Using OCI to create and manage containers requires many process invocations to start a Pod. It also requires many satellite processes to be running: one runsc wait process for every container, another runsc exec for every exec invocation, and runsc events --stats to capture stats. Using processes also makes it hard to distinguish between command errors and errors coming from the container, e.g. runsc exec may fail because it was given an invalid parameter, or because the application being executed failed with an invalid parameter.
Many of these problems go away if we had an RPC interface that gvisor-containerd-shim can call directly. The proposal is to create a client library that talks directly to the sandbox using the urpc endpoint that is already exposed. This would be a full replacement of OCI, requiring no extra process invocation to create and manage a Pod, including terminal support.
gvisor-containerd-shim would use this new API exclusively, leaving the OCI implementation to be used by docker and other users of runsc. Multi-container support and gVisor-specific annotations can then be removed from the command-line interface.