Rkt

Features

Pod-Native Runtimes - Runs containerized applications as isolated pods on Linux to group related processes with shared networking and resources.
Image Management - Fetches and executes standardized container images from remote registries while maintaining compatibility with OCI and Docker specifications.
Cluster Coordination - Coordinates the deployment and scaling of containerized applications across a cluster of machines for high availability.
Container Runtime Interfaces - Implements the Container Runtime Interface to allow cluster orchestrators to manage container lifecycles.
Container Runtime Integrations - Acts as a container runtime for cluster orchestration by connecting to the node agent via a standardized API.
Hypervisor-Based Runtimes - Executes pods within virtual machines using KVM or QEMU for hardware-level isolation.
OCI Container Engines - Implements the Open Container Initiative standards for building and running containers while maintaining legacy compatibility.
Overlay Filesystems - Uses overlay filesystems to render container images from content-addressable storage and manage local caches.
Pod Grouping - Clusters one or more images into a shared execution context with shared networking and resource bounds.
Pod-Native Container Engines - Provides a runtime for executing containerized applications as isolated pods on Linux systems.
Container Lifecycle Management - Launches and manages containerized applications as a single unit with configurable networking and storage.
CNI Implementations - Implements the Container Network Interface specification to manage pod networking and port forwarding.
Pod Network Orchestration - Sets up private or host networking for pods using CNI plugins and custom DNS settings.
Linux Container Managers - Leverages low-level Linux kernel features and systemd integration to manage the lifecycle of isolated processes and images.
QEMU KVM - Executes containers within virtual machines using KVM and QEMU for hardware-level isolation.
Mandatory Access Control - Utilizes SELinux mandatory access control to assign unique security contexts and prevent unauthorized pod interaction.
Secure Deployment Practices - Implements SELinux policies and TPM measurement to verify image integrity and enforce mandatory access control for workloads.
Hardware-Level Isolation - Runs pods within virtual machines to provide a dedicated kernel and hardware-level isolation.
Lifecycle Integration - Binds container execution to systemd unit files to handle automatic restarts and dependency sequencing.
Volume Mounts - Attaches host directories or creates empty volumes to provide persistent or temporary storage to pods.
Remote Image Pulling - Retrieves container images and specific versions from remote registries using content-addressable storage.
Multi-Specification Support - Loads and executes containers using appc, CNI, Docker, and OCI image specifications.
Docker Container Execution - Fetches and executes container images created for the Docker ecosystem within a pod-native architecture.
Distributed Task Orchestration - Executes containerized tasks via external orchestration drivers to manage application placement across a cluster.
Local Image Caching - Implements a local image store using overlay filesystems to fetch, store, and render container images.
Orchestration Integration - Connects the runtime with init systems and cluster orchestrators via a composable design.
Systemd Lifecycle Management - Integrates the lifecycle of containerized applications with systemd unit files for automated restarts and dependency sequencing.
Hardware-Backed Manifest Verification - Records image hashes into a trusted platform module to create a cryptographically verifiable audit trail.
Pluggable Runtimes - Employs a composable design that allows swapping different execution engines for immutable or mutable execution.
Container Image Signatures - Checks cryptographic signatures of image manifests against a trusted keystore to ensure authenticity.
Linux Capability Management - Limits the Linux kernel capabilities granted to applications within a pod to reduce the attack surface.
Container Monitoring - Tracks CPU, memory, and performance metrics for active containers to ensure system health.
Container Resource Constraints - Constrains the hardware resources available to a pod using CPU, memory, and IO limits.
Hardware-Backed Integrity Logs - Records filesystem and manifest hashes into a TPM to create a cryptographically verifiable audit trail.

Open-source alternatives to Rkt

Similar open-source projects, ranked by how many features they share with Rkt.

coreos/rkt
coreos/rkt
8,774View on GitHub
rkt is a secure Linux container engine and pod-native container manager. It provides a composable execution environment for launching and managing isolated application containers on Linux, serving as a runtime designed around open industry standards for image formats and networking interfaces. The system is distinguished by a pod-native execution model that groups multiple containers and shared resources into single, self-contained units. It utilizes pluggable execution engines to provide secure isolation, including the use of hardware-based virtualization to create security boundaries betwee
Go
View on GitHub8,774
p8952/bocker
p8952/bocker
12,657View on GitHub
Bocker is a minimal container management tool written in Bash that implements core container functionality using Linux namespaces and control groups. It serves as a Linux container manager capable of starting and managing isolated processes and images through low-level kernel features. The project includes an OCI image tool for pulling, saving, and building container images compatible with industry standards. It further integrates a cgroup resource controller to restrict CPU and memory consumption for isolated processes. The tool covers the full container lifecycle, including process isolati
Shell
View on GitHub12,657
lxc/incus
lxc/incus
4,893View on GitHub
Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface. What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networkin
Gocloudcontainershacktoberfest
View on GitHub4,893
kata-containers/kata-containers
kata-containers/kata-containers
8,106View on GitHub
Kata Containers is an OCI container runtime that launches containers inside lightweight virtual machines to combine hardware-level isolation with container operational speed. It functions as a hardware-isolated container engine and lightweight VM hypervisor, providing a virtual machine monitor interface that abstracts multiple hypervisors to optimize for performance or specific hardware emulation. The project distinguishes itself through a confidential computing runtime that leverages hardware-backed trusted execution environments, such as Intel TDX and AMD SEV-SNP, to protect data in use. It
Rustacrncontainerscri
View on GitHub8,106

See all 30 alternatives to Rkt

rktrktArchived

Features

Open-source alternatives to Rkt

coreos/rkt

p8952/bocker

lxc/incus

kata-containers/kata-containers

Star history

Open-source alternatives to Rkt

coreos/rkt

p8952/bocker

lxc/incus

kata-containers/kata-containers