- Notifications
You must be signed in to change notification settings - Fork0
A fast and lightweight fully featured OCI runtime and C library for running containers
License
CaptainVincent/crun
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
A fast and low-memory footprint OCI Container Runtime fully written inC.
crun conforms to the OCI Container Runtime specifications(https://github.com/opencontainers/runtime-spec).
The user documentation is availablehere.
While most of the tools used in the Linux containers ecosystem arewritten in Go, I believe C is a better fit for a lower level tool like acontainer runtime. runc, the most used implementation of the OCI runtimespecs written in Go, re-execs itself and use a module written in C forsetting up the environment before the container process starts.
crun aims to be also usable as a library that can be easily included inprograms without requiring an external process for managing OCIcontainers.
crun is faster than runc and has a much lower memory footprint.
This is the elapsed time on my machine for running sequentially 100containers, the containers run/bin/true:
| crun | runc | % | |
|---|---|---|---|
| 100 /bin/true | 0:01.69 | 0:3.34 | -49.4% |
crun requires fewer resources, so it is also possible to set stricterlimits on the memory allowed in the container:
#podman --runtime /usr/bin/runc run --rm --memory 4M fedoraecho it worksError: container_linux.go:346: starting container process caused "process_linux.go:327: getting pipe fds for pid 13859 caused \"readlink /proc/13859/fd/0: no such file or directory\"": OCI runtime command not found error#podman --runtime /usr/bin/crun run --rm --memory 4M fedoraecho it worksit works
crun could go much lower than that, and require < 1M. The used 4MB is ahard limit set directly in Podman before calling the OCI runtime.
These dependencies are required for the build:
$sudo dnf install -y make python git gcc automake autoconf libcap-devel \ systemd-devel yajl-devel libseccomp-devel pkg-config libgcrypt-devel \ go-md2man glibc-static python3-libmount libtool
$sudo yum --enablerepo='*' --disablerepo='media-*' install -y make automake \ autoconf gettext \ libtool gcc libcap-devel systemd-devel yajl-devel libgcrypt-devel \ glibc-static libseccomp-devel python36 git
go-md2man is not available on RHEL/CentOS 8, so if you'd like to buildthe man page, you also need to manually install go-md2man. It can beinstalled with:
$sudo yum --enablerepo='*' install -y golang$export GOPATH=$HOME/go$go get github.com/cpuguy83/go-md2man$export PATH=$PATH:$GOPATH/bin
$sudo apt-get install -y make git gcc build-essential pkgconf libtool \ libsystemd-dev libprotobuf-c-dev libcap-dev libseccomp-dev libyajl-dev \ libgcrypt20-dev go-md2man autoconf python3 automake
#apk add gcc automake autoconf libtool gettext pkgconf git make musl-dev \ python3 libcap-dev libseccomp-dev yajl-dev argp-standalone go-md2man
#zypper install make automake autoconf gettext libtool gcc libcap-devel \systemd-devel libyajl-devel libseccomp-devel python3 go-md2man \glibc-static;
Note that Tumbleweed requires you to specify libseccomp's header file locationas a compiler flag.
#./autogen.sh#./configure CFLAGS='-I/usr/include/libseccomp'#make
Unless you are also building the Python bindings, Python is needed onlyby libocispec to generate the C parser at build time, it won't be usedafterwards.
Once all the dependencies are installed:
$./autogen.sh$./configure$make
To install into default PREFIX (/usr/local):
$sudo make installThe previous build instructions do not enable shared libraries, therefore you will be unable to use libcrun. If you wish to build the shared libraries you can change the previous./configure statement to./configure --enable-shared.
It is possible to build a statically linked binary of crun by using theofficially providednixpackage and the derivation of itwithin this repository. Thebuilds are completely reproducible and will create a x86_64/amd64stripped ELF binary forglibc.
To build the binaries by locally installing the nix package manager:
$curl -L https://nixos.org/nix/install| sh$git clone --recursive https://github.com/containers/crun.git&&cd crun$nix build -f nix/$./result/bin/crun --version
AnAnsible Role isalso available to automate the installation of the above staticallylinked binary on its supported OS:
$sudo su -#mkdir -p~/.ansible/roles#cd~/.ansible/roles#git clone https://github.com/alvistack/ansible-role-crun.git crun#cd~/.ansible/roles/crun#pip3 install --upgrade --ignore-installed --requirement requirements.txt#molecule converge#molecule verify
A Lua binding is available. Seethe README for more information.