Think of "container" as just another packaging format.
.iso files for disk images,
.rpm for linux packages, or
.tgz for binary or arbitrary files.
The ecosystem is more than just a format, it includes:
Unlike traditional virtualization, containerization takes place at the kernel level. Most modern operating system kernels now support the primitives necessary for containerization, including Linux with
vserver and more recently
Read more: Containers vs VMs
Defines important specs, so different tools can be used to pack/unpack and run by different runtimes:
- the Runtime Specification(runtime-spec)
- the Image Specification(image-spec)
- the Distribution Specification(distribution-spec)
runc (https://github.com/opencontainers/runc) is a CLI tool for spawning and running containers according to the OCI specification.
Defines an API between Kubernetes and the container runtime (defined by OCI).
- Docker: an open source Linux containerization technology. Package, distribute and runtime solution.
containerd: Container daemon. Docker spun out the container runtime and donated it to CNCF. Now containerd is a graduated CNCF project. Using
runcas runtime. Used by Docker, Kubernetes, AWS ECS, etc.
- cgroup: limits and isolates resources(CPU, memory, disk I/O, network, etc)
- gVisor: a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. It leverages existing host kernel functionality and runs as a normal user-space process. For running untrusted workloads. Lower memory and startup overhead compared to a full VM.
In 2020, Kubernetes deprecated Docker as a container runtime after version 1.20, in favor of runtimes that use the Container Runtime Interface (CRI):
CRI-O. (Note that Docker is still a useful tool for building containers, and the images that result from running docker build can still run in your Kubernetes cluster.)
runc: This is the low-level container runtime (the thing that actually creates and runs containers). It includes
libcontainer, a native Go-based implementation for creating containers. Docker donated
containerd: CNCF graduated project, contributers: Google, Microsoft, Alibaba, etc, came from docker and made CRI compliant.
- CRI-O: CNCF incubating project, contributers: RedHat, IBM, Intel etc, created from the ground up for K8s.
Docker's default runtime:
$ docker run --runtime=runc ...
gVisor can be integrated with Docker by changing
runsc("run sandboxed container)
$ docker run --runtime=runsc ...
gVisor runs slower than default docker runtime due to the "sandboxing": https://github.com/google/gvisor/issues/102
Orchestration tools: handle containers running stateless applications. The applications may be terminated at any time, and / or restarted from a different machine. (which means production db should not run in containers.)
- Linux Containers (LXC): on top of
cgroups, operating system–level virtualization technology for running multiple isolated Linux systems (containers) on a single control host.
cgroups: provides namespace isolation and abilities to limit, account and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups
- LXD: similar to LXC, but a REST API on top of
- Docker: application container; LXC/LXD: system container; Docker initially used
liblxcbut later changed to
Well it is gaining momentum and popularity. Many companies are adopting it.
Two notable exceptions are: Google and Facebook
Google has its own packaging format: MPM. MPM on Borg is similar to container on Kubernetes, and Kubernetes is the open-source version of Borg.
Facebook use Tupperware. Why not docker? They didn't exist then.