containerd and CRI-O: the runtimes succeeding Docker in Kubernetes

containerd (donated to the CNCF in March 2017) and CRI-O (Red Hat, 2016-2017): container runtimes extracted from Docker and designed for Kubernetes via the Container Runtime Interface (CRI). The market shift beyond docker-in-k8s.


Separating runtime from client

Docker won the first phase of the container movement (2013-2016), but its monolithic design (CLI + daemon + image management + runtime + networking) creates friction as Kubernetes grows as an orchestrator. The low-level components that actually run containers can be extracted and standardised.

In March 2017 Docker donates containerd to the CNCF as an Incubating project (Graduated 2019). containerd is Docker’s core runtime: it manages the container lifecycle (create, start, stop, exec, filesystem snapshot) and OCI image pull, without the Docker CLI or high-level features.

In parallel Red Hat and a consortium (Intel, SUSE, Hyper) develop CRI-O as a Kubernetes-specific runtime: a clean implementation of K8s’s Container Runtime Interface (CRI), without broader ambitions. First 1.0.0 release in October 2017.

Container Runtime Interface (CRI)

Kubernetes 1.5 (2016) introduced CRI: a standard gRPC API between the kubelet and the container runtime. It enables the pluggable runtime model:

  • kubelet speaks CRI
  • The runtime (containerd, CRI-O, or the dockershim bridge to Docker) implements CRI
  • K8s is no longer tied to Docker

containerd — from Docker to standalone

containerd 1.0 (December 2017) is a Go binary with:

  • gRPC API with built-in CRI plugin
  • OCI image pull/push
  • Snapshot plugins (overlayfs, btrfs, zfs, native)
  • ctr, a minimal debug CLI
  • Plugin architecture for extensions

containerd becomes the default runtime in many managed Kubernetes distributions (GKE, AKS, EKS, OpenShift 4.x) progressively through 2020-2022.

CRI-O — designed for K8s

CRI-O is smaller than containerd, designed to do only what K8s asks via CRI:

  • Image pull/unpack
  • Pod sandbox management
  • Container lifecycle
  • Streaming server for kubectl exec/attach/logs

It is the default runtime of OpenShift 4 and Fedora CoreOS. Apache 2.0 licence.

“dockershim deprecation”

In December 2020 Kubernetes announces the removal of dockershim (the bridge allowing Docker as runtime) in K8s 1.24 (April 2022). The message: Kubernetes 1.24+ no longer uses Docker directly. Clusters must use containerd, CRI-O, or another CRI implementation. Practical impact for end users is minimal (docker build still works, OCI images are identical), but it symbolically marks the end of the “docker in K8s” era.
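
An added example, not part of the original article: one way to find the nodes affected by the dockershim removal, by reading the runtime each kubelet reports in the output of `kubectl get nodes -o json`. The node names and versions in the sample are constructed, and the `action` labels are this example's own.

```python
import json
import re

DOCKERSHIM_REMOVED = (1, 24)  # per the article: dockershim is gone from K8s 1.24

# Constructed sample in the shape of `kubectl get nodes -o json` (not real data).
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {
        "kubeletVersion": "v1.23.5",
        "containerRuntimeVersion": "docker://20.10.7"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {
        "kubeletVersion": "v1.24.1",
        "containerRuntimeVersion": "containerd://1.6.8"}}},
    {"metadata": {"name": "node-c"}, "status": {"nodeInfo": {
        "kubeletVersion": "v1.23.5",
        "containerRuntimeVersion": "cri-o://1.23.2"}}},
]})

def kubelet_minor(version):
    """Turn 'v1.23.5' (or a vendor-suffixed variant) into (1, 23)."""
    m = re.match(r"v?(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def classify(node):
    """Report one node's runtime and whether the 1.24 upgrade affects it."""
    info = node["status"]["nodeInfo"]
    # containerRuntimeVersion has the form '<runtime>://<version>'.
    runtime, _, runtime_version = info["containerRuntimeVersion"].partition("://")
    if runtime != "docker":
        action = "none"
    elif kubelet_minor(info["kubeletVersion"]) < DOCKERSHIM_REMOVED:
        action = "migrate-before-1.24"
    else:
        action = "review"  # docker reported although dockershim no longer exists
    return {"node": node["metadata"]["name"], "runtime": runtime,
            "runtime_version": runtime_version,
            "kubelet": info["kubeletVersion"], "action": action}

def audit(nodes_json):
    """Classify every node in a `kubectl get nodes -o json` document."""
    return [classify(n) for n in json.loads(nodes_json)["items"]]

if __name__ == "__main__":
    for row in audit(SAMPLE_NODES):
        print("{node:10} {runtime:12} {kubelet:10} {action}".format(**row))
```

To audit a live cluster, pass the text produced by `kubectl get nodes -o json` to `audit()` instead of the sample.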

In the Italian context

Adoption followed managed K8s distributions: for those using GKE, AKS, EKS or OpenShift, the switch was silent. For self-hosted K8s deployments, the Docker → containerd or CRI-O migration was planned in 2021-2022.


References: containerd donated to CNCF (March 2017), Graduated (2019). CRI-O 1.0 (October 2017), Red Hat-led. Kubernetes CRI (1.5, 2016). Dockershim deprecation (announced December 2020, removed in K8s 1.24 April 2022). OpenShift 4 uses CRI-O.
