1crun(1) General Commands Manual crun(1)
2
6 crun - a fast and lightweight OCI runtime
7
11 crun [global options] command [command options] [arguments...]
12
16 crun is a command line program for running Linux containers that follow
17 the Open Container Initiative (OCI) format.
18
22 create Create a container. The runtime detaches from the container
23 process once the container environment is created. It is necessary to
24 successively use start for starting the container.
25 delete Remove definition for a container.
28 exec Exec a command in a running container.
31 list List known containers.
34 kill Send the specified signal to the container init process. If no
37 signal is specified, SIGTERM is used.
38 ps Show the processes running in a container.
41 run Create and immediately start a container.
44 spec Generate a configuration file.
47 start Start a container that was previously created. A container can‐
50 not be started multiple times.
51 state Output the state of a container.
54 pause Pause all the processes in the container.
57 resume Resume the processes in the container.
60 update Update container resource constraints.
63 checkpoint Checkpoint a running container using CRIU
66 restore Restore a container from a checkpoint
69
73 By default, when running as root user, crun saves its state under the
74 /run/crun directory. As unprivileged user, instead the XDG_RUNTIME_DIR
75 environment variable is honored, and the directory $XDG_RUN‐
76 TIME_DIR/crun is used. The global option --root overrides this set‐
77 ting.
78
82 --debug Produce verbose output.
83 --log=LOG-DESTINATION Define the destination for the error and warning
86 messages generated by crun. If the error happens late in the container
87 init process, when crun already stopped watching it, then it will be
88 printed to the container stderr.
89 It is specified in the form BACKEND:SPECIFIER.
92 These following backends are supported:
95 • file:PATH
98 • journald:IDENTIFIER
100 • syslog:IDENTIFIER
102 If no backend is specified, then file: is used by default.
106 --log-format=FORMAT Define the format of the log messages. It can ei‐
109 ther be text, or json. The default is text.
110 --no-pivot Use chroot(2) instead of pivot_root(2) when creating the
113 container. This option is not safe, and should be avoided.
114 --root=DIR Defines where to store the state for crun containers.
117 --systemd-cgroup Use systemd for configuring cgroups. If not speci‐
120 fied, the cgroup is created directly using the cgroupfs backend.
121 --cgroup-manager=MANAGER Specify what cgroup manager must be used.
124 Permitted values are cgroupfs, systemd and disabled.
125 -?, --help Print a help list.
128 --usage Print a short usage message.
131 -V, --version Print program version
134
137 crun [global options] create [options] CONTAINER
138 --bundle=PATH Path to the OCI bundle, by default it is the current di‐
141 rectory.
142 --config=FILE Override the configuration file to use. The default
145 value is config.json.
146 --console-socket=SOCKET Path to a UNIX socket that will receive the
149 ptmx end of the tty for the container.
150 --no-new-keyring Keep the same session key
153 --preserve-fds=N Additional number of FDs to pass into the container.
156 --pid-file=PATH Path to the file that will contain the container
159 process PID.
160
163 crun [global options] run [options] CONTAINER
164 --bundle=BUNDLE Path to the OCI bundle, by default it is the current
167 directory.
168 --config=FILE Override the configuration file to use. The default
171 value is config.json.
172 --console-socket=SOCKET Path to a UNIX socket that will receive the
175 ptmx end of the tty for the container.
176 --no-new-keyring Keep the same session key.
179 --preserve-fds=N Additional number of FDs to pass into the container.
182 --pid-file=PATH Path to the file that will contain the container
185 process PID.
186 --detach Detach the container process from the current session.
189
192 crun [global options] delete [options] CONTAINER
193 --force Delete the container even if it is still running.
196 --regex=REGEX Delete all the containers that satisfy the specified
199 regex.
200
203 crun [global options] exec [options] CONTAINER CMD
204 --apparmor=PROFILE Set the apparmor profile for the process.
207 --console-socket=SOCKET Path to a UNIX socket that will receive the
210 ptmx end of the tty for the container.
211 --cwd=PATH Set the working directory for the process to PATH.
214 --cap=CAP Specify an additional capability to add to the process.
217 --detach Detach the container process from the current session.
