runC – Open Container Initiative
3 likes1,341 views
This document discusses runC, the reference implementation of the Open Container Initiative (OCI) runtime specification. It provides an overview of OCI and runC, including how runC uses an OCI configuration file and filesystem bundle to launch and run containers. It also demonstrates how to install, build, and run runC containers on Linux, including creating OCI bundles from Docker containers and using features like rootless containers, mounting host directories, and hooks.
![OCI Scope [1/4]
• Runtime executable reference
• OCI Base Layer
• RunC - reference implementation
• https://github.com/opencontainers/runc
• Runtime Spec
• OCI Base Layer
• https://github.com/opencontainers/runtime-spec
• Defines the parameters needed to run the container](https://image.slidesharecdn.com/ocirunc-170826094112/85/runC-Open-Container-Initiative-5-320.jpg)
![OCI Scope [2/4]
• Bundle Format
• OCI Base Layer
• https://github.com/opencontainers/image-spec
• Defines the filesystem layout
• Standardization needed for various runtimes
• Hashing for Content Integrity
• OCI Base Layer
• https://github.com/opencontainers/go-digest
• Ensure content integrity](https://image.slidesharecdn.com/ocirunc-170826094112/85/runC-Open-Container-Initiative-6-320.jpg)
![OCI Scope [3/4]
• Content Addressable name
• OCI Base Layer
• Using hash as address for immutable containers
• Early stage of discussion
• Archival Format
• OCI Base Layer
• Serialization of filesystem bundle
• Yet to start](https://image.slidesharecdn.com/ocirunc-170826094112/85/runC-Open-Container-Initiative-7-320.jpg)
![OCI Scope [4/4]
• Compliance Test Suite
• OCI Base Layer
• Test cases and tools to ensure the implementations comply with the
specs
• OCI Optional Layers
• Signature
• DNS based naming](https://image.slidesharecdn.com/ocirunc-170826094112/85/runC-Open-Container-Initiative-8-320.jpg)
runC – Open Container Initiative
- 1. runC – Open Container Initiative Jeeva S. Chelladhurai https://www.linkedin.com/in/jeevachelladhurai/ @Docker Meetup #34 Author of Learning Docker https://www.packtpub.com/networking-and-servers/learning-docker-second-edition
- 3. About OCI • Open Container Initiative • Open Industry Standard • Common, minimal, open standards and specification • Container Format and Runtime • Linux Foundation Collaborative Project • Launched June 22 2015 • Docker, CoreOS and etc. • Docker donated libcontainer • https://github.com/opencontainers/runc
- 4. Why OCI • Removes vendor lock-in • Portability • Interoperability • Agility • Rootless container • Init system & Cron integration
- 5. OCI Scope [1/4] • Runtime executable reference • OCI Base Layer • RunC - reference implementation • https://github.com/opencontainers/runc • Runtime Spec • OCI Base Layer • https://github.com/opencontainers/runtime-spec • Defines the parameters needed to run the container
- 6. OCI Scope [2/4] • Bundle Format • OCI Base Layer • https://github.com/opencontainers/image-spec • Defines the filesystem layout • Standardization needed for various runtimes • Hashing for Content Integrity • OCI Base Layer • https://github.com/opencontainers/go-digest • Ensure content integrity
- 7. OCI Scope [3/4] • Content Addressable name • OCI Base Layer • Using hash as address for immutable containers • Early stage of discussion • Archival Format • OCI Base Layer • Serialization of filesystem bundle • Yet to start
- 8. OCI Scope [4/4] • Compliance Test Suite • OCI Base Layer • Test cases and tools to ensure the implementations comply with the specs • OCI Optional Layers • Signature • DNS based naming
- 9. runC • Client wrapper around libcontainer • libcontainer is OS interface • runC requires • OCI config (json) • OCI bundle (filesystem)
- 10. Environment • Vagrant https://www.vagrantup.com • VirtualBox https://www.virtualbox.org • Vagrant Box used: ubuntu/xenial64 • vagrant flow create a directory in the host system, and from that directory run below vagrant commands vagrant init ubuntu/xenial64 vagrant ssh
- 11. Installing runC thru docker • Docker uses runC as its runtime • It is shipped with docker as docker-runc ubuntu@ubuntu-xenial:~$ docker --version Docker version 17.06.0-ce, build 02c1d87 ubuntu@ubuntu-xenial:~$ docker-runc --version runc version 1.0.0-rc3 commit: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4 spec: 1.0.0-rc5
- 12. Installing runC from Release • Release binary can be downloaded from https://github.com/opencontainers/runc/releases/
- 13. Installing runC from source • install go lang 1.8.3 (might work with older versions too) • set GOROOT & GOPATH path • also install libseccomp-dev, gcc, make, pkg-config • cd $GOPATH/src/github.com/opencontainers • git clone https://github.com/opencontainers/runc • cd runc && make && sudo make install ubuntu@ubuntu-xenial:~$ runc --version runc version 1.0.0-rc4+dev commit: ae2948042b08ad3d6d13cd09f40a50ffff4fc688 spec: 1.0.0
- 14. runc CLI
- 15. docker-runc CLI
- 16. OCI runC flow nnkn Config.json -platform -env -user -hostname -root + r rootfs / bin/ etc/ home/ opt/ …… Container Runtime ContainerContainer Filesystem Bundle
- 17. Creating an OCI Bundle 1. Choose a directory $ cd ${HOME}/myalpine 2. Create rootfs $ mkdir rootfs 3. Create a docker container $ docker create --name myalpine alpine 4. Export the container to a tar file $ docker container export myalpine -o myalpine.tar 5. Untar the file into rootfs $ tar -C rootfs -xvf myalpine.tar 6. Generate config.json spec $ runc spec
- 18. Create a bundle in a single stroke 1. Choose a directory $ cd ${HOME}/myalpine2 2. Create rootfs $ mkdir rootfs 3. Create bundle with chain of commands $ docker export $(docker create alpine) | tar -C rootfs -xvf - 4. Generate config.json spec $ runc spec
- 19. Running your first runc container 1. Change to the OCI Bundle directory $ cd ${HOME}/myalpine 2. Run the alpine bundle as root $ sudo runc run myalpine
- 21. Working with spec false “ip”, “addr” Remove netwrok namespace for host network
- 22. runc on host network config.json https://gist.github.com/sjeeva/903de797838882082af7921bac5fbfd4
- 23. rootless containers • Running container as non-root user • runc binary should be owned by root • Create a spec for rootless container • runc spec --rootless • Launch runc with --root option • runc --root /tmp/runc run myalpine
- 24. Mounting host directories • Edit the config.json spec and added the mount point to the mounts section • Example:
- 25. Hooks • Supports three hooks to perform specific action • prestart – before launching the container • poststart – after launching the user process inside the container • poststop – after stopping the user process inside the container