.nh
.TH ctr(8)
.PP
ctr is an unsupported debug and administrative client for interacting with the containerd daemon. Because it is unsupported, the commands, options, and operations are not guaranteed to be backward compatible or stable from release to release of the containerd project.
.SH NAME
.PP
ctr
.SH SYNOPSIS
.PP
ctr
.PP
.RS
.nf
[--address|-a]=[value]
[--connect-timeout]=[value]
[--debug]
[--namespace|-n]=[value]
[--timeout]=[value]
.fi
.RE
.PP
\fBUsage\fP:
.PP
.RS
.nf
ctr [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
.fi
.RE
.SH GLOBAL OPTIONS
.PP
\fB--address, -a\fP="": address for containerd's GRPC server (default: /run/containerd/containerd.sock)
.PP
\fB--connect-timeout\fP="": timeout for connecting to containerd (default: 0s)
.PP
\fB--debug\fP: enable debug output in logs
.PP
\fB--namespace, -n\fP="": namespace to use with commands (default: default)
.PP
\fB--timeout\fP="": total timeout for ctr commands (default: 0s)
.SH COMMANDS
.SH plugins, plugin
.PP
provides information about containerd plugins
.SS list, ls
.PP
lists containerd plugins
.PP
\fB--detailed, -d\fP: print detailed information about each plugin
.PP
\fB--quiet, -q\fP: print only the plugin ids
.SH version
.PP
print the client and server versions
.SH containers, c, container
.PP
manage containers
.SS create
.PP
create container
.PP
\fB--allow-new-privs\fP: turn off OCI spec's NoNewPrivileges feature flag
.PP
\fB--apparmor-default-profile\fP="": enable AppArmor with the default profile with the specified name, e.g. "cri-containerd.apparmor.d"
.PP
\fB--apparmor-profile\fP="": enable AppArmor with an existing custom profile
.PP
\fB--cap-add\fP="": add Linux capabilities (Set capabilities with 'CAP_' prefix)
.PP
\fB--cap-drop\fP="": drop Linux capabilities (Set capabilities with 'CAP_' prefix)
.PP
\fB--config, -c\fP="": path to the runtime-specific spec config file
.PP
\fB--cpu-period\fP="": Limit CPU CFS period (default: 0)
.PP
\fB--cpu-quota\fP="": Limit CPU CFS quota (default: -1)
.PP
\fB--cwd\fP="": specify the working directory of the process
.PP
\fB--device\fP="": file path to a device to add to the container; or a path to a directory tree of devices to add to the container
.PP
\fB--env\fP="": specify additional container environment variables (e.g. FOO=bar)
.PP
\fB--env-file\fP="": specify additional container environment variables in a file(e.g. FOO=bar, one per line)
.PP
\fB--gpus\fP="": add gpus to the container
.PP
\fB--label\fP="": specify additional labels (e.g. foo=bar)
.PP
\fB--memory-limit\fP="": memory limit (in bytes) for the container (default: 0)
.PP
\fB--mount\fP="": specify additional container mount (e.g. type=bind,src=/tmp,dst=/host,options=rbind:ro)
.PP
\fB--net-host\fP: enable host networking for the container
.PP
\fB--no-pivot\fP: disable use of pivot-root (linux only)
.PP
\fB--pid-file\fP="": file path to write the task's pid
.PP
\fB--privileged\fP: run privileged container
.PP
\fB--rdt-class\fP="": name of the RDT class to associate the container with. Specifies a Class of Service (CLOS) for cache and memory bandwidth management.
.PP
\fB--read-only\fP: set the containers filesystem as readonly
.PP
\fB--rootfs\fP: use custom rootfs that is not managed by containerd snapshotter
.PP
\fB--rootfs-propagation\fP="": set the propagation of the container rootfs
.PP
\fB--runtime\fP="": runtime name (default: io.containerd.runc.v2)
.PP
\fB--runtime-config-path\fP="": optional runtime config path
.PP
\fB--seccomp\fP: enable the default seccomp profile
.PP
\fB--seccomp-profile\fP="": file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.PP
\fB--snapshotter-label\fP="": labels added to the new snapshot for this container.
