1ctr(8)()                                                              ctr(8)()
2
3
4
5       ctr  is  an unsupported debug and administrative client for interacting
6       with the containerd daemon. Because it is  unsupported,  the  commands,
7       options, and operations are not guaranteed to be backward compatible or
8       stable from release to release of the containerd project.
9
10
11
12
13
14

NAME

16       ctr
17
18
19

SYNOPSIS

21       ctr
22
23
24              [--address|-a]=[value]
25              [--connect-timeout]=[value]
26              [--debug]
27              [--namespace|-n]=[value]
28              [--timeout]=[value]
29
30
31
32       Usage:
33
34
35              ctr [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
36
37
38
39

GLOBAL OPTIONS

41       --address,  -a="":  address  for  containerd's  GRPC  server  (default:
42       /run/containerd/containerd.sock)
43
44
45       --connect-timeout="":  timeout  for  connecting to containerd (default:
46       0s)
47
48
49       --debug: enable debug output in logs
50
51
52       --namespace, -n="": namespace to use with commands (default: default)
53
54
55       --timeout="": total timeout for ctr commands (default: 0s)
56
57
58

COMMANDS

plugins, plugin

61       provides information about containerd plugins
62
63
64   list, ls
65       lists containerd plugins
66
67
68       --detailed, -d: print detailed information about each plugin
69
70
71       --quiet, -q: print only the plugin ids
72
73

version

75       print the client and server versions
76
77

containers, c, container

79       manage containers
80
81
82   create
83       create container
84
85
86       --allow-new-privs: turn off OCI spec's NoNewPrivileges feature flag
87
88
89       --apparmor-default-profile="": enable AppArmor with the default profile
90       with the specified name, e.g. "cri-containerd.apparmor.d"
91
92
93       --apparmor-profile="": enable AppArmor with an existing custom profile
94
95
96       --config, -c="": path to the runtime-specific spec config file
97
98
99       --cpu-period="": Limit CPU CFS period (default: 0)
100
101
102       --cpu-quota="": Limit CPU CFS quota (default: -1)
103
104
105       --cwd="": specify the working directory of the process
106
107
108       --device="":  file  path to a device to add to the container; or a path
109       to a directory tree of devices to add to the container
110
111
112       --env="": specify  additional  container  environment  variables  (e.g.
113       FOO=bar)
114
115
116       --env-file="":  specify additional container environment variables in a
117       file(e.g. FOO=bar, one per line)
118
119
120       --gpus="": add gpus to the container (default: 0)
121
122
123       --label="": specify additional labels (e.g. foo=bar)
124
125
126       --memory-limit="": memory limit (in bytes) for the container  (default:
127       0)
128
129
130       --mount="":     specify     additional     container     mount    (e.g.
131       type=bind,src=/tmp,dst=/host,options=rbind:ro)
132
133
134       --net-host: enable host networking for the container
135
136
137       --no-pivot: disable use of pivot-root (linux only)
138
139
140       --pid-file="": file path to write the task's pid
141
142
143       --privileged: run privileged container
144
145
146       --read-only: set the containers filesystem as readonly
147
148
149       --rootfs: use custom rootfs that is not managed by containerd snapshot‐
150       ter
151
152
153       --runtime="": runtime name (default: io.containerd.runc.v2)
154
155
156       --runtime-config-path="": optional runtime config path
157
158
159       --seccomp: enable the default seccomp profile
160
161
162       --seccomp-profile="": file path to custom seccomp profile. seccomp must
163       be set to true, before using seccomp-profile
164
165
166       --snapshotter="": snapshotter name. Empty value stands for the  default
167       value.
168
169
170       --tty, -t: allocate a TTY for the container
171
172
173       --with-ns="":  specify  existing  Linux namespaces to join at container
174       runtime (format ':')
175
176
177   delete, del, rm
178       delete one or more existing containers
179
180
181       --keep-snapshot: do not clean up snapshot with container
182
183
184   info
185       get info about a container
186
187
188       --spec: only display the spec
189
190
191   list, ls
192       list containers
193
194
195       --quiet, -q: print only the container id
196
197
198   label
199       set and clear labels for a container
200
201
202   checkpoint
203       checkpoint a container
204
205
206       --image: include the image in the checkpoint
207
208
209       --rw: include the rw layer in the checkpoint
210
211
212       --task: checkpoint container task
213
214
215   restore
216       restore a container from checkpoint
217
218
219       --live: restore the runtime and memory data from the checkpoint
220
221
222       --rw: restore the rw layer from the checkpoint
223
224

