Explore open-source projects and educational resources for building custom container runtimes from the ground up.
Moby is an OCI container engine and runtime manager for building, running, and managing isolated containers according to Open Container Initiative standards. It functions as a container daemon and image builder, providing a core engine that drives the full container lifecycle and packages source code into portable images. The daemon exposes a standardized HTTP API for programmatic container management, so external clients can control daemon settings and container operations. It supports a rootless mode in which the daemon and its containers run as an unprivileged user, so that a compromise of the daemon or a container breakout does not directly yield root on the host. Its broader capabilities include building images from declarative build files (Dockerfiles), executing isolated processes under specific resource constraints, and building images for multiple target architectures. It also includes functionality for pushing and pulling images between local environments and remote registries.
Moby is the core engine behind Docker, but it does not itself implement namespace or cgroup management: dockerd delegates container execution to containerd, which in turn launches runc. It is therefore the reference for engine-level concerns (the HTTP API, image building, networking, rootless mode) rather than for the kernel-facing primitives, which live in the runtimes below.
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to the OCI image and runtime specifications. The project is distinguished by its modular, plugin-based architecture, which allows storage, runtime, and networking capabilities to be extended without recompiling the daemon. It uses a shim-based execution model: a small per-container shim process hands the actual creation of namespaces, cgroups and processes to an OCI runtime such as runc and keeps the container's stdio and exit status, so the daemon can be restarted or upgraded without killing running containers. It stores images and layers in content-addressable storage and exposes a gRPC API for programmatic control by external infrastructure applications. Beyond its core execution duties, the project covers filesystem and snapshot management, resource isolation, and observability. It supports complex deployment requirements through container checkpointing, hardware resource exposure, and flexible network configuration. Security controls include image verification, kernel-level isolation policies, and unprivileged (rootless) container execution. The project provides extensive documentation and tooling, including command-line utilities with shell completion and automated test suites for validating runtime interface compliance.
Containerd is the industry-standard runtime for image distribution, storage and container lifecycle on a host, but the namespace and cgroup setup itself happens in the OCI runtime (runc by default) that its shim invokes. Study containerd for the daemon, shim and snapshotter layers, and runc for the kernel primitives.
runc is a command-line utility for spawning and running containers on Linux according to the OCI runtime specification. It is a low-level container execution engine that talks directly to the host kernel to manage the lifecycle of isolated processes. It containerizes a Linux process using kernel features such as namespaces for isolation and control groups for resource governance. It confines the process to the container's root filesystem with pivot_root inside a new mount namespace, reduces its privileges by restricting the capability sets, applying seccomp filters and LSM labels, and setting no_new_privs, all of which shrink the attack surface the container presents to the host kernel. By parsing the bundle's config.json, the runtime translates the high-level specification into the system calls needed to initialize and execute the workload. Its init process performs this setup and then execs the container's entrypoint, so the target application becomes PID 1 inside the container's PID namespace rather than a child of some runtime helper.
runc is the industry-standard low-level container runtime: it implements the OCI runtime specification directly on top of Linux namespaces, cgroups and capabilities to execute isolated processes, which makes it the definitive reference for container primitives.
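The translation step described above, from config.json to clone flags, a capability bounding set and an exec, is the heart of a minimal runtime. The following is an added example, not code from runc or from any project on this page: it parses a small subset of the OCI config.json, validates the fields a runtime must not silently accept, ORs the CLONE_NEW* bits for the requested namespaces, computes the capability bitmasks to keep and drop, and builds an exec.Cmd that would clone into those namespaces and chroot into the bundle's rootfs. The constant values are the Linux ones from sched.h and capability.h; the sample config is constructed; the Spec type, function names and the /tmp/bundle path are illustrative assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
	"syscall"
)

// Spec is the subset of an OCI runtime-spec config.json that a minimal
// runtime needs: what to exec, where the rootfs is, which namespaces to
// create and which capabilities to keep in the bounding set.
type Spec struct {
	Process struct {
		Args         []string `json:"args"`
		Env          []string `json:"env"`
		Cwd          string   `json:"cwd"`
		Capabilities struct {
			Bounding []string `json:"bounding"`
		} `json:"capabilities"`
	} `json:"process"`
	Root struct {
		Path     string `json:"path"`
		Readonly bool   `json:"readonly"`
	} `json:"root"`
	Linux struct {
		Namespaces []struct {
			Type string `json:"type"`
		} `json:"namespaces"`
	} `json:"linux"`
}

// clone(2) flag values from <linux/sched.h>, spelled out so the
// spec-to-syscall translation is visible rather than hidden in a library.
var nsFlags = map[string]uintptr{
	"mount":   0x00020000, // CLONE_NEWNS
	"cgroup":  0x02000000, // CLONE_NEWCGROUP
	"uts":     0x04000000, // CLONE_NEWUTS
	"ipc":     0x08000000, // CLONE_NEWIPC
	"user":    0x10000000, // CLONE_NEWUSER
	"pid":     0x20000000, // CLONE_NEWPID
	"network": 0x40000000, // CLONE_NEWNET
}

// Capability numbers from <linux/capability.h> (a subset for illustration).
var capNums = map[string]uint{
	"CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4,
	"CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
	"CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
	"CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
	"CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27,
	"CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}

// ParseSpec decodes config.json and rejects what a runtime must not accept
// silently: empty argv, a relative cwd, a missing rootfs, unknown or
// duplicate namespaces, and capability names it cannot map to a number.
func ParseSpec(data []byte) (*Spec, error) {
	var s Spec
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, err
	}
	if len(s.Process.Args) == 0 {
		return nil, fmt.Errorf("process.args must not be empty")
	}
	if !filepath.IsAbs(s.Process.Cwd) {
		return nil, fmt.Errorf("process.cwd must be absolute, got %q", s.Process.Cwd)
	}
	if s.Root.Path == "" {
		return nil, fmt.Errorf("root.path is required")
	}
	seen := map[string]bool{}
	for _, ns := range s.Linux.Namespaces {
		if _, ok := nsFlags[ns.Type]; !ok {
			return nil, fmt.Errorf("unknown namespace type %q", ns.Type)
		}
		if seen[ns.Type] {
			return nil, fmt.Errorf("duplicate namespace %q", ns.Type)
		}
		seen[ns.Type] = true
	}
	for _, c := range s.Process.Capabilities.Bounding {
		if _, ok := capNums[c]; !ok {
			return nil, fmt.Errorf("unknown capability %q", c)
		}
	}
	return &s, nil
}

// CloneFlags ORs the CLONE_NEW* bit for every namespace listed in the spec.
func CloneFlags(s *Spec) uintptr {
	var flags uintptr
	for _, ns := range s.Linux.Namespaces {
		flags |= nsFlags[ns.Type]
	}
	return flags
}

// CapMasks returns the bounding set to keep and the complementary set of
// known capabilities to drop (one PR_CAPBSET_DROP per set bit), as bitmasks.
func CapMasks(s *Spec) (keep, drop uint64) {
	for _, c := range s.Process.Capabilities.Bounding {
		keep |= 1 << capNums[c]
	}
	var all uint64
	for _, n := range capNums {
		all |= 1 << n
	}
	return keep, all &^ keep
}

// BuildCommand turns the spec into an exec.Cmd that, when started, clones
// into the requested namespaces, chroots into the bundle's rootfs and execs
// argv, which then runs as PID 1 of the new PID namespace. A real runtime
// pivot_roots inside the new mount namespace instead of chroot and drops
// the capabilities from CapMasks before the final execve; those steps need
// root or a user namespace and are deliberately not performed here.
func BuildCommand(s *Spec, bundleDir string) *exec.Cmd {
	rootfs := s.Root.Path
	if !filepath.IsAbs(rootfs) {
		rootfs = filepath.Join(bundleDir, rootfs)
	}
	cmd := exec.Command(s.Process.Args[0], s.Process.Args[1:]...)
	cmd.Env = s.Process.Env
	cmd.Dir = s.Process.Cwd // resolved inside the chroot by the child
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: CloneFlags(s),
		Chroot:     rootfs,
	}
	return cmd
}

// sampleConfig is a constructed config.json fragment for illustration.
const sampleConfig = `{
  "process": {
    "args": ["/bin/sh", "-c", "hostname"],
    "env": ["PATH=/usr/bin:/bin"],
    "cwd": "/",
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]}
  },
  "root": {"path": "rootfs", "readonly": true},
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "uts"},
                           {"type": "ipc"}, {"type": "network"}]}
}`

func main() {
	s, err := ParseSpec([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	keep, drop := CapMasks(s)
	cmd := BuildCommand(s, "/tmp/bundle")
	fmt.Printf("clone flags 0x%x, keep caps 0x%x, drop caps 0x%x\n", CloneFlags(s), keep, drop)
	fmt.Printf("exec %s in chroot %s\n", strings.Join(cmd.Args, " "), cmd.SysProcAttr.Chroot)
}
```

Note that "user" is absent from the sample namespace list: without CLONE_NEWUSER the clone itself requires CAP_SYS_ADMIN on the host, which is exactly the privilege a rootless runtime avoids by creating the user namespace first and mapping its own UID to container root.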
gVisor is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel, the Sentry. By intercepting the application's system calls and servicing them inside a restricted process written in a memory-safe language (Go), it minimizes the attack surface exposed to the host kernel: the application never calls the host directly, and the Sentry itself runs under a tight seccomp filter. It functions as a drop-in runtime (runsc) for standard container orchestration platforms, keeping compatibility with the OCI runtime specification while maintaining a hardened execution boundary. The runtime distinguishes itself by virtualizing core system resources, including an independent userspace network stack and filesystem access brokered through a separate file-proxy process (the Gofer). These mechanisms keep containerized applications isolated from the host even when they need specialized hardware such as GPUs, which are handled through a proxy that forwards only vetted driver ioctls. The runtime also supports state serialization, allowing a running container to be checkpointed and restored for migration and persistence across hosts. Beyond its core isolation capabilities, the project provides tooling for container lifecycle management, resource accounting, and observability, including filesystem virtualization features such as writable overlays and read-only image support, alongside telemetry interfaces for monitoring performance and security events. It runs on bare metal and inside virtual machines, and can operate without hardware virtualization support, using a hardware-assisted platform where one is available. The project is distributed as open source and integrates directly into existing container management workflows.
gVisor (runsc) is an OCI-compatible runtime and a highly relevant tool for studying container isolation through userspace kernel virtualization; note that it still relies on host namespaces, seccomp filters and the separate Gofer process to contain the Sentry itself, so the host primitives remain part of its security boundary.
Kata Containers is an OCI container runtime that launches containers inside lightweight virtual machines, combining hardware-level isolation with container operational speed. It is not itself a hypervisor: the runtime boots a minimal guest kernel and an in-guest agent through a virtual machine monitor abstraction that supports several hypervisors (QEMU, Cloud Hypervisor, Firecracker among them), chosen for performance or for specific hardware-emulation needs. The project distinguishes itself through a confidential computing mode that uses hardware-backed trusted execution environments, such as Intel TDX and AMD SEV-SNP, to protect data in use from the host. It further improves performance and security via direct device passthrough for GPUs and high-performance networking using SR-IOV and vhost-user. The runtime covers a broad range of capabilities, including guest operating system image engineering, coordination of sandbox resources, and monitoring and observability through distributed request tracing and guest console access. It also implements performance optimizations such as template-based VM cloning for faster boot and memory sharing through direct-access (DAX) filesystem features. The system runs on x86, ARM, Power, and IBM Z hardware, with configuration managed through TOML files.
Kata Containers is an OCI-compliant runtime that provides container execution primitives and resource management, but its isolation boundary is a guest kernel inside a VM; Linux namespaces and cgroups are still applied to the workload, only inside the guest by the Kata agent rather than on the host.
Incus is a unified platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster management, secure multi-tenancy, software-defined networking, and pluggable storage backends into one system exposed via a full REST API and command-line interface. What distinguishes Incus is its ability to run multiple instance types side by side, full Linux system containers, OCI application containers, and QEMU virtual machines, all managed with consistent tooling. Networking is handled through OVN-based virtual networks with built-in ACLs and BGP route advertisement, while storage uses a driver abstraction layer that supports Btrfs, ZFS, LVM, Ceph, LINSTOR, and directory backends. Clustering is built on Raft consensus for high availability. Unprivileged containers run inside user namespaces, and per-instance isolated UID/GID maps can be enabled so that no two containers share host IDs, which stops a process that escapes one container from owning files or signalling processes of another. Authentication supports TLS client certificates, OpenID Connect, PKI, and ACME certificate issuance, with fine-grained authorization via role-based access control and OpenFGA integration. The platform also provides image management, backup and recovery workflows, metrics export to Prometheus and Grafana, and integration with infrastructure-as-code tools such as Terraform and Ansible. Cluster operations include automatic rebalancing, live migration, and rolling upgrades.
Incus is a comprehensive system container and virtual machine manager that also runs OCI application containers, but it does not implement namespaces or cgroups itself: containers are driven through liblxc and VMs through QEMU. It is best read as a high-level manager (API, clustering, networking, storage, authentication) sitting above a runtime rather than as a runtime engine.
Podman is a container engine for managing containers, pods and images without a persistent background daemon. Using a fork-exec model, it runs container management commands as direct child processes of the invoking user, so container lifecycles are handled through ordinary host process control and audit records attribute actions to the real user rather than to a root daemon. The project distinguishes itself through its rootless security model and cross-platform support. It uses user namespace mapping so that unprivileged users can run isolated workloads without administrative access, with container root mapped to the user's own UID and the remaining container IDs taken from the user's subordinate ID ranges. On non-Linux operating systems it drives a lightweight Linux virtual machine to provide a native command-line experience for container development. The engine supports the full container lifecycle, including image management, registry interaction, and running containers and pods interactively or as background services. It adheres to the OCI image and runtime standards and can checkpoint and restore the memory and process state of running containers (via CRIU) to facilitate workload migration.
Podman is a daemonless container engine that implements the OCI standards and sets up the rootless user namespace itself, then calls an OCI runtime (crun or runc) through conmon for the actual namespace, cgroup and exec work. It is a good place to study rootless ID mapping and lifecycle management; the low-level primitives live in the runtime it invokes.
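Both the Podman rootless mapping just described and the isolated per-container ID maps mentioned for Incus come down to the same arithmetic on /proc/<pid>/uid_map entries. The following is an added example, not code from Podman, Incus or any other project on this page: it parses subuid-format text, builds the uid_map a rootless engine writes (container root to the user's own UID, container IDs 1 onward to the delegated ranges), carves non-overlapping per-container maps out of one delegated range, and checks two maps for any shared host ID, which is the property isolated maps are meant to guarantee. The /etc/subuid content is constructed; the type and function names are illustrative assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// IDMap is one line of /proc/<pid>/uid_map (or gid_map): container IDs
// [ContainerID, ContainerID+Size) map to host IDs [HostID, HostID+Size).
type IDMap struct {
	ContainerID, HostID, Size uint32
}

// SubIDRange is one /etc/subuid or /etc/subgid entry: "user:start:count".
type SubIDRange struct {
	Start, Count uint32
}

// ParseSubID reads subuid/subgid-format text and returns the ranges
// delegated to user. Malformed lines are rejected rather than skipped,
// because a silently ignored line would shrink the map without warning.
func ParseSubID(text, user string) ([]SubIDRange, error) {
	var out []SubIDRange
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed subid line %q", line)
		}
		if f[0] != user {
			continue
		}
		start, err1 := strconv.ParseUint(f[1], 10, 32)
		count, err2 := strconv.ParseUint(f[2], 10, 32)
		if err1 != nil || err2 != nil || count == 0 {
			return nil, fmt.Errorf("bad range in %q", line)
		}
		out = append(out, SubIDRange{uint32(start), uint32(count)})
	}
	return out, nil
}

// RootlessMap builds the uid_map a rootless engine writes for a container:
// container root becomes the unprivileged host user, and container IDs
// from 1 upward are assigned contiguously across the delegated ranges.
func RootlessMap(hostUID uint32, ranges []SubIDRange) []IDMap {
	m := []IDMap{{ContainerID: 0, HostID: hostUID, Size: 1}}
	next := uint32(1)
	for _, r := range ranges {
		m = append(m, IDMap{ContainerID: next, HostID: r.Start, Size: r.Count})
		next += r.Count
	}
	return m
}

// hostRange is the inclusive host-side interval covered by one entry.
func hostRange(e IDMap) (lo, hi uint32) { return e.HostID, e.HostID + e.Size - 1 }

// Overlaps reports whether two maps share any host ID. Two containers whose
// maps overlap can read and write each other's files on a shared filesystem
// and signal each other's processes, which is what isolated maps rule out.
func Overlaps(a, b []IDMap) bool {
	for _, x := range a {
		xlo, xhi := hostRange(x)
		for _, y := range b {
			ylo, yhi := hostRange(y)
			if xlo <= yhi && ylo <= xhi {
				return true
			}
		}
	}
	return false
}

// IsolatedMaps carves n non-overlapping maps of the given size out of a
// single delegated range, one private range per container, and refuses
// to proceed when the range is too small rather than wrapping or sharing.
func IsolatedMaps(r SubIDRange, n int, size uint32) ([][]IDMap, error) {
	if uint64(n)*uint64(size) > uint64(r.Count) {
		return nil, fmt.Errorf("range of %d ids cannot hold %d containers of %d", r.Count, n, size)
	}
	var maps [][]IDMap
	for i := 0; i < n; i++ {
		maps = append(maps, []IDMap{{ContainerID: 0, HostID: r.Start + uint32(i)*size, Size: size}})
	}
	return maps, nil
}

// FormatMap renders entries in the syntax written to /proc/<pid>/uid_map.
func FormatMap(m []IDMap) string {
	var b strings.Builder
	for _, e := range m {
		fmt.Fprintf(&b, "%d %d %d\n", e.ContainerID, e.HostID, e.Size)
	}
	return b.String()
}

// sampleSubUID is constructed /etc/subuid content for illustration.
const sampleSubUID = `# user:start:count
root:1000000:1000000
alice:100000:65536
bob:165536:65536
`

func main() {
	aliceRanges, err := ParseSubID(sampleSubUID, "alice")
	if err != nil {
		panic(err)
	}
	bobRanges, _ := ParseSubID(sampleSubUID, "bob")
	fmt.Print(FormatMap(RootlessMap(1001, aliceRanges)))
	fmt.Println("alice/bob maps overlap:", Overlaps(RootlessMap(1001, aliceRanges), RootlessMap(1002, bobRanges)))
}
```

The overlap check is the one to keep in mind when reviewing a deployment: two users whose subuid ranges were hand-edited to overlap, or an engine that reuses a single large range for every container, both produce maps for which Overlaps returns true, and the user namespace then provides no separation between those containers.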