Updates in containerd 1.5

Akihiro Suda
May 3 · 3 min read

containerd 1.5 was released on May 4, 2021. This release enables OCIcrypt decryption by default and introduces support for NRI, zstd, and FreeBSD jails. This release also simplifies the process for contributing to containerd.

See also my previous article about containerd 1.4 (Aug 2020).

OCIcrypt decryption by default

containerd has supported running containers from encrypted images (OCIcrypt) since containerd 1.3. However, the feature was not enabled by default in containerd 1.3 and 1.4.

This feature is enabled by default in containerd 1.5. See the documentation for usage.

Note that the ctd-decoder binary has to be installed to decrypt OCIcrypt images. The binary is included in cri-containerd-cni-1.5.0-linux-amd64.tar.gz, but not in containerd-1.5.0-linux-amd64.tar.gz. It should also be noted that OCIcrypt is not available for Docker, as Docker does not use containerd for image management at the moment.

NRI: Node Resource Interface

containerd now experimentally implements NRI: Node Resource Interface. The concept of NRI is very similar to CNI (Container Network Interface), but NRI can be used for non-network resources such as CPU scheduling constraints and memory quota. See the example code to learn how to use NRI.

zstd algorithm

In addition to gzip, containerd now supports zstd as an algorithm for image compression. containerd uses the github.com/klauspost/compress/zstd package to implement zstd. See the package documentation for the benchmark results. (TL;DR: a few times faster than gzip)
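Both the OCIcrypt note and the zstd note above come down to what a node must have before it can unpack a given image. The following is an added example, not code from containerd or from this article: a pre-flight check that reads an OCI image manifest and reports whether any layer is encrypted (so ctd-decoder and a key are needed) or zstd-compressed. The names `Preflight` and `Requirements` are hypothetical, the manifest is constructed, and the check assumes OCI layer media types with `+gzip`, `+zstd` and `+encrypted` suffixes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample manifest (placeholder digests, not a real image).
const sampleManifest = `{"schemaVersion": 2, "layers": [
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted", "digest": "sha256:aaaa"},
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+zstd", "digest": "sha256:bbbb"},
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:cccc"}]}`
// Requirements summarizes what a node needs before it can unpack the image.
type Requirements struct {
	NeedsDecoder bool     // an OCIcrypt-encrypted layer: ctd-decoder and a key are required
	NeedsZstd    bool     // a zstd layer: the runtime must support zstd (containerd 1.5+)
	Unknown      []string // media types this check does not recognize (e.g. Docker schema 2)
}

// Preflight classifies each layer by the "+suffix" parts of its OCI media type.
func Preflight(raw []byte) (r Requirements, err error) {
	var m struct { // encoding/json matches the keys case-insensitively
		Layers []struct{ MediaType string }
	}
	if err = json.Unmarshal(raw, &m); err != nil {
		return r, fmt.Errorf("parse manifest: %w", err)
	}
	if len(m.Layers) == 0 { // e.g. an image index, which lists manifests instead
		return r, fmt.Errorf("no layers: not an image manifest")
	}
	for _, l := range m.Layers {
		parts := strings.Split(l.MediaType, "+")
		ok := strings.HasSuffix(parts[0], ".tar")
		for _, p := range parts[1:] {
			r.NeedsDecoder = r.NeedsDecoder || p == "encrypted"
			r.NeedsZstd = r.NeedsZstd || p == "zstd"
			ok = ok && (p == "gzip" || p == "zstd" || p == "encrypted")
		}
		if !ok {
			r.Unknown = append(r.Unknown, l.MediaType)
		}
	}
	return r, nil
}

func main() {
	fmt.Println(Preflight([]byte(sampleManifest)))
}
```

Running such a check in CI or at admission time surfaces a missing ctd-decoder or an older runtime before the pull fails on the node.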

Experimental support for FreeBSD

containerd now experimentally supports FreeBSD hosts, with Samuel Karp’s runj, an OCI runtime for running containers using FreeBSD jails. containerd on FreeBSD currently supports ZFS for snapshot management. A future version will probably support unionfs as well.

containerd on Linux & containerd on FreeBSD

Contributing to containerd is now easier

The CRI plugin repo (github.com/containerd/cri) is now merged into the main repo (github.com/containerd/containerd).

This brings no visible change for users; however, the merger significantly simplifies the process for contributing to containerd.

nerdctl: Docker-compatible CLI for contaiNERD

nerdctl is a Docker-compatible CLI for containerd:

nerdctl is very similar to Docker but supports modern features of containerd, such as lazy-pulling and ocicrypt.

nerdctl joined the containerd organization as a non-core subproject last month. See my recent article for further information.

Don’t miss the containerd sessions at KubeCon EU

KubeCon EU 2021 (May 4–7) will have the following sessions presented by containerd maintainers:

Graduated Project Lightning Talk: containerd Project Update — Derek McGowan

Introduction and Deep Dive Into containerd — Kohei Tokunaga & Akihiro Suda (me), NTT Corporation

Meet the Maintainer: containerd (Zoom meeting)

NTT is hiring!

We at NTT are looking for engineers to work in open source communities such as containerd, Docker/Moby, Kubernetes, and their related projects. Visit https://www.rd.ntt/e/sic/recruit/ to see how to join us.

We at NTT are looking for colleagues to work alongside us in open source communities such as containerd, Docker/Moby, and Kubernetes. Please see our recruitment page: https://www.rd.ntt/sic/recruit/


NTT Open Source