content

226       manage content
227
228
229   active
230       display active transfers
231
232
233       --root="": path to content store root (default: /tmp/content)
234
235
236       --timeout, -t="": total timeout for fetch (default: 0s)
237
238
239   delete, del, remove, rm
240       permanently delete one or more blobs
241
242
243   edit
244       edit a blob and return a new digest
245
246
247       --editor="": select editor (vim, emacs, etc.)
248
249
250       --validate="": validate the result against a format  (json,  mediatype,
251       etc.)
252
253
254   fetch
255       fetch all content for an image into containerd
256
257
258       --all-metadata: Pull metadata for all platforms
259
260
261       --all-platforms: pull content from all platforms
262
263
264       --hosts-dir="": Custom hosts configuration directory
265
266
267       --http-dump: dump all HTTP request/responses when interacting with con‐
268       tainer registry
269
270
271       --http-trace: enable HTTP tracing for registry interactions
272
273
274       --label="": labels to attach to the image
275
276
277       --metadata-only: Pull all metadata including manifests and configs
278
279
280       --plain-http: allow connections using plain HTTP
281
282
283       --platform="": Pull content from a specific platform
284
285
286       --refresh="": refresh token for authorization server
287
288
289       --skip-verify, -k: skip SSL certificate validation
290
291
292       --tlscacert="": path to TLS root CA
293
294
295       --tlscert="": path to TLS client certificate
296
297
298       --tlskey="": path to TLS client key
299
300
301       --user, -u="": user[:password] Registry user and password
302
303
304   fetch-object
305       retrieve objects from a remote
306
307
308       --hosts-dir="": Custom hosts configuration directory
309
310
311       --http-dump: dump all HTTP request/responses when interacting with con‐
312       tainer registry
313
314
315       --http-trace: enable HTTP tracing for registry interactions
316
317
318       --plain-http: allow connections using plain HTTP
319
320
321       --refresh="": refresh token for authorization server
322
323
324       --skip-verify, -k: skip SSL certificate validation
325
326
327       --tlscacert="": path to TLS root CA
328
329
330       --tlscert="": path to TLS client certificate
331
332
333       --tlskey="": path to TLS client key
334
335
336       --user, -u="": user[:password] Registry user and password
337
338
339   get
340       get the data for an object
341
342
343   ingest
344       accept content into the store
345
346
347       --expected-digest="": verify content against expected digest
348
349
350       --expected-size="": validate against provided size (default: 0)
351
352
353   list, ls
354       list all blobs in the store
355
356
357       --quiet, -q: print only the blob digest
358
359
360   push-object
361       push an object to a remote
362
363
364       --hosts-dir="": Custom hosts configuration directory
365
366
367       --http-dump: dump all HTTP request/responses when interacting with con‐
368       tainer registry
369
370
371       --http-trace: enable HTTP tracing for registry interactions
372
373
374       --plain-http: allow connections using plain HTTP
375
376
377       --refresh="": refresh token for authorization server
378
379
380       --skip-verify, -k: skip SSL certificate validation
381
382
383       --tlscacert="": path to TLS root CA
384
385
386       --tlscert="": path to TLS client certificate
387
388
389       --tlskey="": path to TLS client key
390
391
392       --user, -u="": user[:password] Registry user and password
393
394
395   label
396       add labels to content
397
398
399   prune
400       prunes content from the content store
401
402
403   references
404       prunes preference labels from the content store  (layers  only  by  de‐
405       fault)
406
407
408       --async: allow garbage collection to cleanup asynchronously
409
410
411       --dry: just show updates without applying (enables debug logging)
412
413

