
Proactive insights, news and tips from Oracle WebLogic Server Support. Learn Oracle from Oracle.

WebLogic announces support for CRI-O container runtime

Mark Nelson
Architect

At Oracle OpenWorld, we announced that we will now support WebLogic Server on additional container runtimes with Kubernetes.  Up to now we have supported only Docker as the container runtime.  Starting today, we will support both Docker and CRI-O.  We will continue to evaluate and update our position based on customer demand and industry trends.  

Why are we making this change?  

There are several trends driving this change:  

  • CRI-O is now part of Kubernetes and is very lightweight. 

  • CRI-O is runtime agnostic - it is a framework that permits the implementation of different deployment options for containers.  Because it is fully integrated with Kubernetes, such implementations can be done with limited user impact.  For example, Oracle Linux supports runC and Kata Containers today.  In the future it would be possible to support emerging projects like Firecracker if that became desirable. 

  • We currently support and certify WebLogic on OpenShift 3.11.  OpenShift 4 has moved to Red Hat Enterprise Linux 8/Red Hat CoreOS, and these operating systems have deprecated Docker support [9] and replaced it with CRI-O [1] and runc as the container runtime, along with tools including Podman [2] (replacing the docker CLI), Buildah [3] (for building images) and Skopeo [4] (for copying images and interacting with registries).  In order to support/certify WebLogic on OpenShift 4, we need to also support CRI-O. 

  • Oracle Linux 8 has also added support for Podman, Buildah and Skopeo container tools [8], as RHEL8 is its upstream distribution. 

  • Kata Containers [6] with CRI-O is generally considered to provide better isolation and address the main security concerns that have been expressed with Docker’s daemon-based architecture. 

  • CRI-O is a CNCF project, and Oracle is a Platinum member of CNCF.  Docker is a private company that has commercial and open source offerings.  The Open Container Initiative (OCI) [5] is hosted by the Linux Foundation and manages the specification for containers.  Adding support for CRI-O is a continuation of Oracle’s support of open standards managed by CNCF and the Linux Foundation and reinforces our commitment to open standards and open source in general.  

Docker is still widely popular.  We are not dropping support for Docker.  We are simply adding support for CRI-O in addition to Docker. 

What is CRI-O?  

From their site:  

  • CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) to enable using OCI (Open Container Initiative) compatible runtimes. It is a lightweight alternative to using Docker as the runtime for Kubernetes. It allows Kubernetes to use any OCI-compliant runtime as the container runtime for running pods. Today it supports runc and Kata Containers as the container runtimes but any OCI-conformant runtime can be plugged in principle. 

  • CRI-O supports OCI container images and can pull from any container registry. It is a lightweight alternative to using Docker, Moby or rkt as the runtime for Kubernetes. 

To a large extent, this means that CRI-O is a drop in replacement for Docker.  From the point of view of a Kubernetes operator/application workload, there is almost no discernible difference between Kubernetes running with Docker and Kubernetes running with CRI-O.  All of the Kubernetes functions work the same.   
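Because workloads behave the same on either runtime, the only reliable way to know what a node is running is the runtime string in its node status. The following is an added example, not part of the original post or of Oracle's tooling: it classifies nodes by the scheme of `containerRuntimeVersion`. The node names and version numbers in `sample_nodes` are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify cluster nodes by container runtime.
# On a live cluster, feed the functions with:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}'
# Each input line is "<node-name><TAB><runtime>://<version>".

# Constructed sample input (names and versions are made up).
sample_nodes() {
  printf '%s\t%s\n' \
    wls-node-1 'docker://18.9.1' \
    wls-node-2 'cri-o://1.14.10' \
    wls-node-3 'cri-o://1.14.10' \
    wls-node-4 'containerd://1.2.9'
}

# nodes_on_runtime <runtime>: names of nodes reporting that runtime.
nodes_on_runtime() {
  awk -F'\t' -v want="$1" '{ split($2, p, "://"); if (p[1] == want) print $1 }'
}

# runtime_summary: one "<runtime> <count>" line per runtime, sorted.
runtime_summary() {
  awk -F'\t' '{ split($2, p, "://"); n[p[1]]++ }
              END { for (r in n) print r, n[r] }' | LC_ALL=C sort
}

# nodes_outside_post: nodes whose runtime is neither of the two the
# post names as supported (Docker and CRI-O), for follow-up.
nodes_outside_post() {
  awk -F'\t' '{ split($2, p, "://");
                if (p[1] != "docker" && p[1] != "cri-o") print $1 }'
}

sample_nodes | runtime_summary
```

Nodes that still report `docker://` are the ones where the root-owned Docker daemon discussed in this post remains in the path.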

We have completed all of our testing and certification for WebLogic Kubernetes Operator 2.3.0 and WebLogic 12.2.1.3.0 on Kubernetes with Kata and CRI-O, including running our full integration test suite successfully.  There was literally no code change required.

The creation and management of Docker/OCI images would be done with different tools.  The images and containers these tools create/manipulate are 100% compatible with those created by Docker.  In fact they are interchangeable.  Most of these tools also try to have the same command line options as the Docker CLI to ease migration.  

  • Podman replaces Docker CLI for running containers, etc. 

  • Buildah replaces Docker build for creating images 

  • Skopeo provides tooling to search and manage docker registries (which Docker is weak at) 

  • crictl replaces Docker pull for pulling images from remote Docker registries 

At the lower level, each pod/container is run in a very lightweight QEMU VM by Kata Containers.  The Docker daemon (which runs as root and is the main security issue cited with Docker) is completely removed from the picture.   

It is important to note that you do not need to create new images - the existing Docker images work as-is with CRI-O. 

So the overall layering looks like this: 
 

Existing supported stack | New additionally supported stack
Kubernetes/Docker        | Kubernetes
containerd               | CRI-O
runC                     | kata
container-kernel         | container-kernel
On the left we have the currently supported runtime stack.  On the right is the stack that we will start to support in addition to the one on the left.  In addition to the runtime, there are the tools mentioned above to build, tag, push/pull images, etc. 

Several references are included below if you want to learn more.  If you want to get into the real nitty gritty detail - this is an excellent read: https://bit.ly/2mcJd1n 

References 

[1] CRI-O https://cri-o.io/ 

[2] Podman https://podman.io 

[3] Buildah https://buildah.io 

[4] Skopeo https://github.com/containers/skopeo 

[5] Open Container Initiative https://www.opencontainers.org/ 

[6] Kata https://github.com/kata-containers 

[7] Docker security https://superuser.openstack.org/articles/how-kata-containers-boost-security-in-docker-containers/ 

[8] Oracle Linux support statement https://docs.oracle.com/cd/F12552_01/F12584/html/ol8-features-container.html 

[9] RedHat support statement https://access.redhat.com/solutions/3696691 

[10] runC, containerd and Docker Engine architecture https://www.slideshare.net/PhilEstes/diving-through-the-layers-investigating-runc-containerd-and-the-docker-engine-architecture 

[11] What is containerd? https://blog.docker.com/2017/08/what-is-containerd-runtime/ 

[12] CRI-O vs containerd http://crunchtools.com/competition-heats-up-between-cri-o-and-containerd-actually-thats-not-a-thing/ 

 

 
 

 

 

 
