Show HN: I built an OCI container runtime in Python (for fun)
4 months ago
- #docker
- #python
- #container-runtime
- Puncker-rt is an educational, OCI-compliant container runtime written in pure Python.
- It replaces runc in the Docker stack to demonstrate container internals.
- Uses ctypes to interact with Linux system calls (unshare, mount, pivot_root, execve).
- Implements the OCI Runtime Specification, acting as a translation layer between the JSON config and the Linux kernel.
- Core concepts include Namespaces, Filesystem Dance (pivot_root), Capabilities, and Cgroups V2.
- Requires Linux Kernel 5.x+, Python 3.13+, and Docker for management.
- Installation involves cloning the repo and installing the binary via pip.
- Docker integration requires editing /etc/docker/daemon.json and restarting Docker.
- Supports running containers via Docker CLI with the --runtime=puncker flag.
- Codebase is structured for readability with main.py, constants.py, and errors.py.
- Features include Filesystem Isolation, Proc/Sysfs/Tmpfs Mounting, and Docker Integration.
- Limitations include no TTY support, no seccomp, and no cgroups v1 support (only cgroups v2).
- Encourages contributions via PRs under the MIT License.
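The "translation layer" bullets above (ctypes calls to unshare/mount/pivot_root, OCI JSON in, kernel flags out) are the core of what such a runtime does. The following is an added example written for this page, not Puncker-rt's own code: it turns the `linux.namespaces` and `mounts[].options` fields of an OCI `config.json` into the bitmasks the kernel expects, and wraps the three syscalls with ctypes the way the post describes. The flag tables, the function names, the constructed sample config, and the pivot_root syscall numbers (155 on x86_64, 41 on aarch64) are this example's own assumptions; the wrappers need CAP_SYS_ADMIN to actually run, so the stand-alone demo only prints the computed plan.

```python
# Added example (not Puncker-rt's code): OCI config -> Linux flags, plus ctypes
# wrappers for unshare(2), mount(2) and pivot_root(2).
import ctypes
import ctypes.util
import json
import os

# Namespace flags from <linux/sched.h> (architecture-independent values).
CLONE_NEWNS = 0x00020000
CLONE_NEWCGROUP = 0x02000000
CLONE_NEWUTS = 0x04000000
CLONE_NEWIPC = 0x08000000
CLONE_NEWUSER = 0x10000000
CLONE_NEWPID = 0x20000000
CLONE_NEWNET = 0x40000000

# Mount flags from <linux/mount.h>.
MS_RDONLY = 0x1
MS_NOSUID = 0x2
MS_NODEV = 0x4
MS_NOEXEC = 0x8
MS_BIND = 0x1000
MS_REC = 0x4000
MS_PRIVATE = 0x40000

# OCI "linux.namespaces[].type" -> clone flag (table assumed by this example).
OCI_NAMESPACE_FLAGS = {
    "mount": CLONE_NEWNS, "cgroup": CLONE_NEWCGROUP, "uts": CLONE_NEWUTS,
    "ipc": CLONE_NEWIPC, "user": CLONE_NEWUSER, "pid": CLONE_NEWPID,
    "network": CLONE_NEWNET,
}

# OCI "mounts[].options" entries that are flag bits; anything else (e.g.
# "mode=755", "size=65536k") is filesystem-specific data for mount(2).
OCI_MOUNT_FLAGS = {
    "ro": MS_RDONLY, "nosuid": MS_NOSUID, "nodev": MS_NODEV, "noexec": MS_NOEXEC,
    "bind": MS_BIND, "rbind": MS_BIND | MS_REC,
    "private": MS_PRIVATE, "rprivate": MS_PRIVATE | MS_REC,
}

# Constructed sample config.json fragment (not from any real container).
SAMPLE_CONFIG_JSON = """{
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"},
                           {"type": "network", "path": "/proc/1234/ns/net"}]},
  "mounts": [{"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
              "options": ["nosuid", "strictatime", "mode=755", "size=65536k"]}]
}"""


def namespace_flags(config):
    """Return (unshare_flags, namespaces_to_join).

    Per the OCI spec an entry with a "path" means "join this existing
    namespace" via setns(2), not "create a new one", so it adds no clone bit.
    """
    flags, to_join = 0, []
    for ns in config.get("linux", {}).get("namespaces", []):
        ns_type = ns["type"]
        if ns_type not in OCI_NAMESPACE_FLAGS:
            raise ValueError(f"unknown namespace type: {ns_type}")
        if "path" in ns:
            to_join.append((ns_type, ns["path"]))
        else:
            flags |= OCI_NAMESPACE_FLAGS[ns_type]
    return flags, to_join


def mount_flags(options):
    """Split an OCI option list into (MS_* bitmask, data string for mount(2))."""
    flags, data = 0, []
    for opt in options:
        if opt in OCI_MOUNT_FLAGS:
            flags |= OCI_MOUNT_FLAGS[opt]
        else:
            data.append(opt)
    return flags, ",".join(data)


# --- ctypes wrappers: these touch the kernel and need CAP_SYS_ADMIN ---

def _libc():
    return ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)


def _check(ret, call):
    if ret != 0:
        err = ctypes.get_errno()
        raise OSError(err, f"{call} failed: {os.strerror(err)}")


def unshare(flags):
    """unshare(2). CLONE_NEWPID only applies to children created afterwards,
    so a runtime forks the container's init process after this call."""
    _check(_libc().unshare(flags), "unshare")


def mount(source, target, fstype, flags, data=""):
    """mount(2) with a mask from mount_flags(); empty data is passed as NULL."""
    libc = _libc()
    libc.mount.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p,
                           ctypes.c_ulong, ctypes.c_char_p]
    _check(libc.mount(source.encode(), target.encode(), fstype.encode(),
                      flags, data.encode() or None), "mount")


def pivot_root(new_root, put_old):
    """pivot_root(2) has no glibc wrapper, so go through syscall(2).
    new_root must already be a mount point (bind-mount it onto itself first)."""
    nr = {"x86_64": 155, "aarch64": 41}[os.uname().machine]  # assumed numbers
    _check(_libc().syscall(nr, new_root.encode(), put_old.encode()), "pivot_root")


if __name__ == "__main__":
    cfg = json.loads(SAMPLE_CONFIG_JSON)
    print("unshare flags / join:", namespace_flags(cfg))
    for m in cfg["mounts"]:
        print(m["destination"], "->", mount_flags(m["options"]))
```

The split between `namespace_flags` and `mount_flags` on one side and the ctypes wrappers on the other is deliberate: the pure translation is testable without privileges, and every syscall wrapper checks the return value and raises with errno rather than silently continuing, which is where a home-grown runtime is most likely to leave a container less isolated than its config claims.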