{"id":43573541,"url":"https://github.com/projectatomic/runc","last_synced_at":"2026-02-03T22:39:07.170Z","repository":{"id":41423661,"uuid":"66305060","full_name":"projectatomic/runc","owner":"projectatomic","description":"runc container cli tools","archived":false,"fork":false,"pushed_at":"2024-03-31T10:36:56.000Z","size":13890,"stargazers_count":16,"open_issues_count":9,"forks_count":19,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-06-19T00:25:53.208Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/projectatomic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-08-22T20:19:53.000Z","updated_at":"2022-06-01T13:35:46.000Z","dependencies_parsed_at":"2024-06-19T00:06:18.556Z","dependency_job_id":"f80ceff5-34a3-41b5-8ecb-c27bce184ffb","html_url":"https://github.com/projectatomic/runc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/projectatomic/runc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectatomic%2Frunc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectatomic%2Frunc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectatomic%2Frunc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectatomic%2Frunc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/projectatomic","download_url":"https://codeload.github.com/projectatomic/runc/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectatomic%2Frunc/sbom","scorecard":{"id":746407,"data":{"date":"2025-08-11","repo":{"name":"github.com/projectatomic/runc","commit":"e45dd70447fb72ee4e1f6989173aa6c5dd492d87"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.8,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 1/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating golang:1.7.1 to golang:1.7.1@sha256:97bb851c6df77ecd9f1b8cfae437829155783828d0de116d82212e9d989acd69","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 3 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T18:54:36.515Z","repository_id":41423661,"created_at":"2025-08-22T18:54:36.515Z","updated_at":"2025-08-22T18:54:36.515Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29060580,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T22:28:58.191Z","status":"ssl_error","status_checked_at":"2026-02-03T22:28:56.515Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-03T22:39:06.578Z","updated_at":"2026-02-03T22:39:07.163Z","avatar_url":"https://github.com/projectatomic.png","language":"Go","readme":"[![Build Status](https://jenkins.dockerproject.org/buildStatus/icon?job=runc Master)](https://jenkins.dockerproject.org/job/runc Master)\n\n## runc\n\n`runc` is a CLI tool for spawning and running containers according to the OCI specification.\n\n## Releases\n\n`runc` depends on and tracks the [runtime-spec](https://github.com/opencontainers/runtime-spec) repository.\nWe will try to make sure that `runc` and the OCI specification major versions stay in lockstep.\nThis means that `runc` 1.0.0 should implement the 1.0 version of the specification.\n\nYou can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.\n\n## Building\n\n`runc` currently supports the Linux platform with various architecture support. \nIt must be built with Go version 1.6 or higher in order for some features to function properly.\n\n```bash\n# create a 'github.com/opencontainers' in your GOPATH/src\ncd github.com/opencontainers\ngit clone https://github.com/opencontainers/runc\ncd runc\n\nmake\nsudo make install\n```\n\n`runc` will be installed to `/usr/local/sbin/runc` on your system.\n\nIn order to enable seccomp support you will need to install libseccomp on your platform.\nIf you do not want to build `runc` with seccomp support you can add `BUILDTAGS=\"\"` when running make.\n\n#### Build Tags\n\n`runc` supports optional build tags for compiling support of various features.\nTo add build tags to the make option the `BUILDTAGS` variable must be set.\n\n```bash\nmake BUILDTAGS='seccomp apparmor'\n```\n\n| Build Tag | Feature                            | Dependency  |\n|-----------|------------------------------------|-------------|\n| seccomp   | Syscall filtering                  | libseccomp  |\n| selinux   | selinux process and mount labeling | \u003cnone\u003e      |\n| apparmor  | apparmor profile support           | libapparmor |\n\n\n### Running the test suite\n\n`runc` currently supports running its test suite via Docker.\nTo run the suite just type `make test`.\n\n```bash\nmake test\n```\n\nThere are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.\n\nYou can run a specific test case by setting the `TESTFLAGS` variable.\n\n```bash\n# make test TESTFLAGS=\"-run=SomeTestFunction\"\n```\n\n## Using runc\n\n### Creating an OCI Bundle\n\nIn order to use runc you must have your container in the format of an OCI bundle.\nIf you have Docker installed you can use its `export` method to acquire a root filesystem from an existing Docker container.\n\n```bash\n# create the top most bundle directory\nmkdir /mycontainer\ncd /mycontainer\n\n# create the rootfs directory\nmkdir rootfs\n\n# export busybox via Docker into the rootfs directory\ndocker export $(docker create busybox) | tar -C rootfs -xvf -\n```\n\nAfter a root filesystem is populated you just generate a spec in the format of a `config.json` file inside your bundle.\n`runc` provides a `spec` command to generate a base template spec that you are then able to edit.\nTo find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.\n\n```bash\nrunc spec\n```\n\n### Running Containers\n\nAssuming you have an OCI bundle from the previous step you can execute the container in two different ways.\n\nThe first way is to use the convenience command `run` that will handle creating, starting, and deleting the container after it exits.\n\n```bash\ncd /mycontainer\n\nrunc run mycontainerid\n```\n\nIf you used the unmodified `runc spec` template this should give you a `sh` session inside the container.\n\nThe second way to start a container is using the specs lifecycle operations.\nThis gives you move power of how the container is created and managed while it is running.\nThis will also launch the container in the background so you will have to edit the `config.json` to remove the `terminal` setting for the simple examples here.\nYour process field in the `config.json` should look like this below with `\"terminal\": false` and `\"args\": [\"sleep\", \"5\"]`.\n\n\n```json\n        \"process\": {\n                \"terminal\": false,\n                \"user\": {\n                        \"uid\": 0,\n                        \"gid\": 0\n                },\n                \"args\": [\n                        \"sleep\", \"5\"\n                ],\n                \"env\": [\n                        \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\n                        \"TERM=xterm\"\n                ],\n                \"cwd\": \"/\",\n                \"capabilities\": [\n                        \"CAP_AUDIT_WRITE\",\n                        \"CAP_KILL\",\n                        \"CAP_NET_BIND_SERVICE\"\n                ],\n                \"rlimits\": [\n                        {\n                                \"type\": \"RLIMIT_NOFILE\",\n                                \"hard\": 1024,\n                                \"soft\": 1024\n                        }\n                ],\n                \"noNewPrivileges\": true\n        },\n```\n\nNow we can go though the lifecycle operations in your shell.\n\n\n```bash\ncd /mycontainer\n\nrunc create mycontainerid\n\n# view the container is created and in the \"created\" state\nrunc list\n\n# start the process inside the container\nrunc start mycontainerid\n\n# after 5 seconds view that the container has exited and is now in the stopped state\nrunc list\n\n# now delete the container\nrunc delete mycontainerid\n```\n\nThis adds more complexity but allows higher level systems to manage runc and provides points in the containers creation to setup various settings after the container has created and/or before it is deleted.\nThis is commonly used to setup the container's network stack after `create` but before `start` where the user's defined process will be running.\n\n#### Supervisors\n\n`runc` can be used with process supervisors and init systems to ensure that containers are restarted when they exit.\nAn example systemd unit file looks something like this.\n\n```systemd\n[Unit]\nDescription=Start My Container\n\n[Service]\nType=forking\nExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid\nExecStopPost=/usr/local/sbin/runc delete mycontainerid\nWorkingDirectory=/mycontainer\nPIDFile=/run/mycontainerid.pid\n\n[Install]\nWantedBy=multi-user.target\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprojectatomic%2Frunc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprojectatomic%2Frunc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprojectatomic%2Frunc/lists"}