K8S 1.20 deprecates the replacement of the Docker CLI evaluated by Docker
This article was last updated on: July 24, 2024 am
background
In early December 2020, Kubernetes announced in its latest Changelog that it would deprecate Docker as a container runtime after Kubernetes 1.20.
Deprecation of Docker may bring a series of changes, including but not limited to:
- Container image build tools
- Container CLI
- Container image repository
- Container runtime
The feature article “K8S 1.20 Deprecation of Docker Assessment” will analyze the resulting changes and impacts from many aspects, the previous article:K8S 1.20 Deprecated Docker Evaluation of Differences between Docker and OCI Image Formats Mainly introduce the changes in image format, today we will introduce the alternative products of Docker CLI and personal recommendations.
Introduction to Docker commands
Here is a brief introduction Docker CLI command, to lead to the complete all-in-one toolbox of Docker as a container, including the following categories: containers, images and image repositories, container network capabilities.
Common commands for container classes
- Rename:
docker rename [CONTAINER_NAME] [NEW_CONTAINER_NAME]
- Run:
docker run [IMAGE] [COMMAND]
- Delete:
docker rm [CONTAINER]
- Initiate:
docker start [CONTAINER]
- Stop it:
docker stop [CONTAINER]
- Reboot:
docker restart [CONTAINER]
- Kill:
docker kill [CONTAINER]
- Attach:
docker attach [CONTAINER]
- Operating status:
docker ps
- Log:
docker logs [CONTAINER]
- Inspect:
docker inspect [OBJECT_NAME/ID]
- Events:
docker events [CONTAINER]
- Top:
docker top [CONTAINER]
- Stats:
docker stats [CONTAINER]
Common commands for image classes
- Construct:
docker build [URL]
- Hit Tag:
docker tag
- Log in to DockerHub:
docker login
- Pull:
docker pull [IMAGE]
- Push:
docker push [IMAGE]
- Import the image:
docker import [URL/FILE]
- Create an image from a container:
docker commit [CONTAINER] [NEW_IMAGE_NAME]
- To delete an image:
docker rmi [IMAGE]
- Load the image:
docker load [TAR_FILE/STDIN_FILE]
- Save the image to the tar package:
docker save [IMAGE] > [TAR_FILE]
- To list images:
docke image ls
- Image history:
docker history [IMAGE]
Docker configuration class commands
docker config
Common commands for container networking classes
- To list networks:
docker network ls
- Connect:
docker network connect [NETWORK] [CONTAINER]
- Disconnect:
docker network disconnect [NETWORK] [CONTAINER]
Common commands for container volume classes
- To list volumes:
docker volume ls
- Create a volume:
docker volume create
- To delete a volume:
docker volume rm
brief summary
In the K8S scenario, container network operations and container volume operations are basically implemented by kubelets, and we don’t need to pay too much attention to them on a daily basis.
The configuration of container operations and container tools is also implemented by kubelets in K8S, but if we need to test and debug on a personal machine without Docker, then we need to find a replacement.
As for the common commands of the image class, especially the build process, K8S will not involve this piece by default, so if you don’t use Docker, the container building tool also needs to find an alternative.
Docker alternatives
Docker runtime alternatives
There are two main runC implementations:
- containerd: Contributed by Docker’s company
- CRI-O: RedHat dominates
The current mainstream choice is: containerd, including the K8S community and Rancher. CRI-O was primarily adopted by RedHat’s OpenShift 4.
There are other non-runC runtimes before this, such as:Kata and gVisor etc., less used, but also growing.
Docker CLI alternatives
Docker image build replacement
Docker image build alternatives are optional:
Alternative to the lazy solution - RedHat’s open source 3-piece: Buildah, Podman, and Skopeo
Let’s not mention the replacement of the K8S CRI. To replace Docker, the following scenario is typical:
- Contributed by Docker: nerdctl + buildkit
- RedHat open source: Buildah, Podman, and Skopeo
I recommend: RedHat’s open source 3-piece set: Buildah, Podman, and Skopeo for the following reasons:
- Full-featured and powerfulBuildah, Podman, and Skopeo can completely override Docker’s features, and also provide some additional features that Docker does not have but are very useful, such as docker format image conversion to OCI format.
- Stable and secure: These 3 sets of tools, as early as 2019, began to be applied to RedHat’s OpenShift 4 on a large scale, after multiple version iterations, security bug fixes are fast, stability and security are guaranteed.
- Smooth inheritance: The current mainstream enterprise Linux is RHEL and CentOS, their high versions come with these 3 tools, and even map docker commands to these tools by default through alias, which can be smoothly inherited.
