runc

command module
v1.5.0-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 13, 2026 License: Apache-2.0 Imports: 49 Imported by: 2

README

runc

Go Report Card Go Reference CII Best Practices gha/validate gha/ci CirrusCI

Introduction

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

Releases

You can find official releases of runc on the release page.

All releases are signed by one of the keys listed in the runc.keyring file in the root of this repository.

Security

The reporting process and disclosure communications are outlined here.

Security Audit

A third party security audit was performed by Cure53, you can see the full report here.

Building

runc only supports Linux. See the header of go.mod for the minimally required Go version.

Pre-Requisites
Utilities and Libraries

In addition to Go, building runc requires multiple utilities and libraries to be installed on your system.

On Ubuntu/Debian, you can install the required dependencies with:

apt update && apt install -y make gcc linux-libc-dev libseccomp-dev pkg-config git

On CentOS/Fedora, you can install the required dependencies with:

yum install -y make gcc kernel-headers libseccomp-devel pkg-config git

On Alpine Linux, you can install the required dependencies with:

apk --update add bash make gcc libseccomp-dev musl-dev linux-headers git

The following dependencies are optional:

  • libseccomp - only required if you enable seccomp support; to disable, see Build Tags
Build
# create a 'github.com/opencontainers' in your GOPATH/src
cd github.com/opencontainers
git clone https://github.com/opencontainers/runc
cd runc

make
sudo make install

You can also use go get to install to your GOPATH, assuming that you have a github.com parent folder already created under src:

go get github.com/opencontainers/runc
cd $GOPATH/src/github.com/opencontainers/runc
make
sudo make install

runc will be installed to /usr/local/sbin/runc on your system.

Version string customization

You can see the runc version by running runc --version. You can append a custom string to the version using the EXTRA_VERSION make variable when building, e.g.:

make EXTRA_VERSION="+build-1"

Bear in mind to include some separator for readability.

Build Tags

runc supports optional build tags for compiling support of various features, with some of them enabled by default (see BUILDTAGS in top-level Makefile).

To change build tags from the default, set the BUILDTAGS variable for make, e.g. to disable seccomp:

make BUILDTAGS=""

To add some more build tags to the default set, use the EXTRA_BUILDTAGS make variable, e.g. to disable checkpoint/restore:

make EXTRA_BUILDTAGS="runc_nocriu"
Build Tag Feature Enabled by Default Dependencies
seccomp Syscall filtering using libseccomp. yes libseccomp
libpathrs Use libpathrs for path safety. yes libpathrs
runc_nocriu Disables runc checkpoint/restore. no criu

The following build tags were used earlier, but are now obsoleted:

  • runc_nodmz (since runc v1.2.1 runc dmz binary is dropped)
  • nokmem (since runc v1.0.0-rc94 kernel memory settings are ignored)
  • apparmor (since runc v1.0.0-rc93 the feature is always enabled)
  • selinux (since runc v1.0.0-rc93 the feature is always enabled)
Running the test suite

runc currently supports running its test suite via Docker. To run the suite just type make test.

make test

There are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.

You can run a specific test case by setting the TESTFLAGS variable.

# make test TESTFLAGS="-run=SomeTestFunction"

You can run a specific integration test by setting the TESTPATH variable.

# make test TESTPATH="/checkpoint.bats"

You can run a specific rootless integration test by setting the ROOTLESS_TESTPATH variable.

# make test ROOTLESS_TESTPATH="/checkpoint.bats"

You can run a test using your container engine's flags by setting CONTAINER_ENGINE_BUILD_FLAGS and CONTAINER_ENGINE_RUN_FLAGS variables.

# make test CONTAINER_ENGINE_BUILD_FLAGS="--build-arg http_proxy=http://yourproxy/" CONTAINER_ENGINE_RUN_FLAGS="-e http_proxy=http://yourproxy/"
Go Dependencies Management

runc uses Go Modules for dependencies management. Please refer to Go Modules for how to add or update new dependencies.

# Update vendored dependencies
make vendor
# Verify all dependencies
make verify-dependencies

Using runc

Please note that runc is a low level tool not designed with an end user in mind. It is mostly employed by other higher level container software.

Therefore, unless there is some specific use case that prevents the use of tools like Docker or Podman, it is not recommended to use runc directly.

If you still want to use runc, here's how.

Creating an OCI Bundle

In order to use runc you must have your container in the format of an OCI bundle. If you have Docker installed you can use its export method to acquire a root filesystem from an existing Docker container.

