explaingit

opencontainers/runc

13,219 · Go · Audience · ops, devops · Complexity · 4/5 · Setup · hard

TLDR

runc is the low-level Linux tool that actually starts and manages containers, the engine Docker calls behind the scenes, which you can also use directly for fine-grained control over how containers run.

Mindmap

mindmap
  root((runc))
    What it does
      Starts containers
      Manages lifecycle
      OCI compliant
    Linux features
      Namespaces
      Control groups
      Syscall filtering
    Security
      libseccomp filter
      Signed releases
      Security audited
    Use cases
      Run containers directly
      Build a runtime
      Debug container behavior
    Setup
      Go toolchain
      Linux only
      System libraries

Things people build with this

USE CASE 1

Run OCI-compliant containers directly without Docker for minimal overhead on Linux servers

USE CASE 2

Build a custom container platform or runtime on top of the industry-standard OCI specification

USE CASE 3

Debug or audit container behavior at the kernel level with direct control over namespaces, cgroups, and syscall filtering

Tech stack

Go · Linux · OCI · libseccomp · cgroups

Getting it running

Difficulty · hard · Time to first run · 1h+

Linux-only, requires Go toolchain and system libraries (libseccomp-dev) to build from source.

In plain English

runc is a low-level command-line tool that starts and manages Linux containers. If you have used Docker or similar container platforms, runc is the component running underneath them that does the actual work of launching a container process. Docker and other tools call runc behind the scenes, but you can also use it directly if you want fine-grained control over how a container is started.

The tool follows the Open Container Initiative (OCI) specification, an industry standard that defines exactly how a container should be set up and run. This means a container image built according to the OCI standard can be started by runc, regardless of which tool was used to build it. The OCI specification covers things like which files the container can see, how its processes are isolated from the rest of the system, and what resources it is allowed to consume.

runc runs only on Linux, because it relies on Linux-specific kernel features such as namespaces and control groups to isolate containers from each other and from the host system. It also optionally uses a syscall filtering library called libseccomp to restrict which system calls a container process is allowed to make, which limits what a misbehaving or malicious process inside the container can do.

Building runc from source requires installing a small set of system libraries and the Go programming language toolchain. The project includes a test suite that runs inside Docker to avoid requiring specific system configurations on the developer's machine. The project has undergone a third-party security audit, and all official releases are cryptographically signed. It is maintained under the Open Containers organization, a neutral industry group formed to standardize container formats and runtimes.
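The OCI runtime configuration that runc consumes is a config.json next to a rootfs directory, and the isolation features named above (namespaces, an unprivileged user, a seccomp syscall filter) are all expressed as fields in that file. The following is an added example, not code from the runc project: it builds a minimal hardened config.json as a Python dict, using real OCI runtime-spec field names, and audits an existing one for the weak settings a reviewer would look for. The allowlisted syscalls and the uid 1000 are constructed values for illustration.

```python
# Constructed allowlist for a small static workload (illustrative only);
# derive the real list by tracing the workload rather than guessing.
ALLOWED_SYSCALLS = ["read", "write", "close", "fstat", "brk", "mmap", "munmap",
                    "arch_prctl", "set_tid_address", "rt_sigreturn", "exit", "exit_group"]

def seccomp_profile(allowed):
    """Default-deny filter: unlisted syscalls fail with EPERM instead of killing
    the process, so a denied call surfaces as an error the workload can log."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }

def bundle_config(args, allowed):
    """Minimal config.json: unprivileged user, no capabilities, read-only rootfs,
    private namespaces, seccomp under linux.seccomp. Add mounts (e.g. /proc) as needed."""
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": 1000, "gid": 1000},
            "args": args,
            "cwd": "/",
            "noNewPrivileges": True,
            "capabilities": {"bounding": [], "effective": [], "permitted": []},
        },
        "root": {"path": "rootfs", "readonly": True},
        "linux": {
            "namespaces": [{"type": t} for t in ("pid", "mount", "ipc", "uts", "network")],
            "seccomp": seccomp_profile(allowed),
        },
    }

def audit_config(cfg):
    """Hardening gaps a reviewer would flag in an existing config.json."""
    proc, sc = cfg.get("process", {}), cfg.get("linux", {}).get("seccomp")
    checks = [
        (sc is None, "no seccomp profile"),
        (sc is not None and sc.get("defaultAction") == "SCMP_ACT_ALLOW",
         "seccomp is denylist (default allow)"),
        (not proc.get("noNewPrivileges"), "noNewPrivileges unset"),
        (proc.get("user", {}).get("uid", 0) == 0, "runs as root"),
        (not cfg.get("root", {}).get("readonly"), "rootfs writable"),
    ]
    return [msg for hit, msg in checks if hit]
```

Serialize the dict with json.dump to <bundle>/config.json beside a populated rootfs/ directory; on a Linux host with root privileges, `runc run --bundle <bundle> demo` then starts the container under that filter.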

Copy-paste prompts

Prompt 1
Show me how to create an OCI bundle manually and use runc to start a container without Docker on Linux.
Prompt 2
How do I use runc to run a container with a custom seccomp profile that restricts which system calls the process can make?
Prompt 3
What is the difference between runc and containerd, and when would I use runc directly instead of going through Docker?
Prompt 4
Walk me through building runc from source on Ubuntu and running the test suite inside Docker.