OCI (Open Container Initiative) is an open container standard created jointly by Docker, CoreOS and others.
OCI
OCI consists of the following parts (the image spec and the runtime spec, described below), which are connected to each other through the standard OCI runtime filesystem bundle format:
OCI image <--download and unpack--> OCI runtime filesystem bundle <--run--> OCI Runtime
runtime spec
The runtime spec mainly defines the runtime state of a container and the operations a runtime has to provide. The container states are defined as:
- creating: the container is being created
- created: the runtime has finished the create operation, and the container process has neither exited nor executed the user-specified program
- running: the container process has executed the user-specified program but has not exited
- stopped: the container process has exited
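The four states above form a small lifecycle, and the runtime spec pairs them with the operations a runtime must implement (create, start, kill, delete) and a `state` operation that returns a JSON document describing the container. The following is an added example written for this page, not code from the OCI project or any runtime: it models the transitions, treats the container process exiting as its own event, and validates the fields of a `state` document (`ociVersion`, `id`, `status`, `pid`, `bundle`). The sample state document is constructed.

```python
"""Model of the OCI runtime-spec container lifecycle (illustrative, not the spec's own code)."""
import json

# The four states from the runtime spec, in lifecycle order.
STATES = ("creating", "created", "running", "stopped")

# (current state, event) -> next state. "create_done" is the create operation
# finishing, "exit" is the container process exiting, the rest are runtime
# operations. "kill" only delivers a signal; the state changes when the
# process actually exits. "deleted" marks that no state is left to query.
TRANSITIONS = {
    ("creating", "create_done"): "created",
    ("created", "start"): "running",   # user-specified program is executed
    ("created", "kill"): "created",
    ("created", "exit"): "stopped",
    ("running", "kill"): "running",
    ("running", "exit"): "stopped",
    ("stopped", "delete"): "deleted",  # delete is only valid once stopped
}


class LifecycleError(Exception):
    """Raised when an operation is applied in a state that does not allow it."""


def is_valid(current, event):
    return (current, event) in TRANSITIONS


def next_state(current, event):
    if not is_valid(current, event):
        raise LifecycleError(f"{event!r} is not valid in state {current!r}")
    return TRANSITIONS[(current, event)]


def run_lifecycle(events, start="creating"):
    """Apply events in order and return the list of states visited."""
    state = start
    history = [state]
    for event in events:
        state = next_state(state, event)
        history.append(state)
    return history


# Fields the runtime spec requires in the document returned by `state`.
REQUIRED_STATE_FIELDS = {"ociVersion": str, "id": str, "status": str,
                         "pid": int, "bundle": str}


def state_document_errors(doc):
    """Return a list of problems with a `state` document (empty means valid)."""
    if isinstance(doc, (str, bytes)):
        doc = json.loads(doc)
    errors = []
    for field, typ in REQUIRED_STATE_FIELDS.items():
        val = doc.get(field)
        # bool is a subclass of int, so exclude it explicitly for pid
        if val is None or not isinstance(val, typ) or isinstance(val, bool):
            errors.append(f"{field}: missing or not of type {typ.__name__}")
    status = doc.get("status")
    if status not in STATES:
        errors.append(f"status: {status!r} is not one of {STATES}")
    elif status in ("created", "running") and not (
            isinstance(doc.get("pid"), int) and doc["pid"] > 0):
        # while the container process exists, pid must identify it
        errors.append("pid: must be a positive integer in state "
                      f"{status!r}")
    bundle = doc.get("bundle")
    if isinstance(bundle, str) and not bundle.startswith("/"):
        errors.append("bundle: must be an absolute path")
    return errors


# Constructed sample of what a runtime's `state` operation returns.
SAMPLE_STATE = json.dumps({
    "ociVersion": "1.0.2",
    "id": "demo-container",
    "status": "running",
    "pid": 4422,
    "bundle": "/run/bundles/demo-container",
})

if __name__ == "__main__":
    print(run_lifecycle(["create_done", "start", "exit", "delete"]))
    print("state document errors:", state_document_errors(SAMPLE_STATE))
```

The distinction the model makes explicit is the one in the state list above: `created` means the runtime's init process exists (so `pid` is mandatory) but the user's program has not run yet, which is why `start` is a separate operation from `create`.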
Container runtimes come at two main levels:
- Low-Level Runtime
- High-Level Runtime
Low-Level Runtime
Following an article from abroad, the way a Low-Level Runtime runs a container can be summarized in these steps:
- Create a CGroup
- Run the command inside the CGroup
- Use unshare to move it into its own namespaces
- Clean up the CGroup after the command completes (the namespaces are torn down automatically once no process references them)
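The four steps above, carried out by hand on Linux, as an added example written for this page (not code from lmctfy, runc or rkt). It assumes a cgroup v2 unified hierarchy mounted at `/sys/fs/cgroup`, the util-linux `unshare` binary on `PATH`, and root privileges for the actual run; the helpers that only compute the cgroup path and the `unshare` argument list need neither. The optional `cgroup.kill` step assumes a kernel of 5.14 or newer.

```python
"""Run a command in a fresh cgroup and fresh namespaces (illustrative, not a runtime's code)."""
import os
import subprocess
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")  # assumption: cgroup v2 mount point


def cgroup_path(name, root=CGROUP_ROOT):
    """Step 1 helper: directory of a named cgroup under the v2 hierarchy.
    Names that could escape the hierarchy (slashes, '..', NUL) are refused."""
    if not name or "/" in name or "\0" in name or name in (".", ".."):
        raise ValueError(f"refusing unsafe cgroup name {name!r}")
    return Path(root) / name


def unshare_command(cmd, mount_proc=True):
    """Step 3 helper: wrap cmd in unshare(1) so it gets its own PID, mount,
    UTS, IPC and network namespaces. --fork is required with --pid so the
    command becomes PID 1 of the new namespace; --mount-proc remounts /proc
    so tools inside only see that namespace's processes."""
    args = ["unshare", "--pid", "--fork", "--uts", "--ipc", "--net", "--mount"]
    if mount_proc:
        args.append("--mount-proc")
    return args + ["--"] + list(cmd)


def run_confined(name, cmd, memory_max=None, root=CGROUP_ROOT):
    """Steps 1-4: create the cgroup, run cmd inside it and inside new
    namespaces, then remove the cgroup. Needs root."""
    cg = cgroup_path(name, root)
    cg.mkdir(exist_ok=False)                       # step 1: create the cgroup
    try:
        if memory_max is not None:                 # optional limit, e.g. "256M"
            (cg / "memory.max").write_text(str(memory_max))
        procs = cg / "cgroup.procs"

        def enter_cgroup():
            # Runs in the child between fork and exec: moving the child (and
            # therefore unshare and everything it execs) into the cgroup,
            # while the parent stays outside so the cgroup can be removed.
            procs.write_text(str(os.getpid()))

        # steps 2 + 3: the command runs in the cgroup and in its own namespaces
        return subprocess.run(unshare_command(cmd), preexec_fn=enter_cgroup,
                              capture_output=True, text=True)
    finally:
        # step 4: a cgroup can only be removed when no process is left in it.
        # cgroup.kill (kernel 5.14+) kills stragglers the command left behind;
        # the namespaces vanish on their own once their last process exits.
        kill_file = cg / "cgroup.kill"
        if kill_file.exists():
            kill_file.write_text("1")
        cg.rmdir()


if __name__ == "__main__":
    result = run_confined(
        "oci-demo",
        ["sh", "-c", "hostname demo-ns && hostname && ps -o pid,comm"],
        memory_max="64M")
    print(result.stdout, result.stderr)
```

Run as root, the command prints the hostname `demo-ns` (set only inside the new UTS namespace) and a process list containing just `unshare`'s child and `ps`. Note the order of the steps: the child is placed in the cgroup before `unshare` executes, so every process created afterwards inherits both the cgroup and the namespaces, which is what makes the cleanup in step 4 complete.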
Representative implementations: lmctfy, runc, rkt.
High-Level Runtimes
High-Level Runtimes include image management (such as image download) together with a Low-Level Runtime, and expose an RPC interface to the outside, as shown in the figure below:
[Figure omitted; the original post credits it to an external source]
Representative implementations: Docker, containerd, cri-o. Since Kubernetes v1.22 only three High-Level Runtimes are supported: dockershim, containerd and cri-o.
Relationships between common runtimes
runc is an OCI container implementation that Docker Inc. donated to the community; it was split out of Docker.
containerd was also split out of Docker. The functionality containerd provides includes:
- Image download
- Image management
- Creating and managing containers (done by calling the Low-Level runtime runc). When a container is created from an image, the image is first unpacked into an OCI runtime bundle, and runc is then invoked to run the container.
CRI (Container Runtime Interface) is the interface between High-Level Runtimes and Kubernetes (the interaction is implemented through the kubelet). In other words, a runtime that wants to integrate with Kubernetes must provide CRI; besides implementing High-Level Runtime functionality, such a runtime also has to support Kubernetes pods, as cri-o does. See K8s CRI.
image spec
The high-level components of the spec include:
- Image Manifest - a document describing the components that make up a container image
- Image Index - an annotated index of image manifests
- Image Layout - a filesystem layout representing the contents of an image
- Filesystem Layer - a changeset that describes a container’s filesystem
- Image Configuration - a document determining layer ordering and configuration of the image suitable for translation into a runtime bundle (see the runtime spec)
- Conversion - a document describing how this translation should occur
- Descriptor - a reference that describes the type, metadata and content address of referenced content
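The components listed above fit together through Descriptors: every hop from the Image Index to a Manifest, and from the Manifest to the Configuration and each Filesystem Layer, is a content address (size plus sha256 digest), so a consumer can check what it downloaded before acting on it. The following is an added example written for this page, not the reference code of opencontainers/image-spec: it builds a minimal in-memory Image Layout (an `index.json` plus a blob store keyed by digest) from one constructed layer, then walks it the way a downloader would, refusing any blob whose size or digest does not match its descriptor. The media types are the ones the image spec defines; the layer payload is a constructed placeholder rather than a real tar.

```python
"""Build and verify a minimal OCI image layout in memory (illustrative, not the spec's own code)."""
import hashlib
import json

# Media types defined by the OCI image spec.
MT_INDEX = "application/vnd.oci.image.index.v1+json"
MT_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
MT_CONFIG = "application/vnd.oci.image.config.v1+json"
MT_LAYER = "application/vnd.oci.image.layer.v1.tar"


def descriptor(blob, media_type, **extra):
    """Descriptor: media type, size and content address (sha256 digest) of a blob."""
    return {"mediaType": media_type, "size": len(blob),
            "digest": "sha256:" + hashlib.sha256(blob).hexdigest(), **extra}


def verify_descriptor(blob, desc):
    """Trust a blob only if both its size and its digest match the descriptor."""
    algo, _, expected = desc["digest"].partition(":")
    if algo != "sha256" or desc["size"] != len(blob):
        return False
    return hashlib.sha256(blob).hexdigest() == expected


def canonical_json(obj):
    """Deterministic serialization so a JSON document has a stable digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_layout():
    """Image Layout as a dict: index.json bytes plus blobs keyed by digest."""
    blobs = {}

    def store(blob, media_type, **extra):
        desc = descriptor(blob, media_type, **extra)
        blobs[desc["digest"]] = blob
        return desc

    layer_blob = b"constructed layer payload, not a real tar archive\n"  # constructed sample
    layer_desc = store(layer_blob, MT_LAYER)
    # For an uncompressed tar layer the diff_id equals the layer blob digest.
    config = {"architecture": "amd64", "os": "linux",
              "rootfs": {"type": "layers", "diff_ids": [layer_desc["digest"]]},
              "config": {"Cmd": ["/bin/sh"]}}
    config_desc = store(canonical_json(config), MT_CONFIG)
    manifest = {"schemaVersion": 2, "mediaType": MT_MANIFEST,
                "config": config_desc, "layers": [layer_desc]}
    manifest_desc = store(canonical_json(manifest), MT_MANIFEST,
                          platform={"architecture": "amd64", "os": "linux"})
    index = {"schemaVersion": 2, "mediaType": MT_INDEX, "manifests": [manifest_desc]}
    return {"index.json": canonical_json(index), "blobs": blobs}


def fetch(layout, desc):
    """Look a blob up by its descriptor and verify it before handing it back."""
    blob = layout["blobs"].get(desc["digest"])
    if blob is None or not verify_descriptor(blob, desc):
        raise ValueError(f"blob {desc['digest']} is missing or does not match its descriptor")
    return blob


def unpack_plan(layout):
    """Walk index -> manifest -> config and layers, verifying every hop.
    Returns {manifest digest: ordered layer digests} that a runtime bundle
    would be assembled from (the Conversion step of the spec)."""
    index = json.loads(layout["index.json"])
    plan = {}
    for mdesc in index["manifests"]:
        manifest = json.loads(fetch(layout, mdesc))
        config = json.loads(fetch(layout, manifest["config"]))
        layers = [ldesc["digest"] for ldesc in manifest["layers"]
                  if fetch(layout, ldesc)]
        if config["rootfs"]["diff_ids"] != layers:
            raise ValueError("config diff_ids do not match the manifest layers")
        plan[mdesc["digest"]] = layers
    return plan


if __name__ == "__main__":
    layout = build_layout()
    print(json.dumps(unpack_plan(layout), indent=2))
```

Because the index is the only entry point and everything below it is reached through digests, a single trusted index digest pins the whole image; swapping or appending a byte in any layer makes `fetch` raise before the layer could be unpacked into a bundle.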
Reference: https://github.com/opencontainers/image-spec/blob/main/spec.md#understanding-the-specification