Benefits of Sandboxed-Container containers - Container Service for Kubernetes

This topic compares runC and Sandboxed-Container (runV) performance and pod creation methods so you understand sandbox benefits and use Sandboxed-Container effectively.

Comparison between runC and runV

Configuration	runC	runV
Container engine	Docker and containerd	containerd
Node type	Elastic Compute Service (ECS) and ECS Bare Metal (EBM) instances	EBM instances
Container kernel	Shares the host kernel	Uses a dedicated kernel
Container isolation	Control groups (cgroups) and namespaces	Lightweight VMs
Rootfs Graph Driver	OverlayFS	OverlayFS
RootFS I/O throttling	cgroups	Not supported
NAS mounting	Not supported	Supported
Disk mounting	Not supported	Not supported
Container log collection	Logtail collects logs directly from the node	Logtail Sidecar
Pod overhead	N/A	Memory = 64 MiB + (pod memory request × 2%). Maximum: 512 MiB. Minimum: 64 MiB.

Pod overhead in runV

Each runV pod incurs memory overhead for the lightweight VM and guest components.

Formula: pod overhead memory = 64 MiB + pod memory request × 2%, capped at 512 MiB and floored at 64 MiB.

Total visible memory = pod memory request + pod overhead, minus a small system reservation. The CPU count also differs from the host.

Limitations of runV

runV does not support the following features:

RootFS I/O throttling: cgroup-based throttling is unavailable for rootfs.
Disk mounting: Persistent disks cannot be mounted directly.
Direct log collection: Logtail cannot collect logs directly from the node. Use Logtail Sidecar.

Create a pod that uses runC

Prerequisites

Connected to the cluster using kubectl

Create the pod

Create a pod that uses runC:

Note

Setting runtimeClassName: runc is optional. runC is the default runtime.

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: busybox-runc
  labels:
    app: busybox-runc
spec:
  containers:
  - name: busybox
    image: registry.cn-hangzhou.aliyuncs.com/acs/busybox:v1.29.2
    command:
    - tail
    - -f
    - /dev/null
    resources:
      limits:
        cpu: 1000m
        memory: 512Mi
      requests:
        cpu: 1000m
        memory: 512Mi
EOF

Create a pod that uses runV

Prerequisites

Connected to the cluster using kubectl

Create the pod

(Optional) Verify the runv RuntimeClass exists in the cluster:
```
kubectl get runtimeclass runv -o yaml
```
Note
A runv RuntimeClass is automatically created in ACK clusters with Sandboxed-Container.

Create a pod that uses runV:

Important

The nodeSelector field is required for Kubernetes versions earlier than 1.16, and optional for 1.16 and later.

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: busybox-runv
  labels:
    app: busybox-runv
spec:
  runtimeClassName: runv
  nodeSelector:
    alibabacloud.com/container-runtime: Sandboxed-Container.runv
  containers:
  - name: busybox
    image: registry.cn-hangzhou.aliyuncs.com/acs/busybox:v1.29.2
    command:
    - tail
    - -f
    - /dev/null
    resources:
      limits:
        cpu: 1000m
        memory: 512Mi
      requests:
        cpu: 1000m
        memory: 512Mi
EOF

Verify that the pod is running in a sandbox:
```
kubectl get pod busybox-runv -o jsonpath={.spec.runtimeClassName}
```
If the output shows runv, the pod runs in a sandbox.

kubectl exec -ti pod busybox-runv /bin/sh
/ # cat /proc/meminfo | head -n1
MemTotal:        1130692 kB
/ # cat /proc/cpuinfo | grep processor
processor    : 0

The CPU count differs from the host. Total memory = pod memory + overhead, minus system usage.

Next steps

Check pod field compatibility in Sandboxed-Container compatibility notes.
See RuntimeClass for runtime selection.