2.2.2.1 Runc OCI Execution
A focused guide to Runc OCI Execution, connecting core concepts with practical Docker and container operations.
Runc OCI execution is the process by which runc reads a configuration file written according to the Open Container Initiative runtime specification, and uses it to construct and start the precise kernel-level environment — namespaces, cgroups, mounts — that a container needs.
The Configuration File as the Source of Truth
Everything runc needs to know about a container is contained in a single JSON configuration file: which namespaces to create, what the container's root filesystem is, what resource limits apply, and what command to run as the container's main process.
runc spec
This generates a default config.json in the current directory, which can then be edited to describe exactly the container environment wanted before runc is asked to create it.
{
  "process": {
    "args": ["sh"],
    "cwd": "/"
  },
  "root": {
    "path": "rootfs"
  }
}
Creating Namespaces According to the Spec
Based on the namespaces section of the configuration, runc asks the kernel to create new PID, network, mount, and other namespaces for the container, isolating its view of processes, network interfaces, and filesystem from the host and from other containers.
runc run mycontainer
Applying Resource Limits
The configuration's resource section is translated by runc into cgroup settings, constraining how much CPU and memory the container's process can consume.
{
  "linux": {
    "resources": {
      "memory": { "limit": 268435456 }
    }
  }
}
Executing the Container's Process
Once the environment is constructed, runc executes the configured process directly inside it, and that process becomes the container — there is no additional wrapper process beyond what the configuration specifies.
runc state mycontainer
This reports the current state of a container runc is managing, including the process ID of its main process on the host: even though the container has its own isolated view, that process is still an ordinary process from the host kernel's perspective.
Why This Matters
Because runc's behavior is entirely determined by a standard, inspectable configuration file, the exact isolation properties of any container can be understood and verified directly from that specification, independent of whatever higher-level tool generated it.
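As an added example of verifying isolation properties straight from the specification (not code from the page or from runc itself), the following audits a config.json for the namespaces, resource limits and root filesystem settings discussed above. The embedded configuration is constructed for the example and is a deliberately abridged, weakened variant of what `runc spec` produces; the set of expected namespaces is an assumption of this check, not an OCI requirement.

```python
import json

# Constructed sample config.json (abridged): no network namespace,
# writable rootfs, a memory limit but no CPU quota, main process as uid 0.
SAMPLE_CONFIG = """
{
  "ociVersion": "1.0.2",
  "process": {"args": ["sh"], "cwd": "/", "user": {"uid": 0, "gid": 0}},
  "root": {"path": "rootfs", "readonly": false},
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"},
                   {"type": "ipc"}, {"type": "uts"}],
    "resources": {"memory": {"limit": 268435456}}
  }
}
"""

# Assumed baseline: the namespaces a default `runc spec` config requests.
EXPECTED_NAMESPACES = {"pid", "network", "ipc", "uts", "mount"}


def audit_config(text):
    """Return a list of human-readable findings for an OCI runtime config."""
    cfg = json.loads(text)
    findings = []
    linux = cfg.get("linux", {})

    # Each listed namespace type is one the kernel will create for the
    # container; anything absent is shared with the host.
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"missing namespace: {ns} (shares host {ns} namespace)")

    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")

    # The resources section becomes cgroup settings; no entry means no cap.
    res = linux.get("resources", {})
    if "limit" not in res.get("memory", {}):
        findings.append("no memory limit (no cgroup memory cap)")
    if "quota" not in res.get("cpu", {}):
        findings.append("no cpu quota")

    user = cfg.get("process", {}).get("user", {})
    if user.get("uid", 0) == 0 and "user" not in present:
        findings.append("process runs as uid 0 without a user namespace")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Point the same function at a real config.json (`audit_config(open("config.json").read())`) to review a bundle before handing it to `runc run`.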