Containers Cheatsheet
Last Updated: 2023-09-18
Container Lifecycle
- Build (OCI Image spec): code => images
docker build: based on Dockerfile- buildah: can build with or without a Dockerfile
- Run (OCI Runtime spec): images => containers
- Runtime: containerd / dockerd / CRI-O
docker run
- Distribute (OCI Distribution spec): Images <=> Registries
- Registries: docker registry / Harbor
docker pull/docker push
High level comparison
| docker | crictl | podman | |
|---|---|---|---|
| Build images | Yes | No | Yes |
| Run / Inspect | Yes | Yes | Yes |
| Talk to daemon | Yes (dockerd) |
Yes | No |
| Privilege | root / rootless | rootless | |
| Run Pods | No | Yes | Yes |
| Used by | k8s | kind |
Notes:
- All compatible with OCI specs.
- "Talk to daemon":
dockertalks todockerd;crictltalks to any CRI-compatible runtime; podman is daemonless. podman builduses code sourced from the Buildah project to build container images. Both podman and Buildah are from RedHat.- Other tools:
buildxis a Docker CLI plugin for extended build capabilities with BuildKit.runc: the low-level runtime, usually we do not need to work with directly.
Commands
Inpect Images / Containers:
| docker | crictl | |
|---|---|---|
| List images | docker images |
crictl images |
| List containers | docker ps |
crictl ps |
| Attach to a running container | docker attach |
crictl attach |
| Run a command in a container | docker exec |
crictl exec |
| Show system-wide info | docker info |
crictl info |
| Show container, image info | docker inspect |
crictl inspect |
| Get logs of a container | docker logs |
crictl logs |
| Show resource usage stats | docker stats |
crictl stats |
| Show rutime version | docker version |
crictl version |
Image / Container Lifecycle:
| docker | crictl | |
|---|---|---|
| Pull an image | docker pull |
crictl pull |
| Create a container | docker create |
crictl create |
| Run commands | docker run |
crictl run |
| Start containers | docker start |
crictl start |
| Stop containers | docker stop |
crictl stop |
| Update configs | docker update |
crictl update |
| Remove containers | docker rm |
crictl rm |
| Remove images | docker rmi |
crictl rmi |
| Kill containers | docker kill |
crictl stop |
Pod Lifecycle:
| crictl | |
|---|---|
| List pods | crictl pods |
| Run a pod | crictl runp |
| Remove pods | crictl rmp |
| Stop pods | crictl stopp |
| Show status of the pods | crictl inspectp |
| Forward local port to a pod | crictl port-forward |
skopeo inspect = docker inspect
Build
Choose image format
# Build OCI images (default for podman)
$ podman build --format=oci
# Build Docker images instead
$ podman build --format=docker
# Similarly in `docker buildx`
$ docker buildx build --output type=oci
$ docker buildx build --output type=docker
Runtime
High-level container runtime: containerd / CRI-O
Responsibilities: pull container images from registries; manage images on disk; launche a lower-level runtime to run container processes.
containerd: born from parts of the original Docker project.- has its own CLI (
ctr) in addition tocrictl. - config:
/etc/containerd
- has its own CLI (
- CRI-O: created by RedHat
- CRI-O stands for "Container Runtime Interface - OpenShift".
- depend on other RedHat container tools: podman, buildah, skopeo.
- no separate CLI.
- config:
/etc/containers/etc/crio/crio.conf/etc/containers/registries.conf
- images stored in
/var/lib/containers - https://github.com/containers
Low-level container runtime: runc, crun
runc: the "reference implementation" of OCI. Written in Go. Both containerd and CRI-O useruncby default.runsc: gVisor from Google, which creates containers that have their own kernel. Also compliant with OCI spec.crun: written in C.
Most likely you do not need to use runc directly, but you can get more info about the running containers:
$ runc list
$ ls /run/runc
$ cat /run/runc/$NAME/state.json
containerd
# containerd view logs
$ journalctl -u containerd
ctr vs crictl:
ctr: containerd CLI, not related to k8s.crictl: CRI Compatible container runtime command line interface, related to k8s.
crictl image = ctr -n=k8s.io images ls
kind load uses "ctr", "--namespace=k8s.io", "images", "import", "--digests", "--snapshotter="+snapshotter, "-"
Registry
Config: /etc/containerd/config.toml
version = 2
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
Per registry config:
$ tree /etc/containerd/certs.d
/etc/containerd/certs.d
└── docker.io
└── hosts.toml
Versus
buildah run vs podman run
buildah runcommand emulates theRUNcommand in a Dockerfilepodman runcommand emulates thedocker runcommand in functionality.
podman vs docker
- Podman containers are rootless; docker supports both root and rootless mode.
- Podman uses
systemdto make updates and keep containers running in the background. By integratingsystemdand Podman, you can generate control units for your containers and run them with systemd automatically enabled.
- Podman uses
- Docker is all-in-one; podman work with buildah, skopeo, etc.