warning icon QCon New York 2020 has been canceled. See our current virtual and in-person events.
You are viewing content from a past/completed QCon

Presentation: CRI Runtimes Deep Dive: Who's Running My Kubernetes Pod!?

Track: Container and Orchestration Platforms in Action

Location: Broadway Ballroom South, 6th fl.

Duration: 1:40pm - 2:30pm

Day of week: Wednesday

Slides: Download Slides

Level: Intermediate - Advanced

Persona: Developer, DevOps Engineer

Share this on:

This presentation is now available to view on InfoQ.com

Watch video

What You’ll Learn

  • Learn about the role of CRI and why you may want to consider it

  • Understand how Kubernetes manages container runtimes.

  • Learn about the tradeoffs present with different container runtimes.


A significant amount of today's focus and activity in the world of container orchestration is happening in the Kubernetes community. A little known fact to some users and practitioners on the platform is that Kubernetes itself has no code in the project that can create or start a Linux or Windows container.

So, what code is running the containers within your Kubernetes pods? As it turns out, since Kubernetes 1.5 a new API definition, called the Container Runtime Interface (CRI), allows any CRI-implementing container runtime to plug into the kubelet configuration and provide container runtime services for Kubernetes.

In this talk we'll deep dive on CRI implementations, and give a hands-on demonstration of how Kubernetes, the CRI, and CRI-supporting runtimes work together to handle the container lifecycle within your K8s pods. Rather than just talk, we'll "black belt" this talk at the command prompt, digging into the useful capabilities of the CRI and how we can understand the inner workings between Kubernetes and the CRI container runtimes that support it.


What do you do at IBM?


I’m a Distinguished Engineer, working as a technical executive for the IBM Watson and Cloud Platform’s CTO office. My key goal as a recently named CTO for container and Linux OS architecture strategy is to connect my years of work in the container open source communities to IBM offerings in our public and private cloud offerings.

I help determine architectural strategy related to our container open source investments, including our work in the Docker engine project, Open Container Initiative (OCI), CNCF (containerd and Kubernetes), Istio, and other related communities.

IBM Cloud, similar to other public clouds, offers Kubernetes as a managed service, as well as on-prem offerings for private cloud. Of course, like other clouds, we are highly dependent on the Linux operating system and its features around networking and containers. Part of my role at IBM is to help standardize the Linux distro (distribution software) choices across our cloud offerings.


What is your talk about?


I am going to start with describing how Kubernetes interfaces to the container runtime layer through an API interface called the Container Runtime Interface (CRI). The CRI allows any container runtime which can implement the API to plug in and provide the container execution layer for Kubernetes pods.

After a brief “state of the world” on which container runtimes have a CRI implementation today, I will discuss the pros and cons of different container runtimes. To make this more accessible, I’ll spend time with a demo Kubernetes cluster, showing a CRI runtime that I help maintain, containerd as the runtime provider. We’ll look at how to use the various available tools to debug, get metrics, events, and to generally understand what is happening in the container runtime and how the container runtime works under Kubernetes.


Why should a developer attend this talk?


The talk will help developers to better understand how Kubernetes actually manages container runtimes and containerized applications at the pod level. They will also learn how operators have tools available to troubleshoot problems in the container runtime environment running under Kubernetes.


Does a developer need to know these details about container runtimes?


All developers need not understand these details, but there are many developers, operators, or architects who help make infrastructure architectural decisions and/or manage the infrastructure as well as develop. The talk will give them a deeper understanding of how things work and the choices available in terms of Kubernetes clusters and container runtimes.


What other container runtimes would you recommend besides Docker and why?


Docker is already a broader platform than just a container runtime. For example, Docker is now a software stack that includes two underlying runtime executors: containerd and the OCI runC project. Docker now has its own orchestration platform built into the Docker engine as well as its own plugin system, networking stack, and so on. Containerd was created by Docker engineers with the focus of being an un-opinionated “boring” and stable container runtime that could be used by Docker (as it is today) as well as Kubernetes and other software platforms that need a stable runtime. It was then contributed to the Cloud Native Computing Foundation (CNCF), the same foundation that manages the Kubernetes open source codebase as well. While containerd is not the only option for Kubernetes, it is becoming an increasingly popular one and definitely viable for production use. During the talk we’ll be looking at current use of containerd and other runtimes in production today and across the public cloud container platforms.


What do you think is the most important trend in software?


Enterprises have raised a lot of questions in the past about security and data protection with respect to containers and public cloud. Notorious breaches have given several well-known companies a black eye in recent years as more and more of our critical software systems, including significant amounts of our personal information, are hosted in data centers worldwide. I think that secure software stacks, and how that integrates with secure hardware platforms, will continue to be a high area of focus for years to come across the cloud-native ecosystem.

Speaker: Phil Estes

Distinguished Engineer for @IBMCloud

Phil is a Distinguished Engineer & CTO, Container and Linux OS Architecture Strategy for the IBM Watson and Cloud Platform division. Phil is currently an OSS maintainer in the Docker (now Moby) engine project, the CNCF containerd project, and is a member of both the Open Container Initiative (OCI) Technical Oversight Board and the Moby Technical Steering Committee. Phil is a long-standing member of the Docker Captains program and has enjoyed a long relationship with key open source contributors and experts in the Docker ecosystem.

Phil is a regular speaker at industry and developer conferences as well as meetups on topics related to open source, Docker, Linux container technology and the broader container ecosystem. Phil is a recognized subject matter expert on Linux container technology and regularly assists IBM's product teams and enterprise customers in their application of container technology for their public and private cloud solutions. Phil blogs regularly on these topics on his personal blog at https://integratedcode.us. He can be found on Twitter as @estesp.

Find Phil Estes at