Primary OCI runtimes used with container engines
The OCI runtime (https://opencontainers.org) is the executable that a container engine launches to configure the Linux kernel and its subsystems for a container; its last step is to launch the container itself. The OCI runtime reads the OCI runtime-specification JSON file (config.json), configures the namespaces, security controls, and cgroups it describes, and finally starts the container process.
runc
runc is the original OCI runtime (https://github.com/opencontainers/runc). When the OCI was first formed, Docker donated runc to the OCI to serve as the default implementation of an OCI runtime.
| Command | Description |
|---|---|
| checkpoint | Checkpoints a running container. |
| create | Creates a container. |
| delete | Deletes any resources held by the container; often used with detached containers. |
| events | Displays container events such as OOM notifications and CPU, memory, and IO usage statistics. |
| init | Initializes the namespaces and launches the process. |
| kill | Sends the specified signal (default: SIGTERM) to the container's init process. |
| list | Lists containers started by runc with the given root. |
| pause | Suspends all processes inside the container. |
| ps | Displays the processes running inside a container. |
| restore | Restores a container from a previous checkpoint. |
| resume | Resumes all processes that have previously been paused. |
| run | Creates and runs a container. |
| spec | Creates a new specification file. |
| start | Executes the user-defined process in a created container. |
| state | Outputs the state of a container. |
| update | Updates container resource constraints. |
crun
crun describes itself as a fast and lightweight OCI runtime (https://github.com/containers/crun). crun supports all of the same commands and options as runc, and the crun executable is many times smaller than runc's.
kata
Kata Containers is an open source container runtime (https://katacontainers.io) that builds lightweight virtual machines which plug seamlessly into the container ecosystem.
gVisor
The gVisor website advertises it as an application kernel for containers that provides efficient defense-in-depth anywhere. gVisor is a sandboxed container runtime (https://gvisor.dev) that implements the OCI runtime specification.
Reference
- Podman in Action: The Next Generation of Container Engines (Dan Walsh)
Disclaimer
- Licensed under CC BY-NC 4.0
- Copyright issue feedback: me#imzye.me (replace # with @)
- Not all of the commands and scripts have been tested in a production environment; use at your own risk
- No private information is collected here