K8S 1.20 deprecates the replacement of the Docker CLI evaluated by Docker

This article was last updated on: February 7, 2024 pm

background

In early December 2020, Kubernetes announced in its latest Changelog that it would deprecate Docker as a container runtime after Kubernetes 1.20.

Deprecation of Docker may bring a series of changes, including but not limited to:

  • Container image build tools
  • Container CLI
  • Container image repository
  • Container runtime

The feature article “K8S 1.20 Deprecation of Docker Assessment” will analyze the resulting changes and impacts from many aspects, the previous article:K8S 1.20 Deprecated Docker Evaluation of Differences between Docker and OCI Image Formats Mainly introduce the changes in image format, today we will introduce the alternative products of Docker CLI and personal recommendations.

Introduction to Docker commands

Here is a brief introduction Docker CLI command, to lead to the complete all-in-one toolbox of Docker as a container, including the following categories: containers, images and image repositories, container network capabilities.

Common commands for container classes

  1. Rename:docker rename [CONTAINER_NAME] [NEW_CONTAINER_NAME]
  2. Run:docker run [IMAGE] [COMMAND]
  3. Delete:docker rm [CONTAINER]
  4. Initiate:docker start [CONTAINER]
  5. Stop it:docker stop [CONTAINER]
  6. Reboot:docker restart [CONTAINER]
  7. Kill:docker kill [CONTAINER]
  8. Attach:docker attach [CONTAINER]
  9. Operating status:docker ps
  10. Log:docker logs [CONTAINER]
  11. Inspect:docker inspect [OBJECT_NAME/ID]
  12. Events:docker events [CONTAINER]
  13. Top:docker top [CONTAINER]
  14. Stats:docker stats [CONTAINER]

Common commands for image classes

  1. Construct:docker build [URL]
  2. Hit Tag:docker tag
  3. Log in to DockerHub:docker login
  4. Pull:docker pull [IMAGE]
  5. Push:docker push [IMAGE]
  6. Import the image:docker import [URL/FILE]
  7. Create an image from a container:docker commit [CONTAINER] [NEW_IMAGE_NAME]
  8. To delete an image:docker rmi [IMAGE]
  9. Load the image:docker load [TAR_FILE/STDIN_FILE]
  10. Save the image to the tar package:docker save [IMAGE] > [TAR_FILE]
  11. To list images:docke image ls
  12. Image history:docker history [IMAGE]

Docker configuration class commands

docker config

Common commands for container networking classes

  1. To list networks:docker network ls
  2. Connect:docker network connect [NETWORK] [CONTAINER]
  3. Disconnect:docker network disconnect [NETWORK] [CONTAINER]

Common commands for container volume classes

  1. To list volumes:docker volume ls
  2. Create a volume:docker volume create
  3. To delete a volume:docker volume rm

brief summary

In the K8S scenario, container network operations and container volume operations are basically implemented by kubelets, and we don’t need to pay too much attention to them on a daily basis.

The configuration of container operations and container tools is also implemented by kubelets in K8S, but if we need to test and debug on a personal machine without Docker, then we need to find a replacement.

As for the common commands of the image class, especially the build process, K8S will not involve this piece by default, so if you don’t use Docker, the container building tool also needs to find an alternative.

Docker alternatives

Docker runtime alternatives

There are two main runC implementations:

The current mainstream choice is: containerd, including the K8S community and Rancher. CRI-O was primarily adopted by RedHat’s OpenShift 4.

There are other non-runC runtimes before this, such as:Kata and gVisor etc., less used, but also growing.

Docker CLI alternatives

Docker image build replacement

Docker image build alternatives are optional:

Alternative to the lazy solution - RedHat’s open source 3-piece: Buildah, Podman, and Skopeo

Let’s not mention the replacement of the K8S CRI. To replace Docker, the following scenario is typical:

  • Contributed by Docker: nerdctl + buildkit
  • RedHat open source: Buildah, Podman, and Skopeo

I recommend: RedHat’s open source 3-piece set: Buildah, Podman, and Skopeo for the following reasons:

  • Full-featured and powerfulBuildah, Podman, and Skopeo can completely override Docker’s features, and also provide some additional features that Docker does not have but are very useful, such as docker format image conversion to OCI format.
  • Stable and secure: These 3 sets of tools, as early as 2019, began to be applied to RedHat’s OpenShift 4 on a large scale, after multiple version iterations, security bug fixes are fast, stability and security are guaranteed.
  • Smooth inheritance: The current mainstream enterprise Linux is RHEL and CentOS, their high versions come with these 3 tools, and even map docker commands to these tools by default through alias, which can be smoothly inherited.
  • Can be integrated into existing K8S or CICD systems
  • Runs in rootless mode - Non-rooted containers are more secure because they don’t need to add permissions when they run
  • No daemon is required - These tools have much smaller resource requirements when idle, because when you’re not running containers, Podman isn’t running, while Docker’s daemon is always running.
  • Native systemd integration - Podman allows you to create systemd unit files and run containers as system services

Here are some brief introductions.

Introducing the Buildah Podman Skopeo 3-piece set

RedHat provides a set of command-line tools that can run without a container engine. They are:

  • podman - For direct management of pods and container images (runstopstartpsattachexec etc.)
  • Buildah - Used to build, push, and sign container images
  • Skopeo - Used to copy, check, delete, and sign images

Because these tools are compatible with the Open Container Initiative (OCI), they can be used to manage containers that are used by Docker and other OCI-compatible containers. In addition, they are particularly suitable for single-node use cases running directly in Red Hat Enterprise Linux or CentOS.

The Buildah, Podman, and Skopeo tools are all more lightweight and focused on a set of features.

