What is runc

runc is the reference implementation of the OCI Runtime Specification. It is the low-level container runtime that Docker, Podman, containerd, and CRI-O all use by default to create and run containers.

How it works

runc takes an OCI bundle — a directory containing a root filesystem and a config.json file — and creates a running container. The config.json specifies namespaces, cgroup limits, mount points, Linux capabilities, seccomp profiles, and the process to execute.

runc performs the container creation steps: clone() with namespace flags, cgroup directory creation, root filesystem pivot, capability dropping, and exec() of the entrypoint. After the process starts, runc exits — the container is a normal Linux process managed by the kernel.
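To make the config.json settings above concrete, here is an added example (not runc's own code and not part of the original page): a small Python audit that parses a constructed bundle config and flags the settings that weaken the isolation runc will set up, namely missing namespaces, a broad capability bounding set, a missing seccomp profile, noNewPrivileges left off, a writable root filesystem, and bind mounts of host paths. The field names follow the OCI runtime spec; the sample values, the high-risk capability list, and the hardening choices are this example's own assumptions.

```python
"""Audit an OCI runtime config.json for the settings runc will apply at container start.

Added example, not runc's own code. Field names follow the OCI runtime spec; the
sample config, the risk thresholds and the hardening values are this example's own.
"""
import copy
import json

# Constructed sample config.json, abbreviated; a real bundle carries more fields.
SAMPLE_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "args": ["/bin/sh"],
        "cwd": "/",
        "noNewPrivileges": False,
        "capabilities": {
            "bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
            "effective": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
            "permitted": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
        },
    },
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/host", "type": "bind", "source": "/", "options": ["rbind", "rw"]},
    ],
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "network"},
                       {"type": "ipc"}, {"type": "uts"}],
    },
})

# Capabilities whose presence in the bounding set deserves review (example's own list).
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}
# Namespaces runc can create; any one missing is shared with the host.
EXPECTED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts", "user"}


def audit_config(config_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    cfg = json.loads(config_text)
    process = cfg.get("process", {})
    linux = cfg.get("linux", {})
    findings = []

    # Each listed namespace becomes a clone() flag; anything absent stays the host's.
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"namespace '{ns}' not created; shared with the host")

    # uid 0 without a user namespace is host root with whatever capabilities remain.
    if process.get("user", {}).get("uid") == 0 and "user" not in present:
        findings.append("process runs as uid 0 without a user namespace")

    # The bounding set limits what the process can ever regain after capability dropping.
    caps = process.get("capabilities", {})
    for cap in sorted(set(caps.get("bounding", [])) & HIGH_RISK_CAPS):
        findings.append(f"high-risk capability {cap} in bounding set")

    # no_new_privs stops setuid binaries from raising privileges after exec().
    if not process.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not set")

    # Without a seccomp profile every syscall the capabilities allow is reachable.
    if "seccomp" not in linux:
        findings.append("no seccomp profile configured")

    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")

    # Bind mounts pull host paths into the container; host-wide or writable ones stand out.
    for m in cfg.get("mounts", []):
        if m.get("type") == "bind" and (m.get("source") == "/" or "ro" not in m.get("options", [])):
            findings.append(f"bind mount of {m.get('source')} at {m.get('destination')} "
                            "is host-wide or writable")
    return findings


def hardened_copy(config_text):
    """Return the same config with the flagged settings corrected (illustrative values)."""
    cfg = copy.deepcopy(json.loads(config_text))
    proc, linux = cfg["process"], cfg["linux"]
    linux["namespaces"].append({"type": "user"})
    # Map container uid/gid 0 onto an unprivileged host range (constructed numbers).
    linux["uidMappings"] = [{"containerID": 0, "hostID": 100000, "size": 65536}]
    linux["gidMappings"] = [{"containerID": 0, "hostID": 100000, "size": 65536}]
    for cap_set in proc["capabilities"].values():
        cap_set[:] = [c for c in cap_set if c not in HIGH_RISK_CAPS]
    proc["noNewPrivileges"] = True
    # Deny-by-default profile; a real one enumerates the syscalls the workload needs.
    linux["seccomp"] = {"defaultAction": "SCMP_ACT_ERRNO",
                        "syscalls": [{"names": ["read", "write", "exit_group"],
                                      "action": "SCMP_ACT_ALLOW"}]}
    cfg["root"]["readonly"] = True
    cfg["mounts"] = [m for m in cfg["mounts"] if m.get("type") != "bind"]
    return json.dumps(cfg)


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("after hardening:", audit_config(hardened_copy(SAMPLE_CONFIG)))
```

Run against the constructed sample, the audit reports seven findings; the hardened copy reports none. The checks map directly onto the creation steps runc performs: the namespace list drives the clone() flags, the capability sets drive the capability drop, and the seccomp profile and noNewPrivileges flag are applied just before exec() of the entrypoint.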

Alternatives to runc: crun (written in C, lower memory, faster startup), youki (written in Rust), gVisor's runsc (intercepts syscalls for stronger isolation), Kata Containers (launches a lightweight VM per container).

Why it matters

runc is the foundation that every major container platform builds on. Understanding runc means understanding what happens at the lowest level when a container starts. It is swappable — changing the runtime from runc to crun or gVisor changes the isolation model without changing the image format or orchestration layer.

See How Containers Work for the full startup sequence.