2015-06-22 10:31:12 +08:00
|
|
|
## runc
|
|
|
|
|
|
|
|
`runc` is a CLI tool for spawning and running containers according to the OCF specification.
|
|
|
|
|
2015-06-27 02:31:00 +08:00
|
|
|
## State of the project
|
|
|
|
|
|
|
|
Currently `runc` is an implementation of the OCF specification. We are currently sprinting
|
2015-06-29 08:47:00 +08:00
|
|
|
to have a v1 of the spec out within a quick timeframe of a few weeks, ~July 2015,
|
|
|
|
so the `runc` config format will be constantly changing until
|
2015-06-28 09:36:11 +08:00
|
|
|
the spec is finalized. However, we encourage you to try out the tool and give feedback.
|
2015-06-27 02:31:00 +08:00
|
|
|
|
2015-07-03 00:59:30 +08:00
|
|
|
### OCF
|
|
|
|
|
|
|
|
How does `runc` integrate with the Open Container Format? `runc` depends on the types
|
|
|
|
specified in the [specs](https://github.com/opencontainers/specs) repository. Whenever
|
|
|
|
the specification is updated and ready to be versioned `runc` will update it's dependency
|
|
|
|
on the specs repository and support the update spec.
|
|
|
|
|
2015-06-22 10:31:12 +08:00
|
|
|
### Building:
|
|
|
|
|
2015-08-27 15:50:46 +08:00
|
|
|
At the time of writing, runc only builds on the Linux platform.
|
|
|
|
|
2015-06-22 10:31:12 +08:00
|
|
|
```bash
|
2015-07-08 19:10:22 +08:00
|
|
|
# create a 'github.com/opencontainers' in your GOPATH/src
|
2015-06-24 12:25:49 +08:00
|
|
|
cd github.com/opencontainers
|
|
|
|
git clone https://github.com/opencontainers/runc
|
|
|
|
cd runc
|
2015-06-22 10:31:12 +08:00
|
|
|
make
|
|
|
|
sudo make install
|
|
|
|
```
|
|
|
|
|
2015-08-22 06:25:26 +08:00
|
|
|
In order to enable seccomp support you will need to install libseccomp on your platform.
|
|
|
|
If you do not with to build `runc` with seccomp support you can add `BUILDTAGS=""` when running make.
|
|
|
|
|
2015-09-12 03:11:24 +08:00
|
|
|
#### Build Tags
|
|
|
|
|
|
|
|
`runc` supports optional build tags for compiling in support for various features.
|
|
|
|
|
|
|
|
|
|
|
|
| Build Tag | Feature | Dependency |
|
|
|
|
|-----------|------------------------------------|-------------|
|
|
|
|
| seccomp | Syscall filtering | libseccomp |
|
|
|
|
| selinux | selinux process and mount labeling | <none> |
|
|
|
|
| apparmor | apparmor profile support | libapparmor |
|
|
|
|
|
|
|
|
|
2015-06-22 10:31:12 +08:00
|
|
|
### Using:
|
|
|
|
|
2015-08-18 09:30:17 +08:00
|
|
|
To run a container, execute `runc start` in the bundle's root directory:
|
|
|
|
```bash
|
|
|
|
runc start
|
|
|
|
/ $ ps
|
|
|
|
PID USER COMMAND
|
|
|
|
1 daemon sh
|
|
|
|
5 daemon sh
|
|
|
|
/ $
|
|
|
|
```
|
2015-06-22 10:31:12 +08:00
|
|
|
|
2015-08-18 09:30:17 +08:00
|
|
|
Or you can specify the path to a JSON configuration file:
|
2015-06-22 10:31:12 +08:00
|
|
|
```bash
|
2015-08-18 09:30:17 +08:00
|
|
|
runc start config.json
|
2015-06-22 10:31:12 +08:00
|
|
|
/ $ ps
|
|
|
|
PID USER COMMAND
|
|
|
|
1 daemon sh
|
|
|
|
5 daemon sh
|
2015-06-29 08:47:00 +08:00
|
|
|
/ $
|
2015-06-22 10:31:12 +08:00
|
|
|
```
|
2015-08-18 09:30:17 +08:00
|
|
|
Note: the use of the `start` command is required when specifying a
|
|
|
|
configuration file.
