Comparing 3 Docker container runtimes - Runc, gVisor and Kata Containers

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • runc

    CLI tool for spawning and running containers according to the OCI specification

    Previously I wrote about the multiple variants of Docker and also about the dependencies behind the Docker daemon. One of those dependencies was the container runtime called runc. That is what creates the usual containers we are all familiar with. When you use Docker, this is the default runtime, which is understandable since it was started by Docker, Inc.

  • gvisor

    Application Kernel for Containers

    Although the documentation also mentions "youki", it is described as a "drop-in replacement" for the default runtime that basically does the same thing, so let's stick with runc. The second runtime will be the Kata runtime from Kata Containers, since it runs small virtual machines, which is good for showing how differently it uses the CPU and memory. This also adds a higher level of isolation, with some downsides as well. And the third runtime will be runsc from gVisor, which is a perfect third runtime to see how we can run containers and still have a little more secure isolation. I will show how we can recognize the differences by running commands from the isolated environments and from the host.

  • kata-containers

    Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

    I bet the first thing you think is that it is a bug. There is an issue on GitHub where someone thought the same. The fact is that Kata Containers are different and there are limitations. The first one I noticed too: there is no way to share process or network namespaces between Docker containers. The fact that you cannot use the process namespace or network namespace of the host is easily understandable, because we have a VM and not just a host kernel isolating our processes.

  • Moby

    The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

    Originally Docker created only containers. In fact, it used LXC as an "exec driver" which is basically what we call runtime today or at least the closest thing to it. It was deprecated in Docker 1.8.0.

  • nvidia-container-runtime

    Discontinued NVIDIA container runtime

    Now you can even choose a runtime which creates a virtual machine, or a container with more secure isolation. Once there was a runtime for using an NVIDIA GPU called nvidia-container-runtime. That project is now deprecated, and Docker has the "--gpus" option instead. Talking about GPUs is not in the scope of this blog post, but it is a good example of a special runtime that gave additional capabilities to containers.