220 --cgroup=PATH Specify a sub-cgroup path inside the container cgroup.
223 The path must already exist in the container cgroup.
224 --env=ENV Specify an environment variable.
227 --no-new-privs Set the no new privileges value for the process.
230 --preserve-fds=N Additional number of FDs to pass into the container.
233 --process=FILE Path to a file containing the process JSON configura‐
236 tion.
237 --process-label=VALUE Set the asm process label for the process com‐
240 monly used with selinux.
241 --pid-file=PATH Path to the file that will contain the new process PID.
244 -t --tty Allocate a pseudo TTY.
247 **-u USERSPEC --user=USERSPEC Specify the user in the form UID[:GID].
250
253 crun [global options] list [options]
254 -q --quiet Show only the container ID.
257
260 crun [global options] kill [options] CONTAINER SIGNAL
261 --all Kill all the processes in the container.
264 --regex=REGEX Kill all the containers that satisfy the specified regex.
267
270 crun [global options] ps [options]
271 --format=FORMAT Specify the output format. It must be either table or
274 json. By default table is used.
275
278 crun [global options] spec [options]
279 -b DIR --bundle=DIR Path to the root of the bundle dir (default ".").
282 --rootless Generate a config.json file that is usable by an unprivi‐
285 leged user.
286
289 crun [global options] update [options] CONTAINER
290 --blkio-weight=VALUE Specifies per cgroup weight.
293 --cpu-period=VALUE CPU CFS period to be used for hardcapping.
296 --cpu-quota=VALUE CPU CFS hardcap limit.
299 --cpu-rt-period=VALUE CPU realtime period to be used for hardcapping.
302 --cpu-rt-runtime=VALUE CPU realtime hardcap limit.
305 --cpu-share=VALUE CPU shares.
308 --cpuset-cpus=VALUE CPU(s) to use.
311 --cpuset-mems=VALUE Memory node(s) to use.
314 --kernel-memory=VALUE Kernel memory limit.
317 --kernel-memory-tcp=VALUE Kernel memory limit for TCP buffer.
320 --memory=VALUE Memory limit.
323 --memory-reservation=VALUE Memory reservation or soft_limit.
326 --memory-swap=VALUE Total memory usage.
329 --pids-limit=VALUE Maximum number of pids allowed in the container.
332 -r, --resources=FILE Path to the file containing the resources to up‐
335 date.
336
339 crun [global options] checkpoint [options] CONTAINER
340 --image-path=DIR Path for saving CRIU image files
343 --work-path=DIR Path for saving work files and logs
346 --leave-running Leave the process running after checkpointing
349 --tcp-established Allow open TCP connections
352 --ext-unix-sk Allow external UNIX sockets
355 --shell-job Allow shell jobs
358 --pre-dump Only checkpoint the container's memory without stopping the
361 container. It is not possible to restore a container from a pre-dump.
362 A pre-dump always needs a final checkpoint (without --pre-dump). It is
363 possible to make as many pre-dumps as necessary. For a second pre-dump
364 or for a final checkpoint it is necessary to use --parent-path to point
365 crun (and thus CRIU) to the pre-dump.
366 --parent-path=DIR Doing multiple pre-dumps or the final checkpoint af‐
369 ter one or multiple pre-dumps requires that crun (and thus CRIU) knows
370 the location of the pre-dump. It is important to use a relative path
371 from the actual checkpoint directory specified via --image-path. It
372 will fail if an absolute path is used.
373 --manage-cgroups-mode=MODE Specify which CRIU manage cgroup mode should
376 be used. Permitted values are soft, ignore, full or strict. Default is
377 soft.
378
381 crun [global options] restore [options] CONTAINER
382 -b DIR --bundle=DIR Container bundle directory (default ".")
385 --image-path=DIR Path for saving CRIU image files
388 --work-path=DIR Path for saving work files and logs
391 --tcp-established Allow open TCP connections
394 --ext-unix Allow external UNIX sockets
397 --shell-job Allow shell jobs
400 --detach Detach from the container's process
403 --pid-file=FILE Where to write the PID of the container
406 --manage-cgroups-mode=MODE Specify which CRIU manage cgroup mode should
409 be used. Permitted values are soft, ignore, full or strict. Default is
410 soft.
