It’s Time to Migrate your Container Runtime, Kubernetes 1.24 is coming

Container Runtime History

The container runtime sits at the bottom of the Kubernetes architecture and defines how Pods and their containers run programs.

  • Decouple the kubelet from the actual container runtime implementation, accelerating iteration
  • Give community developers the ability to customize implementations. This culminated in the container runtime interface (CRI), which lets system components (like the kubelet) talk to container runtimes in a standardized way.
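Before the Kubernetes 1.24 switch from dockershim to a CRI runtime, the first question is which nodes and workloads still depend on Docker. The following shell script is an added example, not code from the article or from any of the projects it names: it runs two kubectl jsonpath queries (the templates are real) over constructed sample output and flags nodes that report a docker:// runtime and pods that hostPath-mount /var/run/docker.sock, which stop working once dockershim is gone and are also worth knowing about for their own sake. The node and pod names in the sample are made up.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a cluster for
# dockershim dependencies before moving nodes to a CRI runtime.
#
# Two things a platform or security team wants to know before the swap:
#   1. which nodes still report a docker:// runtime to the kubelet
#   2. which pods hostPath-mount the Docker socket (they stop working once
#      dockershim is gone, and a writable docker.sock is root on the node)
#
# The kubectl jsonpath templates are real; the sample output is constructed
# so the script runs offline. Pass --live to query a real cluster instead.

NODES_JSONPATH='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}'
PODS_JSONPATH='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\t"}{range .spec.volumes[*]}{.hostPath.path}{" "}{end}{"\n"}{end}'

# Constructed sample of `kubectl get nodes -o jsonpath="$NODES_JSONPATH"`.
SAMPLE_NODES=$(printf 'control-plane-1\tcontainerd://1.6.4\nworker-1\tdocker://20.10.12\nworker-2\tcri-o://1.23.2\nworker-3\tdocker://19.03.15\n')

# Constructed sample of `kubectl get pods -A -o jsonpath="$PODS_JSONPATH"`.
# Volumes without a hostPath print as empty strings, hence the stray spaces.
SAMPLE_PODS=$(printf 'kube-system/kube-proxy-abc12\t/lib/modules /run/xtables.lock \nci/jenkins-agent-0\t/var/run/docker.sock \nmonitoring/cadvisor-xyz\t/var/lib/docker /var/run/docker.sock  \ndefault/web-7f9\t  \n')

# Print the names of nodes whose kubelet still runs through dockershim.
find_docker_nodes() {
    awk -F'\t' '$2 ~ /^docker:\/\// { print $1 }'
}

# Print namespace/pod for every pod that mounts the Docker socket from the host.
find_docker_socket_pods() {
    awk -F'\t' '{
        n = split($2, v, " ")
        for (i = 1; i <= n; i++)
            if (v[i] == "/var/run/docker.sock") { print $1; break }
    }'
}

# Count nodes per runtime family: "containerd 1", "docker 2", ...
runtime_summary() {
    awk -F'\t' '{ split($2, r, "://"); c[r[1]]++ } END { for (k in c) print k, c[k] }' | sort
}

if [ "${1:-}" = "--live" ]; then
    nodes=$(kubectl get nodes -o jsonpath="$NODES_JSONPATH")
    pods=$(kubectl get pods -A -o jsonpath="$PODS_JSONPATH")
else
    nodes=$SAMPLE_NODES
    pods=$SAMPLE_PODS
fi

echo "Runtime summary:";           printf '%s\n' "$nodes" | runtime_summary
echo "Nodes still on dockershim:"; printf '%s\n' "$nodes" | find_docker_nodes
echo "Pods mounting docker.sock:"; printf '%s\n' "$pods"  | find_docker_socket_pods
```

Run it without arguments to see the constructed sample processed; with --live it queries the current kubeconfig context. Nodes listed under "still on dockershim" need their kubelet repointed at a CRI socket before upgrading, and the listed pods need a CRI-aware replacement for whatever they used the Docker socket for.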

Container Runtime Comparison

A container runtime, also known as a container engine, is a software component that can run containers on a host operating system. In a containerized architecture, container runtimes are responsible for loading container images from a repository, monitoring local system resources, isolating system resources for use by a container, and managing the container lifecycle. The creation of the OCI specification also provided the freedom to replace the container runtime beyond the Docker daemon: a container runtime only needs to understand the OCI format to be able to run the container.

Low-Level Container Runtimes/ OCI Runtimes

Low-level runtimes are responsible for the mechanics of actually creating and running a container. Once the containerized process runs, the container runtime is not required to perform other tasks, because low-level runtimes abstract the Linux primitives and are not designed to do anything beyond that. Low-level runtimes create and run “the container.”

Native runtimes

The most popular low-level runtimes include:

  • runC — created by Docker and the OCI. It is now the de-facto standard low-level container runtime. runC is written in Go. It is maintained under moby — Docker’s open source project.
  • crun — an OCI implementation led by Red Hat. crun is written in C. It is designed to be lightweight and performant, and was among the first runtimes to support cgroups v2.

Sandboxed and virtualized runtimes

In addition to native runtimes, which run the containerized process on the same host kernel, there are some sandboxed and virtualized implementers of the OCI spec:

CRI/High Level Runtime

High-level runtimes are responsible for transport and management of container images, unpacking the image, and passing off to the low-level runtime to run the container. Typically, high-level runtimes provide a daemon application and an API that remote applications can use to logically run containers and monitor them but they sit on top of and delegate to low-level runtimes or other high-level runtimes for the actual work.

  • containerd — Extracted from the early docker source code, it is also the current industry-standard container runtime.
  • CRI-O — an open-source implementation of Kubernetes’ container runtime interface (CRI), offering a lightweight alternative to rkt and Docker.

CRI-O

CRI-O is the CRI implementation provided by Kubernetes. By default, cri-o uses runC as its OCI runtime, but on recent Red Hat Fedora installations (with cgroups v2) it will use crun. Since it has full OCI compatibility, cri-o works out of the box with low-level runtimes such as Kata without any additional pieces and with minimal configuration.

Containerd

Extracted from the early docker source code, containerd is the current industry-standard container runtime. By default it uses runC under the hood. Like the rest of the container tools that originated from Docker, it is the current de-facto standard CRI.
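containerd's choice of runC as the default handler, and the way a sandboxed runtime such as Kata plugs in beside it, is all expressed in /etc/containerd/config.toml. The script below is an added example, not from the article nor from the containerd or Kubernetes projects: it renders a minimal containerd CRI config with a runc handler and a kata handler, renders the kubelet side, and checks the one setting that most often breaks a runtime migration, the cgroup driver, which must agree on both sides. The config keys are the real ones from containerd's CRI plugin and the KubeletConfiguration API; the node values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or from containerd/Kubernetes: render a
# minimal containerd CRI config with a native runc handler and a sandboxed
# kata handler, render the kubelet side, and check that both sides agree on
# the cgroup driver. Config keys are real; node values are constructed.

# Content for /etc/containerd/config.toml. $1 is "systemd" or "cgroupfs".
render_containerd_config() {
    if [ "$1" = "systemd" ]; then systemd=true; else systemd=false; fi
    cat <<EOF
version = 2
[plugins."io.containerd.grpc.v1.cri".containerd]
  default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = $systemd
# Sandboxed handler: a Pod opts in via a RuntimeClass whose handler is "kata".
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
EOF
}

# KubeletConfiguration for the same node. $1 is the cgroup driver. The CRI
# endpoint itself is given on the kubelet command line:
#   --container-runtime-endpoint=unix:///run/containerd/containerd.sock
render_kubelet_config() {
    cat <<EOF
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: $1
EOF
}

# Read the effective cgroup driver back out of each rendered config.
containerd_cgroup_driver() {
    awk '$1 == "SystemdCgroup" { d = ($3 == "true") ? "systemd" : "cgroupfs"; print d }'
}
kubelet_cgroup_driver() {
    awk '$1 == "cgroupDriver:" { print $2 }'
}

# Return 0 when containerd and the kubelet agree, 1 otherwise. A mismatch does
# not fail at install time; it shows up later as pods that fail to start.
check_cgroup_drivers() {
    if [ "$1" = "$2" ]; then
        echo "ok: containerd and kubelet both use the $1 cgroup driver"
        return 0
    fi
    echo "MISMATCH: containerd=$1 kubelet=$2"
    return 1
}

# Demo on a constructed node where containerd was set up for systemd but the
# kubelet config still says cgroupfs.
cd_driver=$(render_containerd_config systemd | containerd_cgroup_driver)
kl_driver=$(render_kubelet_config cgroupfs | kubelet_cgroup_driver)
check_cgroup_drivers "$cd_driver" "$kl_driver" ||
    echo "fix: set SystemdCgroup and cgroupDriver to the same driver, then restart containerd and the kubelet"
```

Pods select the kata handler through a RuntimeClass object whose handler field is kata; everything else keeps using runc, exactly as the article describes for containerd's default. On cgroups v2 hosts the systemd driver is the one to use on both sides.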

Container Engines

You may notice in reading the above that Docker is not a CRI or OCI implementation but uses both (via containerd and runC). In fact, it has additional features like image building and signing that are out of scope of either CRI or OCI specs. So where does this fit in?

  • podman — image running
  • buildah — image building
  • skopeo — image distribution

Summary

Inder Singh

Enterprise Modernization, Platforms & Cloud | CKA | CKS | 3*AWS | GCP | Vault | Istio | EFK | CICD | https://www.linkedin.com/in/inder-pal-singh-6a203b66/