.PP
\fB--tty, -t\fP: allocate a TTY for the container
.PP
\fB--with-ns\fP="": specify existing Linux namespaces to join at container runtime (format ':\&')
.SS delete, del, remove, rm
.PP
delete one or more existing containers
.PP
\fB--keep-snapshot\fP: do not clean up snapshot with container
.SS info
.PP
get info about a container
.PP
\fB--spec\fP: only display the spec
.SS list, ls
.PP
list containers
.PP
\fB--quiet, -q\fP: print only the container id
.SS label
.PP
set and clear labels for a container
.SS checkpoint
.PP
checkpoint a container
.PP
\fB--image\fP: include the image in the checkpoint
.PP
\fB--rw\fP: include the rw layer in the checkpoint
.PP
\fB--task\fP: checkpoint container task
.SS restore
.PP
restore a container from checkpoint
.PP
\fB--live\fP: restore the runtime and memory data from the checkpoint
.PP
\fB--rw\fP: restore the rw layer from the checkpoint
.SH content
.PP
manage content
.SS active
.PP
display active transfers
.PP
\fB--root\fP="": path to content store root (default: /tmp/content)
.PP
\fB--timeout, -t\fP="": total timeout for fetch (default: 0s)
.SS delete, del, remove, rm
.PP
permanently delete one or more blobs
.SS edit
.PP
edit a blob and return a new digest
.PP
\fB--editor\fP="": select editor (vim, emacs, etc.)
.PP
\fB--validate\fP="": validate the result against a format (json, mediatype, etc.)
.SS fetch
.PP
fetch all content for an image into containerd
.PP
\fB--all-metadata\fP: Pull metadata for all platforms
.PP
\fB--all-platforms\fP: pull content from all platforms
.PP
\fB--hosts-dir\fP="": Custom hosts configuration directory
.PP
\fB--http-dump\fP: dump all HTTP request/responses when interacting with container registry
.PP
\fB--http-trace\fP: enable HTTP tracing for registry interactions
.PP
\fB--label\fP="": labels to attach to the image
.PP
\fB--metadata-only\fP: Pull all metadata including manifests and configs
.PP
\fB--plain-http\fP: allow connections using plain HTTP
.PP
\fB--platform\fP="": Pull content from a specific platform
.PP
\fB--refresh\fP="": refresh token for authorization server
.PP
\fB--skip-verify, -k\fP: skip SSL certificate validation
.PP
\fB--tlscacert\fP="": path to TLS root CA
.PP
\fB--tlscert\fP="": path to TLS client certificate
.PP
\fB--tlskey\fP="": path to TLS client key
.PP
\fB--user, -u\fP="": user[:password] Registry user and password
.SS fetch-object
.PP
retrieve objects from a remote
.PP
\fB--hosts-dir\fP="": Custom hosts configuration directory
.PP
\fB--http-dump\fP: dump all HTTP request/responses when interacting with container registry
.PP
\fB--http-trace\fP: enable HTTP tracing for registry interactions
.PP
\fB--plain-http\fP: allow connections using plain HTTP
.PP
\fB--refresh\fP="": refresh token for authorization server
.PP
\fB--skip-verify, -k\fP: skip SSL certificate validation
.PP
\fB--tlscacert\fP="": path to TLS root CA
.PP
\fB--tlscert\fP="": path to TLS client certificate
.PP
\fB--tlskey\fP="": path to TLS client key
.PP
\fB--user, -u\fP="": user[:password] Registry user and password
.SS get
.PP
get the data for an object
.SS ingest
.PP
accept content into the store
.PP
\fB--expected-digest\fP="": verify content against expected digest
.PP
\fB--expected-size\fP="": validate against provided size (default: 0)
.SS list, ls
.PP
list all blobs in the store
.PP
\fB--quiet, -q\fP: print only the blob digest
.SS push-object
.PP
push an object to a remote
.PP
\fB--hosts-dir\fP="": Custom hosts configuration directory
.PP
\fB--http-dump\fP: dump all HTTP request/responses when interacting with container registry
.PP
\fB--http-trace\fP: enable HTTP tracing for registry interactions
.PP
\fB--plain-http\fP: allow connections using plain HTTP
.PP
\fB--refresh\fP="": refresh token for authorization server
.PP
\fB--skip-verify, -k\fP: skip SSL certificate validation
.PP
\fB--tlscacert\fP="": path to TLS root CA
.PP
\fB--tlscert\fP="": path to TLS client certificate
.PP
\fB--tlskey\fP="": path to TLS client key
.PP
