Container Fundamentals (medium)

OCI, containerd & Container Runtimes

OCI (Open Container Initiative) defines the standard for container images and runtimes. containerd is the industry-standard container runtime; runc is the low-level runtime that actually creates containers.

Memory anchor

OCI = the universal power outlet standard. containerd = the electrician who wires everything. runc = the actual outlet that delivers current. Docker = the fancy smart-home app you use to flip switches.

Expected depth

Docker originally included everything in one daemon. It has since donated containerd to CNCF — containerd manages image pulls, storage, and container lifecycle. runc (also donated by Docker) implements the OCI runtime spec and is what actually calls Linux kernel APIs to create namespaces/cgroups. Kubernetes uses containerd or CRI-O directly (Dockershim was removed in K8s 1.24).

Deep — senior internals

The stack: Docker CLI → dockerd → containerd → containerd-shim → runc → container process. The shim decouples container processes from containerd — containerd can restart without killing containers. CRI (Container Runtime Interface) is the Kubernetes API for container runtimes. CRI-O is a lightweight alternative to containerd, purpose-built for Kubernetes. Image format: OCI image = manifest (metadata) + config (env, entrypoint) + layers (tar archives). An OCI image is just a tarball of tarballs with a JSON manifest.

Interview-ready answer

OCI standardizes how container images are built and how runtimes run them — so an image built with Docker runs on containerd, podman, or any OCI-compliant runtime. containerd is the runtime Kubernetes uses today (Docker's runtime, donated to CNCF). runc is the low-level OCI runtime that actually makes the syscalls to create namespaces and cgroups. Knowing this matters because Kubernetes 1.24 removed dockershim — clusters now talk directly to containerd via CRI.

Common trap

Docker and containerd are not the same. Docker is a developer UX tool (CLI, build, compose). containerd is the runtime that actually manages containers. In production Kubernetes clusters, Docker the tool is often not installed at all.

Related concepts