# create the top most bundle directory
mkdir /mycontainer
cd /mycontainer

# create the rootfs directory
mkdir rootfs

# export busybox via Docker into the rootfs directory
docker export $(docker create busybox) | tar -C rootfs -xvf -

After a root filesystem is populated you just generate a spec in the format of a config.json file inside your bundle. runc provides a spec command to generate a base template spec that you are then able to edit. To find features and documentation for fields in the spec please refer to the specs repository.

runc spec
Running Containers

Assuming you have an OCI bundle from the previous step you can execute the container in two different ways.

The first way is to use the convenience command run that will handle creating, starting, and deleting the container after it exits.

# run as root
cd /mycontainer
runc run mycontainerid

If you used the unmodified runc spec template this should give you a sh session inside the container.

The second way to start a container is using the specs lifecycle operations. This gives you more power over how the container is created and managed while it is running. This will also launch the container in the background so you will have to edit the config.json to remove the terminal setting for the simple examples below (see more details about runc terminal handling). Your process field in the config.json should look like this below with "terminal": false and "args": ["sleep", "5"].

        "process": {
                "terminal": false,
                "user": {
                        "uid": 0,
                        "gid": 0
                },
                "args": [
                        "sleep", "5"
                ],
                "env": [
                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                        "TERM=xterm"
                ],
                "cwd": "/",
                "capabilities": {
                        "bounding": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "effective": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "inheritable": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "permitted": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "ambient": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ]
                },
                "rlimits": [
                        {
                                "type": "RLIMIT_NOFILE",
                                "hard": 1024,
                                "soft": 1024
                        }
                ],
                "noNewPrivileges": true
        },

Now we can go through the lifecycle operations in your shell.

# run as root
cd /mycontainer
runc create mycontainerid

# view the container is created and in the "created" state
runc list

# start the process inside the container
runc start mycontainerid

# after 5 seconds view that the container has exited and is now in the stopped state
runc list

# now delete the container
runc delete mycontainerid

This allows higher level systems to augment the containers creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after create but before start.

Rootless containers

runc has the ability to run containers without root privileges. This is called rootless. You need to pass some parameters to runc in order to run rootless containers. See below and compare with the previous version.

Note: In order to use this feature, "User Namespaces" must be compiled and enabled in your kernel. There are various ways to do this depending on your distribution:

  • Confirm CONFIG_USER_NS=y is set in your kernel configuration (normally found in /proc/config.gz)
  • Arch/Debian: echo 1 > /proc/sys/kernel/unprivileged_userns_clone
  • RHEL/CentOS 7: echo 28633 > /proc/sys/user/max_user_namespaces

Run the following commands as an ordinary user:

# Same as the first example
mkdir ~/mycontainer
cd ~/mycontainer
mkdir rootfs
docker export $(docker create busybox) | tar -C rootfs -xvf -

# The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user.
runc spec --rootless

# The --root parameter tells runc where to store the container state. It must be writable by the user.
runc --root /tmp/runc run mycontainerid
Supervisors

runc can be used with process supervisors and init systems to ensure that containers are restarted when they exit. An example systemd unit file looks something like this.

[Unit]
Description=Start My Container

[Service]
Type=forking
ExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid
ExecStopPost=/usr/local/sbin/runc delete mycontainerid
WorkingDirectory=/mycontainer
PIDFile=/run/mycontainerid.pid

[Install]
WantedBy=multi-user.target

More documentation

License

The code and docs are released under the Apache 2.0 license.

Documentation

Overview

runc is a command line client for running applications packaged according to the Open Container Initiative (OCI) format and is a compliant implementation of the Open Container Initiative specification.

