Frequently Asked Question
What does runc actually do? How does crun differ?
runc is the reference implementation of the OCI runtime specification: the small
Go binary that actually creates the namespaces, sets up the cgroups, pivots the root,
drops capabilities, applies the seccomp filter, and execs the container's first
process. It is the piece that Docker, Podman, containerd and CRI-O all eventually
invoke. It takes an unpacked root filesystem plus a config.json (together, an OCI
bundle) and produces a running container; everything above it in the stack is build
tooling, image management, networking, and orchestration.
crun is an alternative OCI runtime written in C by Red Hat. It does the same job as
runc but is roughly an order of magnitude smaller and faster to start, because it
avoids the Go runtime entirely and uses the kernel's own clone3 and other modern
syscalls directly. Podman and CRI-O can use either; many distributions (Fedora,
CentOS Stream, RHEL) ship crun as the default. Because both implement the same OCI
spec they are drop-in replacements: the same image and config produce the same
container, just slightly faster with crun.
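Because both runtimes consume the same bundle, the security posture of a container is decided by the fields in config.json rather than by the choice of runc or crun. The following is an added example, not code from this page, runc or crun: two hand-constructed configs (a hardened one shaped like the output of `runc spec`, and a loosened one resembling a "privileged" bundle) and a hypothetical `audit_config()` helper that flags the settings a reviewer would want to see before either runtime is pointed at the bundle. The JSON field names are the real OCI ones; the helper name, the expected-namespace set and the small capability list are this example's own choices.

```python
"""Inspect the security-relevant parts of an OCI runtime config.json.

Added example (not from the page, runc or crun). HARDENED and LOOSENED are
constructed by hand; audit_config() is a hypothetical helper name.
"""
import json

# Namespaces an OCI runtime is expected to create for an isolated container.
EXPECTED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}

# Capabilities whose presence in the bounding set largely defeats isolation
# (illustrative subset chosen for this example, not a complete list).
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_DAC_READ_SEARCH"}

_MINIMAL_CAPS = ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]

# Constructed: roughly what `runc spec` writes for a default bundle.
HARDENED = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "args": ["sh"],
        "user": {"uid": 0, "gid": 0},
        "noNewPrivileges": True,
        "capabilities": {"bounding": _MINIMAL_CAPS, "effective": _MINIMAL_CAPS,
                         "permitted": _MINIMAL_CAPS},
    },
    "root": {"path": "rootfs", "readonly": True},
    "linux": {
        "namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount")],
        "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": []},
        "maskedPaths": ["/proc/kcore"],
    },
})

_WIDE_CAPS = ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"]

# Constructed: a loosened bundle of the kind a "privileged" flag produces.
LOOSENED = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "args": ["sh"],
        "user": {"uid": 0, "gid": 0},
        "noNewPrivileges": False,
        "capabilities": {"bounding": _WIDE_CAPS, "effective": _WIDE_CAPS,
                         "permitted": _WIDE_CAPS},
    },
    "root": {"path": "rootfs", "readonly": False},
    "linux": {
        # No pid or network namespace: shares the host process tree and network.
        "namespaces": [{"type": "mount"}, {"type": "ipc"}, {"type": "uts"}],
        # "seccomp" omitted entirely: no syscall filter is installed.
    },
})


def audit_config(config_json: str) -> list[str]:
    """Return a list of findings for a config.json string (empty means nothing flagged)."""
    cfg = json.loads(config_json)
    findings = []
    linux = cfg.get("linux", {})
    process = cfg.get("process", {})

    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for missing in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"missing {missing} namespace: shared with the host")
    if "user" not in present:
        findings.append("no user namespace: uid 0 in the container is host uid 0")

    bounding = set(process.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & HIGH_RISK_CAPS):
        findings.append(f"{cap} in bounding set: near-root power inside the container")

    if not process.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is false: setuid binaries can regain privileges")

    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")

    seccomp = linux.get("seccomp")
    if seccomp is None:
        findings.append("no seccomp profile: every syscall is reachable")
    elif seccomp.get("defaultAction") == "SCMP_ACT_ALLOW" and not seccomp.get("syscalls"):
        findings.append("seccomp defaultAction is SCMP_ACT_ALLOW with no rules: filter is a no-op")

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("loosened", LOOSENED)):
        print(f"{name}:")
        for line in audit_config(cfg) or ["nothing flagged"]:
            print("  -", line)
```

The hardened config still produces one finding (no user namespace), which matches what a default `runc spec` bundle looks like: user namespaces are opt-in, so a reviewer should expect that line and decide whether rootless or user-namespaced operation is required. Everything else the loosened config is flagged for is something the runtime will faithfully apply whether it is runc or crun.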