Thoughts on separating a CRI for docker from Kubelet

조회수 250회
읽지 않은 첫 메시지로 건너뛰기

Davanum Srinivas

읽지 않음,
2019. 2. 15. 오전 11:08:1519. 2. 15.

The recent runc container breakout vulnerability (CVE-2019-5736 [1]) sparked a discussion in WG-LTS[1] which led to exploring the option of separating out docker CRI into a separate binary. 

Please see issue [1] about a long standing TODO and a prototype for a new cri-dockerd binary [2]. 

The pros are
- cri-dockerd can be maintained independently
- over time we can remove vendored docker dependendencies in kubelet
- docker is not special and just a CRI just like every other CRI in our ecosystem

The cons are
- migration pain with a new binary in addition to kubelet
- updating all the eco-system tools to support the new binary

WDYT? what other pros and cons do you see? 


Eric Ernst

읽지 않음,
2019. 2. 15. 오후 12:51:2319. 2. 15.
받는사람 Davanum Srinivas,,,
TL;DR: sgtm

CRI has been out for a while, so at the very least, I don't think it makes sense to have it built-in at this point.  

More controversially (sorry), with the maturity of other CRI implementations like containerd and CRI-O, I've wondered and questioned why dockershim is still default (in particular since it won't support other runtimes aside from runc).

I understand the pain points, but perhaps by starting the process now we can make this feasible in a near-future release?  Many users already need to use a new binary in addition to kubelet already (containerd/crio).


Aside from that, there’s no reason to have dockershim in Kubelet; CRI has been out for a while now...

You received this message because you are subscribed to the Google Groups "kubernetes-sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
To view this discussion on the web visit
For more options, visit

Davanum Srinivas

읽지 않음,
2019. 2. 16. 오전 9:48:0019. 2. 16.
받는사람 Eric Ernst,,,
Agree Eric.

The other angle to this is ... Do we really need yet another CRI? given we have a bunch of them already. 

How about we just remove the docker shim and adopt one of the existing CRI implementations for use in upstream CI?

If we want to do that, then How do we make people comfortable with the fact that they may not have docker at all in their kubernetes environments? 


Brendan Burns

읽지 않음,
2019. 2. 16. 오후 2:41:2819. 2. 16.
받는사람 Eric Ernst, Davanum Srinivas,,,
One thing to consider is that many people use the built in Docker for in-cluster image build. While that may not be something we recommend for a variety of reasons, it will be a breaking change for many users.


From: <> on behalf of Davanum Srinivas <>
Sent: Saturday, February 16, 2019 6:47:46 AM
To: Eric Ernst
Subject: Re: Thoughts on separating a CRI for docker from Kubelet
You received this message because you are subscribed to the Google Groups "kubernetes-sig-architecture" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
To view this discussion on the web visit

Ricardo Aravena

읽지 않음,
2019. 2. 16. 오후 6:30:0219. 2. 16.
받는사람 Brendan Burns, Eric Ernst, Davanum Srinivas,,,
I think longer term ideally there would be just one CRI, I believe that was the original rationale behind it(?)

IMO, the main advantage of having a docker-cri would be keeping docker compatibility while allowing the kubelet to eventually phase out/deprecate docker.  Tons of people are using docker in prod today. One thing to keep in mind when creating a docker-cri would be to set a timeline for phase out/deprecation and create a path for docker prod environments to be migrated to a single CRI.

So short term makes sense to create a docker-cri and long term (i.e 6-months-2years) makes sense to eventually phase out that same docker-cri.

My two cents.

Mike Brown

읽지 않음,
2019. 2. 18. 오후 3:15:5019. 2. 18.
받는사람 kubernetes-sig-node
Notes/Issues Lots of Pros and Cons:  

1) CRI is still in alpha(2) should probably get a 1.0 out there splitting out docker shim completely from kublet.
2) Breaking change issues wrt. direct use of docker.
3) New releases of docker run on / have a dependency to containerd. There is a new namespace type in containerd that splits out containers/images created by docker, containerd cli, and k8s through containerd/cri plugin. By default containers / images pulled into docker are not seen by the k8s namespace containers/images. 
4) If docker shim is split out .. it becomes a dependency, yes it can be maintained independently, but that might actually be more work and will need maintainers to keep up with the new CRI integration features/issues. 
5) Once the effort of spitting it out is complete... one has to ask is there a need for two CRI enabled binaries 1) containerd (which has CRI build in) and 2) docker CRI -> docker -> containerd(with CRI built in but disabled?). 
6) To date the rule for extern enabled CRI implementations has been that there would be no "default" extern CRI. If one wanted to change the default from docker one had to build a custom kubelet. 
7) Though the new runtimes configuration, and recent v2 shim api have been drastic improvements to how CRI integrations are configured... there is still a lot of movement at the CRI api layer and below, and there are many different ways in which the CRI dependency can be configured. This begs the question.. how will CRI be tested by kubernetes? Today k8s relies on the CRI implementors to do this testing after the fact on k8s changes, thus causing regressions when k8s is tested on different CRIs than docker shim. (a similar issue to today when docker updates are not tested on k8s)

Cheers, Mike Brown

읽지 않음,
2019. 2. 19. 오전 11:45:2219. 2. 19.
받는사람 kubernetes-sig-node
I think this is probably best discussed in a KEP, but I am supportive of documenting a plan to eventually eliminate the dockershim from the in-tree kubelet at a time that is responsible for the whole community just to reduce the amount of code to maintain.  The KEP would have to address many of the questions raised from Mike.  From experience, I can say that transitioning from dockershim -> external CRI is non-trivial, and we would need to give a sufficient amount of advanced warning announcing the intent over many releases.

