OCI Container Runtimes

All of these container runtimes conform to the OCI runtime spec.

This page mentions how these runtimes are integrated with containerd specifically, although other tools like podman and cri-o can also use any of these runtimes.
See the containerd page for details of containerd’s shim + runtime engine architecture.

runc

https://github.com/opencontainers/runc
First donated by Docker to OCI.
runc became the reference implementation for developing the OCI runtime spec.
Default in Docker and containerd.

containerd uses the default containerd-shim-runc-v2 “runtime shim” to invoke runc.
runc is the “runtime engine”.

crun

https://github.com/containers/crun
Developed under the “containers” organisation (same as podman) by Red Hat.
Written in C.
I am not sure if a containerd shim binary is available to be used with crun.

kata-runtime

https://github.com/kata-containers/kata-containers
For hypervisor (VM) based containers.
Many hypervisors are supported, such as Firecracker, QEMU and Cloud Hypervisor.

Earlier this was runv (EOL); now it is kata-runtime, which is part of the same kata-containers project.
See software details and architecture for more details

The kata-runtime is OCI-compatible, CRI-O-compatible, and containerd-compatible, allowing it to work seamlessly with both Docker and Kubernetes.

Kata Containers 1.5 introduced the shimv2 for containerd 1.2.0, reducing the components required to spawn pods and containers (from 2N + 1 shims to 1 shim per Pod).
Now containerd can invoke kata-runtime containers using the containerd-shim-kata-v2 runtime shim.
The hypervisor acts as the runtime engine.

As of Kata Containers v3.4.0, the CRI-O + Kata setup for k8s also uses containerd-shim-kata-v2 as the runtime path while specifying the runtime type as “vm”.
An equivalent shim implementation for CRI-O is planned.

gVisor

https://github.com/google/gvisor
Provides a more isolated environment for containers than the default shared-kernel containerisation.
Read the docs to see how it differs from a VM or SELinux.

containerd can invoke gVisor based containers using containerd-shim-runsc-v1 runtime shim.
gVisor uses its own runsc runtime engine.
https://gvisor.dev/docs/user_guide/containerd/quick_start/
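
The shim pairings above follow containerd's naming rule: a runtime type of the form io.containerd.<engine>.<version> resolves to a binary named containerd-shim-<engine>-<version>. The script below is an added example, not code from containerd or any of these projects; it lists the runtime handlers in a containerd config, the shim each one resolves to, and the isolation model this page gives for it. The sample config is constructed, its table path assumes the containerd 1.x CRI plugin layout, and the line scan is a narrow stand-in for a real TOML parser.

```python
import re
import shutil

# Isolation model per runtime engine, as described on this page.
ISOLATION = {"runc": "shared host kernel", "kata": "hypervisor VM", "runsc": "gVisor sandbox"}
# Constructed sample; the table path follows the containerd 1.x CRI layout (assumption).
SAMPLE_CONFIG = '''
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
'''
HEADER = re.compile(r'^\s*\[.*\.containerd\.runtimes\.([\w-]+)\]\s*$')
RTYPE = re.compile(r'^\s*runtime_type\s*=\s*"([^"]+)"')

def shim_binary(runtime_type):
    """Map io.containerd.<engine>.<version> to containerd-shim-<engine>-<version>."""
    parts = runtime_type.split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    return f"containerd-shim-{parts[-2]}-{parts[-1]}"

def audit(config_text):
    """Return one record per runtime handler found in the config text."""
    records, handler = [], None
    for line in config_text.splitlines():
        if line.lstrip().startswith("["):  # any table header resets the handler
            m = HEADER.match(line)
            handler = m.group(1) if m else None
        elif handler and (m := RTYPE.match(line)):
            shim = shim_binary(m.group(1))
            engine = m.group(1).split(".")[-2] if shim else ""
            records.append({
                "handler": handler,
                "shim": shim,
                "isolation": ISOLATION.get(engine, "unknown, review manually"),
                "installed": bool(shim and shutil.which(shim)),  # shim found on PATH?
            })
    return records

if __name__ == "__main__":
    for record in audit(SAMPLE_CONFIG):
        print(record)
```

A handler whose shim is not on PATH, or whose isolation comes back as unknown, is worth checking before workloads are scheduled onto it.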