Understanding Docker, containerd, CRI‑O, OCI and runc: The Container Ecosystem Explained

Since Docker sparked an explosive growth in container usage, many tools and standards have emerged, creating a confusing set of terms. This article introduces Docker, containerd, CRI, CRI‑O, OCI, and runc, and explains how the container ecosystem works together.

Container Ecosystem

The container ecosystem consists of numerous exciting technologies, a plethora of specialized terminology, and competing companies. Occasionally, these companies collaborate to define standards that improve interoperability across platforms and reduce reliance on a single project.

The diagram below shows how Docker, Kubernetes, CRI, OCI, containerd, and runc fit together.

The workflow can be summarized as follows:

Tools such as Docker or Kubernetes invoke a container runtime (CRI) like containerd or CRI‑O.

The runtime performs the actual creation, execution, and destruction of containers.

Docker

Docker is the most popular tool for managing containers, but it is not the only one. Other notable container tools include Podman, LXC, containerd, and Buildah.

Docker consists of several projects:

docker‑cli : a command‑line interface used for commands such as docker pull , build , run , and exec .

containerd : a daemon that manages and runs containers, handling image transfer, storage, networking, and lifecycle management.

runc : a low‑level runtime that creates and runs containers by interacting directly with the kernel.

Docker Images

Docker images are packaged in the Open Container Initiative (OCI) format, meaning they can be used by any OCI‑compatible tool, whether on Docker Hub, Kubernetes, or Podman.

Dockershim

Kubernetes originally included a component called dockershim to support Docker, because Docker pre‑dated the CRI. Starting with Kubernetes 1.24 (April 2022), dockershim was removed, and Kubernetes now prefers runtimes that implement the CRI such as containerd or CRI‑O. This does not prevent Kubernetes from running Docker‑format images, as those runtimes can handle OCI images directly.

Container Runtime Interface (CRI)

CRI is an API that allows Kubernetes to manage containers with different runtimes without needing built‑in support for each one. Any runtime that conforms to the CRI can be used by Kubernetes.

containerd

containerd is a high‑level container runtime originally part of Docker, now donated to the Cloud Native Computing Foundation (CNCF). It implements the CRI and manages the full container lifecycle, from image transfer to execution and monitoring.

CRI‑O

CRI‑O is another CRI‑compatible runtime, created as an alternative to containerd by companies such as Red Hat, IBM, Intel, and SUSE. It uses OCI‑compatible runtimes to start, stop, and restart containers.

Open Container Initiative (OCI)

OCI is a consortium of technology companies that defines open standards for container images and runtimes, ensuring that different implementations can interoperate across Linux, Windows, and other platforms.

runc

runc is a lightweight, generic runtime that implements the OCI specification. It interacts with kernel features like namespaces and cgroups to create and run container processes.

Alternative runtimes include:

crun : a C‑based runtime (runc is written in Go).

kata-runtime : from the Kata Containers project, running containers as lightweight VMs.

gVisor : Google’s sandboxed runtime that implements OCI as runsc .

On Windows, the equivalent of runc is Microsoft’s Host Compute Service (HCS) with the runhcs tool.

Summary

Docker is only a small part of a larger container ecosystem that includes many open standards and interchangeable implementations such as OCI, CRI, containerd, CRI‑O, and runc. These standards enable flexibility and prevent vendor lock‑in across cloud‑native environments.