Introducing Mirantis Container Runtime 25: Enhanced Observability, Extensibility, and Performance
At Mirantis, we’re dedicated to empowering developers and operators with tools that enable seamless containerization and orchestration. Today, we are thrilled to announce the release of Mirantis Container Runtime (MCR) 25, our latest version of the runtime you’ve come to rely on for running containers securely with high performance. Built on the trusted foundation of Docker Moby, MCR 25 introduces critical advancements in observability, extensibility, and performance, ensuring our customers can continue to build, deploy, and manage containers with confidence, whether they use MCR 25 standalone or combine it with Swarm and/or Kubernetes orchestration with the new Mirantis Kubernetes Engine 3.8 release.
Let’s dive into the key features of this release and explore how they can benefit your organization.
Improved Observability: OpenTelemetry Support
As organizations grow, so do the complexity of their applications and the challenges of monitoring them effectively. MCR 25 addresses this need by introducing support for OpenTelemetry, an open-source framework for observability.
OpenTelemetry provides a unified standard for collecting, processing, and exporting telemetry data such as logs, metrics, and traces. MCR 25 can emit traces of Engine API requests using the OpenTelemetry protocol. With MCR 25, users can seamlessly integrate OpenTelemetry into their environments, enabling better visibility into container lifecycle operations for containerized workloads.
For example, teams can now export Engine API traces alongside their application telemetry to an OpenTelemetry Collector and view them in a tracing backend or a dashboard tool like Grafana. Seeing a slow or failing container create, start, or exec request next to the application spans it triggered helps organizations detect anomalies faster, optimize resource utilization, and ensure reliable application performance.
Enhancements for Swarm
MCR 25 includes Swarm-specific enhancements to support more networking topologies and to improve control over security for specific workloads.
Windows - Support Local Network Drivers for Swarm
The local-scope network drivers internal, l2bridge, and nat can now be used with Swarm on Windows, for use cases such as running the Swarm host behind a firewall.
Linux - Swarm Seccomp and AppArmor
MCR 25 supports setting a custom Seccomp profile and AppArmor configuration when creating Swarm services. These options let operators tighten the security of specific workloads and are part of the Privileges section of the ContainerSpec. A no-new-privileges flag has also been added to the ContainerSpec; when set, processes in the service's tasks cannot gain additional privileges through setuid or setgid binaries or file capabilities, which closes a common escalation path for a compromised application.
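The following is an added example, not Mirantis or Moby code. It builds the Privileges section of a service create request with a constructed allowlist seccomp profile and no-new-privileges, and includes a small checker that evaluates which action the profile takes for a given syscall before the profile is submitted. The field names Privileges.Seccomp, Privileges.AppArmor and NoNewPrivileges are assumed to follow the upstream Engine API shape; the service name, image and syscall lists are constructed for illustration.

```python
"""Build a hardened Swarm ContainerSpec and sanity-check its seccomp profile.

Added example, not MCR or Moby code.  Assumption: the Engine API accepts
TaskTemplate.ContainerSpec.Privileges.Seccomp / .AppArmor and
TaskTemplate.ContainerSpec.NoNewPrivileges with the shapes used below.
"""
import json

# Constructed allowlist profile: deny by default, allow a minimal set, and
# allow ptrace only when the container actually holds CAP_SYS_PTRACE.
ALLOWLIST_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit", "exit_group", "brk", "mmap",
                   "munmap", "rt_sigreturn", "futex", "nanosleep"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
}


def seccomp_action(profile: dict, syscall: str, caps=()) -> str:
    """Return the action the profile takes for `syscall`.

    Mirrors the Docker profile format: rules are scanned in order, the first
    matching rule wins, a rule with an includes.caps clause only applies when
    the container holds one of those capabilities, and anything unmatched
    falls through to defaultAction.  Argument filters are not modelled; a
    rule that has them is treated as non-matching so a syscall is never
    over-reported as allowed.
    """
    caps = set(caps)
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        wanted = set(rule.get("includes", {}).get("caps", []))
        if wanted and not (wanted & caps):
            continue
        if rule.get("args"):
            continue
        return rule["action"]
    return profile.get("defaultAction", "SCMP_ACT_ERRNO")


def check_profile(profile: dict, must_block=("ptrace", "mount", "bpf", "keyctl"), caps=()):
    """Return the syscalls from must_block that the profile would still allow."""
    return [s for s in must_block if seccomp_action(profile, s, caps) == "SCMP_ACT_ALLOW"]


def service_spec(image: str, profile: dict) -> dict:
    """Body for POST /services/create with a hardened Privileges section.

    The custom profile is passed as a JSON string, as the upstream API does.
    """
    return {
        "Name": "hardened-worker",  # constructed name
        "TaskTemplate": {
            "ContainerSpec": {
                "Image": image,
                "NoNewPrivileges": True,
                "Privileges": {
                    "Seccomp": {"Mode": "custom", "Profile": json.dumps(profile)},
                    "AppArmor": {"Mode": "default"},
                },
            }
        },
    }


if __name__ == "__main__":
    leaks = check_profile(ALLOWLIST_PROFILE)
    print("still allowed without caps:", leaks)
    print(json.dumps(service_spec("example.com/worker:1.0", ALLOWLIST_PROFILE), indent=2))
```

Run the checker against the capabilities the service is actually granted: the same profile that blocks ptrace for an unprivileged task allows it once CAP_SYS_PTRACE is added, which is exactly the kind of interaction worth catching before a service update ships.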
Container Device Interface (CDI) Support for AI and Edge
We now live in the world of GPGPU. AI, ML, cryptocurrency, and more all depend on specialized hardware devices. Users expect their containerized services to make use of GPUs, FPGAs, and even exotic devices like LIDARs. Similarly, edge computing and IoT for real-time data processing in manufacturing, healthcare, and other industries also need to integrate with high-speed cameras, sensors, or other hardware peripherals. The Container Device Interface (CDI) is a standard that lets container runtimes use third-party devices without vendor-specific runtime hooks. In practice, a CDI spec describes the edits a device needs (device nodes, bind mounts, environment variables, and hooks), and the runtime injects those edits into the OCI spec used to start and run the container when the device is requested by name. MCR 25 includes CDI support as an experimental feature that must be enabled explicitly.
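To make the injection step concrete, here is an added example (not the CDI reference library and not MCR's implementation) that resolves a fully qualified device name against a CDI spec and applies its containerEdits to an OCI runtime spec, the way a CDI-aware runtime does before handing the spec to runc. The vendor name example.com/lidar, the device paths and the mount paths are all constructed; hooks are left out of the model. Upstream Docker Engine 25 enables CDI through a "features": {"cdi": true} entry in daemon.json and requests a device with --device vendor.com/class=name; the example assumes MCR 25 follows that convention.

```python
"""Model of the CDI injection step: device name -> containerEdits -> OCI spec.

Added example, not the CDI reference library or MCR code.  The spec below
is constructed; a real one would live in /etc/cdi/ or /var/run/cdi/.
"""
import copy

CDI_SPEC = {
    "cdiVersion": "0.6.0",
    "kind": "example.com/lidar",          # constructed vendor/class
    "devices": [
        {"name": "front",
         "containerEdits": {
             "deviceNodes": [{"path": "/dev/lidar0", "type": "c", "major": 240, "minor": 0}],
             "env": ["LIDAR_DEVICE=/dev/lidar0"],
         }},
    ],
    # Kind-level edits apply to every device of this kind.
    "containerEdits": {
        "mounts": [{"hostPath": "/opt/lidar/lib", "containerPath": "/opt/lidar/lib",
                    "options": ["ro", "nosuid", "nodev", "bind"]}],
        "env": ["LIDAR_SDK_ROOT=/opt/lidar/lib"],
    },
}


def parse_device_name(name: str):
    """'example.com/lidar=front' -> ('example.com/lidar', 'front')."""
    kind, sep, dev = name.partition("=")
    if not sep or not dev or "/" not in kind:
        raise ValueError(f"not a fully-qualified CDI device name: {name!r}")
    return kind, dev


def apply_edits(oci: dict, edits: dict) -> None:
    """Apply one containerEdits block to an OCI spec in place."""
    for node in edits.get("deviceNodes", []):
        linux = oci.setdefault("linux", {})
        linux.setdefault("devices", []).append(
            {"path": node["path"], "type": node["type"],
             "major": node["major"], "minor": node["minor"]})
        # Without a device cgroup rule the node exists but cannot be opened,
        # so the edit also whitelists it for the container's cgroup.
        linux.setdefault("resources", {}).setdefault("devices", []).append(
            {"allow": True, "type": node["type"], "major": node["major"],
             "minor": node["minor"], "access": "rwm"})
    for m in edits.get("mounts", []):
        oci.setdefault("mounts", []).append(
            {"destination": m["containerPath"], "source": m["hostPath"],
             "type": "bind", "options": list(m.get("options", []))})
    env = oci.setdefault("process", {}).setdefault("env", [])
    for kv in edits.get("env", []):
        key = kv.split("=", 1)[0]
        env[:] = [e for e in env if e.split("=", 1)[0] != key]  # later edit wins
        env.append(kv)


def inject_device(oci_spec: dict, cdi_specs: list, device_name: str) -> dict:
    """Return a copy of oci_spec with the named CDI device injected.

    Kind-level edits are applied before the device's own edits, as the CDI
    spec orders them.  Unknown devices are an error rather than a silent
    no-op, so a typo in --device cannot start the container without the
    hardware it expects.
    """
    kind, dev = parse_device_name(device_name)
    out = copy.deepcopy(oci_spec)
    for spec in cdi_specs:
        if spec["kind"] != kind:
            continue
        for d in spec["devices"]:
            if d["name"] == dev:
                apply_edits(out, spec.get("containerEdits", {}))
                apply_edits(out, d.get("containerEdits", {}))
                return out
    raise LookupError(f"unresolvable CDI device {device_name!r}")


if __name__ == "__main__":
    base = {"process": {"env": ["PATH=/usr/bin"]}, "mounts": []}
    import json
    print(json.dumps(inject_device(base, [CDI_SPEC], "example.com/lidar=front"), indent=2))
```

The security-relevant detail is that everything the container gains comes from a spec file on the host that the operator controls; reviewing the CDI spec directory is reviewing exactly which device nodes, host paths and environment a device request can pull into a container.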
Coming Soon: crun for Lightning-Fast Container Performance
In Q1 next year, MCR 25 will add support for crun, a lightweight OCI runtime written in C. Compared with runtimes written in Go, such as runc, crun has a smaller memory footprint and lower container start-up latency, so containers launch more quickly and with less overhead per launch, which makes it practical to run more containers per node.
Organizations managing large-scale, latency-sensitive applications, such as real-time analytics or e-commerce platforms, will find crun valuable for improving operational efficiency. Faster container start times mean new capacity comes online sooner during scaling events, directly translating to improved customer satisfaction and cost savings.
Healthy Containers, Faster
Health checks are key for self-healing, scalable containerized services. Load balancers only route traffic to healthy containers, so the speed at which a container can be determined to be healthy limits how quickly a service can scale up. MCR 25 introduces the --health-start-interval option for containers and Swarm services, which runs the health-check probe at a different cadence while a container is inside its start period (the window set by --health-start-period). Containers can reach healthy status sooner by probing at a short interval during startup while keeping a longer interval at steady state, so the extra probes do not add overhead for the life of the container.
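The effect is easy to quantify with a small simulation. The following is an added example, not the engine's health monitor: it models the monitor's scheduling (the first probe runs one interval after start, the start interval is used while the container is inside the start period, the regular interval afterwards, and failures inside the start period do not count toward retries) and reports when a container that becomes ready at a given moment is first seen as healthy. The readiness times and intervals are constructed inputs.

```python
"""Simulate time-to-healthy with and without --health-start-interval.

Added example, a simplified model of the engine's health monitor, not its
code.  Model assumptions: first probe fires one interval after start; while
t < start_period the interval is start_interval (if set), else interval; a
probe succeeds once the app is ready; failures before start_period do not
count toward retries; a single success marks the container healthy.
"""


def time_to_healthy(ready_at, interval, start_period=0.0, start_interval=None,
                    retries=3, horizon=600.0):
    """Return (time_healthy, probes_run), or (None, probes_run) if the
    container is marked unhealthy or the horizon is reached first.
    All times are seconds."""
    t, failures, probes = 0.0, 0, 0
    while t < horizon:
        wait = start_interval if (start_interval and t < start_period) else interval
        t += wait
        probes += 1
        if t >= ready_at:
            return t, probes
        if t >= start_period:          # only steady-state failures count
            failures += 1
            if failures >= retries:
                return None, probes
    return None, probes


def compare(ready_at, interval, start_period, start_interval):
    """Side-by-side result for the same container with and without the
    start interval; equivalent to the CLI flags
      --health-interval {interval}s --health-start-period {start_period}s
      --health-start-interval {start_interval}s"""
    return {
        "without": time_to_healthy(ready_at, interval, start_period),
        "with": time_to_healthy(ready_at, interval, start_period, start_interval),
    }


if __name__ == "__main__":
    # Constructed scenario: app ready after 12 s, 30 s steady-state interval,
    # 60 s start period, 2 s start interval.
    for ready in (12, 100):
        print(ready, compare(ready, 30, 60, 2))
```

For an application that is ready after 12 seconds, a plain 30 second interval reports healthy at 30 seconds; with a 2 second start interval it reports healthy at 12 seconds, and once the start period ends the probe cadence drops back to 30 seconds, so the steady-state cost is unchanged.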
Coming Soon: Broader Support for OCI-Compliant Runtimes with: Kata Containers and gVisor
In Q2 next year, MCR 25 will also expand its capabilities with enhanced support for Kata Containers and gVisor, two leading OCI-compliant runtimes designed to bolster container security. Both put a sandbox between the workload and the host kernel, so that a compromised application, or a kernel exploit launched from inside a container, does not directly reach the host or neighbouring containers.
Kata Containers run each container (or pod) inside a lightweight virtual machine, so workload isolation is backed by hardware virtualization and a separate guest kernel rather than by kernel namespaces alone. This approach is particularly useful for organizations running multi-tenant environments, as it prevents a compromised container from impacting other tenants or the host system. Kata Containers can also use platform features such as secure boot and hardware-backed memory encryption, helping customers meet stringent compliance requirements such as HIPAA or PCI DSS.
gVisor, on the other hand, intercepts the application's system calls in a user-space kernel that implements the Linux syscall surface itself and makes only a narrow set of calls to the host kernel, providing strong isolation at lower cost than a full VM. It is ideal for scenarios where lightweight isolation is needed without the overhead of a virtual machine; because it reimplements Linux rather than forwarding to it, not every syscall or kernel feature is supported, so workloads should be tested for compatibility and performance before being moved to it. gVisor integrates with Kubernetes through a RuntimeClass, making it an excellent choice for organizations that need granular control over untrusted workloads.
Learn more about MCR 25 in the release notes.