411
416 Set the mount context type on volumes mounted with SELinux labels.
417 Valid context types are:
420 context (default)
421 fscontext
422 defcontext
423 rootcontext
424 More information on how the context mount flags works see the mount(8)
427 man page.
428
431 If the annotation run.oci.seccomp.receiver=PATH is specified, the sec‐
432 comp listener is sent to the UNIX socket listening on the specified
433 path. It can also set with the RUN_OCI_SECCOMP_RECEIVER environment
434 variable. It is an experimental feature, and the annotation will be
435 removed once it is supported in the OCI runtime specs. It must be an
436 absolute path.
437
440 If the annotation run.oci.seccomp.plugins=PLUGIN1[:PLUGIN2]... is spec‐
441 ified, the seccomp listener fd is handled through the specified plug‐
442 ins. The plugin must either be an absolute path or a file name that is
443 looked up by dlopen(3). More information on how the lookup is per‐
444 formed are available on the ld.so(8) man page.
445
448 If the annotation run.oci.seccomp_fail_unknown_syscall is present, then
449 crun will fail when an unknown syscall is encountered in the seccomp
450 configuration.
451
454 If the annotation run.oci.seccomp_bpf_data is present, then crun ig‐
455 nores the seccomp section in the OCI configuration file and use the
456 specified data as the raw data to the seccomp(SECCOMP_SET_MODE_FILTER)
457 syscall. The data must be encoded in base64.
458 It is an experimental feature, and the annotation will be removed once
461 it is supported in the OCI runtime specs.
462
465 If the annotation run.oci.keep_original_groups is present, then crun
466 will skip the setgroups syscall that is used to either set the addi‐
467 tional groups specified in the OCI configuration, or to reset the list
468 of additional groups if none is specified.
469
472 It is an experimental feature and will be removed once the feature is
473 in the OCI runtime specs.
474 If present, specify the path to the UNIX socket that will receive the
477 pidfd for the container process.
478
481 If the annotation run.oci.systemd.force_cgroup_v1=/PATH is present,
482 then crun will override the specified mount point /PATH with a cgroup
483 v1 mount made of a single hierarchy none,name=systemd. It is useful to
484 run on a cgroup v2 system containers using older versions of systemd
485 that lack support for cgroup v2.
486 Note: Your container host has to have the cgroup v1 mount already
489 present, otherwise this will not work. If you want to run the container
490 rootless, the user it runs under has to have permissions to this mount‐
491 point.
492 For example, as root:
495 mkdir /sys/fs/cgroup/systemd
498 mount cgroup -t cgroup /sys/fs/cgroup/systemd -o none,name=systemd,xattr
499 chown -R the_user.the_user /sys/fs/cgroup/systemd
500
504 Override the name for the systemd sub cgroup created under the systemd
505 scope, so the final cgroup will be like:
506 /sys/fs/cgroup/$PATH/$SUBGROUP
509 When it is set to the empty string, a sub cgroup is not created.
513 If not specified, it defaults to container on cgroup v2, and to "" on
516 cgroup v1.
517 e.g.
520 /sys/fs/cgroup//system.slice/foo-352700.scope/container
523
527 If the run.oci.systemd.subgroup annotation is specified, yet another
528 sub-cgroup is created and the container process is moved here.
529 If a cgroup namespace is used, the cgroup namespace is created before
532 moving the container to the delegated cgroup.
533 /sys/fs/cgroup/$PATH/$SUBGROUP/$DELEGATED-CGROUP
536 The runtime doesn't apply any limit to the $DELEGATED-CGROUP sub-
540 cgroup, the runtime uses only $PATH/$SUBGROUP.
541 The container payload fully manages $DELEGATE-CGROUP, the limits ap‐
544 plied to $PATH/$SUBGROUP still applies to $DELEGATE-CGROUP.
545 Since cgroup delegation is not safe on cgroup v1, this option is sup‐
548 ported only on cgroup v2.
549
552 If the annotation run.oci.hooks.stdout is present, then crun will open
553 the specified file and use it as the stdout for the hook processes.
554 The file is opened in append mode and it is created if it doesn't al‐
555 ready exist.
