What is Runc?

Runc, released by Docker in 2015 and since donated to the Open Container Initiative (OCI), is a Linux command-line tool for spawning and running containers according to the OCI runtime specification. It packages the kernel's isolation features (namespaces, cgroups, seccomp, capabilities and so on) into a single low-level component that higher-level engines such as Docker build on. The main features of runc are:

  • Full support for Linux namespaces
  • Native support for the security features available on Linux (AppArmor, seccomp, control groups, capability dropping, etc.)
  • A formal and standardised configuration format governed by the Open Container Project (now the Open Container Initiative), part of the Linux Foundation

Installation

Runc only supports Linux and must be built with Go 1.18 or later. Seccomp support additionally requires libseccomp and its headers at build time (e.g. the libseccomp-dev package on Ubuntu).

To build runc, execute the following commands (taken from the runc README on GitHub):

# create a 'github.com/opencontainers' directory in your GOPATH/src
mkdir -p "$GOPATH/src/github.com/opencontainers"
cd "$GOPATH/src/github.com/opencontainers"
git clone https://github.com/opencontainers/runc
cd runc

# build the runc binary, then install it (by default under /usr/local/sbin)
make
sudo make install

Spawning runc containers

Once runc is installed, we can start spawning containers. To do this we need to set up an OCI bundle consisting of (i) a root filesystem directory (rootfs) and (ii) an OCI runtime specification file named config.json.

The bundle directory and an empty rootfs can be created via

# Create the top-level directory of the OCI bundle (as root)
mkdir /mycontainer
cd /mycontainer

# Create the rootfs directory
mkdir rootfs

The rootfs directory must then be populated with a Linux root filesystem. If you have Docker installed, the simplest option is to create (but not start) a container from an image and export its filesystem into rootfs:

docker export $(docker create ubuntu:focal) | tar -C rootfs -xvf -

Whatever the image contains ends up verbatim in rootfs, so only use images from sources you trust. The stopped container that docker create leaves behind can be removed with docker rm afterwards.

The OCI specification file can be created by running runc spec in the bundle directory, which writes a default config.json next to rootfs, and then editing that file as required. The default spec runs sh as uid 0 with a small capability set (CAP_AUDIT_WRITE, CAP_KILL, CAP_NET_BIND_SERVICE), a read-only rootfs and noNewPrivileges enabled, but it does not include a seccomp profile; runc spec --rootless produces a variant that can be run without root privileges. Documentation for the individual fields is in the OCI runtime-spec repository on GitHub (https://github.com/opencontainers/runtime-spec).

Once the rootfs and config.json are in place, we can spawn a container from the bundle directory with runc run mycontainerid (the container id must be unique on the host; use --bundle to point runc at a bundle elsewhere). With the default spec, runc run is executed as root, since it has to create namespaces and cgroups on the host. If you use an unmodified config.json from runc spec, this gives you an interactive sh session inside the container; runc list from another terminal shows the running container, and runc delete mycontainerid removes it once it has stopped.
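As an added example (not part of the original page and not code from the runc project), the following Python script audits a config.json before it is handed to runc run and applies the mechanical fixes, using only field names from the OCI runtime-spec. The embedded SAMPLE_CONFIG is a constructed, deliberately weakened approximation of what runc spec emits, not real runc output; the baseline capability set, the list of required namespaces and the list of sensitive host paths are this example's own assumptions.

```python
# Added example, not runc project code: audit and harden an OCI config.json
# before `runc run`, using only field names from the OCI runtime-spec.
import copy
import json
import sys

# Assumptions: the capability set an unmodified `runc spec` grants (anything
# beyond it deserves a justification) and the namespaces a container must own.
BASELINE_CAPS = {"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"}
CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")
REQUIRED_NAMESPACES = {"pid", "network", "ipc", "uts", "mount"}

def _sensitive(source):
    """Host root, the Docker control socket, or anything under a few system trees."""
    return source == "/" or source.endswith("/docker.sock") or any(
        source == p or source.startswith(p + "/") for p in ("/proc", "/sys", "/etc", "/root"))

def audit_config(config):
    """Return a list of findings for a config.json dict; [] means nothing was flagged."""
    findings = []
    process = config.get("process", {})
    linux = config.get("linux", {})
    if not config.get("root", {}).get("readonly", False):
        findings.append("root.readonly is false: the rootfs is writable")
    if not process.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is false: setuid binaries can gain privileges")
    if process.get("user", {}).get("uid", 0) == 0:
        findings.append("process.user.uid is 0: the container process runs as root")
    caps = process.get("capabilities", {})
    for cap_set in CAP_SETS:
        extra = sorted(set(caps.get(cap_set, [])) - BASELINE_CAPS)
        if extra:
            findings.append(f"capabilities.{cap_set} exceeds baseline: {extra}")
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns_type in sorted(REQUIRED_NAMESPACES - present):
        findings.append(f"linux.namespaces lacks {ns_type}: shares the host {ns_type} namespace")
    for mount in config.get("mounts", []):
        options = mount.get("options", [])
        if mount.get("type") == "bind" or "bind" in options or "rbind" in options:
            if _sensitive(mount.get("source", "")):
                findings.append(f"bind mount of sensitive host path {mount['source']}")
    if "seccomp" not in linux:
        findings.append("linux.seccomp absent: no syscall filter (runc spec does not add one)")
    if "/proc/kcore" not in linux.get("maskedPaths", []):
        findings.append("linux.maskedPaths does not mask /proc/kcore")
    return findings

def harden_config(config):
    """Return a copy with the mechanical fixes applied; uid, bind mounts and the
    seccomp profile are left alone because they depend on the workload."""
    hardened = copy.deepcopy(config)
    hardened.setdefault("root", {})["readonly"] = True
    process = hardened.setdefault("process", {})
    process["noNewPrivileges"] = True
    caps = process.setdefault("capabilities", {})
    for cap_set in CAP_SETS:
        if cap_set in caps:
            caps[cap_set] = sorted(set(caps[cap_set]) & BASELINE_CAPS)
    linux = hardened.setdefault("linux", {})
    namespaces = linux.setdefault("namespaces", [])
    present = {ns.get("type") for ns in namespaces}
    namespaces.extend({"type": t} for t in sorted(REQUIRED_NAMESPACES - present))
    masked = linux.setdefault("maskedPaths", [])
    if "/proc/kcore" not in masked:
        masked.append("/proc/kcore")
    return hardened

# Constructed sample shaped like `runc spec` output but deliberately weakened
# (CAP_SYS_ADMIN, writable rootfs, host network, Docker socket); not real runc output.
WIDE_CAPS = ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"]
SAMPLE_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {"terminal": True, "user": {"uid": 0, "gid": 0}, "args": ["sh"],
                "capabilities": {cs: list(WIDE_CAPS) for cs in ("bounding", "effective", "permitted")},
                "noNewPrivileges": False},
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"},
               {"destination": "/var/run/docker.sock", "type": "bind",
                "source": "/var/run/docker.sock", "options": ["rbind", "rw"]}],
    "linux": {"namespaces": [{"type": "pid"}, {"type": "ipc"}, {"type": "uts"}, {"type": "mount"}],
              "maskedPaths": ["/proc/acpi", "/proc/keys"]},
}

def main(argv):
    """Audit config.json from argv[1] (or the sample) and print what hardening leaves."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            config = json.load(fh)
    else:
        config = SAMPLE_CONFIG
    for finding in audit_config(config):
        print("finding:", finding)
    print("still needs a decision:", audit_config(harden_config(config)))

if __name__ == "__main__":
    main(sys.argv)
```

Run it as python3 audit_config.py /mycontainer/config.json between runc spec and runc run. The script deliberately does not rewrite the file: the findings it cannot fix mechanically (a uid of 0, bind mounts of host paths, the missing seccomp profile) need a decision about the workload, and the ones it can fix are easy to apply by hand once you have seen them.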

References

  1. https://www.docker.com/blog/runc
  2. https://github.com/opencontainers/runc