basetenlabs/runc

basetenlabs/runc

Description: CLI tool for spawning and running containers according to the OCI specification

License: Apache-2.0

Stars: 0

Forks: 0

Open issues: 0

Created: 2026-06-02T16:22:10Z

Pushed: 2026-06-01T13:08:55Z

Default branch: main

Fork: yes

Parent repository: opencontainers/runc

Archived: no

README:

runc

    

Introduction

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

Releases

You can find official releases of runc on the release page.

All releases are signed by one of the keys listed in the [runc.keyring file in the root of this repository](runc.keyring).

Security

The reporting process and disclosure communications are outlined here.

Security Audit

A third party security audit was performed by Cure53, you can see the full report here.

Building

runc only supports Linux. See the header of [go.mod](./go.mod) for the minimally required Go version.

Pre-Requisites

Utilities and Libraries

In addition to Go, building runc requires multiple utilities and libraries to be installed on your system.

On Ubuntu/Debian, you can install the required dependencies with:

apt update && apt install -y make gcc linux-libc-dev libseccomp-dev pkg-config git

On CentOS/Fedora, you can install the required dependencies with:

yum install -y make gcc kernel-headers libseccomp-devel pkg-config git

On Alpine Linux, you can install the required dependencies with:

apk --update add bash make gcc libseccomp-dev musl-dev linux-headers git

The following dependencies are optional:

• libseccomp - only required if you enable seccomp support; to disable, see [Build Tags](#build-tags).
• libpathrs - only required if you enable libpathrs support; to disable, see [Build Tags](#build-tags).

For notes on installing libpathrs, see [the next section](#libpathrs).

##### libpathrs

[libpathrs][] is a Rust library runc can optionally use for path safety. As mentioned in [the build tag section](#build-tags), its use is controlled with the libpathrs build tag. runc currently requires at least libpathrs 0.2.4 in order to function properly.

At time of writing, very few distributions have libpathrs packages and so it is usually necessary to build and install it locally. For detailed installation instructions, see [the upstream documentation][libpathrs-install-md], but for development builds the following instructions should be sufficient:

libpathrs requires Rust 1.63+ (which is available on almost any distribution, including Debian oldstable and enterprise distributions like RHEL or SLES). Assuming you already have cargo installed (as well as other libpathrs dependencies like clang and lld), the following steps are all that are really necessary to install libpathrs:

LIBPATHRS_VERSION=0.2.4
curl -o - -sSL https://github.com/cyphar/libpathrs/releases/download/v${LIBPATHRS_VERSION}/libpathrs-${LIBPATHRS_VERSION}.tar.xz | tar xvfJ -
cd libpathrs-${LIBPATHRS_VERSION}/
make release
sudo ./install.sh --prefix=/usr/local
sudo ldconfig

As part of our CI, we make use of a custom [installation script for libpathrs][libpathrs-install-script] which may be useful as a reference for folks with more complicated needs. With script/build-libpathrs.sh the installation of libpathrs becomes as simple as:

sudo ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr/local
sudo ldconfig

However, please note that this installation script is completely unsupported and is not really intended for general use (it includes some workarounds for issues in our CI which will no longer be necessary once libpathrs has distribution packages we can use).

[libpathrs]: https://github.com/cyphar/libpathrs [libpathrs-install-md]: https://github.com/cyphar/libpathrs/blob/main/INSTALL.md [libpathrs-install-script]: ./script/build-libpathrs.sh [gha-test-yml]: ./.github/workflows/test.yml

Build

# create a 'github.com/opencontainers' in your GOPATH/src
cd github.com/opencontainers
git clone https://github.com/opencontainers/runc
cd runc

make
sudo make install

You can also use go get to install to your GOPATH, assuming that you have a github.com parent folder already created under src:

go get github.com/opencontainers/runc
cd $GOPATH/src/github.com/opencontainers/runc
make
sudo make install

runc will be installed to /usr/local/sbin/runc on your system.

Version string customization

You can see the runc version by running runc --version. You can append a custom string to the version using the EXTRA_VERSION make variable when building, e.g.:

make EXTRA_VERSION="+build-1"

Bear in mind to include some separator for readability.

Build Tags

runc supports optional build tags for compiling support of various features, with some of them enabled by default in the top-level Makefile.

The following build tags are currently recognized:

| Build Tag | Feature | Set by Default | Dependencies | |---------------|---------------------------------------|----------------|---------------------| | seccomp | Syscall filtering using libseccomp. | yes | libseccomp | | libpathrs | Use [libpathrs][] for path safety. | yes | [libpathrs][] | | runc_nocriu | Disables runc checkpoint/restore. | no | criu |

[libpathrs]: https://github.com/cyphar/libpathrs

To add or remove build tags from the default set, use the RUNC_BUILDTAGS make or shell variable. Tags prefixed with - are removed from…