556
559 If the annotation run.oci.hooks.stderr is present, then crun will open
560 the specified file and use it as the stderr for the hook processes.
561 The file is opened in append mode and it is created if it doesn't al‐
562 ready exist.
563
566 It is an experimental feature.
567 If specified, run the specified handler for execing the container. The
570 only supported values are krun and wasm.
571 • krun: When krun is specified, the libkrun.so shared object is
574 loaded and it is used to launch the container using libkrun.
575 • wasm: If specified, run the wasm handler for container. Allows
577 running wasm workload natively. Accepts a .wasm binary as in‐
578 put and if .wat is provided it will be automatically compiled
579 into a wasm module. Stdout of wasm module is relayed back via
580 crun.
581
585 If the tmpcopyup option is specified for a tmpfs, then the path that is
586 shadowed by the tmpfs mount is recursively copied up to the tmpfs it‐
587 self.
588
591 If the copy-symlink option is specified, if the source of a bind mount
592 is a symlink, the symlink is recreated at the specified destination in‐
593 stead of attempting a mount that would resolve the symlink itself. If
594 the destination already exists and it is not a symlink with the ex‐
595 pected content, crun will return an error.
596
599 If a r$FLAG mount option is specified then the flag $FLAG is set recur‐
600 sively for each children mount.
601 These flags are supported:
604 • "rro"
607 • "rrw"
609 • "rsuid"
611 • "rnosuid"
613 • "rdev"
615 • "rnodev"
617 • "rexec"
619 • "rnoexec"
621 • "rsync"
623 • "rasync"
625 • "rdirsync"
627 • "rmand"
629 • "rnomand"
631 • "ratime"
633 • "rnoatime"
635 • "rdiratime"
637 • "rnodiratime"
639 • "rrelatime"
641 • "rnorelatime"
643 • "rstrictatime"
645 • "rnostrictatime"
647
651 If the idmap option is specified then the mount is ID mapped using the
652 container target user namespace. This is an experimental feature and
653 can change at any time without notice.
654 The idmap option supports a custom mapping that can be different than
657 the user namespace used by the container.
658 The mapping can be specified after the idmap option like:
661 idmap=uids=0-1-10#10-11-10;gids=0-100-10.
662 For each triplet, the first value is the start of the backing file sys‐
665 tem IDs that are mapped to the second value on the host. The length of
666 this mapping is given in the third value.
667 Multiple ranges are separated with #.
670 These values are written to the /proc/$PID/uid_map and
673 /proc/$PID/gid_map files to create the user namespace for the idmapped
674 mount.
675 The only two options that are currently supported after idmap are uids
678 and gids.
679 When a custom mapping is specified, a new user namespace is created for
682 the idmapped mount.
683 If no option is specified, then the container user namespace is used.
686 If the specified mapping is prepended with a '@' then the mapping is
689 considered relative to the container user namespace. The host ID for
690 the mapping is changed to account for the relative position of the con‐
691 tainer user in the container user namespace.
692 For example, the mapping: uids=@1-3-10, given a configuration like
695 "uidMappings": [
698 {
699 "containerID": 0,
700 "hostID": 0,
701 "size": 1
702 },
703 {
704 "containerID": 1,
705 "hostID": 2,
706 "size": 1000
707 }
708 ]
709 will be converted to the absolute value uids=1-4-10, where 4 is calcu‐
713 lated by adding 3 (container ID in the uids= mapping) and 1 (hostID -
714 containerID for the user namespace mapping where containerID = 1 is
715 found).
716 The current implementation doesn't take into account multiple user
719 namespace ranges, so it is the caller's responsibility to split a map‐
720 ping if it overlaps multiple ranges in the user namespace. In such a
721 case, there won't be any error reported.
722
725 When running as user different than root, an user namespace is automat‐
726 ically created even if it is not specified in the config file. The
727 current user is mapped to the ID 0 in the container, and any additional
728 id specified in the files /etc/subuid and /etc/subgid is automatically
729 added starting with ID 1.
730
734 Note: cgroup v2 does not yet support control of realtime processes and
735 the cpu controller can only be enabled when all RT processes are in the
736 root cgroup. This will make crun fail while running alongside RT pro‐
737 cesses.
