by me in 2020 to facilitate experimental features such as eStargz that were not supported in Docker at that time. nerdctl became a subproject of containerd in 2021 and reached v1.0 in 2022.

nerdctl v2.0 enables detach-netns mode for Rootless mode by default, which brings:

  • Faster and more stable nerdctl pull, nerdctl push, and nerdctl build
  • Proper support for nerdctl pull 127.0.0.1:.../...
  • Proper support for nerdctl run --net=host.

The detach-netns mode may sound similar to bypass4netns, which uses SECCOMP_IOCTL_NOTIF_ADDFD to accelerate socket syscalls in rootless containers. The two address different layers: bypass4netns accelerates the containers themselves, whereas detach-netns accelerates the runtime components responsible for pulling and pushing images, by leaving them in the host network namespace. Containers still run in the "detached" network namespace so that they can obtain IP addresses for container-to-container communication.

Other major changes in nerdctl v2.0 include the addition of nerdctl run --systemd for running systemd inside containers. Stability was also significantly improved in this release, thanks to extensive refactoring and testing by the GitHub user @apostasie.

See also the release note: https://github.com/containerd/nerdctl/releases/tag/v2.0.0

Lima v1.0

Lima is a command line utility for running containerd and nerdctl on desktop operating systems such as macOS, by running a Linux virtual machine with automatic filesystem sharing and port forwarding. Lima is often compared with WSL2, the former Docker Machine, and Vagrant.

brew install lima
limactl start
lima nerdctl run -p 80:80 nginx

Lima was also originally written by me, in 2021, and joined CNCF in 2022. Lima has been adopted by several well-known third-party projects such as Colima, Rancher Desktop, and AWS's Finch. Lima is also used by several organizations, including NTT Communications.

Lima finally reached v1.0 today, with support from 110+ contributors and 15,000+ stargazers over the past 3+ years.

https://star-history.com/#lima-vm/lima

This release introduces several breaking changes, such as switching the default machine driver on macOS from QEMU to Virtualization.framework (VZ) for better filesystem performance.

The limactl CLI is designed to print hints when the user hits one of these breaking changes. For example, limactl create template://experimental/vz now fails with a hint suggesting limactl create --vm-type=vz template://default instead.

Other notable changes include support for nested virtualization, UDP port forwarding, and the limactl tunnel command (SOCKS proxy).

See also the release note: https://github.com/lima-vm/lima/releases/tag/v1.0.0

Visit the maintainers at KubeCon

Some of the maintainers of the projects, including myself, will show up at KubeCon North America 2024:

Wednesday, November 13

Friday, November 15

The full schedule of the conference can be found at <https://kccncna2024.sched.com/>.

NTT is hiring!

We at NTT are looking for engineers who work in open source communities in fields such as containers. Visit <https://www.rd.ntt/e/sic/recruit/> to see how to join us.

We at NTT are looking for colleagues to work with us in open source communities in areas such as containers. Please see our recruitment page: <https://www.rd.ntt/sic/recruit/>
