crun VS rules_docker

Yep pretty much.

The executables bundle crun (a container runtime)[0], and a fuse implementation of squashfs and overlayfs. Appended to that is a squashfs of the image.

At runtime the squashfs and overlayfs are mounted and the container is started.

[0]: https://github.com/containers/crun

cpu: 4 disk: 60 memory: 12 arch: host hostname: colima autoActivate: true forwardAgent: false # I only tested this with 'docker', not 'containerd': runtime: docker kubernetes: enabled: false version: v1.24.3+k3s1 k3sArgs: [] network: address: true dns: [] dnsHosts: host.docker.internal: host.lima.internal # Added: # - containerd-snapshotter: true (meaning containerd will be used for pulling images) # - default-runtime / runtimes: crun (instead of the default 'runc') docker: default-runtime: crun features: buildkit: true containerd-snapshotter: true runtimes: crun: path: /usr/local/bin/crun vmType: vz rosetta: true mountType: virtiofs mountInotify: false cpuType: host # This provisioning script installs WasmEdge and builds crun with wasmedge support: provision: - mode: system script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 echo "Install system updates:" apt-get update -y apt-get upgrade -y echo "Install WasmEdge and crun dependencies:" # NOTE: packages curl git python3 already installed: apt-get install -y make gcc build-essential pkgconf libtool libsystemd-dev libprotobuf-c-dev libcap-dev libseccomp-dev libyajl-dev libgcrypt20-dev go-md2man autoconf automake criu apt-get clean -y - mode: user script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 echo "Installing WasmEdge:" curl -sSf https://raw.githubusercontent.com/WasmEdge/WasmEdge/master/utils/install.sh | sudo bash -s -- -p /usr/local echo echo "`wasmedge -v` installed!" # NOTE: I failed to Configure Wasmtime properly - turned off for now: #echo "Installing Wasmtime:" #curl -sSf https://wasmtime.dev/install.sh | bash #sudo cp .wasmtime/bin/* /usr/local/bin/ #rm -rf .wasmtime #echo "`wasmtime -V` installed!" echo "Install crun:" git clone https://github.com/containers/crun cd crun ./autogen.sh #./configure --with-wasmedge --with-wasmtime ./configure --with-wasmedge make sudo make install crun -v echo "crun installed! Replacing runc with crun:" # NOTE: replacing runc with runc is to simplify containerd config TRC=`which runc` sudo rm -rf $TRC sudo cp `which crun` $TRC echo "Configuring containerd:" sudo mkdir -p /etc/containerd/ containerd config default | sudo tee /etc/containerd/config.toml >/dev/null echo "Restarting/reloading docker/containerd services:" sudo systemctl daemon-reload sudo systemctl restart containerd # As soon as Colima writes its /etc/docker/daemon.json file (right after this provisioning script), # it will also start the Docker daemon. If we stop Docker here, the changes will actually take effect: sudo systemctl stop docker sshConfig: true mounts: [] env: {}

On this note, I was really surprised to find Red Hat's OCI runtime is written in C: https://github.com/containers/crun

Is anyone working on a Rust version?

It's interesting that, in light of things like this, you still see large software companies adding support for new components written in non-memory safe languages (e.g. C)

As an example Red Hat OpenShift added support for crun(https://github.com/containers/crun) this year(https://cloud.redhat.com/blog/whats-new-in-red-hat-openshift...), which is written in C as an alternative to runc, which is written in Go(https://github.com/opencontainers/runc)...

Kubernetes needs an OCI runtime to run containers with. Crun is one implementation it can use.

Docker also appears to be able to use crun for it's engine as well. https://github.com/containers/crun/issues/37

crun

Looks like https://github.com/containers/crun/issues/255 - start there.

My company uses Bazel's rules docker to build our images: https://github.com/bazelbuild/rules_docker

They're pretty great and have a lot of the caching and parallelism benefits mentioned in the post for free out of the box, along with determinism (which Docker files don't have because you can run arbitrary shell commands). Our backend stack is also built with Bazel so we get a nice tight integration to build our images that is pretty straightforward.

We've also built some nice tooling around this to automatically put our maven dependencies into different layers using Bazel query and buildozer. Since maven deps don't change often we get a lot of nice caching advantages.

I've seen rules_docker is looking for maintainers here ; Does this mean it doesn't use it that much internally? If so, how do they go about using other services e.g docker-compose for running external services e.g database?

Did you mean this one? https://github.com/bazelbuild/rules_docker

I was very interested in this Bazel-based way of building containers but its README page says "it is on minimal life support," which does not inspire confidence. How's your experience using it?

As others have said docker in docker or a separate build server are your best options using docker. You can also use Bazel (which doesn't require the docker daemon) to build docker images which will build deterministic images every time due to not incorporating the timestamp: https://github.com/bazelbuild/rules_docker

There's some BazelCon talks about people doing similar stuff but not actually open sourcing their code.

P.S. if you use rules_docker please feel free to open a PR to add your company to our README: https://github.com/bazelbuild/rules_docker/#adopters

The docker utility isn't the only way to build and run containers. There's also cri-o, podman, and crun among others for running containers. For building there is podman again, Jib for Java applications, and bazel plus many others. The docker approach of using a client to connect to a daemon required to run as root has turned out to be slow and insecure.

During the last 3 years I've had the pleasure of using Bazel's rules_docker to generate all my container images (https://github.com/bazelbuild/rules_docker).

In a nutshell, rules_docker is a set of build rules for the Bazel build system (https://bazel.build). What's pretty nice about these rules is that they don't rely on a Docker daemon. They are rules that directly construct image tarballs that you can either load into your local Docker daemon or push to a registry.

What's nice about this approach is that image generation works on any operating system. For example, even on a Mac or Windows system that doesn't have Docker installed, you're able to build Linux containers. They are also fully reproducible, meaning that you often don't need to upload layers when pushing (either because they haven't changed, or because some colleague/CI job already pushed those layers).

I guess rules_docker works fine for a variety of programming languages. I've mainly used it with Go, though.