# opencontainers/runc **Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/opencontainers-runc).** 13,067 stars · 2,260 forks · Go · apache-2.0 ## Links - GitHub: https://github.com/opencontainers/runc - Homepage: https://www.opencontainers.org/ - awesome-repositories: https://awesome-repositories.com/repository/opencontainers-runc.md ## Topics `containers` `docker` `oci` ## Description runc is a command-line utility for spawning and running containers on Linux systems according to the Open Container Initiative specification. It serves as a low-level container execution engine that interfaces directly with the host operating system to manage the lifecycle of isolated processes. The tool functions as a Linux process containerizer, utilizing kernel features such as namespaces for process isolation and control groups for resource governance. It enforces security by restricting processes to specific directory trees and dropping unnecessary kernel privileges to minimize the attack surface of the host system. By parsing standardized configuration files, the runtime translates high-level specifications into the system calls required to initialize and execute containerized workloads. It replaces the container initialization process with the target application, ensuring the container runs as the primary process on the host. ## Tags ### DevOps & Infrastructure - [Container Runtimes](https://awesome-repositories.com/f/devops-infrastructure/container-runtimes.md) — Provides a low-level tool for spawning and running containers on Linux systems according to the Open Container Initiative specification. ([source](https://github.com/opencontainers/runc/blob/master/docs/Security-Audit.pdf)) - [Container Lifecycle Management](https://awesome-repositories.com/f/devops-infrastructure/container-lifecycle-management.md) — Manages the lifecycle of containerized processes according to standardized Open Container Initiative specifications. - [Container Orchestration Platforms](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration-platforms.md) — Serves as the foundational execution layer for higher-level container management and orchestration platforms. ### Programming Languages & Runtimes - [Execution Engines](https://awesome-repositories.com/f/programming-languages-runtimes/runtime-execution-environments/runtime-environments/execution-engines.md) — Acts as a core execution engine that interfaces directly with the host operating system to run containerized applications. ### Security & Cryptography - [Runtime and Process Isolation](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/sandbox-and-isolation/runtime-process-isolation.md) — Manages the lifecycle of isolated processes by leveraging kernel features like namespaces and control groups. - [Control-Group-Based Resource Management](https://awesome-repositories.com/f/security-cryptography/account-management/hierarchical-grouping/resource-management-groups/control-group-based-resource-management.md) — Organizes container processes into hierarchical control groups to enforce strict CPU, memory, and I/O resource limits. - [Container Privilege Restrictions](https://awesome-repositories.com/f/security-cryptography/security/policies/capability-authorization/capability-based-security/container-privilege-restrictions.md) — Implements granular privilege dropping to minimize the host system attack surface during container execution. ### Operating Systems & Systems Programming - [Namespace-Based Isolation](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/process-isolation/namespace-based-isolation.md) — Uses Linux kernel namespaces to create isolated environments where processes have their own view of system resources. - [Container Initialization Managers](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/process-lifecycle-orchestrators/process-lifecycle-managers/container-initialization-managers.md) — Replaces the container initialization process with the target application to ensure it runs as the primary process. ### Software Engineering & Architecture - [OS-Level Virtualization](https://awesome-repositories.com/f/software-engineering-architecture/sandboxed-execution-environments/kernel-level-virtual-machines/os-level-virtualization.md) — Isolates application processes from the host operating system using kernel features to ensure secure and portable environments. - [Filesystem Root Restrictions](https://awesome-repositories.com/f/software-engineering-architecture/execution-control/namespace-isolation/namespace-provisioners/container-isolation/filesystem-root-restrictions.md) — Restricts processes to specific directory trees using pivot root to ensure the container cannot access host files. ### Web Development - [Specification Parsers](https://awesome-repositories.com/f/web-development/web-standards/standards-compliant-implementations/specification-parsers.md) — Translates standardized JSON configuration files into the system calls required to initialize and execute containerized workloads.