.nh
.TH runc-exec "8"
.SH NAME
.PP
\fBrunc-exec\fP - execute new process inside the container
.SH SYNOPSIS
.PP
\fBrunc exec\fP [\fIoption\fP ...] \fIcontainer-id\fP [--] \fIcommand\fP [\fIarg\fP ...]
.PP
\fBrunc exec\fP [\fIoption\fP ...] \fB-p\fP \fIprocess.json\fP \fIcontainer-id\fP
.SH OPTIONS
.TP
\fB--console-socket\fP \fIpath\fP
Path to an \fBAF_UNIX\fP socket which will receive a file descriptor
referencing the master end of the console's pseudoterminal.
See docs/terminals \[la]https://github.com/opencontainers/runc/blob/master/docs/terminals.md\[ra]\&.
.TP
\fB--cwd\fP \fIpath\fP
Change to \fIpath\fP in the container before executing the command.
.TP
\fB--env\fP|\fB-e\fP \fIname\fP=\fIvalue\fP
Set an environment variable \fIname\fP to \fIvalue\fP\&. Can be specified multiple times.
.TP
\fB--tty\fP|\fB-t\fP
Allocate a pseudo-TTY.
.TP
\fB--user\fP|\fB-u\fP \fIuid\fP[:\fIgid\fP]
Run the \fIcommand\fP as a user (and, optionally, group) specified by \fIuid\fP (and \fIgid\fP).
.TP
\fB--additional-gids\fP|\fB-g\fP \fIgid\fP
Add additional group IDs. Can be specified multiple times.
.TP
\fB--process\fP|\fB-p\fP \fIprocess.json\fP
Instead of specifying all the exec parameters directly on the command line,
get them from a \fIprocess.json\fP, a JSON file containing the process
specification as defined by the
OCI runtime spec \[la]https://github.com/opencontainers/runtime\-spec/blob/master/config.md#process\[ra]\&.
.TP
\fB--detach\fP|\fB-d\fP
Detach from the container's process.
.TP
\fB--pid-file\fP \fIpath\fP
Specify the file to write the container process' PID to.
.TP
\fB--process-label\fP \fIlabel\fP
Set the asm process label for the process commonly used with \fBselinux\fP(7).
.TP
\fB--apparmor\fP \fIprofile\fP
Set the \fBapparmor\fP(7) \fIprofile\fP for the process.
.TP
\fB--no-new-privs\fP
Set the "no new privileges" value for the process.
.TP
\fB--cap\fP \fIcap\fP
Add a capability to the bounding set for the process. Can be specified multiple times.
.TP
\fB--preserve-fds\fP \fIN\fP
Pass \fIN\fP additional file descriptors to the container
(\fBstdio\fP + \fB$LISTEN_FDS\fP + \fIN\fP in total). Default is \fB0\fP\&.
.TP
\fB--ignore-paused\fP
Allow exec in a paused container. By default, if a container is paused,
\fBrunc exec\fP errors out; this option can be used to override it.
A paused container needs to be resumed for the exec to complete.
.TP
\fB--cgroup\fP \fIpath\fP | \fIcontroller\fP[,\fIcontroller\fP\&...]:\fIpath\fP
Execute a process in a sub-cgroup. If the specified cgroup does not exist,
an error is returned. Default is empty path, which means to use container's
top level cgroup.
For cgroup v1 only, a particular \fIcontroller\fP (or multiple comma-separated
controllers) can be specified, and the option can be used multiple times to set
different paths for different controllers.
Note for cgroup v2, in case the process can't join the top level cgroup,
\fBrunc exec\fP fallback is to try joining the cgroup of container's init.
This fallback can be disabled by using \fB--cgroup /\fP\&.
.SH EXIT STATUS
.PP
Exits with a status of \fIcommand\fP (unless \fB-d\fP is used), or \fB255\fP
if an error occurred.
.SH EXAMPLES
.PP
If the container can run the \fBps\fP(1) command, the following will output
a list of processes running in the container:
.EX
# runc exec <container-id> ps
.EE
.SH SEE ALSO
.PP
\fBrunc\fP(8).
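.PP
Added example, not part of the original page or of the runc project: a Python check that audits a process.json before it is passed to runc exec -p, flagging settings that weaken the exec'd process. The field names are those of the OCI runtime spec process object; the capability allowlist, the rules and the sample file are assumptions constructed for illustration.

```python
import json

# Constructed sample of a process.json as passed to `runc exec -p`.
SAMPLE = """
{
  "terminal": false,
  "user": {"uid": 0, "gid": 0, "additionalGids": [0]},
  "args": ["ps"],
  "env": ["PATH=/usr/bin:/bin"],
  "cwd": "/",
  "capabilities": {"bounding": ["CAP_SYS_ADMIN", "CAP_NET_BIND_SERVICE"]},
  "noNewPrivileges": false
}
"""

# Assumed local policy (not defined by runc): capabilities an exec may hold.
ALLOWED_CAPS = {"CAP_NET_BIND_SERVICE", "CAP_KILL"}
CAP_SETS = ("bounding", "effective", "inheritable", "permitted", "ambient")

def audit_process(spec):
    """Return a list of findings for one OCI process object (a dict)."""
    findings = []
    if not spec.get("args"):
        findings.append("args: empty, nothing to execute")
    if not str(spec.get("cwd", "")).startswith("/"):
        findings.append("cwd: must be an absolute path")
    user = spec.get("user", {})
    if user.get("uid", 0) == 0:  # a missing uid is treated as 0
        findings.append("user.uid: runs as uid 0")
    if 0 in [user.get("gid", 0)] + list(user.get("additionalGids", [])):
        findings.append("user: member of gid 0")
    if spec.get("noNewPrivileges") is not True:
        findings.append("noNewPrivileges: not set to true")
    caps = spec.get("capabilities") or {}
    for name in CAP_SETS:
        extra = sorted(set(caps.get(name, [])) - ALLOWED_CAPS)
        if extra:
            findings.append(f"capabilities.{name}: not allowed: {', '.join(extra)}")
    if not spec.get("apparmorProfile") and not spec.get("selinuxLabel"):
        findings.append("no apparmorProfile or selinuxLabel set")
    return findings

def audit_file_text(text):
    """Parse the text of a process.json and audit it."""
    return audit_process(json.loads(text))

if __name__ == "__main__":
    for finding in audit_file_text(SAMPLE):
        print("FINDING", finding)
```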