Skills · 9 May 2026 · 1 minute read

runc — Industry-Standard OCI Container Runtime

The reference implementation of the OCI runtime specification, runc spawns and manages containers at the lowest level for Docker, containerd, Podman, and CRI-O.

Agent-ready

This asset can be read and installed directly by an agent.

TokRepo also provides a universal CLI command, an installation contract, metadata JSON, per-adapter install plans, and a link to the raw content, so an agent can judge fit, risk, and the next step.

Native · 98/100 · Policy: allow
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust level: Established
Entry: runc Overview
Universal CLI install command:
npx tokrepo install 67dfd682-4b7f-11f1-9bc6-00163e2b0d79

Introduction

runc is a lightweight CLI tool for spawning and running containers according to the Open Container Initiative (OCI) specification. Originally extracted from Docker, it serves as the foundational runtime beneath higher-level tools like containerd and CRI-O.

What runc Does

  • Creates and runs OCI-compliant containers from a bundle (rootfs + config.json)
  • Manages container lifecycle: create, start, pause, resume, kill, delete
  • Applies Linux namespaces, cgroups, seccomp filters, and AppArmor or SELinux labels
  • Supports rootless containers for unprivileged users
  • Provides checkpoint and restore via CRIU integration

Architecture Overview

runc operates directly on Linux kernel primitives and runs no daemon of its own. Given an OCI bundle directory containing a root filesystem and a config.json specification, `runc run` forks a child process (`runc init`), creates the requested namespaces (pid, net, mnt, user, uts, ipc, cgroup), places the child in its cgroup and applies the resource limits, performs the mounts listed in the spec, pivot_roots into the rootfs, applies masked and read-only paths and the AppArmor/SELinux label, drops capabilities, sets no_new_privs, installs the seccomp filter as late as possible so the filter cannot interfere with runc's own setup syscalls, and finally execve()s the configured entrypoint. In the foreground `runc run` waits and exits with the container's exit status; driven through `runc create` and `runc start`, as containerd and CRI-O do, runc exits as soon as the container's init process is set up, and a shim process holds the container's stdio and collects its exit status.

Self-Hosting & Configuration

  • Install via distro packages, static binaries from GitHub releases, or build with Go; for release binaries, verify the sha256 checksum and the maintainers' signature published alongside each release before the binary goes onto a host
  • Create OCI bundles by hand (a rootfs directory plus a config.json from `runc spec`) or from an image: `skopeo copy` fetches an image into an OCI layout and `umoci unpack` turns that into a runtime bundle
  • Edit config.json to tune namespaces, capabilities, mounts, and resource limits; the `runc spec` default is conservative (read-only rootfs, three capabilities, noNewPrivileges) but carries no seccomp profile, so add one
  • Enable rootless mode with `runc spec --rootless`, which adds a user namespace with uid/gid mappings for the invoking user; mapping more than a single id needs subordinate ranges in /etc/subuid and /etc/subgid and the setuid newuidmap/newgidmap helpers
  • Integrate with containerd or CRI-O as the low-level runtime backend
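The Python below is an added example, not code from the runc project, illustrating the config.json tuning, the rootless conversion, and the namespace/capability/seccomp settings runc enforces from that file. BASELINE is a constructed, trimmed stand-in for what `runc spec` writes; the capability allowlist, the syscall denylist, and the list of host paths are this example's own policy choices; and `make_rootless` follows this example's reading of what `runc spec --rootless` does (single-id user namespace mapping, uid=/gid= mount options stripped, cgroup limits and the network namespace dropped). `demo_weak` applies the kind of convenience edits that turn a container into a root shell on the host, `audit` reports them, and `harden` removes them; write the result with `json.dump` into the bundle's config.json.

```python
"""Audit, harden and rootless-ify an OCI config.json before it reaches runc.
Added example, not runc project code: BASELINE is a constructed, trimmed stand-in
for `runc spec` output and the allow/deny lists are this example's own policy."""
import copy

BASELINE = {
    "ociVersion": "1.0.2",
    "process": {
        "terminal": False, "user": {"uid": 0, "gid": 0}, "args": ["sh"], "cwd": "/",
        "capabilities": {s: ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]
                         for s in ("bounding", "effective", "permitted")},
        "noNewPrivileges": True,
    },
    "root": {"path": "rootfs", "readonly": True},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/dev/pts", "type": "devpts", "source": "devpts",
         "options": ["nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"]},
    ],
    "linux": {"namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount", "cgroup")]},
}
REQUIRED_NS = {"pid", "network", "ipc", "uts", "mount"}
CAP_ALLOWLIST = {"CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
                 "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SETGID", "CAP_SETUID"}
HOST_SENSITIVE = {"/", "/proc", "/sys", "/dev", "/var/run/docker.sock", "/run/containerd"}
DENIED_SYSCALLS = ["add_key", "bpf", "finit_module", "init_module", "kexec_load", "keyctl",
                   "mount", "open_by_handle_at", "ptrace", "reboot", "request_key",
                   "umount2", "unshare", "userfaultfd"]


def _is_host_bind(m):  # a bind mount of a host path that effectively hands the host over
    return bool({"bind", "rbind"} & set(m.get("options", []))) and m.get("source") in HOST_SENSITIVE


def audit(cfg):
    """Findings for settings that let the container reach the host; empty means clean."""
    proc, linux, out = cfg.get("process", {}), cfg.get("linux", {}), []
    present = {n["type"] for n in linux.get("namespaces", [])}
    out += [f"missing {ns} namespace: container shares the host's" for ns in sorted(REQUIRED_NS - present)]
    extra = set(proc.get("capabilities", {}).get("bounding", [])) - CAP_ALLOWLIST
    if extra:
        out.append("bounding set exceeds allowlist: " + ", ".join(sorted(extra)))
    if not cfg.get("root", {}).get("readonly"):
        out.append("rootfs is writable")
    if not proc.get("noNewPrivileges"):
        out.append("noNewPrivileges unset: setuid/file-capability binaries can regain privileges")
    if "seccomp" not in linux:
        out.append("no seccomp profile: every syscall the kernel exposes is reachable")
    out += [f"bind mount exposes host path {m['source']} at {m['destination']}"
            for m in cfg.get("mounts", []) if _is_host_bind(m)]
    return out


def harden(cfg):
    """Copy of cfg with every finding audit() reports fixed; the input is left untouched."""
    out = copy.deepcopy(cfg)
    linux, proc = out.setdefault("linux", {}), out.setdefault("process", {})
    present = {n["type"] for n in linux.setdefault("namespaces", [])}
    linux["namespaces"] += [{"type": t} for t in sorted(REQUIRED_NS - present)]
    out.setdefault("root", {})["readonly"] = proc["noNewPrivileges"] = True
    for name, caps in proc.setdefault("capabilities", {}).items():
        proc["capabilities"][name] = sorted(set(caps) & CAP_ALLOWLIST)
    # Default-allow plus a short denylist keeps this runnable anywhere; the profiles Docker and
    # containerd ship are the stricter inverse (default ERRNO plus a long syscall allowlist).
    linux.setdefault("seccomp", {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
        "syscalls": [{"names": DENIED_SYSCALLS, "action": "SCMP_ACT_ERRNO", "errnoRet": 1}],
    })
    out["mounts"] = [m for m in out.get("mounts", []) if not _is_host_bind(m)]
    return out


def make_rootless(cfg, host_uid, host_gid):
    """Copy of cfg an unprivileged user can run, per this example's reading of `runc spec
    --rootless`: the caller becomes uid/gid 0 in a new user namespace, uid=/gid= mount options
    (unmapped ids) and cgroup limits go, and the network namespace is dropped (no root to wire one)."""
    out = copy.deepcopy(cfg)
    linux = out.setdefault("linux", {})
    linux["namespaces"] = [n for n in linux.get("namespaces", []) if n["type"] not in ("user", "network")]
    linux["namespaces"].append({"type": "user"})
    linux["uidMappings"] = [{"containerID": 0, "hostID": host_uid, "size": 1}]
    linux["gidMappings"] = [{"containerID": 0, "hostID": host_gid, "size": 1}]
    linux.pop("resources", None)
    for m in out.get("mounts", []):
        m["options"] = [o for o in m.get("options", []) if not o.startswith(("uid=", "gid="))]
    return out


def demo_weak():
    """Constructed 'developer convenience' edits that make the container a host root shell."""
    cfg = copy.deepcopy(BASELINE)
    cfg["process"]["capabilities"]["bounding"] += ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE"]
    cfg["process"]["noNewPrivileges"] = cfg["root"]["readonly"] = False
    cfg["linux"]["namespaces"] = [n for n in cfg["linux"]["namespaces"] if n["type"] != "network"]
    cfg["mounts"].append({"destination": "/var/run/docker.sock", "type": "bind",
                          "source": "/var/run/docker.sock", "options": ["rbind", "rw"]})
    return cfg
```

Running `audit(demo_weak())` lists six findings (shared host network, CAP_SYS_ADMIN and CAP_SYS_PTRACE, writable rootfs, no noNewPrivileges, no seccomp, the docker.sock bind), `audit(harden(demo_weak()))` is empty, and `audit(make_rootless(...))` still reports the missing network namespace, which is the honest state of a rootless runc bundle: a networked rootless container is something Podman or rootless Docker build on top with slirp4netns or pasta, not something runc provides. Note that even `audit(BASELINE)` reports one finding, the absent seccomp profile, matching the `runc spec` default.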

Key Features

  • Reference implementation of the OCI Runtime Specification
  • Minimal footprint: a single binary (static in upstream releases) with no long-running daemon
  • Rootless container support through user namespaces; resource limits in rootless mode need cgroup v2 with a delegated subtree
  • CRIU-based checkpoint/restore for live container migration
  • Battle-tested foundation powering Docker, Kubernetes, and most container platforms

Comparison with Similar Tools

  • crun — C-based OCI runtime optimized for speed and low memory; runc is the Go reference implementation
  • youki — Rust-based OCI runtime focusing on safety; runc has broader adoption
  • gVisor (runsc) — sandboxed runtime with a user-space kernel; runc uses native Linux namespaces
  • Kata Containers — runs each container in a lightweight VM; runc shares the host kernel
  • containerd — a higher-level daemon that manages images and calls runc to run containers

FAQ

Q: Is runc the same as Docker? A: No. runc is the low-level runtime that Docker (via containerd) uses to actually create containers. Docker adds image management, networking, and a CLI on top.

Q: Can I use runc directly in production? A: You can, but most production setups use containerd or CRI-O as a management layer that orchestrates runc under the hood.

Q: Does runc work on macOS or Windows? A: runc requires Linux kernel features (namespaces, cgroups). On macOS and Windows, container tools run runc inside a Linux VM.

Q: What is rootless mode? A: Rootless mode lets unprivileged users run containers by leveraging user namespaces: the invoking user is mapped to uid 0 inside the container, so no root and, for a single-id mapping, no setuid helper is needed. Mapping a range of ids requires subordinate ranges in /etc/subuid and /etc/subgid and the setuid newuidmap/newgidmap helpers. The container still shares the host kernel, so unprivileged user namespaces must be enabled on the host, and any kernel bug reachable from them is in scope.