\fB--user, -u\fP="": user[:password] Registry user and password
.SS label
.PP
add labels to content
.SS prune
.PP
prunes content from the content store
.SS references
.PP
prunes preference labels from the content store (layers only by default)
.PP
\fB--async\fP: allow garbage collection to cleanup asynchronously
.PP
\fB--dry\fP: just show updates without applying (enables debug logging)
.SH events, event
.PP
display containerd events
.SH images, image, i
.PP
manage images
.SS check
.PP
check existing images to ensure all content is available locally
.PP
\fB--quiet, -q\fP: print only the ready image refs (fully downloaded and unpacked)
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.SS export
.PP
export images
.PP
\fB--all-platforms\fP: exports content from all platforms
.PP
\fB--platform\fP="": Pull content from a specific platform
.PP
\fB--skip-manifest-json\fP: do not add Docker compatible manifest.json to archive
.PP
\fB--skip-non-distributable\fP: do not add non-distributable blobs such as Windows layers to archive
.SS import
.PP
import images
.PP
\fB--all-platforms\fP: imports content for all platforms, false by default
.PP
\fB--base-name\fP="": base image name for added images, when provided only images with this name prefix are imported
.PP
\fB--compress-blobs\fP: compress uncompressed blobs when creating manifest (Docker format only)
.PP
\fB--digests\fP: whether to create digest images (default: false)
.PP
\fB--index-name\fP="": image name to keep index as, by default index is discarded
.PP
\fB--no-unpack\fP: skip unpacking the images, false by default
.PP
\fB--platform\fP="": imports content for specific platform
.PP
\fB--skip-digest-for-named\fP: skip applying --digests option to images named in the importing tar (use it in conjunction with --digests)
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.SS list, ls
.PP
list images known to containerd
.PP
\fB--quiet, -q\fP: print only the image refs
.SS mount
.PP
mount an image to a target path
.PP
\fB--hosts-dir\fP="": Custom hosts configuration directory
.PP
\fB--http-dump\fP: dump all HTTP request/responses when interacting with container registry
.PP
\fB--http-trace\fP: enable HTTP tracing for registry interactions
.PP
\fB--label\fP="": labels to attach to the image
.PP
\fB--plain-http\fP: allow connections using plain HTTP
.PP
\fB--platform\fP="": Mount the image for the specified platform (default: linux/amd64)
.PP
\fB--refresh\fP="": refresh token for authorization server
.PP
\fB--rw\fP: Enable write support on the mount
.PP
\fB--skip-verify, -k\fP: skip SSL certificate validation
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.PP
\fB--tlscacert\fP="": path to TLS root CA
.PP
\fB--tlscert\fP="": path to TLS client certificate
.PP
\fB--tlskey\fP="": path to TLS client key
.PP
\fB--user, -u\fP="": user[:password] Registry user and password
.SS unmount
.PP
unmount the image from the target
.PP
\fB--hosts-dir\fP="": Custom hosts configuration directory
.PP
\fB--http-dump\fP: dump all HTTP request/responses when interacting with container registry
.PP
\fB--http-trace\fP: enable HTTP tracing for registry interactions
.PP
\fB--label\fP="": labels to attach to the image
.PP
\fB--plain-http\fP: allow connections using plain HTTP
.PP
\fB--refresh\fP="": refresh token for authorization server
.PP
\fB--rm\fP: remove the snapshot after a successful unmount
.PP
\fB--skip-verify, -k\fP: skip SSL certificate validation
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.PP
\fB--tlscacert\fP="": path to TLS root CA
.PP
\fB--tlscert\fP="": path to TLS client certificate
.PP
\fB--tlskey\fP="": path to TLS client key
.PP
\fB--user, -u\fP="": user[:password] Registry user and password
.SS pull
.PP
pull an image from a remote
.PP
\fB--all-metadata\fP: Pull metadata for all platforms
.PP
\fB--all-platforms\fP: pull content and metadata from all platforms
.PP
\fB--hosts-dir\fP="": Custom hosts configuration directory
.PP
\fB--http-dump\fP: dump all HTTP request/responses when interacting with container registry
