Crate is a small container runtime written in Go, built to explore how containers work internally. It supports both rootless (without sudo) and rootful (with sudo) execution, with rootless mode being the main focus.
Install using (Go 1.20+ recommended):

    go install github.com/aayushkdev/crate/cmd/crate@latest

(ensure GOBIN is in path)

Verify installation:

    crate --help

Pulls an image from a registry and stores it in the local image store.

    crate pull alpine

Crate resolves the tag on each pull and skips blob work when the resolved manifest digest is already present locally.
Lists local images from the manifest-backed metadata store.

    crate images

Creates a container from an image and prints the container ID.

    crate create alpine

Starts an existing container by ID.

    crate start <CONTAINER_ID> [COMMAND] [ARG...]

Add -d / --detach to start it in the background.
Examples:

    crate start c144672a8e04
    crate start c144672a8e04 ls -l /
    crate start -d c144672a8e04

If no command is provided, the image’s default CMD is used.
In attached mode, Crate allocates a real PTY so interactive shells and terminal programs behave normally.
run is a convenience command that creates a new container and immediately starts it.

    crate run alpine
    crate run alpine /bin/sh -c "echo hello world"
    crate run -d alpine

Stops one or more running containers by ID.

    crate stop <CONTAINER_ID>

Removes one or more stopped containers.

    crate rm <CONTAINER_ID>

Running containers must be stopped first.
Lists running containers by default.

    crate ps

Show all containers:

    crate ps -a

Prints a container’s captured stdout/stderr.

    crate logs <CONTAINER_ID>

Follow output:

    crate logs -f <CONTAINER_ID>

Removes one or more local image tags.

    crate rmi alpine:latest

If removing a tag leaves a manifest untagged, Crate deletes that manifest metadata and prunes any config or layer blobs that are no longer referenced by another local image.
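
The pruning rule described above, sketched as an added example that is not Crate's own code. The `Store` type, `RemoveTag`, and the short digest labels are hypothetical, and each manifest's config and layer digests are flattened into one list.

```go
package main

import "fmt"

// Store is a hypothetical model of a manifest-backed image store.
type Store struct {
	Tags      map[string]string   // "repo:tag" -> manifest digest (mutable)
	Manifests map[string][]string // manifest digest -> config + layer blob digests
	Blobs     map[string]bool     // blob digests present locally
}

// RemoveTag deletes one tag and returns the blob digests pruned as a result.
func (s *Store) RemoveTag(tag string) ([]string, error) {
	digest, ok := s.Tags[tag]
	if !ok {
		return nil, fmt.Errorf("no such tag: %s", tag)
	}
	delete(s.Tags, tag)
	for _, d := range s.Tags {
		if d == digest {
			return nil, nil // manifest is still tagged: keep everything
		}
	}
	gone := s.Manifests[digest]
	delete(s.Manifests, digest)
	live := map[string]bool{} // blobs referenced by the remaining manifests
	for _, refs := range s.Manifests {
		for _, b := range refs {
			live[b] = true
		}
	}
	var pruned []string
	for _, b := range gone {
		if !live[b] && s.Blobs[b] {
			delete(s.Blobs, b) // a real store would unlink the blob file here
			pruned = append(pruned, b)
		}
	}
	return pruned, nil
}

func main() { // constructed sample: two images sharing the "base" layer
	s := &Store{
		Tags:      map[string]string{"alpine:latest": "m1", "alpine:3.19": "m1", "app:dev": "m2"},
		Manifests: map[string][]string{"m1": {"cfg1", "base"}, "m2": {"cfg2", "base", "app"}},
		Blobs:     map[string]bool{"cfg1": true, "cfg2": true, "base": true, "app": true},
	}
	pruned, err := s.RemoveTag("app:dev")
	fmt.Println(pruned, err, len(s.Blobs))
}
```

The shared `base` layer survives removal of `app:dev` because the manifest behind the two alpine tags still references it.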
- PID namespace
- UTS namespace (hostname)
- Mount namespace
- User namespace (rootless mode)
- Root filesystem setup using pivot_root (or chroot in rootless mode)
- /proc mounted inside the container
- /dev mounted as tmpfs with minimal devices (null, zero, random, urandom, full, shm, pts, ptmx)
- /run mounted as tmpfs
- /sys mounted read-only in rootful mode
- Image name parsing (repo:tag)
- Pulling images from registries (docker only for now)
- OCI/Docker manifest resolution
- Manifest-based local image metadata with mutable local tags
- Local blob store (layers and config)
- Local image listing and removal
- Blob pruning when untagged manifests become unreferenced
- PID 1 replaced with the container process using execve
- Proper PATH-based command resolution (no shell)
- CMD, Entrypoint and environment variables used from image config
- PTY-backed attached mode for interactive shells and terminal programs
- Container lifecycle commands: start, stop, ps, logs, rm, and detached mode
- Networking
- Cgroups / resource limits
- Volume mounts
- More configuration options
- Security hardening
- Full OCI spec compliance