events, event

415       display containerd events
416
417

images, image, i

419       manage images
420
421
422   check
423       check that an image has all content available locally
424
425
426       --snapshotter="":  snapshotter name. Empty value stands for the default
427       value.
428
429
430   export
431       export images
432
433
434       --all-platforms: exports content from all platforms
435
436
437       --platform="": Pull content from a specific platform
438
439
440       --skip-manifest-json: do not add Docker compatible manifest.json to ar‐
441       chive
442
443
444       --skip-non-distributable:  do  not  add non-distributable blobs such as
445       Windows layers to archive
446
447
448   import
449       import images
450
451
452       --all-platforms: imports content for all platforms, false by default
453
454
455       --base-name="": base image name for added images,  when  provided  only
456       images with this name prefix are imported
457
458
459       --compress-blobs:  compress  uncompressed  blobs when creating manifest
460       (Docker format only)
461
462
463       --digests: whether to create digest images (default: false)
464
465
466       --index-name="": image name to keep index as, by default index is  dis‐
467       carded
468
469
470       --no-unpack: skip unpacking the images, false by default
471
472
473       --snapshotter="":  snapshotter name. Empty value stands for the default
474       value.
475
476
477   list, ls
478       list images known to containerd
479
480
481       --quiet, -q: print only the image refs
482
483
484   mount
485       mount an image to a target path
486
487
488       --hosts-dir="": Custom hosts configuration directory
489
490
491       --http-dump: dump all HTTP request/responses when interacting with con‐
492       tainer registry
493
494
495       --http-trace: enable HTTP tracing for registry interactions
496
497
498       --label="": labels to attach to the image
499
500
501       --plain-http: allow connections using plain HTTP
502
503
504       --platform="":  Mount  the  image  for the specified platform (default:
505       linux/amd64)
506
507
508       --refresh="": refresh token for authorization server
509
510
511       --rw: Enable write support on the mount
512
513
514       --skip-verify, -k: skip SSL certificate validation
515
516
517       --snapshotter="": snapshotter name. Empty value stands for the  default
518       value.
519
520
521       --tlscacert="": path to TLS root CA
522
523
524       --tlscert="": path to TLS client certificate
525
526
527       --tlskey="": path to TLS client key
528
529
530       --user, -u="": user[:password] Registry user and password
531
532
533   unmount
534       unmount the image from the target
535
536
537       --hosts-dir="": Custom hosts configuration directory
538
539
540       --http-dump: dump all HTTP request/responses when interacting with con‐
541       tainer registry
542
543
544       --http-trace: enable HTTP tracing for registry interactions
545
546
547       --label="": labels to attach to the image
548
549
550       --plain-http: allow connections using plain HTTP
551
552
553       --refresh="": refresh token for authorization server
554
555
556       --rm: remove the snapshot after a successful unmount
557
558
559       --skip-verify, -k: skip SSL certificate validation
560
561
562       --snapshotter="": snapshotter name. Empty value stands for the  default
563       value.
564
565
566       --tlscacert="": path to TLS root CA
567
568
569       --tlscert="": path to TLS client certificate
570
571
572       --tlskey="": path to TLS client key
573
574
575       --user, -u="": user[:password] Registry user and password
576
577
578   pull
579       pull an image from a remote
580
581
582       --all-metadata: Pull metadata for all platforms
583
584
585       --all-platforms: pull content and metadata from all platforms
586
587
588       --hosts-dir="": Custom hosts configuration directory
589
590
591       --http-dump: dump all HTTP request/responses when interacting with con‐
592       tainer registry
593
594
595       --http-trace: enable HTTP tracing for registry interactions
596
597
598       --label="": labels to attach to the image
599
600
601       --max-concurrent-downloads="": Set the  max  concurrent  downloads  for
602       each pull (default: 0)
603
604
605       --plain-http: allow connections using plain HTTP
606
607
608       --platform="": Pull content from a specific platform
609
610
611       --print-chainid: Print the resulting image's chain ID
612
613
614       --refresh="": refresh token for authorization server
615
616
617       --skip-verify, -k: skip SSL certificate validation
618
619
620       --snapshotter="":  snapshotter name. Empty value stands for the default
621       value.
622
623
624       --tlscacert="": path to TLS root CA
625
626
627       --tlscert="": path to TLS client certificate
628
629
630       --tlskey="": path to TLS client key
631
632
633       --user, -u="": user[:password] Registry user and password
634
635
636   push
637       push an image to a remote
638
639
640       --hosts-dir="": Custom hosts configuration directory
641
642
643       --http-dump: dump all HTTP request/responses when interacting with con‐
644       tainer registry
645
646
647       --http-trace: enable HTTP tracing for registry interactions
648
649
650       --manifest="": digest of manifest
651
652
653       --manifest-type="":  media  type  of manifest digest (default: applica‐
654       tion/vnd.oci.image.manifest.v1+json)
655
656
657       --max-concurrent-uploaded-layers="": Set the  max  concurrent  uploaded
658       layers for each push (default: 0)
659
660
661       --plain-http: allow connections using plain HTTP
662
663
664       --platform="": push content from a specific platform
665
666
667       --refresh="": refresh token for authorization server
668
669
670       --skip-verify, -k: skip SSL certificate validation
671
672
673       --tlscacert="": path to TLS root CA
674
675
676       --tlscert="": path to TLS client certificate
677
678
679       --tlskey="": path to TLS client key
680
681
682       --user, -u="": user[:password] Registry user and password
683
684
685   remove, rm
686       remove one or more images by reference
687
688
689       --sync: Synchronously remove image and all associated resources
690
691
692   tag
693       tag an image
694
695
696       --force:  force  target_ref to be created, regardless if it already ex‐
697       ists
698
699
700   label
701       set and clear labels for an image
702
703
704       --replace-all, -r: replace all labels
705
706
707   convert
708       convert an image
709
710
711       --all-platforms: exports content from all platforms
712
713
714       --oci: convert Docker media types to OCI media types
715
716
717       --platform="": Pull content from a specific platform
718
719
720       --uncompress: convert tar.gz layers to uncompressed tar layers
721
722

