Skip to content

Primary OCI runtimes used with container engines

The OCI runtime (https://opencontainers.org) is the executable launched by container engines used to configure the Linux kernel and subsystems to run the kernel, it’s last step is to launch the container. The OCI runtime reads the OCI runtime-specification JSON file and then configures the namespaces, security controls, and cgroups, and eventually starts the container process.

runc

runc is the original OCI runtime (https://github.com/opencontainers/runc). When the OCI originally formed, Docker donated the runc to the OCI to serve as the default implementation of an OCI runtime.

CommandDescription
checkpointCheckpoint a running container
createCreates a container
deleteDeletes any resources held by the container often used with detached containers.
eventsDisplays container events such as OOM notifications, CPU, memory, and IO usage statistics.
initInitializes the namespaces and launches the process.
killSends the specified signal (default: SIGTERM) to the container’s init process.
ListLists containers started by runc with the given root.
pauseSuspends all processes inside the container.
psDisplays the processes running inside a container.
restoreRestores a container from a previous checkpoint.
resumeResumes all processes that have been previously paused.
runCreates and runs a container.
specCreates a new specification file.
startExecutes the user defined process in a created container
stateOutputs the state of a container.
updateUpdates container resource constraints.

crun

crun describes itself as a fast and lightweight OCI runtime (https://github.com/containers/crun). crun supports all of the same commands and options as runc. crun executable is many times smaller than runc.

kata

kata Containers is an open source container runtime (https://katacontainers.io), building lightweight virtual machines that seamlessly plug into the container’s ecosystem.

gVisor

The gVisor website advertises itself as an application kernel for containers that provides efficient defense-in-depth anywhere. gVisor is a sandboxed container runtime (https://gvisor.dev), which is a sandboxed container runtime that implements the OCI runtime specification.

Reference

  • Podman in Action The next generation of container engines (Dan Walsh)

Disclaimer
  1. License under CC BY-NC 4.0
  2. Copyright issue feedback: dig +short txt issue.imzye.com
  3. Not all the commands and scripts are tested in production environment, use at your own risk
  4. No privacy information is collected here
Buy Me a Coffee