Chapter 6. Selecting a container runtime
The runc and crun container runtimes can be used interchangeably because both implement the OCI runtime specification. The crun runtime is faster and requires less memory than runc. For that reason, crun is the recommended container runtime.
6.1. The runc container runtime
The runc container runtime is a lightweight, portable implementation of the Open Container Initiative (OCI) container runtime specification. The runc runtime shares a lot of low-level code with Docker, but it does not depend on any component of the Docker platform. It supports Linux namespaces and live migration, and has portable performance profiles.
It also provides full support for Linux security features such as SELinux, control groups (cgroups), seccomp, and others. You can build and run images with runc, or you can run OCI-compatible images with runc.
6.2. The crun container runtime
The crun runtime is a fast OCI container runtime with a low memory footprint, written in C. The crun binary is up to 50 times smaller and up to twice as fast as the runc binary. Using crun, you can also set a minimal number of processes when running your container. The crun runtime also supports OCI hooks.
Additional features of crun include:
- Sharing files by group for rootless containers
- Controlling the stdout and stderr of OCI hooks
- Running older versions of systemd on cgroup v2
- A C library that is used by other programs
- Extensibility
- Portability
6.3. Running containers with runc and crun
With runc or crun, containers are configured using bundles. A bundle for a container is a directory that includes a specification file named config.json and a root filesystem. The root filesystem contains the contents of the container.
The <runtime> can be crun or runc.
Prerequisites
- The container-tools module is installed.
Procedure
Pull the registry.access.redhat.com/ubi8/ubi container image:
# podman pull registry.access.redhat.com/ubi8/ubi
Export the registry.access.redhat.com/ubi8/ubi image to the rhel.tar archive:
# podman export $(podman create registry.access.redhat.com/ubi8/ubi) > rhel.tar
Create the bundle/rootfs directory:
# mkdir -p bundle/rootfs
Extract the rhel.tar archive into the bundle/rootfs directory:
# tar -C bundle/rootfs -xf rhel.tar
Create a new specification file named config.json for the bundle:
# <runtime> spec -b bundle
- The -b option specifies the bundle directory. The default value is the current directory.
Optional: Change the settings:
# vi bundle/config.json
Create an instance of a container named myubi for a bundle:
# <runtime> create -b bundle/ myubi
Start a myubi container:
# <runtime> start myubi
The name of a container instance must be unique to the host. To start a new instance of a container:
# <runtime> start <container_name>
Verification
List containers started by <runtime>:
# <runtime> list
ID      PID   STATUS    BUNDLE         CREATED                          OWNER
myubi   0     stopped   /root/bundle   2021-09-14T09:52:26.659714605Z   root
Additional resources
- The crun and runc man pages on your system
- An introduction to crun, a fast and low-memory footprint container runtime
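The optional step in the procedure above edits bundle/config.json by hand, which is where hardening settings are most easily weakened. The following check is an added example, not part of the original documentation or of runc or crun: it reads a parsed config.json and reports settings that reduce isolation, using OCI runtime specification field names. The sample configuration, the RISKY_CAPS and EXPECTED_NS sets, and the function name are assumptions made for illustration.

```python
import json

# Constructed sample: a trimmed config.json using OCI runtime-spec field names.
# It is not the verbatim output of `<runtime> spec`.
SAMPLE_CONFIG = json.loads("""
{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 0, "gid": 0},
    "args": ["sh"],
    "capabilities": {"bounding": ["CAP_KILL", "CAP_SYS_ADMIN"]},
    "noNewPrivileges": false
  },
  "root": {"path": "rootfs", "readonly": false},
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "ipc"}]}
}
""")

# Capabilities this example treats as high risk (an assumption, not a complete list).
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"}
# Namespaces this example expects every container to unshare (an assumption).
EXPECTED_NS = {"pid", "mount", "ipc", "uts", "network"}


def audit_bundle_config(cfg):
    """Return a list of findings for one parsed config.json."""
    findings = []
    proc, linux = cfg.get("process", {}), cfg.get("linux", {})
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not true")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root.readonly is not true")
    if proc.get("user", {}).get("uid", 0) == 0:
        findings.append("process.user.uid is 0 (root inside the container)")
    caps = set()
    for cap_set in proc.get("capabilities", {}).values():
        caps.update(cap_set)  # bounding, effective, permitted, ... are all lists
    for cap in sorted(caps & RISKY_CAPS):
        findings.append(f"capability granted: {cap}")
    if "seccomp" not in linux:
        findings.append("linux.seccomp is absent (no syscall filter)")
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(EXPECTED_NS - present):
        findings.append(f"namespace not unshared: {ns}")
    return findings


if __name__ == "__main__":
    # For a real bundle: audit_bundle_config(json.load(open("bundle/config.json")))
    for finding in audit_bundle_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the bundle after editing config.json and before `<runtime> create`, so a weakened setting is caught before the container exists.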
6.4. Temporarily changing the container runtime
You can use the podman run command with the --runtime option to change the container runtime.
The <runtime> can be crun or runc.
Prerequisites
- The container-tools module is installed.
Procedure
Pull the registry.access.redhat.com/ubi8/ubi container image:
$ podman pull registry.access.redhat.com/ubi8/ubi
Change the container runtime using the --runtime option:
$ podman run --name=myubi -dt --runtime=<runtime> ubi8
e4654eb4df12ac031f1d0f2657dc4ae6ff8eb0085bf114623b66cc664072e69b
Optional: List all images:
$ podman ps -a
CONTAINER ID  IMAGE                                   COMMAND  CREATED        STATUS            PORTS  NAMES
e4654eb4df12  registry.access.redhat.com/ubi8:latest  bash     4 seconds ago  Up 4 seconds ago         myubi
Verification
Ensure that the OCI runtime is set to <runtime> in the myubi container:
$ podman inspect myubi --format "{{.OCIRuntime}}"
<runtime>
6.5. Permanently changing the container runtime
You can set the container runtime and its options in the /etc/containers/containers.conf configuration file as a root user or in the $HOME/.config/containers/containers.conf configuration file as a non-root user.
The <runtime> can be crun or runc.
Prerequisites
- The container-tools module is installed.
Procedure
Change the runtime in the /etc/containers/containers.conf file:
# vim /etc/containers/containers.conf
[engine]
runtime = "<runtime>"
Run the container named myubi:
# podman run --name=myubi -dt ubi8 bash
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest…
...
Storing signatures
Verification
Ensure that the OCI runtime is set to <runtime> in the myubi container:
# podman inspect myubi --format "{{.OCIRuntime}}"
<runtime>
Additional resources
- An introduction to crun, a fast and low-memory footprint container runtime
- containers.conf man page on your system