gitmyhub

runc

Go ★ 13k updated 1d ago

CLI tool for spawning and running containers according to the OCI specification

runc is the low-level Linux tool that actually starts and manages containers. It is the engine Docker calls behind the scenes, and you can also use it directly for fine-grained control over how containers run.

Tags: Go, Linux, OCI, libseccomp, cgroups. Setup: hard. Complexity: 4/5

runc is a low-level command-line tool that starts and manages Linux containers. If you have used Docker or similar container platforms, runc is the component running underneath them that does the actual work of launching a container process. Docker and other tools call runc behind the scenes, but you can also use it directly if you want fine-grained control over how a container is started.

The tool follows the Open Container Initiative (OCI) specification, which is an industry standard that defines exactly how a container should be set up and run. This means a container image built according to the OCI standard can be started by runc, regardless of which tool was used to build it. The OCI specification covers things like which files the container can see, how its processes are isolated from the rest of the system, and what resources it is allowed to consume.

runc runs only on Linux, because it relies on Linux-specific kernel features like namespaces and control groups to isolate containers from each other and from the host system. It also optionally uses a syscall filtering library called libseccomp to restrict what system calls a container process is allowed to make, which limits what a misbehaving or malicious process inside the container can do.

Building runc from source requires installing a small set of system libraries and the Go programming language toolchain. The project includes a test suite that runs inside Docker to avoid requiring specific system configurations on the developer's machine.

The project has undergone a third-party security audit, and all official releases are cryptographically signed. It is maintained under the Open Containers organization, which is a neutral industry group formed to standardize container formats and runtimes.

Where it fits