All Products
Search
Document Center

Container Service for Kubernetes:Compare containerd, Sandboxed-Container, and Docker runtimes

Last Updated:Jun 23, 2026

ACK supports containerd, Sandboxed-Container, and Docker. Compare isolation models, usage limits, and deployment architecture to select the right runtime for your workload.

Important

Docker runtime is discontinued. If your cluster runs Docker, migrate to containerd.

How container runtimes fit into a Kubernetes node

A container runtime manages container lifecycle on each node. kubelet communicates with the runtime through the Container Runtime Interface (CRI). Your runtime choice determines the isolation model, supported node types, and available CLI tools.

ACK supports the following runtimes:

  • containerd — Recommended for most workloads. Lightweight, directly CRI-compliant, no intermediate daemon.

  • Sandboxed-Container — Uses lightweight VMs (runV) to run each pod in an isolated kernel.

  • Docker (discontinued) — Migrate to containerd.

Features and limits

Feature

containerd

Sandboxed-Container

Docker (discontinued maintenance)

Cluster types

  • ACK managed clusters

  • ACK dedicated clusters

  • ACK Edge clusters

  • ACK managed clusters

  • ACK dedicated clusters

All types of ACK clusters

Kubernetes version

1.20 or later

1.16 or later

1.22 and earlier

Node type

  • ECS

  • Self-managed nodes (ACK Edge clusters)

ECS Bare Metal Instance families only

ECS

Node operating system

Container Service for Kubernetes provides public images for operating systems such as Alibaba Cloud Linux 3 container-optimized version, ContainerOS, Alibaba Cloud Linux 3, Ubuntu, and Windows. For more information, see Operating systems.

  • Alibaba Cloud Linux

  • CentOS

Container engine

containerd

containerd

Docker

Monitoring

Supported

Supported

Supported

Container log collection

Supported

Manual sidecar injection. See Use CRDs to collect container text logs in sidecar mode.

Supported

Container stdout collection

Supported

Supported

Supported

RuntimeClass

Not supported

Supported (runV)

Not supported

Pod scheduling

No configuration required.

Add the following configurations:

  • For Kubernetes 1.14.x, add to nodeSelector:

    alibabacloud.com/sandboxed-container: Sandboxed-Container.runv
  • For 1.16.x and later, no additional configuration is required.

No configuration required.

HostNetwork

Supported

Not supported

Supported

Node data disk

Optional

Required. At least 200 GiB.

Optional

Network plug-in

  • Flannel

  • Terway (excluding ACK Edge clusters)

  • Flannel

  • With Terway, exclusive ENI mode and DataPath v2 are not supported.

  • Flannel

  • Terway

kube-proxy mode

  • iptables

  • IPVS

  • iptables

  • IPVS

  • iptables

  • IPVS

Volume plug-in

CSI plug-in (excluding ACK Edge clusters)

CSI plug-in

CSI plug-in

Container root file system

OverlayFS

OverlayFS (with disk quota)

OverlayFS

Note

Docker and Sandboxed-Container cannot share a node. To use both in a cluster, create separate node pools for each runtime.

Note

Sandboxed-Container runs on containerd. When you inspect nodes with kubectl get node or in the ACK console, the runtime displays as containerd.

Deployment architecture

The call chain from kubelet to containers varies by runtime. Fewer layers mean lower overhead and less complexity.

Runtime

Deployment architecture

Docker

kubelet
└── dockerd
    └── containerd
        └── containerd-shim
            └── runC containers

containerd

kubelet
└── containerd
    └── containerd-shim
        └── runC containers

Sandboxed-Container v2

kubelet
├── (CRI) containerd
│   ├── containerd-shim
│   │   └── runC containers
│   └── containerd-shim-runv2
│       └── runV sandboxed containers

containerd removes the dockerd layer, giving kubelet direct CRI access. Sandboxed-Container v2 extends containerd with containerd-shim-runv2, which runs pods in lightweight VMs via runV for kernel-level isolation alongside standard runC containers.

CLI commands for containerd and Docker

containerd and Docker use different CLI tools. crictl is recommended for containerd because it operates at the CRI level. ctr is containerd's lower-level alternative.

Operation

crictl (recommended for containerd)

ctr (containerd lower-level CLI)

docker

List containers

crictl ps

ctr -n k8s.io c ls

docker ps

Inspect containers

crictl inspect <container>

ctr -n k8s.io c info <container>

docker inspect <container>

View container logs

crictl logs <container>

N/A

docker logs <container>

Run commands in containers

crictl exec <container>

N/A

docker exec <container>

Attach to containers

crictl attach <container>

N/A

docker attach <container>

View resource usage

crictl stats <container>

N/A

docker stats <container>

Create containers

crictl create <container>

ctr -n k8s.io c create <container>

docker create <container>

Start containers

crictl start <container>

ctr -n k8s.io run <container>

docker start <container>

Stop containers

crictl stop <container>

ctr -n k8s.io task pause <container>

docker stop <container>

Delete containers

crictl rm <container>

ctr -n k8s.io c del <container>

docker rm <container>

List images

crictl images

ctr -n k8s.io i ls <image>

docker images

Inspect images

crictl inspecti <image>

N/A

docker inspect <image>

Pull images

crictl pull <image>

ctr -n k8s.io i pull <image>

docker pull <image>

Push images

N/A

ctr -n k8s.io i push <image>

docker push <image>

Delete images

crictl rmi <image>

ctr -n k8s.io i rm <image>

docker rmi <image>

List pods

crictl pods

N/A

N/A

Inspect pods

crictl inspectp <pod name>

N/A

N/A

Start pods

crictl runp <pod name>

N/A

N/A

Stop pods

crictl stopp <pod name>

N/A

N/A

Next steps

References