About Podman

Podman

disposition

Through the configuration file:/etc/containers/registries.conf or $HOME/.config/containers/registries.conf Disposition. Example:

1
2
3
4
5
6
7
8
[registries.search]
registries = ['quay.io', 'docker.io']

[registries.insecure]
registries = ['insecure-registry.example.com']

[registries.block]
registries = []

Mirroring operations

Once configured, you can

  1. Log in to the image repository:podman login docker.io
  2. Search for images:podman search quay.io/postgresql-10
  3. Pull image:podman pull <registry>[:<port>]/[<namespace>/]<name>:<tag>
  4. Push image:podman push registry.example.com:5000/postgresql/postgresql
  5. To list images:podman images
  6. To view the image:podman inspect docker.io/postgresql
  7. Hit Tag:podman tag docker.io/postgresql:10 mypg:10
  8. Save image: podman save -o myrsyslog.tar registry.redhat.io/rhel8/rsyslog:latest
  9. Load image:podman load -i myrsyslog.tar
  10. To delete an image:podman rmi registry.example.com:5000/postgresql/postgresql

Container operations

  1. To list containers:podman ps -a
  2. To stop a container:podman stop mypg
  3. Run the container:podman run [options] image [command [arg ...]]
  4. Start the container:podman start mypg
  5. Inspect container:podman inspect 64ad94586c74
  6. Execute the command in the container:podman exec -it mypg /bin/bash
  7. Attach:podman attach mypg
  8. Export container:podman export -o mypg.tar 64ad94586c74
  9. Import a container:podman import mypg.tar mypg-imported
  10. Kill:podman kill --signal="SIGHUP" 64ad94586c74
  11. Delete:podman rm peaceful_hopper
  12. Top:podman pod top mypod
  13. Stats:podman pod stats -a --no-stream
  14. Inspect:podman pod inspect mypod

Volume operations

  1. Create:podman volume create hostvolume
  2. Inspect:podman volume inspect hostvolume
  3. Mount:podman run -it --name myubi1 -v hostvolume:/containervolume1 registry.access.redhat.com/ubi8/ubi /bin/bash

Buildah operation

Buildah

  1. To build the image:buildah bud -t caseycui/webserver .
  2. Multi-stage build:buildah bud -t multi -f ~/Containerfile.multifrom .

About Skopeo

Skopeo

Skepeo is very powerful, and some of its features are very useful, especially during Docker’s transition to OCI. Illustrate:

Before the image is pulled locally, Inspect the information of the remote mirror:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# skopeo inspect docker://registry.redhat.io/ubi8/ubi-init
{
    "Name": "registry.redhat.io/ubi8/ubi8-init",
    "Digest": "sha256:c6d1e50ab...",
    "RepoTags": [
        "8.2-13-source",
        "8.0-15",
        "8.1-28",
        ...
        "latest"
    ],
   "Created": "2020-12-10T07:16:37.250312Z",
    "DockerVersion": "1.13.1",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2020-12-10T07:16:11.378348",
        "com.redhat.build-host": "cpt-1007.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "ubi8-init-container",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "The Universal Base Image Init is designed to run an init system as PID 1 for running multi-services inside a container
        ...

Image replication, in addition to replication between local and image repositories, also supports replication to more scenarios (such as S3, etc.):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ skopeo copy \
docker://registry.access.redhat.com/ubi8:8.1-397-source \
dir:$HOME/TEST
...
Copying blob 477bc8106765 done
Copying blob c438818481d3 done
Copying blob 26fe858c966c done
Copying blob ba4b5f020b99 done
Copying blob f7d970ccd456 done
Copying blob ade06f94b556 done
Copying blob cc56c782b513 done
Copying blob dcf9396fdada done
Copying blob feb6d2ae2524 done
Copying config dd4cd669a4 done
Writing manifest to image destination
Storing signatures

To operate with a certification file:skopeo inspect --creds=./auth.json docker://$IMAGE

❗️ Practical features: Docker format images and OCI format images are converted to and from each other:

1
2
3
4
5
skopeo copy oci:/tmp/myimage docker://registry.example.com/myimage
podman run docker://registry.example.com/myimage

skopeo copy docker://registry.example.com/myimage oci:/tmp/myimage 
podman run oci:/tmp/myimage

❗️ Practical features: Tar packages in Docker format or TAR packages in OCI format:

1
2
3
4
5
skopeo copy docker://registry.fedoraproject.org/fedora:latest docker-archive:/tmp/fedora.img
podman run docker-archive:/tmp/fedora.img echo hello

skopeo copy docker-archive:/tmp/fedora.img oci-archive:/tmp/fedora-oci.img
podman run oci-archive:/tmp/fedora-oci.img echo hello

brief summary

As can be seen from the above, Podman can basically replace all commands of Docker, and the parameters, formats, etc. of commands are basically consistent with Docker CLI, and the cost of replacement and learning is not high.

summary

In fact, to be honest, the replacement score of the Docker CLI:

  1. On K8S Node, CRI has been replaced from Docker to containerd or CRI-O, so at this time there is no docker cli on K8S Node, so I recommend you to use:nerdctl + buildkit (Image builds are usually not performed on Node, right?) Image build operations are generally on a CICD machine or in a container) or a Buildah + Podman + Skopeo trio. Among them, Skopeo is still quite useful in the process of replacing Docker with other parts;
  2. On non-K8S nodes such as PCs, development testers, CICD nodes, etc.: Docker is recommended again. Hassle-free and familiar. The typed image K8S can also be used.

👍️ Tip

In addition, whether you choose nerdctl or podman, it is best to disguise it as a docker command through alias to provide a consistent experience for developers and users.

Above.