leases

724       manage leases
725
726
727   list, ls
728       list all active leases
729
730
731       --quiet, -q: print only the blob digest
732
733
734   create
735       create lease
736
737
738       --expires, -x="": expiration of lease (0 value will  not  expire)  (de‐
739       fault: 24h0m0s)
740
741
742       --id="": set the id for the lease, will be generated by default
743
744
745   delete, rm
746       delete a lease
747
748
749       --sync: Synchronously remove leases and all unreferenced resources
750
751

namespaces, namespace, ns

753       manage namespaces
754
755
756   create, c
757       create a new namespace
758
759
760   list, ls
761       list namespaces
762
763
764       --quiet, -q: print only the namespace name
765
766
767   remove, rm
768       remove one or more namespaces
769
770
771       --cgroup, -c: delete the namespace's cgroup
772
773
774   label
775       set and clear labels for a namespace
776
777

pprof

779       provide golang pprof outputs for containerd
780
781
782       --debug-socket,  -d="":  socket path for containerd's debug server (de‐
783       fault: /run/containerd/debug.sock)
784
785
786   block
787       goroutine blocking profile
788
789
790   goroutines
791       dump goroutine stack dump
792
793
794   heap
795       dump heap profile
796
797
798   profile
799       CPU profile
800
801
802       --seconds, -s="": duration for collection (seconds) (default: 30s)
803
804
805   threadcreate
806       goroutine thread creating profile
807
808
809   trace
810       collect execution trace
811
812
813       --seconds, -s="": trace time (seconds) (default: 5s)
814
815

