upgrade
upgrade

🔄DevOps and Continuous Integration

Key Concepts of Containerization Technologies

Study smarter with Fiveable

Get study guides, practice questions, and cheatsheets for all your subjects. Join 500,000+ students with a 96% pass rate.

Get Started

Why This Matters

Containerization is the backbone of modern DevOps and CI/CD pipelines—and you'll be tested on understanding why different tools exist, not just what they do. The exam expects you to recognize the tradeoffs between container runtimes, orchestration platforms, and security architectures. When a question asks about scaling applications or ensuring consistent environments, you need to know which technology solves which problem.

These technologies demonstrate core principles: isolation vs. resource efficiency, simplicity vs. enterprise features, and daemon-based vs. daemonless architectures. Don't just memorize that Docker packages applications—understand that it solves the "works on my machine" problem through image-based deployment. Know why Kubernetes exists (orchestration at scale) and why alternatives like Podman emerged (security through rootless operation). Each tool represents a design decision you might need to justify on an FRQ.

Container Runtimes: The Execution Layer

Container runtimes handle the actual work of running containers—pulling images, managing storage, and executing processes in isolated environments. Understanding which runtime fits which use case is essential for architecture decisions.

Docker

  • Industry-standard containerization platform—packages applications with all dependencies into portable images that run identically across environments
  • CLI and GUI management through Docker Desktop, plus a daemon process (dockerd) that handles container operations
  • Foundation for most CI/CD pipelines—integrates with virtually every build tool and orchestration platform

Containerd

  • Lightweight runtime extracted from Docker—handles image transfer, storage, and container execution without Docker's extra tooling
  • Kubernetes' preferred runtime—lower overhead than full Docker installation while maintaining compatibility
  • Industry-standard (CNCF graduated)—designed for production environments where performance matters

CRI-O

  • Purpose-built for Kubernetes—implements the Container Runtime Interface (CRI) with nothing extra
  • Minimal footprint compared to Docker—includes only features Kubernetes actually needs
  • OCI-compliant and supports multiple image formats, making it a drop-in replacement for Docker in K8s clusters

Compare: Containerd vs. CRI-O—both are lightweight Kubernetes runtimes, but containerd is a general-purpose runtime while CRI-O is Kubernetes-specific. If an FRQ asks about optimizing a Kubernetes cluster, CRI-O demonstrates understanding of purpose-built tooling.

Orchestration Platforms: Managing at Scale

Orchestration tools solve the problem of running containers across multiple hosts—handling deployment, scaling, load balancing, and self-healing automatically.

Kubernetes

  • De facto standard for container orchestration—automates deployment, scaling, and management across clusters of machines
  • Declarative configuration via YAML—you define the desired state, and K8s continuously works to maintain it
  • Rolling updates and rollbacks enable zero-downtime deployments, a critical exam concept for production reliability

Docker Swarm

  • Native Docker orchestration—simpler than Kubernetes but with fewer features
  • Built-in load balancing and service discovery—manages multi-container applications across Docker host clusters
  • Lower learning curve than Kubernetes—ideal for smaller deployments or teams already invested in Docker tooling

Compare: Kubernetes vs. Docker Swarm—both orchestrate containers, but Kubernetes offers more sophisticated scaling, self-healing, and ecosystem integration. Swarm wins on simplicity. Know this tradeoff for questions about choosing orchestration tools.

Security-Focused and Daemonless Architectures

Some container technologies prioritize security through architectural decisions—eliminating root requirements, removing background daemons, or adding verification layers.

Podman

  • Daemonless architecture—no background service required, reducing attack surface and resource consumption
  • Rootless containers allow non-privileged users to run containers—major security improvement over traditional Docker
  • Docker CLI-compatible—commands like podman run work identically, easing migration from Docker

rkt (Rocket)

  • Security-first design—features image verification and cryptographic signing by default
  • Pod-native architecture—groups containers into pods (predating Kubernetes' adoption of this concept)
  • No daemon required—each container runs as a direct child process, simplifying debugging and process management

Compare: Podman vs. Docker—both run containers with similar CLIs, but Podman's daemonless, rootless design makes it preferable for security-conscious environments. This is a common exam angle: "Which tool would you choose for a security-hardened deployment?"

System-Level Virtualization: OS Containers

Unlike application containers (Docker, Podman), these technologies provide full operating system environments—closer to traditional VMs but sharing the host kernel.

LXC (Linux Containers)

  • OS-level containers—runs complete Linux distributions, not just single applications
  • Lightweight virtualization using kernel namespaces and cgroups—more efficient than VMs, more isolated than app containers
  • System container use cases—ideal when you need a full Linux environment rather than just an application runtime

OpenVZ

  • Shared kernel architecture—all containers use the host's kernel, maximizing resource efficiency
  • Live migration support—move running containers between physical hosts without downtime
  • Hosting provider favorite—commonly used for VPS services where density and efficiency matter most

Compare: LXC vs. Docker—LXC provides system containers (full OS), while Docker provides application containers (single process). If asked about running multiple services that expect a traditional Linux environment, LXC is the answer.

Quick Reference Table

ConceptBest Examples
Application containerizationDocker, Podman, containerd
Container orchestrationKubernetes, Docker Swarm
Kubernetes-native runtimesCRI-O, containerd
Daemonless/rootless securityPodman, rkt
System-level containersLXC, OpenVZ
Lightweight/minimal runtimescontainerd, CRI-O
Pod-native architectureKubernetes, Podman, rkt
Live migration supportOpenVZ

Self-Check Questions

  1. Which two container runtimes are specifically optimized for Kubernetes, and what distinguishes them from Docker?

  2. Compare Podman and Docker: what architectural difference makes Podman more secure, and why might an organization choose one over the other?

  3. If you needed to run a complete Linux distribution as a container (not just a single application), which technologies would be appropriate and why?

  4. Explain why Kubernetes uses declarative configuration. How does this differ from imperative commands, and what advantage does it provide for CI/CD pipelines?

  5. An FRQ asks you to design a container strategy for a security-sensitive government application. Which runtime would you recommend and what specific features would you cite to justify your choice?