| crun | |
|---|---|
| Name | crun |
| Developer | Red Hat and the containers community |
| Initial release | 2018 |
| Written in | C |
| Operating system | Linux |
| License | GPL-2.0-or-later (libcrun: LGPL-2.1-or-later) |
crun is a lightweight OCI container runtime implemented in C. It aims to be a small, fast and standards-compliant alternative to runc, the Go reference runtime that engines such as Docker and containerd invoke under the hood, with low memory use, fast container start-up and optional systemd integration for cgroup management. crun is the default podman runtime on Fedora and some other Linux distributions and is commonly chosen in resource-constrained environments.
crun implements the Open Container Initiative (OCI) runtime specification: it consumes an OCI bundle (a root filesystem plus a config.json), sets up the requested Linux namespaces, cgroup controllers and resource limits, and runs the lifecycle hooks the specification defines. Container engines such as podman, Docker and CRI-O (the runtime interface used by Kubernetes) drive it through the standard runtime command set (create, start, kill, delete, state), so it runs images built from Dockerfiles or any other OCI image. Packaging and upstream contributions come from Red Hat, Debian, Fedora, Ubuntu and Alpine Linux, among others. crun sits alongside other OCI-compatible runtimes such as runc, runj (FreeBSD jails), gVisor and Kata Containers; where the latter two add a user-space kernel or a virtual machine boundary, crun targets the minimal footprint and close-to-kernel semantics of a plain Linux process sandbox.
crun's architecture centres on a small C codebase that calls the Linux kernel interfaces for namespaces, capabilities, cgroups and seccomp directly, with no Go or other language runtime in the container's start-up path. Supported OCI features include rootless containers via user namespaces (using the subordinate uid and gid ranges allocated in /etc/subuid and /etc/subgid on Fedora, Debian and Ubuntu), seccomp profiles (compiled from the config.json profile into a classic-BPF seccomp filter, with the seccomp user-notification action available on kernels that support it), and cgroup v2 with either the systemd or the cgroupfs cgroup manager. It honours the OCI cpuset resource fields (cpus and mems) that the Kubernetes CPU manager and NUMA-pinning policies rely on, and supports checkpoint and restore through CRIU (crun checkpoint and crun restore). Higher-level engines can also pass file descriptors into the container process (for example with --preserve-fds) and rely on crun's systemd notify-socket handling.
Packages for crun are maintained in the Fedora, Debian, Ubuntu, Arch Linux and Alpine Linux repositories, and the upstream source (github.com/containers/crun) builds with gcc or clang using autotools (./autogen.sh && ./configure && make); typical installation is through dnf, apt, pacman or apk. crun integrates with container frontends through configuration rather than code: podman selects it with the runtime key in containers.conf (or --runtime crun on the command line), CRI-O lists it under [crio.runtime.runtimes.crun] in crio.conf and picks it with default_runtime, and a systemd unit can wrap a podman or raw crun invocation for per-service containers. The command-line interface follows the OCI runtime pattern (crun spec, create, start, run, exec, kill, delete, state), with global options for the log destination and format (--log, --log-format json) and the cgroup manager (--cgroup-manager systemd or cgroupfs). Image storage (OverlayFS or another driver) is handled by the engine, not by crun, which only receives the prepared bundle.
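As an added example for this page (not podman's, CRI-O's or crun's own code), the script below resolves which runtime binary each engine will actually execute from the two configuration files named above, which is the check to run when a host is supposed to be using crun but a stale runc path or an unknown runtime name is silently taking over. The two configuration fragments are constructed; the keys they use are the real ones. Only the small TOML subset those fragments need is parsed (an assumption: no inline tables, multi-line arrays or escapes), and the lookup order mirrors the documented behaviour of containers.conf(5) and crio.conf(5).

```python
"""Resolve which OCI runtime binary podman or CRI-O will invoke (added example)."""
import os
import re
import shutil

# Constructed fragments, not copied from any distribution's shipped files.
CONTAINERS_CONF = """
[engine]
runtime = "crun"

[engine.runtimes]
crun = ["/usr/bin/crun", "/usr/local/bin/crun"]
runc = ["/usr/bin/runc"]
"""

CRIO_CONF = """
[crio.runtime]
default_runtime = "crun"

[crio.runtime.runtimes.crun]
runtime_path = "/usr/bin/crun"
runtime_type = "oci"

[crio.runtime.runtimes.runc]
runtime_path = ""   # empty means: look the runtime name up on PATH
"""


def parse_toml_subset(text):
    """Parse [dotted.section] headers and key = "str" / key = ["a", "b"] lines.

    Assumption: only this subset of TOML is needed for runtime selection.
    """
    data, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[([\w.\-]+)\]", line)
        if header:
            section = header.group(1)
            data.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        parsed = re.findall(r'"([^"]*)"', value) if value.startswith("[") else value.strip('"')
        data.setdefault(section, {})[key.strip()] = parsed
    return data


def podman_runtime(conf_text, exists=os.path.isfile, which=shutil.which):
    """Path podman will execute for [engine] runtime, or None if unresolvable."""
    cfg = parse_toml_subset(conf_text)
    name = cfg.get("engine", {}).get("runtime")
    if not name:
        return None  # podman's compiled-in default applies; not modelled here
    candidates = cfg.get("engine.runtimes", {}).get(name)
    if candidates is None:
        return which(name)  # unknown name: treated as a binary to find on PATH
    return next((c for c in candidates if exists(c)), None)  # first existing path wins


def crio_runtime(conf_text, exists=os.path.isfile, which=shutil.which):
    """Path CRI-O will execute for default_runtime, or None if unresolvable."""
    cfg = parse_toml_subset(conf_text)
    name = cfg.get("crio.runtime", {}).get("default_runtime")
    if not name:
        return None
    path = cfg.get(f"crio.runtime.runtimes.{name}", {}).get("runtime_path", "")
    if path:
        return path if exists(path) else None
    return which(name)  # empty runtime_path: resolved on PATH by name


def is_crun(path):
    """Cheap sanity check that the resolved binary is crun rather than a runc alias."""
    return path is not None and os.path.basename(path) == "crun"


if __name__ == "__main__":
    for label, resolve, conf in (("podman", podman_runtime, CONTAINERS_CONF),
                                 ("cri-o", crio_runtime, CRIO_CONF)):
        path = resolve(conf)
        print(f"{label}: {path} (is crun: {is_crun(path)})")
```

Run it against the real files (/etc/containers/containers.conf or the user's ~/.config/containers/containers.conf, and /etc/crio/crio.conf) by reading them into the two functions; the `exists` and `which` parameters are there so the resolution logic can be tested without the binaries installed.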
Benchmarks comparing crun with runc, gVisor and Kata Containers highlight crun's low memory footprint and fast container start. Tests published by community members and distribution maintainers measure cold-start latency, steady-state memory use and syscall overhead; for simple process start-up and small workloads crun typically starts faster and uses less memory than Go-based runtimes on x86_64 and aarch64. The difference is concentrated in the runtime's own work: namespace creation, mount setup, cgroup configuration and seccomp filter loading. Once the workload is running it executes as an ordinary process on the host kernel under any native runtime, so I/O-bound or kernel-bottlenecked workloads are governed by the storage driver, the network configuration and the scheduler (including Kubernetes placement policies) rather than by the runtime, while sandboxed runtimes such as gVisor and Kata trade start time and per-syscall overhead for a stronger isolation boundary.
crun isolates containers with the kernel's own primitives: PID, network, mount, UTS, IPC and user namespaces (plus cgroup and time namespaces on kernels that provide them), created with unshare/clone and joined with setns, which is what makes rootless operation possible. It applies the seccomp filter, the capability sets (bounding, effective, permitted, inheritable and ambient), noNewPrivileges, masked and read-only paths and rlimits from config.json, so hardening guidance from the CIS Docker and Kubernetes benchmarks and from distribution security documentation maps directly onto fields the runtime enforces. In Kubernetes the same controls are expressed through the Pod Security Standards and the pod securityContext (seccompProfile, capabilities, runAsNonRoot), which CRI-O translates into the OCI configuration crun receives. Because isolation ultimately rests on the kernel, a namespace or cgroup bug in the kernel affects crun like any other native runtime; the crun project fixes defects in its own code and coordinates with distribution security teams at Red Hat and Canonical for timely updates.
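The two paragraphs above (crun's rootless and seccomp support, and the isolation controls it enforces from config.json) come together in the bundle a practitioner hands to `crun run`. The following is an added example, not crun's own code: it generates a config.json that uses only OCI runtime-specification fields crun consumes (a user namespace mapped onto a subordinate uid range, empty capability sets, a default-deny seccomp filter, noNewPrivileges, masked /proc paths and a read-only root), and audits any config.json for the relaxations that most often undo that hardening. The host uid, the subordinate range, the syscall allowlist and the /bin/sleep workload are constructed placeholders; a real allowlist must be derived by tracing the actual workload.

```python
"""Generate and audit an OCI config.json for a rootless, hardened crun container (added example)."""
import copy
import json
import os

# Hypothetical minimal allowlist for a static 'sleep'-style workload (assumption).
MINIMAL_SYSCALLS = [
    "execve", "exit", "exit_group", "nanosleep", "clock_nanosleep",
    "read", "write", "close", "brk", "mmap", "munmap", "mprotect",
    "arch_prctl", "set_tid_address", "set_robust_list", "rseq",
    "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "futex", "openat",
    "fstat", "newfstatat", "getrandom", "prlimit64", "readlink", "pread64",
    "access", "getpid", "ioctl", "fcntl", "lseek", "uname", "clock_gettime",
    "sigaltstack", "prctl", "madvise", "statfs", "sched_getaffinity",
]
CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")


def rootless_config(host_uid=1000, subid_start=100000, subid_count=65536):
    """config.json dict: user namespace, no capabilities, seccomp default-deny,
    read-only root, noNewPrivileges, sensitive /proc and /sys paths masked."""
    mapping = [
        # container root is the unprivileged host user ...
        {"containerID": 0, "hostID": host_uid, "size": 1},
        # ... and every other id comes from that user's /etc/subuid and /etc/subgid range
        {"containerID": 1, "hostID": subid_start, "size": subid_count},
    ]
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": 0, "gid": 0},
            "args": ["/bin/sleep", "30"],
            "env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
            "cwd": "/",
            "capabilities": {name: [] for name in CAP_SETS},   # nothing, not even CAP_NET_BIND_SERVICE
            "noNewPrivileges": True,                           # setuid binaries cannot regain privilege
            "rlimits": [{"type": "RLIMIT_NOFILE", "hard": 1024, "soft": 1024}],
        },
        "root": {"path": "rootfs", "readonly": True},
        "linux": {
            "namespaces": [{"type": t} for t in ("user", "pid", "mount", "ipc", "uts", "network")],
            "uidMappings": mapping,
            "gidMappings": copy.deepcopy(mapping),
            "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/timer_list", "/proc/sched_debug", "/sys/firmware"],
            "readonlyPaths": ["/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger"],
            "seccomp": {
                "defaultAction": "SCMP_ACT_ERRNO",   # unlisted syscalls fail with EPERM instead of killing
                "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
                "syscalls": [{"names": MINIMAL_SYSCALLS, "action": "SCMP_ACT_ALLOW"}],
            },
        },
    }


def audit(config):
    """Return codes for settings that weaken isolation; an empty list means the checks pass."""
    findings = []
    proc, linux = config.get("process", {}), config.get("linux", {})
    caps = proc.get("capabilities", {})
    if any("CAP_SYS_ADMIN" in caps.get(s, []) for s in CAP_SETS):
        findings.append("cap-sys-admin")              # defeats mount, bpf and most other controls
    if not proc.get("noNewPrivileges", False):
        findings.append("new-privileges-allowed")
    if "user" not in {ns.get("type") for ns in linux.get("namespaces", [])}:
        findings.append("no-userns")                  # container root is host root
    seccomp = linux.get("seccomp")
    if seccomp is None or seccomp.get("defaultAction") == "SCMP_ACT_ALLOW":
        findings.append("seccomp-allow-by-default")   # denylist, or no filter at all
    if not config.get("root", {}).get("readonly", False):
        findings.append("root-writable")
    return findings


def weak_config():
    """The same bundle with the relaxations a 'privileged-ish' deployment typically adds."""
    cfg = copy.deepcopy(rootless_config())
    cfg["process"]["capabilities"]["bounding"] = ["CAP_SYS_ADMIN", "CAP_NET_ADMIN"]
    cfg["process"]["noNewPrivileges"] = False
    cfg["linux"]["namespaces"] = [ns for ns in cfg["linux"]["namespaces"] if ns["type"] != "user"]
    cfg["linux"].pop("uidMappings"), cfg["linux"].pop("gidMappings")
    cfg["linux"]["seccomp"]["defaultAction"] = "SCMP_ACT_ALLOW"
    return cfg


def write_bundle(directory, config):
    """Write config.json and an empty rootfs/ so `crun run --bundle <directory> <id>` can use it."""
    os.makedirs(os.path.join(directory, "rootfs"), exist_ok=True)
    path = os.path.join(directory, "config.json")
    with open(path, "w") as fh:
        json.dump(config, fh, indent=2)
    return path


if __name__ == "__main__":
    print("hardened:", audit(rootless_config()) or "ok")
    print("weak:", audit(weak_config()))
    print("wrote", write_bundle("bundle", rootless_config()))
```

Populate bundle/rootfs with an extracted image before running, and note that as an unprivileged user the two-range uid/gid mapping is only possible when the setuid newuidmap and newgidmap helpers are installed; `crun spec --rootless` emits crun's own single-mapping baseline, which is a useful thing to diff the generated file against. The audit function is the part worth keeping: run it over the config.json of any running container (crun state prints the bundle path) to catch a privileged-mode relaxation that an engine-level policy missed.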
crun development is driven by a mix of distribution maintainers, company engineers and independent contributors, with code review and issue tracking handled in the upstream repository. Contributors include engineers from Red Hat, members of the OCI community and the packaging maintainers for Debian and Fedora. The community engages through the issue tracker, pull requests and community events such as KubeCon, FOSDEM and Open Source Summit. Documentation, bug reports and changes are coordinated with the wider container ecosystem, including podman, CRI-O, containerd and Kubernetes, to preserve compatibility and drive adoption.
Category:Container runtimes