run

817       run a container
818
819
820       --allow-new-privs: turn off OCI spec's NoNewPrivileges feature flag
821
822
823       --apparmor-default-profile="": enable AppArmor with the default profile
824       with the specified name, e.g. "cri-containerd.apparmor.d"
825
826
827       --apparmor-profile="": enable AppArmor with an existing custom profile
828
829
830       --cgroup="":  cgroup  path (To disable use of cgroup, set to "" explic‐
831       itly)
832
833
834       --cni: enable cni networking for the container
835
836
837       --config, -c="": path to the runtime-specific spec config file
838
839
840       --cpu-period="": Limit CPU CFS period (default: 0)
841
842
843       --cpu-quota="": Limit CPU CFS quota (default: -1)
844
845
846       --cpus="": set the CFS cpu quota (default: 0.000000)
847
848
849       --cwd="": specify the working directory of the process
850
851
852       --detach, -d: detach from the task after it has started execution
853
854
855       --device="": file path to a device to add to the container; or  a  path
856       to a directory tree of devices to add to the container
857
858
859       --env="":  specify  additional  container  environment  variables (e.g.
860       FOO=bar)
861
862
863       --env-file="": specify additional container environment variables in  a
864       file(e.g. FOO=bar, one per line)
865
866
867       --fifo-dir="": directory used for storing IO FIFOs
868
869
870       --gidmap="": run inside a user namespace with the specified GID mapping
871       range; specified with the format container-gid:host-gid:length
872
873
874       --gpus="": add gpus to the container (default: 0)
875
876
877       --label="": specify additional labels (e.g. foo=bar)
878
879
880       --log-uri="": log uri
881
882
883       --memory-limit="": memory limit (in bytes) for the container  (default:
884       0)
885
886
887       --mount="":     specify     additional     container     mount    (e.g.
888       type=bind,src=/tmp,dst=/host,options=rbind:ro)
889
890
891       --net-host: enable host networking for the container
892
893
894       --no-pivot: disable use of pivot-root (linux only)
895
896
897       --null-io: send all IO to /dev/null
898
899
900       --pid-file="": file path to write the task's pid
901
902
903       --platform="": run image for specific platform
904
905
906       --privileged: run privileged container
907
908
909       --read-only: set the containers filesystem as readonly
910
911
912       --remap-labels: provide the user namespace ID remapping  to  the  snap‐
913       shotter via label options; requires snapshotter support
914
915
916       --rm: remove the container after running
917
918
919       --rootfs: use custom rootfs that is not managed by containerd snapshot‐
920       ter
921
922
923       --runc-binary="": specify runc-compatible binary
924
925
926       --runc-root="": specify runc-compatible root
927
928
929       --runc-systemd-cgroup: start runc with systemd cgroup manager
930
931
932       --runtime="": runtime name (default: io.containerd.runc.v2)
933
934
935       --runtime-config-path="": optional runtime config path
936
937
938       --seccomp: enable the default seccomp profile
939
940
941       --seccomp-profile="": file path to custom seccomp profile. seccomp must
942       be set to true, before using seccomp-profile
943
944
945       --snapshotter="":  snapshotter name. Empty value stands for the default
946       value.
947
948
949       --tty, -t: allocate a TTY for the container
950
951
952       --uidmap="": run inside a user namespace with the specified UID mapping
953       range; specified with the format container-uid:host-uid:length
954
955
956       --with-ns="":  specify  existing  Linux namespaces to join at container
957       runtime (format ':')
958
959

snapshots, snapshot

961       manage snapshots
962
963
964       --snapshotter="": snapshotter name. Empty value stands for the  default
965       value.
966
967
968   commit
969       commit an active snapshot into the provided name
970
971
972   diff
973       get the diff of two snapshots. the default second snapshot is the first
974       snapshot's parent.
975
976
977       --keep: keep diff content. up to creator to delete it.
978
979
980       --label="": labels to attach to the image
981
982
983       --media-type="": media type to use for creating diff (default: applica‐
984       tion/vnd.oci.image.layer.v1.tar+gzip)
985
986
987       --ref="": content upload reference to use
988
989
990   info
991       get info about a snapshot
992
993
994   list, ls
995       list snapshots
996
997
998   mounts, m, mount
999       mount gets mount commands for the snapshots
1000
1001
1002   prepare
1003       prepare a snapshot from a committed snapshot
1004
1005
1006       --mounts: Print out snapshot mounts as JSON
1007
1008
1009       --target, -t="": mount target path, will print mount, if provided
1010
1011
1012   remove, rm
1013       remove snapshots
1014
1015
1016   label
1017       add labels to content
1018
1019
1020   tree
1021       display tree view of snapshot branches
1022
1023
1024   unpack
1025       unpack applies layers from a manifest to a snapshot
1026
1027
1028       --snapshotter="":  snapshotter name. Empty value stands for the default
1029       value.
1030
1031
1032   usage
1033       usage snapshots
1034
1035
1036       -b: display size in bytes
1037
1038
1039   view
1040       create a read-only snapshot from a committed snapshot
1041
1042
1043       --mounts: Print out snapshot mounts as JSON
1044
1045
1046       --target, -t="": mount target path, will print mount, if provided
1047
1048

