containerd
Definition
containerd is an industry-standard core container runtime that manages the complete container lifecycle on its host system: image transfer and storage, container execution and supervision, and low-level storage and network attachments. It is designed to be embedded into a larger system, such as Docker or Kubernetes, and provides a robust and efficient interface for container management.
Secure Settings Example
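# Example configuration for containerd with secure settings.
# Only CRI-plugin settings are shown; everything else stays at its default.
version = 2

[plugins."io.containerd.grpc.v1.cri"]
# Pause/sandbox image. k8s.gcr.io is frozen and only redirects to
# registry.k8s.io, so reference the maintained registry directly and keep
# the tag in step with the kubelet version in use.
sandbox_image = "registry.k8s.io/pause:3.5"

[plugins."io.containerd.grpc.v1.cri".containerd]
# overlayfs is the default, in-tree and actively maintained snapshotter.
snapshotter = "overlayfs"

# Runtime tables sit directly under their parent `containerd` table; TOML
# permits out-of-order headers but discourages them.
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
# The v2 shim is the maintained runtime interface; io.containerd.runc.v1 is deprecated.
runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
# Must match the kubelet's cgroup driver; a mismatch breaks resource
# accounting and enforcement for every pod on the node.
SystemdCgroup = true

[plugins."io.containerd.grpc.v1.cri".cni]
# Conventional locations: CNI binaries and configs live in dedicated,
# root-owned directories so their ownership and integrity are easy to audit.
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"

# NOTE: `registry.mirrors` is the legacy registry configuration, deprecated
# (since containerd 1.5) in favour of `config_path` with per-host hosts.toml
# files. It still works; only an HTTPS endpoint is listed and TLS certificate
# verification is left at its default (enabled) — do not set insecure_skip_verify.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"]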
Insecure Settings Example
# Example configuration for containerd with insecure settings.
# Each flagged line is something a hardening review should catch and replace.
version = 2

[plugins."io.containerd.grpc.v1.cri"]
# Outdated image: an old pause tag pulled from k8s.gcr.io, a registry that is
# frozen and no longer receives fixes. Use a current tag from registry.k8s.io.
sandbox_image = "k8s.gcr.io/pause:3.1"

[plugins."io.containerd.grpc.v1.cri".containerd]
# Deprecated and less secure: the aufs snapshotter is deprecated in containerd
# and unmaintained; overlayfs is the supported default.
snapshotter = "aufs"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
# Deprecated runtime type: io.containerd.runc.v1 is deprecated in favour of
# io.containerd.runc.v2. No `options` table is set either, so SystemdCgroup
# stays at its default (false) and may not match the kubelet's cgroup driver.
runtime_type = "io.containerd.runc.v1"

[plugins."io.containerd.grpc.v1.cri".cni]
# Non-standard directory: CNI plugin binaries are mixed into a general-purpose
# PATH directory, which makes ownership and integrity checks harder; the
# conventional location is /opt/cni/bin.
bin_dir = "/usr/local/bin"
conf_dir = "/etc/cni/net.d"

# Legacy `registry.mirrors` configuration (deprecated in favour of `config_path`).
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
# Insecure HTTP endpoint: image manifests and layers travel in plaintext with
# no server authentication, so they can be read or altered in transit.
# Mirrors must use https:// with a certificate chained to a trusted CA.
endpoint = ["http://insecure-registry.local"]