ACK supports containerd, Sandboxed-Container, and Docker. Compare isolation models, usage limits, and deployment architecture to select the right runtime for your workload.
The Docker runtime is discontinued. If your cluster runs Docker, migrate to containerd.
How container runtimes fit into a Kubernetes node
A container runtime manages container lifecycle on each node. kubelet communicates with the runtime through the Container Runtime Interface (CRI). Your runtime choice determines the isolation model, supported node types, and available CLI tools.
ACK supports the following runtimes:
- containerd — Recommended for most workloads. Lightweight, directly CRI-compliant, no intermediate daemon.
- Sandboxed-Container — Uses lightweight VMs (runV) to run each pod in an isolated kernel.
- Docker (discontinued) — Migrate to containerd.
Features and limits
| Feature | containerd | Sandboxed-Container | Docker (discontinued maintenance) |
| --- | --- | --- | --- |
| Cluster types | | | All types of ACK clusters |
| Kubernetes version | 1.20 or later | 1.16 or later | 1.22 and earlier |
| Node type | | ECS | |
| Node operating system | Container Service for Kubernetes provides public images for operating systems such as Alibaba Cloud Linux 3 container-optimized version, ContainerOS, Alibaba Cloud Linux 3, Ubuntu, and Windows. For more information, see Operating systems. | | |
| Container engine | containerd | containerd | Docker |
| Monitoring | Supported | Supported | Supported |
| Container log collection | Supported | Manual sidecar injection. See Use CRDs to collect container text logs in sidecar mode. | Supported |
| Container stdout collection | Supported | Supported | Supported |
| RuntimeClass | Not supported | Supported (runV) | Not supported |
| Pod scheduling | No configuration required. | Add the following configurations: | No configuration required. |
| HostNetwork | Supported | Not supported | Supported |
| Node data disk | Optional | Required. At least 200 GiB. | Optional |
| Network plug-in | | | |
| kube-proxy mode | | | |
| Volume plug-in | CSI plug-in (excluding ACK Edge clusters) | CSI plug-in | CSI plug-in |
| Container root file system | OverlayFS | OverlayFS (with disk quota) | OverlayFS |
Docker and Sandboxed-Container cannot share a node. To use both in a cluster, create separate node pools for each runtime.
Sandboxed-Container runs on containerd. When you inspect nodes with kubectl get node or in the ACK console, the runtime displays as containerd.
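The following added example (not part of the ACK documentation) audits the output of kubectl get nodes -o json to find Docker nodes that still need migration, using the Node fields status.nodeInfo.containerRuntimeVersion and status.nodeInfo.kubeletVersion and the containerd minimum of Kubernetes 1.20 from the table above. The node names and version strings in the sample are constructed, and the group names in the report are hypothetical.

```python
import json
import re

# Constructed sample: `kubectl get nodes -o json`, trimmed to the fields used.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "pool-a-1"}, "status": {"nodeInfo":
   {"containerRuntimeVersion": "docker://19.3.15", "kubeletVersion": "v1.18.8-aliyun.1"}}},
 {"metadata": {"name": "pool-a-2"}, "status": {"nodeInfo":
   {"containerRuntimeVersion": "docker://19.3.15", "kubeletVersion": "v1.22.15-aliyun.1"}}},
 {"metadata": {"name": "pool-b-1"}, "status": {"nodeInfo":
   {"containerRuntimeVersion": "containerd://1.6.20", "kubeletVersion": "v1.26.3-aliyun.1"}}},
 {"metadata": {"name": "pool-c-1"}, "status": {}}
]}
""")

CONTAINERD_MIN = (1, 20)  # from the table above: containerd needs Kubernetes 1.20 or later


def k8s_version(kubelet_version):
    """Return (major, minor) from a kubeletVersion string, or None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)", kubelet_version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_nodes(node_list):
    """Group node names by what the reported runtime means for a Docker migration."""
    report = {"containerd": [], "docker_ready": [], "docker_too_old": [], "unknown": []}
    for node in node_list.get("items", []):
        name = node["metadata"]["name"]
        info = node.get("status", {}).get("nodeInfo", {})
        runtime = info.get("containerRuntimeVersion", "").partition("://")[0]
        version = k8s_version(info.get("kubeletVersion"))
        if runtime == "containerd":
            # Sandboxed-Container nodes also land here: they report containerd.
            report["containerd"].append(name)
        elif runtime == "docker" and version is not None:
            key = "docker_ready" if version >= CONTAINERD_MIN else "docker_too_old"
            report[key].append(name)
        else:
            report["unknown"].append(name)
    return report


if __name__ == "__main__":
    for group, names in audit_nodes(SAMPLE).items():
        print(f"{group}: {', '.join(names) or '-'}")
```

Nodes in docker_too_old run a Kubernetes version below the containerd minimum, so the cluster needs an upgrade before those nodes can move to containerd.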
Deployment architecture
The call chain from kubelet to containers varies by runtime. Fewer layers mean lower overhead and less complexity.
| Runtime | Deployment architecture |
| --- | --- |
| Docker | |
| containerd | |
| Sandboxed-Container v2 | |
containerd removes the dockerd layer, giving kubelet direct CRI access. Sandboxed-Container v2 extends containerd with containerd-shim-runv2, which runs pods in lightweight VMs via runV for kernel-level isolation alongside standard runC containers.
CLI commands for containerd and Docker
containerd and Docker use different CLI tools. crictl is recommended for containerd because it operates at the CRI level. ctr is containerd's lower-level alternative.
| Operation | crictl (recommended for containerd) | ctr (containerd lower-level CLI) | docker |
| --- | --- | --- | --- |
| List containers | | | |
| Inspect containers | | | |
| View container logs | | N/A | |
| Run commands in containers | | N/A | |
| Attach to containers | | N/A | |
| View resource usage | | N/A | |
| Create containers | | | |
| Start containers | | | |
| Stop containers | | ctr -n k8s.io task pause <container> | |
| Delete containers | | | |
| List images | | | |
| Inspect images | | N/A | |
| Pull images | | | |
| Push images | N/A | | |
| Delete images | | | |
| List pods | | N/A | N/A |
| Inspect pods | | N/A | N/A |
| Start pods | | N/A | N/A |
| Stop pods | | N/A | N/A |