What's Running My Containers? A review of runtimes and standards.
0 likes449 views
The document discusses the evolution of container runtimes and the importance of standards in their development, emphasizing the collaborative nature of technological progress. It covers the establishment of the Open Container Initiative (OCI), the various implementations of container runtimes, and the role of Kubernetes in managing them. The ongoing work towards interoperability and standardization in container technology aims to provide a stable foundation for future advancements.
![Runtime specification
Image specification
runC implementation
Garden-runC
Guardian project
K8sCRI
*[0.2.x branch]
*[1.0 branch]
2013 2014 2015 2016 2017](https://image.slidesharecdn.com/oslscontainerruntimesandstandards-190318174326/85/What-s-Running-My-Containers-A-review-of-runtimes-and-standards-5-320.jpg)
What's Running My Containers? A review of runtimes and standards.
- 1. Phil Estes, Distinguished Engineer, IBM Cloud, @estesp What’s Running My Containers? A review of runtimes & standards
- 2. @estesp Where Wizards Stay Up Late THE ORIGINS OF THE INTERNET Katie Hafner and Matthew Lyon
- 3. @estesp Standards But the less formal meaning seemed even more fitting. “The other definition of protocol is that it’s a handwritten agreement between parties, typically worked out on the back of a lunch bag,” Cerf remarked, “which describes pretty accurately how most of the protocol designs were done.” Proclamations of officialness didn’t further the Net nearly so much as throwing technology out onto the Net to see what worked. And when something worked, it was adopted. “Standards should be discovered, not decreed,” said one computer scientist in the TCP/IP faction. Seldom has it worked any other way.
- 4. @estesp Unix/chroot BSD 1982 2000 Today2008200720062005 FreeBSD jails/Solaris zones OpenVZ Parallels Cgroups/Process Containers IBM/Google AIX Wpars IBM LXC A Brief Container History
- 5. Runtime specification Image specification runC implementation Garden-runC Guardian project K8sCRI *[0.2.x branch] *[1.0 branch] 2013 2014 2015 2016 2017
- 6. > Announced June 20th, 2015 > Charter signed on December 8th, 2015 > 37 member companies > Initial specifications reached 1.0 in June 2017 https://opencontainers.org https://github.com/opencontainers • A Linux Foundation Collaborative Project • Free from specific vendor control / an open ecosystem • Includes: ○ a runtime specification ○ reference runtime* (runc) ○ an image format specification ○ an image distribution spec (2019) *seeded with runc + libcontainer by Docker
- 7. runc Created in June 2015 > 18 releases (1.0.0-rc6 : Nov 2018) > 246 contributors > OCI maintained/governance > Used by Docker, containerd, cri-o, garden-runc, cycle.io, among others • Runc is a client wrapper around the pre-existing libcontainer library project • Runc is one implementation of the OCI runtime specification • Scope of runc is clearly limited by OCI charter: no networking, image handling/resolution, storage support • Enablement of low-level OS features happen here: ambient caps, rootless containers, new cgroup support, and so on • Daemon-less operation; wrapping code must handle any broader node and cluster level container management
- 8. @estesp A Standard Container Substrate OCI specifications Linux kernel Windows kernel Container registries Container runtimes Docker, containerd, cri-o, Kata, Firecracker, gVisor, Nabla, Singularity, ... DockerHub, OSS distribution project, Cloud registries, JFrog, ...
- 9. @estesp kubelet dockershim dockerd containerd runc https://github.com/kubernetes/kubernetes/tree/release-1.4/pkg/kubelet/dockershim Kubernetes doesn’t run containers
- 11. @estesp kubelet dockershim dockerd kubelet cri-containerd containerd kubelet cri-o runc kubelet containerd Kata Firecracker kubelet --container-runtime {string} --container-runtime-endpoint {string} What CRI Runtimes Exist? kubelet singularity-cri singularity
- 12. @estesp • A stable, core, performant core container runtime for the cloud • Has a CRI implementation, and is a CNCF graduated project CRI Implementations • “all the runtime Kubernetes needs and nothing more”; RH created • CRI implementation over runc and 2 open libraries; K8s incubator • Intel Clear Containers + Hyper.sh combined project • Lightweight virtualization (KVM/qemu) under cri-o and containerd • Amazon open source project announced Nov 2018; lightweight virt. • Uses Rust-based VMM instead of qemu; plugs into containerd • CRI implementation over Sylabs Singularity runtime project • Userbase traditionally from academia/HPC use cases
- 14. @estesp CRI Product Landscape • GKE: containerd-based K8s clusters in beta/selectable; default is Docker • IBM Cloud: containerd-based clusters in production (all versions) • Azure: OSS acs-engine includes containerd; AKS uses Docker; (but CRI-O for OpenShift deployment) • Amazon: EKS uses Docker by default; Firecracker using containerd • CloudFoundry: Eirini project (CF on K8s) using containerd; pre-Eirini (non-K8s-based) used runc, now containerd • OpenShift: prior versions used RHEL-Docker (1.12/13); cri-o GA in OpenShift during 2018 • ICP: IBM private cloud offering defaults to Docker; containerd in tech preview
- 15. @estesp OCI Network Effect Singularity - Added full OCI support in v3.1.0 of Singularity (Feb 2019) - Can import/run OCI images/specs using singularity project LXC - Added OCI support in v3.0.0 of LXC (May 2018) - Can download/run OCI format containers with LXC runtime
- 16. @estesp • Positive outcomes • OCI created a level playing field whereby implementers of runtimes and higher-layer stacks could have complete interoperability via OCI standards • Good cross-industry collaboration has delivered on stable, “boring” container runtime technology; higher layers can provide choice in implementations • Network effects driving OCI interoperability to “non-Docker” use cases • CRI makes runtime choice a reality for Kubernetes as a common substrate • Work in progress • Choice can be confusing to those outside our bubble • Common tooling choices/strategies • Keeping the momentum; OCI now standardizing image distribution (registry API) Summary
- 17. @estesp “The process of technological development is like building a cathedral,” remarked Baran years later. “Over the course of several hundred years new people come along and each lays down a block on top of the old foundations, each saying, ‘I built a cathedral.’Next month another block is placed atop the previous one. Then comes along an historian who asks, ‘Well, who built the cathedral?’ Peter added some stones here, and Paul added a few more. If you are not careful, you can con yourself into believing that you did the most important part. But the reality is that each contribution has to follow onto previous work. Everything is tied to everything else.”