There's a number of container- and VM-based options for OCI-compliant implementations. We know of runc, which is the standard reference implementation of the OCI runtime. This is what the container uses. There's also the following available:
- projectatomic/bwrap-oci (https://github.com/projectatomic/bwrap-oci): Converts the OCI spec file to a command line for projectatomic/bubblewrap (https://github.com/projectatomic/bubblewrap)
- giuseppe/crun (https://github.com/giuseppe/crun): Runtime implementation in C
There are also VM-based implementations that take a different path towards security:
- hyperhq/runv (https://github.com/hyperhq/runv)—hypervisor-based runtime for OCI
- clearcontainers/runtime (https://github.com/clearcontainers/runtime)—hypervisor-based OCI runtime utilizing containers/virtcontainers (https://github.com/containers/virtcontainers) by Intel
- google/gvisor (https://github.com/google/gvisor)—gVisor is a user-space kernel, which contains runsc to run sandboxed containers
- kata-containers/runtime (https://github.com/kata-containers/runtime)—hypervisor-based OCI runtime combining technology from clearcontainers/runtime (https://github.com/clearcontainers/runtime) and hyperhq/runv (https://github.com/hyperhq/runv)
The most interesting project of these is the last in the list, Kata containers, which combines clear container and runV into a cohesive package. These foundational pieces are already in production use at scale in the enterprises, and Kata is looking to provide a secure, lightweight VM for containerized environments. By utilizing runV, Kata containers can run inside of any KVM-compatible VM, such as Xen, KVM, and vSphere, while still remaining compatible with CRI-O, which is important! Kata hopes to offer the speed of a container with the security surface of a VM.
Here's a diagram from Kata's site, explaining the architecture in visual detail:
