I am a little bit confused about the difference between podman, CRI-O and RunC.
I would appreciate it if you could simply clarify the difference between them and how they are related to each other, especially in OpenShift 4.
Let me, from my short knowledge, try to differentiate those concepts.
- Podman is just a program that is able to create containers in a host, given a container image. It creates the necessary filesystem views, virtual networks and processes for the container to run in a secure way. It is based, IIRC, on the `containerlib` library.
- RunC is another program able to create containers, like `containerlib` does. This is the one Docker uses to create containers on a Linux host.
- CRI-O stands for "Container Runtime Interface - OpenShift". It is just an interface, that is, an API anyone can use from a program to communicate with a CRI-O compatible server. It is actually an extension of the "CRI" interface defined by Kubernetes. IIRC, Podman implements CRI-O, while Docker implements "CRI".
About its relation with OpenShift: OpenShift expects its nodes to have some server that satisfies "CRI" in order to orchestrate containers on those nodes. It is desirable that the server satisfies "CRI-O", but AFAIK it is not mandatory (yet).
That's why OCP nodes usually contain a Docker daemon in order to respond to OpenShift CRI requests. If the nodes contain a Podman server, OCP will use the CRI-O interface.
Hope that helps a bit!
Allow me to elaborate on the answer from Jordi:
Runc is a small container runtime, originated from the Moby project, the open source project that provides the essential capabilities of Docker. It starts and stops containers but is not designed to be used as an end-user tool.
Podman and CRI-O are container engines. They are front-ends to manage local containers. Podman is designed with system administrators and developers in mind, while CRI-O is designed to satisfy the requirements of Kubernetes alone, implementing the CRI specification.
Both Podman and CRI-O could use different container runtimes that are compliant with the Open Container Initiative (OCI) specifications, but at this point Runc is the only alternative supported by RHEL and OpenShift from a product perspective.
Are you saying that podman is using runc? And is it right to call podman a local container runtime? If not, what differentiates an engine from a runtime?
Yes, podman from RHEL uses runc, as does CRI-O from OpenShift 3 and 4. Both podman and CRI-O are able to use container runtimes other than runc, but Red Hat currently does not support that on its products.
In a nutshell, a container engine is an end-user and sysadmin tool to manage containers. Some engines, such as podman, are also developer tools to build containers. CRI-O does not provide features to build containers because Kubernetes doesn't need them.
A container runtime is a low-level helper tool to set up containers using Linux Kernel primitives such as namespaces and cgroups. You can think about a container runtime as a chroot command on steroids. It just creates a stronger sandbox than a chroot jail and does that using features from a standard Linux Kernel.
This post provides more details about terminology and concepts related to containers:
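The reply above describes a container runtime as a tool that builds a sandbox from kernel namespaces and cgroups. The following Python script is an added example (not code from the thread, from podman, CRI-O or runc) that reads the kernel's own record of those primitives in `/proc` so an administrator can verify that a process really lives in different namespaces than the host's init process, and which cgroup it was placed in. The `/proc/<pid>/ns/<kind>` symlink format (`pid:[4026531836]`) and the `/proc/<pid>/cgroup` line formats are standard Linux interfaces; the namespace inode numbers and cgroup paths used in the comments are constructed illustrations, and reading pid 1's namespaces may need root on a real host.

```python
"""Check which Linux namespaces and cgroup a process is confined to.

Added example, not from the thread. A container runtime such as runc builds
its sandbox from kernel primitives (namespaces, cgroups); this script reads
the kernel's record of those primitives in /proc so an administrator can
verify that a process is isolated from the host's init process (pid 1).
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Namespace kinds a runtime can unshare; each appears as /proc/<pid>/ns/<kind>.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# /proc/<pid>/ns/<kind> is a symlink whose target looks like "pid:[4026531836]"
# (constructed example inode; real values come from the running kernel).
_NS_LINK_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(link_target: str) -> Optional[int]:
    """Return the namespace inode from a ns symlink target, or None if malformed."""
    m = _NS_LINK_RE.match(link_target.strip())
    return int(m.group("inode")) if m else None


def namespaces_of(pid: str = "self") -> Dict[str, Optional[int]]:
    """Map each namespace kind to its inode for pid (None if unreadable or absent)."""
    result: Dict[str, Optional[int]] = {}
    for kind in NS_KINDS:
        try:
            result[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except OSError:  # kernel lacks the kind, pid is gone, or no permission
            result[kind] = None
    return result


def isolated_namespaces(target: Dict[str, Optional[int]],
                        reference: Dict[str, Optional[int]]) -> List[str]:
    """Kinds in which target and reference live in different namespaces.

    Kinds that could not be read on either side are skipped rather than
    reported, so a permission problem is not mistaken for isolation.
    """
    return sorted(
        kind for kind in NS_KINDS
        if target.get(kind) is not None
        and reference.get(kind) is not None
        and target[kind] != reference[kind]
    )


def parse_cgroup_lines(text: str) -> List[Tuple[int, List[str], str]]:
    """Parse /proc/<pid>/cgroup content into (hierarchy id, controllers, path).

    Handles both cgroup v1 lines ("4:memory:/user.slice") and the single
    cgroup v2 line ("0::/machine.slice/foo.scope"), whose controller field
    is empty. The paths shown here are constructed examples.
    """
    entries: List[Tuple[int, List[str], str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hier, controllers, path = line.split(":", 2)
        entries.append((int(hier), [c for c in controllers.split(",") if c], path))
    return entries


def cgroup_of(pid: str = "self") -> List[Tuple[int, List[str], str]]:
    """Read and parse /proc/<pid>/cgroup; empty list if it cannot be read."""
    try:
        with open(f"/proc/{pid}/cgroup", encoding="utf-8") as fh:
            return parse_cgroup_lines(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    # Compare this process against the host's init. Inside a sandbox built by
    # a runtime such as runc, kinds like pid, mnt and net normally differ.
    mine, init = namespaces_of("self"), namespaces_of("1")
    print("namespaces differing from pid 1:", isolated_namespaces(mine, init) or "none")
    for hier, ctrls, path in cgroup_of("self"):
        print(f"cgroup hierarchy {hier} controllers={ctrls or ['(v2 unified)']} path={path}")
```

Run it on the host and again inside a container to see the difference: on the host the list is normally empty, inside a runc-created container most kinds differ and the cgroup path points at the slice the engine created. Unreadable entries are reported as absent rather than as isolated, which keeps a permissions problem from looking like a working sandbox.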