github.com/containerd/Containerd@v1.4.13/RUNC.md (about)

containerd is built with OCI support and with support for advanced features
provided by [runc](https://github.com/opencontainers/runc).

Development (`-dev`) and pre-releases of containerd may depend on features in `runc`
that have not yet been released, and may require a specific runc build. The version
of runc that our CI tests against is recorded in the [`script/setup/runc-version`](../script/setup/runc-version)
file, which may point to a git commit (for pre-releases) or a tag in the runc
repository.

For regular (non-pre-release) releases of containerd, we attempt to use released
(tagged) versions of runc. We recommend using a version of runc that's equal to
or higher than the version of runc described in [`script/setup/runc-version`](../script/setup/runc-version).

If you encounter any runtime errors, make sure your runc is in sync with the
commit or tag provided in that file.

## building

> For more information on how to clone and build runc also refer to the runc
> building [documentation](https://github.com/opencontainers/runc#building).

Before building runc you may need to install additional build dependencies, which
will vary by platform. For example, you may need to install `libseccomp`
(the `libseccomp-dev` package on Ubuntu).

From within your `opencontainers/runc` repository run:

```bash
make && sudo make install
```

Starting with runc 1.0.0-rc93, the "selinux" and "apparmor" buildtags have been
removed, and runc builds have SELinux, AppArmor, and seccomp support enabled
by default. Note that "seccomp" can be disabled by passing an empty `BUILDTAGS`
make variable, but keeping it enabled is highly recommended.

By default, runc is compiled with kernel-memory limiting support enabled. This
functionality is deprecated in kernel 5.4 and up, and is known to be broken on
RHEL7 and CentOS 7 3.10 kernels. For these kernels, we recommend disabling kmem
support using the `nokmem` build-tag. When doing so, be sure to set the `seccomp`
build-tag to enable seccomp support, for example:

```sh
make BUILDTAGS='nokmem seccomp' && make install
```

For details about the `nokmem` build-tag, refer to the discussion on [opencontainers/runc#2594](https://github.com/opencontainers/runc/pull/2594).
For further details on building runc, refer to the [build instructions in the runc README](https://github.com/opencontainers/runc#building).
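
The two checks this page asks for (runc in sync with the tag or commit in `script/setup/runc-version`, and seccomp left enabled) can be scripted; the following is an added example, not part of the containerd repository. It assumes the `runc --version` layout of recent runc releases, including a `libseccomp:` line when seccomp is compiled in; the function names `runc_field` and `check_runc` and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not containerd's own tooling.

# runc_field KEY: read `runc --version` output on stdin and print one field.
# KEY "version" reads "runc version X"; any other KEY reads "KEY: value".
runc_field() {
    awk -v key="$1" '
        key == "version" && $1 == "runc" && $2 == "version" { print $3; exit }
        $1 == key ":" { print $2; exit }'
}

# check_runc PINNED VERSION_OUTPUT
# PINNED is the content of script/setup/runc-version (a tag or a commit).
# Prints one line per check; returns 0 only when both checks pass.
check_runc() {
    pinned=$1 out=$2 rc=0
    version=$(printf '%s\n' "$out" | runc_field version)
    commit=$(printf '%s\n' "$out" | runc_field commit)
    # "commit:" is a raw hash or `git describe` output (tag-N-g<hash>[-dirty]).
    hash=${commit##*-g}
    hash=${hash%-dirty}

    if [ -n "$version" ] && [ "$pinned" = "v$version" ]; then
        echo "ok: runc matches pinned tag $pinned"
    elif [ "${#hash}" -ge 7 ] && [ "${pinned#"$hash"}" != "$pinned" ]; then
        echo "ok: runc matches pinned commit $pinned"
    else
        echo "MISMATCH: pinned=$pinned installed=$version ($commit)"
        rc=1
    fi

    # Assumption: a seccomp-enabled runc reports "libseccomp: X.Y.Z".
    if [ -n "$(printf '%s\n' "$out" | runc_field libseccomp)" ]; then
        echo "ok: seccomp support compiled in"
    else
        echo "WARNING: no libseccomp line; runc may lack seccomp support"
        rc=1
    fi
    return "$rc"
}

# Constructed sample output, so the script runs without runc installed.
SAMPLE='runc version 1.0.3
commit: v1.0.3-0-g0123abcd
spec: 1.0.2-dev
go: go1.16.13
libseccomp: 2.5.1'
check_runc v1.0.3 "$SAMPLE"
```

On a host, call it from a containerd checkout as `check_runc "$(cat script/setup/runc-version)" "$(runc --version)"`. The check tests for an exact match with the pin, which is the condition to verify first when chasing runtime errors; a newer tagged runc will report a mismatch even though the page permits it.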