|
2015-06-22 10:31:12 +08:00
|
|
|
|
2015-06-23 02:09:41 +08:00
|
|
|
### OCF Container JSON Format:
|
2015-06-22 10:31:12 +08:00
|
|
|
|
2015-06-30 05:29:05 +08:00
|
|
|
Below is a sample `config.json` configuration file. It assumes that
|
2015-06-24 12:25:49 +08:00
|
|
|
the file-system is found in a directory called `rootfs` and there is a
|
2015-08-08 21:32:30 +08:00
|
|
|
user with uid and gid of `0` defined within that file-system.
|
2015-06-24 12:25:49 +08:00
|
|
|
|
2015-06-22 10:31:12 +08:00
|
|
|
```json
|
|
|
|
{
|
2015-07-03 00:59:30 +08:00
|
|
|
"version": "pre-draft",
|
2015-06-30 02:21:05 +08:00
|
|
|
"platform": {
|
|
|
|
"os": "linux",
|
|
|
|
"arch": "amd64"
|
|
|
|
},
|
|
|
|
"process": {
|
2015-06-30 02:50:27 +08:00
|
|
|
"terminal": true,
|
2015-07-02 00:57:26 +08:00
|
|
|
"user": {
|
|
|
|
"uid": 0,
|
|
|
|
"gid": 0,
|
|
|
|
"additionalGids": null
|
|
|
|
},
|
2015-06-30 02:21:05 +08:00
|
|
|
"args": [
|
|
|
|
"sh"
|
|
|
|
],
|
|
|
|
"env": [
|
|
|
|
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
|
|
|
"TERM=xterm"
|
|
|
|
],
|
|
|
|
"cwd": ""
|
|
|
|
},
|
2015-06-22 10:31:12 +08:00
|
|
|
"root": {
|
|
|
|
"path": "rootfs",
|
|
|
|
"readonly": true
|
|
|
|
},
|
|
|
|
"hostname": "shell",
|
|
|
|
"mounts": [
|
|
|
|
{
|
|
|
|
"type": "proc",
|
|
|
|
"source": "proc",
|
|
|
|
"destination": "/proc",
|
|
|
|
"options": ""
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "tmpfs",
|
|
|
|
"source": "tmpfs",
|
|
|
|
"destination": "/dev",
|
|
|
|
"options": "nosuid,strictatime,mode=755,size=65536k"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "devpts",
|
|
|
|
"source": "devpts",
|
|
|
|
"destination": "/dev/pts",
|
|
|
|
"options": "nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "tmpfs",
|
|
|
|
"source": "shm",
|
|
|
|
"destination": "/dev/shm",
|
|
|
|
"options": "nosuid,noexec,nodev,mode=1777,size=65536k"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "mqueue",
|
|
|
|
"source": "mqueue",
|
|
|
|
"destination": "/dev/mqueue",
|
|
|
|
"options": "nosuid,noexec,nodev"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "sysfs",
|
|
|
|
"source": "sysfs",
|
|
|
|
"destination": "/sys",
|
|
|
|
"options": "nosuid,noexec,nodev"
|
2015-07-15 09:31:39 +08:00
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "cgroup",
|
|
|
|
"source": "cgroup",
|
|
|
|
"destination": "/sys/fs/cgroup",
|
|
|
|
"options": "nosuid,noexec,nodev,relatime,ro"
|
2015-06-22 10:31:12 +08:00
|
|
|
}
|
2015-06-30 05:29:05 +08:00
|
|
|
],
|
|
|
|
"linux": {
|
