ctr(8)

ctr is an unsupported debug and administrative client for interacting
with the containerd daemon. Because it is unsupported, the commands,
options, and operations are not guaranteed to be backward compatible or
stable from release to release of the containerd project.

ctr

ctr
[--address|-a]=[value]
[--connect-timeout]=[value]
[--debug]
[--namespace|-n]=[value]
[--timeout]=[value]

Usage:

ctr [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]

--address, -a="": address for containerd's GRPC server (default: /run/containerd/containerd.sock)
--connect-timeout="": timeout for connecting to containerd (default: 0s)
--debug: enable debug output in logs
--namespace, -n="": namespace to use with commands (default: default)
--timeout="": total timeout for ctr commands (default: 0s)


provides information about containerd plugins

list, ls
lists containerd plugins
--detailed, -d: print detailed information about each plugin
--quiet, -q: print only the plugin ids


print the client and server versions


manage containers

create
create container
--allow-new-privs: turn off OCI spec's NoNewPrivileges feature flag
--apparmor-default-profile="": enable AppArmor with the default profile with the specified name, e.g. "cri-containerd.apparmor.d"
--apparmor-profile="": enable AppArmor with an existing custom profile
--config, -c="": path to the runtime-specific spec config file
--cpu-period="": Limit CPU CFS period (default: 0)
--cpu-quota="": Limit CPU CFS quota (default: -1)
--cwd="": specify the working directory of the process
--device="": file path to a device to add to the container; or a path to a directory tree of devices to add to the container
--env="": specify additional container environment variables (e.g. FOO=bar)
--env-file="": specify additional container environment variables in a file (e.g. FOO=bar, one per line)
--gpus="": add gpus to the container (default: 0)
--label="": specify additional labels (e.g. foo=bar)
--memory-limit="": memory limit (in bytes) for the container (default: 0)
--mount="": specify additional container mount (e.g. type=bind,src=/tmp,dst=/host,options=rbind:ro)
--net-host: enable host networking for the container
--no-pivot: disable use of pivot-root (linux only)
--pid-file="": file path to write the task's pid
--privileged: run privileged container
--read-only: set the container's filesystem as read-only
--rootfs: use custom rootfs that is not managed by containerd snapshotter
--runtime="": runtime name (default: io.containerd.runc.v2)
--runtime-config-path="": optional runtime config path
--seccomp: enable the default seccomp profile
--seccomp-profile="": file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile
--snapshotter="": snapshotter name. Empty value stands for the default value.
--tty, -t: allocate a TTY for the container
--with-ns="": specify existing Linux namespaces to join at container runtime (format ':')

delete, del, rm
delete one or more existing containers
--keep-snapshot: do not clean up snapshot with container

info
get info about a container
--spec: only display the spec

list, ls
list containers
--quiet, -q: print only the container id

label
set and clear labels for a container

checkpoint
checkpoint a container
--image: include the image in the checkpoint
--rw: include the rw layer in the checkpoint
--task: checkpoint container task

restore
restore a container from checkpoint
--live: restore the runtime and memory data from the checkpoint
--rw: restore the rw layer from the checkpoint


manage content

active
display active transfers
--root="": path to content store root (default: /tmp/content)
--timeout, -t="": total timeout for fetch (default: 0s)

delete, del, remove, rm
permanently delete one or more blobs

edit
edit a blob and return a new digest
--editor="": select editor (vim, emacs, etc.)
--validate="": validate the result against a format (json, mediatype, etc.)

fetch
fetch all content for an image into containerd
--all-metadata: Pull metadata for all platforms
--all-platforms: pull content from all platforms
--hosts-dir="": Custom hosts configuration directory
--http-dump: dump all HTTP request/responses when interacting with container registry
--http-trace: enable HTTP tracing for registry interactions
--label="": labels to attach to the image
--metadata-only: Pull all metadata including manifests and configs
--plain-http: allow connections using plain HTTP
--platform="": Pull content from a specific platform
--refresh="": refresh token for authorization server
--skip-verify, -k: skip SSL certificate validation
--tlscacert="": path to TLS root CA
--tlscert="": path to TLS client certificate
--tlskey="": path to TLS client key
--user, -u="": user[:password] Registry user and password

fetch-object
retrieve objects from a remote
--hosts-dir="": Custom hosts configuration directory
--http-dump: dump all HTTP request/responses when interacting with container registry
--http-trace: enable HTTP tracing for registry interactions
--plain-http: allow connections using plain HTTP
--refresh="": refresh token for authorization server
--skip-verify, -k: skip SSL certificate validation
--tlscacert="": path to TLS root CA
--tlscert="": path to TLS client certificate
--tlskey="": path to TLS client key
--user, -u="": user[:password] Registry user and password

get
get the data for an object

ingest
accept content into the store
--expected-digest="": verify content against expected digest
--expected-size="": validate against provided size (default: 0)

list, ls
list all blobs in the store
--quiet, -q: print only the blob digest

push-object
push an object to a remote
--hosts-dir="": Custom hosts configuration directory
--http-dump: dump all HTTP request/responses when interacting with container registry
--http-trace: enable HTTP tracing for registry interactions
--plain-http: allow connections using plain HTTP
--refresh="": refresh token for authorization server
--skip-verify, -k: skip SSL certificate validation
--tlscacert="": path to TLS root CA
--tlscert="": path to TLS client certificate
--tlskey="": path to TLS client key
--user, -u="": user[:password] Registry user and password

label
add labels to content

prune
prunes content from the content store

references
prunes preference labels from the content store (layers only by default)
--async: allow garbage collection to cleanup asynchronously
--dry: just show updates without applying (enables debug logging)


display containerd events


manage images

check
check existing images to ensure all content is available locally
--quiet, -q: print only the ready image refs (fully downloaded and unpacked)
--snapshotter="": snapshotter name. Empty value stands for the default value.

export
export images
--all-platforms: exports content from all platforms
--platform="": Pull content from a specific platform
--skip-manifest-json: do not add Docker compatible manifest.json to archive
--skip-non-distributable: do not add non-distributable blobs such as Windows layers to archive

import
import images
--all-platforms: imports content for all platforms, false by default
--base-name="": base image name for added images, when provided only images with this name prefix are imported
--compress-blobs: compress uncompressed blobs when creating manifest (Docker format only)
--digests: whether to create digest images (default: false)
--index-name="": image name to keep index as, by default index is discarded
--no-unpack: skip unpacking the images, false by default
--snapshotter="": snapshotter name. Empty value stands for the default value.

list, ls
list images known to containerd
--quiet, -q: print only the image refs

mount
mount an image to a target path
--hosts-dir="": Custom hosts configuration directory
--http-dump: dump all HTTP request/responses when interacting with container registry
--http-trace: enable HTTP tracing for registry interactions
--label="": labels to attach to the image
--plain-http: allow connections using plain HTTP
--platform="": Mount the image for the specified platform (default: linux/amd64)
--refresh="": refresh token for authorization server
--rw: Enable write support on the mount
--skip-verify, -k: skip SSL certificate validation
--snapshotter="": snapshotter name. Empty value stands for the default value.
--tlscacert="": path to TLS root CA
--tlscert="": path to TLS client certificate
--tlskey="": path to TLS client key
--user, -u="": user[:password] Registry user and password

unmount
unmount the image from the target
--hosts-dir="": Custom hosts configuration directory
--http-dump: dump all HTTP request/responses when interacting with container registry
--http-trace: enable HTTP tracing for registry interactions
--label="": labels to attach to the image
--plain-http: allow connections using plain HTTP
--refresh="": refresh token for authorization server
--rm: remove the snapshot after a successful unmount
--skip-verify, -k: skip SSL certificate validation
--snapshotter="": snapshotter name. Empty value stands for the default value.
--tlscacert="": path to TLS root CA
--tlscert="": path to TLS client certificate
--tlskey="": path to TLS client key
--user, -u="": user[:password] Registry user and password

pull
pull an image from a remote
--all-metadata: Pull metadata for all platforms
--all-platforms: pull content and metadata from all platforms
--hosts-dir="": Custom hosts configuration directory
--http-dump: dump all HTTP request/responses when interacting with container registry
--http-trace: enable HTTP tracing for registry interactions
--label="": labels to attach to the image
--max-concurrent-downloads="": Set the max concurrent downloads for each pull (default: 0)
--plain-http: allow connections using plain HTTP
--platform="": Pull content from a specific platform
--print-chainid: Print the resulting image's chain ID
--refresh="": refresh token for authorization server
--skip-verify, -k: skip SSL certificate validation
--snapshotter="": snapshotter name. Empty value stands for the default value.
--tlscacert="": path to TLS root CA
--tlscert="": path to TLS client certificate
--tlskey="": path to TLS client key
--user, -u="": user[:password] Registry user and password

push
push an image to a remote
--hosts-dir="": Custom hosts configuration directory
--http-dump: dump all HTTP request/responses when interacting with container registry
--http-trace: enable HTTP tracing for registry interactions
--manifest="": digest of manifest
--manifest-type="": media type of manifest digest (default: application/vnd.oci.image.manifest.v1+json)
--max-concurrent-uploaded-layers="": Set the max concurrent uploaded layers for each push (default: 0)
--plain-http: allow connections using plain HTTP
--platform="": push content from a specific platform
--refresh="": refresh token for authorization server
--skip-verify, -k: skip SSL certificate validation
--tlscacert="": path to TLS root CA
--tlscert="": path to TLS client certificate
--tlskey="": path to TLS client key
--user, -u="": user[:password] Registry user and password

remove, rm
remove one or more images by reference
--sync: Synchronously remove image and all associated resources

tag
tag an image
--force: force target_ref to be created, regardless if it already exists

label
set and clear labels for an image
--replace-all, -r: replace all labels

convert
convert an image
--all-platforms: exports content from all platforms
--oci: convert Docker media types to OCI media types
--platform="": Pull content from a specific platform
--uncompress: convert tar.gz layers to uncompressed tar layers


manage leases

list, ls
list all active leases
--quiet, -q: print only the blob digest

create
create lease
--expires, -x="": expiration of lease (0 value will not expire) (default: 24h0m0s)
--id="": set the id for the lease, will be generated by default

delete, rm
delete a lease
--sync: Synchronously remove leases and all unreferenced resources


manage namespaces

create, c
create a new namespace

list, ls
list namespaces
--quiet, -q: print only the namespace name

remove, rm
remove one or more namespaces
--cgroup, -c: delete the namespace's cgroup

label
set and clear labels for a namespace


provide golang pprof outputs for containerd
--debug-socket, -d="": socket path for containerd's debug server (default: /run/containerd/debug.sock)

block
goroutine blocking profile

goroutines
dump goroutine stack dump

heap
dump heap profile

profile
CPU profile
--seconds, -s="": duration for collection (seconds) (default: 30s)

threadcreate
goroutine thread creating profile

trace
collect execution trace
--seconds, -s="": trace time (seconds) (default: 5s)


run a container
--allow-new-privs: turn off OCI spec's NoNewPrivileges feature flag
--apparmor-default-profile="": enable AppArmor with the default profile with the specified name, e.g. "cri-containerd.apparmor.d"
--apparmor-profile="": enable AppArmor with an existing custom profile
--cgroup="": cgroup path (To disable use of cgroup, set to "" explicitly)
--cni: enable cni networking for the container
--config, -c="": path to the runtime-specific spec config file
--cpu-period="": Limit CPU CFS period (default: 0)
--cpu-quota="": Limit CPU CFS quota (default: -1)
--cpus="": set the CFS cpu quota (default: 0.000000)
--cwd="": specify the working directory of the process
--detach, -d: detach from the task after it has started execution
--device="": file path to a device to add to the container; or a path to a directory tree of devices to add to the container
--env="": specify additional container environment variables (e.g. FOO=bar)
--env-file="": specify additional container environment variables in a file (e.g. FOO=bar, one per line)
--fifo-dir="": directory used for storing IO FIFOs
--gidmap="": run inside a user namespace with the specified GID mapping range; specified with the format container-gid:host-gid:length
--gpus="": add gpus to the container (default: 0)
--label="": specify additional labels (e.g. foo=bar)
--log-uri="": log uri
--memory-limit="": memory limit (in bytes) for the container (default: 0)
--mount="": specify additional container mount (e.g. type=bind,src=/tmp,dst=/host,options=rbind:ro)
--net-host: enable host networking for the container
--no-pivot: disable use of pivot-root (linux only)
--null-io: send all IO to /dev/null
--pid-file="": file path to write the task's pid
--platform="": run image for specific platform
--privileged: run privileged container
--read-only: set the container's filesystem as read-only
--remap-labels: provide the user namespace ID remapping to the snapshotter via label options; requires snapshotter support
--rm: remove the container after running
--rootfs: use custom rootfs that is not managed by containerd snapshotter
--runc-binary="": specify runc-compatible binary
--runc-root="": specify runc-compatible root
--runc-systemd-cgroup: start runc with systemd cgroup manager
--runtime="": runtime name (default: io.containerd.runc.v2)
--runtime-config-path="": optional runtime config path
--seccomp: enable the default seccomp profile
--seccomp-profile="": file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile
--snapshotter="": snapshotter name. Empty value stands for the default value.
--tty, -t: allocate a TTY for the container
--uidmap="": run inside a user namespace with the specified UID mapping range; specified with the format container-uid:host-uid:length
--with-ns="": specify existing Linux namespaces to join at container runtime (format ':')
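
An added example, not part of the ctr man page or the containerd project: a Python audit of recorded ctr command lines for the flags documented above that weaken isolation or registry transport security (--privileged, --allow-new-privs, --net-host, --skip-verify/-k, --plain-http, an inline --user password, and a run/create without --seccomp). The sample records, the finding labels and the command-group aliases are assumptions of this example.

```python
import os
import shlex

# Flags the man page shows with ="" (they consume a value): the globals plus
# the run/create and registry flags. Needed to find where ctr's options end.
VALUE_FLAGS = set("""
--address -a --connect-timeout --namespace -n --timeout --apparmor-profile
--apparmor-default-profile --cgroup --config -c --cpu-period --cpu-quota
--cpus --cwd --device --env --env-file --fifo-dir --gidmap --uidmap --gpus
--label --log-uri --memory-limit --mount --pid-file --platform --runc-binary
--runc-root --runtime --runtime-config-path --seccomp-profile --snapshotter
--with-ns --hosts-dir --refresh --tlscacert --tlscert --tlskey --user -u
--max-concurrent-downloads""".split())

# Boolean flags from the page; the notes are this example's own summary.
RISKY = {
    "--privileged": "privileged container",
    "--allow-new-privs": "NoNewPrivileges turned off",
    "--net-host": "host networking",
    "--skip-verify": "TLS certificate validation skipped",
    "-k": "TLS certificate validation skipped",
    "--plain-http": "plain HTTP to registry",
}
# Command groups followed by a subcommand (the aliases are an assumption).
CONTAINERS = {"containers", "container", "c"}
GROUPS = CONTAINERS | {"images", "image", "i", "content"}

def parse_ctr(cmdline):
    """Return (command_path, options) for a ctr command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the recorded line
        return None
    if not argv or os.path.basename(argv[0]) != "ctr":
        return None
    path, opts, i = [], {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            name, eq, val = tok.partition("=")
            if not eq and name in VALUE_FLAGS and i + 1 < len(argv):
                i += 1
                val = argv[i]
            opts[name] = val if (eq or name in VALUE_FLAGS) else "true"
        elif not path or (len(path) == 1 and path[0] in GROUPS):
            path.append(tok)
        else:
            break  # image ref or ID reached: the rest is the container's argv
        i += 1
    return path, opts

def audit(cmdline):
    """List the findings for one recorded command line (empty if clean)."""
    parsed = parse_ctr(cmdline)
    if parsed is None:
        return []
    path, opts = parsed
    enabled = lambda flag: opts.get(flag, "false") != "false"
    found = [note for flag, note in RISKY.items() if enabled(flag)]
    if ":" in (opts.get("--user") or opts.get("-u") or ""):
        found.append("registry password on command line")
    launches = path == ["run"] or (
        path[1:] == ["create"] and path[0] in CONTAINERS)
    if launches and not enabled("--seccomp"):
        found.append("no seccomp profile requested")  # page lists it as a flag
    return list(dict.fromkeys(found))  # drop duplicates, keep order

# Constructed process-execution records (not real telemetry).
SAMPLE = [
    "ctr -n k8s.io images pull --skip-verify --user ci:examplepass registry.example.internal/app:1.0",
    'ctr run --rm --seccomp --read-only docker.io/library/alpine:3.19 demo sh -c "curl -k https://registry.example.internal"',
    "ctr run --privileged --net-host docker.io/library/alpine:3.19 dbg sh",
    "/usr/local/bin/ctr c create --allow-new-privs docker.io/library/busybox:latest web",
]
```

Parsing stops at the first argument after the command, so a `-k` that belongs to the process started inside the container (second sample record) is not reported as a ctr flag.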


manage snapshots
--snapshotter="": snapshotter name. Empty value stands for the default value.

commit
commit an active snapshot into the provided name

diff
get the diff of two snapshots. the default second snapshot is the first snapshot's parent.
--keep: keep diff content. up to creator to delete it.
--label="": labels to attach to the image
--media-type="": media type to use for creating diff (default: application/vnd.oci.image.layer.v1.tar+gzip)
--ref="": content upload reference to use

info
get info about a snapshot

list, ls
list snapshots

mounts, m, mount
mount gets mount commands for the snapshots

prepare
prepare a snapshot from a committed snapshot
--mounts: Print out snapshot mounts as JSON
--target, -t="": mount target path, will print mount, if provided

remove, rm
remove snapshots

label
add labels to content

tree
display tree view of snapshot branches

unpack
unpack applies layers from a manifest to a snapshot
--snapshotter="": snapshotter name. Empty value stands for the default value.

usage
usage snapshots
-b: display size in bytes

view
create a read-only snapshot from a committed snapshot
--mounts: Print out snapshot mounts as JSON
--target, -t="": mount target path, will print mount, if provided


manage tasks

attach
attach to the IO of a running container

checkpoint
checkpoint a container
--exit: stop the container after the checkpoint
--image-path="": path to criu image files
--work-path="": path to criu work files and logs

delete, rm
delete one or more tasks
--exec-id="": process ID to kill
--force, -f: force delete task process

exec
execute additional processes in an existing container
--cwd="": working directory of the new process
--detach, -d: detach from the task after it has started execution
--exec-id="": exec specific id for the process
--fifo-dir="": directory used for storing IO FIFOs
--log-uri="": log uri for custom shim logging
--tty, -t: allocate a TTY for the container
--user="": user id or name

list, ls
list tasks
--quiet, -q: print only the task id

kill
signal a container (default: SIGTERM)
--all, -a: send signal to all processes inside the container
--exec-id="": process ID to kill
--signal, -s="": signal to send to the container

pause
pause an existing container

ps
list processes for container

resume
resume a paused container

start
start a container that has been created
--detach, -d: detach from the task after it has started execution
--fifo-dir="": directory used for storing IO FIFOs
--log-uri="": log uri
--null-io: send all IO to /dev/null
--pid-file="": file path to write the task's pid

metrics, metric
get a single data point of metrics for a task with the built-in Linux runtime
--format="": "table" or "json" (default: table)


install a new package
--libs, -l: install libs from the image
--path="": set an optional install path other than the managed opt directory
--replace, -r: replace any binaries or libs in the opt directory


OCI tools

spec
see the output of the default OCI spec


interact with a shim directly
--id="": container id

delete
delete a container with a task

exec
exec a new process in the task's container
--attach, -a: stay attached to the container and open the fifos
--cwd="": current working directory
--env, -e="": add environment vars
--spec="": runtime spec
--stderr="": specify the path to the stderr fifo
--stdin="": specify the path to the stdin fifo
--stdout="": specify the path to the stdout fifo
--tty, -t: enable tty support

start
start a container with a task

state
get the state of all the processes of the task