Container Runtimes

A container runtime is a program that runs application containers on a host machine. It is responsible for pulling container images and creating containers from them, for starting, stopping, and deleting those containers, and for isolating them using Linux namespaces and control groups (cgroups). Examples of widely used runtimes include containerd, CRI-O, and components of the Docker stack. Docker is a broader container platform: it bundles an API server, a command-line interface (CLI), and a runtime together so you can build, ship, and run containers from one ecosystem.

CRI (Container Runtime Interface)

CRI is an API defined by Kubernetes. It lets Kubernetes stay decoupled from any single container runtime: the control plane talks to runtimes through CRI instead of hard-coding one implementation. Any runtime that implements the CRI can plug into Kubernetes. CRI-O is a runtime that conforms to OCI standards and is built specifically to serve Kubernetes as a lightweight, CRI-focused option.

OCI (Open Container Initiative)

OCI is an industry standard that defines container formats and execution. It specifies two main documents: the image specification, which defines how images are built and represented, and the runtime specification, which defines how a container is unpacked and executed on the host.

Runtime layers

Container software is often split into a high-level and a low-level runtime. High-level runtimes such as containerd and CRI-O manage image transfer, storage, and the overall lifecycle of containers (create, start, stop, delete). Low-level runtimes such as runc actually start processes in the host kernel using namespaces, cgroups, and related isolation and networking primitives. The high-level layer typically delegates the final execution step to an OCI-compliant low-level runtime like runc.
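The hand-off between the two layers is a bundle on disk: the high-level runtime writes an OCI runtime-spec `config.json` next to the unpacked root filesystem, and runc reads it to decide which namespaces, capabilities, mounts and seccomp filter the process gets. That file is where the isolation the OCI runtime specification describes is actually decided, so it is also the natural place for a defender to check that a container is not quietly sharing host resources. The following is an added example, not code from the article or from any runtime project. It uses only field names from the OCI runtime specification (`process.user`, `process.noNewPrivileges`, `process.capabilities`, `root.readonly`, `mounts`, `linux.namespaces`, `linux.seccomp`); the two embedded configs are constructed for this example, and the lists of dangerous capabilities and sensitive host paths are this example's own assumptions about what deserves review, not a standard.

```python
"""Audit an OCI runtime-spec bundle config (config.json) for risky settings.

Added example, not part of the original article. Field names follow the OCI
runtime specification; both sample configs below are constructed for this
example and do not come from a real bundle.
"""
import json

# Constructed sample: a bundle that a high-level runtime might hand to runc for a
# container started with privileged-style settings.
WEAK_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "args": ["/bin/sh"],
        "noNewPrivileges": False,
        "capabilities": {
            "bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
            "effective": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
        },
    },
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/var/run/docker.sock", "type": "bind",
         "source": "/var/run/docker.sock", "options": ["rbind", "rw"]},
    ],
    # No "network" namespace entry: runc then leaves the process in the host
    # network namespace. No "seccomp" object: no syscall filter is installed.
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"},
                       {"type": "ipc"}, {"type": "uts"}],
    },
})

# Constructed sample: the same workload with the settings corrected.
HARDENED_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 1000, "gid": 1000},
        "args": ["/bin/sh"],
        "noNewPrivileges": True,
        "capabilities": {
            "bounding": ["CAP_NET_BIND_SERVICE"],
            "effective": ["CAP_NET_BIND_SERVICE"],
        },
    },
    "root": {"path": "rootfs", "readonly": True},
    "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"}],
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "network"}, {"type": "mount"},
                       {"type": "ipc"}, {"type": "uts"}],
        "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": []},
    },
})

# Assumed review lists for this example (not from any specification).
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN"}
EXPECTED_NAMESPACES = {"pid", "network", "mount", "ipc", "uts"}
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd/containerd.sock",
                        "/proc/sys", "/sys/fs/cgroup")


def is_sensitive_host_path(source: str) -> bool:
    """True if a bind-mount source is one of the assumed sensitive host paths."""
    return any(source == p or source.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_oci_config(config_text: str) -> list[str]:
    """Return human-readable findings for a config.json; empty list means clean."""
    cfg = json.loads(config_text)
    findings = []

    proc = cfg.get("process", {})
    if proc.get("user", {}).get("uid") == 0:
        findings.append("runs as uid 0 inside the container")
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is not set")
    caps = proc.get("capabilities", {})
    granted = set(caps.get("bounding", [])) | set(caps.get("effective", []))
    for cap in sorted(granted & DANGEROUS_CAPS):
        findings.append(f"dangerous capability {cap}")

    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")

    linux = cfg.get("linux", {})
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"shares host {ns} namespace")
    if "seccomp" not in linux:
        findings.append("no seccomp profile")

    for m in cfg.get("mounts", []):
        if m.get("type") == "bind" and is_sensitive_host_path(m.get("source", "")):
            findings.append(f"bind mount of sensitive host path {m['source']}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_oci_config(text) or 'no findings'}")
```

Run it with `python audit_oci_config.py` (or pass a real bundle's `config.json` text to `audit_oci_config`). The check treats a missing namespace entry as "shares the host namespace" because that is what the runtime spec implies: runc only creates the namespaces listed, so an omitted `network` entry is not a default but a choice the high-level runtime made on the container's behalf.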