Skip to content
OCI-interfacing Container runtime for Nabla Containers
Branch: master
Clone or download
ananos and lumjjb resolve hostnames: Include standard /etc files from host OS (#68)
* resolve: Include standard /etc files from host OS

To be able to resolve hostnames from the nabla-container, we use the
Mounts dict from the docker cli config.json and cp resolv.conf, hosts
& hostname to the rootfs dir before creating the ISO fs.

This is a temporary hack. We need to figure out how to do that

Signed-off-by: Anastassios Nanos <>

* resolve: use short-hand notation for local vars

Signed-off-by: Anastassios Nanos <>
Latest commit 46ededd Mar 20, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
hack Support for `make container-uninstall` (#67) Mar 20, 2019
solo5 @ 120848b
tests solo5: update to point to the latest upstream (#63) Feb 26, 2019
.gitmodules solo5: update to point to the latest upstream (#63) Feb 26, 2019
.travis.yml solo5: update to point to the latest upstream (#63) Feb 26, 2019
AUTHORS license and DCO 1.1 Jun 15, 2018
Gopkg.toml Created initial skeleton of runnc-cli Aug 6, 2018
Makefile Updated README to install jq Feb 14, 2019
delete.go replaced old runnc with new runnc-cli Oct 18, 2018
exec.go replaced old runnc with new runnc-cli Oct 18, 2018
init.go Change print line to format (#54) Nov 30, 2018
kill.go replaced old runnc with new runnc-cli Oct 18, 2018
runnc.go fix typos, whitespace (#43) Nov 6, 2018
start.go replaced old runnc with new runnc-cli Oct 18, 2018
util.go Pass memory to runnc (#47) Nov 28, 2018
util_nabla.go replaced old runnc with new runnc-cli Oct 18, 2018
util_runner.go replaced old runnc with new runnc-cli Oct 18, 2018
util_signal.go replaced old runnc with new runnc-cli Oct 18, 2018
util_tty.go Pass memory to runnc (#47) Nov 28, 2018

Build Status Go Report Card


runnc is the nabla-container runtime which interfaces with the container OCI runtime spec to create a nabla-container runtime. The runtime currently re-uses functionality from runc for some setup steps, but will eventually be self-sufficient in providing nabla-container equivalent setups.

Getting started with the go repo!

  1. Ensure that your GOPATH is set. (
  2. Go get the repo go get
  3. Install genisoimage on host sudo apt install genisoimage
  4. Install jq on host sudo apt install jq
  5. Ensure that docker is installed (docker-ce recent versions, i.e. v15 onwards)

Docker major versions tested with:

  • docker-ce 17

Build and Install Runnc

We have created two ways to build and install runnc. You may build inside a container, or perform a local build.

Build with a container

# Go to the repo
cd $GOPATH/src/

# make container-build to build runnc.
make container-build

# make container-install to install runnc
make container-install

Build locally

# Go to the repo
cd $GOPATH/src/

# Get the neceesary binaries for the runtime
make build

# Install libseccomp on the host
sudo apt install libseccomp-dev

# Install the appropriate binaries/libraries
make install

Configure Docker to use new Runtime

  1. Install genisoimage and libseccomp on host
sudo apt install genisoimage
sudo apt install libseccomp-dev
  1. Modify to add runtime to /etc/docker/daemon.json, for example:
    "runtimes": {
        "runnc": {
                "path": "/usr/local/bin/runnc"
  1. Restart docker
systemctl restart docker
  1. Run with runtime:
sudo docker run --rm --runtime=runnc nablact/nabla-node-base:latest


There are many. Some are fixable and being worked on, some are fixable but harder and will take some time, and some others are ones that we don't really know how to fix (or possibly not worth fixing).

Container runtime limitations:

  • Unable to properly handle /32 IP address assignments. Current hack converts cidr from 32 to 1

Here are some missing features that we are currently working on:

  • a golang base image
  • MirageOS and IncludeOS base images
  • base images for all the known apps that can run on rumprun (from rumprun-packages), like openjdk.
  • a writable file system. Currently only /tmp is writable.
  • support for committing the image
  • volumes (as in docker -v /a:/a)
  • not ignoring cgroups (start with the memory ones)
  • multiple network interfaces
  • not using runc as an intermediate step. Right now, runnc calls runc which then calls nabla-run
  • runnc use of interactive console/tty (i.e. docker run -it)

These are some harder features (sorted from more to less important):

  • allow dynamic loading of libraries. The nabla runtime can only start static binaries and that seems to be OK for most things, but one big limitation is that python can't load modules with .so's in them.
  • use something other than the rumprun netbsd libc: we could use LKL, or IncludeOS recent support for musl libc, or wrap the netbsd libc on something that looks like glibc
  • mmap() for sharing memory to/from another process (nabla and not nabla)
  • GPU support
  • support for custom/host namespaces
  • docker exec. What exactly would it run? what do people do for microcontainers (like an image with just one statically built go binary)
  • "real" TLS (Thread Local Storage) support. Right now, pthread-key based thread specific data is supported (pthread_key_create / pthread_setspecific), but it does not use the real segment-based TLS. So you would get the correct behavior, but not the best-performing implementation. Also, __thread is not supported.

Harder limitations that we don't know how to fix (nor we don't know if they should be fixed):

  • support for running vanilla images. Currently nabla can only run nabla based images.
  • fork(). Should a nabla process fork another nabla process (unikernel)? a single unikernel can't run multiple address spaces
You can’t perform that action at this time.