Demystifying Containers

About Me

saschagrunert

mail@

.de

About the Series

series of blog posts and corresponding talks
all about containers from a historic perspective

Part II: Container Runtimes

historic background

runc

CRI-O

What is a Container Runtime?

systemd-nspawn, NixOS containers

CRI-O, Kata Containers, Firecracker, gVisor, containerd, LXC, runc, Nabla Containers

A brief History

2008

Linux Containers (LXC)

cgroup and namespace technologies for

isolated applications

Let Me Contain That For You

(LMCTFY)

API driven configuration

hiding the internals of cgroups

2013

Docker

package containers into images

containers should be a standard software unit

libcontainer

main container management part of docker

LMCTFY benefits migrated into libcontainer

2015

Kubernetes 1.0

OCI Runtime Specification

API for developing container runtimes

direct interface to libcontainer

used by CRI-O, podman, containerd (Docker), ...

Running Containers

OCI configuration is described as JSON

runc is a low-level container runtime

security features already supported:

AppArmor, seccomp, SELinux

rootless mode possible

The Kubernetes

Container Runtime Interface (CRI)

2016

standard API for container runtimes

Kubelet connects via gRPC to the container runtime

// Runtime service defines the public APIs for remote container runtimes
service RuntimeService {
    rpc CreateContainer (...) returns (...) {}
    rpc ListContainers  (...) returns (...) {}
    rpc RemoveContainer (...) returns (...) {}
    rpc StartContainer  (...) returns (...) {}
    rpc StopContainer   (...) returns (...) {}

    rpc ListPodSandbox  (...) returns (...) {}
    rpc RemovePodSandbox(...) returns (...) {}
    rpc RunPodSandbox   (...) returns (...) {}
    rpc StopPodSandbox  (...) returns (...) {}
}

Workload creation in Kubernetes starts with PodSandbox setup