
Container Runtime

Sahil Kapoor's Playbook May 12, 2026

A container runtime is the software component that actually creates and runs containers from an OCI image. It sets up the namespaces, cgroups, mount points, capabilities, seccomp profile and rootfs for the container process and manages that process's lifecycle. Higher-level tools (Docker, Kubernetes) delegate the final "run this container" step to a runtime. Because the runtime is the component that builds the isolation boundary, it also decides what "isolated" means: with an ordinary OCI runtime the container shares the host kernel, so a kernel bug or a weak profile is an escape path; sandboxed runtimes put a separate kernel (user-space or virtualized) between the workload and the host.

Two levels of runtime

  • High-level runtime. Pulls images, manages the local image store and snapshots, unpacks the image into a bundle and exposes an API (the CRI, in Kubernetes) to clients. Examples: containerd, CRI-O. Docker Engine sits one level above this and uses containerd underneath.
  • Low-level (OCI) runtime. Implements the OCI Runtime Specification: take an OCI bundle (a root filesystem plus a config.json), create the namespaces and cgroups, apply capabilities, seccomp and mounts as the config says, then exec the entrypoint. Examples: runc, crun, youki. Everything security-relevant about a single container's boundary is encoded in that config.json, which is why it is worth inspecting.
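
An added example of the boundary an OCI runtime builds from config.json (this is not code from the original page, nor from runc, crun or the OCI project): a small auditor that walks the same fields a runtime reads (namespaces, capability sets, seccomp, noNewPrivileges, rootfs mode, maskedPaths, user mapping) and reports settings that weaken the container. Both configs at the bottom are constructed for the example; the field names follow the OCI Runtime Specification, while the list of "dangerous" capabilities and the other thresholds are this example's own choices.

```python
"""Audit the security-relevant fields of an OCI runtime config.json.

Added example, not code from the original page. It inspects the fields
an OCI runtime (runc, crun, ...) reads from the bundle's config.json and
flags settings that weaken the container boundary.
"""
import json

# Namespaces an ordinary container is expected to get. A missing entry
# means the process shares that namespace with the host.
EXPECTED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}

# Capabilities that let a process reach past the boundary (example's choice).
DANGEROUS_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
    "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH",
}


def audit_oci_config(cfg: dict) -> list[str]:
    """Return findings for one parsed config.json; an empty list means clean."""
    findings = []
    linux = cfg.get("linux", {})
    proc = cfg.get("process", {})

    # 1. Namespaces: anything not listed is inherited from the host.
    namespaces = linux.get("namespaces", [])
    present = {ns.get("type") for ns in namespaces}
    for missing in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"shares host {missing} namespace")
    # An entry with "path" joins an existing namespace instead of a new one.
    for ns in namespaces:
        if ns.get("path"):
            findings.append(f"joins existing {ns['type']} namespace {ns['path']}")

    # 2. Capabilities: the spec carries five sets; audit their union.
    caps = proc.get("capabilities", {})
    granted = set()
    for cap_set in ("bounding", "effective", "permitted", "inheritable", "ambient"):
        granted.update(caps.get(cap_set, []))
    for cap in sorted(granted & DANGEROUS_CAPS):
        findings.append(f"grants {cap}")

    # 3. No seccomp profile means every syscall is reachable from the container.
    if "seccomp" not in linux:
        findings.append("no seccomp profile")

    # 4. noNewPrivileges keeps setuid binaries from regaining privileges.
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is not set")

    # 5. A writable rootfs lets an intruder persist inside the container.
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("rootfs is writable")

    # 6. maskedPaths hides sensitive procfs/sysfs entries such as /proc/kcore.
    if not linux.get("maskedPaths"):
        findings.append("no maskedPaths")

    # 7. uid 0 without a user namespace mapping is root on the host kernel too.
    if proc.get("user", {}).get("uid", 0) == 0 and not linux.get("uidMappings"):
        findings.append("runs as uid 0 without user namespace")

    return findings


# Constructed sample: what a "privileged-like" launch tends to produce.
WEAK_CONFIG = json.loads("""{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 0, "gid": 0},
    "args": ["/bin/sh"],
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"],
                     "effective": ["CAP_CHOWN", "CAP_SYS_ADMIN"]}
  },
  "root": {"path": "rootfs", "readonly": false},
  "linux": {"namespaces": [{"type": "mount"}, {"type": "ipc"}, {"type": "uts"}]}
}""")

# Constructed sample: the same workload with the boundary fully configured.
HARDENED_CONFIG = json.loads("""{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 65532, "gid": 65532},
    "args": ["/bin/sh"],
    "noNewPrivileges": true,
    "capabilities": {"bounding": ["CAP_NET_BIND_SERVICE"],
                     "effective": ["CAP_NET_BIND_SERVICE"]}
  },
  "root": {"path": "rootfs", "readonly": true},
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "network"},
                   {"type": "ipc"}, {"type": "uts"}, {"type": "user"}],
    "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    "seccomp": {"defaultAction": "SCMP_ACT_ERRNO"},
    "maskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"]
  }
}""")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_oci_config(cfg) or ["clean"])
```

To run it against a real container, point `json.load` at the config.json in the bundle directory the high-level runtime prepared (for containerd, under its state directory for the container's sandbox), or at the output of `runc spec`, which writes a default config.json you can compare against. The weak sample trips every check because a missing namespace entry or capability set is silently inherited from the host; the hardened sample passes because each boundary is stated explicitly.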

Common runtimes

  • runc. Reference OCI runtime, written in Go; used by containerd, CRI-O and therefore Docker. It shares the host kernel with the container, so its isolation is exactly what the config.json asks for.
  • crun. A lighter C implementation of the OCI spec with lower startup overhead than runc; the default for Podman on Fedora and RHEL-family distributions. Same host-kernel isolation model as runc.
  • gVisor (runsc). Google's user-space kernel sandbox: a Go implementation of the Linux syscall surface (the Sentry) handles the container's system calls, so the host kernel sees only a small, fixed set of them. Stronger isolation than runc, at the cost of syscall-heavy and I/O-heavy workloads running noticeably slower.
  • Kata Containers. Runs each container (each pod, under Kubernetes) in a lightweight VM with its own guest kernel, so a kernel-level escape lands inside the VM rather than on the host.
  • Firecracker. AWS's KVM-based microVM monitor; it is a VMM, not an OCI runtime by itself. It backs Lambda and Fargate and can serve as the hypervisor under Kata Containers or through firecracker-containerd.
  • Wasmtime / wasmer with WASI. Emerging class of WASM runtimes for sandboxed workloads; containerd can drive them through shims such as runwasi, so a WASM module ships and schedules like a container while running under the WASM sandbox rather than a Linux process.

Kubernetes CRI

Kubernetes does not call low-level runtimes directly. The kubelet speaks the Container Runtime Interface (CRI), a gRPC API over a Unix socket on the node, to a high-level runtime (containerd or CRI-O), which then drives the low-level runtime. The default for most clusters is containerd plus runc; `kubectl get nodes -o wide` reports the CRI runtime and version per node. Alternative runtimes are selected per pod through a RuntimeClass, whose handler names a runtime the high-level runtime has been configured with on that node; if the handler is not configured there, sandbox creation fails and the pod never starts.
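
An added example of the RuntimeClass path described above (not manifests from the original page): a RuntimeClass that maps the cluster-level name `gvisor` to the CRI handler `runsc`, and a pod that opts into it. For containerd to honour the handler, each node's config.toml must register the gVisor shim under `plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc` with `runtime_type = "io.containerd.runsc.v1"`, which is gVisor's documented shim type; the node label, pod name and image in the manifests are assumptions for the example.

```yaml
# RuntimeClass: cluster-wide name -> CRI handler. The handler "runsc" must be
# registered in containerd's config on every node that will run these pods.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
scheduling:
  # Optional: only schedule onto nodes that advertise the sandbox runtime.
  # The label name is an assumption for this example.
  nodeSelector:
    sandbox.example.com/runtime: gvisor
---
# Pod: opts into the sandboxed runtime by name. The kubelet passes the handler
# through CRI and containerd starts the sandbox with runsc instead of runc.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job            # assumed name
spec:
  runtimeClassName: gvisor
  containers:
    - name: worker
      image: registry.example.com/jobs/worker:1.0   # assumed image
      securityContext:
        # The sandbox changes the kernel boundary; the pod-level controls
        # still apply inside it and should not be dropped.
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
```

A pod that omits `runtimeClassName` gets the node's default handler (runc in the containerd-plus-runc setup above), so a policy that requires sandboxing for untrusted workloads has to enforce the field, for example with an admission policy; the RuntimeClass alone does not apply itself.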


Related Terms: Docker, Kubernetes, containerd, OCI, Podman.
