invalid value "all:rootfs" for flag -overlay2: unexpected medium specifier for --overlay2: "rootfs" Usage: image Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information export-metrics export metric data for the sandbox read-control read a cgroups control value inside the container state shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. write-control write a cgroups control value inside the container Subcommands for helpers: install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files metric-server implements Prometheus metrics HTTP endpoint umount umount the specified directory when one byte is read from synd-fd Use "image flags" for a list of top-level flags