- Can be integrated into existing K8S or CICD systems
- Runs in rootless mode - Non-rooted containers are more secure because they don’t need to add permissions when they run
- No daemon is required - These tools have much smaller resource requirements when idle, because when you’re not running containers, Podman isn’t running, while Docker’s daemon is always running.
- Native systemd integration - Podman allows you to create systemd unit files and run containers as system services
Here are some brief introductions.
Introducing the Buildah Podman Skopeo 3-piece set
RedHat provides a set of command-line tools that can run without a container engine. They are:
- podman - For direct management of pods and container images (
run
、stop
、start
、ps
、attach
、exec
etc.) - Buildah - Used to build, push, and sign container images
- Skopeo - Used to copy, check, delete, and sign images
Because these tools are compatible with the Open Container Initiative (OCI), they can be used to manage containers that are used by Docker and other OCI-compatible containers. In addition, they are particularly suitable for single-node use cases running directly in Red Hat Enterprise Linux or CentOS.
The Buildah, Podman, and Skopeo tools are all more lightweight and focused on a set of features.
About Podman
disposition
Through the configuration file:/etc/containers/registries.conf
or $HOME/.config/containers/registries.conf
Disposition. Example:
1 |
|
Mirroring operations
Once configured, you can
- Log in to the image repository:
podman login docker.io
- Search for images:
podman search quay.io/postgresql-10
- Pull image:
podman pull <registry>[:<port>]/[<namespace>/]<name>:<tag>
- Push image:
podman push registry.example.com:5000/postgresql/postgresql
- To list images:
podman images
- To view the image:
podman inspect docker.io/postgresql
- Hit Tag:
podman tag docker.io/postgresql:10 mypg:10
- Save image:
podman save -o myrsyslog.tar registry.redhat.io/rhel8/rsyslog:latest
- Load image:
podman load -i myrsyslog.tar
- To delete an image:
podman rmi registry.example.com:5000/postgresql/postgresql
Container operations
- To list containers:
podman ps -a
- To stop a container:
podman stop mypg
- Run the container:
podman run [options] image [command [arg ...]]
- Start the container:
podman start mypg
- Inspect container:
podman inspect 64ad94586c74
- Execute the command in the container:
podman exec -it mypg /bin/bash
- Attach:
podman attach mypg
- Export container:
podman export -o mypg.tar 64ad94586c74
- Import a container:
podman import mypg.tar mypg-imported
- Kill:
podman kill --signal="SIGHUP" 64ad94586c74
- Delete:
podman rm peaceful_hopper
- Top:
podman pod top mypod
- Stats:
podman pod stats -a --no-stream
- Inspect:
podman pod inspect mypod
Volume operations
- Create:
podman volume create hostvolume
- Inspect:
podman volume inspect hostvolume
- Mount:
podman run -it --name myubi1 -v hostvolume:/containervolume1 registry.access.redhat.com/ubi8/ubi /bin/bash
Buildah operation
- To build the image:
buildah bud -t caseycui/webserver .
- Multi-stage build:
buildah bud -t multi -f ~/Containerfile.multifrom .
About Skopeo
Skepeo is very powerful, and some of its features are very useful, especially during Docker’s transition to OCI. Illustrate:
Before the image is pulled locally, Inspect the information of the remote mirror:
1 |
|
Image replication, in addition to replication between local and image repositories, also supports replication to more scenarios (such as S3, etc.):
1 |
|
To operate with a certification file:skopeo inspect --creds=./auth.json docker://$IMAGE
❗️ Practical features: Docker format images and OCI format images are converted to and from each other:
1 |
|
❗️ Practical features: Tar packages in Docker format or TAR packages in OCI format:
1 |
|
brief summary
As can be seen from the above, Podman can basically replace all commands of Docker, and the parameters, formats, etc. of commands are basically consistent with Docker CLI, and the cost of replacement and learning is not high.
summary
In fact, to be honest, the replacement score of the Docker CLI:
- On K8S Node, CRI has been replaced from Docker to containerd or CRI-O, so at this time there is no docker cli on K8S Node, so I recommend you to use:
nerdctl
+buildkit
(Image builds are usually not performed on Node, right?) Image build operations are generally on a CICD machine or in a container) or a Buildah + Podman + Skopeo trio. Among them, Skopeo is still quite useful in the process of replacing Docker with other parts; - On non-K8S nodes such as PCs, development testers, CICD nodes, etc.: Docker is recommended again. Hassle-free and familiar. The typed image K8S can also be used.
👍️ Tip:
In addition, whether you choose nerdctl or podman, it is best to disguise it as a docker command through alias to provide a consistent experience for developers and users.
Above.