Container deployment is a practical method for ensuring portability, scalability, and agility in the DevOps world. From testing to production, containers facilitate the entire software development process.
Platforms for container management and orchestration are designed to be intuitive and straightforward for the end-user. However, the platforms themselves are complex and consist of multiple coordinated projects.
This article will explain the differences between three important parts of the container management ecosystem - Docker, containerd, and CRI-O.
The Container Ecosystem
The two standards that matter most are:
- CRI - Container Runtime Interface. A gRPC API through which the kubelet talks to a container runtime, so that Kubernetes can work with different runtimes, including containerd (originally built by Docker) and CRI-O.
- OCI - Open Container Initiative. It standardizes the container image format and the behaviour of the runtime that unpacks and runs it.
The infographic below shows how CRI and OCI help connect Kubernetes with Docker:
Docker is a set of container management projects run by the company of the same name, Docker, Inc. Together they provide a complete platform for building, shipping and running containers.
The most important projects are:
- docker CLI - A command line interface program. Users create and manage Docker containers by issuing docker commands, which the CLI sends to the Docker Engine daemon (dockerd) over its REST API.
- containerd - A daemon that dockerd delegates to; it does not talk to the user directly. It pulls and stores the requested images and controls the container lifecycle.
- runC - A lightweight, portable low-level container runtime. Given an image's unpacked root filesystem and a config.json, it creates the Linux namespaces, cgroups and security settings and starts the container process; containerd invokes it through a shim for every container. The containers runC creates are OCI compatible.
A Docker image is a read-only template that contains the application code, along with the libraries, tools and other dependencies necessary for the application to work properly. When a user issues docker run, the image template is used to deploy an app container.
Docker images are created from a Dockerfile, a text document listing the instructions (base image, files to copy, commands to run, the user and entrypoint) that produce the image. The docker build command uses the Dockerfile and a build context, the directory whose files COPY and ADD can reference, to create the image.
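As an added example (not code from the article or from the Docker project), the following Python script parses a Dockerfile the way docker build reads it, splits it into build stages at each FROM, and flags the settings a security reviewer checks first: a base image that floats on a mutable tag, ADD where COPY would do, a downloaded script piped into a shell, a credential baked into ENV or ARG, and a final stage that runs as root. The two Dockerfiles inside it are constructed for illustration, and the sha256 digest is a placeholder, not a real image digest.

```python
"""Parse a Dockerfile and audit the image it would build.

Added example, not code from the original article or the Docker project. It
reads the same instruction grammar that `docker build` does, splits the file
into build stages at each FROM, and flags settings that weaken the final
image. The sample Dockerfiles are constructed; the digest is a placeholder.
"""
import re

# Constructed sample: a multi-stage build whose final stage is pinned by
# digest and runs as an unprivileged user. The sha256 value is a placeholder.
GOOD_DOCKERFILE = r"""
# syntax=docker/dockerfile:1
FROM golang:1.22-bookworm AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM gcr.io/distroless/static-debian12@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /out/app /app
USER 65532:65532
ENTRYPOINT ["/app"]
"""

# Constructed sample showing the patterns the audit catches.
BAD_DOCKERFILE = r"""
FROM ubuntu
ADD https://example.invalid/install.sh /tmp/install.sh
RUN curl -fsSL https://example.invalid/setup.sh | sh
ENV API_TOKEN=abc123
CMD ["/usr/bin/app"]
"""

INSTRUCTIONS = {
    "FROM", "RUN", "CMD", "LABEL", "EXPOSE", "ENV", "ADD", "COPY", "ENTRYPOINT",
    "VOLUME", "USER", "WORKDIR", "ARG", "ONBUILD", "STOPSIGNAL", "HEALTHCHECK",
    "SHELL", "MAINTAINER",
}


def parse_dockerfile(text):
    """Return (instruction, arguments) pairs in file order.

    Comments and parser directives (both start with '#') are dropped,
    backslash-continued lines are joined, and keywords are upper-cased
    because Dockerfile instructions are case-insensitive.
    """
    steps, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        keyword, _, args = (pending + line).partition(" ")
        pending = ""
        keyword = keyword.upper()
        if keyword not in INSTRUCTIONS:
            raise ValueError(f"unknown Dockerfile instruction: {keyword}")
        steps.append((keyword, args.strip()))
    return steps


def split_stages(steps):
    """Group instructions by build stage; only the last stage becomes the image."""
    stages = []
    for keyword, args in steps:
        if keyword == "FROM":
            stages.append([])
        elif not stages:
            if keyword == "ARG":      # a global ARG may precede the first FROM
                continue
            raise ValueError("Dockerfile must begin with FROM")
        stages[-1].append((keyword, args))
    return stages


def audit_dockerfile(text):
    """Return a list of findings describing what weakens the built image."""
    findings = []
    stages = split_stages(parse_dockerfile(text))
    for index, stage in enumerate(stages):
        image = stage[0][1].split()[0]
        name = image.rsplit("/", 1)[-1]          # drop registry host and path
        if "@sha256:" not in image and (":" not in name or name.endswith(":latest")):
            findings.append(f"stage {index}: base image {image!r} floats on a mutable tag")
        for keyword, args in stage:
            if keyword == "ADD":
                findings.append(f"stage {index}: ADD {args.split()[0]!r} fetches URLs and "
                                "auto-extracts archives; prefer COPY")
            if keyword == "RUN" and re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", args):
                findings.append(f"stage {index}: RUN pipes a downloaded script into a shell")
            # Heuristic: credential-looking names assigned a value become image metadata.
            if keyword in ("ENV", "ARG") and re.search(
                    r"(?i)(password|secret|token|api_key)\s*=\s*\S", args):
                findings.append(f"stage {index}: {keyword} embeds a credential in the image")
    # Only the stage that ships matters for the runtime user.
    users = [args for keyword, args in stages[-1] if keyword == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage: container runs as root (no non-root USER)")
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        print(f"{label}: {audit_dockerfile(dockerfile) or ['no findings']}")
```

The multi-stage layout matters for the audit: everything in the build stage (compilers, source, package caches) is discarded, and only the final FROM and the files copied into it become the image that containerd or CRI-O will later run.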
Docker for Kubernetes
The Container Runtime Interface is the gRPC API the kubelet uses to talk to a container runtime. Docker Engine never implemented CRI, so Kubernetes shipped a compatibility layer inside the kubelet called dockershim, which translated CRI calls into Docker Engine API calls.
Kubernetes deprecated dockershim in version 1.20 and removed it in version 1.24. Since then the kubelet only talks to CRI-compliant runtimes, and Docker Engine is no longer usable as a runtime on its own (an external adapter, cri-dockerd, exists for clusters that still need it). Kubernetes can still run the containers Docker builds, because they are OCI images and containerd, the daemon Docker uses underneath, implements CRI through its built-in CRI plugin.
Container Runtime Interface (CRI)
Although Kubernetes is a container orchestration platform, at the lowest level, it also needs to create and manage containers. To achieve this, Kubernetes uses container runtimes.
In the beginning, Docker Engine was the only available runtime on the platform. But the popularity of containerization resulted in competing solutions and the need for Kubernetes to support them all. With the Container Runtime Interface, Kubernetes can communicate with any runtime that implements it.
containerd is a runtime daemon that Docker created and later donated to the CNCF. It is available for Linux and Windows. Inside the Docker platform, containerd manages image transfer and storage, as well as container creation, execution and supervision.
Kubernetes does not need the rest of the Docker platform to use containerd. Its CRI plugin (built in since containerd 1.1) exposes the CRI on a Unix socket, and the kubelet is pointed at it with --container-runtime-endpoint=unix:///run/containerd/containerd.sock, so the two communicate directly.
CRI-O is a lightweight implementation of the CRI built specifically for Kubernetes and OCI images. It was created as an alternative to Docker Engine.
With CRI-O, the kubelet can start pods and pull the necessary images. However, CRI-O is not a low-level runtime itself. It manages image storage and pod networking, then hands each container to an OCI-compatible low-level runtime such as runC, crun or Kata Containers.
Open Container Initiative (OCI)
Docker and other major container industry actors established the Open Container Initiative (OCI) under the Linux Foundation in 2015. The OCI creates standards for container formats and runtimes. Its two core specifications are:
- image-spec - the image specification. It defines the layout of an OCI image: a manifest, a config blob and the layer tarballs, each addressed by its content digest.
- runtime-spec - the runtime specification. It defines the filesystem bundle (a root filesystem directory plus a config.json describing the process, mounts, namespaces, capabilities and other settings) and the lifecycle operations (create, start, kill, delete) a runtime must support.
A third, later specification, distribution-spec, standardizes the registry API used to push and pull images.
runC is the OCI reference runtime, created by Docker and donated to the OCI in 2015. Although it ships as part of the Docker set of tools, it does not require the Docker platform to run: given an OCI bundle, it can start a container on its own.
Some important features of runC are:
- Full Linux namespaces support (pid, network, ipc, uts, mount, user and cgroup).
- Native support for Linux security features: AppArmor, SELinux, seccomp, capabilities and cgroup resource limits.
- Linux only. runC does not run Windows containers; on Windows, containerd uses a separate runtime built on Microsoft's hcsshim.
- Containers that runC creates and manages are OCI compliant.
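As an added example serving both the runtime-spec description and the runC feature list above, the following Python script builds the config.json of an OCI bundle with the security settings runC honours (namespaces, capability sets, noNewPrivileges, an AppArmor profile, a seccomp filter, masked /proc paths) and audits a deliberately weakened variant against it. It is not code from the article, runc or the OCI. The field names follow the runtime-spec, but the values, the uid/gid mappings and the seccomp allow-list are constructed and kept minimal, and nothing is executed, so runc does not need to be installed.

```python
"""Build and audit an OCI runtime-spec config.json, the file runC consumes.

Added example, not code from the original article, runc or the OCI. Field
names follow the runtime-spec; the values are constructed for illustration
and the bundle is never executed, so runc does not need to be installed.
"""
import copy
import json

# Namespaces a default `runc spec` config creates; omitting one shares it
# with the host.
ISOLATING_NAMESPACES = {"pid", "network", "ipc", "uts", "mount"}

# Capabilities that allow host takeover; none belong in a workload's bounding set.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
                  "CAP_NET_ADMIN", "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH"}


def hardened_config(args, rootfs="rootfs"):
    """config.json for a non-root, read-only, fully namespaced container."""
    caps = ["CAP_NET_BIND_SERVICE"]
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": 65532, "gid": 65532},
            "args": list(args),
            "env": ["PATH=/usr/local/bin:/usr/bin:/bin"],
            "cwd": "/",
            "capabilities": {name: caps for name in
                             ("bounding", "effective", "permitted",
                              "inheritable", "ambient")},
            "noNewPrivileges": True,      # blocks setuid escalation after exec
            "apparmorProfile": "docker-default",
        },
        "root": {"path": rootfs, "readonly": True},
        "hostname": "sandbox",
        "mounts": [
            {"destination": "/proc", "type": "proc", "source": "proc"},
            {"destination": "/tmp", "type": "tmpfs", "source": "tmpfs",
             "options": ["nosuid", "nodev", "noexec", "size=64m"]},
        ],
        "linux": {
            "namespaces": [{"type": ns} for ns in
                           ("pid", "network", "ipc", "uts", "mount", "user")],
            # Constructed mapping: container uid 0 is unprivileged uid 100000 on the host.
            "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
            "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
            "maskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"],
            "readonlyPaths": ["/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys"],
            # Deliberately tiny allow-list for illustration; a real profile
            # allows a few hundred syscalls.
            "seccomp": {"defaultAction": "SCMP_ACT_ERRNO",
                        "architectures": ["SCMP_ARCH_X86_64"],
                        "syscalls": [{"names": ["read", "write", "futex",
                                                "nanosleep", "exit_group"],
                                      "action": "SCMP_ACT_ALLOW"}]},
        },
    }


def audit_config(cfg):
    """List the ways a config.json falls short of the hardened baseline."""
    findings = []
    proc, linux = cfg.get("process", {}), cfg.get("linux", {})
    present = {ns["type"] for ns in linux.get("namespaces", [])}
    for ns in sorted(ISOLATING_NAMESPACES - present):
        findings.append(f"shares the host {ns} namespace")
    if "user" not in present:
        findings.append("no user namespace: container root is host root")
    if proc.get("user", {}).get("uid", 0) == 0:
        findings.append("process runs as uid 0")
    if not proc.get("noNewPrivileges"):
        findings.append("noNewPrivileges is off")
    bounding = set(proc.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & DANGEROUS_CAPS):
        findings.append(f"bounding set includes {cap}")
    if not cfg.get("root", {}).get("readonly"):
        findings.append("root filesystem is writable")
    if not linux.get("seccomp"):
        findings.append("no seccomp profile")
    if not proc.get("apparmorProfile") and not proc.get("selinuxLabel"):
        findings.append("no AppArmor profile or SELinux label")
    if "/proc/kcore" not in linux.get("maskedPaths", []):
        findings.append("/proc/kcore is not masked")
    return findings


def privileged_variant(cfg):
    """Strip the protections the way a privileged container would, for comparison."""
    weak = copy.deepcopy(cfg)
    weak["process"].update({"user": {"uid": 0, "gid": 0}, "noNewPrivileges": False})
    weak["process"].pop("apparmorProfile")
    weak["process"]["capabilities"] = {
        name: sorted(DANGEROUS_CAPS) for name in cfg["process"]["capabilities"]}
    weak["root"]["readonly"] = False
    weak["linux"]["namespaces"] = [{"type": "mount"}, {"type": "pid"}]
    for key in ("uidMappings", "gidMappings", "seccomp", "maskedPaths"):
        weak["linux"].pop(key)
    return weak


def bundle_json(cfg):
    """Serialize to the text runc reads from <bundle>/config.json."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    good = hardened_config(["/app"])
    print(bundle_json(good))
    for finding in audit_config(privileged_variant(good)):
        print("weak:", finding)
```

To run the hardened bundle for real, unpack an image's root filesystem into bundle/rootfs, write the output of bundle_json() to bundle/config.json, and run runc run <container-id> from inside the bundle directory; runc spec writes a default config.json that is useful to diff against. The weakened variant is what a privileged container looks like to runC: host namespaces, full capabilities, no seccomp, writable root, and root inside mapping to root outside.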
After reading this article, you should have a clearer understanding of the container ecosystem. The article focused on untangling differences between Docker, containerd, and CRI-O.
If you are interested in reading about Kubernetes architecture, read Understanding Kubernetes Architecture with Diagrams.