Containers have become a popular way to package applications so that they run as if on their own machine while sharing the host kernel. Container runtimes are the software that starts and supervises these containers from container images. A runtime needs a standard procedure for launching a container, and a careful design that protects that launch path and preserves isolation afterwards.
The container runtime is an essential component of the larger cloud-native ecosystem, and a great deal of development has gone into it. Docker is the most widely known container runtime, though its core components have since been donated to open source foundations. Other options exist, such as CRI-O, which is built for the Kubernetes model, and several runtimes approach security differently with distinctive features.
The Linux Foundation-supported Cloud Native Computing Foundation (CNCF) has become a locus of significant, influential new cloud-native projects, housing service mesh tools, observability packages and security and compliance solutions, among many other areas. Below, we’ll take a look at four container runtime projects hosted under the CNCF umbrella. Most are OCI-compliant, but each carries nuances. These are some of the top projects to stay aware of in the burgeoning container field.
1. containerd
An industry-standard container runtime
containerd is a very popular container runtime. It originated at Docker, which in 2015 contributed its container format and its runtime, runc, to the newly formed Open Container Initiative under The Linux Foundation, and which donated containerd itself to the CNCF in 2017. containerd is available as a daemon for Linux and Windows and manages the complete container life cycle of its host system. According to the documentation, this comprises "image transfer and storage, container execution and supervision, low-level storage and network attachments."
Maintainers of containerd cite an emphasis on simplicity, robustness and portability. The runtime implements the image, distribution and runtime specifications of the Open Container Initiative (OCI), a Linux Foundation standards body. Following these standards means containerd can run any OCI image. For the runtime specification, containerd generates a default configuration to get started quickly, or engineers can supply their own; that configuration (config.json) is where a container's isolation is actually declared: its namespaces, capability sets, seccomp filter and root filesystem settings. OCI compliance also means interoperability with container registries.
containerd is relatively easy to integrate into projects through its Go client package. It is also the runtime behind managed Kubernetes services such as Amazon EKS and Google Kubernetes Engine, and behind many other container projects in the ecosystem. containerd became a CNCF graduated project in February 2019.
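To make the isolation point concrete, here is an added example of the kind of check a practitioner would run on an OCI runtime spec before handing it to containerd or runc. It is not containerd's code and not part of the original article: a small Go linter over a subset of config.json fields (the struct models only the fields it inspects), applied to two constructed specs, a deliberately weak one and a hardened one. The field names follow the OCI runtime spec; the list of risky capabilities and required namespaces is this example's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Spec mirrors the subset of an OCI runtime spec (config.json) that the
// checks below inspect. JSON tags follow the OCI runtime-spec field names;
// everything else in a real config.json is ignored by this example.
type Spec struct {
	Process struct {
		User struct {
			UID uint32 `json:"uid"`
		} `json:"user"`
		NoNewPrivileges bool `json:"noNewPrivileges"`
		Capabilities    struct {
			Bounding []string `json:"bounding"`
		} `json:"capabilities"`
	} `json:"process"`
	Root struct {
		Readonly bool `json:"readonly"`
	} `json:"root"`
	Linux struct {
		Namespaces []struct {
			Type string `json:"type"`
			Path string `json:"path"` // non-empty: join an existing namespace instead of creating one
		} `json:"namespaces"`
		Seccomp *struct {
			DefaultAction string `json:"defaultAction"`
		} `json:"seccomp"`
	} `json:"linux"`
}

// ParseSpec decodes a config.json document into the subset above.
func ParseSpec(data []byte) (*Spec, error) {
	var s Spec
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, fmt.Errorf("invalid OCI spec: %w", err)
	}
	return &s, nil
}

// Capabilities that let a process reach well beyond its container (example's
// own list); a bounding set containing them is rarely what a workload needs.
var riskyCaps = map[string]bool{
	"CAP_SYS_ADMIN": true, "CAP_SYS_PTRACE": true, "CAP_SYS_MODULE": true,
	"CAP_SYS_RAWIO": true, "CAP_NET_ADMIN": true, "CAP_DAC_READ_SEARCH": true,
}

// Namespaces the container must own; a missing entry means the container
// inherits the host's namespace of that type.
var requiredNamespaces = []string{"pid", "network", "mount", "ipc", "uts"}

// Lint returns one finding per isolation property the spec weakens, in a
// fixed order, or an empty slice for a spec that passes every check.
func Lint(s *Spec) []string {
	var findings []string
	for _, c := range s.Process.Capabilities.Bounding {
		if riskyCaps[c] {
			findings = append(findings, "process.capabilities.bounding grants "+c)
		}
	}
	if !s.Process.NoNewPrivileges {
		findings = append(findings, "process.noNewPrivileges is false: setuid binaries can regain privilege")
	}
	if s.Process.User.UID == 0 {
		findings = append(findings, "process.user.uid is 0: container runs as root")
	}
	if !s.Root.Readonly {
		findings = append(findings, "root.readonly is false: rootfs is writable")
	}
	have := map[string]string{}
	for _, ns := range s.Linux.Namespaces {
		have[ns.Type] = ns.Path
	}
	for _, t := range requiredNamespaces {
		path, ok := have[t]
		switch {
		case !ok:
			findings = append(findings, "linux.namespaces lacks "+t+": host "+t+" namespace is shared")
		case path != "":
			findings = append(findings, "linux.namespaces joins existing "+t+" namespace at "+path)
		}
	}
	if s.Linux.Seccomp == nil {
		findings = append(findings, "linux.seccomp is absent: no syscall filter")
	}
	return findings
}

// WeakSpec is a constructed config.json, deliberately weakened: CAP_SYS_ADMIN,
// root user, writable rootfs, host network joined by path, no ipc/uts, no seccomp.
const WeakSpec = `{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 0, "gid": 0}, "args": ["/bin/sh"], "noNewPrivileges": false,
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"]}
  },
  "root": {"path": "rootfs", "readonly": false},
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "network", "path": "/proc/1/ns/net"}]}
}`

// HardenedSpec is the constructed counterpart that passes every check.
const HardenedSpec = `{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 1000, "gid": 1000}, "args": ["/app/server"], "noNewPrivileges": true,
    "capabilities": {"bounding": ["CAP_NET_BIND_SERVICE"]}
  },
  "root": {"path": "rootfs", "readonly": true},
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "network"}, {"type": "mount"}, {"type": "ipc"}, {"type": "uts"}],
    "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}]}
  }
}`

func main() {
	for name, doc := range map[string]string{"weak": WeakSpec, "hardened": HardenedSpec} {
		s, err := ParseSpec([]byte(doc))
		if err != nil {
			fmt.Println(name+":", err)
			continue
		}
		findings := Lint(s)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it with `go run .`: the weak spec yields eight findings and the hardened one none. The document format is the same one containerd's client produces for a new container (for instance through `containerd.WithNewSpec` with its default options), so a check like this can sit between spec generation and task creation rather than relying on defaults being safe.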
2. CRI-O
A lightweight container runtime for Kubernetes
CRI-O is a container runtime built specifically for Kubernetes. It is an OCI-based implementation of the Kubernetes Container Runtime Interface (CRI), the gRPC API through which the kubelet drives whichever runtime a node is configured with, so Kubernetes needs no runtime-specific code of its own.
CRI-O has a broad base of contributors. It is also lighter than Docker Engine, since it carries only what Kubernetes needs, and its structure makes it easier to add security layers on top, as the openSUSE Kubic team, who adopted CRI-O as their default runtime, found. At the time of writing, CRI-O is an incubating project with CNCF.
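As an added illustration of where those security layers are wired in (a constructed fragment, not taken from the article or from CRI-O's shipped defaults), here is the part of crio.conf that fixes the baseline every pod inherits: the OCI runtime used, the seccomp, AppArmor and SELinux policy, and the default capability bounding set. The key names are CRI-O's; the values are this example's assumptions.

```toml
# crio.conf fragment (constructed example)
[crio.runtime]
# Route every pod through runc by default; a hardened runtime can be
# registered below and selected per pod with a Kubernetes RuntimeClass.
default_runtime = "runc"
# Leave seccomp_profile empty so CRI-O applies its built-in default
# profile; point it at a file only for a deliberately tuned profile.
seccomp_profile = ""
apparmor_profile = "crio-default"
selinux = true
# Bounding set for containers that do not request extra capabilities.
default_capabilities = [
  "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID", "SETUID",
  "SETPCAP", "NET_BIND_SERVICE", "KILL",
]

[crio.runtime.runtimes.runc]
runtime_path = "/usr/bin/runc"
runtime_type = "oci"
```

The kubelet is pointed at CRI-O with `--container-runtime-endpoint=unix:///var/run/crio/crio.sock`; from then on every pod's OCI spec is generated from these settings plus whatever the pod's securityContext requests, which is why a tight crio.conf is worth auditing before any per-workload policy.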
3. Inclavare Containers
A novel container runtime for cloud-native confidential computing
A more use case-specific option is Inclavare Containers. The name comes from the Latin root of the word enclave, and, true to its derivation, Inclavare emphasizes shut-in, locked-up container execution. The open source Inclavare container runtime brings a distinct security architecture for confidential computing scenarios.
According to the Inclavare documentation, other container runtimes rely too heavily on cloud service provider privileges; this leaves an opening for a malicious party holding those privileges to obtain credentials from a legitimate guest and use them to reach confidential data. Inclavare instead relies on hardware isolation, removing the dependence on CSP privileges and on other software-only means of separation, to close off that path.
Thus, Inclavare brings a "novel approach for launching protected containers in hardware-assisted trusted execution environment (TEE) technology." Explicitly designed with confidentiality in mind, Inclavare may appeal to health care applications that require HIPAA compliance, and to financial, blockchain, e-learning and other scenarios.
Those familiar with containerd will notice similarities in the Inclavare container runtime's design. It is made of three main components: the rune CLI tool (derived from runc), a containerd shim for rune, and the enclave runtime that executes the workload inside the TEE. Inclavare Containers is a CNCF sandbox project at the time of writing.
4. WasmEdge Runtime
A cloud-native WebAssembly runtime for edge computing
Last on the list of CNCF-hosted runtime projects is WasmEdge. The package is described as a "lightweight, high-performance and extensible WebAssembly runtime for cloud-native, edge and decentralized applications." This makes the project a good fit for edge computing use cases such as IoT devices and automobiles, as well as Jamstack and blockchain applications.
Compared to the others on this list, WasmEdge is unique in that it executes WebAssembly bytecode rather than OCI containers. A WebAssembly module is sandboxed by the runtime itself and can touch the host only through the imports (such as WASI) that the embedder chooses to provide. WasmEdge implements the WebAssembly specification along with a number of its standard proposals and extensions.
WasmEdge can be started from a CLI or embedded in an existing process through its SDKs. One great strength and use case of WasmEdge is plugins. The tool can "safely execute user-defined or community-contributed code as plugins in a software product," which lets third-party developers extend a product's core functions while the host confines what their code can reach. At the time of writing, WasmEdge is a sandbox project with the CNCF.
Comparing Container Runtimes
Of course, the Docker runtime is well-established, and many developers will be satisfied with its capabilities, though Docker Engine itself now runs containers through containerd and runc underneath. Greenfield development, however, may opt for an alternative container runtime to satisfy particular needs.
To review, containerd is a mature open source runtime and the engine beneath Docker. CRI-O suits shops that want a runtime tightly coupled to Kubernetes. Inclavare may appeal to those for whom confidentiality is top of mind. Lastly, WasmEdge is a specialized runtime for executing WebAssembly code at the edge.
In addition, there are plenty of other non-CNCF container runtimes. For example, Kata Containers runs each container inside its own lightweight virtual machine. The broader category also includes Firecracker (microVMs), gVisor (a user-space application kernel that intercepts syscalls), LXD (system containers), SmartOS zones and Singularity (HPC workloads).