# runc — Industry-Standard OCI Container Runtime

> The reference implementation of the OCI runtime specification, runc spawns and manages containers at the lowest level for Docker, containerd, Podman, and CRI-O.

## Quick Use

```bash
# Install from your distribution's packages (or use a release binary / build from source)
sudo apt install runc

# Build an OCI bundle: a rootfs directory plus a config.json next to it
mkdir -p mycontainer/rootfs
docker export "$(docker create alpine)" | tar -C mycontainer/rootfs -xf -
cd mycontainer && runc spec   # writes a default config.json (runs "sh" as uid 0, no user namespace, no seccomp)

# Run the bundle as a container named my-container (requires root unless config.json is rootless)
runc run my-container
```

## Introduction

runc is a lightweight CLI tool for spawning and running containers according to the Open Container Initiative (OCI) runtime specification. Originally extracted from Docker's libcontainer, it is the foundational runtime beneath higher-level tools such as containerd and CRI-O.

## What runc Does

- Creates and runs OCI-compliant containers from a bundle (rootfs + config.json)
- Manages the container lifecycle: create, start, pause, resume, kill, delete
- Applies Linux namespaces, cgroups, seccomp filters, and AppArmor/SELinux labels as declared in config.json
- Supports rootless containers for unprivileged users
- Provides checkpoint and restore via CRIU integration

## Architecture Overview

runc operates directly on Linux kernel primitives and has no daemon. Given a bundle directory containing a root filesystem and a config.json, `runc run` spawns a child that re-executes itself as `runc init` inside the requested namespaces (pid, net, mnt, user, uts, ipc, cgroup), places it in a cgroup with the configured resource limits, performs the mounts listed in config.json, pivot_root()s into the rootfs, applies the masked and read-only paths, drops capabilities, installs the seccomp filter, and finally execs the configured entrypoint. The seccomp filter is installed last so that it cannot block the setup steps themselves. `runc run` stays in the foreground and returns once the container's init process exits; `runc create` followed by `runc start` splits the same sequence into two steps so the container can outlive the runc invocation.

Because runc shares the host kernel, the isolation it provides is exactly what config.json asks for: a container with no user namespace, a broad capability set, or no seccomp profile is a process with host root's reach, and the default config written by `runc spec` grants neither a user namespace nor a seccomp filter.
## Self-Hosting & Configuration

- Install via distro packages, static binaries from GitHub releases, or build from source with Go
- Create OCI bundles by hand (any rootfs plus `runc spec`) or with tools such as umoci and skopeo
- Edit config.json to tune namespaces, capabilities, mounts, masked and read-only paths, seccomp, and resource limits; treat the output of `runc spec` as a starting point, not a hardened profile
- Enable rootless mode with `runc spec --rootless`, which adds a user namespace whose uid/gid mappings map container root to the invoking user; a single-id mapping needs nothing setuid, while mapping a range from /etc/subuid and /etc/subgid relies on the setuid newuidmap/newgidmap helpers
- Integrate with containerd or CRI-O as the low-level runtime backend

## Key Features

- Reference implementation of the OCI Runtime Specification
- Minimal footprint: a single static binary, no daemon
- Rootless container support via user namespaces
- CRIU-based checkpoint/restore for live container migration
- Battle-tested foundation powering Docker, Kubernetes (through containerd and CRI-O), and most container platforms

## Comparison with Similar Tools

- **crun** — C-based OCI runtime optimized for startup speed and low memory; runc is the Go reference implementation
- **youki** — Rust-based OCI runtime focusing on memory safety; runc has broader adoption
- **gVisor (runsc)** — sandboxed runtime that interposes a user-space kernel between the container and the host; runc uses native Linux namespaces on the host kernel
- **Kata Containers** — runs each container in a lightweight VM with its own kernel; runc shares the host kernel
- **containerd** — a higher-level daemon that manages images and calls runc to run containers

## FAQ

**Q: Is runc the same as Docker?**
A: No. runc is the low-level runtime that Docker (via containerd) uses to actually create containers. Docker adds image management, networking, and a CLI on top.

**Q: Can I use runc directly in production?**
A: You can, but most production setups use containerd or CRI-O as a management layer that orchestrates runc under the hood.

**Q: Does runc work on macOS or Windows?**
A: runc requires Linux kernel features (namespaces, cgroups). On macOS and Windows, container tools run runc inside a Linux VM.

**Q: What is rootless mode?**
A: Rootless mode lets an unprivileged user run containers by creating a user namespace in which that user is mapped to uid 0 inside the container. runc itself does not need to be setuid; mapping more than one uid or gid still relies on the setuid newuidmap/newgidmap helpers, and operations that need real root on the host, such as creating veth pairs or mounting most filesystems, are unavailable or require user-space helpers (for example slirp4netns for networking).
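The setup sequence in the Architecture Overview and the configuration points above (namespaces, capabilities, mounts, masked paths, rootless uid/gid mappings) are all driven by fields in config.json. The following Python script is an added example, not code from runc or the OCI project: it audits a config.json dict for the settings a reviewer would check and produces a hardened rootless copy. Field names are those of the OCI runtime spec. `SAMPLE_CONFIG` is a hand-constructed config resembling `runc spec` output with weak settings planted in it; `DANGEROUS_CAPS`, `SENSITIVE_HOST_PATHS`, `MUST_MASK`, the capability allowlist, and the rootless transformation (single uid/gid mapping, host network namespace, read-only rbind of /sys, cgroup limits removed) are this example's own policy choices modelled on what `runc spec --rootless` does, not runc's defaults. Diff the result against `runc spec --rootless` on your own runc version, and supply a real seccomp profile: the hardener deliberately adds none, so that finding stays open.

```python
"""Audit and harden an OCI runtime config.json for runc (added example, not runc code).
Field names follow the OCI runtime spec; the policy tables, SAMPLE_CONFIG and the
rootless transformation are this example's own assumptions, not runc defaults."""
import copy
import json

# Capabilities that let a containerised process reach or modify the host (assumed policy).
DANGEROUS_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_BOOT", "CAP_MKNOD",
}
# Host paths that must not be bind-mounted writable into an untrusted container (assumed policy).
SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/dev", "/etc", "/run", "/var/run")
REQUIRED_NAMESPACES = {"pid", "mount", "ipc", "uts"}
MUST_MASK = ("/proc/kcore", "/sys/firmware")


def _bind_source(mount):
    """Normalised host source path if the mount is a bind mount, else None."""
    opts = mount.get("options", [])
    if "bind" not in opts and "rbind" not in opts:
        return None
    return mount.get("source", "").rstrip("/") or "/"


def audit_config(cfg):
    """Return a list of findings for a config.json dict; an empty list means clean."""
    findings = []
    proc, linux = cfg.get("process", {}), cfg.get("linux", {})
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not true")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root.readonly is false")
    granted = set()
    for cap_set in ("bounding", "effective", "permitted", "inheritable", "ambient"):
        granted.update(proc.get("capabilities", {}).get(cap_set, []))
    for cap in sorted(granted & DANGEROUS_CAPS):
        findings.append(f"dangerous capability granted: {cap}")
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(REQUIRED_NAMESPACES - ns_types):
        findings.append(f"missing namespace: {ns}")
    if "user" not in ns_types and proc.get("user", {}).get("uid", 0) == 0:
        findings.append("uid 0 without a user namespace: container root is host root")
    if "seccomp" not in linux:
        findings.append("linux.seccomp is absent: no syscall filter applied")
    for m in cfg.get("mounts", []):
        src = _bind_source(m)
        if src in SENSITIVE_HOST_PATHS and "ro" not in m.get("options", []):
            findings.append(f"writable bind mount of host path {src}")
    for path in MUST_MASK:
        if path not in linux.get("maskedPaths", []):
            findings.append(f"{path} not in linux.maskedPaths")
    return findings


def harden_config(cfg, host_uid, host_gid, allowed_caps=("CAP_NET_BIND_SERVICE",)):
    """Return a hardened rootless copy of cfg. No seccomp profile is added: use a real
    one (e.g. the profile your orchestrator ships) rather than a toy allowlist."""
    out = copy.deepcopy(cfg)
    proc, linux = out.setdefault("process", {}), out.setdefault("linux", {})
    proc["noNewPrivileges"] = True
    out.setdefault("root", {})["readonly"] = True
    proc["capabilities"] = {k: sorted(allowed_caps) for k in ("bounding", "effective", "permitted")}
    # Rootless shape (modelled on `runc spec --rootless`; an assumption of this example):
    # user namespace mapping container uid/gid 0 to the invoking user, host network
    # namespace (sysfs is only mountable by the netns owner), /sys bound read-only
    # from the host, cgroup limits dropped since no cgroup is delegated to the user.
    linux["namespaces"] = [ns for ns in linux.get("namespaces", [])
                           if ns.get("type") not in ("network", "user")] + [{"type": "user"}]
    linux["uidMappings"] = [{"containerID": 0, "hostID": host_uid, "size": 1}]
    linux["gidMappings"] = [{"containerID": 0, "hostID": host_gid, "size": 1}]
    linux.pop("resources", None)
    mounts = []
    for m in out.get("mounts", []):
        if m.get("destination") == "/sys":
            mounts.append({"destination": "/sys", "type": "none", "source": "/sys",
                           "options": ["rbind", "nosuid", "noexec", "nodev", "ro"]})
            continue
        # uid=/gid= mount options name ids that a single-id user namespace does not map;
        # bind mounts of sensitive host paths are forced read-only.
        opts = [o for o in m.get("options", []) if not o.startswith(("uid=", "gid="))]
        if _bind_source(m) in SENSITIVE_HOST_PATHS and "ro" not in opts:
            opts = [o for o in opts if o != "rw"] + ["ro"]
        mounts.append({**m, "options": opts})
    out["mounts"] = mounts
    masked = linux.setdefault("maskedPaths", [])
    for path in MUST_MASK:
        if path not in masked:
            masked.append(path)
    return out


# Constructed sample resembling `runc spec` output, with CAP_SYS_ADMIN, a writable
# /etc bind mount, a writable rootfs and a missing masked path planted in it.
_CAPS = ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"]
SAMPLE_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {"terminal": True, "user": {"uid": 0, "gid": 0}, "args": ["sh"], "cwd": "/",
                "capabilities": {"bounding": _CAPS, "effective": _CAPS, "permitted": _CAPS},
                "noNewPrivileges": False},
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/sys", "type": "sysfs", "source": "sysfs", "options": ["nosuid", "noexec", "nodev", "ro"]},
        {"destination": "/dev/pts", "type": "devpts", "source": "devpts",
         "options": ["nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"]},
        {"destination": "/host-etc", "type": "none", "source": "/etc", "options": ["rbind", "rw"]},
    ],
    "linux": {
        "resources": {"devices": [{"allow": False, "access": "rwm"}]},
        "namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount", "cgroup")],
        "maskedPaths": ["/proc/kcore"],  # /sys/firmware deliberately missing
    },
}

if __name__ == "__main__":
    print("\n".join("finding: " + f for f in audit_config(SAMPLE_CONFIG)))
    print(json.dumps(harden_config(SAMPLE_CONFIG, 1000, 1000), indent=2))
```

Run it against a real bundle with `python3 audit.py < config.json` style plumbing of your own, or import `audit_config` into a CI step that rejects bundles with findings. The hardener is intentionally one-way: it copies the input rather than mutating it, so the original config survives for comparison, and the single remaining finding after hardening (no seccomp) is the signal to attach a vetted profile before the bundle ships.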
## Sources

- https://github.com/opencontainers/runc
- https://opencontainers.org/

---

Source: https://tokrepo.com/en/workflows/asset-67dfd682
Author: Script Depot