author: Brian Goff <email@example.com> (Wed Jan 11 04:32:35 2017)
committer: Brian Goff <firstname.lastname@example.org> (Wed Jan 11 15:22:17 2017)
Set init process as non-dumpable

Backports fix from 2f7393a47307a16f8cee44a37b262e8b81021e3e to 1.11.x

Resolves CVE-2016-9962 for Docker 1.11.x.

Signed-off-by: Brian Goff <email@example.com>
[![Build Status](https://jenkins.dockerproject.org/buildStatus/icon?job=runc%20Master)](https://jenkins.dockerproject.org/job/runc%20Master)
runc is a CLI tool for spawning and running containers according to the OCI specification (earlier referred to as OCF).

runc is an implementation of the OCI specification. We are currently sprinting to have a v1 of the spec out, so the runc config format will keep changing until the spec is finalized. However, we encourage you to try out the tool and give feedback.
## How does runc integrate with the Open Container Initiative Specification?

runc depends on the types specified in the specs repository. Whenever the specification is updated and ready to be versioned, runc will update its dependency on the specs repository and support the updated spec.
At the time of writing, runc only builds on the Linux platform.

```bash
# create a 'github.com/opencontainers' in your GOPATH/src
cd github.com/opencontainers
git clone https://github.com/opencontainers/runc
cd runc
make
sudo make install
```
In order to enable seccomp support you will need to install libseccomp on your platform. If you do not want to build runc with seccomp support you can add `BUILDTAGS=""` when running make.

runc supports optional build tags for compiling in support for various features.

| Build Tag | Feature                            | Dependency  |
|-----------|------------------------------------|-------------|
| seccomp   | seccomp syscall filtering          | libseccomp  |
| selinux   | selinux process and mount labeling | none        |
| apparmor  | apparmor profile support           | libapparmor |
You can run the tests for runC with:

```bash
# make test
```

Note that the test cases run inside a Docker container, so you need to install docker first. The tests also require mounting cgroups inside the container, which docker now does for you, so you need a docker version newer than 1.8.0-rc2.

You can also run specific test cases with:

```bash
# make test TESTFLAGS="-run=SomeTestFunction"
```
To run a container with the id "test", execute `runc start` with the container's id as the first argument, from the bundle's root directory:

```bash
runc start test
/ $ ps
PID   USER     COMMAND
    1 daemon   sh
    5 daemon   sh
/ $
```
The OCI container JSON format is based on the OCI specs. You can generate a JSON config by running `runc spec`. It assumes that the file-system is found in a directory called `rootfs` and that there is a user with uid and gid of `0` defined within that file-system.
To test using Docker's `busybox` image follow these steps:

Install `docker` and download the `busybox` image:

```bash
docker pull busybox
```

Create a container from the image and export its root filesystem into a `rootfs` directory:

```bash
docker export $(docker create busybox) > busybox.tar
mkdir rootfs
tar -C rootfs -xf busybox.tar
```

Generate a `config.json` with `runc spec`, then run `runc start` and you should be placed into a shell where you can run `ps`:

```bash
$ runc start test
/ # ps
PID   USER     COMMAND
    1 root     sh
    9 root     ps
```
To use runc with systemd, you can create a unit file `/usr/lib/systemd/system/minecraft.service` as below (edit the Description, WorkingDirectory or service name as you need).

```ini
[Unit]
Description=Minecraft Build Server
Documentation=http://minecraft.net
After=network.target

[Service]
CPUQuota=200%
MemoryLimit=1536M
ExecStart=/usr/local/bin/runc start minecraft
Restart=on-failure
WorkingDirectory=/containers/minecraftbuild

[Install]
WantedBy=multi-user.target
```

Make sure the bundle's root directory and the JSON config are in your WorkingDirectory, then use the systemd commands to start the service:

```bash
systemctl daemon-reload
systemctl start minecraft.service
```

Note that if you use a JSON config generated by `runc spec`, you need to edit `config.json` and change `process.terminal` to `false` so runc won't try to create a tty, because the terminal can't be taken from stdin when runc runs as a systemd service.
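As an added example (not code from the runc README or the runc project), the script below applies the two points above to a bundle before handing it to systemd: it checks the assumptions `runc spec` makes (the `root.path` directory, normally `rootfs`, exists under the bundle, and the process user is uid/gid 0 and is defined in the rootfs `/etc/passwd` when that file is present), then sets `process.terminal` to `false` and rewrites `config.json` atomically. The embedded `SAMPLE_CONFIG` is constructed to mirror the shape of `runc spec` output rather than copied from the tool; its `ociVersion` value, environment entries and the helper names (`check_bundle`, `prepare_for_systemd`, `make_sample_bundle`, `run_demo`) are assumptions of this example.

```python
import json
import os
import shutil
import tempfile

# Constructed sample: a trimmed config.json in the shape `runc spec` emits.
# Only the fields this script reads are present; the version string and env
# values are placeholders, not copied from real runc output.
SAMPLE_CONFIG = {
    "ociVersion": "0.0.0-placeholder",
    "platform": {"os": "linux", "arch": "amd64"},
    "process": {
        "terminal": True,
        "user": {"uid": 0, "gid": 0},
        "args": ["sh"],
        "env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
        "cwd": "/",
    },
    "root": {"path": "rootfs", "readonly": True},
    "hostname": "runc",
}


def passwd_uids(passwd_path):
    """Return the set of uids defined in an /etc/passwd file (empty if absent)."""
    uids = set()
    if not os.path.isfile(passwd_path):
        return uids
    with open(passwd_path) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 3 and fields[2].isdigit():
                uids.add(int(fields[2]))
    return uids


def check_bundle(bundle_dir, config):
    """Return a list of problems; empty means the bundle matches the README's
    assumptions: root.path is a directory in the bundle, the process user is
    uid/gid 0, and uid 0 exists in the rootfs when /etc/passwd is present."""
    problems = []
    root_path = config.get("root", {}).get("path", "rootfs")
    rootfs = root_path if os.path.isabs(root_path) else os.path.join(bundle_dir, root_path)
    if not os.path.isdir(rootfs):
        problems.append("root.path %r is not a directory under the bundle" % root_path)
    user = config.get("process", {}).get("user", {})
    if user.get("uid") != 0 or user.get("gid") != 0:
        problems.append("process.user is not uid 0 / gid 0")
    passwd = os.path.join(rootfs, "etc", "passwd")
    if os.path.isfile(passwd) and 0 not in passwd_uids(passwd):
        problems.append("rootfs /etc/passwd does not define uid 0")
    return problems


def prepare_for_systemd(bundle_dir):
    """Validate the bundle, set process.terminal=false and rewrite config.json.
    Returns the updated config; raises ValueError if the bundle is unusable."""
    path = os.path.join(bundle_dir, "config.json")
    with open(path) as f:
        config = json.load(f)
    problems = check_bundle(bundle_dir, config)
    if problems:
        raise ValueError("; ".join(problems))
    config.setdefault("process", {})["terminal"] = False
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(config, f, indent=2)
    os.replace(tmp, path)  # atomic rename: never leave a half-written config.json
    return config


def make_sample_bundle(base_dir, passwd_line="root:x:0:0:root:/root:/bin/sh\n"):
    """Create a throwaway bundle named 'test' under base_dir from SAMPLE_CONFIG."""
    bundle = os.path.join(base_dir, "test")
    os.makedirs(os.path.join(bundle, "rootfs", "etc"))
    with open(os.path.join(bundle, "rootfs", "etc", "passwd"), "w") as f:
        f.write(passwd_line)
    with open(os.path.join(bundle, "config.json"), "w") as f:
        json.dump(SAMPLE_CONFIG, f, indent=2)
    return bundle


def run_demo():
    """Exercise the good path and two failure modes; returns what was observed."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        bundle = make_sample_bundle(d)
        results["terminal_before"] = SAMPLE_CONFIG["process"]["terminal"]
        results["terminal_after"] = prepare_for_systemd(bundle)["process"]["terminal"]
        with open(os.path.join(bundle, "config.json")) as f:
            results["terminal_on_disk"] = json.load(f)["process"]["terminal"]
        shutil.rmtree(os.path.join(bundle, "rootfs"))  # simulate a missing rootfs
        results["missing_rootfs"] = check_bundle(bundle, SAMPLE_CONFIG)
    with tempfile.TemporaryDirectory() as d:
        bundle = make_sample_bundle(d, passwd_line="nobody:x:65534:65534::/:/bin/false\n")
        try:
            prepare_for_systemd(bundle)
            results["no_uid0"] = None
        except ValueError as e:
            results["no_uid0"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Run it against a real bundle with `prepare_for_systemd("/containers/minecraftbuild")` before `systemctl start`; the check refuses to rewrite a config whose rootfs is missing or whose uid 0 is undefined, which is exactly the state in which `runc start` would otherwise fail at service start time.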