This document describes how to install and run the gvisor-containerd-shim
using the untrusted workload CRI extension. This requires containerd 1.1 or
later.
Note: The untrusted workload CRI extension is deprecated by containerd. If you are using containerd 1.2, please consider using runtime handler.
- runsc: See the gVisor documentation for information on how to install runsc.
- containerd: See the containerd website for information on how to install containerd.
- Download the latest release of the
gvisor-containerd-shim
. See the releases page
{ # Step 1(release): Install gvisor-containerd-shim
LATEST_RELEASE=$(wget -qO - https://api.github.com/repos/google/gvisor-containerd-shim/releases | grep -oP '(?<="browser_download_url": ")https://[^"]*gvisor-containerd-shim.linux-amd64' | head -1)
wget -O gvisor-containerd-shim ${LATEST_RELEASE}
chmod +x gvisor-containerd-shim
sudo mv gvisor-containerd-shim /usr/local/bin/gvisor-containerd-shim
}
- Create the configuration for the gvisor shim in
/etc/containerd/gvisor-containerd-shim.toml
:
{ # Step 2: Create the gvisor-containerd-shim.toml
cat <<EOF | sudo tee /etc/containerd/gvisor-containerd-shim.toml
# This is the path to the default runc containerd-shim.
runc_shim = "/usr/local/bin/containerd-shim"
EOF
}
- Update
/etc/containerd/config.toml
. Be sure to update the path togvisor-containerd-shim
andrunsc
if necessary:
{ # Step 1: Create containerd config.toml
cat <<EOF | sudo tee /etc/containerd/config.toml
disabled_plugins = ["restart"]
[plugins.linux]
shim = "/usr/local/bin/gvisor-containerd-shim"
shim_debug = true
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = "/usr/local/bin/runsc"
runtime_root = "/run/containerd/runsc"
EOF
}
- Restart
containerd
sudo systemctl restart containerd
You can run containers in gVisor via containerd's CRI.
- Download and install the crictl binary:
{ # Step 1: Download crictl
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
tar xf crictl-v1.13.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin
}
- Write the crictl configuration file
{ # Step 2: Configure crictl
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
EOF
}
- Pull the nginx image
{ # Step 1: Pull the nginx image
sudo crictl pull nginx
}
- Create the sandbox creation request
{ # Step 2: Create sandbox.json
cat <<EOF | tee sandbox.json
{
"metadata": {
"name": "nginx-sandbox",
"namespace": "default",
"attempt": 1,
"uid": "hdishd83djaidwnduwk28bcsb"
},
"annotations": {
"io.kubernetes.cri.untrusted-workload": "true"
},
"linux": {
},
"log_directory": "/tmp"
}
EOF
}
- Create the pod in gVisor
{ # Step 3: Create the sandbox
SANDBOX_ID=$(sudo crictl runp sandbox.json)
}
- Create the nginx container creation request
{ # Step 1: Create nginx container config
cat <<EOF | tee container.json
{
"metadata": {
"name": "nginx"
},
"image":{
"image": "nginx"
},
"log_path":"nginx.0.log",
"linux": {
}
}
EOF
}
- Create the nginx container
{ # Step 2: Create nginx container
CONTAINER_ID=$(sudo crictl create ${SANDBOX_ID} container.json sandbox.json)
}
- Start the nginx container
{ # Step 3: Start nginx container
sudo crictl start ${CONTAINER_ID}
}
- Inspect the created pod
{ # Step 1: Inspect the pod
sudo crictl inspectp ${SANDBOX_ID}
}
- Inspect the nginx container
{ # Step 2: Inspect the container
sudo crictl inspect ${CONTAINER_ID}
}
- Verify that nginx is running in gVisor
{ # Step 3: Check dmesg
sudo crictl exec ${CONTAINER_ID} dmesg | grep -i gvisor
}