2015-07-03 00:59:30 +08:00
|
|
|
"uidMapping": null,
|
|
|
|
"gidMapping": null,
|
2015-08-25 05:36:57 +08:00
|
|
|
"rlimits": [
|
|
|
|
{
|
|
|
|
"type": 7,
|
|
|
|
"hard": 1024,
|
|
|
|
"soft": 1024
|
|
|
|
}
|
|
|
|
],
|
2015-07-03 00:59:30 +08:00
|
|
|
"systemProperties": null,
|
|
|
|
"resources": {
|
|
|
|
"disableOOMKiller": false,
|
|
|
|
"memory": {
|
|
|
|
"limit": 0,
|
|
|
|
"reservation": 0,
|
|
|
|
"swap": 0,
|
2015-07-14 10:28:21 +08:00
|
|
|
"kernel": 0,
|
|
|
|
"swappiness": -1
|
2015-07-03 00:59:30 +08:00
|
|
|
},
|
|
|
|
"cpu": {
|
|
|
|
"shares": 0,
|
|
|
|
"quota": 0,
|
|
|
|
"period": 0,
|
|
|
|
"realtimeRuntime": 0,
|
|
|
|
"realtimePeriod": 0,
|
|
|
|
"cpus": "",
|
|
|
|
"mems": ""
|
|
|
|
},
|
|
|
|
"blockIO": {
|
|
|
|
"blkioWeight": 0,
|
|
|
|
"blkioWeightDevice": "",
|
|
|
|
"blkioThrottleReadBpsDevice": "",
|
|
|
|
"blkioThrottleWriteBpsDevice": "",
|
|
|
|
"blkioThrottleReadIopsDevice": "",
|
|
|
|
"blkioThrottleWriteIopsDevice": ""
|
|
|
|
},
|
|
|
|
"hugepageLimits": null,
|
|
|
|
"network": {
|
|
|
|
"classId": "",
|
|
|
|
"priorities": null
|
|
|
|
}
|
|
|
|
},
|
2015-06-30 05:29:05 +08:00
|
|
|
"namespaces": [
|
|
|
|
{
|
2015-08-06 02:09:53 +08:00
|
|
|
"type": "pid",
|
2015-07-03 00:59:30 +08:00
|
|
|
"path": ""
|
2015-06-30 05:29:05 +08:00
|
|
|
},
|
|
|
|
{
|
2015-07-03 00:59:30 +08:00
|
|
|
"type": "network",
|
|
|
|
"path": ""
|
2015-06-30 05:29:05 +08:00
|
|
|
},
|
|
|
|
{
|
2015-07-03 00:59:30 +08:00
|
|
|
"type": "ipc",
|
|
|
|
"path": ""
|
2015-06-30 05:29:05 +08:00
|
|
|
},
|
|
|
|
{
|
2015-07-03 00:59:30 +08:00
|
|
|
"type": "uts",
|
|
|
|
"path": ""
|
2015-06-30 05:29:05 +08:00
|
|
|
},
|
|
|
|
{
|
2015-07-03 00:59:30 +08:00
|
|
|
"type": "mount",
|
|
|
|
"path": ""
|
2015-06-30 05:29:05 +08:00
|
|
|
}
|
|
|
|
],
|
|
|
|
"capabilities": [
|
|
|
|
"AUDIT_WRITE",
|
|
|
|
"KILL",
|
|
|
|
"NET_BIND_SERVICE"
|
|
|
|
],
|
|
|
|
"devices": [
|
2015-08-23 23:52:50 +08:00
|
|
|
{
|
|
|
|
"type": 99,
|
|
|
|
"path": "/dev/null",
|
|
|
|
"major": 1,
|
|
|
|
"minor": 3,
|
|
|
|
"permissions": "rwm",
|
|
|
|
"fileMode": 438,
|
|
|
|
"uid": 0,
|
|
|
|
"gid": 0
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": 99,
|
|
|
|
"path": "/dev/random",
|
|
|
|
"major": 1,
|
|
|
|
"minor": 8,
|
|
|
|
"permissions": "rwm",
|
|
|
|
"fileMode": 438,
|
|
|
|
"uid": 0,
|
|
|
|
"gid": 0
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": 99,
|
|
|
|
"path": "/dev/full",
|
|
|
|
"major": 1,
|
|
|
|
"minor": 7,
|
|
|
|
"permissions": "rwm",
|
|
|
|
