
Week 2 - The OCI Runtime Spec, runc, and crun

2.1 Conceptual Core

  • A runtime bundle = a directory containing config.json (the runtime spec) + rootfs/ (the filesystem to chroot/pivot_root into).
  • runc create <id> reads config.json, sets up namespaces, cgroups, mounts, seccomp and capabilities, then waits. runc start <id> runs the configured command. runc state <id> shows status. runc kill <id> sends SIGTERM. runc delete <id> cleans up.
  • Two production runtimes, both implementing the OCI runtime spec, plus a third gaining ground:
      • runc (Go, the reference; what Docker / containerd use by default).
      • crun (C, faster startup, lower memory, default in Podman on RHEL/Fedora).
      • youki (Rust, gaining ground; primary Rust implementation).

2.2 Mechanical Detail

  • config.json schema (runtime-spec/config.md). Major sections:
      • `process` - args, env, user, capabilities, rlimits.
      • `root` - path to rootfs, `readonly` flag.
      • `mounts` - list of mounts.
      • `linux.namespaces`, `linux.uidMappings`, `linux.gidMappings` - isolation.
      • `linux.resources` - cgroup settings.
      • `linux.seccomp` - full seccomp filter.
      • `linux.maskedPaths`, `linux.readonlyPaths` - host-leakage hardening.
      • `hooks` - pre/post container lifecycle.

2.3 Lab: "Run a Container Without Docker"

  1. Generate a default config: runc spec produces config.json.
  2. Build a rootfs: mkdir rootfs && skopeo copy docker://alpine:3.19 oci:./alpine:3.19 && umoci unpack --image ./alpine:3.19 ./bundle (umoci gives you both rootfs + config in one step; the tag on the oci: destination must match the one umoci looks up). Or do it manually.
  3. Run, from inside the bundle directory: sudo runc run mycontainer. You're inside the container.
  4. Modify the config to: drop all capabilities except CAP_NET_BIND_SERVICE, set a memory limit of 64M, mask /proc/sys. Re-run; verify with cat /proc/self/status | grep Cap and memory-pressure tests.
  5. Repeat with crun. Time the startup difference (time runc run vs time crun run): crun is typically 2–5× faster.

2.4 Hardening Drill

  • Read the default seccomp profile in runc's libcontainer/seccomp/seccomp_default.go (the equivalent profile is shipped with Docker as default.json). It is an allow-list, so note which syscalls it admits and which are therefore left blocked. Review the spec's linux.seccomp schema and write a tighter custom profile for a specific service.

2.5 Production Readiness Slice

  • Add an automated CI step that lints any custom config.json against the OCI spec schema. Use runc spec --rootless and study the differences vs the privileged config: this is the foundation for Month 3's rootless work.
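Added example, not code from the course or from runc: a small Python helper that applies the lab step 4 changes (minimal capabilities, 64M memory limit, masked /proc/sys) to a `runc spec` config and then lints the result the way the CI step above would. SAMPLE_SPEC is a constructed stand-in for the few keys of a real config.json that these checks touch.

```python
import copy
import json

CAP_KEEP = ["CAP_NET_BIND_SERVICE"]          # only capability to survive (lab step 4)
MEM_LIMIT = 64 * 1024 * 1024                 # 64M, in bytes as the spec expects

# Constructed stand-in for the relevant slice of `runc spec` output.
SAMPLE_SPEC = {
    "process": {"capabilities": {
        "bounding": ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"],
        "effective": ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"],
        "permitted": ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]}},
    "root": {"path": "rootfs", "readonly": False},
    "linux": {"resources": {}, "maskedPaths": ["/proc/kcore"],
              "readonlyPaths": ["/proc/sys"]},
}

def harden(spec):
    """Return a hardened copy: minimal caps, 64M memory cap, /proc/sys masked."""
    s = copy.deepcopy(spec)                  # never mutate the caller's config
    caps = s.setdefault("process", {}).setdefault("capabilities", {})
    # Keep every capability set consistent so runc does not reject the spec.
    for cap_set in ("bounding", "effective", "permitted", "inheritable", "ambient"):
        caps[cap_set] = list(CAP_KEEP)
    linux = s.setdefault("linux", {})
    linux.setdefault("resources", {}).setdefault("memory", {})["limit"] = MEM_LIMIT
    masked = linux.setdefault("maskedPaths", [])
    if "/proc/sys" not in masked:
        masked.append("/proc/sys")           # maskedPaths covers a tmpfs over the dir
    return s

def lint(spec):
    """CI-style policy checks; returns a list of findings (empty means clean)."""
    findings = []
    caps = spec.get("process", {}).get("capabilities", {})
    for cap_set in ("bounding", "effective", "permitted"):
        extra = set(caps.get(cap_set, [])) - set(CAP_KEEP)
        if extra:
            findings.append(f"{cap_set} grants extra caps: {sorted(extra)}")
    limit = spec.get("linux", {}).get("resources", {}).get("memory", {}).get("limit")
    if limit is None or limit > MEM_LIMIT:
        findings.append("memory limit missing or above 64M")
    if "/proc/sys" not in spec.get("linux", {}).get("maskedPaths", []):
        findings.append("/proc/sys is not masked")
    return findings

if __name__ == "__main__":
    print("findings before:", lint(SAMPLE_SPEC))   # five findings on the sample
    hardened = harden(SAMPLE_SPEC)
    print(json.dumps(hardened, indent=2))
    print("findings after:", lint(hardened))       # []
```

To run it against a real bundle, replace SAMPLE_SPEC with json.load(open("bundle/config.json")) and write the hardened dict back before runc run.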
