Docker vs CRI vs ContainerD vs RunC
A container is created. What is the first term that comes to mind? Docker? Perfect!!

We all know that Docker and Kubernetes are the two legendary platforms ruling the container ecosystem. To make things interoperable, several standards are followed during the creation of containerized processes.
Whenever we see a containerized process, our mind automatically maps it to just Kubernetes and Docker. But there is more to it than that.
How do Docker and Kubernetes work together? This article is about what happens behind the scenes.
To understand the process, the following questions have to be answered first.
What is CRI?
ContainerD vs CRI-O?
What is OCI?
What is runc?
Finally, how are containerized processes created?
What is CRI?
CRI (Container Runtime Interface) is a Kubernetes API. Kubernetes uses CRI to communicate with all the major runtimes. When I say runtime, it refers not only to Docker engines but to any CRI-compatible runtime, such as containerd, CRI-O, etc.
ContainerD vs CRI-O?
containerd is a CRI-compliant runtime from Docker, while CRI-O is a CRI-compliant runtime from Red Hat. When it comes to CPU usage and memory latency, containerd has the upper hand, while CRI-O wins hands down when it comes to file system operations. Let's discuss the performance comparison in more detail some other time.
What is OCI?
OCI is an abbreviation of Open Container Initiative. It offers specifications and open standards for containers.
What is runc?
runc is a lightweight, portable, OCI-compliant container runtime tool for spawning and running containers.
Now let's see how Docker works along with Kubernetes to spawn a container.

How are containerized processes created?
When we interact with the Docker UI, the Docker engine communicates with containerd (Container-D), which is responsible for the complete container life cycle (from image storage to execution).
At the same time, Kubernetes looks for a CRI-compliant runtime and chooses a compatible one, which can be containerd (or CRI-O). Let's focus on containerd here.
containerd has the responsibility to pull and store the images, while the OCI-compliant runc integrates the required components for Docker to interact with the host system. Then runc spawns and runs the containers. Tadaa, containers are here :) That's it!!
runc is a low-level runtime that has native support for Linux security features like AppArmor and also offers full Linux namespace support. Of course, it has native support for Windows 10 containers as well.
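The namespaces and the AppArmor profile that runc applies are requested in the OCI runtime spec file (config.json) that the higher-level runtime hands to it. The following is an added example, not code from this article or from the runc project: it checks such a spec for isolation settings that were left out. The function name `audit_oci_spec`, the finding labels and the sample config are assumptions constructed for illustration.

```python
import json

# Namespace types defined by the OCI runtime spec for Linux containers.
OCI_NAMESPACES = {"pid", "network", "mount", "ipc", "uts", "user", "cgroup"}

# Constructed sample: a trimmed config.json of the kind runc reads from a bundle.
SAMPLE_CONFIG = """
{
  "ociVersion": "1.0.2",
  "process": {
    "args": ["sleep", "3600"],
    "noNewPrivileges": false,
    "apparmorProfile": ""
  },
  "root": {"path": "rootfs", "readonly": false},
  "linux": {
    "namespaces": [
      {"type": "pid"}, {"type": "mount"}, {"type": "ipc"}, {"type": "uts"},
      {"type": "network", "path": "/proc/1234/ns/net"}
    ]
  }
}
"""

def audit_oci_spec(spec: dict) -> list:
    """Return findings for isolation features the spec does not ask runc to apply."""
    findings = []
    process = spec.get("process", {})
    linux = spec.get("linux", {})
    requested = {ns.get("type") for ns in linux.get("namespaces", [])}
    # A namespace type that is not listed is inherited from the process that ran runc.
    for ns in sorted(OCI_NAMESPACES - requested):
        findings.append(f"namespace-not-isolated:{ns}")
    if not process.get("apparmorProfile"):
        findings.append("no-apparmor-profile")
    if not process.get("noNewPrivileges", False):
        findings.append("no-new-privileges-off")
    if "seccomp" not in linux:
        findings.append("no-seccomp-filter")
    if not spec.get("root", {}).get("readonly", False):
        findings.append("rootfs-writable")
    return findings

if __name__ == "__main__":
    for finding in audit_oci_spec(json.loads(SAMPLE_CONFIG)):
        print(finding)
```

A namespace entry with a `path` joins an existing namespace rather than creating a new one, so it still counts as requested here.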
So the next time someone says container, let your mind visualize it as Docker daemon + containerd + runc. Perfect?