crun(1)                     General Commands Manual                    crun(1)

NAME
       crun - a fast and lightweight OCI runtime

SYNOPSIS
       crun [global options] command [command options] [arguments...]

DESCRIPTION
       crun is a command line program for running Linux containers that follow
       the Open Container Initiative (OCI) format.

COMMANDS
       create Create a container.  The runtime detaches from the container
              process once the container environment is created.  The
              container must subsequently be started with start.

       delete Remove the definition of a container.

       exec   Execute a command in a running container.

       list   List known containers.

       kill   Send the specified signal to the container init process.  If no
              signal is specified, SIGTERM is used.

       ps     Show the processes running in a container.

       run    Create and immediately start a container.

       spec   Generate a configuration file.

       start  Start a container that was previously created.  A container
              cannot be started multiple times.

       state  Output the state of a container.

       pause  Pause all the processes in the container.

       resume Resume the processes in the container.

       update Update container resource constraints.

       checkpoint
              Checkpoint a running container using CRIU.

       restore
              Restore a container from a checkpoint.

STATE
       By default, when running as root, crun saves its state under the
       /run/crun directory.  When running as an unprivileged user, the
       XDG_RUNTIME_DIR environment variable is honored instead, and the
       directory $XDG_RUNTIME_DIR/crun is used.  The global option --root
       overrides this setting.

GLOBAL OPTIONS
       --debug Produce verbose output.

       --log=LOG-DESTINATION Define the destination for the error and warning
       messages generated by crun.  If the error happens late in the container
       init process, when crun has already stopped watching it, then it is
       printed to the container's stderr.

       It is specified in the form BACKEND:SPECIFIER.

       The following backends are supported:

              • file:PATH

              • journald:IDENTIFIER

              • syslog:IDENTIFIER

       If no backend is specified, then file: is used by default.

       --log-format=FORMAT Define the format of the log messages.  It can
       either be text or json.  The default is text.

       --no-pivot Use chroot(2) instead of pivot_root(2) when creating the
       container.  This option is not safe and should be avoided: unlike
       pivot_root(2), chroot(2) does not detach the host root from the
       container's mount namespace, so a process that can break out of a
       chroot (for example one holding CAP_SYS_CHROOT) can reach the host
       file system.

       --root=DIR Define where to store the state for crun containers.

       --systemd-cgroup Use systemd for configuring cgroups.  If not
       specified, the cgroup is created directly using the cgroupfs backend.

       --cgroup-manager=MANAGER Specify which cgroup manager must be used.
       Permitted values are cgroupfs, systemd and disabled.

       -?, --help Print a help list.

       --usage Print a short usage message.

       -V, --version Print the program version.
135

CREATE OPTIONS
       crun [global options] create [options] CONTAINER

       --bundle=BUNDLE Path to the OCI bundle; by default it is the current
       directory.

       --config=FILE Override the configuration file to use.  The default
       value is config.json.

       --console-socket=SOCKET Path to a UNIX socket that will receive the
       master (ptmx) end of the container's pseudo-terminal.

       --no-new-keyring Do not create a new session keyring for the
       container; the caller's session keyring is kept.

       --preserve-fds=N Additional number of FDs (starting from FD 3, after
       stdin, stdout and stderr) to pass into the container.

       --pid-file=PATH Path to the file that will contain the container
       process PID.

RUN OPTIONS
       crun [global options] run [options] CONTAINER

       --bundle=BUNDLE Path to the OCI bundle; by default it is the current
       directory.

       --config=FILE Override the configuration file to use.  The default
       value is config.json.

       --console-socket=SOCKET Path to a UNIX socket that will receive the
       master (ptmx) end of the container's pseudo-terminal.

       --no-new-keyring Do not create a new session keyring for the
       container; the caller's session keyring is kept.

       --preserve-fds=N Additional number of FDs (starting from FD 3, after
       stdin, stdout and stderr) to pass into the container.

       --pid-file=PATH Path to the file that will contain the container
       process PID.

       --detach Detach the container process from the current session.

DELETE OPTIONS
       crun [global options] delete [options] CONTAINER

       --force Delete the container even if it is still running.

       --regex=REGEX Delete all the containers whose ID matches the specified
       regex.

EXEC OPTIONS
       crun [global options] exec [options] CONTAINER CMD

       --apparmor=PROFILE Set the AppArmor profile for the process.

       --console-socket=SOCKET Path to a UNIX socket that will receive the
       master (ptmx) end of the process's pseudo-terminal.

       --cwd=PATH Set the working directory for the process to PATH.

       --cap=CAP Specify an additional capability to add to the process.

       --detach Detach the container process from the current session.

       --env=ENV Specify an environment variable.

       --no-new-privs Set the no_new_privs flag for the process (see
       PR_SET_NO_NEW_PRIVS in prctl(2)).

       --preserve-fds=N Additional number of FDs to pass into the container.

       --process=FILE Path to a file containing the process JSON
       configuration.

       --process-label=VALUE Set the process label (commonly an SELinux
       label) for the process.

       --pid-file=PATH Path to the file that will contain the new process PID.

       -t, --tty Allocate a pseudo TTY.

       -u USERSPEC, --user=USERSPEC Specify the user in the form UID[:GID].

LIST OPTIONS
       crun [global options] list [options]

       -q, --quiet Show only the container ID.

KILL OPTIONS
       crun [global options] kill [options] CONTAINER SIGNAL

       --all Kill all the processes in the container.

       --regex=REGEX Kill all the containers whose ID matches the specified
       regex.

PS OPTIONS
       crun [global options] ps [options] CONTAINER

       --format=FORMAT Specify the output format.  It must be either table or
       json.  By default table is used.

SPEC OPTIONS
       crun [global options] spec [options]

       -b DIR, --bundle=DIR Path to the root of the bundle dir (default ".").

       --rootless Generate a config.json file that is usable by an
       unprivileged user.
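       A check worth running on a bundle before handing it to crun create
       or crun run, given as an added example (Python, not part of crun):
       it audits a config.json for the settings that most often weaken
       isolation.  It relies only on the config.json layout defined by the
       OCI runtime specification (process, linux.namespaces, mounts, ...).
       The two configs embedded below are constructed for the demonstration
       and are not output of crun spec; which capabilities and host paths
       count as dangerous is the example's own choice.

```python
"""Lint an OCI config.json before handing it to `crun create` / `crun run`.

Added example, not part of crun.  It only relies on the config.json layout
from the OCI runtime specification (process, linux.namespaces, mounts, ...).
The two sample configs at the bottom are constructed for this demonstration.
"""
import json
import sys

# The example's own lists: capabilities that undo most of the confinement,
# namespaces an isolated workload should always get, and host paths that must
# not be exposed read-write.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
                  "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_MKNOD", "CAP_SYS_BOOT"}
REQUIRED_NS = {"pid", "mount", "ipc", "uts", "network"}
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/dev", "/run", "/var/run")


def _under(path, prefix):
    """True if path is prefix itself or lies below it ("/" only matches itself)."""
    return path == prefix or (prefix != "/" and path.startswith(prefix + "/"))


def lint_config(cfg):
    """Return the list of findings for one config.json document (empty == clean)."""
    findings = []
    proc = cfg.get("process", {})
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not set: setuid binaries can regain privileges")
    caps = proc.get("capabilities", {})
    for cap_set in ("bounding", "effective", "permitted", "inheritable", "ambient"):
        bad = DANGEROUS_CAPS & set(caps.get(cap_set, []))
        if bad:
            findings.append(f"process.capabilities.{cap_set} grants {sorted(bad)}")
    if proc.get("user", {}).get("uid", 0) == 0:
        findings.append("process.user.uid is 0: the payload runs as root inside the container")

    linux = cfg.get("linux", {})
    namespaces = linux.get("namespaces", [])
    present = {ns.get("type") for ns in namespaces}
    for ns_type in sorted(REQUIRED_NS - present):
        findings.append(f"linux.namespaces lacks a new {ns_type} namespace: the host's is shared")
    for ns in namespaces:
        if ns.get("path"):  # joining an existing namespace instead of creating a fresh one
            findings.append(f"{ns.get('type')} namespace joins the existing {ns['path']}")
    seccomp = linux.get("seccomp")
    if seccomp is None:
        findings.append("linux.seccomp is absent: no syscall filter is installed")
    elif seccomp.get("defaultAction") in ("SCMP_ACT_ALLOW", "SCMP_ACT_LOG"):
        findings.append(f"linux.seccomp.defaultAction is {seccomp['defaultAction']}: "
                        "the filter is a deny-list, not an allow-list")

    for mnt in cfg.get("mounts", []):
        if mnt.get("type") != "bind":
            continue
        src, dst = mnt.get("source", ""), mnt.get("destination", "")
        if any(_under(src, p) for p in SENSITIVE_HOST_PATHS) and "ro" not in mnt.get("options", []):
            findings.append(f"bind mount of host {src} at {dst} is read-write")
    return findings


def lint_file(path):
    """Lint a config.json on disk (e.g. the bundle's config.json before `crun run`)."""
    with open(path, encoding="utf-8") as fh:
        return lint_config(json.load(fh))


# Constructed sample: a permissive config of the kind a tool might emit by default.
PERMISSIVE_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "args": ["sh"],
        "noNewPrivileges": False,
        "capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"],
                         "effective": ["CAP_CHOWN", "CAP_SYS_ADMIN"],
                         "permitted": ["CAP_CHOWN", "CAP_SYS_ADMIN"]},
    },
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [{"destination": "/host-etc", "type": "bind", "source": "/etc",
                "options": ["rbind", "rw"]}],
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "ipc"}, {"type": "uts"}]},
}

# Constructed sample: the same bundle with every finding above addressed.
HARDENED_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 1000, "gid": 1000},
        "args": ["sh"],
        "noNewPrivileges": True,
        "capabilities": {"bounding": ["CAP_CHOWN"], "effective": [], "permitted": ["CAP_CHOWN"]},
    },
    "root": {"path": "rootfs", "readonly": True},
    "mounts": [{"destination": "/host-etc", "type": "bind", "source": "/etc",
                "options": ["rbind", "ro"]}],
    "linux": {
        "namespaces": [{"type": t} for t in ("pid", "mount", "ipc", "uts", "network", "user")],
        "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": []},
    },
}

if __name__ == "__main__":
    results = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_config(PERMISSIVE_CONFIG)
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

       Run it as python3 lint_oci.py /path/to/bundle/config.json; a non-zero
       exit means at least one finding.  The bind-mount rule only looks at
       the listed host paths, so extend SENSITIVE_HOST_PATHS for the host in
       question.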

UPDATE OPTIONS
       crun [global options] update [options] CONTAINER

       --blkio-weight=VALUE Specifies per cgroup weight.

       --cpu-period=VALUE CPU CFS period to be used for hardcapping.

       --cpu-quota=VALUE CPU CFS hardcap limit.

       --cpu-rt-period=VALUE CPU realtime period to be used for hardcapping.

       --cpu-rt-runtime=VALUE CPU realtime hardcap limit.

       --cpu-share=VALUE CPU shares.

       --cpuset-cpus=VALUE CPU(s) to use.

       --cpuset-mems=VALUE Memory node(s) to use.

       --kernel-memory=VALUE Kernel memory limit.

       --kernel-memory-tcp=VALUE Kernel memory limit for TCP buffers.

       --memory=VALUE Memory limit.

       --memory-reservation=VALUE Memory reservation (soft limit).

       --memory-swap=VALUE Total memory usage limit (memory plus swap).

       --pids-limit=VALUE Maximum number of pids allowed in the container.

       -r, --resources=FILE Path to the file containing the resources to
       update.

CHECKPOINT OPTIONS
       crun [global options] checkpoint [options] CONTAINER

       --image-path=DIR Path for saving CRIU image files.  The images contain
       the full memory of the checkpointed processes, including any secrets
       they hold, so the directory must be protected accordingly.

       --work-path=DIR Path for saving work files and logs.

       --leave-running Leave the process running after checkpointing.

       --tcp-established Allow open TCP connections.

       --ext-unix-sk Allow external UNIX sockets.

       --shell-job Allow shell jobs.

RESTORE OPTIONS
       crun [global options] restore [options] CONTAINER

       -b DIR, --bundle=DIR Container bundle directory (default ".").

       --image-path=DIR Path of the CRIU image files to restore from.

       --work-path=DIR Path for saving work files and logs.

       --tcp-established Allow open TCP connections.

       --ext-unix-sk Allow external UNIX sockets.

       --shell-job Allow shell jobs.

       --detach Detach from the container's process.

       --pid-file=FILE Where to write the PID of the container.

Extensions to OCI

run.oci.seccomp.receiver=PATH

       If the annotation run.oci.seccomp.receiver=PATH is specified, the
       seccomp listener fd is sent to the UNIX socket listening on the
       specified path.  It can also be set with the RUN_OCI_SECCOMP_RECEIVER
       environment variable.  It is an experimental feature, and the
       annotation will be removed once it is supported in the OCI runtime
       specs.  PATH must be an absolute path.

       The process that receives the listener becomes the supervisor for the
       container's notified syscalls and can allow, deny or emulate them, so
       the socket must belong to a trusted component.

run.oci.seccomp.plugins=PLUGIN1[:PLUGIN2]...

       If the annotation run.oci.seccomp.plugins=PLUGIN1[:PLUGIN2]... is
       specified, the seccomp listener fd is handled through the specified
       plugins.  Each plugin must either be an absolute path or a file name
       that is looked up by dlopen(3).  More information on how the lookup is
       performed is available in the ld.so(8) man page.  Plugins are loaded
       into the crun process and run with its privileges.

run.oci.seccomp_fail_unknown_syscall=1

       If the annotation run.oci.seccomp_fail_unknown_syscall is present, then
       crun fails when an unknown syscall name is encountered in the seccomp
       configuration.  Otherwise unknown syscall names are ignored; with a
       permissive default action this means a deny rule whose syscall name
       is not recognized is simply not installed.

run.oci.seccomp_bpf_data=DATA

       If the annotation run.oci.seccomp_bpf_data is present, then crun
       ignores the seccomp section in the OCI configuration file and uses the
       specified data as the raw filter program passed to
       seccomp(SECCOMP_SET_MODE_FILTER).  The data must be encoded in base64.
       Since the program replaces the libseccomp-generated filter entirely,
       it should be audited before use.

       It is an experimental feature, and the annotation will be removed once
       it is supported in the OCI runtime specs.
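       The raw program behind run.oci.seccomp_bpf_data is a classic BPF
       filter over struct seccomp_data, which is what a reviewer has to
       decode to know what an annotation actually permits.  The block below
       is an added example (Python, not crun's code): it assembles an x86_64
       allow-list filter, base64-encodes it into the annotation value,
       decodes such a value back into instructions, and evaluates the program
       for a given (arch, syscall number) pair so the effect of an opaque
       annotation can be checked offline.  The opcode, action and syscall
       number constants are the kernel's; the three-opcode interpreter is the
       example's own simplification and rejects anything else.

```python
"""Build, encode, decode and evaluate the raw seccomp filter carried by the
run.oci.seccomp_bpf_data annotation.  Added example, not part of crun.

The annotation value is base64 of an array of `struct sock_filter`
(u16 code, u8 jt, u8 jf, u32 k), i.e. classic BPF over `struct seccomp_data`.
"""
import base64
import json
import struct

# Classic BPF opcodes used by seccomp filters (linux/filter.h).
BPF_LD_W_ABS = 0x20   # acc = *(u32 *)(seccomp_data + k)
BPF_JEQ_K = 0x15      # pc += (acc == k) ? jt : jf
BPF_RET_K = 0x06      # return k
# Offsets into struct seccomp_data (linux/seccomp.h).
SECCOMP_DATA_NR, SECCOMP_DATA_ARCH = 0, 4
AUDIT_ARCH_X86_64, AUDIT_ARCH_I386 = 0xC000003E, 0x40000003
# Return actions; the low 16 bits of SECCOMP_RET_ERRNO carry the errno value.
SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_ERRNO, SECCOMP_RET_ALLOW = 0x80000000, 0x00050000, 0x7FFF0000
ACTION_NAMES = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
                0x00050000: "ERRNO", 0x7FC00000: "USER_NOTIF", 0x7FF00000: "TRACE",
                0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW"}
ACTION_MASK = 0xFFFF0000
# A few x86_64 syscall numbers for the demonstration.
NR_X86_64 = {"read": 0, "write": 1, "close": 3, "rt_sigreturn": 15, "execve": 59,
             "exit": 60, "exit_group": 231}
SOCK_FILTER = struct.Struct("<HBBI")   # 8 bytes per instruction, little-endian as on x86_64


def build_allowlist_filter(allowed_nrs, errno=1):
    """Allow the listed x86_64 syscalls, return -errno for others, kill on a foreign arch."""
    n = len(allowed_nrs)
    assert n < 255, "jump offsets are 8-bit"
    prog = [
        (BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_ARCH),          # 0: acc = arch
        (BPF_JEQ_K, 1, 0, AUDIT_ARCH_X86_64),              # 1: x86_64? skip the kill
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),       # 2: foreign arch -> kill
        (BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_NR),             # 3: acc = syscall nr
    ]
    allow_idx = 4 + n + 1                                  # index of the final "ret ALLOW"
    for i, nr in enumerate(allowed_nrs):                   # 4..4+n-1: jeq nr -> allow
        prog.append((BPF_JEQ_K, allow_idx - (4 + i + 1), 0, nr))
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | errno))   # default: -errno
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return prog


def encode_filter(prog):
    """Serialize the instructions and base64-encode them as the annotation value."""
    return base64.b64encode(b"".join(SOCK_FILTER.pack(*ins) for ins in prog)).decode("ascii")


def decode_filter(value):
    """Inverse of encode_filter; rejects data that is not a whole number of instructions."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) % SOCK_FILTER.size:
        raise ValueError("seccomp_bpf_data length is not a multiple of 8 bytes")
    return [SOCK_FILTER.unpack_from(raw, off) for off in range(0, len(raw), SOCK_FILTER.size)]


def run_filter(prog, arch, nr):
    """Evaluate the program for one (arch, syscall nr) and return the raw action word.

    Only the three opcodes above are modelled; anything else is reported, not guessed.
    """
    data = {SECCOMP_DATA_NR: nr, SECCOMP_DATA_ARCH: arch}
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            if k not in data:
                raise ValueError(f"load from unmodelled seccomp_data offset {k}")
            acc = data[k]
        elif code == BPF_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x} at instruction {pc}")
        pc += 1
    raise ValueError("program fell off the end (the kernel rejects such a filter)")


def describe_action(word):
    """Human-readable name for a return word, e.g. 'ERRNO(1)'."""
    name = ACTION_NAMES.get(word & ACTION_MASK, f"UNKNOWN({word & ACTION_MASK:#x})")
    return f"{name}({word & 0xFFFF})" if name == "ERRNO" else name


def annotation_json(value):
    """The annotations fragment to merge into the bundle's config.json."""
    return json.dumps({"annotations": {"run.oci.seccomp_bpf_data": value}})


if __name__ == "__main__":
    prog = build_allowlist_filter([NR_X86_64[n] for n in ("read", "write", "exit_group", "rt_sigreturn")])
    value = encode_filter(prog)
    print(annotation_json(value))
    for name in ("write", "execve"):
        action = run_filter(decode_filter(value), AUDIT_ARCH_X86_64, NR_X86_64[name])
        print(name, "->", describe_action(action))
```

       The architecture check at the top of the program is the part most
       often missing from hand-written filters: without it, syscall numbers
       are matched against the wrong table when a 32-bit binary runs in the
       container.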

run.oci.keep_original_groups=1

       If the annotation run.oci.keep_original_groups is present, then crun
       skips the setgroups syscall that is used either to set the additional
       groups specified in the OCI configuration, or to reset the list of
       additional groups if none is specified.  The container process then
       keeps the supplementary groups of the caller, including any that grant
       access to host resources.

run.oci.systemd.force_cgroup_v1=/PATH

       If the annotation run.oci.systemd.force_cgroup_v1=/PATH is present,
       then crun overrides the specified mount point /PATH with a cgroup v1
       mount made of a single hierarchy none,name=systemd.  It is useful to
       run, on a cgroup v2 system, containers using older versions of systemd
       that lack support for cgroup v2.

run.oci.timens_offset=ID SEC NSEC

       Specify the offset to be written to /proc/self/timens_offsets when
       creating a time namespace.  ID is the clock name (monotonic or
       boottime), followed by the offset in seconds and nanoseconds.

run.oci.systemd.subgroup=SUBGROUP

       Override the name for the systemd sub cgroup created under the systemd
       scope, so the final cgroup is:

              /sys/fs/cgroup/$PATH/$SUBGROUP

       When it is set to the empty string, a sub cgroup is not created.

       If not specified, it defaults to container on cgroup v2, and to "" on
       cgroup v1.

       e.g.

              /sys/fs/cgroup/system.slice/foo-352700.scope/container

run.oci.delegate-cgroup=DELEGATED-CGROUP

       If the run.oci.delegate-cgroup annotation is specified, yet another
       sub-cgroup is created below the cgroup the runtime manages, and the
       container process is moved there:

              /sys/fs/cgroup/$PATH/$SUBGROUP/$DELEGATED-CGROUP

       The runtime doesn't apply any limit to the $DELEGATED-CGROUP
       sub-cgroup; the runtime uses only $PATH/$SUBGROUP.

       The container payload fully manages $DELEGATED-CGROUP; the limits
       applied to $PATH/$SUBGROUP still apply to $DELEGATED-CGROUP, since
       cgroup v2 limits are enforced down the hierarchy.

       Since cgroup delegation is not safe on cgroup v1, this option is
       supported only on cgroup v2.

run.oci.hooks.stdout=FILE

       If the annotation run.oci.hooks.stdout is present, then crun opens the
       specified file and uses it as the stdout for the hook processes.  The
       file is opened in append mode and it is created if it doesn't already
       exist.

run.oci.hooks.stderr=FILE

       If the annotation run.oci.hooks.stderr is present, then crun opens the
       specified file and uses it as the stderr for the hook processes.  The
       file is opened in append mode and it is created if it doesn't already
       exist.

run.oci.handler=HANDLER

       It is an experimental feature.

       If specified, run the specified handler for execing the container.
       The only supported value is krun.  When krun is specified, the
       libkrun.so shared object is loaded and it is used to launch the
       container using libkrun.

tmpcopyup mount option

       If the tmpcopyup option is specified for a tmpfs, then the path that
       is shadowed by the tmpfs mount is recursively copied up to the tmpfs
       itself.

Automatically create user namespace

       When running as a user other than root, a user namespace is
       automatically created even if it is not specified in the config file.
       The current user is mapped to ID 0 in the container, and any
       additional IDs granted to that user in /etc/subuid and /etc/subgid are
       mapped starting from ID 1.

Intermediate user namespace

       If the configuration specifies a new user namespace made of a single
       mapping to the root user, but either the UID or the GID is set to a
       non-zero value, then crun automatically creates another user namespace
       to map the root user to the specified UID and GID.

       This enables running unprivileged containers with a UID and GID
       different from zero, even when only a single UID and GID are
       available, e.g. rootless users on a system without
       newuidmap/newgidmap.
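       The two mappings described in the preceding sections (the automatic
       rootless namespace and the intermediate namespace) are easier to
       reason about written out.  The block below is an added example
       (Python, not crun's code): it derives the uid_map entries from a
       constructed /etc/subuid, derives the single-entry map the intermediate
       namespace needs, and resolves a container ID back to the host ID
       through the chain, which is what decides who owns a file the container
       writes.  The user names and sub-ID ranges are constructed for the
       example.

```python
"""Work out the ID mappings described for crun's rootless handling and resolve
container IDs back to host IDs through them.
Added example, not crun's code; the /etc/subuid lines below are constructed.

An ID map is a list of (container_id, parent_id, count) triples, the same
triples written to /proc/PID/uid_map and gid_map.
"""

SUBUID_SAMPLE = """\
# name:start:count   (constructed /etc/subuid content)
alice:100000:65536
bob:165536:65536
alice:524288:1024
"""


def parse_subid(text, user):
    """Ranges (start, count) granted to `user` in /etc/subuid or /etc/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def rootless_id_map(host_id, ranges):
    """Automatic user namespace: the caller becomes ID 0, sub-ID ranges follow from ID 1."""
    id_map = [(0, host_id, 1)]
    next_id = 1
    for start, count in ranges:
        id_map.append((next_id, start, count))
        next_id += count
    return id_map


def intermediate_id_map(outer_map, wanted_id):
    """Second namespace added when the config maps only root but the process wants a
    non-zero ID: inside it, `wanted_id` is backed by ID 0 of the outer namespace.
    Returns None when no intermediate namespace is needed."""
    single_root = len(outer_map) == 1 and outer_map[0][0] == 0 and outer_map[0][2] == 1
    if single_root and wanted_id != 0:
        return [(wanted_id, 0, 1)]
    return None


def resolve(id_map, cid):
    """Map a container ID to the parent namespace's ID, or None if it is unmapped
    (an unmapped ID appears as the overflow ID 65534 and setuid() to it fails)."""
    for first, parent, count in id_map:
        if first <= cid < first + count:
            return parent + (cid - first)
    return None


def resolve_chain(maps, cid):
    """Resolve through nested namespaces, innermost map first, down to the host."""
    for id_map in maps:
        cid = resolve(id_map, cid)
        if cid is None:
            return None
    return cid


def format_id_map(id_map):
    """Text form written to /proc/PID/uid_map."""
    return "".join(f"{c} {p} {n}\n" for c, p, n in id_map)


if __name__ == "__main__":
    outer = rootless_id_map(1000, parse_subid(SUBUID_SAMPLE, "alice"))
    print(format_id_map(outer), end="")
    print("container uid 1000 is host uid", resolve(outer, 1000))
    # Rootless host without subuid entries: only a single mapping is possible.
    single = rootless_id_map(1000, [])
    inner = intermediate_id_map(single, 1000)
    print(format_id_map(inner), end="")
    print("container uid 1000 via the intermediate namespace is host uid",
          resolve_chain([inner, single], 1000))
```

       Note what the intermediate namespace does not do: every ID inside it
       still resolves to the single host ID of the caller, so files written
       as container UID 1000 are owned by the caller on the host.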

CGROUP v2
       If the cgroup configuration found is for cgroup v1, crun attempts a
       conversion when running on a cgroup v2 system.

       These are the OCI resources currently supported with cgroup v2 and how
       they are converted when needed from the cgroup v1 configuration.

Memory controller

       ┌────────────┬────────────────────┬──────────────────┬────────────────────────────┐
       │OCI (x)     │ cgroup 2 value (y) │ conversion       │ comment                    │
       ├────────────┼────────────────────┼──────────────────┼────────────────────────────┤
       │limit       │ memory.max         │ y = x            │                            │
       ├────────────┼────────────────────┼──────────────────┼────────────────────────────┤
       │swap        │ memory.swap.max    │ y = x - limit    │ OCI swap counts memory too │
       ├────────────┼────────────────────┼──────────────────┼────────────────────────────┤
       │reservation │ memory.low         │ y = x            │                            │
       └────────────┴────────────────────┴──────────────────┴────────────────────────────┘

PIDs controller

       ┌────────┬────────────────────┬────────────┬─────────┐
       │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
       ├────────┼────────────────────┼────────────┼─────────┤
       │limit   │ pids.max           │ y = x      │         │
       └────────┴────────────────────┴────────────┴─────────┘

CPU controller

       ┌────────┬────────────────────┬──────────────────┬──────────────────┐
       │OCI (x) │ cgroup 2 value (y) │ conversion       │ comment          │
       ├────────┼────────────────────┼──────────────────┼──────────────────┤
       │shares  │ cpu.weight         │ y  =  (1 + ((x - │ convert from     │
       │        │                    │ 2)  *  9999)   / │ [2-262144] to    │
       │        │                    │ 262142)          │ [1-10000]        │
       ├────────┼────────────────────┼──────────────────┼──────────────────┤
       │period  │ cpu.max            │ y = x            │ period and quota │
       │        │                    │                  │ written together │
       ├────────┼────────────────────┼──────────────────┼──────────────────┤
       │quota   │ cpu.max            │ y = x            │ period and quota │
       │        │                    │                  │ written together │
       └────────┴────────────────────┴──────────────────┴──────────────────┘

blkio controller

       ┌──────────────┬────────────────────┬────────────┬─────────┐
       │OCI (x)       │ cgroup 2 value (y) │ conversion │ comment │
       ├──────────────┼────────────────────┼────────────┼─────────┤
       │weight        │ io.bfq.weight      │ y = x      │         │
       ├──────────────┼────────────────────┼────────────┼─────────┤
       │weight_device │ io.bfq.weight      │ y = x      │         │
       └──────────────┴────────────────────┴────────────┴─────────┘

cpuset controller

       ┌────────┬────────────────────┬────────────┬─────────┐
       │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
       ├────────┼────────────────────┼────────────┼─────────┤
       │cpus    │ cpuset.cpus        │ y = x      │         │
       ├────────┼────────────────────┼────────────┼─────────┤
       │mems    │ cpuset.mems        │ y = x      │         │
       └────────┴────────────────────┴────────────┴─────────┘

hugetlb controller

       ┌────────────────────────────┬──────────────────────────┬────────────┬─────────┐
       │OCI (x)                     │ cgroup 2 value (y)       │ conversion │ comment │
       ├────────────────────────────┼──────────────────────────┼────────────┼─────────┤
       │<PAGE_SIZE>.limit_in_bytes  │ hugetlb.<PAGE_SIZE>.max  │ y = x      │         │
       └────────────────────────────┴──────────────────────────┴────────────┴─────────┘

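       The conversion tables above carried through as an added example
       (Python, not crun's code): given the linux.resources object of an OCI
       config written for cgroup v1, it produces the cgroup v2 file names and
       values a runtime would write.  The constants are the ones from the
       tables; the treatment of unlimited values (-1, and 0 for pids) and the
       io.bfq.weight line formats follow the cgroup v2 documentation and are
       the example's own reading, so check them against the crun version in
       use.  The sample resources object is constructed for the example.

```python
"""Convert OCI linux.resources written for cgroup v1 into the cgroup v2 files and
values from the tables above.  Added example, not crun's code.
Returns a list of (file name, text to write) pairs rather than touching
/sys/fs/cgroup, so the result can be inspected or diffed first.
"""

CPU_SHARES_MIN, CPU_SHARES_MAX = 2, 262144      # cgroup v1 cpu.shares range
DEFAULT_CPU_PERIOD_US = 100000                  # kernel default CFS period


def shares_to_weight(shares):
    """cpu.shares [2-262144] -> cpu.weight [1-10000], the formula from the CPU table."""
    if not CPU_SHARES_MIN <= shares <= CPU_SHARES_MAX:
        raise ValueError(f"cpu.shares {shares} outside [{CPU_SHARES_MIN}, {CPU_SHARES_MAX}]")
    return 1 + ((shares - 2) * 9999) // 262142


def cpu_max(quota, period):
    """cpu.max takes "QUOTA PERIOD" in a single write; quota <= 0 means unlimited ("max")."""
    quota_txt = "max" if quota is None or quota <= 0 else str(quota)
    return f"{quota_txt} {period or DEFAULT_CPU_PERIOD_US}"


def _limit(value, zero_means_max=False):
    """OCI uses -1 (and, for pids, 0) for "no limit"; cgroup v2 spells that "max"."""
    if value is None or value < 0 or (zero_means_max and value == 0):
        return "max"
    return str(value)


def convert_resources(res):
    """`res` is the OCI linux.resources object; returns [(v2 file, value), ...]."""
    writes = []
    cpu = res.get("cpu", {})
    if "shares" in cpu:
        writes.append(("cpu.weight", str(shares_to_weight(cpu["shares"]))))
    if "quota" in cpu or "period" in cpu:     # both fields land in one cpu.max write
        writes.append(("cpu.max", cpu_max(cpu.get("quota"), cpu.get("period"))))
    if "cpus" in cpu:
        writes.append(("cpuset.cpus", cpu["cpus"]))
    if "mems" in cpu:
        writes.append(("cpuset.mems", cpu["mems"]))

    mem = res.get("memory", {})
    if "limit" in mem:
        writes.append(("memory.max", _limit(mem["limit"])))
    if "reservation" in mem:
        writes.append(("memory.low", str(max(mem["reservation"], 0))))
    if "swap" in mem:
        # OCI/cgroup v1 "swap" is memory + swap; cgroup v2 memory.swap.max is swap only.
        swap, limit = mem["swap"], mem.get("limit", -1)
        if swap < 0:
            writes.append(("memory.swap.max", "max"))
        elif limit > 0:
            writes.append(("memory.swap.max", str(max(swap - limit, 0))))   # y = x - limit
        else:
            raise ValueError("memory.swap without a memory.limit cannot be expressed on cgroup v2")

    pids = res.get("pids", {})
    if "limit" in pids:
        writes.append(("pids.max", _limit(pids["limit"], zero_means_max=True)))

    blk = res.get("blockIO", {})
    if "weight" in blk:
        writes.append(("io.bfq.weight", f"default {blk['weight']}"))
    for dev in blk.get("weightDevice", []):    # one "MAJ:MIN WEIGHT" line per device
        writes.append(("io.bfq.weight", f"{dev['major']}:{dev['minor']} {dev['weight']}"))

    for huge in res.get("hugetlb", []):
        writes.append((f"hugetlb.{huge['pageSize']}.max", _limit(huge["limit"])))
    return writes


# Constructed sample: a cgroup v1 style resources object from a config.json.
SAMPLE_V1_RESOURCES = {
    "cpu": {"shares": 1024, "quota": 50000, "period": 100000, "cpus": "0-1", "mems": "0"},
    "memory": {"limit": 268435456, "reservation": 134217728, "swap": 536870912},
    "pids": {"limit": 100},
    "blockIO": {"weight": 500, "weightDevice": [{"major": 8, "minor": 0, "weight": 300}]},
    "hugetlb": [{"pageSize": "2MB", "limit": 1073741824}],
}

if __name__ == "__main__":
    for path, value in convert_resources(SAMPLE_V1_RESOURCES):
        print(f"{path:<20} {value}")
```

       The shares conversion is lossy at the low end: every value of
       cpu.shares below about 28 maps to cpu.weight 1, so two containers that
       differed on cgroup v1 can end up with equal weight on cgroup v2.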
                                 User Commands                         crun(1)