tasks, t, task

1050       manage tasks
1051
1052
1053   attach
1054       attach to the IO of a running container
1055
1056
1057   checkpoint
1058       checkpoint a container
1059
1060
1061       --exit: stop the container after the checkpoint
1062
1063
1064       --image-path="": path to criu image files
1065
1066
1067       --work-path="": path to criu work files and logs
1068
1069
1070   delete, rm
1071       delete one or more tasks
1072
1073
1074       --exec-id="": process ID to kill
1075
1076
1077       --force, -f: force delete task process
1078
1079
1080   exec
1081       execute additional processes in an existing container
1082
1083
1084       --cwd="": working directory of the new process
1085
1086
1087       --detach, -d: detach from the task after it has started execution
1088
1089
1090       --exec-id="": exec specific id for the process
1091
1092
1093       --fifo-dir="": directory used for storing IO FIFOs
1094
1095
1096       --log-uri="": log uri for custom shim logging
1097
1098
1099       --tty, -t: allocate a TTY for the container
1100
1101
1102       --user="": user id or name
1103
1104
1105   list, ls
1106       list tasks
1107
1108
1109       --quiet, -q: print only the task id
1110
1111
1112   kill
1113       signal a container (default: SIGTERM)
1114
1115
1116       --all, -a: send signal to all processes inside the container
1117
1118
1119       --exec-id="": process ID to kill
1120
1121
1122       --signal, -s="": signal to send to the container
1123
1124
1125   pause
1126       pause an existing container
1127
1128
1129   ps
1130       list processes for container
1131
1132
1133   resume
1134       resume a paused container
1135
1136
1137   start
1138       start a container that has been created
1139
1140
1141       --detach, -d: detach from the task after it has started execution
1142
1143
1144       --fifo-dir="": directory used for storing IO FIFOs
1145
1146
1147       --log-uri="": log uri
1148
1149
1150       --null-io: send all IO to /dev/null
1151
1152
1153       --pid-file="": file path to write the task's pid
1154
1155
1156   metrics, metric
1157       get a single data point of metrics for a task with the  built-in  Linux
1158       runtime
1159
1160
1161       --format="": "table" or "json" (default: table)
1162
1163

install

1165       install a new package
1166
1167
1168       --libs, -l: install libs from the image
1169
1170
1171       --path="":  set an optional install path other than the managed opt di‐
1172       rectory
1173
1174
1175       --replace, -r: replace any binaries or libs in the opt directory
1176
1177

oci

1179       OCI tools
1180
1181
1182   spec
1183       see the output of the default OCI spec
1184
1185

shim

1187       interact with a shim directly
1188
1189
1190       --id="": container id
1191
1192
1193   delete
1194       delete a container with a task
1195
1196
1197   exec
1198       exec a new process in the task's container
1199
1200
1201       --attach, -a: stay attached to the container and open the fifos
1202
1203
1204       --cwd="": current working directory
1205
1206
1207       --env, -e="": add environment vars
1208
1209
1210       --spec="": runtime spec
1211
1212
1213       --stderr="": specify the path to the stderr fifo
1214
1215
1216       --stdin="": specify the path to the stdin fifo
1217
1218
1219       --stdout="": specify the path to the stdout fifo
1220
1221
1222       --tty, -t: enable tty support
1223
1224
1225   start
1226       start a container with a task
1227
1228
1229   state
1230       get the state of all the processes of the task
1231
1232
1233
1234                                                                      ctr(8)()
Impressum