{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreif2i4sjon7lrxcqgcndkwhqznc4clhlyw5yyx4xpp6ji5ux2mcfs4",
"uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mlogud7biiv2"
},
"description": "A container runtime is the software component that actually creates and runs containers from an OCI image. It manages namespaces, cgroups, mount points, capabilities, and the container process lifecycle. Higher-level tools (Docker, Kubernetes) delegate the final \"run this container\" step to a runtime.\n\n\nTwo levels of runtime\n\n * High-level runtime. Pulls images, manages the local image store and snapshots, exposes an API. Examples: containerd, CRI-O.\n * Low-level (OCI) runtime. Implements the OC",
"path": "/engineering-glossary/container-runtime-execution/",
"publishedAt": "2026-05-12T18:40:41.000Z",
"site": "https://sahilkapoor.com",
"tags": [
"Docker",
"Kubernetes",
"containerd",
"OCI",
"Podman"
],
"textContent": "**A container runtime** is the software component that actually creates and runs containers from an OCI image. It manages namespaces, cgroups, mount points, capabilities, and the container process lifecycle. Higher-level tools (Docker, Kubernetes) delegate the final \"run this container\" step to a runtime.\n\n## Two levels of runtime\n\n * **High-level runtime.** Pulls images, manages the local image store and snapshots, exposes an API. Examples: containerd, CRI-O.\n * **Low-level (OCI) runtime.** Implements the OCI Runtime Specification: take a filesystem bundle + config, set up namespaces and cgroups, exec the entrypoint. Examples: runc, crun, youki.\n\n\n\n## Common runtimes\n\n * **runc.** Reference OCI runtime; used by containerd and CRI-O.\n * **crun.** Faster C implementation of the OCI spec, used by Podman by default.\n * **gVisor (runsc).** Google's user-space kernel sandbox; stronger isolation, slightly slower.\n * **Kata Containers.** Runs each container in a lightweight VM for kernel-level isolation.\n * **Firecracker.** AWS microVM, used in Lambda and Fargate.\n * **Wasmtime / wasmer with WASI.** Emerging class of WASM runtimes for sandboxed workloads.\n\n\n\n## Kubernetes CRI\n\nKubernetes does not call runtimes directly; it speaks the Container Runtime Interface (CRI) to a high-level runtime, which then drives the low-level runtime. The default for most clusters is containerd plus runc.\n\n**Related Terms**\nDocker, Kubernetes, containerd, OCI, Podman.",
"title": "Container Runtime",
"updatedAt": "2026-05-13T19:14:43.687Z"
}