high-tech-engineer:Karim Harouat

CTR - containerd tips cheat commands


Containerd aka CTR command tips

Do not forget to add sudo before each command if needed.

Import a docker image
    Within docker:
  • docker save TagName > myDockerImage.tar
    Within ctr:
  • ctr image import myDockerImage.tar
    The output shows the image tag.

List all images
  • ctr image ls

Run container
  • ctr run --rm --privileged -t tagName IDTogive CMD
    • --privileged gives your container the right to access host resources
    • --rm removes the container once it stops
    • -t gives the container its own terminal (a prompt will be shown), a must-have
    • CMD can be 'bash' for example
    Example
  • ctr run --rm --privileged -t centos7:latest v0 bash

Share a file/folder inside your container
  • ctr run --rm --privileged -t --mount type=bind,src=/tmp/mykey.pem,dst=/tmp/mykey.pem,options=rbind:ro tagName IDTogive CMD # share a dedicated file
  • ctr run --rm --privileged -t --mount type=bind,src=/opt/python/3.6/,dst=/host/opt/,options=rbind:ro tagName IDTogive CMD # share a path

Share a host device with the container
  • ctr run --rm --privileged -t --device /dev/sda01 tagName IDContTogive CMD # share a device; inside the container it will be under /dev too, and --privileged is required here
List containers which are currently running
  • ctr container ls

Attach to a container
    Attaching to a container (compared with an LXC container) means, for ctr, executing a command inside an existing task.
    So if you want to log in to a running container, you have to list the tasks and not the containers, then execute bash to do what you need.
  • ctr task ls
    The task id is the same as the id you gave to your container at start (ctr run), so if it is still running it will appear in the output of the previous command.
  • ctr task exec --exec-id anId -t IDContTogive bash
  • ctr task exec --exec-id anId -t IDContTogive bash -c 'ls /'
    Example (the exec id is whatever you want)
  • ctr task exec --exec-id t1 -t v0 bash

Snapshot the container
    To access the whole system image of the container, first create a dedicated path on the host:
  • mkdir /tmp/mycontsnap/
    Then run the following (ctr snapshots mounts prints the mount command, and piping it to sudo sh executes it):
  • ctr snapshots mounts /tmp/mycontsnap/ IDContTogive | sudo sh
    Example
  • ctr snapshots mounts /tmp/mycontsnap/ v0 | sudo sh
    Then, on the host, run ls /tmp/mycontsnap/ to browse the container system image.

Kill / stop a container
    Check that the id you gave to the run command is still running in the task list:
  • ctr task ls
    If yes:
  • ctr task kill -s SIGKILL IDContTogive
    Example
  • ctr task kill -s SIGKILL v0
    or (simple stop)
  • ctr task kill v0

Use GDB inside your Linux-based container
    To be able to use gdb inside your container you have to set ptrace_scope to 0 at startup. On a regular machine you could run sysctl kernel.yama.ptrace_scope=0, but for a container you have to set it during the docker image creation:
    RUN sed -i 's/^kernel.yama.ptrace_scope = 1$/kernel.yama.ptrace_scope = 0/' /etc/sysctl.d/10-ptrace.conf
    If gdb returns an error message saying that ptrace_scope is still 1, you have to run your image with --seccomp and/or --allow-new-privs:
  • ctr run --seccomp --allow-new-privs tagName IDContTogive CMD
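
Checking a ctr run command line before using it: the script below is an added example, not part of the original post. It flags the host-exposing options used on this page (--privileged, --device, bind mounts without the ro option, --allow-new-privs). The function name audit_ctr_run and the finding labels are made up for this example.

```sh
#!/bin/sh
# Added example: flag host-exposing options in the words of a `ctr run` command.
# Every word is scanned, so CMD arguments that look like these options are
# flagged too (a simplification of this example).
audit_ctr_run() {
    prev=""
    for arg in "$@"; do
        case "$prev" in
            --mount)
                # Spec as used on this page: type=bind,src=...,dst=...,options=rbind:ro
                case "$arg" in
                    *type=bind*)
                        src=""; opts=""
                        case "$arg" in *src=*) src=${arg##*src=}; src=${src%%,*} ;; esac
                        case "$arg" in *options=*) opts=${arg##*options=}; opts=${opts%%,*} ;; esac
                        # Options are colon-separated; look for a stand-alone "ro".
                        case ":$opts:" in
                            *:ro:*) ;;
                            *) echo "WRITABLE-BIND: host path ${src:-unknown} is mounted without the ro option" ;;
                        esac ;;
                esac ;;
            --device)
                echo "HOST-DEVICE: $arg is exposed to the container" ;;
        esac
        case "$arg" in
            --privileged)      echo "PRIVILEGED: container runs with extended privileges" ;;
            --allow-new-privs) echo "NEW-PRIVS: NoNewPrivileges is turned off" ;;
        esac
        prev=$arg
    done
}

# Constructed sample input, built from the commands on this page
# (the second one drops :ro from the mount options on purpose).
audit_ctr_run ctr run --rm --privileged -t --device /dev/sda01 tagName IDContTogive CMD
audit_ctr_run ctr run --rm -t --mount type=bind,src=/opt/python/3.6/,dst=/host/opt/,options=rbind tagName IDTogive CMD
```

A command that prints nothing uses none of these options; each printed line names one option to justify or remove.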