How to Migrate Away From Dockershim In Kubernetes v1.24 and Later

Kubernetes v1.24 and later releases ship without Dockershim after its deprecation in December 2020’s v1.20 release. Dockershim’s no longer available as a built-in container runtime. You must use a different supported runtime instead, such as containerd, CRI-O, or Docker Engine with the cri-dockerd adapter.

In this article, we’ll show how to check whether you’re affected, then explain how you can migrate to a different runtime. You should take these steps before you upgrade to Kubernetes v1.24 or a later version so your cluster’s workloads aren’t impacted.

What Was Dockershim?

Dockershim was developed as a necessary component so Kubernetes could support more container runtimes. At the beginning of the project, Kubernetes only worked with Docker Engine. This restriction was removed by the introduction of the CRI standard. Any CRI-compatible runtime could now be used with Kubernetes, including containerd and CRI-O, an OCI implementation of the standard.

While CRI brought new flexibility to Kubernetes, it presented a problem for existing clusters. Docker lacked support for the CRI standard so Dockershim was built to let the Kubernetes team layer compatibility on top. Dockershim was a direct integration with Docker Engine that was always intended to be a short-term measure.

The container movement is now much bigger than Docker, as the original Kubernetes push to CRI demonstrates. Docker itself has split up into individual components with its runtime extracted as containerd, a graduate of the Cloud Native Computing Foundation (CNCF).

containerd is fully supported by Kubernetes and more suited to standalone use in cloud environments. Kubernetes doesn’t require the Docker CLI and its bevy of features to run your Pods; all it needs is the ability to start and run containers at a relatively low level. Dockershim has been removed because it was difficult to maintain. Its use created fragile code that was tightly coupled to Docker Engine’s implementation.

Checking Whether You’re Using Dockershim

Recently created clusters on modern platforms are highly unlikely to be using Dockershim. This includes clusters managed by popular cloud providers such as Amazon EKS, Azure AKS, Google GKE, and DigitalOcean DOKS.

You’re most likely to need to take action if you maintain your own cluster and first set it up several years ago. You can check whether you’re using Dockershim as the runtime for any of your Nodes by running this Kubectl command:

$ kubectl get nodes -o wide
NAME    STATUS  VERSION     CONTAINER-RUNTIME
node-1  Ready   v1.22.8     docker://19.3.1
node-2  Ready   v1.22.8     containerd://1.4.13

In this example, one of the nodes is using containerd and can be left as-is. The other node is configured using Docker and could be affected by the Dockershim removal. You can check by running this command on the Node:

$ tr '\0' ' ' < /proc/"$(pgrep kubelet)"/cmdline | grep -- "--container-runtime"

Your Node is using Dockershim to run containers if no output’s displayed. If you do get some output, inspect the displayed --container-runtime-endpoint flag value to determine if Dockershim is active. A runtime endpoint of unix:///run/containerd/containerd.sock signals containerd is used, so no migration is necessary.
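The decision rule above can be scripted so it gives the same answer on every Node. This is an added example, not part of the original article: the function name classify_kubelet_args and the sample command lines are constructed for illustration, and the dockershim.sock match assumes Dockershim's usual socket name.

```shell
#!/bin/sh
# Classify a kubelet command line (flags separated by spaces, as produced by
#   tr '\0' ' ' < /proc/"$(pgrep kubelet)"/cmdline
# ) and print: dockershim | containerd | cri-dockerd | other:<endpoint>
classify_kubelet_args() {
    runtime="" endpoint="" prev=""
    set -f                      # no globbing while we word-split the flags
    for arg in $1; do
        # "--flag value" form: the value follows the flag as its own word
        case "$prev" in
            --container-runtime)          runtime=$arg ;;
            --container-runtime-endpoint) endpoint=$arg ;;
        esac
        # "--flag=value" form
        case "$arg" in
            --container-runtime=*)          runtime=${arg#*=} ;;
            --container-runtime-endpoint=*) endpoint=${arg#*=} ;;
        esac
        prev=$arg
    done
    set +f
    # No endpoint flag at all, or an explicit docker runtime: built-in Dockershim
    if [ -z "$endpoint" ] || [ "$runtime" = docker ]; then
        echo dockershim
        return 0
    fi
    case "$endpoint" in
        *dockershim.sock)  echo dockershim ;;   # assumed Dockershim socket name
        *cri-dockerd.sock) echo cri-dockerd ;;
        *containerd.sock)  echo containerd ;;
        *)                 echo "other:$endpoint" ;;
    esac
}

# Constructed sample command lines (not captured from a real node)
classify_kubelet_args "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --network-plugin=cni"
classify_kubelet_args "/usr/bin/kubelet --container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
```
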

Changing A Node’s Runtime

Nodes that are using Dockershim need to be updated to use a different runtime. First drain the Node’s workloads using Kubectl, so your Pods are rescheduled to other Nodes in your cluster. You should cordon the Node too to stop any new Pods being scheduled.

$ kubectl cordon node-1
$ kubectl drain node-1 --ignore-daemonsets

Next run the following commands on the Node itself. Begin by stopping the Docker daemon and the Node’s Kubelet worker process:

$ systemctl stop kubelet
$ systemctl disable docker.service --now

Now you can install your new runtime.

Using containerd

containerd is generally the preferred solution for current clusters. You should be able to migrate to containerd if you’re not relying on specific features of Docker Engine. If you are, head to the following section and install cri-dockerd instead.

Add Docker’s repository to your system if your package lists don’t already include it. containerd is distributed in Docker’s repository.

$ sudo apt-get update
$ sudo apt-get install ca-certificates curl gnupg lsb-release
$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install containerd:

$ sudo apt update
$ sudo apt install containerd

Now update the Node’s Kubelet configuration file to use the new runtime. Open /var/lib/kubelet/kubeadm-flags.env. Look for or add the --container-runtime and --container-runtime-endpoint flags with the following values:

  • --container-runtime=remote
  • --container-runtime-endpoint=unix:///run/containerd/containerd.sock

Next change the socket annotation saved against the Node object in the Kubernetes control plane:

$ kubectl edit node node-1

In the file that opens, find the kubeadm.alpha.kubernetes.io/cri-socket annotation and change it to unix:///run/containerd/containerd.sock. Save and close the file to update the Node’s object.

Now restart Kubelet:

$ systemctl start kubelet

Allow the Node a few moments to start and connect to the Kubernetes control plane. You should be able to repeat the get nodes command and see that containerd is now being used.

$ kubectl get nodes -o wide
NAME    STATUS  VERSION     CONTAINER-RUNTIME
node-1  Ready   v1.22.8     containerd://1.4.13
node-2  Ready   v1.22.8     containerd://1.4.13

Finally remove the cordon you placed around the Node so it can start to receive Pods:

$ kubectl uncordon node-1

Using cri-dockerd

cri-dockerd is a runtime jointly developed by Docker and Mirantis. It’s effectively a standalone version of Dockershim that’s independently maintained. It lets you keep using familiar functionality without encumbering the Kubernetes project with Dockershim’s maintenance requirements.

Make sure you’ve already got Docker Engine installed. Then install cri-dockerd by downloading the latest binary from GitHub releases:

$ wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.2.0/cri-dockerd-v0.2.0-linux-amd64.tar.gz
$ tar xvf cri-dockerd-v0.2.0-linux-amd64.tar.gz
$ mv cri-dockerd /usr/local/bin/

Next download, install, and enable cri-dockerd’s systemd service configurations:

wget https://raw.githubusercontent.com/Mirantis/cri-dockerd/master/packaging/systemd/cri-docker.service
wget https://raw.githubusercontent.com/Mirantis/cri-dockerd/master/packaging/systemd/cri-docker.socket
sudo mv cri-docker.socket cri-docker.service /etc/systemd/system/
sudo sed -i -e 's,/usr/bin/cri-dockerd,/usr/local/bin/cri-dockerd,' /etc/systemd/system/cri-docker.service

sudo systemctl daemon-reload
sudo systemctl enable cri-docker.service
sudo systemctl enable --now cri-docker.socket

Now you can adjust your Node’s Kubelet configuration to use cri-dockerd. This is similar to configuring a Node to use containerd.

Open /var/lib/kubelet/kubeadm-flags.env. Look for or add the --container-runtime and --container-runtime-endpoint flags with the following values:

  • --container-runtime=remote
  • --container-runtime-endpoint=unix:///var/run/cri-dockerd.sock
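The flag edit is the same for containerd and cri-dockerd, so it can be done by one repeatable function instead of by hand. This is an added example, not part of the original article: set_kubelet_runtime is a hypothetical helper, and it assumes the file holds a single KUBELET_KUBEADM_ARGS="..." line with flags in --flag=value form; the sample file is constructed.

```shell
#!/bin/sh
# set_kubelet_runtime FILE ENDPOINT
# Rewrites the KUBELET_KUBEADM_ARGS="..." line so it carries exactly one
# --container-runtime=remote and one --container-runtime-endpoint=ENDPOINT,
# leaving every other flag untouched. Safe to run more than once.
set_kubelet_runtime() {
    file=$1 endpoint=$2
    # Refuse to touch a file that lacks the expected quoted line
    grep -q '^KUBELET_KUBEADM_ARGS=".*"$' "$file" || return 1
    # Keep the first pre-migration copy for rollback
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    sed -E \
        -e '/^KUBELET_KUBEADM_ARGS=/!b' \
        -e 's#--container-runtime(-endpoint)?=[^" ]*##g' \
        -e 's# +# #g' \
        -e 's# "$#"#' \
        -e "s#\"\$# --container-runtime=remote --container-runtime-endpoint=$endpoint\"#" \
        -e 's#^(KUBELET_KUBEADM_ARGS=") #\1#' \
        "$file" > "$file.new" || return 1
    # Write back in place so the file keeps its owner and mode
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# Constructed sample file (not taken from a real node)
demo=$(mktemp)
echo 'KUBELET_KUBEADM_ARGS="--network-plugin=cni --container-runtime=docker"' > "$demo"
set_kubelet_runtime "$demo" unix:///run/containerd/containerd.sock && cat "$demo"
rm -f "$demo" "$demo.bak"
```

On a Node, call it with /var/lib/kubelet/kubeadm-flags.env and the socket for the runtime you installed, while Kubelet is stopped.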

Next change the Node object’s socket annotation:

$ kubectl edit node node-1

In the file that opens, find the kubeadm.alpha.kubernetes.io/cri-socket annotation and change it to unix:///var/run/cri-dockerd.sock. Save and close the file to update the Node’s object.

Now restart Kubelet:

$ systemctl start kubelet

Wait a few moments and then use Kubectl to check the Node is up. It should still show the Docker runtime but it’s now based on the standalone cri-dockerd, instead of the Dockershim that’s integrated with Kubernetes.

$ kubectl get nodes -o wide
NAME    STATUS  VERSION     CONTAINER-RUNTIME
node-1  Ready   v1.22.8     docker://19.3.1
node-2  Ready   v1.22.8     containerd://1.4.13

You can now remove the cordon you placed around the Node. It will start to accept Pod scheduling requests again.

$ kubectl uncordon node-1

Conclusion

Kubernetes v1.24 removed the Dockershim component that previously integrated CRI compatibility for Docker Engine. While most recent clusters will be unaffected, you should check whether you’re using Dockershim before upgrading to the new release.

The runtime to switch to depends on how you currently use your cluster. containerd is usually a good choice if you’re not using Docker features. You can use cri-dockerd to bring back Dockershim-like integration if you need to keep compatibility with existing tooling that’s reliant on Docker Engine. This also helps if you’re mounting the Docker daemon socket (/var/run/docker.sock) into your containers to power Docker-in-Docker workflows.

Dockershim’s removal doesn’t impact the way you build and use container images. Kubernetes can still run images created with docker build and they’re compatible with all supported runtimes. CRI runtimes work with any OCI-format image, as output by Docker and other image builders.