.PP
\fB--http-trace\fP: enable HTTP tracing for registry interactions
.PP
\fB--label\fP="": labels to attach to the image
.PP
\fB--max-concurrent-downloads\fP="": Set the max concurrent downloads for each pull (default: 0)
.PP
\fB--plain-http\fP: allow connections using plain HTTP
.PP
\fB--platform\fP="": Pull content from a specific platform
.PP
\fB--print-chainid\fP: Print the resulting image's chain ID
.PP
\fB--refresh\fP="": refresh token for authorization server
.PP
\fB--skip-verify, -k\fP: skip SSL certificate validation
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.PP
\fB--tlscacert\fP="": path to TLS root CA
.PP
\fB--tlscert\fP="": path to TLS client certificate
.PP
\fB--tlskey\fP="": path to TLS client key
.PP
\fB--user, -u\fP="": user[:password] Registry user and password
.SS push
.PP
push an image to a remote
.PP
\fB--allow-non-distributable-blobs\fP: Allow pushing blobs that are marked as non-distributable
.PP
\fB--hosts-dir\fP="": Custom hosts configuration directory
.PP
\fB--http-dump\fP: dump all HTTP request/responses when interacting with container registry
.PP
\fB--http-trace\fP: enable HTTP tracing for registry interactions
.PP
\fB--manifest\fP="": digest of manifest
.PP
\fB--manifest-type\fP="": media type of manifest digest (default: application/vnd.oci.image.manifest.v1+json)
.PP
\fB--max-concurrent-uploaded-layers\fP="": Set the max concurrent uploaded layers for each push (default: 0)
.PP
\fB--plain-http\fP: allow connections using plain HTTP
.PP
\fB--platform\fP="": push content from a specific platform
.PP
\fB--refresh\fP="": refresh token for authorization server
.PP
\fB--skip-verify, -k\fP: skip SSL certificate validation
.PP
\fB--tlscacert\fP="": path to TLS root CA
.PP
\fB--tlscert\fP="": path to TLS client certificate
.PP
\fB--tlskey\fP="": path to TLS client key
.PP
\fB--user, -u\fP="": user[:password] Registry user and password
.SS delete, del, remove, rm
.PP
remove one or more images by reference
.PP
\fB--sync\fP: Synchronously remove image and all associated resources
.SS tag
.PP
tag an image
.PP
\fB--force\fP: force target_ref to be created, regardless if it already exists
.SS label
.PP
set and clear labels for an image
.PP
\fB--replace-all, -r\fP: replace all labels
.SS convert
.PP
convert an image
.PP
\fB--all-platforms\fP: exports content from all platforms
.PP
\fB--oci\fP: convert Docker media types to OCI media types
.PP
\fB--platform\fP="": Pull content from a specific platform
.PP
\fB--uncompress\fP: convert tar.gz layers to uncompressed tar layers
.SH leases
.PP
manage leases
.SS list, ls
.PP
list all active leases
.PP
\fB--quiet, -q\fP: print only the blob digest
.SS create
.PP
create lease
.PP
\fB--expires, -x\fP="": expiration of lease (0 value will not expire) (default: 24h0m0s)
.PP
\fB--id\fP="": set the id for the lease, will be generated by default
.SS delete, del, remove, rm
.PP
delete a lease
.PP
\fB--sync\fP: Synchronously remove leases and all unreferenced resources
.SH namespaces, namespace, ns
.PP
manage namespaces
.SS create, c
.PP
create a new namespace
.SS list, ls
.PP
list namespaces
.PP
\fB--quiet, -q\fP: print only the namespace name
.SS remove, rm
.PP
remove one or more namespaces
.PP
\fB--cgroup, -c\fP: delete the namespace's cgroup
.SS label
.PP
set and clear labels for a namespace
.SH pprof
.PP
provide golang pprof outputs for containerd
.PP
\fB--debug-socket, -d\fP="": socket path for containerd's debug server (default: /run/containerd/debug.sock)
.SS block
.PP
goroutine blocking profile
.SS goroutines
.PP
dump goroutine stack dump
.SS heap
.PP
dump heap profile
.SS profile
.PP
CPU profile
.PP
\fB--seconds, -s\fP="": duration for collection (seconds) (default: 30s)
.SS threadcreate
.PP
goroutine thread creating profile
.SS trace
.PP
collect execution trace
.PP
\fB--seconds, -s\fP="": trace time (seconds) (default: 5s)
.SH run
.PP
run a container
.PP
\fB--allow-new-privs\fP: turn off OCI spec's NoNewPrivileges feature flag
