The Open Container Standard OCI: A Topic Overview


OCI (Open Container Initiative) is an open container standard created jointly by Docker, CoreOS and others.

OCI

OCI consists of the following parts:

They are tied together by the standard OCI runtime filesystem bundle format:

OCI image <--download and unpack--> OCI runtime filesystem bundle <--run--> OCI Runtime

runtime spec

The runtime spec mainly defines the container's runtime states and the commands a runtime must provide. The container states are defined as:

  • creating: the container is being created
  • created: the runtime has finished the create operation, and the container process has neither exited nor executed the user-specified program
  • running: the container process has executed the user-specified program but has not exited
  • stopped: the container process has exited

Container runtimes fall into two main levels:

  • Low-Level Runtime
  • High-Level Runtime

Figure: low and high level runtimes

Low-Level Runtime

Drawing on an article published abroad, the process by which a Low-Level Runtime runs a container can be summarized in these steps:

  1. Create CGroup
  2. Running commands in CGroup
  3. Use unshare to move it to its own namespace
  4. Clean up CGroup after command completion (running processes will be automatically deleted when they do not reference a namespace)

Representative implementations: lmctfy, runc, rkt

High-Level Runtimes

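High-Level Runtimes include image management (such as image download) and a Low-Level Runtime, and expose an RPC interface to the outside.

Figure: OCI high level runtimes

Representative implementations: Docker, containerd, cri-o. After kubernetes v1.22, only three High-Level Runtimes are supported: dockershim, containerd and cri-o.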

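Relationships between common runtimes

  • runc: an OCI container implementation that Docker, Inc. donated to the community, split out of docker
  • containerd was also split out of docker. The functions containerd provides include:
    • Image download
    • Image management
    • Creating and managing containers (done by calling the Low-Level Runtime runc). When creating a container from an image, it first unpacks the image into an OCI runtime bundle and then calls runc to run the container
  • CRI (Container Runtime Interface): the interface between High-Level Runtimes and k8s (the interaction goes through kubelet). In other words, a runtime that wants to integrate with k8s must provide CRI, and besides implementing the High-Level Runtime functions it must also support k8s pods, as cri-o does. See K8s CRI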

image spec

The high-level components of the spec include:

  • Image Manifest - a document describing the components that make up a container image
  • Image Index - an annotated index of image manifests
  • Image Layout - a filesystem layout representing the contents of an image
  • Filesystem Layer - a changeset that describes a container’s filesystem
  • Image Configuration - a document determining layer ordering and configuration of the image suitable for translation into a runtime bundle
  • Conversion - a document describing how this translation should occur
  • Descriptor - a reference that describes the type, metadata and content address of referenced content

Reference: https://github.com/opencontainers/image-spec/blob/main/spec.md#understanding-the-specification
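
The Descriptor is what makes the image spec content-addressed: every reference from the Image Index to a manifest, and from a manifest to its configuration and layers, carries a digest and a size that can be checked before anything is unpacked into a runtime bundle. The following is an added example, not code from the original page or from the OCI project. It assumes an in-memory dict keyed by digest in place of the `blobs/sha256` directory of an Image Layout; the function names are hypothetical and the sample image is constructed.

```python
import hashlib
import json

MT_INDEX = "application/vnd.oci.image.index.v1+json"
MT_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
MT_CONFIG = "application/vnd.oci.image.config.v1+json"
MT_LAYER = "application/vnd.oci.image.layer.v1.tar+gzip"

def put(store, media_type, data):
    """Store a blob under its sha256 digest and return its descriptor."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    store[digest] = data
    return {"mediaType": media_type, "digest": digest, "size": len(data)}

def fetch(store, desc):
    """Return the blob a descriptor points to; raise if size or digest differ."""
    algo, _, want = desc["digest"].partition(":")
    if algo != "sha256":
        raise ValueError("unsupported digest algorithm: " + algo)
    data = store.get(desc["digest"])
    if data is None:
        raise ValueError("missing blob " + desc["digest"])
    if len(data) != desc["size"]:
        raise ValueError("size mismatch for " + desc["digest"])
    if hashlib.sha256(data).hexdigest() != want:
        raise ValueError("digest mismatch for " + desc["digest"])
    return data

def verify_image(store, index_bytes):
    """Walk index -> manifests -> config and layers; return verified digests."""
    verified = []
    for m_desc in json.loads(index_bytes)["manifests"]:
        manifest = json.loads(fetch(store, m_desc))
        verified.append(m_desc["digest"])
        for desc in [manifest["config"]] + manifest["layers"]:
            fetch(store, desc)
            verified.append(desc["digest"])
    return verified

def build_sample():
    """Constructed sample image: one layer, one config, one manifest, one index."""
    store = {}
    layer = put(store, MT_LAYER, b"constructed layer bytes")
    config = put(store, MT_CONFIG, json.dumps({"architecture": "amd64", "os": "linux"}).encode())
    manifest = {"schemaVersion": 2, "mediaType": MT_MANIFEST, "config": config, "layers": [layer]}
    m_desc = put(store, MT_MANIFEST, json.dumps(manifest).encode())
    index = {"schemaVersion": 2, "mediaType": MT_INDEX, "manifests": [m_desc]}
    return store, json.dumps(index).encode(), layer["digest"]
```

Because each manifest is itself fetched through a descriptor, a change to any layer, config or manifest blob is caught at the first descriptor that points to it.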
