2.2.2.2 Runc Process Creation

A focused guide to Runc Process Creation, connecting core concepts with practical Docker and container operations.

Runc process creation is the specific sequence runc follows to bring a container's main process into existence: preparing the root filesystem, constructing the requested namespaces, and finally executing the configured command inside that newly isolated environment.

Preparing the Root Filesystem

Before the container's process starts, runc sets up the root filesystem it will see — typically a directory already assembled from an image's layers by a higher-level tool such as containerd — and configures any additional mounts specified in the configuration.

{
  "root": { "path": "rootfs", "readonly": false },
  "mounts": [
    { "destination": "/proc", "type": "proc", "source": "proc" }
  ]
}

This mounts entry gives the container a working /proc filesystem, one of the standard mounts a typical Linux environment expects. Note that "readonly": false leaves the root filesystem writable; setting it to true is a common hardening step when the workload does not need to write to its root.

Constructing Namespaces

runc calls into the kernel to create the namespaces the configuration requests: PID, network, mount, UTS, and others, each isolating a different aspect of the container's view of the system from the host.

unshare --pid --net --mount --fork bash

Although runc does this through direct system calls rather than the unshare command, this command demonstrates conceptually the same kernel mechanism being invoked: creating new namespaces before running a process inside them. Note that this invocation creates a new PID namespace but does not remount /proc, so tools like ps inside the shell still read the host's process table from the inherited /proc; that is exactly why the /proc mount in the configuration above matters.

Pivoting Into the New Root

Once namespaces are set up, runc changes the process's root filesystem to the container's prepared root, so that from inside the container, the filesystem appears to start at what is actually a subdirectory of the host's filesystem.

chroot rootfs sh

This is a simplified illustration of the same underlying idea. In practice runc uses the more robust pivot_root, which swaps in the new root mount and detaches the old one so the container has no path back to the host's filesystem, whereas chroot only changes where path resolution starts and is not a security boundary on its own. The goal is the same: confining the process's filesystem view.

Executing the Container's Process

With the environment fully prepared, runc finally executes the process named in the configuration, which becomes the container's main process — the point at which the container is considered "running."

runc run mycontainer

Why This Sequence Matters

Each step in this sequence corresponds to a distinct kernel mechanism being engaged in the correct order — filesystem preparation before namespace creation, namespace creation before process execution — and understanding this order clarifies why certain container configuration mistakes (such as missing mounts) manifest as failures at a very specific, identifiable stage of startup.
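A stage-ordered sanity check for a config.json fragment, added here as an example and not runc's own code: it reports each problem under the startup stage (rootfs, mounts, namespaces, process) at which it would surface, assuming the OCI runtime-spec field layout (root.path, mounts[].destination, linux.namespaces[].type, process.args); the "minimum" namespace set and both sample configs are constructed for the example.

```python
import json

# Added example, not runc's own code. Field layout follows the OCI runtime spec
# (root.path, mounts[].destination, linux.namespaces[].type, process.args).


def check_config(cfg: dict) -> list[str]:
    """Return 'stage: problem' strings ordered by the runc startup stage at
    which each would surface: rootfs -> mounts -> namespaces -> process."""
    problems = []
    # Stage 1: the root filesystem runc will pivot_root into.
    if not cfg.get("root", {}).get("path"):
        problems.append("rootfs: root.path is missing, nothing to pivot into")
    # Stage 2: extra mounts. A dropped /proc is the classic 'container starts
    # but ps/top are broken' mistake.
    dests = {m.get("destination") for m in cfg.get("mounts", [])}
    if "/proc" not in dests:
        problems.append("mounts: no /proc mount, no procfs visible at /proc")
    # Stage 3: namespaces requested from the kernel (minimum set is an assumption).
    ns_types = {ns.get("type") for ns in cfg.get("linux", {}).get("namespaces", [])}
    for ns in ("pid", "mount", "network"):
        if ns not in ns_types:
            problems.append(f"namespaces: no {ns} namespace, container shares the host's")
    # Stage 4: the command that becomes the container's main process.
    if not cfg.get("process", {}).get("args"):
        problems.append("process: process.args is empty, nothing to exec")
    return problems


def check_config_json(text: str) -> list[str]:
    """Same check on the raw JSON text of a bundle's config.json."""
    return check_config(json.loads(text))


# Constructed sample: the page's fragment extended with namespaces and a process.
GOOD = {
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"}],
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "network"}]},
    "process": {"args": ["sh"]},
}
# Constructed sample with the /proc mount and the pid namespace dropped.
BAD = {"root": {"path": "rootfs"}, "mounts": [],
       "linux": {"namespaces": [{"type": "mount"}, {"type": "network"}]},
       "process": {"args": ["sh"]}}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_config(cfg) or ["ok"])
```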