Hi, I’m Toru Komatsu(@utam0k), first committer of youki.
This article was written in celebration of youki’s v0.0.1 release
🤔 What is youki?
Youki is a low level container runtime written in Rust that implements the OCI Runtime Specification. Simply put, youki is a commandline tool that can create containers. Other runtimes in the same category you might have heard about are runc and crun. When you create a container using Docker or Podman the actual container creation is delegated to a tool like youki.
Why another container runtime?
Currently many container tools are implemented in Go which requires special handling when it comes to implementing a container runtime. Runc for example embeds a C program into its exectuable that handles setting up the namespaces as this is not possible in Go due to the multithreaded nature of the Go runtime.
On the other hand C could be used as a implementation language but this comes at the cost of memory safety and in addition C lacks high level language constructs that we have come to expect from a modern language.
Therefore while Go and C are perfectly fine languages, for this particular use case we believe that Rust with its cross section of low level control, memory safety and high level abstractions is uniquely suited for implementing a container runtime.
Youki has the potential to be faster and use less memory than runc, and therefore work in environments with tight memory usage requirements. Here is a simple benchmark of a container from creation to deletion. As with all benchmarks, this might not be representative of your own workloads
|Runtime||Time (mean ± σ)||Range (min … max)|
|youki||198.4 ms ± 52.1 ms||97.2 ms … 296.1 ms|
|runc||352.3 ms ± 53.3 ms||248.3 ms … 772.2 ms|
|crun||153.5 ms ± 21.6 ms||80.9 ms … 196.6 ms|
Details about the benchmark
- A command used for the benchmark
$ hyperfine --prepare 'sudo sync; echo 3 | sudo tee /proc/sys/vm/drop_caches' --warmup 10 --min-runs 100 'sudo ./youki create -b tutorial a && sudo ./youki start a && sudo ./youki delete -f a'
$ ./youki info Version 0.0.1 Kernel-Release 5.11.0-41-generic Kernel-Version #45-Ubuntu SMP Fri Nov 5 11:37:01 UTC 2021 Architecture x86_64 Operating System Ubuntu 21.04 Cores 12 Total Memory 32025 Cgroup setup hybrid Cgroup mounts blkio /sys/fs/cgroup/blkio cpu /sys/fs/cgroup/cpu,cpuacct cpuacct /sys/fs/cgroup/cpu,cpuacct cpuset /sys/fs/cgroup/cpuset devices /sys/fs/cgroup/devices freezer /sys/fs/cgroup/freezer hugetlb /sys/fs/cgroup/hugetlb memory /sys/fs/cgroup/memory net_cls /sys/fs/cgroup/net_cls,net_prio net_prio /sys/fs/cgroup/net_cls,net_prio perf_event /sys/fs/cgroup/perf_event pids /sys/fs/cgroup/pids unified /sys/fs/cgroup/unified CGroup v2 controllers cpu detached cpuset detached hugetlb detached io detached memory detached pids detached device attached Namespaces enabled mount enabled uts enabled ipc enabled user enabled pid enabled network enabled cgroup enabled $ ./youki --version youki version 0.0.1 commit: 0.0.1-0-0be33bf $ runc -v runc version 1.0.0-rc93 commit: 12644e614e25b05da6fd08a38ffa0cfe1903fdec spec: 1.0.2-dev go: go1.13.15 libseccomp: 2.5.1 $ crun --version crun version 0.19.1.45-4cc7 commit: 4cc7fa1124cce75dc26e12186d9cbeabded2b710 spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
A container runtime needs to implement many features that users have come to expect from a container runtime, that have not yet been incorporated into the OCI Runtime Specification. Despite this being the first release of youki, many features have already been implemented.
|Docker||Running via Docker||✅|
|Podman||Running via Podman||✅|
|pivot_root||Change the root directory||✅|
|Mounts||Mount files and directories to container||✅|
|Namespaces||Isolation of various resources||✅|
|Capabilities||Limiting root privileges||✅|
|Cgroups v1||Resource limitations, etc||✅|
|Cgroups v2||Improved version of v1||Support is complete except for devices. WIP on #78|
|Systemd cgroup driver||Setting up a cgroup using systemd||✅|
|Seccomp||Filtering system calls||✅|
|Hooks||Add custom processing during container creation||✅|
|Rootless||Running a container without root privileges||✅|
|OCI Compliance||Compliance with OCI Runtime Spec||✅ 50 out of 50 test cases passing|
How to get started
Download youki from the release page and follow the tutorial.
See the mdbook for more details.
Why do we keep implementing youki?
Contribution to the container runtime community
We are trying to provide as much of the crates used to make youki to the community. Currently we are providing containers/oci-spec-rs as a crate, separated from youki’s main code. We have already crates available for cgroups, container creation, seccomp and oci-cli parsing which will be released at a later point in time.
Youki does not provide any support for older kernels. By doing so, it has the potential to use new features such as
We have fun implementing this. In fact, this might be the most important part.
🤝 Join youki!
Youki is always looking for people who want to learn about container runtimes in Rust, and for your input.
We also have good first issue as the first way to participate in development.
If you cannot find a good first issue that fits you, please ask on Discord or Twitter.
👣 A short history of youki
Studied railcar which is implemented by Oracle and already archived
Started implementing the container runtime in Rust, which later became youki
Attracted attention of developers on Reddit and elsewhere
More attention, more developers
Thanks to all the wonderful collaborators.
Thomas Schubart, yihuaf, YJDoc2, tommady, Yukang and Travis Sturzl
Thanks to the members of containers for their cooperation.
Thank you especially to Sascha Grunert, Giuseppe Scrivano and Daniel J Walsh.
Thanks to all the people who already contributed!
This article has been reviewed by Thomas Schubart and some additions have been made. Thank you very much.
We are always eager for new contributers.
We don’t have a sponsor feature on GitHub, so please give us a star to encourage us.