CONTAINer Runtimes
Draw Some Lines
Devconf.IN 2019 Bangalore, IN
Vincent Batts @vbatts
$> finger $(whoami)
Login: vbatts Name: Vincent Batts
Directory: /home/vbatts Shell: /bin/bash
Such mail.
Plan:
OHMAN
$> id -Gn
devel opencontainers docker appc redhat golang slackwareContainers
Containers
Container Runtimes
chroot + unshare (mnt ns) + cgroups
a history
LXC
- first release Aug 2008
- alive and well today
- https://linuxcontainers.org/
systemd-nspawn
- first commit in 2011
- alive and well today
- originally just a simple test and debug utility
Container Runtimes
a history
Docker
- all the things
- 2013 python script became golang
- (not a single good link to the source)
- 2013
- academic offering
- dead, but still a good example of form over function
- Dec 2014
- spec-first design (appC spec)
Container Runtimes
a history
- 2014
- to have something golang native, rather than shell-out to lxc
- (eventually meant more shelling-out)
- the original OCI runtime
- 2014
- container manager built on lxc
- (came after Docker made asks of lxc, then abandoned it for libcontainer)
- from odis/openVZ folks
- C library of container helpers (not docker or lxc related)
Container Runtimes
a history
OCI Specification
- 2015
- (image and runtime) v1.0.0 in 2017
- distribution-spec began 2018 (formerly docker registry API)
Container Runtime Interface
Kubernetes
- 2014
- was (is?) entirely too docker-centric
- with rkt it was clear there were big changes needed
- Enter CRI (2016)
- gRPC interface for ImageService and RuntimeService
migration via dockershim
- completely switched to docker via CRI in v1.8
(source)
Container Runtime Interface
cri-o (originally oci-d)
- kubernetes only use-case
- OCI images and runtime
- primarily called runc, but is flexible to call other runtimes
- primarily docker use-case, but includes a CRI shim
- OCI and Docker images
- swiss arm knife of sorts
- uses kvm pieces
- supports 2.6.32+ kernel
- imports from runc, docker, p2p backend, and expose a CRI socket
Container Runtime Interface
- `crictl`
- the cli for working or debugging directly with CRI layer
OCI RUNTIMES
- 2017
- an OCI runtime
- written in rust
kata-containers (formerly clear containers and hyperV)
- mixed years
- an OCI runtime
- thinVM (qemu with custom machine type)
- 2014
- to have something golang native, rather than shell-out to lxc
- (eventually meant more shelling-out)
- the original OCI runtime
OCI RUNTIMES
- inherently an OCI runtime
- exposes GPU specific configuration
google/gvisor (`runsc`)
- has an OCI runtime
- syscall emulation layer
- uses a bit of kvm
- feels a bit like thrown over the wall
windows/hcsshim (`runhcs`)
- has an OCI runtime
- windows native container API
nabla-containers (IBM research)
- has an OCI runtime
- unikernel approach
- requires tailored container images with their executor
OCI RUNTIMES
-
giuseppe/crun
- thin OCI runtime written in C
-
projectatomic/bwrap-oci
- OCI runtime wrapper around bubblewrap
-
vbatts/nspawn-oci
- OCI runtime wrapper around systemd-nspawn
-
wking/ccon
- OCI pet project of community member
systemd-nspawn native support (pr9762)
- preferable than wrapper
- still has a couple of pieces missing like hooks and compatible cli
non-docker options
- easy alias for `docker`
- direct invocation
- now supports non-root
- drop-in for `docker build`, as well as shell subcommands
- direct invocation
- now supports non-root builds
- utility for working with OCI container images
- unpack, modify, repack
- initially just remote inspect images
- now copies (local <=> remote) and translates formats