What is a Container Runtime

A container runtime is the software that creates and manages containers. It translates a container specification (image, configuration, resource limits) into a running process with the correct namespaces, cgroups, and filesystem.

How it works

The container runtime stack has two levels:

Low-level runtime (runc, crun, youki) — takes an OCI bundle (a rootfs directory and config.json) and creates a container. It calls clone() to create namespaces, configures cgroup limits, sets up the root filesystem mount, drops capabilities, and exec()s the container process. runc is the reference implementation, written in Go.

High-level runtime (containerd, CRI-O) — manages the full container lifecycle: pulling images from registries, unpacking layers, creating the OCI bundle, calling the low-level runtime, managing container state, and handling logs and events. containerd speaks the Kubernetes CRI (Container Runtime Interface) protocol.
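The OCI bundle that the high-level runtime assembles and the low-level runtime consumes is where the isolation decisions above are fixed: which namespaces get unshared, which capabilities survive, whether the root filesystem is writable, and which cgroup limits apply. That makes config.json the natural place to audit before a bundle ever reaches a runtime. The following Python is an added example, not code from runc, containerd or the OCI project: it builds a constructed config.json in the shape `runc spec` emits, writes it into a bundle directory beside an (empty) rootfs, and runs a small audit policy of this example's own over it. Field names follow the OCI runtime spec; the uid/gid mapping range, the limits, and the hardened and weakened values are constructed for illustration.

```python
"""Build and audit an OCI runtime bundle's config.json, the input a low-level
runtime (runc, crun, youki) turns into namespaces, cgroups and a rootfs.

Added example, not code from runc or the OCI project. Field names follow the
OCI runtime spec; the values and the audit policy are this example's own."""
import copy
import json
import os

# Namespaces the runtime unshares via clone(); a hardened bundle requests all of them.
REQUIRED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts", "user"}

# Capabilities that undermine container isolation when granted to the initial process.
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}

# Minimal capability set for an unprivileged service process.
SAFE_CAPS = ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]


def hardened_config(args):
    """Constructed config.json in the shape `runc spec` emits, with hardened values:
    non-root uid, all namespaces, minimal capabilities, read-only rootfs, cgroup limits."""
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": 1000, "gid": 1000},
            "args": list(args),
            "env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
            "cwd": "/",
            "capabilities": {"bounding": list(SAFE_CAPS), "effective": list(SAFE_CAPS),
                             "permitted": list(SAFE_CAPS)},
            "noNewPrivileges": True,
        },
        "root": {"path": "rootfs", "readonly": True},
        "hostname": "example",
        "mounts": [
            {"destination": "/proc", "type": "proc", "source": "proc"},
            {"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
             "options": ["nosuid", "strictatime", "mode=755", "size=65536k"]},
        ],
        "linux": {
            "namespaces": [{"type": ns} for ns in sorted(REQUIRED_NAMESPACES)],
            # user namespace: ids 0..65535 inside map to 100000.. on the host (constructed range)
            "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
            "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
            "resources": {"memory": {"limit": 256 * 1024 * 1024}, "pids": {"limit": 256}},
            "maskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"],
            "readonlyPaths": ["/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys",
                              "/proc/sysrq-trigger"],
        },
    }


def weaken_config(cfg):
    """Return a copy loosened the way a 'privileged' container typically is;
    used here only to show what the audit catches. The input is not modified."""
    weak = copy.deepcopy(cfg)
    weak["process"]["user"] = {"uid": 0, "gid": 0}
    weak["process"]["noNewPrivileges"] = False
    for cap_set in weak["process"]["capabilities"].values():
        cap_set.append("CAP_SYS_ADMIN")
    weak["root"]["readonly"] = False
    weak["linux"]["namespaces"] = [{"type": "mount"}, {"type": "uts"}]
    weak["linux"].pop("uidMappings", None)
    weak["linux"].pop("gidMappings", None)
    weak["linux"]["resources"] = {}
    return weak


def audit_config(cfg):
    """Return human-readable findings for settings that weaken isolation (empty = clean)."""
    findings = []
    proc, linux = cfg.get("process", {}), cfg.get("linux", {})

    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(REQUIRED_NAMESPACES - present):
        findings.append(f"missing {ns} namespace: shared with the host")

    granted = set()
    for caps in proc.get("capabilities", {}).values():
        granted.update(caps)
    for cap in sorted(granted & HIGH_RISK_CAPS):
        findings.append(f"high-risk capability granted: {cap}")

    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is false: setuid binaries can regain privileges")
    if proc.get("user", {}).get("uid", 0) == 0 and "user" not in present:
        findings.append("uid 0 without a user namespace: root inside is root on the host")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")

    resources = linux.get("resources", {})
    if not resources.get("memory", {}).get("limit"):
        findings.append("no memory limit in cgroup resources")
    if not resources.get("pids", {}).get("limit"):
        findings.append("no pids limit in cgroup resources")
    return findings


def write_bundle(bundle_dir, cfg):
    """Lay out the bundle a high-level runtime hands to the low-level one:
    <dir>/rootfs and <dir>/config.json. Returns the config path; rootfs stays empty here."""
    os.makedirs(os.path.join(bundle_dir, "rootfs"), exist_ok=True)
    path = os.path.join(bundle_dir, "config.json")
    with open(path, "w") as fh:
        json.dump(cfg, fh, indent=2)
    return path


if __name__ == "__main__":
    import tempfile
    good = hardened_config(["/bin/sh", "-c", "id"])
    with tempfile.TemporaryDirectory() as d:
        with open(write_bundle(d, good)) as fh:
            print("hardened bundle findings:", audit_config(json.load(fh)))
    for finding in audit_config(weaken_config(good)):
        print("weakened bundle:", finding)
```

Run as a script it reports no findings for the hardened bundle and ten for the weakened copy. To hand a bundle to a real runtime you would still have to populate rootfs (for example from an unpacked image) and invoke `runc run` against the bundle directory; the audit is kept independent of any runtime on purpose, so it can run in CI over generated bundles before one is ever started.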

Docker is not a runtime — it is a CLI and daemon that calls containerd, which calls runc. Podman is similar but daemonless.

Why it matters

Understanding the runtime stack explains what Docker actually does (it calls containerd, which calls runc), why Kubernetes replaced Docker with containerd directly (Docker was an unnecessary middle layer), and why runtimes are swappable (any OCI-compliant runtime works).

See How Containers Work for the full runtime startup sequence.