For a great comparison, see https://tin6150.github.io/psg/blogger_container_hpc.html
The supporting daemon (dockerd) runs as a privileged user.
Docker images are composed of multiple layers managed by Docker.
The Docker daemon makes calls to containerd, which in turn calls runc.
- containerd is the new high-level daemon for image management
- runc is the low-level container runtime (previously named libcontainer); it is managed by the Open Container Initiative (OCI)
https://linuxcontainers.org/lxc/introduction/
- https://sylabs.io/singularity/
- https://singularity-hub.org/
- https://sylabs.io/guides/3.5/user-guide/index.html
Singularity stores a container image in a single file.
Singularity defines its own image format, the Singularity Image Format (SIF).
Singularity is compatible with Docker/OCI images
"Singularity: Scientific containers for mobility of compute" (2017) https://doi.org/10.1371/journal.pone.0177459
https://github.com/NERSC/shifter
Shifter requires hosting a registry service and a Shifter Image Gateway.
Runs and builds containers without root access or setuid.
"Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode. Simply put: alias docker=podman."
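To make the architectural difference between the Docker daemon chain and a rootless, daemonless Podman setup visible, here is an added example (not from the page) that walks a process table in the shape of `ps -eo pid,ppid,user,comm` output upward from a container's main process and reports which engine processes sit above it and whether any of them runs as root. The process tables, user names and PIDs are constructed; note that dockerd talks to containerd over an API rather than forking it, so it never appears in a container's parent chain.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm")

# Process names belonging to the engines compared on this page.
# Docker: dockerd -> containerd -> containerd-shim -> runc; Podman: podman / conmon.
ENGINE_PROCS = {"dockerd", "containerd", "containerd-shim-runc-v2",
                "containerd-shim", "runc", "podman", "conmon"}

# Constructed sample in the shape of `ps -eo pid,ppid,user,comm` (hypothetical PIDs).
# Docker host: the container's PID 1 (nginx) hangs off a root-owned shim and containerd.
DOCKER_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  800     1 root     dockerd
  820     1 root     containerd
  901   820 root     containerd-shim-runc-v2
  950   901 root     nginx
"""

# Rootless Podman host: conmon is double-forked, so its parent is PID 1; nothing
# between the container and init runs as root.
PODMAN_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
 1200     1 alice    podman
 1210     1 alice    conmon
 1250  1210 alice    nginx
"""

def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm` output into a dict pid -> Proc."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        pid, ppid, user, comm = line.split(None, 3)
        table[int(pid)] = Proc(int(pid), int(ppid), user, comm)
    return table

def ancestry(table, pid):
    """Return the process and its ancestors, nearest first, stopping at init."""
    chain = []
    while pid in table:                         # PPID 0 is not in the table
        chain.append(table[pid])
        pid = table[pid].ppid
    return chain

def engine_chain(table, pid):
    """(name, user) of each engine process above the given container process."""
    return [(p.comm, p.user) for p in ancestry(table, pid)[1:] if p.comm in ENGINE_PROCS]

def privileged_engine(table, pid):
    """True if any engine process in the ancestry runs as root."""
    return any(user == "root" for _, user in engine_chain(table, pid))
```

On a live host, feed `parse_ps` the real `ps -eo pid,ppid,user,comm` output and pass the host-side PID of the container's init process.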
- https://github.com/kata-containers
- https://katacontainers.io/
- formerly Intel Clear Containers: https://clearlinux.org/news-blogs/intel-clear-containers-now-part-kata-containers
Kata Containers runtime uses a hypervisor to provide isolation when spawning containers. It creates lightweight VMs and puts containers inside. Each container runs on its own kernel, eliminating security limitations of the traditional runC runtime.
Led by the OpenStack Foundation.
- Univa Grid Engine (UGE) Container
- rkt = https://www.openshift.com/learn/topics/rkt
- End-of-Life announcement March 2020: rkt/rkt#4024
- did not rely on a daemon but rather worked with the `rkt run` command directly, which made it easier to use rkt in combination with systemd.