Yu-Ju Hong

읽지 않음,
2019. 2. 19. 오후 5:30:0219. 2. 19.
받는사람, kubernetes-sig-node
On Tue, Feb 19, 2019 at 8:45 AM <> wrote:
I think this is probably best discussed in a KEP, but I am supportive of documenting a plan to eventually eliminate the dockershim from the in-tree kubelet at a time that is responsible for the whole community just to reduce the amount of code to maintain.  The KEP would have to address many of the questions raised from Mike.  From experience, I can say that transitioning from dockershim -> external CRI is non-trivial, and we would need to give a sufficient amount of advanced warning announcing the intent over many releases.

+1 for writing up a plan to *move* the dockershim out of kubelet eventually. I think dockershim can still be in-tree, but it could be packaged separately from kubelet *as an option* for the first step to help with the transition.

Let me add a few to the pile of issues that have been brought up in this thread. We've tried hard to adapt dockershim to use CRI, but as of today, dockershim still enjoys some backdoors for various backward compatibility issues, including:
 - kubelet flags that are used to configure dockershim.
 - kubelet's support to get container logs when docker uses journald as the driver.
- moving docker processes to a given cgroup

Deprecating these features in kubelet will take quite sometime, so a plan spanning multiple releases would make sense.  On top of that, we'd need to benchmark performance degradation caused by this shift to see the impact. I'm not sure whether SIG Node will have the bandwidth to prioritize this, but either way, this won't happen in one release.

You received this message because you are subscribed to the Google Groups "kubernetes-sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to

Lei Zhang

읽지 않음,
2019. 2. 19. 오후 10:29:2819. 2. 19.
받는사람 kubernetes-sig-node
@yujuhong @dchen1107 @derekwaynecarr

Me & my team have been working on refactoring build-in dockershim to out-of-tree recently (

I will create a KEP for discussing this topic detailly today. I believe this work would take several releases to complete.
To unsubscribe from this group and stop receiving emails from it, send an email to

Brian Grant

읽지 않음,
2019. 2. 20. 오전 12:59:0019. 2. 20.
받는사람 Davanum Srinivas, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,

Hi, Dims.

In addition to thinking about pros and cons, have you lined up the developers and reviewers/approvers necessary to make this happen, or is this at the "should this be an eventual goal" stage?

How would this compare to SIG Network and SIG Storage plans for CNI and CSI plugins for in-tree/in-binary implementations that predated the plugin mechanisms?

On Fri, Feb 15, 2019 at 8:08 AM Davanum Srinivas <> wrote:
You received this message because you are subscribed to the Google Groups "kubernetes-sig-architecture" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
To view this discussion on the web visit


읽지 않음,
2019. 2. 20. 오전 7:44:4519. 2. 20.
받는사람 kubernetes-sig-node

Besides various backward compatibility issues of dockershim, there're also various issues of CRI itself, e.g.

- CRI is still alpha, and it doesn't provide any backward compatibility today.
- Though CRI provides most APIs for container runtimes, the streaming APIs (e.g. exec, portforward and logs) are still provided as a Go library.
- Runtimes need to handle networking themselves, but actually, almost all runtimes are using CNI.

So, before separating dockershim, we'd probably move CRI itself to GA first.

On Wednesday, February 20, 2019 at 6:30:02 AM UTC+8, Yu-Ju Hong wrote:
To unsubscribe from this group and stop receiving emails from it, send an email to

Davanum Srinivas

읽지 않음,
2019. 2. 20. 오후 5:43:3519. 2. 20.
받는사람 Brian Grant, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,

right, we are at the exploratory "should this be an eventual goal" stage.

Next step would be a KEP. @resouer indicated that he will help with starting one. We have the previous patterns from CNI/CSI/Cloud-provider etc to help with transitioning to look for guidance from. 


Rostislav Georgiev

읽지 않음,
2019. 2. 21. 오전 8:22:0519. 2. 21.
받는사람 Davanum Srinivas, Brian Grant, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,



For several versions now, Docker ships with containerd. In theory we can use containerd’s CRI plugin to connect to it directly (instead of going through docker shim, dockerd and then reach containerd).

My proposition is to connect to containerd on newer Docker versions and keep the shim as long as we support old Docker versions.

I don’t have a strong opinion on how the shim is going to be nursed until it’s removed (could be a separate binary or remain in kubelet).



