How Alibaba Achieved 100% Containerization with PouchContainer
Alibaba’s PouchContainer, an internally built container runtime, combines LXC and Docker technologies to enable full‑scale, non‑intrusive containerization of online services, offering rich features such as systemd‑based rich containers, enhanced isolation, P2P image distribution, in‑place upgrades, and native Kubernetes integration.
Introduction
Alibaba needed to containerize millions of online services for large‑scale events such as Double‑11, requiring a runtime that would not disrupt existing development or operations workflows. PouchContainer was created to meet these requirements.
History and Evolution
Development began in 2011 using LXC, Cgroup, and Namespace technologies. In 2015 Alibaba integrated Docker image capabilities, merging LXC and Docker to form PouchContainer, which was open‑sourced in 2017. All source code and feature changes are publicly available on GitHub.
Architecture Overview
The architecture consists of three vertical layers: the scheduling layer (including Kubernetes and CRI), the engine layer, and the runtime layer (runc, runlxc, kata‑container). The container manager controls networking and storage, while the top layer hosts Pods or containers.
Rich Container Features
PouchContainer packages all operational tools (systemd, syslogd, SSHD, etc.) inside the container, ensuring zero intrusion for developers and operators. This “rich container” approach enables seamless adoption across heterogeneous applications.
Full compatibility with existing container images.
Preserves existing operational tooling without modification.
Enhanced Isolation
Systemd inside the container provides fine‑grained process management, handling zombie processes and allowing control of services like syslogd and SSHD. Hook mechanisms (pre‑start, post‑stop) support custom initialization and cleanup.
Resource visibility isolation is achieved with lxcfs, which presents the container's actual cgroup limits (e.g., memory) in /proc files such as /proc/meminfo. Without it, applications such as Java read host‑wide values, size their heaps accordingly, and hit OOM errors once they exceed the cgroup limit.
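The lxcfs point above, as an added example that is not from the article or the PouchContainer project: a POSIX shell check that computes the JVM's classic default heap (a quarter of the RAM it sees) from a /proc/meminfo view and tests whether it fits the cgroup limit. The sample meminfo texts and the 4 GiB limit are constructed; the one‑quarter default and the cgroup file paths are standard JVM and kernel behaviour, not taken from the article.

```shell
# Constructed sample inputs (not from the article): /proc/meminfo as seen from
# a 256 GiB host without lxcfs, the same file as lxcfs presents it inside a
# 4 GiB container, and that container's cgroup v1 memory limit in bytes.
HOST_MEMINFO='MemTotal:       268435456 kB
MemFree:        134217728 kB'
LXCFS_MEMINFO='MemTotal:         4194304 kB
MemFree:          2097152 kB'
CGROUP_LIMIT_BYTES=4294967296

# Read meminfo text on stdin and print the MemTotal value in kB.
meminfo_total_kb() {
  while read -r key value rest; do
    if [ "$key" = "MemTotal:" ]; then echo "$value"; return 0; fi
  done
  return 1
}

# Classic JVM default maximum heap: one quarter of the RAM the JVM sees.
jvm_default_heap_kb() {
  echo $(( $1 / 4 ))
}

# Exit 0 if the default heap computed from $1 (meminfo text) fits inside the
# cgroup limit $2 (bytes); exit 1 if the JVM would be sized past the limit
# and risk an OOM kill.
heap_fits_cgroup() {
  total_kb=$(printf '%s\n' "$1" | meminfo_total_kb)
  heap_kb=$(jvm_default_heap_kb "$total_kb")
  limit_kb=$(( $2 / 1024 ))
  [ "$heap_kb" -le "$limit_kb" ]
}

# Run the same comparison against the live container: cgroup v2 exposes
# memory.max, cgroup v1 exposes memory/memory.limit_in_bytes.
live_check() {
  if [ -r /sys/fs/cgroup/memory.max ]; then
    limit=$(cat /sys/fs/cgroup/memory.max)
  elif [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then
    limit=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes)
  else
    echo "no cgroup memory limit file found" >&2; return 2
  fi
  if [ "$limit" = "max" ]; then echo "no memory limit set"; return 0; fi
  heap_fits_cgroup "$(cat /proc/meminfo)" "$limit"
}
```

Run `live_check` inside a container to see whether its /proc/meminfo view would mislead a memory‑sizing process; newer JVMs read cgroup limits directly, so the mismatch mainly affects older runtimes and tools that still rely on /proc/meminfo.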
Disk quota and inode isolation prevent one container from exhausting shared filesystem resources, protecting co‑located containers.
P2P Image Distribution
To avoid bottlenecks when thousands of machines pull large images during peak events, Alibaba uses Dragonfly, a P2P‑based smart file distribution system, improving download efficiency, flow control, and security.
In‑Place Upgrade for Stateful Applications
PouchContainer exposes an Upgrade interface that swaps the container’s image while preserving stateful data, enabling seamless upgrades without downtime. This capability is integrated into Alibaba’s internal scheduler (Sigma).
Native Kubernetes Support
By implementing the Container Runtime Interface (CRI), PouchContainer can be used as a drop‑in runtime for Kubernetes, passing all production‑grade features (including lxcfs support) to the orchestration layer.
Conclusion
Through rich containers, strong isolation, P2P image distribution, in‑place upgrades, and native Kubernetes integration, PouchContainer allows Alibaba to achieve 100% containerization of its online business with minimal disruption.
This article has been distilled and summarized from source material, then republished for learning and reference.
Alibaba Cloud Native