crun(1)                     General Commands Manual                    crun(1)

NAME
       crun - a fast and lightweight OCI runtime

SYNOPSIS
       crun [global options] command [command options] [arguments...]

DESCRIPTION
       crun is a command line program for running Linux containers that follow
       the Open Container Initiative (OCI) format.

COMMANDS
       create Create a container. The runtime detaches from the container
              process once the container environment is created. It is
              necessary to subsequently use start to start the container.

       delete Remove the definition for a container.

       exec   Exec a command in a running container.

       list   List known containers.

       kill   Send the specified signal to the container init process. If no
              signal is specified, SIGTERM is used.

       ps     Show the processes running in a container.

       run    Create and immediately start a container.

       spec   Generate a configuration file.

       start  Start a container that was previously created. A container
              cannot be started multiple times.

       state  Output the state of a container.

       pause  Pause all the processes in the container.

       resume Resume the processes in the container.

       update Update container resource constraints.

       checkpoint
              Checkpoint a running container using CRIU.

       restore
              Restore a container from a checkpoint.

STATE
       By default, when running as the root user, crun saves its state under
       the /run/crun directory. As an unprivileged user, the XDG_RUNTIME_DIR
       environment variable is honored instead, and the directory
       $XDG_RUNTIME_DIR/crun is used. The global option --root overrides this
       setting.

GLOBAL OPTIONS
       --debug Produce verbose output.

       --log=LOG-DESTINATION Define the destination for the error and warning
       messages generated by crun. If the error happens late in the container
       init process, when crun has already stopped watching it, then it is
       printed to the container stderr.

       It is specified in the form BACKEND:SPECIFIER.

       The following backends are supported:

       · file:PATH

       · journald:IDENTIFIER

       · syslog:IDENTIFIER

       If no backend is specified, then file: is used by default.

       --log-format=FORMAT Define the format of the log messages. It can be
       either text or json. The default is text.

       --no-pivot Use chroot(2) instead of pivot_root(2) when creating the
       container. This option is not safe and should be avoided: unlike
       pivot_root(2), chroot(2) does not detach the old root mount, so the
       host filesystem stays reachable from inside the container.

       --root=DIR Defines where to store the state for crun containers.

       --systemd-cgroup Use systemd for configuring cgroups. If not specified,
       the cgroup is created directly using the cgroupfs backend.

       --cgroup-manager=MANAGER Specify which cgroup manager must be used.
       Permitted values are cgroupfs, systemd and disabled.

       -?, --help Print a help list.

       --usage Print a short usage message.

       -V, --version Print the program version.

CREATE OPTIONS
       crun [global options] create [options] CONTAINER

       --bundle=BUNDLE Path to the OCI bundle; by default it is the current
       directory.

       --config=FILE Override the configuration file to use. The default
       value is config.json.

       --console-socket=SOCKET Path to a UNIX socket that will receive the
       ptmx (master) end of the tty for the container.

       --no-new-keyring Keep the same session keyring instead of creating a
       new one for the container.

       --preserve-fds=N Additional number of FDs to pass into the container.

       --pid-file=PATH Path to the file that will contain the container
       process PID.

RUN OPTIONS
       crun [global options] run [options] CONTAINER

       --bundle=BUNDLE Path to the OCI bundle; by default it is the current
       directory.

       --config=FILE Override the configuration file to use. The default
       value is config.json.

       --console-socket=SOCKET Path to a UNIX socket that will receive the
       ptmx (master) end of the tty for the container.

       --no-new-keyring Keep the same session keyring instead of creating a
       new one for the container.

       --preserve-fds=N Additional number of FDs to pass into the container.

       --pid-file=PATH Path to the file that will contain the container
       process PID.

       --detach Detach the container process from the current session.

DELETE OPTIONS
       crun [global options] delete [options] CONTAINER

       --force Delete the container even if it is still running.

       --regex=REGEX Delete all the containers that satisfy the specified
       regex.

EXEC OPTIONS
       crun [global options] exec [options] CONTAINER CMD

       --console-socket=SOCKET Path to a UNIX socket that will receive the
       ptmx (master) end of the tty for the container.

       --cwd=PATH Set the working directory for the process to PATH.

       --cap=CAP Specify an additional capability to add to the process.

       --detach Detach the container process from the current session.

       --env=ENV Specify an environment variable.

       --preserve-fds=N Additional number of FDs to pass into the container.

       --process=FILE Path to a file containing the process JSON
       configuration.

       --pid-file=PATH Path to the file that will contain the new process PID.

       -t, --tty Allocate a pseudo TTY.

       -u USERSPEC, --user=USERSPEC Specify the user in the form UID[:GID].

LIST OPTIONS
       crun [global options] list [options]

       -q, --quiet Show only the container ID.

KILL OPTIONS
       crun [global options] kill [options] CONTAINER SIGNAL

       --all Kill all the processes in the container.

       --regex=REGEX Kill all the containers that satisfy the specified regex.

PS OPTIONS
       crun [global options] ps [options]

       --format=FORMAT Specify the output format. It must be either table or
       json. By default table is used.

SPEC OPTIONS
       crun [global options] spec [options]

       --rootless Generate a config.json file that is usable by an
       unprivileged user.

UPDATE OPTIONS
       crun [global options] update [options] CONTAINER

       --blkio-weight=VALUE Specifies the per cgroup block I/O weight.

       --cpu-period=VALUE CPU CFS period to be used for hardcapping.

       --cpu-quota=VALUE CPU CFS hardcap limit.

       --cpu-rt-period=VALUE CPU realtime period to be used for hardcapping.

       --cpu-rt-runtime=VALUE CPU realtime hardcap limit.

       --cpu-share=VALUE CPU shares.

       --cpuset-cpus=VALUE CPU(s) to use.

       --cpuset-mems=VALUE Memory node(s) to use.

       --kernel-memory=VALUE Kernel memory limit.

       --kernel-memory-tcp=VALUE Kernel memory limit for TCP buffers.

       --memory=VALUE Memory limit.

       --memory-reservation=VALUE Memory reservation (soft limit).

       --memory-swap=VALUE Total memory usage limit (memory plus swap).

       --pids-limit=VALUE Maximum number of pids allowed in the container.

       -r, --resources=FILE Path to the file containing the resources to
       update.

CHECKPOINT OPTIONS
       crun [global options] checkpoint [options] CONTAINER

       --image-path=DIR Path for saving CRIU image files.

       --work-path=DIR Path for saving work files and logs.

       --leave-running Leave the process running after checkpointing.

       --tcp-established Allow open TCP connections.

       --ext-unix-sk Allow external UNIX sockets.

       --shell-job Allow shell jobs.

RESTORE OPTIONS
       crun [global options] restore [options] CONTAINER

       -b DIR, --bundle=DIR Container bundle directory (default ".").

       --image-path=DIR Path of the CRIU image files to restore from.

       --work-path=DIR Path for saving work files and logs.

       --tcp-established Allow open TCP connections.

       --ext-unix Allow external UNIX sockets.

       --shell-job Allow shell jobs.

       --detach Detach from the container's process.

       --pid-file=FILE Where to write the PID of the container.

EXTENSIONS TO OCI
   run.oci.seccomp.receiver=PATH
       If the annotation run.oci.seccomp.receiver=PATH is specified, the
       seccomp listener (the seccomp user-notification file descriptor) is
       sent to the UNIX socket listening on the specified path. It can also
       be set with the RUN_OCI_SECCOMP_RECEIVER environment variable. It is
       an experimental feature, and the annotation will be removed once it is
       supported in the OCI runtime specs. It must be an absolute path.
       Whoever reads from that socket can inspect, and answer, every syscall
       the filter forwards to the listener, so the receiver must be trusted.

   run.oci.seccomp.plugins=PLUGIN1[:PLUGIN2]...
       If the annotation run.oci.seccomp.plugins=PLUGIN1[:PLUGIN2]... is
       specified, the seccomp listener fd is handled through the specified
       plugins. Each plugin must either be an absolute path or a file name
       that is looked up by dlopen(3). More information on how the lookup is
       performed is available in the ld.so(8) man page.

   run.oci.seccomp_fail_unknown_syscall
       If the annotation run.oci.seccomp_fail_unknown_syscall is present, then
       crun will fail when an unknown syscall is encountered in the seccomp
       configuration. Without the annotation such an entry is skipped, so a
       misspelled syscall name in a deny rule silently leaves that syscall
       unfiltered.

   run.oci.seccomp_bpf_data
       If the annotation run.oci.seccomp_bpf_data is present, then crun
       ignores the seccomp section in the OCI configuration file and uses the
       specified data as the raw data to the seccomp(SECCOMP_SET_MODE_FILTER)
       syscall. The data must be encoded in base64. crun passes the program
       through as-is; only the kernel's BPF verifier checks it, so the policy
       it expresses must be reviewed before it is put in the bundle.

       It is an experimental feature, and the annotation will be removed once
       it is supported in the OCI runtime specs.
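
       An added example, not part of this man page or of the crun sources,
       showing how the raw program carried by run.oci.seccomp_bpf_data can be
       assembled and checked. It builds a classic BPF filter by hand with
       Python's struct module (opcode and return-value constants copied from
       <linux/filter.h> and <linux/seccomp.h>), base64-encodes it the way the
       annotation expects, and includes a tiny interpreter for the three
       opcodes it emits so the verdict for a given (arch, syscall) pair can be
       confirmed before the blob is handed to crun. The x86-64 syscall numbers
       272 (unshare), 250 (keyctl) and 101 (ptrace) are a constructed sample
       policy, not anything the page prescribes.

```python
"""Added example (not crun's own code): assemble a raw seccomp BPF filter,
encode it for the run.oci.seccomp_bpf_data annotation, and check what it
returns for a given syscall before handing it to the runtime."""
import base64
import json
import struct

# Opcodes and return values from <linux/filter.h> and <linux/seccomp.h>.
BPF_LD_W_ABS = 0x20           # BPF_LD | BPF_W | BPF_ABS: load a word of seccomp_data
BPF_JMP_JEQ_K = 0x15          # BPF_JMP | BPF_JEQ | BPF_K: skip jt/jf insns on acc == k
BPF_RET_K = 0x06              # BPF_RET | BPF_K: return k
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
OFF_NR, OFF_ARCH = 0, 4       # struct seccomp_data { int nr; __u32 arch; ... }


def insn(code, jt, jf, k):
    """One struct sock_filter {u16 code; u8 jt; u8 jf; u32 k;} (little-endian host)."""
    return struct.pack("<HBBI", code, jt, jf, k)


def build_filter(arch, denied, errno=None):
    """Deny the syscall numbers in `denied` (with errno, or kill the process
    when errno is None) and allow everything else. The architecture is checked
    first: without it a compat (32-bit) caller could reach the same numbers
    with different meanings, so a foreign arch is killed outright."""
    denied = sorted(set(denied))
    n = len(denied)
    if n > 255:
        raise ValueError("jump offsets are 8-bit; split the deny list")
    prog = [
        insn(BPF_LD_W_ABS, 0, 0, OFF_ARCH),
        insn(BPF_JMP_JEQ_K, 1, 0, arch),                 # arch matches -> skip the kill
        insn(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        insn(BPF_LD_W_ABS, 0, 0, OFF_NR),
    ]
    # Compare i sits at index 4+i; ALLOW is at 4+n and DENY at 4+n+1, so a hit
    # jumps forward n-i instructions and lands exactly on DENY.
    for i, nr in enumerate(denied):
        prog.append(insn(BPF_JMP_JEQ_K, n - i, 0, nr))
    prog.append(insn(BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    deny = SECCOMP_RET_KILL_PROCESS if errno is None else SECCOMP_RET_ERRNO | (errno & 0xFFFF)
    prog.append(insn(BPF_RET_K, 0, 0, deny))
    return b"".join(prog)


def bpf_data_annotation(arch, denied, errno=None):
    """The annotation value: base64 of the raw sock_filter array."""
    return base64.b64encode(build_filter(arch, denied, errno)).decode("ascii")


def decode(data_b64):
    """Split an annotation value back into (code, jt, jf, k) tuples."""
    raw = base64.b64decode(data_b64)
    if len(raw) % 8:
        raise ValueError("program is not a whole number of sock_filter entries")
    return [struct.unpack("<HBBI", raw[i:i + 8]) for i in range(0, len(raw), 8)]


def simulate(prog, arch, nr):
    """Interpreter for the three opcodes emitted above: the SECCOMP_RET_* value
    the kernel would compute for syscall `nr` issued under `arch`."""
    data = {OFF_NR: nr, OFF_ARCH: arch}
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JMP_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("opcode %#x not handled by this interpreter" % code)


def config_fragment(data_b64):
    """config.json fragment; with this annotation crun ignores linux.seccomp."""
    return json.dumps({"annotations": {"run.oci.seccomp_bpf_data": data_b64}}, indent=2)


if __name__ == "__main__":
    # Constructed sample policy: EPERM for unshare(2)=272 and keyctl(2)=250 on x86-64.
    blob = bpf_data_annotation(AUDIT_ARCH_X86_64, [272, 250], errno=1)
    print(config_fragment(blob))
```

       The simulator is deliberately limited to the opcodes this generator
       emits; for programs produced by libseccomp or another toolchain, run
       them through the kernel (or a full cBPF interpreter) instead of
       extending it piecemeal.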

   run.oci.keep_original_groups
       If the annotation run.oci.keep_original_groups is present, then crun
       will skip the setgroups syscall that is used either to set the
       additional groups specified in the OCI configuration, or to reset the
       list of additional groups if none is specified. The container process
       then keeps the supplementary groups of the user that launched crun,
       which may grant it access the OCI configuration does not express.

   run.oci.systemd.force_cgroup_v1=/PATH
       If the annotation run.oci.systemd.force_cgroup_v1=/PATH is present,
       then crun will override the specified mount point /PATH with a cgroup
       v1 mount made of a single hierarchy none,name=systemd. It is useful to
       run, on a cgroup v2 system, containers using older versions of systemd
       that lack support for cgroup v2.

   Time namespace offset
       This annotation specifies the offset to be written to
       /proc/self/timens_offsets when creating a time namespace.

   systemd sub cgroup
       This annotation overrides the name for the systemd sub cgroup created
       under the systemd scope, so the final cgroup will be like:

              /sys/fs/cgroup/$PATH/$SUBGROUP

       When it is set to the empty string, a sub cgroup is not created.

       If not specified, it defaults to container on cgroup v2, and to "" on
       cgroup v1.

       e.g.

              /sys/fs/cgroup/system.slice/foo-352700.scope/container

   run.oci.hooks.stdout=FILE
       If the annotation run.oci.hooks.stdout is present, then crun will open
       the specified file and use it as the stdout for the hook processes.
       The file is opened in append mode and it is created if it doesn't
       already exist.

   run.oci.hooks.stderr=FILE
       If the annotation run.oci.hooks.stderr is present, then crun will open
       the specified file and use it as the stderr for the hook processes.
       The file is opened in append mode and it is created if it doesn't
       already exist.

   Container handler
       It is an experimental feature.

       If specified, this annotation runs the specified handler for execing
       the container. The only supported value is krun. When krun is
       specified, the libkrun.so shared object is loaded and it is used to
       launch the container using libkrun.

   tmpcopyup
       If the tmpcopyup option is specified for a tmpfs mount, then the path
       that is shadowed by the tmpfs mount is recursively copied up to the
       tmpfs itself.

   Automatically create a user namespace
       When running as a user different from root, a user namespace is
       automatically created even if it is not specified in the config file.
       The current user is mapped to ID 0 in the container, and any
       additional IDs specified in the files /etc/subuid and /etc/subgid are
       automatically added starting with ID 1.

       If the configuration specifies a new user namespace made of a single
       mapping to the root user, but either the UID or the GID is set to a
       nonzero value, then crun automatically creates another user namespace
       to map the root user to the specified UID and GID.

       This enables running unprivileged containers with a UID and GID
       different from zero, even when only a single UID and GID are
       available, e.g. rootless users on a system without
       newuidmap/newgidmap.

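
       An added example, not taken from the crun sources, that works through
       the two mappings described above. The /etc/subuid contents, the user
       name alice, the host uid 1000 and the pid 4242 are constructed sample
       input; the entry layout (id inside the namespace, id outside, length)
       is the one /proc/PID/uid_map and newuidmap(1) use. It also answers the
       question a reviewer of a rootless deployment usually asks first: which
       host uid a given in-container uid really is.

```python
"""Added example (not crun's own code): derive the uid_map entries implied by
the rootless behaviour described above from constructed /etc/subuid input,
and show where a given in-container id lands on the host."""

# Constructed sample of /etc/subuid (same "name:start:count" layout as /etc/subgid).
SUBUID = """\
# comment lines and blanks are ignored
alice:100000:65536
bob:165536:65536
alice:524288:1024
"""


def sub_ranges(contents, name):
    """(start, count) ranges granted to `name`, in file order."""
    ranges = []
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        who, start, count = line.split(":")
        if who == name:
            ranges.append((int(start), int(count)))
    return ranges


def rootless_id_map(host_id, ranges):
    """Entries as (container id, host id, size): the invoking user becomes 0 and
    each subordinate range is appended contiguously, the first starting at 1.
    With no subordinate ranges the map is the single entry (0, host_id, 1)."""
    entries = [(0, host_id, 1)]
    next_id = 1
    for start, count in ranges:
        entries.append((next_id, start, count))
        next_id += count
    return entries


def nested_map_for_nonzero_id(wanted_id):
    """The second namespace crun creates when the config maps only root but
    process.user.uid (or gid) is nonzero: inside the outer namespace the user
    is 0, so the inner map makes `wanted_id` alias outer id 0 and nothing else."""
    return [(wanted_id, 0, 1)]


def host_id_for(entries, container_id):
    """Host id that `container_id` maps to, or None when it is unmapped (such
    ids show up as the overflow id, 65534 by default, and cannot be assumed
    with setuid or given to chown inside the container)."""
    for cid, hid, size in entries:
        if cid <= container_id < cid + size:
            return hid + (container_id - cid)
    return None


def newuidmap_args(pid, entries):
    """Argument vector for newuidmap(1)/newgidmap(1): pid, then flat triples."""
    args = [str(pid)]
    for cid, hid, size in entries:
        args += [str(cid), str(hid), str(size)]
    return args


if __name__ == "__main__":
    entries = rootless_id_map(1000, sub_ranges(SUBUID, "alice"))
    for cid, hid, size in entries:
        print(f"container {cid}..{cid + size - 1} -> host {hid}..{hid + size - 1}")
    print("container uid 1000 is host uid", host_id_for(entries, 1000))
    print("newuidmap", " ".join(newuidmap_args(4242, entries)))
```

       A file created as uid 1000 inside such a container is owned by host
       uid 100999, not by the invoking user; that is the property to verify
       on shared volumes before granting a rootless container write access.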

CGROUP v1
       If the cgroup configuration found is for cgroup v1, crun attempts a
       conversion when running on a cgroup v2 system.

       These are the OCI resources currently supported with cgroup v2 and how
       they are converted when needed from the cgroup v1 configuration.

   Memory controller
       ┌─────────────┬────────────────────┬───────────────┬───────────────────────────────────┐
       │OCI (x)      │ cgroup 2 value (y) │ conversion    │ comment                           │
       ├─────────────┼────────────────────┼───────────────┼───────────────────────────────────┤
       │limit        │ memory.max         │ y = x         │                                   │
       ├─────────────┼────────────────────┼───────────────┼───────────────────────────────────┤
       │swap         │ memory.swap.max    │ y = x - limit │ OCI swap counts memory plus swap  │
       ├─────────────┼────────────────────┼───────────────┼───────────────────────────────────┤
       │reservation  │ memory.low         │ y = x         │                                   │
       └─────────────┴────────────────────┴───────────────┴───────────────────────────────────┘

   PIDs controller
       ┌─────────┬────────────────────┬────────────┬─────────┐
       │OCI (x)  │ cgroup 2 value (y) │ conversion │ comment │
       ├─────────┼────────────────────┼────────────┼─────────┤
       │limit    │ pids.max           │ y = x      │         │
       └─────────┴────────────────────┴────────────┴─────────┘

   CPU controller
       ┌─────────┬────────────────────┬────────────────────────────────────┬───────────────────────────────────────┐
       │OCI (x)  │ cgroup 2 value (y) │ conversion                         │ comment                               │
       ├─────────┼────────────────────┼────────────────────────────────────┼───────────────────────────────────────┤
       │shares   │ cpu.weight         │ y = (1 + ((x - 2) * 9999) / 262142) │ convert from [2-262144] to [1-10000]  │
       ├─────────┼────────────────────┼────────────────────────────────────┼───────────────────────────────────────┤
       │period   │ cpu.max            │ y = x                              │ period and quota are written together │
       ├─────────┼────────────────────┼────────────────────────────────────┼───────────────────────────────────────┤
       │quota    │ cpu.max            │ y = x                              │ period and quota are written together │
       └─────────┴────────────────────┴────────────────────────────────────┴───────────────────────────────────────┘

   blkio controller
       ┌──────────────┬────────────────────┬────────────┬─────────────────────────────────┐
       │OCI (x)       │ cgroup 2 value (y) │ conversion │ comment                         │
       ├──────────────┼────────────────────┼────────────┼─────────────────────────────────┤
       │weight        │ io.bfq.weight      │ y = x      │                                 │
       ├──────────────┼────────────────────┼────────────┼─────────────────────────────────┤
       │weight_device │ io.bfq.weight      │ y = x      │ written as MAJOR:MINOR weight   │
       └──────────────┴────────────────────┴────────────┴─────────────────────────────────┘

   cpuset controller
       ┌─────────┬────────────────────┬────────────┬─────────┐
       │OCI (x)  │ cgroup 2 value (y) │ conversion │ comment │
       ├─────────┼────────────────────┼────────────┼─────────┤
       │cpus     │ cpuset.cpus        │ y = x      │         │
       ├─────────┼────────────────────┼────────────┼─────────┤
       │mems     │ cpuset.mems        │ y = x      │         │
       └─────────┴────────────────────┴────────────┴─────────┘

   hugetlb controller
       ┌──────────────────────────────┬────────────────────┬────────────┬─────────┐
       │OCI (x)                       │ cgroup 2 value (y) │ conversion │ comment │
       ├──────────────────────────────┼────────────────────┼────────────┼─────────┤
       │hugetlb.<size>.limit_in_bytes │ hugetlb.<size>.max │ y = x      │         │
       └──────────────────────────────┴────────────────────┴────────────┴─────────┘

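
       An added example, not crun's own code, that carries the conversion
       tables above through in Python over a constructed OCI linux.resources
       object (field names follow the OCI runtime spec). Three details come
       from the cgroup v2 kernel interface rather than from the tables and are
       assumptions here: cpu.weight is an integer so the formula uses integer
       division, cpu.max defaults to a 100000 period with "max" meaning no
       quota, and per-device io.bfq.weight entries take the "MAJOR:MINOR
       weight" form.

```python
"""Added example (not crun's own code): apply the cgroup v1 -> cgroup v2
conversions from the tables above to an OCI linux.resources object."""


def cpu_shares_to_weight(shares):
    """cpu.shares [2-262144] -> cpu.weight [1-10000] with the table's formula,
    in integer arithmetic because the kernel only accepts whole weights."""
    if not 2 <= shares <= 262144:
        raise ValueError("cpu shares must be in [2, 262144]")
    return 1 + ((shares - 2) * 9999) // 262142


def cpu_max(quota, period):
    """cpu.max takes quota and period in one write. Assumption (kernel default,
    not stated in the table): period defaults to 100000 and an absent or
    non-positive quota means "max", i.e. no hard cap."""
    period = period or 100000
    q = "max" if quota is None or quota <= 0 else str(quota)
    return f"{q} {period}"


def convert_v1_to_v2(resources):
    """Map an OCI linux.resources dict to {cgroup v2 file: value to write}."""
    out = {}
    mem = resources.get("memory", {})
    if "limit" in mem:
        out["memory.max"] = mem["limit"]
    if "swap" in mem:
        # OCI/v1 swap is memory plus swap; v2 memory.swap.max counts swap alone.
        out["memory.swap.max"] = mem["swap"] - mem.get("limit", 0)
    if "reservation" in mem:
        out["memory.low"] = mem["reservation"]
    pids = resources.get("pids", {})
    if "limit" in pids:
        out["pids.max"] = pids["limit"]
    cpu = resources.get("cpu", {})
    if "shares" in cpu:
        out["cpu.weight"] = cpu_shares_to_weight(cpu["shares"])
    if "quota" in cpu or "period" in cpu:
        out["cpu.max"] = cpu_max(cpu.get("quota"), cpu.get("period"))
    if "cpus" in cpu:
        out["cpuset.cpus"] = cpu["cpus"]
    if "mems" in cpu:
        out["cpuset.mems"] = cpu["mems"]
    bio = resources.get("blockIO", {})
    weights = []
    if "weight" in bio:
        weights.append(str(bio["weight"]))
    for dev in bio.get("weightDevice", []):
        weights.append(f"{dev['major']}:{dev['minor']} {dev['weight']}")
    if weights:
        out["io.bfq.weight"] = weights  # one write per line
    for page in resources.get("hugepageLimits", []):
        out[f"hugetlb.{page['pageSize']}.max"] = page["limit"]
    return out


# Constructed sample resources in the OCI runtime-spec layout.
SAMPLE = {
    "memory": {"limit": 1 << 30, "swap": 2 << 30, "reservation": 1 << 29},
    "pids": {"limit": 512},
    "cpu": {"shares": 1024, "quota": 50000, "period": 100000, "cpus": "0-1", "mems": "0"},
    "blockIO": {"weight": 500, "weightDevice": [{"major": 8, "minor": 0, "weight": 300}]},
    "hugepageLimits": [{"pageSize": "2MB", "limit": 1 << 30}],
}

if __name__ == "__main__":
    for name, value in sorted(convert_v1_to_v2(SAMPLE).items()):
        print(f"{name:18} {value}")
```

       The shares conversion is lossy at the low end: every shares value below
       roughly 28 collapses to weight 1, so two v1 cgroups that were meant to
       differ may end up with equal priority after conversion.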
User Commands                                                          crun(1)