Docker vs containerd vs CRI-O: An In-Depth Comparison

March 10, 2022

Introduction

Container deployment is a practical method for ensuring portability, scalability, and agility in the DevOps world. From testing to production, containers facilitate the entire software development process.

Platforms for container management and orchestration are designed to be intuitive and straightforward for the end-user. However, the platforms themselves are complex and consist of multiple coordinated projects.

This article will explain the differences between three important parts of the container management ecosystem - Docker, containerd, and CRI-O.

Docker vs containerd vs CRI-O: An In-Depth Comparison.

The Container Ecosystem

Docker and Kubernetes are two leading platforms in the container ecosystem. To ensure interoperability, the community agreed on several standards.

Two most important standards are:

  • CRI - Container Runtime Interface. It allows Kubernetes to be compatible with different container runtimes, including Docker's containerd.
  • OCI - Open Container Initiative. It standardizes container images and runtimes.

The infographic below shows how CRI and OCI help connect Kubernetes with Docker:

An infographic illustrating the container ecosystem.

Docker

Docker is a set of container management projects ran by the company called Docker. These projects work together to provide a comprehensive platform for container deployment.

The most important projects are:

  • docker CLI - A command line interface program. Users create and manage Docker containers by issuing docker CLI commands.
  • containerd - A daemon that listens to the user commands. It pulls and stores the requested images, and controls the container lifecycle.
  • runC - A lightweight, portable container runtime. runC is a low-level component that integrates components necessary for Docker to interact with the local system. The containers this tools creates are OCI compatible.
An infographic explaining how Docker works.

Note: Podman is one of the main Docker's competitors. Read about the differences in the Podman vs Docker article. And to start using Podman, check out our guides such as How to Install Podman on macOS.

Docker Images

A Docker image is a read-only template that contains the application code, along with the libraries, tools and other dependencies necessary for the application to work properly. When a user issues the run command in Docker, the image template is used to deploy an app container.

Docker images are created using Dockerfile, a text document that contains necessary image information. The build command uses Dockerfile and a context to create the image.

Docker for Kubernetes

Container Runtime Interface is a plugin that enables Kubernetes to communicate with other container runtimes. However, since Docker does not implement CRI, Kubernetes introduced a compatibility layer called dockershim. This layer bridges the two APIs.

As of version 1.23, Kubernetes requires runtimes to be CRI compatible. It means that dockershim is now deprecated, and Docker Engine is no longer supported as a runtime. However, Kubernetes can still communicate with Docker via containerd, which can be CRI compliant with a plugin.

Container Runtime Interface (CRI)

Although Kubernetes is a container orchestration platform, at the lowest level, it also needs to create and manage containers. To achieve this, Kubernetes uses container runtimes.

In the beginning, Docker Engine was the only available runtime on the platform. But the popularity of containerization resulted in competing solutions and the need for Kubernetes to support them all. With the Container Runtime Interface plugin, Kubernetes can communicate with all major runtimes.

An infographic explaining how Container Runtime Interface helps Kubernetes communicate with runtimes.

containerd

containerd is a Docker-made runtime solution. This daemon is available for Linux and Windows OSes. As part of the Docker project, containerd manages image transfer and storage, as well as container creation, execution and supervision.

Kubernetes does not need the entire Docker platform to use containerd. With the CRI compatibility plugin, Kubernetes and containerd can communicate directly.

CRI-O

CRI-O is an OCI-compatible lightweight implementation of the CRI. It was created as an alternative to Docker Engine.

With CRI-O, you can start Kubernetes pods and pull necessary images. However, it is not a runtime. Instead, it is used to launch other low-level OCI-compatible runtimes, such as runC or Kata.

Open Container Initiative (OCI)

Docker and other important container industry actors established the Open Container Initiative (OCI) in 2015. The OCI aims to create standards for container formats and runtimes. Currently, the OCI has two specifications:

  • image-spec - the image specification that outlines how to create an OCI-compliant image.
  • runtime-spec - the runtime specification for unpacking the filesystem bundle.

runC

runC is a universal container runtime created by Docker. Although it is a part of the Docker set of tools, it does not require Docker platform to run.

Some important features of runC are:

  • Full Linux namespaces support.
  • Native support for Linux security features, such as AppArmor, SELinux, etc.
  • Windows 10 containers native support.
  • Containers that runC creates and manages are OCI compliant.

Note: Bare Metal Cloud supports complex Kubernetes workloads and offers flexible packages for easy scaling of applications.

Conclusion

After reading this article, you should have a clearer understanding of the container ecosystem. The article focused on untangling differences between Docker, containerd, and CRI-O.

If you are interested in reading about Kubernetes architecture, read Understanding Kubernetes Architecture with Diagrams.

Was this article helpful?
YesNo
Marko Aleksic
Marko Aleksić is a Technical Writer at phoenixNAP. His innate curiosity regarding all things IT, combined with over a decade long background in writing, teaching and working in IT-related fields, led him to technical writing, where he has an opportunity to employ his skills and make technology less daunting to everyone.
Next you should read
Podman vs Docker: Everything You Need to Know
December 12, 2023

This article will compare two container management engines - Docker and Podman.
Read more
Kubernetes vs. Docker: Differences and Similarities Explained
October 13, 2022

If you are just getting acquainted with containers and container orchestration tools, you may find yourself thinking about the difference between Kubernetes and Docker.
Read more
What is Container Orchestration?
March 10, 2022

Container orchestration refers to a process that deals with managing the lifecycles of containers in large, dynamic environments.
Read more
Building Optimized Containers for Kubernetes
December 18, 2019

This article explores the most practical ways to create and optimize containers for a Kubernetes cluster.
Read more