.PP
\fB--apparmor-default-profile\fP="": enable AppArmor with the default profile with the specified name, e.g. "cri-containerd.apparmor.d"
.PP
\fB--apparmor-profile\fP="": enable AppArmor with an existing custom profile
.PP
\fB--cap-add\fP="": add Linux capabilities (Set capabilities with 'CAP_' prefix)
.PP
\fB--cap-drop\fP="": drop Linux capabilities (Set capabilities with 'CAP_' prefix)
.PP
\fB--cgroup\fP="": cgroup path (To disable use of cgroup, set to "" explicitly)
.PP
\fB--cni\fP: enable cni networking for the container
.PP
\fB--config, -c\fP="": path to the runtime-specific spec config file
.PP
\fB--cpu-period\fP="": Limit CPU CFS period (default: 0)
.PP
\fB--cpu-quota\fP="": Limit CPU CFS quota (default: -1)
.PP
\fB--cpu-shares\fP="": set the cpu shares (default: 1024)
.PP
\fB--cpus\fP="": set the CFS cpu quota (default: 0.000000)
.PP
\fB--cwd\fP="": specify the working directory of the process
.PP
\fB--detach, -d\fP: detach from the task after it has started execution
.PP
\fB--device\fP="": file path to a device to add to the container; or a path to a directory tree of devices to add to the container
.PP
\fB--env\fP="": specify additional container environment variables (e.g. FOO=bar)
.PP
\fB--env-file\fP="": specify additional container environment variables in a file(e.g. FOO=bar, one per line)
.PP
\fB--fifo-dir\fP="": directory used for storing IO FIFOs
.PP
\fB--gidmap\fP="": run inside a user namespace with the specified GID mapping range; specified with the format \fB\fCcontainer-gid:host-gid:length\fR
.PP
\fB--gpus\fP="": add gpus to the container
.PP
\fB--label\fP="": specify additional labels (e.g. foo=bar)
.PP
\fB--log-uri\fP="": log uri
.PP
\fB--memory-limit\fP="": memory limit (in bytes) for the container (default: 0)
.PP
\fB--mount\fP="": specify additional container mount (e.g. type=bind,src=/tmp,dst=/host,options=rbind:ro)
.PP
\fB--net-host\fP: enable host networking for the container
.PP
\fB--no-pivot\fP: disable use of pivot-root (linux only)
.PP
\fB--null-io\fP: send all IO to /dev/null
.PP
\fB--pid-file\fP="": file path to write the task's pid
.PP
\fB--platform\fP="": run image for specific platform
.PP
\fB--privileged\fP: run privileged container
.PP
\fB--rdt-class\fP="": name of the RDT class to associate the container with. Specifies a Class of Service (CLOS) for cache and memory bandwidth management.
.PP
\fB--read-only\fP: set the containers filesystem as readonly
.PP
\fB--remap-labels\fP: provide the user namespace ID remapping to the snapshotter via label options; requires snapshotter support
.PP
\fB--rm\fP: remove the container after running
.PP
\fB--rootfs\fP: use custom rootfs that is not managed by containerd snapshotter
.PP
\fB--rootfs-propagation\fP="": set the propagation of the container rootfs
.PP
\fB--runc-binary\fP="": specify runc-compatible binary
.PP
\fB--runc-root\fP="": specify runc-compatible root
.PP
\fB--runc-systemd-cgroup\fP: start runc with systemd cgroup manager
.PP
\fB--runtime\fP="": runtime name (default: io.containerd.runc.v2)
.PP
\fB--runtime-config-path\fP="": optional runtime config path
.PP
\fB--seccomp\fP: enable the default seccomp profile
.PP
\fB--seccomp-profile\fP="": file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.PP
\fB--snapshotter-label\fP="": labels added to the new snapshot for this container.
.PP
\fB--tty, -t\fP: allocate a TTY for the container
.PP
\fB--uidmap\fP="": run inside a user namespace with the specified UID mapping range; specified with the format \fB\fCcontainer-uid:host-uid:length\fR
.PP
\fB--with-ns\fP="": specify existing Linux namespaces to join at container runtime (format ':\&')
.SH snapshots, snapshot
.PP
manage snapshots
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.SS commit
.PP
commit an active snapshot into the provided name
.SS diff
.PP
get the diff of two snapshots. the default second snapshot is the first snapshot's parent.
.PP
\fB--keep\fP: keep diff content. up to creator to delete it.