738 If the cgroup configuration found is for cgroup v1, crun attempts a
741 conversion when running on a cgroup v2 system.
742 These are the OCI resources currently supported with cgroup v2 and how
745 they are converted when needed from the cgroup v1 configuration.
746
749 ┌────────────┬────────────────────┬──────────────────────┬──────────────────┐
750 │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
751 ├────────────┼────────────────────┼──────────────────────┼──────────────────┤
752 │limit │ memory.max │ y = x │ │
753 ├────────────┼────────────────────┼──────────────────────┼──────────────────┤
754 │swap │ memory.swap.max │ y = x - memory_limit │ the swap limit │
755 │ │ │ │ on cgroup v1 in‐ │
756 │ │ │ │ cludes the mem‐ │
757 │ │ │ │ ory usage too │
758 ├────────────┼────────────────────┼──────────────────────┼──────────────────┤
759 │reservation │ memory.low │ y = x │ │
760 └────────────┴────────────────────┴──────────────────────┴──────────────────┘
761
763 ┌────────┬────────────────────┬────────────┬─────────┐
764 │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
765 ├────────┼────────────────────┼────────────┼─────────┤
766 │limit │ pids.max │ y = x │ │
767 └────────┴────────────────────┴────────────┴─────────┘
768
770 ┌────────┬────────────────────┬──────────────────┬──────────────────┐
771 │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
772 ├────────┼────────────────────┼──────────────────┼──────────────────┤
773 │shares │ cpu.weight │ y = (1 + ((x - │ │
774 │ │ │ 2) * 9999) / │ │
775 │ │ │ 262142) │ │
776 ├────────┼────────────────────┼──────────────────┼──────────────────┤
777 │ │ convert from │ │ │
778 │ │ [2-262144] to │ │ │
779 │ │ [1-10000] │ │ │
780 ├────────┼────────────────────┼──────────────────┼──────────────────┤
781 │period │ cpu.max │ y = x │ period and quota │
782 │ │ │ │ are written to‐ │
783 │ │ │ │ gether │
784 ├────────┼────────────────────┼──────────────────┼──────────────────┤
785 │quota │ cpu.max │ y = x │ period and quota │
786 │ │ │ │ are written to‐ │
787 │ │ │ │ gether │
788 └────────┴────────────────────┴──────────────────┴──────────────────┘
789
791 ┌──────────────┬──────────────────────┬─────────────────────────┬──────────────────┐
792 │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
793 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
794 │weight │ io.bfq.weight │ y = x │ │
795 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
796 │weight_device │ io.bfq.weight │ y = x │ │
797 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
798 │weight │ io.weight (fallback) │ y = 1 + (x-10)*9999/990 │ convert linearly │
799 │ │ │ │ from [10-1000] │
800 │ │ │ │ to [1-10000] │
801 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
802 │weight_device │ io.weight (fallback) │ y = 1 + (x-10)*9999/990 │ convert linearly │
803 │ │ │ │ from [10-1000] │
804 │ │ │ │ to [1-10000] │
805 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
806 │rbps │ io.max │ y=x │ │
807 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
808 │wbps │ io.max │ y=x │ │
809 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
810 │riops │ io.max │ y=x │ │
811 ├──────────────┼──────────────────────┼─────────────────────────┼──────────────────┤
812 │wiops │ io.max │ y=x │ │
813 └──────────────┴──────────────────────┴─────────────────────────┴──────────────────┘
814
816 ┌────────┬────────────────────┬────────────┬─────────┐
817 │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
818 ├────────┼────────────────────┼────────────┼─────────┤
819 │cpus │ cpuset.cpus │ y = x │ │
820 ├────────┼────────────────────┼────────────┼─────────┤
821 │mems │ cpuset.mems │ y = x │ │
822 └────────┴────────────────────┴────────────┴─────────┘
823
825 ┌────────────────┬────────────────────┬────────────┬─────────┐
826 │OCI (x) │ cgroup 2 value (y) │ conversion │ comment │
827 ├────────────────┼────────────────────┼────────────┼─────────┤
828 │.limit_in_bytes │ hugetlb..max │ y = x │ │
829 └────────────────┴────────────────────┴────────────┴─────────┘
830 User Commands crun(1)