Source Files

View all Source files

Directories

Path Synopsis
internal
linux
Package linux provides minimal wrappers around Linux system calls, primarily to provide support for automatic EINTR-retries.
 Package linux provides minimal wrappers around Linux system calls, primarily to provide support for automatic EINTR-retries.
pathrs
Package pathrs provides wrappers around filepath-securejoin to add the minimum set of features needed from libpathrs that are not provided by filepath-securejoin, with the eventual goal being that these can be used to ease the transition by converting them stubs when enabling libpathrs builds.
 Package pathrs provides wrappers around filepath-securejoin to add the minimum set of features needed from libpathrs that are not provided by filepath-securejoin, with the eventual goal being that these can be used to ease the transition by converting them stubs when enabling libpathrs builds.
sys
Package sys is an internal package that contains helper methods for dealing with Linux that are more complicated than basic wrappers.
 Package sys is an internal package that contains helper methods for dealing with Linux that are more complicated than basic wrappers.
third_party/systemd/activation
Package activation implements primitives for systemd socket activation.
 Package activation implements primitives for systemd socket activation.
Package libcontainer provides a native Go implementation for creating containers with namespaces, cgroups, capabilities, and filesystem access controls.
 Package libcontainer provides a native Go implementation for creating containers with namespaces, cgroups, capabilities, and filesystem access controls.
apparmor
Package apparmor provides a minimal set of helpers to configure the AppArmor profile of the current process, effectively acting as a very stripped-down version of libapparmor.
 Package apparmor provides a minimal set of helpers to configure the AppArmor profile of the current process, effectively acting as a very stripped-down version of libapparmor.
capabilities
Package capabilities provides helpers for managing Linux capabilities.
 Package capabilities provides helpers for managing Linux capabilities.
configs
Package configs provides various container-related configuration types used by libcontainer.
 Package configs provides various container-related configuration types used by libcontainer.
configs/validate
Package validate provides helpers for validating configuration.
 Package validate provides helpers for validating configuration.
devices
Package devices provides some helper functions for constructing device configurations for runc.
 Package devices provides some helper functions for constructing device configurations for runc.
exeseal
Package exeseal provides mechanisms for sealing /proc/self/exe and thus protecting the runc binary against CVE-2019-5736-style attacks.
 Package exeseal provides mechanisms for sealing /proc/self/exe and thus protecting the runc binary against CVE-2019-5736-style attacks.
integration
Package integration is used for integration testing of libcontainer.
 Package integration is used for integration testing of libcontainer.
intelrdt
internal/userns
Package userns provides helpers for interacting with Linux user namespaces.
 Package userns provides helpers for interacting with Linux user namespaces.
keys
Package keys provides helpers for Linux keyrings.
 Package keys provides helpers for Linux keyrings.
logs
Package logs provides helpers for logging used within runc (specifically for forwarding logs from "runc init" to the main runc process).
 Package logs provides helpers for logging used within runc (specifically for forwarding logs from "runc init" to the main runc process).
nsenter
Package nsenter implements the namespace creation and joining logic of runc.
 Package nsenter implements the namespace creation and joining logic of runc.
nsenter/test
Package escapetest is part of the escape_json_string unit test.
 Package escapetest is part of the escape_json_string unit test.
seccomp
Package seccomp provides runc-specific helpers for loading and managing seccomp profiles.
 Package seccomp provides runc-specific helpers for loading and managing seccomp profiles.
seccomp/patchbpf
Package patchbpf provides utilities for patching libseccomp-generated cBPF programs in order to handle unknown syscalls and ENOSYS more gracefully.
 Package patchbpf provides utilities for patching libseccomp-generated cBPF programs in order to handle unknown syscalls and ENOSYS more gracefully.
specconv
Package specconv implements conversion of specifications to libcontainer configurations
 Package specconv implements conversion of specifications to libcontainer configurations
system
Package system provides wrappers for Linux system operations.
 Package system provides wrappers for Linux system operations.
system/kernelversion
Package kernelversion provides a method to check whether the running kernel version is at least a minimum kernel version.
 Package kernelversion provides a method to check whether the running kernel version is at least a minimum kernel version.
utils
Package utils provides general helper utilities used in libcontainer.
 Package utils provides general helper utilities used in libcontainer.
tests
cmd/fs-idmap command
fs-idmap is a command-line tool to detect if a filesystem associated with a given path supports id-mapped mounts.
 fs-idmap is a command-line tool to detect if a filesystem associated with a given path supports id-mapped mounts.
cmd/key_label command
key_label is a simple program to print the current session keyring name and its security label, to be run inside container (see selinux.bats).
 key_label is a simple program to print the current session keyring name and its security label, to be run inside container (see selinux.bats).
cmd/pidfd-kill command
pidfd-kill is a command-line tool to send signals to processes using pidfds passed through a unix socket.
 pidfd-kill is a command-line tool to send signals to processes using pidfds passed through a unix socket.
cmd/recvtty command
recvtty is a sample implementation of the consumer side of the --console-socket interface for runc.
 recvtty is a sample implementation of the consumer side of the --console-socket interface for runc.
cmd/remap-rootfs command
remap-rootfs is a command-line tool to remap the ownership of an OCI bundle's rootfs to match the user namespace id-mapping of the bundle's config.json.
 remap-rootfs is a command-line tool to remap the ownership of an OCI bundle's rootfs to match the user namespace id-mapping of the bundle's config.json.
cmd/sd-helper command
sd-helper is a command-line tool to provide some very minimal helpers to communicate with systemd.
 sd-helper is a command-line tool to provide some very minimal helpers to communicate with systemd.
cmd/seccompagent command
Package types defines the types used for the cgroup-related events APIs provided by "runc events".
 Package types defines the types used for the cgroup-related events APIs provided by "runc events".
features
Package features provides the annotations for github.com/opencontainers/runtime-spec/specs-go/features.
 Package features provides the annotations for github.com/opencontainers/runtime-spec/specs-go/features.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.