Container Runtime

A container runtime is the software component that actually creates and runs containers from an OCI image. It manages namespaces, cgroups, mount points, capabilities, and the container process lifecycle. Higher-level tools (Docker, Kubernetes) delegate the final "run this container" step to a runtime.

Two levels of runtime

  • High-level runtime. Pulls images, manages the local image store and snapshots, exposes an API. Examples: containerd, CRI-O.
  • Low-level (OCI) runtime. Implements the OCI Runtime Specification: take a filesystem bundle + config, set up namespaces and cgroups, exec the entrypoint. Examples: runc, crun, youki.
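The "filesystem bundle + config" that a low-level runtime consumes is a directory holding a rootfs and a config.json. The following is an added example, not code from runc, crun or this page, that builds such a config.json with hardened defaults and audits a config for settings that weaken the isolation the runtime would otherwise enforce. Field names follow the OCI Runtime Specification; the default values approximate what `runc spec` emits but are hand-written here, and the host uid/gid range used for the user-namespace mapping (100000 to 165535) is an assumption.

```python
"""Build and audit a minimal OCI runtime config.json (added example, not runc's code)."""
import json
from typing import Dict, List, Sequence

OCI_VERSION = "1.0.2"

# Namespaces a typical runc/crun container gets; "user" is added for rootless-style configs.
DEFAULT_NAMESPACES = ["pid", "ipc", "uts", "mount", "network"]

# Capability set approximating the `runc spec` default (hand-written assumption).
DEFAULT_CAPS = ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]

# Capabilities that largely negate container isolation when left in the bounding set.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                  "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}

# Kernel interfaces runc hides or makes read-only inside the container by default.
MASKED_PATHS = ["/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats",
                "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug",
                "/proc/scsi", "/sys/firmware"]
READONLY_PATHS = ["/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger"]


def make_config(args: Sequence[str], rootfs: str = "rootfs", *, user_ns: bool = True,
                readonly_rootfs: bool = True, no_new_privs: bool = True,
                extra_caps: Sequence[str] = ()) -> Dict:
    """Return an OCI runtime config dict; the keyword defaults are the hardened choices."""
    namespaces = DEFAULT_NAMESPACES + (["user"] if user_ns else [])
    caps = sorted(set(DEFAULT_CAPS) | set(extra_caps))
    linux: Dict = {
        "namespaces": [{"type": ns} for ns in namespaces],
        "maskedPaths": MASKED_PATHS,
        "readonlyPaths": READONLY_PATHS,
    }
    if user_ns:
        # Map container uid/gid 0 onto an unprivileged host range (assumed range).
        mapping = [{"containerID": 0, "hostID": 100000, "size": 65536}]
        linux["uidMappings"] = mapping
        linux["gidMappings"] = mapping
    return {
        "ociVersion": OCI_VERSION,
        "process": {
            "terminal": False,
            "user": {"uid": 0, "gid": 0},
            "args": list(args),
            "env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
            "cwd": "/",
            "capabilities": {"bounding": caps, "effective": caps, "permitted": caps},
            "noNewPrivileges": no_new_privs,
        },
        "root": {"path": rootfs, "readonly": readonly_rootfs},
        "hostname": "sandbox",
        "mounts": [
            {"destination": "/proc", "type": "proc", "source": "proc"},
            {"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
             "options": ["nosuid", "strictatime", "mode=755", "size=65536k"]},
        ],
        "linux": linux,
    }


def audit(config: Dict) -> List[str]:
    """Flag config.json settings that weaken the isolation the runtime would enforce."""
    findings: List[str] = []
    linux = config.get("linux", {})
    ns = {n.get("type") for n in linux.get("namespaces", [])}
    for required in ("pid", "mount", "network"):
        if required not in ns:
            findings.append(f"missing {required} namespace")
    proc = config.get("process", {})
    bounding = set(proc.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & DANGEROUS_CAPS):
        findings.append(f"{cap} in bounding set")
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is not set")
    if not config.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")
    if proc.get("user", {}).get("uid", 0) == 0 and "user" not in ns:
        findings.append("runs as uid 0 without a user namespace")
    return findings


def to_json(config: Dict) -> str:
    """Serialize the config as the runtime expects to find it in <bundle>/config.json."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    hardened = make_config(["/bin/sh"])
    print(to_json(hardened))
    weak = make_config(["/bin/sh"], user_ns=False, readonly_rootfs=False,
                       no_new_privs=False, extra_caps=["CAP_SYS_ADMIN"])
    for finding in audit(weak):
        print("WEAK:", finding)
```

Write the output to `config.json` beside an unpacked `rootfs/` and the bundle can be started with `runc run -b <bundle-dir> <container-id>` (or `crun run`); with the user namespace enabled, the rootfs must be readable by the mapped host uid range. `runc spec` produces the real reference config to diff against. Note that the audit reads only the config: a seccomp profile, an AppArmor or SELinux label, and cgroup limits are separate keys that a production config should also carry.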

Common runtimes

  • runc. Reference OCI runtime, written in Go; used by containerd and CRI-O. The container shares the host kernel, so its isolation is exactly what the bundle's config.json asks for: namespaces, cgroups, the capability bounding set, seccomp and LSM profiles, masked /proc paths.
  • crun. Lighter C implementation of the OCI spec with faster container start; the default for Podman on Fedora and RHEL.
  • gVisor (runsc). Google's user-space kernel (the "Sentry") that services the container's system calls itself, so the host kernel sees a much smaller syscall surface. The cost is syscall and I/O throughput, and a workload that needs a syscall gVisor has not implemented will fail.
  • Kata Containers. Runs each container (each pod, under Kubernetes) in a lightweight VM with its own guest kernel, so a kernel compromise inside the container is bounded by the VM rather than by the shared host kernel.
  • Firecracker. AWS's microVM monitor, used under Lambda and Fargate. It is a VMM rather than an OCI runtime on its own; Kata Containers can use it as its hypervisor.
  • Wasmtime / wasmer with WASI. Emerging class of WebAssembly runtimes for sandboxed workloads. They rely on the Wasm module's memory-safety model and the capability-based WASI interface rather than on Linux namespaces; containerd can drive them through runwasi shims.

Kubernetes CRI

Kubernetes does not call low-level runtimes directly; the kubelet speaks the Container Runtime Interface (CRI) to a high-level runtime, which then drives the low-level runtime. The default for most clusters is containerd plus runc. A pod opts into a different low-level runtime, such as gVisor or Kata, through a RuntimeClass whose handler name matches a runtime entry in the CRI runtime's configuration; a pod with no runtimeClassName gets the default runtime.