.PP
\fB--label\fP="": labels to attach to the image
.PP
\fB--media-type\fP="": media type to use for creating diff (default: application/vnd.oci.image.layer.v1.tar+gzip)
.PP
\fB--ref\fP="": content upload reference to use
.SS info
.PP
get info about a snapshot
.SS list, ls
.PP
list snapshots
.SS mounts, m, mount
.PP
mount gets mount commands for the snapshots
.SS prepare
.PP
prepare a snapshot from a committed snapshot
.PP
\fB--mounts\fP: Print out snapshot mounts as JSON
.PP
\fB--target, -t\fP="": mount target path, will print mount, if provided
.SS delete, del, remove, rm
.PP
remove snapshots
.SS label
.PP
add labels to content
.SS tree
.PP
display tree view of snapshot branches
.SS unpack
.PP
unpack applies layers from a manifest to a snapshot
.PP
\fB--snapshotter\fP="": snapshotter name. Empty value stands for the default value.
.SS usage
.PP
usage snapshots
.PP
\fB-b\fP: display size in bytes
.SS view
.PP
create a read-only snapshot from a committed snapshot
.PP
\fB--mounts\fP: Print out snapshot mounts as JSON
.PP
\fB--target, -t\fP="": mount target path, will print mount, if provided
.SH tasks, t, task
.PP
manage tasks
.SS attach
.PP
attach to the IO of a running container
.SS checkpoint
.PP
checkpoint a container
.PP
\fB--exit\fP: stop the container after the checkpoint
.PP
\fB--image-path\fP="": path to criu image files
.PP
\fB--work-path\fP="": path to criu work files and logs
.SS delete, del, remove, rm
.PP
delete one or more tasks
.PP
\fB--exec-id\fP="": process ID to kill
.PP
\fB--force, -f\fP: force delete task process
.SS exec
.PP
execute additional processes in an existing container
.PP
\fB--cwd\fP="": working directory of the new process
.PP
\fB--detach, -d\fP: detach from the task after it has started execution
.PP
\fB--exec-id\fP="": exec specific id for the process
.PP
\fB--fifo-dir\fP="": directory used for storing IO FIFOs
.PP
\fB--log-uri\fP="": log uri for custom shim logging
.PP
\fB--tty, -t\fP: allocate a TTY for the container
.PP
\fB--user\fP="": user id or name
.SS list, ls
.PP
list tasks
.PP
\fB--quiet, -q\fP: print only the task id
.SS kill
.PP
signal a container (default: SIGTERM)
.PP
\fB--all, -a\fP: send signal to all processes inside the container
.PP
\fB--exec-id\fP="": process ID to kill
.PP
\fB--signal, -s\fP="": signal to send to the container
.SS pause
.PP
pause an existing container
.SS ps
.PP
list processes for container
.SS resume
.PP
resume a paused container
.SS start
.PP
start a container that has been created
.PP
\fB--detach, -d\fP: detach from the task after it has started execution
.PP
\fB--fifo-dir\fP="": directory used for storing IO FIFOs
.PP
\fB--log-uri\fP="": log uri
.PP
\fB--null-io\fP: send all IO to /dev/null
.PP
\fB--pid-file\fP="": file path to write the task's pid
.SS metrics, metric
.PP
get a single data point of metrics for a task with the built-in Linux runtime
.PP
\fB--format\fP="": "table" or "json" (default: table)
.SH install
.PP
install a new package
.PP
\fB--libs, -l\fP: install libs from the image
.PP
\fB--path\fP="": set an optional install path other than the managed opt directory
.PP
\fB--replace, -r\fP: replace any binaries or libs in the opt directory
.SH oci
.PP
OCI tools
.SS spec
.PP
see the output of the default OCI spec
.SH shim
.PP
interact with a shim directly
.PP
\fB--id\fP="": container id
.SS delete
.PP
delete a container with a task
.SS exec
.PP
exec a new process in the task's container
.PP
\fB--attach, -a\fP: stay attached to the container and open the fifos
.PP
\fB--cwd\fP="": current working directory
.PP
\fB--env, -e\fP="": add environment vars
.PP
\fB--spec\fP="": runtime spec
.PP
\fB--stderr\fP="": specify the path to the stderr fifo
.PP
\fB--stdin\fP="": specify the path to the stdin fifo
.PP
\fB--stdout\fP="": specify the path to the stdout fifo
.PP
\fB--tty, -t\fP: enable tty support
.SS start
.PP
start a container with a task
.SS state
.PP
get the state of all the processes of the task