containerd/docs/RUNC.md
Sebastiaan van Stijn 8325ba5d36
Separate runc binary version from libcontainer version
Now that the dependency on runc (libcontainer) code has been reduced
considerably, it is probably ok to cut the version dependency between
libcontainer and the runc binary that is supported.

This patch separates the runc binary version from the version of
libcontainer that is defined in go.mod, and updates the documentation
accordingly.

The RUNC_COMMIT variable in the install-runc script is renamed to
RUNC_VERSION to encourage using tagged versions, and the Dockerfile
in contrib is updated to allow building with a custom version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-10 13:41:12 +01:00


containerd is built with OCI support and with support for advanced features provided by runc.

Development (-dev) and pre-releases of containerd may depend on features in runc that have not yet been released, and may require a specific runc build. The version of runc that is tested against in our CI can be found in the RUNC_VERSION variable in the script/setup/install-runc script, which may point to a git commit (for pre-releases) or a tag in the runc repository.

For regular (non-pre-)releases of containerd, we attempt to use released (tagged) versions of runc. We recommend using a version of runc that's equal to or higher than the version of runc described in script/setup/install-runc.

If you encounter any runtime errors, make sure your runc is in sync with the commit or tag provided in that file.
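The check above can be scripted. The following is an added example, not part of containerd or runc: it compares the RUNC_VERSION value (a tag such as v1.0.0-rc93, or a git commit hash) against the output of `runc --version`, which is assumed to contain a `runc version X` line and a `commit: Y` line; the sample output used in the stand-alone run is constructed.

```shell
#!/bin/sh
# Added example (not containerd's or runc's own code).
# runc_matches_pin PIN OUTPUT
#   PIN    : the RUNC_VERSION value from script/setup/install-runc
#            (tag like "v1.0.0-rc93", or a full/abbreviated commit hash)
#   OUTPUT : the text printed by `runc --version`
# Returns 0 when the installed runc matches the pin, 1 otherwise.
runc_matches_pin() {
    pin="$1"
    output="$2"
    # "runc version 1.0.0-rc93"  -> "1.0.0-rc93"
    installed_version=$(printf '%s\n' "$output" | sed -n 's/^runc version //p')
    # "commit: 12644e61..."      -> "12644e61..." (may carry a -dirty suffix)
    installed_commit=$(printf '%s\n' "$output" | sed -n 's/^commit: //p')

    case "$pin" in
        *[!0-9a-f]*)
            # Not a bare hex string, so it is a tag: drop a leading "v" and
            # require an exact version match (no "higher is fine" shortcut,
            # a pre-release may need exactly this build).
            [ -n "$installed_version" ] && [ "${pin#v}" = "$installed_version" ]
            ;;
        *)
            # Commit pin: the installed commit must start with the pinned hash,
            # so an abbreviated hash in install-runc still matches.
            [ -n "$installed_commit" ] || return 1
            case "$installed_commit" in
                "$pin"*) return 0 ;;
                *)       return 1 ;;
            esac
            ;;
    esac
}

# Stand-alone use: sh check-runc.sh <RUNC_VERSION value>
# Only runs when a pin is given and a runc binary is on PATH.
if [ -n "${1:-}" ] && command -v runc >/dev/null 2>&1; then
    if runc_matches_pin "$1" "$(runc --version)"; then
        echo "runc matches pin $1"
    else
        echo "runc does NOT match pin $1 (see script/setup/install-runc)" >&2
    fi
fi
```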

building

For more information on how to clone and build runc also refer to the runc building documentation.

Before building runc you may need to install additional build dependencies, which will vary by platform. For example, you may need to install libseccomp (e.g. libseccomp-dev on Ubuntu).

From within your opencontainers/runc repository run:

make && sudo make install

Starting with runc 1.0.0-rc93, the "selinux" and "apparmor" build tags have been removed, and runc builds have SELinux, AppArmor, and seccomp support enabled by default. Note that "seccomp" can be disabled by passing an empty BUILDTAGS make variable, but it is highly recommended to keep it enabled.

By default, runc is compiled with kernel-memory limiting support enabled. This functionality is deprecated in kernel 5.4 and up, and is known to be broken on RHEL7 and CentOS 7 3.10 kernels. For these kernels, we recommend disabling kmem support using the nokmem build-tag. When doing so, be sure to set the seccomp build-tag to enable seccomp support, for example:

make BUILDTAGS='nokmem seccomp' && make install

For details about the nokmem build-tag, refer to the discussion on opencontainers/runc#2594. For further details on building runc, refer to the build instructions in the runc README.