kubernetes cluster – only crictl can actually see containers (containers assets)

In my kubernetes (v1.28.7), docker uses containerd as underlying container management engine.
(I guess I can call it Container Runtime Interface – CRI? ).

This is how I assume that (look at the last line and scroll all the way to the right):

lab@worker01:~$ sudo systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-03-27 14:22:36 UTC; 1h 11min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 946 (dockerd)
      Tasks: 7
     Memory: 87.3M
        CPU: 1.080s
     CGroup: /system.slice/docker.service
             └─946 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd <--- HERE!!! containerd instead of docker.

Question:
If containerd is my CRI, why the only way to eg. list images or show running containers is "crictl"?

sudo crictl image ls
IMAGE                                      TAG                 IMAGE ID            SIZE
docker.io/calico/cni                       v3.26.0             5d6f5c26c6554       93.3MB
docker.io/calico/node                      v3.26.0             44f52c09decec       87.6MB
docker.io/library/busybox                  latest              ba5dc23f65d4c       2.16MB
docker.io/library/nginx                    latest              92b11f67642b6       70.5MB
docker.io/library/redis                    latest              170a1e90f8436       51.4MB
k8s.gcr.io/metrics-server/metrics-server   v0.6.2              25561daa66605       28.1MB
registry.k8s.io/coredns/coredns            v1.10.1             ead0a4a53df89       16.2MB
registry.k8s.io/kube-proxy                 v1.28.7             123aa721f941b       28.1MB
registry.k8s.io/pause                      3.8                 4873874c08efc       311kB
registry.k8s.io/pause                      3.9                 e6f1816883972       322kB

Why docker OR ctr shows no images:

sudo ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS

sudo docker images ls
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE
Asked By: user205591

||

Containerd allows clients to set a "namespace" in order to manage different sets of resources. For example, on my local system, running Docker 26.0.0, Docker uses containerd as the container runtime.

There are a couple of running Docker containers:

$ docker ps
CONTAINER ID   IMAGE                   COMMAND                  CREATED         STATUS         PORTS                                       NAMES
7cfbf97a9275   alpinelinux/darkhttpd   "darkhttpd /var/www/…"   7 seconds ago   Up 6 seconds   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   boring_thompson
0e1ede44350e   kindest/node:v1.29.2    "/usr/local/bin/entr…"   3 weeks ago     Up 12 hours    127.0.0.1:39949->6443/tcp                   kind-control-plane

I don’t see anything if I run ctr container ls:

# ctr container ls
CONTAINER    IMAGE    RUNTIME    

But if I use the moby namespace, I see the two Docker containers:

# ctr --namespace moby container ls
CONTAINER                                                           IMAGE    RUNTIME                  
0e1ede44350e15fa2305f4b2dbfa0a5023de645bb535b05cac232e91069c4e7e    -        io.containerd.runc.v2    
7cfbf97a9275edb79228d241c221b665659e3688bbc96ac879bb950db481e912    -        io.containerd.runc.v2    

Similarly, on a system running Kubernetes, running ctr container ls shows no containers in the default namespace, but if we use the k8s.io namespace, we see the Kubernetes-managed containers:

# ctr --namespace k8s.io container ls
CONTAINER                                                           IMAGE                                                          RUNTIME
007dc9290e81c88cc85cf1b74b50c535420f1e1b4188eca4dfbd46e14881d2ab    registry.k8s.io/kube-apiserver-amd64:v1.29.2                   io.containerd.runc.v2
00c5f27f9125eb7132277585d450c904f4ff9542f5f70130855d268debad0624    registry.k8s.io/pause:3.7                                      io.containerd.runc.v2
0f2968f76498a18b098bc5a11f1b8071e261d74e0790bc7df6a56f0b37e9b293    registry.k8s.io/kube-proxy-amd64:v1.29.2                       io.containerd.runc.v2
...

Namespace support in containerd is described in this article.

Answered By: larsks
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.