Chapter 6. Selecting a container runtime

The runc and crun container runtimes can be used interchangeably because both implement the OCI runtime specification. The crun container runtime has a couple of advantages over runc: it is faster and requires less memory. For that reason, crun is the recommended container runtime.

6.1. The runc container runtime

The runc container runtime is a lightweight, portable implementation of the Open Container Initiative (OCI) container runtime specification. The runc runtime shares a lot of low-level code with Docker, but it does not depend on any of the components of the Docker platform. The runc runtime supports Linux namespaces and live migration, and has portable performance profiles.

It also provides full support for Linux security features such as SELinux, control groups (cgroups), seccomp, and others. You can build and run images with runc, or you can run OCI-compatible images with runc.

6.2. The crun container runtime

The crun runtime is a fast OCI container runtime with a low memory footprint, written in C. The crun binary is up to 50 times smaller and up to twice as fast as the runc binary. Using crun, you can also set a minimal number of processes when running your container. The crun runtime also supports OCI hooks.

Additional features of crun include:

  • Sharing files by group for rootless containers
  • Controlling the stdout and stderr of OCI hooks
  • Running older versions of systemd on cgroup v2
  • A C library that is used by other programs
  • Extensibility
  • Portability

6.3. Running containers with runc and crun

With runc or crun, containers are configured using bundles. A bundle for a container is a directory that includes a specification file named config.json and a root filesystem. The root filesystem contains the contents of the container.

Note

The <runtime> can be crun or runc.

Prerequisites

  • The container-tools module is installed.

Procedure

  1. Pull the registry.access.redhat.com/ubi8/ubi container image:

    # podman pull registry.access.redhat.com/ubi8/ubi

  2. Export the registry.access.redhat.com/ubi8/ubi image to the rhel.tar archive:

    # podman export $(podman create registry.access.redhat.com/ubi8/ubi) > rhel.tar

  3. Create the bundle/rootfs directory:

    # mkdir -p bundle/rootfs

  4. Extract the rhel.tar archive into the bundle/rootfs directory:

    # tar -C bundle/rootfs -xf rhel.tar

  5. Create a new specification file named config.json for the bundle:

    # <runtime> spec -b bundle

    • The -b option specifies the bundle directory. The default value is the current directory.

  6. Optional: Change the settings:

    # vi bundle/config.json

  7. Create an instance of a container named myubi for a bundle:

    # <runtime> create -b bundle/ myubi

  8. Start a myubi container:

    # <runtime> start myubi

Note

The name of a container instance must be unique to the host. To start a new instance of a container:

    # <runtime> start <container_name>

Verification

  • List containers started by <runtime>:

    # <runtime> list
    ID               PID         STATUS      BUNDLE            CREATED                          OWNER
    myubi            0           stopped     /root/bundle      2021-09-14T09:52:26.659714605Z   root
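
Step 6 of the procedure edits bundle/config.json by hand. The following added example, which is not part of the Red Hat procedure, audits the security-relevant fields of an OCI runtime specification before the container is created. The SAMPLE spec, the RISKY_CAPS selection and the finding texts are constructed for this illustration.

```python
import json

# Assumed selection of capabilities that largely undo container isolation when granted.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
              "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}
# A namespace type absent from linux.namespaces is inherited from the runtime (host).
EXPECTED_NS = {"pid", "mount", "ipc", "uts", "network"}

# Constructed sample config.json, deliberately weakened for the demonstration.
SAMPLE = json.loads("""
{"ociVersion": "1.0.2", "root": {"path": "rootfs", "readonly": true},
 "process": {"user": {"uid": 0, "gid": 0}, "args": ["sh"], "noNewPrivileges": false,
             "capabilities": {"bounding": ["CAP_KILL", "CAP_SYS_ADMIN"],
                              "effective": ["CAP_KILL", "CAP_SYS_ADMIN"]}},
 "linux": {"namespaces": [{"type": "pid"}, {"type": "ipc"},
                          {"type": "uts"}, {"type": "mount"}]}}
""")


def audit_spec(spec):
    """Return hardening findings for a parsed OCI runtime config.json."""
    process, linux = spec.get("process", {}), spec.get("linux", {})
    ns = {n.get("type") for n in linux.get("namespaces", [])}
    findings = []
    if not process.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not true")
    if process.get("user", {}).get("uid", 0) == 0 and "user" not in ns:
        findings.append("uid 0 without a user namespace")
    if not spec.get("root", {}).get("readonly", False):
        findings.append("root.readonly is not true")
    if not linux.get("seccomp"):
        findings.append("no linux.seccomp profile")
    findings += [f"{t} namespace shared with host" for t in sorted(EXPECTED_NS - ns)]
    granted = set()
    for cap_set in (process.get("capabilities") or {}).values():
        granted.update(cap_set or [])
    findings += [f"risky capability {c}" for c in sorted(granted & RISKY_CAPS)]
    return findings


def audit_bundle(bundle_dir):
    """Audit <bundle_dir>/config.json, for example the bundle directory above."""
    with open(f"{bundle_dir}/config.json", encoding="utf-8") as fh:
        return audit_spec(json.load(fh))


if __name__ == "__main__":
    print("\n".join(audit_spec(SAMPLE)))
```

Calling audit_bundle("bundle") after step 5 or step 6 checks the file that <runtime> create will consume.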

6.4. Temporarily changing the container runtime

You can use the podman run command with the --runtime option to change the container runtime.

Note

The <runtime> can be crun or runc.

Prerequisites

  • The container-tools module is installed.

Procedure

  1. Pull the registry.access.redhat.com/ubi8/ubi container image:

    $ podman pull registry.access.redhat.com/ubi8/ubi

  2. Change the container runtime using the --runtime option:

    $ podman run --name=myubi -dt --runtime=<runtime> ubi8
    e4654eb4df12ac031f1d0f2657dc4ae6ff8eb0085bf114623b66cc664072e69b

  3. Optional: List all containers:

    $ podman ps -a
    CONTAINER ID  IMAGE                                   COMMAND  CREATED        STATUS            PORTS   NAMES
    e4654eb4df12  registry.access.redhat.com/ubi8:latest  bash     4 seconds ago  Up 4 seconds ago          myubi

Verification

  • Ensure that the OCI runtime is set to <runtime> in the myubi container:

    $ podman inspect myubi --format "{{.OCIRuntime}}"
    <runtime>

6.5. Permanently changing the container runtime

You can set the container runtime and its options in the /etc/containers/containers.conf configuration file as a root user or in the $HOME/.config/containers/containers.conf configuration file as a non-root user.

Note

The <runtime> can be crun or runc.

Prerequisites

  • The container-tools module is installed.

Procedure

  1. Change the runtime in the /etc/containers/containers.conf file:

    # vim /etc/containers/containers.conf
    [engine]
    runtime = "<runtime>"

  2. Run the container named myubi:

    # podman run --name=myubi -dt ubi8 bash
    Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
    Trying to pull registry.access.redhat.com/ubi8:latest…
    ...
    Storing signatures

Verification

  • Ensure that the OCI runtime is set to <runtime> in the myubi container:

    # podman inspect myubi --format "{{.OCIRuntime}}"
    <runtime>