Home

containerruntime

Container runtime, or containerruntime, is the software layer responsible for running containers on a host. It handles the creation, execution, and lifecycle of containers, providing isolation through Linux namespaces, cgroups, and other kernel features, and it coordinates access to container images and storage. A container runtime is typically used as part of a larger container platform or orchestration system such as Kubernetes or Docker Swarm, and it relies on standard interfaces and formats defined by the Open Container Initiative (OCI).

Architecturally, most runtimes separate the low-level execution engine from higher-level management. The low-level OCI runtime (for

Kubernetes uses the Container Runtime Interface (CRI) to interact with supported runtimes. Popular CRI implementations include

Common runtimes and components include runC (the reference OCI runtime), containerd (a daemon that manages images,

Security and compliance are shaped by OCI standards, container isolation features (namespaces, cgroups, seccomp), and configuration

example
runC)
actually
starts
and
manages
a
container
process.
A
daemon
such
as
containerd
or
CRI-O
handles
image
pulling,
snapshot
management,
and
container
lifecycle,
and
it
communicates
with
the
orchestration
layer
via
a
runtime
API.
A
shim
process
may
exist
to
detach
the
container
process
from
the
daemon,
allowing
clean
restarts
and
resource
accounting.
containerd
and
CRI-O.
Docker
Engine
used
to
be
a
default
runtime
and,
after
the
deprecation
and
removal
of
the
legacy
dockershim
in
recent
Kubernetes
releases,
is
no
longer
recommended
for
Kubernetes
clusters;
users
migrate
to
containerd
or
CRI-O.
containers,
and
snapshots),
and
CRI-O
(a
lightweight,
Kubernetes-oriented
runtime
that
delegates
execution
to
an
OCI
runtime
such
as
runC
or
crun).
Some
environments
also
use
sandboxing
alternatives
like
gVisor
for
enhanced
isolation,
or
microVM-based
options
in
specialized
workloads.
policies.
Performance
and
reliability
considerations
include
startup
time,
resource
accounting,
and
compatibility
with
container
images
and
storage
backends.