Photo by Braden Collum on Unsplash
Alternative container runtimes thanks to the Open Container Initiative
Power Runners
Even though containers in the Linux environment are not new and have been available in the form of Linux Containers (LXC) for more than a decade, the big hype about containers only started with the release of Docker in 2013. Docker was the first comprehensive solution for operating application containers. The engine was implemented as a comprehensive API daemon with many tasks. Of course, its primary job is to start and stop containers, but part of the scope is also the management of the images, which are necessary for the operation of the containers.
Cryptographic verification of container images was added to the list of the Docker engine's tasks in version 1.10. Because containers have an IP address, the daemon needs its own network segment from which IP addresses can be assigned to the containers. If you want to manage the containers and images with the docker command-line tool, you also have to communicate with the Docker daemon. If the service is not available at some point, the requests do not receive responses.
All this already shows the big problem with the initial implementations of the Docker engine. It couldn't do anything without the Docker service. Even if this central approach might still seem sensible for the deployment of containers, it no longer meets modern requirements, in which issues such as process isolation or privilege separation also play a major role.
The problem was identified at an early stage, and various projects have been developed to establish alternative container runtimes. Docker itself has also gone through a certain development process, driven by the Open Container Initiative (OCI) [1] under the auspices of the Linux Foundation. This is a merger of well-known companies from the container environment, including Docker Inc., the company behind Docker. OCI has developed two specifications that define the exact tasks of the container runtime
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
CRI-O and Kubernetes Security
The crictl troubleshooting tool and runc container runtime pair up to help identify and diagnose issues with Kubernetes Pods and clusters. -
Managing containers with Podman
The Podman container management tool does not use a daemon in the background, like its counterpart Docker, and can operate in non-privileged mode. -
OCI containers with Podman
The Podman alternative to Docker is a daemonless container engine with a run time that executes on request in root or user mode. -
Securing the container environment
Implement a good, robust defense with an in-depth strategy of applying multiple layers of security to all components, including the human factor. -
Kubernetes containers, fleet management, and applications
Kubernetes is all the rage, but many admins find themselves struggling to get started. We present the basic architecture and the most important components and terms.