Chapter 6. Selecting a container runtime
runc and crun are container runtimes that can be used interchangeably because both implement the OCI runtime specification. The crun container runtime has a couple of advantages over runc: it is faster and requires less memory. For that reason, crun is the recommended container runtime.
6.1. The runc container runtime
The runc container runtime is a lightweight, portable implementation of the Open Container Initiative (OCI) container runtime specification. The runc runtime shares a lot of low-level code with Docker, but it does not depend on any of the components of the Docker platform. It supports Linux namespaces and live migration, and has portable performance profiles.
It also provides full support for Linux security features such as SELinux, control groups (cgroups), seccomp, and others. You can build and run images with runc, or you can run OCI-compatible images with runc.
6.2. The crun container runtime
The crun runtime is a fast OCI container runtime with a low memory footprint, written in C. The crun binary is up to 50 times smaller and up to twice as fast as the runc binary. Using crun, you can also set a minimal number of processes when running your container. The crun runtime also supports OCI hooks.
Additional features of crun include:
- Sharing files by group for rootless containers
- Controlling the stdout and stderr of OCI hooks
- Running older versions of systemd on cgroup v2
- A C library that is used by other programs
- Extensibility
- Portability
6.3. Running containers with runc and crun
With runc or crun, containers are configured using bundles. A bundle for a container is a directory that includes a specification file named config.json and a root filesystem. The root filesystem contains the contents of the container.
The <runtime> can be crun or runc.
Prerequisites
- The container-tools module is installed.
Procedure
1. Pull the registry.access.redhat.com/ubi8/ubi container image:
   # podman pull registry.access.redhat.com/ubi8/ubi
2. Export the registry.access.redhat.com/ubi8/ubi image to the rhel.tar archive:
   # podman export $(podman create registry.access.redhat.com/ubi8/ubi) > rhel.tar
3. Create the bundle/rootfs directory:
   # mkdir -p bundle/rootfs
4. Extract the rhel.tar archive into the bundle/rootfs directory:
   # tar -C bundle/rootfs -xf rhel.tar
5. Create a new specification file named config.json for the bundle:
   # <runtime> spec -b bundle
   - The -b option specifies the bundle directory. The default value is the current directory.
6. Optional: Change the settings:
   # vi bundle/config.json
7. Create an instance of a container named myubi for a bundle:
   # <runtime> create -b bundle/ myubi
8. Start a myubi container:
   # <runtime> start myubi
The name of a container instance must be unique to the host. To start a new instance of a container:
   # <runtime> start <container_name>
Verification
- List containers started by <runtime>:
   # <runtime> list
   ID      PID   STATUS    BUNDLE         CREATED                          OWNER
   myubi   0     stopped   /root/bundle   2021-09-14T09:52:26.659714605Z   root
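Added example, not part of the original documentation or of runc or crun: a Python check that can be run on bundle/config.json after the optional edit step and before <runtime> create, reporting settings that weaken isolation. The field names follow the OCI runtime specification; the capability list, the expected namespace set, and the sample config are assumptions constructed for this illustration.

```python
import json
import sys

# Assumed policy for this example; adjust both sets to your own baseline.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"}
EXPECTED_NS = {"pid", "mount", "ipc", "uts", "network"}


def audit_bundle_config(config):
    """Return findings for a parsed OCI config.json, in check order."""
    findings = []
    process = config.get("process", {})
    linux = config.get("linux", {})
    if not config.get("root", {}).get("readonly", False):
        findings.append("root.readonly is not true: rootfs is writable")
    if not process.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not true")
    if process.get("user", {}).get("uid", 0) == 0 and not linux.get("uidMappings"):
        findings.append("process runs as uid 0 without a user-namespace mapping")
    # Union every capability set so a capability granted anywhere is reported.
    granted = set()
    for cap_set in (process.get("capabilities") or {}).values():
        granted.update(cap_set or [])
    for cap in sorted(granted & RISKY_CAPS):
        findings.append(f"capability {cap} is granted")
    # A namespace type missing from the list is inherited from the runtime's own.
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(EXPECTED_NS - present):
        findings.append(f"{ns} namespace is not isolated")
    if "seccomp" not in linux:
        findings.append("linux.seccomp is absent: no syscall filter")
    return findings


# Constructed sample: a bundle config.json after a permissive manual edit.
SAMPLE = {
    "ociVersion": "1.0.2",
    "process": {"user": {"uid": 0, "gid": 0}, "args": ["sh"], "noNewPrivileges": False,
                "capabilities": {"bounding": ["CAP_KILL", "CAP_SYS_ADMIN"],
                                 "effective": ["CAP_KILL", "CAP_SYS_ADMIN"]}},
    "root": {"path": "rootfs", "readonly": False},
    "linux": {"namespaces": [{"type": t} for t in ("pid", "mount", "ipc", "uts")]},
}

if __name__ == "__main__":
    # Pass a path such as bundle/config.json, or run with no argument for SAMPLE.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit_bundle_config(cfg):
        print("FINDING:", finding)
```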
6.4. Temporarily changing the container runtime
You can use the podman run command with the --runtime option to change the container runtime.
The <runtime> can be crun or runc.
Prerequisites
- The container-tools module is installed.
Procedure
1. Pull the registry.access.redhat.com/ubi8/ubi container image:
   $ podman pull registry.access.redhat.com/ubi8/ubi
2. Change the container runtime using the --runtime option:
   $ podman run --name=myubi -dt --runtime=<runtime> ubi8
   e4654eb4df12ac031f1d0f2657dc4ae6ff8eb0085bf114623b66cc664072e69b
3. Optional: List all images:
   $ podman ps -a
   CONTAINER ID   IMAGE                                    COMMAND   CREATED         STATUS             PORTS   NAMES
   e4654eb4df12   registry.access.redhat.com/ubi8:latest   bash      4 seconds ago   Up 4 seconds ago           myubi
Verification
- Ensure that the OCI runtime is set to <runtime> in the myubi container:
   $ podman inspect myubi --format "{{.OCIRuntime}}"
   <runtime>
6.5. Permanently changing the container runtime
You can set the container runtime and its options in the /etc/containers/containers.conf configuration file as a root user or in the $HOME/.config/containers/containers.conf configuration file as a non-root user.
The <runtime> can be crun or runc.
Prerequisites
- The container-tools module is installed.
Procedure
1. Change the runtime in the /etc/containers/containers.conf file:
   # vim /etc/containers/containers.conf
   [engine]
   runtime = "<runtime>"
2. Run the container named myubi:
   # podman run --name=myubi -dt ubi8 bash
   Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
   Trying to pull registry.access.redhat.com/ubi8:latest…
   ...
   Storing signatures
Verification
- Ensure that the OCI runtime is set to <runtime> in the myubi container:
   # podman inspect myubi --format "{{.OCIRuntime}}"
   <runtime>
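Added example, not part of the original documentation or of Podman: a Python check that reads the runtime key under [engine] from the two configuration files named in this section and reports which value applies, skipping commented-out keys that a plain text search would match. It assumes the per-user file, when present, overrides the system file for a non-root user; the file names and contents in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

SECTION = re.compile(r"^\[([^\]]+)\]")
RUNTIME = re.compile(r"""^runtime\s*=\s*["']([^"']+)["']""")


def runtime_in_file(path):
    """Return the runtime set under [engine] in one containers.conf, or None."""
    section, runtime = None, None
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blanks and commented-out keys
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        key = RUNTIME.match(line)
        if key and section == "engine":  # the key only counts inside [engine]
            runtime = key.group(1)
    return runtime


def effective_runtime(paths):
    """Later files override earlier ones; missing files are skipped."""
    result = None
    for path in paths:
        if Path(path).is_file():
            result = runtime_in_file(path) or result
    return result


def demo():
    """Build constructed system and per-user files and resolve both views."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp, "system-containers.conf")  # stands in for /etc/containers/containers.conf
        user = Path(tmp, "user-containers.conf")      # stands in for $HOME/.config/containers/containers.conf
        system.write_text('[engine]\n#runtime = "crun"\nruntime = "runc"\n')
        user.write_text('[engine]\nruntime = "crun"\n')
        return effective_runtime([system]), effective_runtime([system, user])


if __name__ == "__main__":
    print(demo())
```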