  • We get to remove a couple of hops until we reach containerd (which we are going to do either way) and thus reduce latency and chances for error.
  • We can drop the shim earlier and even avoid moving it out of kubelet.



  • containerd is relatively separate and working with standard socket and config file paths since Docker 18.09.
  • The CRI plugin of containerd is disabled by default, when it’s bundled with Docker. This requires one extra step by the user – to enable it in the config file and to restart the containerd service.
  • Docker and the containerd CRI plugins work in different containerd namespaces. Therefore resources cannot be shared between them (“docker ps” and “crictl ps” will show different results). This may be inconvenient for some users, but it may actually be perceived as a plus by others.


Have a wonderful day!


Rostislav (Ross) M. Georgiev

VMware Open Source Technology Center


From: <> On Behalf Of Davanum Srinivas
Sent: Thursday, February 21, 2019 12:43 AM
To: Brian Grant <>
Cc: kubernetes-sig-cluster-lifecycle <>; kubernetes-sig-node <>; kubernetes-sig-architecture <>;
Subject: Re: Thoughts on separating a CRI for docker from Kubelet



You received this message because you are subscribed to the Google Groups "kubernetes-sig-cluster-lifecycle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
To view this discussion on the web visit

Fox, Kevin M

읽지 않음,
2019. 2. 21. 오전 11:59:3319. 2. 21.
받는사람 Rostislav Georgiev, Davanum Srinivas, Brian Grant, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,
Might be interesting to get Docker Inc's view too, as they are supporting Kubernetes on Docker. If they plan on supporting Kubernetes using the containerd route, then the plan below might be a better path. If they would like it to go through dockerd still, then maybe splitting out the code to its own cri module would be best? They would have incentive to help with the migration in that case.


From: 'Rostislav Georgiev' via kubernetes-sig-cluster-lifecycle []
Sent: Thursday, February 21, 2019 5:22 AM
To: Davanum Srinivas; Brian Grant
Cc: kubernetes-sig-cluster-lifecycle; kubernetes-sig-node; kubernetes-sig-architecture;
Subject: RE: Thoughts on separating a CRI for docker from Kubelet

Deep Debroy

읽지 않음,
2019. 2. 21. 오후 12:23:4419. 2. 21.
받는사람 Rostislav Georgiev, Davanum Srinivas, Brian Grant, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,
From the SIG Windows perspective, I wanted to point out that in the immediate timeframe, Windows support on Kubernetes is going to be depend on dockershim => docker engine with built-in support for Windows HCS. The containerd.exe => runhcs.exe route for Windows is still maturing as certain features like GMSA support is not plumbed in through the containerd.exe => runhcs.exe path yet. 

As Windows support on Kubernetes marches towards GA, in terms of specific timelines, feature parity between dockershim => docker engine and CRI => containerd => HCS is worth considering in the context of this discussion.


You received this message because you are subscribed to the Google Groups "kubernetes-sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
To view this discussion on the web visit

Dawn Chen

읽지 않음,
2019. 2. 26. 오전 4:13:5319. 2. 26.
받는사람 Deep Debroy, Rostislav Georgiev, Davanum Srinivas, Brian Grant, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,
Thanks everyone for participating in this thread !

SIG Node is going to discuss this topic at tomorrow's meeting (Tues 10:00am PST). I invited folks from Docker Inc. to attend tomorrow meeting too. In the past, the folks from Docker Inc. also express the strong interest to maintain docker-shim for Kubernetes users too. 

Please note that we are at the exploratory "should this be an eventual goal" stage, no decision and action items yet. We understand that many production users are still depending on docker-shim, and WIP Windows Containers are depending on it too. We also worked very closely with containerd / dockerd folks to come 
up a smooth transition plan for K8s users, for example, merging CRI-containerd to containerd, and having dockerd (since 18.06 release) built on the top of (cri-)containerd, etc. 

See you tomorrow !

Dawn Chen

읽지 않음,
2019. 2. 28. 오후 8:12:5819. 2. 28.
받는사람 Deep Debroy, Rostislav Georgiev, Davanum Srinivas, Brian Grant, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,
As a follow-up, we spent half hour at Tue's SIG meeting on this topic, and the detail meeting note is at here. Thanks our note taker: Haiyan and Lantao.

Davanum, unfortunately you didn't attend the meeting. Hope the meeting notes can answer some of your questions. We also recorded the meeting and would upload them soon. 

In a summary, many productions are depending on docker-shim today even both containerd and cri-o are productionized; SIG Node would like to kick out the process to define dockershim deprecation criteria, and Harry Zhang (@resour) agreed to take the action of drafting the KEP. We plan to come back to this topic one month after the KEP was uploaded.



Davanum Srinivas

읽지 않음,
2019. 2. 28. 오후 8:38:0819. 2. 28.
받는사람 Dawn Chen, Deep Debroy, Rostislav Georgiev, Brian Grant, kubernetes-sig-cluster-lifecycle, kubernetes-sig-node, kubernetes-sig-architecture,

Sounds great! 

작성자에게 답글
새 메시지 0개