Last active April 14, 2024 08:26
runc vs gvisor (runsc) vs rkt vs KataContainers vs NablaContainers
knowledge dump on container runtimes
kata containers
- each container (pod) runs inside a lightweight VM with its own guest kernel, so the image is coupled with a kernel instead of sharing the host's
- light vm layer (the hypervisor and guest kernel are the isolation boundary, not namespaces)
- needs hardware virtualization (VT-x/AMD-V); inside a cloud VM that means nested virtualization, which only works if the hardware supports it and it is enabled in the BIOS / exposed by the provider (ex. only bare-metal EC2 instances, which rules out many cloud providers)
- slower startup time (a guest kernel has to boot)
- OCI compliant
- previously known as Clear Containers by Intel
gvisor (runsc)
- kernel implemented in userspace (the Sentry, written in Go)
- layer between container and host kernel; intercepts the application's syscalls and services them itself
- kernel vulnerabilities can be covered quickly once discovered: application syscalls stop at the Sentry, so most host kernel bugs are not directly reachable, and a Sentry fix ships as a userspace update rather than a host kernel upgrade
- at the time this was written, 211 of the 319 x86-64 system calls were implemented, and the Sentry itself uses only 64 system calls on the host (enforced by its own seccomp filter)
- limited syscall coverage (relies on the community to add more), so some workloads will not run
- faster startup time than kata (no guest kernel to boot)
- OCI compliant
- by Google; used in production there for a few years
runc
- usually the default container runtime
- containers share the host kernel; isolation is namespaces and cgroups plus seccomp, SELinux, or AppArmor for security policies (syscall filtering, which is difficult to get right)
- first runtime to be OCI compliant (the reference implementation of the OCI runtime spec)
- docker originally drove LXC, then replaced it with its own Go library `libcontainer`, which was donated to the OCI and is now `runc`
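The three isolation models above (host kernel shared under runc, the Sentry's emulated kernel under gVisor, a separate guest kernel under Kata) can be told apart from inside the container. That is useful both for verifying that a sandboxed RuntimeClass actually took effect and as the first step of container-escape recon. The script below is an added example, not part of the gist or of any of these projects; the sample inputs are constructed and `HOST_KERNEL_RELEASE` is an assumed environment variable that you set to the node's `uname -r`.

```bash
#!/usr/bin/env bash
# Heuristic fingerprint of the container runtime from inside the container.
# Added example, not from the gist. Inputs are file paths so the logic can be
# exercised against captured samples; on a live container pass /proc/version,
# a dmesg capture, and (if known) the host's `uname -r`.
classify_runtime() {
  local proc_version="$1" dmesg_log="$2" host_release="${3:-}"
  local release
  # "Linux version 5.15.0-91-generic (...)" -> "5.15.0-91-generic"
  release=$(awk '/^Linux version/ { print $3; exit }' "$proc_version")

  # gVisor: the Sentry answers syslog(2) with its own boot banner and reports a
  # fixed emulated kernel identity (4.4.0 by default) whatever the host runs.
  # The version alone is a weak signal; the banner is the reliable one.
  if grep -q 'gVisor' "$dmesg_log" 2>/dev/null || [ "$release" = "4.4.0" ]; then
    echo gvisor
    return
  fi

  # Without a reference kernel we cannot distinguish runc from a VM-backed runtime.
  if [ -z "$host_release" ]; then
    echo unknown
    return
  fi

  # runc (and any other namespace-only runtime) exposes the host kernel verbatim;
  # a different release means a separate guest kernel, i.e. Kata or another
  # VM-based sandbox.
  if [ "$release" = "$host_release" ]; then
    echo shared-host-kernel
  else
    echo separate-guest-kernel
  fi
}

# Live check. HOST_KERNEL_RELEASE is an assumed variable holding the node's
# `uname -r`; leave it unset and anything that is not gVisor reports "unknown".
if [ -r /proc/version ]; then
  dmesg_capture=$(mktemp)
  dmesg > "$dmesg_capture" 2>/dev/null || true
  echo "this environment looks like: $(classify_runtime /proc/version "$dmesg_capture" "${HOST_KERNEL_RELEASE:-}")"
  rm -f "$dmesg_capture"
fi
```

The host release has to come from outside the container (the node, or a trusted runc pod on the same node): a container cannot learn it on its own, which is exactly why a shared kernel and a guest kernel look the same without that reference point.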
rkt (rocket)
- CoreOS's own pod-native runtime, not built on runc: execution is handled by a swappable "stage1" (systemd-nspawn based by default, with a KVM flavor for VM isolation)
- non OCI compliant (native image format is appc ACI; Docker images are converted on import)
- by CoreOS; the project has since been archived
nabla containers
- competitor to gvisor
- uses only 9 host syscalls (all others are blocked with a seccomp policy)
- built on the solo5 project: the application runs as a unikernel on solo5, so POSIX functionality is provided by a library OS linked into the process rather than by host kernel syscalls
- can't run linux containers out of the box (the application has to be rebuilt as a nabla unikernel image)
- claims to be more secure than gvisor (smaller host-kernel attack surface: 9 syscalls vs 64)
- by IBM (IBM Research)
containerd (container daemon)
- high-level container runtime that manages the container lifecycle (image pull/push, supervision, networking, storage, etc.) and delegates actually running the container to a low-level OCI runtime
- defaults to the runc runtime (gvisor and kata plug in as alternative shims)
- runs OCI compliant images
cri-o (Container Runtime Interface + OCI)
- runtime created specifically for kubernetes: implements the kubernetes CRI and nothing more (containerd came out of docker but serves the same role)
- defaults to the runc runtime
- runs OCI compliant images
- containerd implements the same CRI interface through its cri plugin, so kubernetes can use either containerd or cri-o
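Since containerd and cri-o both default to runc, putting a workload under gVisor or Kata means registering the extra handler with the CRI runtime and selecting it per pod with a Kubernetes RuntimeClass. The script below is an added example, not the gist's or any project's own code: it writes the containerd runtime section (containerd 1.x plugin key) and the matching RuntimeClass objects to a scratch directory so you can compare them before applying. File names, the `untrusted-job` pod and `OUT_DIR` are assumptions.

```bash
#!/usr/bin/env bash
# Added example: register gVisor (runsc) and Kata as extra containerd handlers
# and expose them to Kubernetes through RuntimeClass. Paths, names and the
# sample pod are assumptions; adjust to your distribution and cluster.
set -eu

write_containerd_runtimes() {
  # $1 = destination file (on a real node: merged into /etc/containerd/config.toml)
  cat > "$1" <<'EOF'
# runc stays the default; only pods that opt in via RuntimeClass get a sandbox.
[plugins."io.containerd.grpc.v1.cri".containerd]
  default_runtime_name = "runc"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"

# gVisor: containerd-shim-runsc-v1 from the gvisor.dev release must be on PATH.
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"

# Kata: containerd-shim-kata-v2 from the kata-containers release must be on PATH;
# needs VT-x/AMD-V, i.e. nested virtualization if the node is itself a VM.
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
EOF
}

write_runtimeclasses() {
  # $1 = destination manifest; the handler must equal the runtimes.<name> key above
  cat > "$1" <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# A pod opts in by naming the class; omit runtimeClassName and it runs under runc.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job
spec:
  runtimeClassName: gvisor
  containers:
  - name: job
    image: busybox
    # dmesg prints the gVisor banner and uname -r reports 4.4.0 if the class took effect
    command: ["sh", "-c", "dmesg; uname -r"]
EOF
}

out="${OUT_DIR:-$(mktemp -d)}"
write_containerd_runtimes "$out/containerd-runtimes.toml"
write_runtimeclasses "$out/runtimeclasses.yaml"
echo "wrote $out/containerd-runtimes.toml and $out/runtimeclasses.yaml"
# Next steps on a real node/cluster (not run here):
#   merge the TOML into /etc/containerd/config.toml && systemctl restart containerd
#   kubectl apply -f "$out/runtimeclasses.yaml"
#   docker run --rm --runtime=runsc busybox dmesg   # same choice outside kubernetes, once runsc is in daemon.json
```

Keeping runc as `default_runtime_name` is deliberate: sandboxing every pod would make all of them pay Kata's boot cost or hit gVisor's syscall gaps, and the RuntimeClass name is what an admission policy can require for the namespaces that run untrusted code.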
arno01 commented Jul 12, 2021

great summary, thank you!

Thank you! Maybe firecracker deserves to be on the list.

qpwo commented Feb 2, 2023

New thoughts 4 years later?