runc

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
runc
Name: runc
Title: runc
Developer: Open Container Initiative; originally by Docker, Inc.
Released: 2015
Programming language: Go
Operating system: Linux
Platform: Container runtimes, OCI
License: Apache License 2.0

runc is a lightweight, portable command-line tool for spawning and running containers according to the Open Container Initiative runtime specification. It provides a minimal, standards-compliant runtime that higher-level projects such as Docker, Kubernetes, Podman, and CRI-O use to manage container lifecycles. Built on Linux kernel features such as namespaces and control groups, runc focuses on a small trusted codebase and compatibility with OCI images and tooling.

Overview

runc implements the OCI Runtime Specification established by organizations including the Open Container Initiative, the Cloud Native Computing Foundation, and contributors from projects such as Docker, Inc., CoreOS, and Red Hat. It operates as a low-level component invoked by container engines like Docker Engine and orchestration systems like Kubernetes to create, run, and delete containers. runc interacts with kernel primitives including namespaces, control groups, and seccomp to provide process isolation, resource control, and syscall filtering for containerized workloads. Because runc is intentionally minimal, it is commonly embedded within larger projects such as containerd, cri-o, and buildah.

History and Development

runc originated within Docker, Inc. as part of efforts to standardize container runtimes and was later donated to the Open Container Initiative to foster interoperability among container ecosystems. Major contributors and stakeholders have included teams from Google, IBM, Red Hat, Microsoft, and Amazon Web Services. The project evolved in response to incidents and audits involving container isolation and security, prompting collaboration with researchers from institutions like University of California, Berkeley and University of Washington and companies such as Aqua Security and Sysdig. Over time, runc’s governance and development practices aligned with policies promoted by foundations like the Linux Foundation and tooling maintained by GitHub and GitLab.

Architecture and Implementation

runc is implemented primarily in Go and follows a process-based architecture that leverages kernel facilities. Its design centers on creating a child process with isolated PID, network, mount, and UTS namespaces, applying cgroup constraints and installing seccomp filters before calling execve on the containerized process. The runtime reads an OCI-compliant JSON configuration (config.json) produced by image tools such as rkt, Podman, or Buildah and performs the operations specified by the OCI Runtime Specification. runc delegates low-level filesystem setup (including mount propagation and overlay filesystems such as OverlayFS) and drops privileges using Linux capabilities, which derive from the POSIX capabilities model. It integrates with kernel features such as user namespaces for UID/GID remapping and uses helpers from projects like libseccomp.

Usage and Commands

runc exposes a concise command-line interface designed for programmatic invocation by container engines. Common operations include create, start, run, exec, kill, state, and delete, each corresponding to a lifecycle action used by orchestrators like Kubernetes and container engines like Docker Engine and containerd. A typical sequence involves generating an OCI bundle with a config.json and a root filesystem (which can be assembled by Buildah or unpacked from images pulled from Docker Hub), then invoking runc create followed by runc start, or using runc run to perform both actions. Integration points include systemd unit files on systemd-based distributions such as Fedora and Ubuntu, and runtime hooks compatible with CRI implementations. Debugging and inspection workflows often combine runc with utilities like strace, gdb, and monitoring agents from Prometheus integrations.

Security and Vulnerabilities

Security considerations for runc revolve around kernel hardening, correct use of namespaces, and mitigation of syscall-based attacks. Past vulnerabilities discovered in runc and related components led to coordinated disclosures and patches by maintainers and vendors including Docker, Inc., Red Hat, Canonical, and cloud providers such as Google Cloud Platform and Amazon Web Services. Hardening measures include enabling seccomp profiles, applying strict AppArmor or SELinux policies, and using user namespaces where appropriate. Security researchers from organizations like Trail of Bits and CNCF-affiliated auditors have contributed static analysis, fuzzing campaigns, and incident response playbooks. The minimal codebase of runc reduces attack surface but requires careful configuration when used in the multi-tenant environments common to companies such as Netflix, Airbnb, and Stripe.
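The namespaces, seccomp filter and capability set described under Architecture and Implementation all come from the bundle's config.json, so a pre-flight check of that file is where the hardening measures above are enforced. The following audit is an added example written for this article, not code from the runc project; it inspects only a subset of the OCI runtime-spec fields, and the SampleConfig it parses is a constructed fragment rather than output from any real image tool.

```go
package main

import "encoding/json"

// Subset of the OCI runtime-spec config.json that runc reads from a bundle.
type ociConfig struct {
	Process struct {
		Capabilities map[string][]string `json:"capabilities"`
	} `json:"process"`
	Linux struct {
		Namespaces []struct {
			Type string `json:"type"`
		} `json:"namespaces"`
		Seccomp json.RawMessage `json:"seccomp"` // nil when no profile is set
	} `json:"linux"`
}

// SampleConfig is a constructed fragment (not from any real tool): no seccomp profile, CAP_SYS_ADMIN kept.
const SampleConfig = `{"ociVersion":"1.0.2",
 "process":{"capabilities":{"bounding":["CAP_CHOWN","CAP_SYS_ADMIN"]}},
 "linux":{"namespaces":[{"type":"pid"},{"type":"mount"},{"type":"network"},
          {"type":"uts"},{"type":"ipc"}]}}`

// AuditBundleConfig lists the isolation gaps a reviewer would flag before the bundle reaches runc create/run.
func AuditBundleConfig(raw []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	have := map[string]bool{}
	for _, n := range cfg.Linux.Namespaces {
		have[n.Type] = true
	}
	for _, want := range []string{"pid", "mount", "network", "uts", "ipc", "user"} {
		if !have[want] { // the process would share that resource with the host
			findings = append(findings, "missing "+want+" namespace")
		}
	}
	if cfg.Linux.Seccomp == nil {
		findings = append(findings, "no seccomp profile: every syscall reachable")
	}
	for _, c := range cfg.Process.Capabilities["bounding"] {
		if c == "CAP_SYS_ADMIN" { // broad enough to undo most of the isolation
			findings = append(findings, "CAP_SYS_ADMIN retained in bounding set")
		}
	}
	return findings, nil
}
```

Running the audit on SampleConfig reports the missing user namespace, the absent seccomp profile and the retained CAP_SYS_ADMIN; a bundle with all six namespaces, a seccomp object and a trimmed bounding set yields no findings.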

Integration and Ecosystem

runc sits at the core of a broad ecosystem spanning container image registries, orchestration, and security tooling. Container engines such as containerd, cri-o, and Docker Engine invoke runc as the runtime shim, while orchestration platforms like Kubernetes schedule containers that ultimately run under runc-managed processes. Image builders and packagers such as Buildah, Kaniko, and Jib produce filesystem bundles and images compatible with runc's OCI expectations. Observability and policy tools including Prometheus, Falco, Sysdig, and Aqua Security integrate with runc-based environments to provide metrics, intrusion detection, and compliance. Cloud providers like Google, Amazon Web Services, and Microsoft Azure support runc through managed Kubernetes services and container hosting offerings. The project's governance and community engagement align with standards bodies such as the Open Container Initiative and hosting platforms like GitHub.

Category:Container runtimes