The containerd maintainers (including me) are happy to announce the release of containerd 2.0! This is the first major release of containerd since 1.0 was released in 2017, and represents a commitment both to the evolution of the containerd project and continued investment in stability, reliability, and efficiency.
With that said, let’s dive in!
What’s changing
containerd 2.0 introduces new features, stabilizes some experimental features added in the 1.7 release, and removes support for some features that were previously deprecated.
The release notes are pretty extensive, and there’s a high-level document we’ve published here, but here are a few highlights that I’m excited about:
NRI enabled by default
The node resource interface (NRI) is an extension mechanism that allows for customizing low-level details of the container configuration. I like to think of NRI plugins as analogous to mutating webhooks in the Kubernetes ecosystem; like a mutating webhook, an NRI plugin intercepts container creation and has the ability to modify aspects of it. NRI pairs well with Kubernetes as NRI plugins receive context about the Pod object and hook into the Pod lifecycle in addition to containers.
There is already a set of sample plugins maintained by the containerd project, as well as a set of community-maintained plugins.
Image verifier plugins
Image verifier plugins are now supported in containerd 2.0. These plugins allow for policy enforcement about images at image-pull time, and provide good mechanisms for better securing production usage of containerd. Plugins are executable programs (binaries or scripts) that containerd invokes to determine whether a particular image is allowed to be pulled.
Image verifier plugins integrate with the transfer service, which was introduced in containerd 1.7 and is now stable in 2.0. (Note: the CRI plugin is not yet integrated with the transfer service, so image verifier plugins are not yet available for use with Kubernetes.)
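A sketch of what such a verifier could look like, as an added example rather than code from the containerd project. It assumes the verifier contract described in containerd's image verification documentation (the `-name`, `-digest` and `-stdin-media-type` arguments, an OCI descriptor on stdin, exit code 0 to allow); the allowlisted registry `registry.example.internal` is a placeholder.

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Constructed policy for illustration; registry.example.internal is a placeholder.
var allowedRegistries = map[string]bool{"registry.example.internal": true}

var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// judge decides whether a pull is allowed and returns the reason to print.
// descriptor is the raw stdin payload; anything unexpected fails closed.
func judge(name, digest string, descriptor []byte) (bool, string) {
	host, _, ok := strings.Cut(name, "/")
	if !ok || !allowedRegistries[host] {
		return false, fmt.Sprintf("registry %q is not on the allowlist", host)
	}
	if !sha256Digest.MatchString(digest) {
		return false, "resolved digest is not a well-formed sha256 digest"
	}
	var desc struct {
		Digest string `json:"digest"`
	}
	if err := json.Unmarshal(descriptor, &desc); err != nil || desc.Digest != digest {
		return false, "stdin descriptor does not match the resolved digest"
	}
	return true, "allowed: " + host + " image pinned to " + digest
}

// Flag names and the exit-code contract are assumed from containerd's docs.
func main() {
	name := flag.String("name", "", "image reference being pulled")
	digest := flag.String("digest", "", "resolved image digest")
	flag.String("stdin-media-type", "", "media type of the stdin payload")
	flag.Parse()
	descriptor, _ := io.ReadAll(io.LimitReader(os.Stdin, 1<<20))
	ok, reason := judge(*name, *digest, descriptor)
	fmt.Println(reason)
	if !ok {
		os.Exit(1) // any non-zero exit blocks the pull
	}
}
```

Every unexpected input (unqualified reference, registry with an unlisted port, malformed or mismatched descriptor) results in a denial, so the verifier fails closed.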
Removals and deprecation warnings
containerd 2.0 removes support for some previously deprecated features. These removals allow the project maintainers to focus their time on core, widely-used features.
To help users migrate away from deprecated features, we added deprecation warnings. Deprecation warnings record when a deprecated feature was used and allow you to know whether you will be impacted. Because deprecation warnings are usage-based, they should have a low false-positive rate.
Deprecation warnings can be retrieved with `ctr deprecations list`. Ensure you are already using containerd 1.7.21+ or 1.6.36+ for the complete and accurate list.
A basic migration guide
Most users of containerd should be able to safely upgrade to 2.0 without making any changes. For those who may be using removed features or who are using containerd in a production environment and want to exercise due diligence, the following strategy can be used:
- Upgrade to the latest 1.7.x or 1.6.x release of containerd (prefer at least 1.7.21 or 1.6.36)
- Find your impact through deprecation warnings
- Remediate the warnings (note that config format v1 will be auto-migrated; you can convert fully later)
- Test to make sure no warnings reoccur (restart containerd or create new nodes)
- Try upgrading to containerd 2.0 (test clusters are a good practice)
- Upgrade when you are ready
You do not need to be in a rush to upgrade. containerd 1.6 will be supported until the next LTS with bugfixes and security patches. containerd 1.7 will transition to “Extended” support on May 5, 2024 and will receive security patches until the EOL of 1.6.
KubeCon
Maintainers from the containerd project will be present at KubeCon NA 2024 in Salt Lake City, Utah, November 12-15. There are two scheduled talks about containerd, and containerd will also have a booth at the project pavilion.
- Talk: What containerd 2.0 means for you
  - Friday November 15, 2024 11:55am - 12:30pm MST
  - Salt Palace | Level 2 | 254 B
- Talk: What’s going on in the containerd neighborhood
  - Friday November 15, 2024 2:55pm - 3:30pm MST
  - Hyatt Regency | Level 4 | Regency Ballroom A
Sam’s KubeCon schedule
In addition to the talks above (in which I’m speaking), I also like to share some of the talks I’m interested in attending. These are just talks that happened to pique my particular interests, but if you want to meet up at any talk let me know!
Wednesday, November 13, 2024
Start time | End time | Title | Speaker | Location |
---|---|---|---|---|
11:15 am | 11:50 am | Architecting Tomorrow: The Heterogeneous Compute Resources for New Types of Workloads | Alexander Kanevskiy, Intel Finland | Salt Palace, Level 2, 254 B |
12:10 pm | 12:45 pm | Beyond ‘Can You Mentor Me?’ - Crafting the Contribution Ladder | Nitish Kumar, Akuity; Wenjia Zhang, Google; Lucas Käldström, Upbound; Carol Valencia, Elastic; Nabarun Pal, Broadcom | Salt Palace, Level 2, 251 |
2:30 pm | 3:05 pm | Kubernetes WG Device Management - Advancing K8s Support for GPUs | John Belamaric, Google; Patrick Ohly, Intel; Kevin Klues, NVIDIA | Hyatt Regency, Level 4, BCD |
3:25 pm | 4:00 pm | SIG-Node: Intro and Deep Dive | Sergey Kanzhelev & Dawn Chen, Google; Mrunal Patel, Red Hat | Salt Palace, Level 3, 355 B |
4:30 pm | 5:05 pm | Platform Performance Optimization for AI - a Resource Management Perspective | Antti Kervinen, Intel & Dixita Narang, Google | Salt Palace, Level 2, 255 EF |
4:30 pm | 5:05 pm | CNI Updates and Direction! | Michael Zappa, Microsoft | Hyatt Regency, Level 4, BCD |
5:00 pm | 6:00 pm | containerd booth | Samuel Karp | Project Pavilion |
Thursday, November 14, 2024
Start time | End time | Title | Speaker | Location |
---|---|---|---|---|
2:30 pm | 3:05 pm | Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads | Jiaxiao Zhou, Microsoft | Salt Palace, Level 2, 255 BC |
4:30 pm | 5:05 pm | Which GPU Sharing Strategy Is Right for You? a Comprehensive Benchmark Study Using DRA | Kevin Klues & Yuan Chen, NVIDIA | Salt Palace, Level 2, 255 EF |
5:25 pm | 6:00 pm | Managing and Distributing AI Models Using OCI Standards and Harbor | Steven Zou & Steven Ren, VMware by Broadcom | Salt Palace, Level 2, 255 EF |
5:25 pm | 6:00 pm | Navigating Failures in Pods with Devices: Challenges and Solutions | Sergey Kanzhelev, Google & Mrunal Patel, Red Hat | Salt Palace, Level 2, 250 |
5:25 pm | 6:00 pm | Pod Power: Liberating Kubernetes Users from Container Resource Micromanagement | Dixita Narang, Google & Peter Hunt, Red Hat | Salt Palace, Level 1, 155 BC |
Friday, November 15, 2024
Start time | End time | Title | Speaker | Location |
---|---|---|---|---|
11:00 am | 11:35 am | Better Together! GPU, TPU and NIC Topological Alignment with DRA | John Belamaric, Google & Patrick Ohly, Intel | Salt Palace, Level 2, 250 |
11:00 am | 11:35 am | CRI-O Features for Fun and Profit | Peter Hunt & Sohan Kunkerkar, Red Hat | Hyatt Regency, Level 2, Salt Lake CDE |
11:55 am | 12:30 pm | What containerd 2.0 Means for You | Samuel Karp, Google | Salt Palace, Level 2, 254 |
2:00 pm | 2:35 pm | Seccomp and eBPF; What’s the Difference? Why Do I Need to Know? | Natalia Reka Ivanko & Duffie Cooley, Isovalent @ Cisco | Salt Palace, Level 1, 151 |
2:55 pm | 3:30 pm | What’s Going on in the containerd Neighborhood? | Phil Estes, AWS; Samuel Karp, Google; Akihiro Suda, NTT; Michael Brown, IBM; Kirtana Ashok, Microsoft | Hyatt Regency, Level 4, Regency Ballroom A |
4:55 pm | 5:30 pm | Distributed Multi-Node Model Inference Using the LeaderWorkerSet API | Abdullah Gharaibeh & Rupeng Liu, Google | Salt Palace, Level 2, 255 EF |
Looking forward to 2.1
containerd 1.7 came out on March 10, 2023 and 2.0 was released today, November 5, 2024. This was a bit of a longer release cycle, given the scope of change in 2.0 and the work to make sure there was a migration path for the removed features. While we do not have a timeline for 2.1, I do not expect us to have a similarly long release timeline for it. We’re already starting to shape the work, but I’m in particular looking forward to:
- OCI Volume Source support (KEP-4639)
- More image pull improvements
- Integration for CRI with the transfer service
- Credential manager plugins for the transfer service