LinuxCommandLibrary

crun

Run OCI containers

SYNOPSIS

crun [GLOBAL_OPTIONS] COMMAND [COMMAND_OPTIONS] [ARGUMENTS...]

Common commands:
run Create and run a container
create Create a container
start Start a created container
state Query the state of a container
kill Send a signal to a container
delete Delete a container
exec Execute a command in a running container
update Update container resources
checkpoint Checkpoint a container
restore Restore a container from checkpoint
spec Create a new bundle specification file

PARAMETERS

--root
    Specify the root directory for crun state and storage.

--log
    Set the path to the log file for crun operations.

--log-format
    Define the format for log output, e.g., json or text.

--systemd-cgroup
    Enable the systemd cgroup driver for container management.

--no-pivot
    Do not use pivot_root system call for container filesystem setup.

--debug
    Enable verbose debug logging for troubleshooting.

--version
    Display the crun version information and exit.

--help
    Show the main help message for crun.

DESCRIPTION

crun is an OCI (Open Container Initiative) compliant container runtime implemented in C. It serves as a high-performance, resource-efficient alternative to other runtimes like runc.

Designed with speed and a minimal memory footprint in mind, crun excels in environments where resource optimization is crucial, such as high-density container deployments or embedded systems. It fully adheres to the OCI Runtime Specification, enabling seamless integration with container orchestrators and managers like Podman, Buildah, and CRI-O.

Key features include comprehensive support for Linux namespaces and cgroups (both v1 and v2), along with robust security mechanisms such as seccomp, AppArmor, and SELinux. Its native C implementation contributes to faster container startup times and reduced overhead compared to runtimes written in higher-level languages. This makes crun a preferred choice for users prioritizing performance and efficiency in their containerized workloads.

CAVEATS

crun requires a relatively recent Linux kernel for full functionality, especially for cgroup v2 support and the advanced security features (seccomp, AppArmor, SELinux) described below.

While highly optimized, direct interaction with crun should always be done with an understanding of container security best practices, ensuring containers are run with the principle of least privilege. Although largely OCI compliant, subtle differences in implementation or specific feature support might exist compared to other runtimes like runc, which might affect highly specialized or legacy container configurations.
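The bundle that `crun spec` writes and `crun run` consumes is a config.json following the OCI Runtime Specification, and the least-privilege caveat above is applied by editing that file before the container is started. The following added example (not part of the crun project or this page) audits such a config for common privilege problems and produces a hardened copy; the sample config, the list of dangerous capabilities and the tiny seccomp allow list are all constructed for illustration.

```python
import copy
# Constructed minimal OCI runtime config, in the shape of the config.json that
# `crun run <bundle>` consumes (not the output of `crun spec`).
SAMPLE_CONFIG = {
    "process": {"args": ["sh"], "noNewPrivileges": False,
                "capabilities": {k: ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"]
                                 for k in ("bounding", "effective", "permitted")}},
    "root": {"path": "rootfs", "readonly": False},
    "linux": {"namespaces": [{"type": t} for t in ("pid", "mount", "ipc", "uts")]},
}
# Capabilities that let a container process reach into the host; dropped by default.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"}
REQUIRED_NS = ("pid", "mount", "network")
# Default-deny seccomp: unlisted syscalls fail with EPERM. The allow list is only
# illustrative; a real workload needs its own, derived from the calls it makes.
SECCOMP_DENY_BY_DEFAULT = {"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
                           "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}]}

def audit_oci_config(cfg: dict) -> list:
    """Return least-privilege findings for an OCI runtime config (empty if clean)."""
    findings = []
    proc = cfg.get("process", {})
    if not proc.get("noNewPrivileges"):
        findings.append("process.noNewPrivileges is not true")
    for cap_set, caps in proc.get("capabilities", {}).items():
        bad = sorted(DANGEROUS_CAPS & set(caps))
        if bad:
            findings.append(f"process.capabilities.{cap_set} grants {', '.join(bad)}")
    if not cfg.get("root", {}).get("readonly"):
        findings.append("root.readonly is not true")
    linux = cfg.get("linux", {})
    if "seccomp" not in linux:
        findings.append("linux.seccomp is absent (no syscall filtering)")
    present = {n["type"] for n in linux.get("namespaces", [])}
    findings += [f"linux.namespaces lacks {t}" for t in REQUIRED_NS if t not in present]
    return findings

def harden_oci_config(cfg: dict) -> dict:
    """Return a deep copy of cfg with least-privilege settings applied."""
    out = copy.deepcopy(cfg)
    proc = out.setdefault("process", {})
    proc["noNewPrivileges"] = True
    for caps in proc.get("capabilities", {}).values():
        caps[:] = [c for c in caps if c not in DANGEROUS_CAPS]
    out.setdefault("root", {})["readonly"] = True
    linux = out.setdefault("linux", {})
    linux.setdefault("seccomp", copy.deepcopy(SECCOMP_DENY_BY_DEFAULT))
    ns = linux.setdefault("namespaces", [])
    ns += [{"type": t} for t in REQUIRED_NS if t not in {n["type"] for n in ns}]
    return out
```

Run the audit against a bundle's config.json before `crun run`, and keep the seccomp allow list specific to the workload rather than reusing the illustrative one.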

OCI COMPLIANCE

crun fully adheres to the Open Container Initiative Runtime Specification, ensuring broad compatibility and interoperability with all OCI-compliant container orchestrators and tools. This commitment guarantees that container bundles created according to the OCI spec can be reliably executed by crun.

PERFORMANCE CHARACTERISTICS

A primary strength of crun is its exceptional performance. Benchmarks often show significantly faster container startup times and a lower memory footprint compared to other runtimes, especially when managing a large number of containers. This efficiency is largely attributed to its optimized C codebase.

SECURITY FEATURES INTEGRATION

crun seamlessly integrates with core Linux security features to provide robust container isolation. It supports seccomp for system call filtering, AppArmor and SELinux for mandatory access control, and leverages Linux namespaces and cgroups for process and resource isolation.

HISTORY

Developed by Giuseppe Scrivano, crun emerged as a powerful alternative to the widely used runc container runtime. Its development was driven by the goal of creating a faster and more resource-efficient OCI runtime, particularly beneficial for scenarios demanding high performance and low overhead, such as cloud-native applications and embedded systems.

Written entirely in C, crun leverages the language's efficiency to achieve its performance targets. It has gained significant traction within the Linux container ecosystem, being adopted by projects like Podman as a default or preferred runtime on various distributions (e.g., Fedora), owing to its superior startup times and reduced memory consumption.

SEE ALSO

runc(8), podman(1), buildah(1), crictl(8), oci-runtime-spec(7)
