Kubernetes cluster – only crictl can actually see containers (containers assets)

In my Kubernetes (v1.28.7), Docker uses containerd as the underlying container management engine.
(I guess I can call it Container Runtime Interface – CRI?).

This is how I assume that (look at the last line and scroll all the way to the right):

lab@worker01:~$ sudo systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-03-27 14:22:36 UTC; 1h 11min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 946 (dockerd)
      Tasks: 7
     Memory: 87.3M
        CPU: 1.080s
     CGroup: /system.slice/docker.service
             └─946 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd <--- HERE!!! containerd instead of docker.

If containerd is my CRI, why is the only way to, e.g., list images or show running containers "crictl"?

sudo crictl image ls
IMAGE                                      TAG                 IMAGE ID            SIZE
docker.io/calico/cni                       v3.26.0             5d6f5c26c6554       93.3MB
docker.io/calico/node                      v3.26.0             44f52c09decec       87.6MB
docker.io/library/busybox                  latest              ba5dc23f65d4c       2.16MB
docker.io/library/nginx                    latest              92b11f67642b6       70.5MB
docker.io/library/redis                    latest              170a1e90f8436       51.4MB
k8s.gcr.io/metrics-server/metrics-server   v0.6.2              25561daa66605       28.1MB
registry.k8s.io/coredns/coredns            v1.10.1             ead0a4a53df89       16.2MB
registry.k8s.io/kube-proxy                 v1.28.7             123aa721f941b       28.1MB
registry.k8s.io/pause                      3.8                 4873874c08efc       311kB
registry.k8s.io/pause                      3.9                 e6f1816883972       322kB

Why does docker OR ctr show no images:

sudo ctr images ls

sudo docker images ls
Asked By: user205591


Containerd allows clients to set a "namespace" in order to manage different sets of resources. For example, on my local system, running Docker 26.0.0, Docker uses containerd as the container runtime.

There are a couple of running Docker containers:

$ docker ps
CONTAINER ID   IMAGE                   COMMAND                  CREATED         STATUS         PORTS                                       NAMES
7cfbf97a9275   alpinelinux/darkhttpd   "darkhttpd /var/www/…"   7 seconds ago   Up 6 seconds>8080/tcp, :::8080->8080/tcp   boring_thompson
0e1ede44350e   kindest/node:v1.29.2    "/usr/local/bin/entr…"   3 weeks ago     Up 12 hours>6443/tcp                   kind-control-plane

I don’t see anything if I run ctr container ls:

# ctr container ls

But if I use the moby namespace, I see the two Docker containers:

# ctr --namespace moby container ls
CONTAINER                                                           IMAGE    RUNTIME                  
0e1ede44350e15fa2305f4b2dbfa0a5023de645bb535b05cac232e91069c4e7e    -        io.containerd.runc.v2    
7cfbf97a9275edb79228d241c221b665659e3688bbc96ac879bb950db481e912    -        io.containerd.runc.v2    

Similarly, on a system running Kubernetes, running ctr container ls shows no containers in the default namespace, but if we use the k8s.io namespace, we see the Kubernetes-managed containers:

# ctr --namespace k8s.io container ls
CONTAINER                                                           IMAGE                                                          RUNTIME
007dc9290e81c88cc85cf1b74b50c535420f1e1b4188eca4dfbd46e14881d2ab    registry.k8s.io/kube-apiserver-amd64:v1.29.2                   io.containerd.runc.v2
00c5f27f9125eb7132277585d450c904f4ff9542f5f70130855d268debad0624    registry.k8s.io/pause:3.7                                      io.containerd.runc.v2
0f2968f76498a18b098bc5a11f1b8071e261d74e0790bc7df6a56f0b37e9b293    registry.k8s.io/kube-proxy-amd64:v1.29.2                       io.containerd.runc.v2

Namespace support in containerd is described in this article.

Answered By: larsks
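
The namespace behaviour described in the answer matters for node inventory and incident response: a listing of the default namespace alone misses every workload. The script below is an added example, not part of the original answer; it counts containers in every containerd namespace and reports non-empty namespaces outside an expected set. The `sample_ctr` stub, the `scratch` namespace, the shortened container IDs and the `CTR` and `EXPECTED_NS` variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-namespace container inventory for a containerd node.
# Set CTR=sample_ctr to run against the constructed data below instead of a live node.

# Constructed stand-in for ctr on a node that runs both Docker and the kubelet.
sample_ctr() {
    if [ "$1" = "namespaces" ]; then
        printf 'NAME    LABELS\ndefault\nk8s.io\nmoby\nscratch\n'
        return 0
    fi
    # Called as: --namespace <ns> containers ls -q
    case "$2" in
        k8s.io)  printf '007dc9290e81\n00c5f27f9125\n0f2968f76498\n' ;;
        moby)    printf '0e1ede44350e\n7cfbf97a9275\n' ;;
        scratch) printf 'aaaaaaaaaaaa\n' ;;   # constructed ID
        *)       : ;;                          # default namespace is empty
    esac
}

# Read `ctr namespaces ls` output on stdin, drop the header, print the names.
parse_namespaces() {
    awk 'NR > 1 && NF > 0 { print $1 }'
}

# Print "<namespace> <container count>" for every namespace containerd knows.
inventory() {
    ${CTR:-ctr} namespaces ls | parse_namespaces | while read -r ns; do
        count=$(${CTR:-ctr} --namespace "$ns" containers ls -q < /dev/null |
                awk 'NF { c++ } END { print c + 0 }')
        printf '%s %s\n' "$ns" "$count"
    done
}

# Print non-empty namespaces that are not in the expected list. The default list
# holds the two namespaces named in the answer (k8s.io for the kubelet, moby for Docker).
unexpected_namespaces() {
    inventory | while read -r ns count; do
        [ "$count" -gt 0 ] || continue
        case " ${EXPECTED_NS:-k8s.io moby} " in
            *" $ns "*) ;;
            *) printf '%s\n' "$ns" ;;
        esac
    done
}
```

On a real node, source the file as root and call `inventory` or `unexpected_namespaces`; with `CTR=sample_ctr` the same functions run on the constructed data.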