Understanding the Removal of Dockershim in Kubernetes v1.24 and Its Alternatives

Kubernetes announced in the v1.20 release that the built‑in dockershim will be removed starting with version v1.24. After removal, the Docker Engine can no longer be used directly as a container runtime; users must install cri-dockerd if they still need Docker compatibility. This article explains the background, reasons, and migration path.

Why dockershim is removed

In early Kubernetes versions (before v1.5) only Docker Engine was supported. To allow other runtimes, Kubernetes introduced the Container Runtime Interface (CRI) in v1.5. Because Docker did not implement CRI, the project added a special shim (dockershim) to bridge the gap. Dockershim became a temporary solution that lengthened the call chain and added maintenance burden, so it is being deprecated.

What replaces Docker

After removal, Kubernetes can use any CRI‑compatible runtime such as containerd or CRI‑O . Major cloud providers have already switched:

AWS EKS: from version 1.24 the AMI ships only containerd as the runtime.

Alibaba Cloud ACK: requires migration to containerd for Kubernetes 1.24 and later.

If you still need Docker, you must install cri-dockerd and configure the kubelet to point to it.

Common questions after deprecation

Existing Docker images continue to work; they are compatible with any CRI implementation.

Private images also work; CRI runtimes support the same pull secrets as Docker.

When switching runtimes, pay attention to log configuration, resource limits, scripts that call Docker directly, registry mirrors, and any external tools that depend on Docker.

Debugging with containerd

Containerd does not provide the Docker CLI, but the crictl and ctr tools offer similar functionality.

Installation of crictl

# ctr is installed automatically with containerd, no extra steps needed.
# Install crictl
VERSION="v1.24.0"
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${VERSION}/crictl-${VERSION}-linux-amd64.tar.gz
sudo tar zxvf crictl-${VERSION}-linux-amd64.tar.gz -C /usr/local/bin
rm -f crictl-${VERSION}-linux-amd64.tar.gz
# Configure crictl to talk to containerd
crictl config runtime-endpoint unix:///var/run/containerd/containerd.sock

Typical commands:

ctr -n k8s.io images ls | grep -v '@'   # list images (containerd)
crictl images                              # list images (CRI)
ctr -n k8s.io container ls                # list containers (containerd)
crictl ps                                 # list containers (CRI)
crictl pods                               # list pods (CRI only)
crictl exec -it
${CONTAINER_ID}
bash   # exec into a container
ctr -n k8s.io task exec -t --exec-id bash_1
${CONTAINER_ID}
bash   # exec with ctr

Namespace concept in containerd

Containerd introduces a namespace (e.g., k8s.io ) under which images and containers are visible. When Docker Engine is also installed, it uses the moby namespace. Most debugging commands with crictl automatically use the k8s.io namespace, while ctr requires the -n k8s.io flag.

Command comparison

Below is a concise mapping of common Docker commands to their ctr and crictl equivalents:

Function

Docker

ctr (containerd)

crictl (Kubernetes)

List images

docker images

ctr image ls

crictl images

Pull image

docker pull

ctr image pull

crictl pull

Remove image

docker rmi

ctr image rm

crictl rmi

List containers

docker ps

ctr task ls / ctr container ls

crictl ps

Start/stop container

docker start / stop

ctr task start / kill

crictl start / stop

Exec in container

docker exec

(none)

crictl exec

View logs

docker logs

(none)

crictl logs

These tools enable full lifecycle management of containers and pods without Docker after the dockershim deprecation.

References: [1] Standard CRI – https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes [2] cri‑dockerd – https://kubernetes.io/docs/setup/production-environment/container-runtimes [3][6] Dockershim FAQ – https://kubernetes.io/zh-cn/blog/2022/02/17/dockershim-faq/ [4] AWS EKS deprecation – https://docs.aws.amazon.com/zh_cn/eks/latest/userguide/dockershim-deprecation.html [5] Alibaba Cloud migration – https://help.aliyun.com/document_detail/451213.html