🍪 An OCI spec-compliant Linux container runtime, written in Go.

License

Notifications You must be signed in to change notification settings

nixpig/anocir

Repository files navigation

build

🍪 anocir

[an-oh-cheer] Another OCI Runtime.

An experimental Linux container runtime, implementing the OCI Runtime Spec.

The process of building this is being documented in a series of blog posts which you can read here: Building a container runtime from scratch in Go.

(screenshot: docker hello-world with anocir runtime)

This is a personal project for me to explore and better understand the OCI Runtime Spec. It's not production-ready, and it probably never will be, but feel free to look around! If you're looking for a production-ready alternative to runc, take a look at youki, which I think is pretty cool.

anocir passes all passable tests in the opencontainers OCI runtime test suite. That doesn't mean that anocir is feature-complete...yet. See below for outstanding items.

🗒️ To do (items remaining for me to consider this 'complete')

  • Unit tests (not planned for now: integration tests seem to be sufficing)
  • Implement optional Seccomp
  • Implement optional AppArmor

Installation

Caution

Some features may require sudo and make changes to your system.

Given this is an experimental project, take appropriate precautions.

Download pre-built binary

  1. Go to Releases and download the tarball for your architecture, e.g. anocir_0.0.1_linux_amd64.tar.gz.
  2. Extract the anocir binary from the tarball and put somewhere in $PATH, e.g. ~/.local/bin.

Build from source

Prerequisite: a Go compiler installed (instructions).

git clone git@github.com:nixpig/anocir.git
cd anocir
make build
mv tmp/bin/anocir ~/.local/bin

I'm developing anocir on the following environment. Even with the same set-up, YMMV.

  • Linux vagrant 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • go version go1.23.4 linux/amd64
  • Docker version 27.3.1, build ce12230

You can spin up this VM from the included Vagrantfile, just run vagrant up.

Usage

Docker

By default, the Docker daemon uses the runc container runtime. anocir can be used as a drop-in replacement for runc.

You can find detailed instructions on how to configure alternative runtimes in the Docker docs. If you just want to quickly experiment, the following should suffice:

# 1. Stop any running Docker service
sudo systemctl stop docker.service

# 2. Start the Docker Daemon with added anocir runtime
sudo dockerd --add-runtime anocir=PATH_TO_ANOCIR_BINARY

# 3. Run a container using the anocir runtime
docker run -it --runtime anocir busybox sh
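The `--add-runtime` flag above only lasts for that one foreground dockerd. To register anocir persistently, put it in the daemon configuration instead. The following daemon.json is an added example, not part of the anocir project or the Docker docs; the binary path is an assumption and must be an absolute path to wherever you installed anocir.

```json
{
  "runtimes": {
    "anocir": {
      "path": "/usr/local/bin/anocir"
    }
  }
}
```

Save it as /etc/docker/daemon.json, run `sudo systemctl restart docker.service`, and check that the runtime is registered with `docker info --format '{{json .Runtimes}}'` before trying `docker run -it --runtime anocir busybox sh`. Because dockerd executes the runtime as root, anyone who can write to that path can run code as root; a user-writable location such as ~/.local/bin is fine for a throwaway VM but not for anything else, which is why the example uses a root-owned directory.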

CLI

The anocir CLI implements the OCI Runtime Command Line Interface spec.

View full docs by running anocir --help or anocir COMMAND --help.

Progress

My goal is for anocir to (eventually) pass all tests in the opencontainers OCI Runtime Spec test suite. Below is progress against that goal.

✅ Passing

Tests are run on every build in this Github Action.

  • default
  • ___
  • config_updates_without_affect
  • create
  • delete
  • hooks
  • hooks_stdin
  • hostname
  • kill
  • killsig
  • kill_no_effect
  • linux_devices
  • linux_masked_paths
  • linux_mount_label
  • linux_ns_itype
  • linux_ns_nopath
  • linux_ns_path
  • linux_ns_path_type
  • linux_readonly_paths
  • linux_rootfs_propagation
  • linux_sysctl
  • misc_props (flaky: the test suite tries to delete the container before the process has exited and the status has been updated to stopped)
  • mounts
  • poststart
  • poststop
  • prestart
  • prestart_fail
  • process
  • process_capabilities
  • process_capabilities_fail
  • process_oom_score_adj
  • ❌ process_rlimits
  • process_rlimits_fail
  • process_user
  • root_readonly_true
  • start
  • state
  • linux_uid_mappings

⚠️ Unsupported tests

cgroups v1 & v2 support

The OCI Runtime Spec test suite provided by opencontainers supports cgroup v1 only; it does not support cgroup v2.

anocir currently implements both cgroup v1 and v2. However, like runc and other container runtimes, the "find x cgroup" checks in these tests pass while the "get x cgroup data" checks fail.

Full list of cgroups tests
  • linux_cgroups_blkio
  • linux_cgroups_cpus
  • linux_cgroups_devices
  • linux_cgroups_hugetlb
  • linux_cgroups_memory
  • linux_cgroups_network
  • linux_cgroups_pids
  • linux_cgroups_relative_blkio
  • linux_cgroups_relative_cpus
  • linux_cgroups_relative_devices
  • linux_cgroups_relative_hugetlb
  • linux_cgroups_relative_memory
  • linux_cgroups_relative_network
  • linux_cgroups_relative_pids
  • delete_resources
  • delete_only_create_resources

Broken tests

Tests failed by runc and other container runtimes. In some cases the tests may be broken; in others, who knows. Either way, for my purposes, parity with other runtimes is more important than passing the tests.

  • pidfile
  • poststart_fail
  • poststop_fail

Tests that 'pass' (seemingly) regardless of whether the feature has been implemented. May indicate a bad test.

  • linux_process_apparmor_profile
  • linux_seccomp
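The two tests above passing says nothing about whether a bundle's seccomp filter or AppArmor profile is actually applied, and the To-do list above records that anocir does not implement either yet. A practitioner running anocir on a bundle therefore wants to know when config.json asks for protections the runtime will silently skip. The following Go program is an added example, not code from the anocir project: it parses config.json with only the standard library (a minimal struct rather than the opencontainers runtime-spec types), flags seccomp and AppArmor settings as unenforced per the To-do list, and adds a few hardening checks that are this example's own policy, not an OCI requirement. The embedded sample config is constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// ociConfig is a minimal view of an OCI runtime config.json: only the fields
// this check inspects. Field names follow the OCI Runtime Spec; everything
// else in the file is ignored by encoding/json.
type ociConfig struct {
	Process struct {
		NoNewPrivileges bool   `json:"noNewPrivileges"`
		ApparmorProfile string `json:"apparmorProfile"`
		Capabilities    *struct {
			Bounding []string `json:"bounding"`
		} `json:"capabilities"`
	} `json:"process"`
	Root struct {
		Readonly bool `json:"readonly"`
	} `json:"root"`
	Linux *struct {
		Seccomp     json.RawMessage `json:"seccomp"`
		MaskedPaths []string        `json:"maskedPaths"`
	} `json:"linux"`
}

// CheckBundleConfig returns one warning per setting in config.json that
// anocir's To-do list says is not yet implemented (seccomp, AppArmor), plus
// hardening checks that are this example's own policy (hypothetical, not
// part of the OCI spec or of anocir).
func CheckBundleConfig(configJSON []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("config.json: %w", err)
	}
	var warnings []string
	// A present, non-null linux.seccomp object is a request for a filter
	// that an unimplemented seccomp feature cannot install.
	if cfg.Linux != nil && len(cfg.Linux.Seccomp) > 0 && string(cfg.Linux.Seccomp) != "null" {
		warnings = append(warnings, "linux.seccomp is set, but seccomp is unimplemented in anocir: the filter will not be installed")
	}
	if cfg.Process.ApparmorProfile != "" {
		warnings = append(warnings, "process.apparmorProfile is set, but AppArmor is unimplemented in anocir: the profile will not be applied")
	}
	if !cfg.Process.NoNewPrivileges {
		warnings = append(warnings, "process.noNewPrivileges is false: setuid binaries in the rootfs can regain privileges")
	}
	if cfg.Process.Capabilities != nil {
		for _, c := range cfg.Process.Capabilities.Bounding {
			if c == "CAP_SYS_ADMIN" {
				warnings = append(warnings, "CAP_SYS_ADMIN is in the bounding set: broad kernel attack surface")
			}
		}
	}
	if !cfg.Root.Readonly {
		warnings = append(warnings, "root.readonly is false: the rootfs is writable")
	}
	if cfg.Linux != nil && len(cfg.Linux.MaskedPaths) == 0 {
		warnings = append(warnings, "linux.maskedPaths is empty: kernel-sensitive /proc entries such as /proc/kcore are not hidden")
	}
	return warnings, nil
}

// sampleConfig is a constructed config.json fragment (not from any real
// bundle) that requests both a seccomp filter and an AppArmor profile and
// keeps CAP_SYS_ADMIN in the bounding set.
const sampleConfig = `{
  "ociVersion": "1.0.2",
  "process": {
    "noNewPrivileges": true,
    "apparmorProfile": "docker-default",
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"]}
  },
  "root": {"path": "rootfs", "readonly": true},
  "linux": {
    "seccomp": {"defaultAction": "SCMP_ACT_ERRNO"},
    "maskedPaths": ["/proc/kcore"]
  }
}`

// Usage: go run check.go [path/to/bundle/config.json]; without an argument
// the embedded sample is checked. Exit status 1 means at least one warning.
func main() {
	data := []byte(sampleConfig)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	warnings, err := CheckBundleConfig(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(warnings) > 0 {
		fmt.Println(strings.Join(warnings, "\n"))
		os.Exit(1)
	}
	fmt.Println("no warnings")
}
```

Run it against a bundle's config.json before `anocir create`; for the embedded sample it reports three warnings (seccomp, AppArmor, CAP_SYS_ADMIN). The seccomp and AppArmor warnings should be removed once those items leave the To-do list; the remaining checks are a starting point for whatever bundle policy you actually want, not a substitute for running the container under a runtime that enforces the profile.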

Contributing

Feel free to leave any comments/suggestions/feedback in issues.

Inspiration

While this project was built entirely from scratch, inspiration was taken from existing runtimes, in no particular order:

License

MIT