LinuxCommandLibrary

crun

Run OCI containers

SYNOPSIS

crun [GLOBAL-OPTIONS...] COMMAND [COMMAND-OPTIONS] [ARGS...]
bundle-path container-id [COMMAND]

PARAMETERS

-h, --help
    Print help and exit

--version
    Print version information and exit

--rootless
    Force rootless mode (auto-detected by default)

--systemd-cgroup
    Use systemd for cgroup v2 management

--cgroup-manager MGR
    Cgroup manager: cgroupfs|systemd

--debug
    Enable verbose debug logging

--log LEVEL
    Log level: panic|fatal|error|warn|info|debug

--log-file FILE
    Write logs to specified file

-r, --root PATH
    Root directory for container state (default: /run/crun)

--preserve-fds N
    Preserve N extra FDs across exec

--file-lock METHOD
    Locking: llapi|flock|auto

--no-pid-ns
    Skip PID namespace setup

--no-new-keyring
    Don't create new session keyring

--user-uid-map MAPPING
    UID map: UID:LOWER:COUNT for rootless

DESCRIPTION

Crun is a high-performance, OCI Runtime Specification-compliant implementation for Linux containers. Written in C, it offers dramatically faster startup times and lower memory usage compared to the Go-based runc, often achieving 10x speedups. It supports rootless execution, cgroup v2 via systemd, seccomp profiles, and checkpoint/restore with CRIU.

As a drop-in replacement for runc, crun integrates with container tools such as Podman, Buildah, LXC, and containerd (used by Docker). It handles namespace setup, capability drops, pivot_root, and mounts efficiently. It is well suited to high-density workloads, edge computing, and environments that prioritize low latency and resource efficiency.

Crun emphasizes security with fine-grained AppArmor/SELinux support and avoids dynamic linking for a smaller attack surface.

CAVEATS

Requires Linux kernel ≥ 3.10 with user namespaces for rootless; cgroup v2 recommended. CRIU checkpoint/restore needs kernel support and may fail with complex mounts. Not for non-Linux hosts.

MAIN SUBCOMMANDS

run: Execute container from config.json
spec: Generate runtime config.json
exec: Run process in running container
state: Inspect container state
list|ps: List containers/processes
pause|resume|kill: Control running containers
checkpoint|restore: CRIU support

BASIC USAGE

cd /path/to/bundle    # bundle directory containing rootfs/
crun spec --rootless  # writes config.json into the current directory
crun run mycontainer  # runs the bundle in the current directory as container "mycontainer"
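
Before handing a config.json to crun run, it is worth checking that the isolation features named in the DESCRIPTION (namespaces, capability drops, seccomp) are actually switched on in it. The script below is an added example, not part of crun or of the original page; it reads standard OCI runtime-spec fields, and the choice of risky capabilities, the expected namespace set and both sample configs are assumptions constructed for illustration.

```python
import json, sys

# Assumed policy: capabilities treated as too powerful to leave in the bounding set.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"}
# Assumed policy: namespace types every container should get (a type not listed is inherited).
EXPECTED_NS = {"pid", "mount", "ipc", "uts", "network"}

def audit_oci_config(cfg):
    """Return a list of findings for a parsed OCI config.json."""
    findings = []
    proc, linux = cfg.get("process", {}), cfg.get("linux", {})
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not true")
    bounding = set(proc.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & RISKY_CAPS):
        findings.append(f"bounding set keeps {cap}")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root.readonly is not true")
    ns = {n.get("type") for n in linux.get("namespaces", [])}
    for missing in sorted(EXPECTED_NS - ns):
        findings.append(f"no {missing} namespace: inherited from the runtime")
    if "seccomp" not in linux:
        findings.append("linux.seccomp missing: no syscall filter")
    if proc.get("user", {}).get("uid", 0) == 0 and "user" not in ns:
        findings.append("runs as uid 0 without a user namespace")
    return findings

# Constructed sample: shares the network namespace, keeps CAP_SYS_ADMIN, no seccomp.
WEAK = {
    "process": {"user": {"uid": 0, "gid": 0},
                "capabilities": {"bounding": ["CAP_SYS_ADMIN", "CAP_KILL"]}},
    "root": {"path": "rootfs"},
    "linux": {"namespaces": [{"type": t} for t in ("pid", "mount", "ipc", "uts")]},
}
# Constructed sample: the same container with each finding addressed.
HARDENED = {
    "process": {"user": {"uid": 0, "gid": 0}, "noNewPrivileges": True,
                "capabilities": {"bounding": ["CAP_KILL"]}},
    "root": {"path": "rootfs", "readonly": True},
    "linux": {"namespaces": [{"type": t} for t in
                             ("pid", "mount", "ipc", "uts", "network", "user")],
              "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": []}},
}

if __name__ == "__main__":
    # Audit the file given as the first argument, or the constructed weak sample.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK
    for finding in audit_oci_config(cfg):
        print("FINDING:", finding)
```

Run it with the path to a bundle's config.json as the only argument; no output means none of the checks fired.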

HISTORY

Created by Giuseppe Scrivano in 2019 as a performant C alternative to runc(8). Passed OCI conformance tests quickly; adopted by Podman/Libpod. Versions post-1.0 added cgroup v2, CRIU restore, slirp4netns integration. Actively maintained with focus on speed/security.

SEE ALSO

runc(8), podman(1), buildah(1), lxc(1), containerd(8)
