Dockershim Removal – FAQ, Reasons and Migration Options

Docker was default runtime for Kubernetes. Shim allowed kubelet to communicate with Docker Engine. Kubernetes removed dockershim in v1.24. This article explains removal reasons, migration options and best practices.

TL;DR

• Built-in dockershim support retired in Kubernetes v1.24.
• Use containerd or CRI-O via native CRI integration.
• Alternatively install cri-dockerd shim adapter for Docker Engine.
• Update kubeadm and kubelet flags: --container-runtime=remote --container-runtime-endpoint=.
• Test workloads via crictl or kubectl after migration to validate runtime functionality.

Dockershim Removal Overview

Dockershim acted as a compatibility layer between kubelet and Docker Engine. It translated CRI calls into Docker API calls. Maintaining shim diverged from Kubernetes CRI ecosystem goals. Developers built CRI-compliant runtimes like containerd and CRI-O. That removed need to support Docker API directly in kubelet.

Dockershim Removal Timeline

Community announced deprecation in v1.20 release (December 2020). Teams planned three Kubernetes cycles for migration. v1.23 marked the last version shipping dockershim code. v1.24, released in April 2022, dropped dockershim completely. Users must now run workloads on any CRI-compliant runtime.

Impacts of Dockershim Removal

Removing dockershim affects cluster creation and upgrades. kubeadm defaults changed. Flags --container-runtime and --container-runtime-endpoint require explicit settings. Tools that relied on docker CLI inside kubelet contexts break. CI pipelines invoking docker commands inside node images may fail. Monitoring agents using Docker socket also need migration.

Migrating with Dockershim Removal

Follow these steps to migrate a cluster:

1. Choose a CRI runtime: containerd or CRI-O.
2. Install runtime on each node.
3. Configure kubelet to use remote runtime socket.
4. Optionally install cri-dockerd for legacy Docker Engine support.

Example: install containerd on Ubuntu:

sudo apt update
sudo apt install -y containerd
sudo mkdir -p /etc/containerd
toToml
docker systemd enable containerd

Configure kubelet in /var/lib/kubelet/kubeadm-flags.env:

KUBELET_KUBEADM_ARGS="--container-runtime=remote \
  --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock"

Alternatively, install cri-dockerd adapter:

git clone https://github.com/kubernetes-sigs/cri-dockerd.git
cd cri-dockerd
go build -o cri-dockerd main.go
sudo cp cri-dockerd /usr/local/bin/
# Create systemd unit
cat <<EOF | sudo tee /etc/systemd/system/cri-docker.service
[Unit]
Description=cri dockerd service
After=network.target

[Service]
ExecStart=/usr/local/bin/cri-dockerd --container-runtime-endpoint fd://
Restart=always

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable cri-docker.service
sudo systemctl start cri-docker.service

Troubleshooting Dockershim Removal

If kubelet fails to start, check runtime socket path. Logs often show connection refused errors. Use crictl ps to verify CRI runtime state. Confirm systemd unit status for cri-dockerd if using Docker Engine. Validate containerd version compatibility with Kubernetes version.

Future of Dockershim Removal

With dockershim gone, developers focus on CRI features like extended metrics and sandboxing. New runtimes may emerge, but containerd and CRI-O lead in stability. Kubernetes continues to refine CRI version support.

References

• Updated: Dockershim Removal FAQ
• Dont Panic: Kubernetes and Docker
• cri-dockerd GitHub
• Kubernetes Container Runtimes
• Kubernetes CRI Documentation

Suggested Reading

• Runtime Class in Kubernetes To Pick Container Runtime Per Pod
• Image Volumes graduate to beta in Kubernetes v1.33!
• Docker CMD Command
• How to Override the CMD in a Docker Run Command
• Installing MySQL on Ubuntu: A Step-by-Step Guide

PostHashID: c4c1a701956cad68ffdb50686cc136c6b802be3e5205bc8697596cb3e2d902dd