A recent K8s host‑level deployment triggered massive service timeouts because runc 1.1.5 passed incorrect CPU‑binding masks to systemd, causing containers to share cores, inflating load and starving workloads, a problem uncovered with Perfetto, BPF tracing and a targeted bug‑fix upgrade.
This article provides a comprehensive overview of the core container technologies—Docker, containerd, runc, and Kubernetes—explaining their evolution, relationships, component roles, runtime layers, security options, and practical recommendations for choosing the right runtime in development and production environments.
Docker containers often stop right after starting because the foreground process (PID 1) exits, and without a persistent daemon the container shuts down, a behavior explained by Linux init mechanics, process tables, and the Docker runtime architecture.
The article outlines a comprehensive, bottom‑up learning path for containers, covering Linux container fundamentals, images, runtimes, managers, orchestrators, and non‑Linux implementations, while clarifying common misconceptions, explaining how runtimes like runc work, and comparing Docker, containerd, and Kubernetes.
This article walks through diagnosing and resolving two common Kubernetes issues—node memory leaks caused by kmem accounting and expired cluster certificates—by showing how to detect the problems, rebuild runc and kubelet, and extend certificate validity using kubeadm and manifest edits.
The article explains the runc 1.1.11 container‑escape vulnerability (CVE‑2024‑21626), how it allows attackers to break out of containers and gain host privileges, details Huawei Cloud’s reproduction steps, and provides mitigation guidance including upgrading to runc 1.1.12 and using HSS scanning and intrusion‑detection features.
This article explains why Docker containers often stop right after starting, covering the role of PID 1, Linux init processes, daemonized services, and the container runtime architecture that determines container lifecycle.
This article explains why Docker containers often stop right after starting by examining the Linux PID 1 init process, the behavior of foreground versus daemonized commands in Dockerfiles, and how container runtimes like containerd‑shim and runc manage the container’s main process.
This article walks through diagnosing and resolving two frequent Kubernetes problems—memory‑leak errors that cause "cannot allocate memory" or "no space left on device" messages, and expired cluster certificates—by checking cgroup stats, recompiling runc and kubelet, and renewing certificates with kubeadm for long‑term validity.
This article explains the key components and standards of the container ecosystem—including Docker, containerd, CRI‑O, OCI and runc—detailing how they interact, the role of the Container Runtime Interface, and why Docker is only a small part of a broader, interoperable cloud‑native landscape.
This guide walks through a real‑world Docker exec failure, explains the relationship between kubelet, docker‑shim, containerd, and runc, shows step‑by‑step commands to isolate the faulty component, and reveals that a resource‑limit (pids) exhaustion in the container caused the runc exec error.
This article explains the relationship between kubelet, Docker, containerd, and runc, walks through a real‑world exec failure logged by dockerd, and shows how to pinpoint the faulty component, identify resource‑limit causes, and understand runc’s execution workflow.
RunC, the OCI‑compliant low‑level container runtime originally derived from Docker’s libcontainer, works alongside high‑level runtimes like containerd and cri‑o, and this article explains its origins, lifecycle states, usage commands, and how it fits into the broader cloud‑native container ecosystem.
The article recounts a real‑world incident where a container engine restart broke a FIFO, causing a Java service to stop responding, and walks through the step‑by‑step debugging process, explains the underlying stdio forwarding mechanism in container runtimes, and shows how a simple flag change fixes the bug.
This article provides a detailed overview of Docker’s evolution, the role of containerd, runc, and CRI in modern container runtimes, explains how Docker delegates container lifecycle management to containerd‑shim, and offers step‑by‑step instructions for installing, configuring, and using containerd with its CLI tools on Linux.
Many Docker beginners encounter containers that stop immediately after launch, often due to the CMD process exiting as PID 1; this article explains Linux PID 1 behavior, process tables, zombie and orphan processes, and how Docker’s namespace and runtime components like containerd‑shim and runc affect container lifecycles.
An Alibaba Cloud expert walks through a rare Kubernetes node NotReady issue, detailing how PLEG failures, Docker daemon stack traces, runC’s D‑Bus interactions, and a systemd cookie overflow combine to stall nodes, and explains the debugging steps and eventual fix.
A critical CVE‑2019‑5736 vulnerability in the runc container runtime lets a malicious container overwrite the host’s runc binary, granting attackers root‑level code execution that can compromise other containers, the host system, and the network, with a CVSS 3.0 score of 7.2, affecting runc, Apache Mesos and LXC, and requiring prompt updates.
This article explains Alibaba's approach to migrating stateful containers at massive scale, covering the challenges of pod identity, resource duplication, hot versus cold migration, limitations of RunC and CRIU, and the opportunities presented by new container runtimes and process‑level virtualization.
The article examines how CaaS providers are replacing Docker with RunC‑based solutions such as CRI‑O, Unified Containerizer, and Garden, outlines the evolution of the container ecosystem, discusses the strategic implications for production environments, and forecasts future trends and community contributions.
