Demystifying Containers

About Me

About the Series

  • series of blog posts and corresponding talks
  • all about containers from a historic perspective

Part II: Container Runtimes

Historic background

What is a Container Runtime?

systemd-nspawn, NixOS containers

CRI-O, Kata Containers, Firecracker, gVisor, containerd, LXC, runc, Nabla Containers

A Brief History

Linux Containers (LXC)

cgroup and namespace technologies for isolated applications

Let Me Contain That For You


API-driven configuration

hiding the internals of cgroups



package containers into images

containers should be a standard software unit


main container management part of Docker

LMCTFY benefits migrated into libcontainer


Kubernetes 1.0

OCI Runtime Specification

API for developing container runtimes

direct interface to libcontainer

used by CRI-O, podman, containerd (Docker), ...

Running Containers

OCI configuration is described as JSON

runc is a low-level container runtime

security features already supported:

AppArmor, seccomp, SELinux

rootless mode possible
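As an added example (not part of the deck, and not runc's or the OCI project's code), a small Go program that reads the security-relevant subset of an OCI config.json and reports which hardening features are absent: seccomp, an AppArmor or SELinux profile, and the user namespace that rootless mode relies on, plus noNewPrivileges, which goes slightly beyond the list above. The field names are those of the OCI runtime spec; the sample config and the profile name are constructed.

```go
package main
import ("encoding/json"; "fmt")

// Subset of an OCI runtime-spec config.json: the fields that carry the
// security settings the deck lists for runc (seccomp, AppArmor, SELinux,
// and the user namespace that rootless mode relies on).
type ociConfig struct {
	Process struct {
		NoNewPrivileges bool   `json:"noNewPrivileges"`
		ApparmorProfile string `json:"apparmorProfile"`
		SelinuxLabel    string `json:"selinuxLabel"`
	} `json:"process"`
	Linux struct {
		Namespaces []struct{ Type string `json:"type"` }                  `json:"namespaces"`
		Seccomp    *struct{ DefaultAction string `json:"defaultAction"` } `json:"seccomp"`
	} `json:"linux"`
}

// AuditConfig parses a bundle's config.json and returns the hardening
// features that are absent, so the bundle can be checked before it is run.
func AuditConfig(raw []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(raw, &cfg); err != nil { return nil, err }
	userNS := false
	for _, ns := range cfg.Linux.Namespaces { userNS = userNS || ns.Type == "user" }
	var missing []string
	if cfg.Linux.Seccomp == nil {
		missing = append(missing, "seccomp") // no syscall filter at all
	}
	if cfg.Process.ApparmorProfile == "" && cfg.Process.SelinuxLabel == "" {
		missing = append(missing, "mac-profile") // neither AppArmor nor SELinux
	}
	if !cfg.Process.NoNewPrivileges {
		missing = append(missing, "noNewPrivileges") // setuid binaries may regain privileges
	}
	if !userNS {
		missing = append(missing, "user-namespace") // required for rootless mode
	}
	return missing, nil
}

// Constructed sample config (profile name is made up): seccomp and an AppArmor profile are set, no user namespace.
const sampleConfig = `{"process": {"noNewPrivileges": true, "apparmorProfile": "example-profile"},
 "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "net"}],
           "seccomp": {"defaultAction": "SCMP_ACT_ERRNO"}}}`
func main() {
	missing, err := AuditConfig([]byte(sampleConfig))
	fmt.Println(missing, err)
}
```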

The Kubernetes Container Runtime Interface (CRI)


standard API for container runtimes

Kubelet connects via gRPC to the container runtime

// Runtime service defines the public APIs for remote container runtimes
service RuntimeService {
    // container lifecycle
    rpc CreateContainer (...) returns (...) {}
    rpc ListContainers  (...) returns (...) {}
    rpc RemoveContainer (...) returns (...) {}
    rpc StartContainer  (...) returns (...) {}
    rpc StopContainer   (...) returns (...) {}
    // pod sandbox lifecycle
    rpc ListPodSandbox  (...) returns (...) {}
    rpc RemovePodSandbox(...) returns (...) {}
    rpc RunPodSandbox   (...) returns (...) {}
    rpc StopPodSandbox  (...) returns (...) {}
}

Workload creation in Kubernetes starts with PodSandbox setup

That’s it.


Demystifying Containers - Part II: Container Runtimes

By Sascha Grunert

A series of blog posts and talks about the world of containers