The containerd maintainers (including me) are happy to announce the release of containerd 2.0! This is the first major release of containerd since 1.0 was released in 2017, and represents a commitment both to the evolution of the containerd project and continued investment in stability, reliability, and efficiency.

With that said, let’s dive in!

What’s changing

containerd 2.0 introduces new features, stabilizes some experimental features added in the 1.7 release, and removes support for some features that were previously deprecated.

The release notes are pretty extensive, and there’s a high level document we’ve published here, but a few highlights that I’m excited about:

NRI enabled by default

The node resource interface (NRI) is an extension mechanism that allows for customizing low-level details of the container configuration. I like to think of NRI plugins as analogous to mutating webhooks in the Kubernetes ecosystem; like a mutating webhook, an NRI plugin intercepts container creation and has the ability to modify aspects of it. NRI pairs well with Kubernetes as NRI plugins receive context about the Pod object and hook into the Pod lifecycle in addition to containers.

There are already a set of sample plugins maintained by the containerd project, as well as a set of community-maintained plugins.

Image verifier plugins

Image verifier plugins are now supported in containerd 2.0. These plugins allow for policy enforcement about images at image-pull time, and provide good mechanisms for better securing production usage of containerd. Plugins are executable programs (binaries or scripts) that containerd invokes to determine whether a particular image is allowed to be pulled.

Image verifier plugins integrate with the transfer service, which was introduced in containerd 1.7 and is now stable in 2.0. (Note: the CRI plugin is not yet integrated with the transfer service, so image verifier plugins are not yet available for use with Kubernetes.)
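As an added example (not containerd's own code, and not from the original post), here is a minimal image verifier plugin in Go that enforces a registry allowlist, binds the manifest it receives on stdin to the digest it was invoked with, and accepts only OCI manifest or index media types. It assumes the invocation convention I recall from containerd's image-verification documentation (-name, -digest and -stack flags, the manifest on stdin, exit status 0 to accept, stdout reported as the reason) and that stdin holds exactly the blob the -digest names; the registry names are constructed values, so check both against the docs for your release before deploying.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"os"
	"strings"
)
// Registries this policy trusts (constructed example values).
var allowedRegistries = map[string]bool{"registry.example.internal": true, "ghcr.io": true}
// manifestDigest renders the OCI-style sha256 digest string of a blob.
func manifestDigest(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }

// verify decides one pull and returns (accept, reason to report).
func verify(name, digest string, manifest []byte) (bool, string) {
	if host := strings.SplitN(name, "/", 2)[0]; !allowedRegistries[host] {
		return false, "registry not in allowlist: " + host
	}
	// Assumes stdin carries exactly the blob that -digest names, so bind the two.
	if got := manifestDigest(manifest); got != digest {
		return false, "manifest bytes do not match " + digest
	}
	var m struct{ MediaType string `json:"mediaType"` }
	if err := json.Unmarshal(manifest, &m); err != nil {
		return false, "manifest is not valid JSON: " + err.Error()
	}
	switch m.MediaType {
	case "application/vnd.oci.image.manifest.v1+json",
		"application/vnd.oci.image.index.v1+json":
		return true, "accepted " + name
	}
	return false, "unexpected mediaType " + m.MediaType
}

func main() {
	name := flag.String("name", "", "image reference being pulled")
	digest := flag.String("digest", "", "digest of the content on stdin")
	flag.String("stack", "", "ancestor digests; not used by this policy")
	flag.Parse()
	// A read error leaves the blob empty, which the digest check rejects (fail closed).
	manifest, _ := io.ReadAll(os.Stdin)
	accept, reason := verify(*name, *digest, manifest)
	fmt.Println(reason) // stdout is surfaced by containerd as the verdict reason
	if !accept {
		os.Exit(1) // any non-zero exit status rejects the pull
	}
}
```

Install the built binary in the directory the bindir verifier is configured to scan; containerd runs every plugin there and a single rejection blocks the pull.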

Removals and deprecation warnings

containerd 2.0 removes support for some previously deprecated features. These removals allow the project maintainers to focus their time on core, widely-used features.

To help users migrate away from deprecated features, we added deprecation warnings. Deprecation warnings record when a deprecated feature was used and allow you to know whether you will be impacted. Because deprecation warnings are usage-based, they should have a low false-positive rate.

Deprecation warnings can be retrieved with ctr deprecations list. Ensure you are already using containerd 1.7.21+ or 1.6.36+ for the complete and accurate list.

A basic migration guide

Most users of containerd should be able to safely upgrade to 2.0 without making any changes. For those who may be using removed features or who are using containerd in a production environment and want to exercise due diligence, the following strategy can be used:

  1. Upgrade to the latest 1.7.x or 1.6.x release of containerd (prefer at least 1.7.21 or 1.6.36)
  2. Find your impact through deprecation warnings
  3. Remediate the warnings (note that config format v1 will be auto-migrated; you can convert fully later)
  4. Test to make sure no warnings reoccur (restart containerd or create new nodes)
  5. Try upgrading to containerd 2.0 (test clusters are a good practice)
  6. Upgrade when you are ready

You do not need to be in a rush to upgrade. containerd 1.6 will be supported until the next LTS with bugfixes and security patches. containerd 1.7 will transition to “Extended” support on May 5, 2024 and will receive security patches until the EOL of 1.6.

KubeCon

Maintainers from the containerd project will be present at KubeCon NA 2024 in Salt Lake City, Utah, November 12-15. There are two scheduled talks about containerd, and containerd will also have a booth at the project pavilion.

Sam’s KubeCon schedule

In addition to the talks above (in which I’m speaking), I also like to share some of the talks I’m interested in attending. These are just talks that happened to pique my particular interests, but if you want to meet up at any talk let me know!

Wednesday, November 13, 2024

| Start time | End time | Title | Speaker | Location |
|---|---|---|---|---|
| 11:15 am | 11:50 am | Architecting Tomorrow: The Heterogeneous Compute Resources for New Types of Workloads | Alexander Kanevskiy, Intel Finland | Salt Palace, Level 2, 254 B |
| 12:10 pm | 12:45 pm | Beyond ‘Can You Mentor Me?’ - Crafting the Contribution Ladder | Nitish Kumar, Akuity; Wenjia Zhang, Google; Lucas Käldström, Upbound; Carol Valencia, Elastic; Nabarun Pal, Broadcom | Salt Palace, Level 2, 251 |
| 2:30 pm | 3:05 pm | Kubernetes WG Device Management - Advancing K8s Support for GPUs | John Belamaric, Google; Patrick Ohly, Intel; Kevin Klues, NVIDIA | Hyatt Regency, Level 4, BCD |
| 3:25 pm | 4:00 pm | SIG-Node: Intro and Deep Dive | Sergey Kanzhelev & Dawn Chen, Google; Mrunal Patel, Red Hat | Salt Palace, Level 3, 355 B |
| 4:30 pm | 5:05 pm | Platform Performance Optimization for AI - a Resource Management Perspective | Antti Kervinen, Intel & Dixita Narang, Google | Salt Palace, Level 2, 255 EF |
| 4:30 pm | 5:05 pm | CNI Updates and Direction! | Michael Zappa, Microsoft | Hyatt Regency, Level 4, BCD |
| 5:00 pm | 6:00 pm | containerd booth | Samuel Karp | Project Pavilion |

Thursday, November 14, 2024

| Start time | End time | Title | Speaker | Location |
|---|---|---|---|---|
| 2:30 pm | 3:05 pm | Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads | Jiaxiao Zhou, Microsoft | Salt Palace, Level 2, 255 BC |
| 4:30 pm | 5:05 pm | Which GPU Sharing Strategy Is Right for You? a Comprehensive Benchmark Study Using DRA | Kevin Klues & Yuan Chen, NVIDIA | Salt Palace, Level 2, 255 EF |
| 5:25 pm | 6:00 pm | Managing and Distributing AI Models Using OCI Standards and Harbor | Steven Zou & Steven Ren, VMware by Broadcom | Salt Palace, Level 2, 255 EF |
| 5:25 pm | 6:00 pm | Navigating Failures in Pods with Devices: Challenges and Solutions | Sergey Kanzhelev, Google & Mrunal Patel, Red Hat | Salt Palace, Level 2, 250 |
| 5:25 pm | 6:00 pm | Pod Power: Liberating Kubernetes Users from Container Resource Micromanagement | Dixita Narang, Google & Peter Hunt, Red Hat | Salt Palace, Level 1, 155 BC |

Friday, November 15, 2024

| Start time | End time | Title | Speaker | Location |
|---|---|---|---|---|
| 11:00 am | 11:35 am | Better Together! GPU, TPU and NIC Topological Alignment with DRA | John Belamaric, Google & Patrick Ohly, Intel | Salt Palace, Level 2, 250 |
| 11:00 am | 11:35 am | CRI-O Features for Fun and Profit | Peter Hunt & Sohan Kunkerkar, Red Hat | Hyatt Regency, Level 2, Salt Lake CDE |
| 11:55 am | 12:30 pm | What containerd 2.0 Means for You | Samuel Karp, Google | Salt Palace, Level 2, 254 |
| 2:00 pm | 2:35 pm | Seccomp and eBPF; What’s the Difference? Why Do I Need to Know? | Natalia Reka Ivanko & Duffie Cooley, Isovalent @ Cisco | Salt Palace, Level 1, 151 |
| 2:55 pm | 3:30 pm | What’s Going on in the containerd Neighborhood? | Phil Estes, AWS; Samuel Karp, Google; Akihiro Suda, NTT; Michael Brown, IBM; Kirtana Ashok, Microsoft | Hyatt Regency, Level 4, Regency Ballroom A |
| 4:55 pm | 5:30 pm | Distributed Multi-Node Model Inference Using the LeaderWorkerSet API | Abdullah Gharaibeh & Rupeng Liu, Google | Salt Palace, Level 2, 255 EF |

Looking forward to 2.1

containerd 1.7 came out on March 10, 2023, and 2.0 was released today, November 5, 2024. This was a bit of a longer release cycle given the scope of change in 2.0 and the work to make sure there was a migration path for the removed features. While we do not have a timeline for 2.1, I do not expect us to have a similarly long release timeline for it. We’re already starting to shape the work, but I’m in particular looking forward to: