From CLI to kernel:
graph TB
subgraph "User/Orchestration Layer"
Docker[Docker CLI]
K8s[Kubernetes/Nomad]
Podman[Podman CLI]
end
subgraph "Container Runtime Interface - CRI"
CRI[Container Runtime Interface<br/>Kubernetes API Standard]
end
subgraph "High-Level Container Manager Layer"
containerd[containerd<br/>Used by Docker/Kubernetes]
CRIO[CRI-O<br/>Used by OpenShift/Red Hat]
PodmanDirect[Podman + conmon<br/>Daemonless Engine<br/>Direct OCI Invocation]
end
subgraph "OCI Runtime Specification"
OCI[Open Container Initiative<br/>Standard Runtime Interface]
end
subgraph "Standard OCI Runtimes<br/>Namespace Isolation"
runc[runc<br/>Reference Implementation<br/>⚡⚡⚡ Fastest - 🛡️ Basic]
crun[crun<br/>C-based, Lightweight<br/>⚡⚡⚡ Fastest - 🛡️ Basic]
runhcs[runhcs<br/>Windows Containers<br/>⚡⚡⚡ Fast - 🛡️ Basic]
end
subgraph "Sandboxed OCI Runtimes<br/>User-Space Kernel"
gVisor[gVisor runsc<br/>User-space Kernel<br/>⚡⚡ Moderate - 🛡️🛡️ Strong]
nabla[nabla-containers<br/>Unikernel<br/>⚡⚡ Moderate - 🛡️🛡️ Strong]
end
subgraph "VM-Based OCI Runtimes<br/>Hardware Virtualization"
Kata[Kata Containers<br/>OCI-compliant runtime<br/>⚡⚡ Good - 🛡️🛡️🛡️ Highest]
end
subgraph "Kata Hypervisor Backends<br/>Pluggable VMM Layer"
KataQEMU[QEMU<br/>Full-featured hypervisor<br/>All device support<br/>⚡⚡ Good - 🔹 50-100MB]
KataCH[Cloud Hypervisor ⭐<br/>Modern Rust-based VMM<br/>Balanced performance<br/>⚡⚡⚡ Fast - 🔹 20-40MB]
KataFC[Firecracker<br/>Minimal serverless VMM<br/>Limited features<br/>⚡⚡⚡ Fastest - 🔹 5-15MB]
end
subgraph "Alternative: Direct Firecracker<br/>⚠️ Not OCI Runtime"
FCContainerd[firecracker-containerd<br/>containerd shim<br/>AWS Lambda backend<br/>❌ No Podman support]
end
subgraph "Host Kernel / Hypervisor Layer"
HostStd[Linux Kernel<br/>Standard containers]
HostVM[Linux Kernel + KVM<br/>VM-based containers]
end
%% Docker path
Docker -->|uses| containerd
%% Kubernetes paths
K8s -->|CRI API| CRI
CRI -->|implements CRI| containerd
CRI -->|implements CRI| CRIO
%% Podman path (bypasses CRI)
Podman -->|direct| PodmanDirect
%% High-level to OCI
containerd -->|OCI Runtime Spec| OCI
CRIO -->|OCI Runtime Spec| OCI
PodmanDirect -.direct call.-> OCI
%% OCI to standard runtimes
OCI --> runc
OCI --> crun
OCI --> runhcs
%% OCI to sandboxed runtimes
OCI --> gVisor
OCI --> nabla
%% OCI to VM-based runtimes
OCI --> Kata
%% Kata to hypervisor backends
Kata -->|hypervisor=qemu| KataQEMU
Kata -->|hypervisor=clh ⭐| KataCH
Kata -->|hypervisor=fc| KataFC
%% Alternative Firecracker path (not OCI)
containerd -.special shim.-> FCContainerd
%% Standard runtimes to host
runc --> HostStd
crun --> HostStd
runhcs --> HostStd
gVisor --> HostStd
nabla --> HostStd
%% VM-based runtimes to host with KVM
KataQEMU --> HostVM
KataCH --> HostVM
KataFC --> HostVM
FCContainerd --> HostVM
%% Styling
classDef userLayer fill:#FFB366,stroke:#333,stroke-width:2px
classDef criLayer fill:#90EE90,stroke:#333,stroke-width:3px
classDef managerLayer fill:#FF9999,stroke:#333,stroke-width:2px
classDef ociLayer fill:#90EE90,stroke:#333,stroke-width:4px,stroke-dasharray: 5 5
classDef runtimeStd fill:#FFD700,stroke:#333,stroke-width:2px
classDef runtimeSandbox fill:#87CEEB,stroke:#333,stroke-width:2px
classDef runtimeVM fill:#DDA0DD,stroke:#333,stroke-width:2px
classDef vmmLayer fill:#E6B3FF,stroke:#333,stroke-width:2px
classDef vmmRecommended fill:#90EE90,stroke:#333,stroke-width:3px
classDef alternative fill:#FFE4B5,stroke:#333,stroke-width:2px,stroke-dasharray: 3 3
classDef hostLayer fill:#696969,stroke:#333,stroke-width:2px,color:#fff
class Docker,K8s,Podman userLayer
class CRI criLayer
class containerd,CRIO,PodmanDirect managerLayer
class OCI ociLayer
class runc,crun,runhcs runtimeStd
class gVisor,nabla runtimeSandbox
class Kata runtimeVM
class KataQEMU,KataFC vmmLayer
class KataCH vmmRecommended
class FCContainerd alternative
class HostStd,HostVM hostLayer
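The containerd branch of the diagram (containerd, then the OCI runtime spec, then runc, gVisor or Kata with a chosen hypervisor backend) is wired together in containerd's CRI plugin configuration. The following is an added example, not taken from the original page or from any project's shipped defaults; it assumes containerd 1.x (config version 2), the runc, runsc and Kata shim-v2 binaries on PATH, and a Kata install under /opt/kata with its per-hypervisor configuration files. One handler is registered per isolation tier so that a workload's RuntimeClass, not the node, decides how much of the host kernel it shares.

```toml
# Added example: containerd CRI runtime handlers, one per isolation tier.
# Assumes containerd 1.x (config version 2) and Kata installed under /opt/kata.
version = 2

[plugins."io.containerd.grpc.v1.cri".containerd]
  # Default tier: namespace isolation via runc (fastest, shares the host kernel).
  default_runtime_name = "runc"

  # Tier 1: standard OCI runtime, host kernel is the only boundary.
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
      SystemdCgroup = true

  # Tier 2: gVisor user-space kernel (runsc shim); syscalls are handled
  # by the Sentry instead of the host kernel.
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
    runtime_type = "io.containerd.runsc.v1"

  # Tier 3: Kata Containers, one handler per hypervisor backend.
  # The hypervisor (qemu / clh / fc) is selected by the Kata configuration
  # file that ConfigPath points at. privileged_without_host_devices keeps a
  # "privileged" pod from having host device nodes injected into the guest.
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu]
    runtime_type = "io.containerd.kata.v2"
    privileged_without_host_devices = true
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu.options]
      ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"

  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-clh]
    runtime_type = "io.containerd.kata.v2"
    privileged_without_host_devices = true
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-clh.options]
      ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-clh.toml"

  # Firecracker has no shared-filesystem device, so the image rootfs must be
  # handed to the guest as a block device via the devmapper snapshotter.
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-fc]
    runtime_type = "io.containerd.kata.v2"
    privileged_without_host_devices = true
    snapshotter = "devmapper"
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-fc.options]
      ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-fc.toml"
```

In Kubernetes each handler name above is referenced by a `RuntimeClass` whose `handler` field matches it (for example `kata-clh`), which is how a pod is pinned to the VM-based tier; Docker does not go through the CRI plugin and registers its alternative runtimes in `daemon.json` instead.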