2.2.2 Runc Role

A focused guide to Runc Role, connecting core concepts with practical Docker and container operations.

runc's role is to take a fully specified OCI runtime configuration and a root filesystem and create the isolated Linux process that becomes the running container. It is the lowest-level component in Docker's container stack, directly responsible for the kernel-level mechanics of isolation.

A Minimal, Focused Tool

runc does one thing: given a configuration describing namespaces, cgroups, mounts, and the command to execute, it sets up that environment using Linux kernel features and then executes the specified process inside it.

runc run mycontainer

This command, run against a properly prepared root filesystem and configuration, creates and starts an isolated container process directly, without any of the higher-level image management or networking convenience that Docker or containerd provide on top.

Implementing the OCI Runtime Specification

runc is the reference implementation of the OCI runtime specification, meaning the configuration format it consumes is a published, vendor-neutral standard, not something specific to Docker.

runc spec
cat config.json

runc spec writes a default config.json in this standard format into the current directory; reading and editing that file is the most direct way to see exactly what a container's isolation settings (namespaces, capabilities, mounts, seccomp profile) consist of.

Direct Kernel Interaction

runc is the component that actually calls into Linux kernel features — creating namespaces, configuring cgroups, setting up mounts — to assemble the isolated environment a container runs inside.

strace -f -e trace=clone,unshare runc run mycontainer

Tracing runc's system calls reveals the underlying kernel primitives it uses to construct container isolation, such as clone and unshare called with CLONE_NEW* namespace flags.
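Both the config.json that runc spec writes and the kernel calls that strace exposes can be checked from a short script. The following is an added example, not runc's own code: it reads a constructed config.json and reports the isolation settings a defender cares about (declared namespaces, high-risk bounding capabilities, noNewPrivileges, read-only root, seccomp), then cross-checks the declared namespaces against the CLONE_NEW* flags found in a constructed strace capture. The config contents, the strace lines and the HIGH_RISK_CAPS set are assumptions made for the example; the field names follow the OCI runtime specification.

```python
"""Audit an OCI runtime config.json (the file `runc spec` produces) and
cross-check its namespaces against clone/unshare flags seen under strace.

Added example, not runc's own code. The config and strace text below are
constructed for the example; field names follow the OCI runtime spec.
"""
import json
import re

# OCI namespace type -> the clone(2)/unshare(2) flag that creates it.
NS_FLAG = {
    "mount": "CLONE_NEWNS",
    "uts": "CLONE_NEWUTS",
    "ipc": "CLONE_NEWIPC",
    "pid": "CLONE_NEWPID",
    "network": "CLONE_NEWNET",
    "user": "CLONE_NEWUSER",
    "cgroup": "CLONE_NEWCGROUP",
}

# Capabilities that, if left in the bounding set, largely defeat isolation (assumed list).
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                  "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}

# Constructed config.json, trimmed to the fields the audit looks at.
CONFIG_JSON = """
{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 0, "gid": 0},
    "args": ["sh"],
    "noNewPrivileges": true,
    "capabilities": {
      "bounding": ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"]
    }
  },
  "root": {"path": "rootfs", "readonly": true},
  "linux": {
    "namespaces": [
      {"type": "pid"}, {"type": "network"}, {"type": "ipc"},
      {"type": "uts"}, {"type": "mount"}
    ],
    "maskedPaths": ["/proc/kcore", "/proc/sysrq-trigger"],
    "readonlyPaths": ["/proc/sys"]
  }
}
"""

# Constructed lines in the shape `strace -f -e trace=clone,unshare` prints.
STRACE_OUTPUT = """\
[pid 4242] clone(child_stack=NULL, flags=CLONE_PARENT|SIGCHLD) = 4243
[pid 4243] unshare(CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWNET) = 0
[pid 4243] clone(child_stack=NULL, flags=CLONE_PARENT|SIGCHLD) = 4244
"""


def audit_config(config_text):
    """Summarise the isolation settings a config.json declares and flag weak ones."""
    cfg = json.loads(config_text)
    proc = cfg.get("process", {})
    linux = cfg.get("linux", {})
    namespaces = {ns["type"] for ns in linux.get("namespaces", [])}
    bounding = set(proc.get("capabilities", {}).get("bounding", []))
    findings = []
    for ns in NS_FLAG:
        if ns not in namespaces:
            findings.append(f"namespace '{ns}' not declared: shared with the host")
    for cap in sorted(bounding & HIGH_RISK_CAPS):
        findings.append(f"bounding set grants {cap}")
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not set")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")
    if "seccomp" not in linux:
        findings.append("no seccomp profile: every syscall is allowed")
    if proc.get("user", {}).get("uid", 0) == 0 and "user" not in namespaces:
        findings.append("process runs as uid 0 without a user namespace")
    return {"namespaces": namespaces, "bounding": bounding, "findings": findings}


def observed_namespace_flags(strace_text):
    """Collect CLONE_NEW* flags from clone()/unshare() calls in an strace capture."""
    flags = set()
    for line in strace_text.splitlines():
        if re.search(r"\b(clone|unshare)\(", line):
            flags.update(re.findall(r"CLONE_NEW[A-Z]+", line))
    return flags


def check_namespaces_applied(config_text, strace_text):
    """Return declared namespaces whose kernel flag never appears in the trace."""
    declared = audit_config(config_text)["namespaces"]
    observed = observed_namespace_flags(strace_text)
    return sorted(ns for ns in declared if NS_FLAG[ns] not in observed)


if __name__ == "__main__":
    for finding in audit_config(CONFIG_JSON)["findings"]:
        print("finding:", finding)
    print("declared but not observed:", check_namespaces_applied(CONFIG_JSON, STRACE_OUTPUT))
```

On the constructed input the audit reports the missing user and cgroup namespaces, CAP_SYS_ADMIN in the bounding set, the absent seccomp profile and the root user without a user namespace, while the namespace cross-check comes back empty because every declared namespace has a matching CLONE_NEW* flag in the trace. Dropping a flag from the trace (for example CLONE_NEWNET) makes that namespace show up as declared but not observed, which is the mismatch the check exists to catch.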

Why runc's Narrow Scope Matters

Because runc does only this one job, and does it according to a published specification, it can be reused by any system that needs to create OCI-compliant containers, which is exactly why it sits underneath both Docker (via containerd) and many other container ecosystems without those systems needing to reimplement process isolation themselves.

runc list

This lists containers runc itself is aware of on the current host, distinct from, but consistent with, what higher-level tools like docker ps report.