Kubernetes users brace for major change that reduces Docker’s impact

The removal of built-in support for the Docker Engine container runtime in the upcoming version of Kubernetes, the popular container-orchestration system, requires users to shift to an alternative runtime to stay up to date with future Kubernetes releases.

Illustration (Kubernetes logo on a truck): Pixabay; Protocol

A major change is coming to Kubernetes, the open-source project at the heart of many modern cloud deployments: a breakup, of sorts, with its legacy Docker container runtime.

Built-in dockershim support for the Docker Engine runtime will be removed from the upcoming release of Kubernetes, version 1.24, which was supposed to arrive this week but now has May 3 as a scheduled release date. The change requires users who want to run the latest version of the container-orchestration system to shift to another runtime that’s compatible with Kubernetes’ Container Runtime Interface (CRI) if they haven’t already, or to use dockershim’s external replacement, known as cri-dockerd.

Developers and administrators who fail to make necessary changes could risk breaking their clusters and corresponding apps. But for most users, dockershim’s removal should be relatively straightforward to handle, according to James Laverack, who’s leading the release team for Kubernetes 1.24.

“The major change will be that the Kubernetes nodes themselves — this is a running Kubernetes cluster — will no longer, by default, be able to use Docker as a container runtime,” said Laverack, a senior solutions engineer for Jetstack. “People have done this change a lot before. When we first introduced alternative container runtimes, many operators and users changed to using those runtimes instead of Docker for a variety of reasons, which is why we introduced the change at all.”

Developers use containers to speed up software development because they isolate everything needed to build and deploy an application without the overhead of a full operating system. Early versions of Kubernetes worked only with Docker Engine as a container runtime, which is the software that executes the containers making up a Kubernetes pod.

The Cloud Native Computing Foundation (CNCF)-hosted Kubernetes project introduced CRI in 2016 as a plug-in interface that enables interoperability between Kubernetes and a variety of container runtimes. Docker Engine itself isn’t CRI-compatible; it is dockershim, a Container Runtime Interface shim, that lets Kubernetes use Docker Engine as if it were.

Alternative CRI-compatible runtimes include the open-source containerd — an underlying component of Docker — and CRI-O, both hosted by the CNCF, among others.

“It's a great time to move on,” said Mrunal Patel, senior principal software engineer for Red Hat OpenShift, a hybrid-cloud, Kubernetes application platform. “These alternative runtimes have been proven in production already, so users shouldn't be afraid of this change. We should usher in this new era of CRI-based runtime that will help us move faster in adopting newer features.”

Red Hat has been using CRI-O in production for nearly three years. The first and subsequent versions of OpenShift shipped with CRI-O, and thousands of customers have been using it in production, Patel said.

Pulling away from the dock

The Kubernetes project deprecated dockershim in December 2020 with Kubernetes 1.20, giving notice that it subsequently would be removed from Kubernetes and lead time to make needed adjustments to avoid breaking clusters. Docker-produced images are Open Container Initiative (OCI)-compliant and will continue to work in clusters with all CRI-compliant runtimes.

Dockershim, which is built into Kubernetes’ kubelet code base, had always been viewed as a temporary solution, and maintaining it has been cited as a burden. A kubelet, which is an agent that runs on each node in a cluster, ensures that containers are running in a pod. The CRI standard allows container runtimes to be decoupled from the kubelet code base for simplified maintenance.

“[Docker] has features for building containers as well as running containers,” Patel said. “When you talk about running containers in production, you don't necessarily need the same privileges as when you are a developer developing an application on your laptop. You need them more locked down. You need a more minimal runtime, which is more suitable for doing just exactly what Kubernetes needs and nothing more.”

The removal of dockershim requires developers and cluster administrators to go through an “inconvenient, but necessary” migration as described by Víctor Jiménez Cerrada, a content manager engineer at container security software vendor Sysdig.

“The community has been very conscious to provide lots of instruction and lots of information and context around this change over the past couple of years,” Laverack said. “[CRI is] an open standard, and there are a number of [runtime] implementations provided by companies and by the wider community as well. Any of those will work and will be supported by Kubernetes in current versions as well as future versions.”

After determining whether a Kubernetes cluster has been using Docker Engine, the mechanics involve changing the kubelet configuration so it points to the socket of an alternative runtime such as containerd or CRI-O; the kubelets then begin talking to that runtime to manage the cluster’s containers, Patel said.

“That's the simple part of it,” he said. “And the good thing is Kubernetes upstream already is running end-to-end tests with these runtimes. Whenever new code is added to Kubernetes now, all the tests are done against these runtimes.”

Cluster operators should also determine if they have existing code that’s talking directly to Docker, “behind the back of Kubernetes,” Patel said.

“Kubernetes itself needs to talk to a runtime, and we have CRI as this interface that it's supposed to use, but what if you have some workloads that are directly talking to the Docker socket to say ‘perform builds’ or so on?” he said. “Those are the things that users should be auditing and checking.”
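The two checks Patel describes, which runtime each node’s kubelet reports and which pods mount the Docker socket directly, can be scripted over the JSON that `kubectl get nodes -o json` and `kubectl get pods -A -o json` return. This is an added example, not code from the article or the Kubernetes project; the cluster data below is a constructed sample in the shape of real kubectl output.

```python
"""Audit a cluster for dockershim dependencies before upgrading to Kubernetes 1.24."""
import json

# Host paths under which the Docker Engine socket is commonly mounted.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample output (not a real cluster), shaped like kubectl's JSON.
# In practice: kubectl get nodes -o json / kubectl get pods -A -o json
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"},
     "status": {"nodeInfo": {"containerRuntimeVersion": "docker://20.10.7"}}},
    {"metadata": {"name": "node-b"},
     "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.5.11"}}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "ci-builder", "namespace": "ci"},
     "spec": {"volumes": [{"name": "dock",
                           "hostPath": {"path": "/var/run/docker.sock"}}]}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}]}},
]})


def docker_runtime_nodes(nodes_json: str) -> list:
    """Names of nodes whose kubelet still reports a docker:// runtime (i.e. dockershim)."""
    nodes = json.loads(nodes_json)["items"]
    return [n["metadata"]["name"] for n in nodes
            if n["status"]["nodeInfo"]["containerRuntimeVersion"].startswith("docker://")]


def docker_socket_pods(pods_json: str) -> list:
    """'namespace/name' of pods that hostPath-mount the Docker socket.

    These workloads talk to Docker behind Kubernetes' back and will break
    once the node runtime is no longer Docker Engine.
    """
    found = []
    for pod in json.loads(pods_json)["items"]:
        for vol in pod["spec"].get("volumes", []):
            path = vol.get("hostPath", {}).get("path", "")
            if path in DOCKER_SOCKET_PATHS or path.endswith("/docker.sock"):
                found.append(f"{pod['metadata']['namespace']}/{pod['metadata']['name']}")
                break
    return found


if __name__ == "__main__":
    print("nodes still on Docker:", docker_runtime_nodes(SAMPLE_NODES))
    print("pods mounting docker.sock:", docker_socket_pods(SAMPLE_PODS))
```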

Developers can still use Docker locally to develop or test their containers, no matter which container runtime they use for Kubernetes clusters.

“You can push them to any OCI-compliant registry, and Kubernetes will be able to pull them and run those applications,” Patel said. “That's not going away. With the OCI standardization, all these container runtimes and how those images are stored and distributed … has been standardized.”

Cloudy future

Those using a managed Kubernetes service from a cloud provider likely can just sit back if they haven’t explicitly changed their container runtime, according to Kat Cosgrove, developer advocate for cloud engineering company Pulumi. Amazon Elastic Kubernetes Service, Microsoft’s Azure Kubernetes Service and Google Kubernetes Engine all now default to containerd, “though you should make sure they do not need updating if you have any node customizations,” Cosgrove noted in a recent Kubernetes blog post.

Cluster operators who want to upgrade to Kubernetes 1.24 but maintain compatibility with Docker as a runtime have an option that isn’t as risky as running an old version of Kubernetes, according to Cosgrove.

“Mirantis and Docker have jointly released, and are maintaining, a replacement for dockershim,” she wrote in the blog. “That replacement is called cri-dockerd. If you do need to maintain compatibility with Docker as a runtime, install cri-dockerd following the instructions in the project’s documentation.”

Those who stick with the last Kubernetes version that still includes dockershim eventually risk operating without security fixes while also not benefiting from new features, according to Patel.

Under current Kubernetes project policy, support is provided for the most recent three releases. Kubernetes 1.23, the last that supports dockershim, will receive patch support until the release of Kubernetes 1.26, which is currently expected in December.

“When you're running Kubernetes, one thing that should be at the top of your mind is security,” Patel said. “You're living dangerously if you're not moving to one of the recommended CRI runtimes.”