"fileMode": 438,
|
|
|
|
"uid": 0,
|
|
|
|
"gid": 0
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": 99,
|
|
|
|
"path": "/dev/tty",
|
|
|
|
"major": 5,
|
|
|
|
"minor": 0,
|
|
|
|
"permissions": "rwm",
|
|
|
|
"fileMode": 438,
|
|
|
|
"uid": 0,
|
|
|
|
"gid": 0
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": 99,
|
|
|
|
"path": "/dev/zero",
|
|
|
|
"major": 1,
|
|
|
|
"minor": 5,
|
|
|
|
"permissions": "rwm",
|
|
|
|
"fileMode": 438,
|
|
|
|
"uid": 0,
|
|
|
|
"gid": 0
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": 99,
|
|
|
|
"path": "/dev/urandom",
|
|
|
|
"major": 1,
|
|
|
|
"minor": 9,
|
|
|
|
"permissions": "rwm",
|
|
|
|
"fileMode": 438,
|
|
|
|
"uid": 0,
|
|
|
|
"gid": 0
|
|
|
|
}
|
|
|
|
],
|
2015-06-30 05:29:05 +08:00
|
|
|
}
|
2015-06-22 10:31:12 +08:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
### Examples:
|
|
|
|
|
2015-06-29 15:08:16 +08:00
|
|
|
#### Using a Docker image (requires version 1.3 or later)
|
2015-06-24 12:25:49 +08:00
|
|
|
|
|
|
|
To test using Docker's `busybox` image follow these steps:
|
2015-06-29 08:47:00 +08:00
|
|
|
* Install `docker` and download the `busybox` image: `docker pull busybox`
|
2015-06-24 12:25:49 +08:00
|
|
|
* Create a container from that image and export its contents to a tar file:
|
|
|
|
`docker export $(docker create busybox) > busybox.tar`
|
|
|
|
* Untar the contents to create your filesystem directory:
|
|
|
|
```
|
|
|
|
mkdir rootfs
|
|
|
|
tar -C rootfs -xf busybox.tar
|
|
|
|
```
|
2015-07-28 22:27:09 +08:00
|
|
|
* Create a file called `config.json` using the example from above. You can also
|
|
|
|
generate a spec using `runc spec`, redirecting the output into `config.json`
|
2015-08-18 09:30:17 +08:00
|
|
|
* Execute `runc start` and you should be placed into a shell where you can run `ps`:
|
2015-06-24 12:25:49 +08:00
|
|
|
```
|
2015-08-18 09:30:17 +08:00
|
|
|
$ runc start
|
2015-06-24 12:25:49 +08:00
|
|
|
/ # ps
|
|
|
|
PID USER COMMAND
|
|
|
|
1 root sh
|
|
|
|
9 root ps
|
|
|
|
```
|
|
|
|
|
2015-06-22 10:31:12 +08:00
|
|
|
#### Using runc with systemd
|
|
|
|
|
|
|
|
```service
|
|
|
|
[Unit]
|
|
|
|
Description=Minecraft Build Server
|
|
|
|
Documentation=http://minecraft.net
|
|
|
|
After=network.target
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
CPUQuota=200%
|
|
|
|
MemoryLimit=1536M
|
|
|
|
ExecStart=/usr/local/bin/runc
|
|
|
|
Restart=on-failure
|
|
|
|
WorkingDirectory=/containers/minecraftbuild
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|
|
|
|
```
|