What is a container runtime?
Software that unpacks a container image and turns it into a running process. Three responsibilities: container lifecycle management, host OS interaction (namespaces + cgroups), resource allocation.
OCI Standard
The Open Container Initiative (OCI, 2015) defines three specs: image format, image distribution, and runtime execution. This is why Docker images run on containerd or CRI-O — they’re OCI images, not Docker-specific.
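The runtime-execution spec mentioned above is what a low-level runtime such as runc or crun reads from a bundle's config.json. As an added example (not from the original note), here is a small audit of such a config for the isolation settings that matter from a defender's view: namespaces present, rootfs writability, noNewPrivileges and the capability bounding set. The two embedded configs are constructed samples, and the DANGEROUS_CAPS list is our own assumption, not text from the spec.

```python
"""Audit an OCI runtime-spec config.json (what runc/crun execute) for isolation settings."""
import json

# Constructed sample in the shape `runc spec` emits, with three weak settings:
# no user namespace, writable rootfs, CAP_SYS_ADMIN in the bounding set.
WEAK_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "noNewPrivileges": True,
        "capabilities": {"bounding": ["CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"]},
    },
    "root": {"path": "rootfs", "readonly": False},
    "linux": {"namespaces": [{"type": t} for t in ["pid", "mount", "network", "ipc", "uts"]]},
})

# The same bundle with those settings corrected (also constructed).
HARDENED_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 1000, "gid": 1000},
        "noNewPrivileges": True,
        "capabilities": {"bounding": ["CAP_KILL", "CAP_NET_BIND_SERVICE"]},
    },
    "root": {"path": "rootfs", "readonly": True},
    "linux": {"namespaces": [{"type": t} for t in ["pid", "mount", "network", "ipc", "uts", "user"]]},
})

EXPECTED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts", "user"}
# Our own short list (an assumption, not spec text) of caps that reach host resources.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_NET_ADMIN"}


def audit_oci_config(config_text: str) -> list[str]:
    """Return findings (empty list = no issues) for one config.json document."""
    cfg = json.loads(config_text)
    findings = []
    present = {ns["type"] for ns in cfg.get("linux", {}).get("namespaces", [])}
    for missing in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"namespace not isolated: {missing}")
    proc = cfg.get("process", {})
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is not set")
    if proc.get("user", {}).get("uid", 0) == 0 and "user" not in present:
        findings.append("runs as uid 0 without a user namespace")
    bounding = set(proc.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & DANGEROUS_CAPS):
        findings.append(f"dangerous capability in bounding set: {cap}")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("rootfs is writable")
    return findings
```

Running `audit_oci_config` on a real bundle's config.json (e.g. one produced by `runc spec`) gives the same kind of findings list; the hardened sample returns no findings.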
Types
Low-level — directly implement OCI, closest to the kernel:
- runc — de facto standard, created by Docker, donated to OCI
- crun — smaller/faster (~300kb)
- runhcs — Microsoft’s Windows fork
High-level — sit above low-level runtimes, handle image transport:
- containerd — used under Docker and directly by Kubernetes
- CRI-O — lightweight, built specifically for Kubernetes
- Podman — daemonless, runs containers as individual processes
Sandboxed / virtualised — stronger isolation at the cost of performance:
- gVisor — intercepts syscalls in user-space; used by Google Cloud Run
- Kata Containers — each container runs in a lightweight VM
Runtime vs engine vs orchestrator
| Layer | What it does | Example |
|---|---|---|
| Runtime | Directly operates the container | containerd, runc |
| Engine | User-facing CLI + image building, delegates to runtime | Docker |
| Orchestrator | Manages containers across hosts | Kubernetes |
See also
- cri — how kubelet talks to runtimes via gRPC
- docker-deprecation — why Docker was removed as a K8s runtime