Partially systematized. Eventually, will include some commentary.
runc - "CLI tool for spawning and running containers according to the OCI specification." The reference implementation of the holy OCI Runtime Specification. Written in Go.
crun - "A fast and lightweight fully featured OCI runtime and C library for running containers" - much like runc but written in C and with a possibility to use as a library.
youki - "A container runtime written in Rust." Same as above, but in Rust.
runj - "An experimental, proof-of-concept OCI-compatible runtime for FreeBSD jails."
runv - "Hypervisor-based Runtime for OCI."
sysbox - "An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs." Started as an independent project but was acquired by Docker Inc. in May 2022.
gVisor - "Application Kernel for Containers." gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
firecracker - "Secure and fast microVMs for serverless computing."
Kata Containers - "An open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs."
libkrun - "A dynamic library providing Virtualization-based process isolation capabilities." Can be used for adding VM-isolation capabilities to an OCI runtime like runc, crun, etc.
footloose - "Container Machines - Containers that look like Virtual Machines." Those containers run systemd as PID 1 and an ssh daemon that can be used to log into the container. Such "machines" behave very much like a VM; it's even possible to run dockerd in them.
bubblewrap - "Unprivileged sandboxing tool."
systemd-nspawn - "Like the chroot command, but it is a chroot on steroids." May be used to run a command or OS in a light-weight namespace container.
containerd - "An open and reliable container runtime."
firecracker-containerd - "enables containerd to manage containers as Firecracker microVMs."
Flintlock - "Lock, Stock, and Two Smoking MicroVMs. Create and manage the lifecycle of MicroVMs backed by containerd."
Vorteil - "turn your applications and containers into micro virtual machines."
cri-o - "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface (CRI)."
virtlet - "Kubernetes CRI implementation for running VM workloads."
LXC - "Linux Containers." An alternative (i.e., non-OCI) implementation of containers using Linux OS-level virtualization primitives (namespaces, cgroups, etc). Daemonless; can work as a library or as a CLI tool. Back in 2013, Docker started as a UX layer on top of LXC but eventually moved to its own implementation (known as runc nowadays). Read this alternative story of containers on LWN.net for more.
LXD - "Powerful system container and virtual machine manager." A child project of LXC. Like the Docker daemon, LXD is a daemon providing an HTTP API to manage containers powered by LXC. LXD comes with a CLI client called lxc (not to be confused with LXC's own CLI tools, though).
rkt - [discontinued] "rkt is a pod-native container engine for Linux. It is composable, secure, and built on standards."
conman - a toy container manager written for educational purposes. Read more about the conman project on iximiuz.com.
Moby - "A collaborative project for the container ecosystem to assemble container-based systems." Docker lives somewhere here.
compose - "Define and run multi-container applications with Docker."
podman - "A tool for managing OCI containers and pods." Daemonless drop-in replacement for Docker (not quite).
Focker - "A FreeBSD image/jail orchestration tool in the vein of Docker."
A Docker-like tool written in Python and using FreeBSD jails instead of Linux namespaces & co.
Runtime shims: a piece of software that sits in between a low-level container runtime (runc, crun, etc.) and a higher-level container runtime (containerd, cri-o, etc.), typically to keep the container's stdio, exit status and PID alive independently of the higher-level daemon.
conmon - "An OCI container runtime monitor."
conmon-rs - conmon, but in Rust.
containerd-runtime-shim - "A first class shim API [and a few implementations] for runtime authors to integrate with containerd."
shimmy - a toy container runtime shim written for educational purposes. Part of the conman project.
cdebug - "a swiss army knife of container debugging."
The cdebug exec command is a crossbreeding of the docker exec and kubectl debug commands. You point the tool at a running container, say what toolkit image to use, and it starts a debugging "sidecar" container that feels like a regular docker exec session (i.e., shares most of the target container's namespaces and has the same rootfs).
The cdebug port-forward command is another crossbreeding - this time it's kubectl port-forward and ssh -L|-R. With cdebug port-forward -L you can forward traffic destined to a host's port to an arbitrary container port even if it wasn't published or the target container is listening on localhost. With cdebug port-forward -R (coming soon) you can expose any endpoints accessible from your host back to the container's or Kubernetes network.
debug-ctr - "Commandline tool for interactive container troubleshooting."
A debugger that creates a new container out of the original container with the toolkit mounted in a volume.
docker-debug - "use new container attach on already container go on debug."
Start a new container with an image of choice (nicolaka/netshoot by default) that shares (some of) the target container's namespaces. Much like cdebug exec but with no chroot magic, and it supports only Docker as a container runtime.
docker-opener - "Shell-in to any docker container easily."
A multi-purpose tool that in particular can run a shell session into your container (and if there is no shell inside, it'll bring its own busybox).
cntr - "A container debugging tool based on FUSE."
"A replacement for docker exec that brings all your developers tools with you" by mounting the file system from one container (or the host) into the target container and creating a nested container with the help of a FUSE filesystem. Supports a huge range of runtimes (docker, podman, LXC/LXD, rkt, systemd-nspawn, containerd) because it operates directly on the OS level.
kdiag - "Diagnostics and Debug Tooling" for Kubernetes workloads.
A kubectl plugin to get shell access to scratch containers, stream logs from multiple pods simultaneously, and do reverse port forwarding to Kubernetes clusters.
amicontained - "Container introspection tool. Find out what container runtime is being used as well as features available."
tini - "A tiny but valid init for containers."
Tini is meant to be run in a container: it spawns a single child and waits for it to exit, all the while reaping zombies and forwarding signals to the child. Written in C, and comes in both dynamically and statically linked forms.
dumb-init - "A minimal init system for Linux containers."
A simple process supervisor and init system designed to run as PID 1 inside minimal container environments. It is deployed as a small, statically-linked binary written in C.
pid1 - "Do signal handling and orphan reaping for Unix PID1 init processes."
A Haskell library, and an executable based on that library, for initializing signal handlers, spawning child processes, and reaping orphan processes.
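To make concrete what tini, dumb-init and pid1 above actually do, here is an added example (not the source of any of those projects) of a tini-style init in C: it spawns exactly one child, blocks the interesting signals and collects them synchronously with sigwaitinfo, reaps every zombie that lands on it on SIGCHLD, forwards every other signal to the child, and exits with the child's status (128+signal if the child was killed). On Linux it also sets PR_SET_CHILD_SUBREAPER so that, when run outside a PID namespace for experimentation, orphaned grandchildren are reparented to it rather than to the host's real init. The function name supervise and the orphan counter are this example's own.

```c
/* Minimal tini-style init: one child, zombie reaping, signal forwarding.
 * Added example; not the code of tini, dumb-init or pid1. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Exit code an init should report for a wait status: the child's own
 * exit code, or 128+signal if it was killed (shell convention). */
static int exit_code_from_status(int status) {
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return 1;
}

/* Reap every exited child without blocking. Returns how many were
 * reaped; if our supervised child was among them, records its status. */
static int reap_all(pid_t child, int *child_status, int *child_done) {
    int reaped = 0;
    for (;;) {
        int status;
        pid_t pid = waitpid(-1, &status, WNOHANG);
        if (pid <= 0) break;  /* 0: nothing exited yet; -1: no children left */
        reaped++;
        if (pid == child) { *child_status = status; *child_done = 1; }
    }
    return reaped;
}

/* Run argv as our single child and supervise it until it exits.
 * Returns the exit code to report. *orphans_reaped (may be NULL) receives
 * the number of zombies reaped that were not the child itself, i.e.
 * processes the kernel reparented to us. */
int supervise(char *const argv[], int *orphans_reaped) {
    sigset_t set, old;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    sigaddset(&set, SIGTERM);
    sigaddset(&set, SIGINT);
    sigaddset(&set, SIGHUP);
    sigaddset(&set, SIGUSR1);
    sigaddset(&set, SIGUSR2);
    /* Block them so they queue and we can collect them synchronously. */
    sigprocmask(SIG_BLOCK, &set, &old);

#ifdef __linux__
    /* Not PID 1 of a PID namespace? Ask to be the subreaper anyway so
     * orphans of our descendants come to us instead of the real init. */
    prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0);
#endif

    pid_t child = fork();
    if (child < 0) { perror("fork"); sigprocmask(SIG_SETMASK, &old, NULL); return 1; }
    if (child == 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);  /* child starts with a clean mask */
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }

    int child_status = 0, child_done = 0, reaped = 0;
    while (!child_done) {
        siginfo_t info;
        if (sigwaitinfo(&set, &info) < 0) {
            if (errno == EINTR) continue;
            perror("sigwaitinfo");
            break;
        }
        if (info.si_signo == SIGCHLD) {
            /* One SIGCHLD may stand for several exits; reap them all. */
            reaped += reap_all(child, &child_status, &child_done);
        } else {
            /* Everything else is meant for the workload, not for us. */
            kill(child, info.si_signo);
        }
    }
    if (orphans_reaped) *orphans_reaped = child_done ? reaped - 1 : reaped;
    sigprocmask(SIG_SETMASK, &old, NULL);
    return child_done ? exit_code_from_status(child_status) : 1;
}

int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s PROGRAM [ARGS...]\n", argv[0]); return 2; }
    int orphans = 0;
    int code = supervise(argv + 1, &orphans);
    fprintf(stderr, "init: child exited with %d, reaped %d orphan(s)\n", code, orphans);
    return code;
}
```

Run it as the entrypoint (e.g. `./init /bin/sh -c '(sleep 0 &); sleep 1; exit 5'`): the backgrounded sleep is orphaned by its subshell, reparented to the init, and reaped there instead of lingering as a zombie; the init then exits 5. Sending the init SIGTERM (what `docker stop` does to PID 1) reaches the shell, which is exactly the behaviour a bare `sh -c` as PID 1 does not give you, because the kernel ignores signals without handlers for PID 1.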
icy/bocker & p8952/bocker - "Docker implemented in around 100 lines of bash."
contained.af - "A stupid game for learning about containers, capabilities, and syscalls."