Fix: Auto-detect unprivileged user and use XDG_RUNTIME_DIR for default root

[sidneychang]

Description

This change mirrors runc’s behavior when running as a non-root user (or as root inside a user namespace). In these cases, the runtime now automatically falls back to using $XDG_RUNTIME_DIR as the default runtime root, instead of requiring callers to explicitly pass --root.

This adjustment resolves a common failure mode when launching urunc via Podman in non-root scenarios, including cases where a non-root user invokes Podman with sudo. Previously, urunc would attempt to create its state directory under /run/urunc, leading to permission errors such as:

Error: time="2026-02-05T08:56:50Z" level=error msg="mkdir /run/urunc/8d8087c99c08b0c915b360d5a5c14fc58dccedd90ec393fb1c97d03977fedccd: permission denied": OCI permission denied

By honoring $XDG_RUNTIME_DIR by default in these environments, urunc now aligns with runc’s behavior and integrates more smoothly with Podman.

Related issues

• Fixes Check integration of urunc with podman #114

How was this tested?

sudo apt install podman

Configure Podman to use urunc

Copy the default configuration and register the urunc runtime:

sudo mkdir -p /etc/containers
sudo cp /usr/share/containers/containers.conf /etc/containers/containers.conf

Edit /etc/containers/containers.conf and add:

[engine.runtimes]
urunc = ["/usr/local/bin/urunc"]

Configure urunc

Create /etc/urunc/config.toml and set the monitor path for hypervisor (e.g. QEMU). See configuration for full options.

which qemu-system-$(uname -m)
# Example output: /usr/bin/qemu-system-x86_64

[monitors.qemu]
default_memory_mb = 256
default_vcpus = 1
path = "/usr/bin/qemu-system-x86_64"
# default_memory_mb, default_vcpus, etc. are optional; see configuration.md

Run the unikernel with Podman

Run the Nginx Unikraft unikernel:

sudo podman run --rm -d --runtime urunc harbor.nbfc.io/nubificus/urunc/nginx-qemu-unikraft-initrd:latest
88aa2508eb9ba7bc9932b5046f90eab8a57f27d99f19def8dd01ea7d98249217

Inspect and verify (replace the container ID with yours):

sudo podman ps
CONTAINER ID  IMAGE                                                             COMMAND               CREATED         STATUS         PORTS       NAMES
88aa2508eb9b  harbor.nbfc.io/nubificus/urunc/nginx-qemu-unikraft-initrd:latest  -c /nginx/conf/ng...  About a minute  Up About a minute              compassionate_swanson

sudo podman inspect 88aa2508eb9ba7bc9932b5046f90eab8a57f27d99f19def8dd01ea7d98249217 | grep IPAddress
            "IPAddress": "10.88.0.2",
                    "IPAddress": "10.88.0.2",

LLM usage

N/A

Checklist

• I have read the contribution guide.
• The linter passes locally (make lint).
• The e2e tests of at least one tool pass locally (make test_ctr, make test_nerdctl, make test_docker, make test_crictl).
• If LLMs were used: I have read the llm policy.

[netlify]

✅ Deploy Preview for urunc ready!

Name	Link
🔨 Latest commit	1a2c637
🔍 Latest deploy log	https://app.netlify.com/projects/urunc/deploys/698962814f06b400086cd003
😎 Deploy Preview	https://deploy-preview-465--urunc.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.