All Posts

containerd internals: ctr

containerd internals: ctr

Welcome to day 3 of our series on containerd internals! This post will cover ctr, a command-line tool for containerd.

containerd internals blog series for December 2024

containerd internals blog series for December 2024

Derek already announced this on his blog, but I figured I can post here too. This month, a few of the containerd maintainers plan to write a series of blog posts about containerd internals that we think are interesting and not well-known. Our hope through this series is that you’ll find some useful takeaways in operating containerd (and understanding how to debug), integrating with containerd (through our many extension points), contributing to containerd, or even in writing your own projects.

containerd 2.0 (and KubeCon NA 2024)

containerd 2.0 (and KubeCon NA 2024)

The containerd maintainers (including me) are happy to announce the release of containerd 2.0! This is the first major release of containerd since 1.0 was released in 2017, and represents a commitment both to the evolution of the containerd project and continued investment in stability, reliability, and efficiency.

Deprecation Warnings in containerd - Getting Ready for 2.0!

Deprecation Warnings in containerd - Getting Ready for 2.0!

containerd 2.0 will be the first new major release of containerd since the initial stable release of 1.0 in December, 2017. After six years of iteration, development, and refinement, 2.0 will encapsulate the learning we’ve had building and supporting containerd at large scale (and as the default container runtime for a number of managed container offerings). With that, 2.0 brings some major refactorings of core services (CRI, image management), new functionality (sandbox plugins, transfer plugins, image verifier plugins), improvements (better user namespace support, NRI updates), and removals of deprecated functionality.

My KubeCon+CloudNativeCon EU 2023 Schedule

My KubeCon+CloudNativeCon EU 2023 Schedule

I’ll be speaking at KubeCon+CloudNativeCon EU 2023 in Amsterdam next week. I’d love it if you came to see me! I tried this before with SCALE 18x and shared my expected schedule, and I want to try sharing it again! If you feel like you want to join me or meet up during the conference, please reach out and let me know.

Flexible Test Doubles in Go

It’s been a bit since I’ve written on this blog about anything other than containers, but I’ve been reading a lot of new (to me) Go code lately and wanted to discuss unit testing. I’m pretty firmly in the camp that testing is critical for building reliable, maintainable systems, and unit testing is an important component of that (though I do not believe it is sufficient on its own; integration, functional, or end-to-end testing is also often just as important). Unit testing is a somewhat special form of testing though, since the goal is to test the smallest functional unit of a system. One tool used as a part of unit testing that has been popular for as long as I’ve been employed as a software engineer is that of a test double.

Docker-style networking for FreeBSD jails with runj

One of the really nice things about Docker containers is that the defaults mostly just work. One of those defaults is networking; docker run gives you a perfectly serviceable network experience with containers able to access the Internet, access each other, and expose services. runj is a much lower-level tool than Docker, so that sort of out-of-the-box network experience wouldn’t be something runj would directly provide. However, I recently added support to runj for some of the pieces that make a networking experience like that possible. Higher-level tools that use runj, like nerdctl, might use these pieces in the future.

Experimental Networking Support for FreeBSD Jails with runj

One of the core use-cases for modern container systems is to run networked workloads, often across a group of machines deployed in a cluster. A variety of different networking models exist, but until now no networking at all was possible with runj. Now, after this change, runj has its first networking capability! The functionality that pull request enable jails to share the IPv4 network stack with the underlying FreeBSD host, similar to the “host networking” model common for Linux containers.

A new contribution policy for runj

In March, I open-sourced runj, an experimental OCI-compatible runtime for FreeBSD jails. I started runj in order to teach myself more about FreeBSD in general and jails in particular, and the initial contribution policy I set was designed to give me the space to learn at my own pace. However, as I wrote in that first blog post, the amount of attention runj received on its first day really surprised me. The attention since then has continued, and I’ve had the opportunity to connect with members of the FreeBSD community who have shared my excitement about connecting FreeBSD with the broader container ecosystem. Everyone I’ve spoken with has been incredibly kind and respectful of the space I requested, which did give me the opportunity to learn on my own. I really appreciate their kindness, and now that I’ve achieved the first part of my learning goal I’m ready to move forward and work together rather than working alone.

Joining the containerd and Moby projects

Joining the containerd and Moby projects

This past September, I joined the containerd project as a security advisor. In March, I increased my involvement as a reviewer. And this week, I joined the Moby project as a maintainer. My colleague Kazuyoshi Kato wrote about joining containerd on his blog and I’ve been wanting to do that too.