Foundation
- OCI: Open Container Initiative, founded by Docker, CoreOS, and others. Two specifications: image-spec and runtime-spec.
- CRI: Container Runtime Interface, enables the kubelet to use different runtimes.
- CNI: Container Network Interface.
Container Runtimes
High-level runtimes often incorporate low-level runtimes that are otherwise standalone projects.
If tomorrow you get the urge to add your own container project to the ever-growing jungle, you should make it OCI-, CRI- and CNI-compliant.
![](https://t3735202.p.clickup-attachments.com/t3735202/ae6744f8-648a-48ac-bc38-b3304d5fe120/image.png)
Figure 1: Docker vs. containerd in a Kubernetes context. The dockershim and cri-containerd implementations make the respective APIs CRI-compliant by translating calls back and forth.
![](https://t3735202.p.clickup-attachments.com/t3735202/87264a3f-bf61-4060-9abf-c4c6442973e8/image.png)
Figure 2: containerd allows for the usage of multiple low-level container runtimes, which can be used in Kubernetes interchangeably based on the requirements for a specific application. In this case, Kata is used to run untrusted containers.
cri-o
![](https://t3735202.p.clickup-attachments.com/t3735202/ef578bd5-1808-44e3-a65e-63a79d194386/image.png)
- runc = libcontainer + ..; runc runs an OCI container image directly.
- rkt (high level, obsolete): did not rely on a daemon.
- lxc: virtual environment that does not emulate the hardware. The focus of Linux Containers is base images (e.g. Ubuntu) rather than application-tailored images.
- singularity: focuses on High Performance Computing. Uses the Singularity Image Format (SIF), but also supports OCI/CRI.
VM-like Container Runtimes
Unikernels only contain the parts of the OS they need and get deployed on top of a hypervisor/VMM. Monitoring and debugging capabilities are very limited. No toolchains officially available.
Nabla Containers: 7 syscalls used, not OCI compliant, CRI compliant (runnc).
![](https://t3735202.p.clickup-attachments.com/t3735202/b74b1bbc-d8c0-4f9d-8c80-a9ec88fc9061/image.png)
Kata Containers: OpenStack project, OCI compliant, CRI compliant, CNI compliant. As every container is started inside a new VM (managed by QEMU), Kata provides an optimized base VM image to speed up boot times for them.
![](https://t3735202.p.clickup-attachments.com/t3735202/af5f3a44-0065-4c90-9141-4bb3caa6db00/image.png)
Firecracker: Amazon project, FaaS, VMM that uses KVM to create microVMs. Efforts:
- Firecracker instead of QEMU as VMM for Kata Containers
- firecracker-containerd mapper allows containerd to run containers as microVMs
gVisor: Google project, runsc, OCI compliant. Components: Sentry and Gofer. Sentry is the central user-space OS kernel that the untrusted application uses. Not every system call, /proc or /sys file is implemented.
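As an added example (not part of the original notes), this is how the runtime layering in Figure 2 and the Kata/gVisor sections above is exposed to a Kubernetes user: a RuntimeClass maps a name to a containerd runtime handler, and a Pod opts in with runtimeClassName, so only the workloads that need VM-level isolation pay the boot-time and memory cost. The handler names kata and runsc are assumed to match runtime entries already configured on the node's containerd (that containerd-side config is not shown); the namespace, pod name and image reference are constructed placeholders.

```yaml
# Added example: selecting a VM-like runtime per pod via RuntimeClass.
# Assumes containerd on the node has runtime handlers named "kata" and "runsc".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-qemu
handler: kata            # containerd runtime handler name (must exist on the node)
overhead:                # resources the VM itself consumes, accounted per pod
  podFixed:
    memory: "160Mi"
    cpu: "250m"
scheduling:
  nodeSelector:
    runtime.kata: "true" # constructed label: only nodes with Kata installed
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc           # gVisor's OCI runtime
---
# Untrusted workload: runs inside a Kata VM; pods without runtimeClassName keep using runc.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job    # constructed name
  namespace: sandbox     # constructed namespace
spec:
  runtimeClassName: kata-qemu
  containers:
  - name: worker
    image: example.invalid/untrusted:latest   # placeholder image reference
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```

The kubelet forwards the handler name in the CRI RunPodSandbox request, which is the point at which containerd (or cri-o) chooses the low-level runtime; this is why a runtime only needs to ship a CRI-visible handler, not a Kubernetes integration of its own. A practical check after applying this: the pod should land only on nodes carrying the selector label, and a process listing on that node should show a QEMU (or runsc) process for the sandbox rather than a plain runc container.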
Source:
and other open source sites.