containerd and CRI-O: the runtimes succeeding Docker in Kubernetes

containerd, donated to the CNCF in March 2017, and CRI-O (Red Hat, 2016-2017): container runtimes extracted from Docker and designed for Kubernetes via the Container Runtime Interface (CRI). The market shifts beyond Docker-in-K8s.


Separating runtime from client

Docker won the first phase of the container movement (2013-2016), but its monolithic design (CLI + daemon + image management + runtime + networking) creates friction as Kubernetes grows as an orchestrator. The low-level components that actually run containers can be extracted and standardised.

In March 2017 Docker donates containerd to the CNCF as an Incubating project. containerd is Docker’s core runtime: it manages the container lifecycle (create, start, stop, exec, filesystem snapshot) and OCI image pull, without the Docker CLI or high-level features.

In parallel Red Hat and a consortium (Intel, SUSE, Hyper) develop CRI-O as a Kubernetes-specific runtime: a clean implementation of K8s’s Container Runtime Interface (CRI), without broader ambitions. First 1.0.0 release in October 2017.

Container Runtime Interface (CRI)

Kubernetes 1.5 (2016) introduced CRI: a standard gRPC API between the kubelet and the container runtime. It enables the pluggable runtime model:

  • kubelet speaks CRI
  • The runtime (containerd, CRI-O, or the dockershim bridge to Docker) implements CRI
  • K8s is no longer tied to Docker

containerd — from Docker to standalone

containerd 1.0 (December 2017) is a Go binary with:

  • gRPC API with built-in CRI plugin
  • OCI image pull/push
  • Snapshot plugins (overlayfs, btrfs, zfs, native)
  • ctr, a minimal debug CLI
  • Plugin architecture for extensions

containerd is bound to become the default runtime in many managed Kubernetes distributions over the following years.

CRI-O — designed for K8s

CRI-O is smaller than containerd, designed to do only what K8s asks via CRI:

  • Image pull/unpack
  • Pod sandbox management
  • Container lifecycle
  • Streaming server for kubectl exec/attach/logs

It is the default runtime of OpenShift 4 and Fedora CoreOS. Apache 2.0 licence.

In the Italian context

Italian teams adopting K8s are watching the runtime direction: many recent deployments still start with Docker via dockershim, but CNCF’s orientation pushes toward containerd/CRI-O over the medium term.
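An added example, not taken from the article or from any of the projects it describes: a runtime inventory for planning the move off dockershim. It assumes the kubelet reports each node's runtime in status.nodeInfo.containerRuntimeVersion as "<runtime>://<version>"; the node names and versions in the sample are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `kubectl get nodes -o json`, trimmed to the fields used.
SAMPLE_NODES_JSON = """
{"items": [
  {"metadata": {"name": "worker-a"}, "status": {"nodeInfo": {"containerRuntimeVersion": "docker://17.3.2"}}},
  {"metadata": {"name": "worker-b"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.0.0"}}},
  {"metadata": {"name": "worker-c"}, "status": {"nodeInfo": {"containerRuntimeVersion": "cri-o://1.0.0"}}},
  {"metadata": {"name": "worker-d"}, "status": {}}
]}
"""

# Runtime name reported by the kubelet -> how the kubelet reaches that runtime.
PATHS = {
    "docker": "dockershim bridge to Docker",
    "containerd": "CRI (containerd)",
    "cri-o": "CRI (CRI-O)",
}

def runtime_of(node):
    """Return (runtime, version) parsed from status.nodeInfo.containerRuntimeVersion."""
    raw = node.get("status", {}).get("nodeInfo", {}).get("containerRuntimeVersion", "")
    name, sep, version = raw.partition("://")
    if not sep or not name:
        return ("unknown", "")  # field missing or not in <runtime>://<version> form
    return (name.lower(), version)

def inventory(nodes_json):
    """Group (node name, version) pairs by runtime; unparseable nodes go under 'unknown'."""
    groups = defaultdict(list)
    for node in json.loads(nodes_json).get("items", []):
        name = node.get("metadata", {}).get("name", "<unnamed>")
        runtime, version = runtime_of(node)
        groups[runtime].append((name, version))
    return dict(groups)

def needs_migration(nodes_json):
    """Names of nodes still running Docker via dockershim, sorted."""
    return sorted(name for name, _ in inventory(nodes_json).get("docker", []))

if __name__ == "__main__":
    for runtime, nodes in sorted(inventory(SAMPLE_NODES_JSON).items()):
        path = PATHS.get(runtime, "not reported or unrecognised")
        for name, version in nodes:
            print(f"{name:10} {runtime:11} {version:8} {path}")
    print("still on dockershim:", needs_migration(SAMPLE_NODES_JSON))
```

On a live cluster the same functions take the output of kubectl get nodes -o json in place of the sample string.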


References: containerd donated to CNCF (March 2017). CRI-O 1.0 (October 2017), Red Hat-led. Kubernetes CRI (1.5, 2016).
