Runit System Port for k3s server

[e-dong]

It looks like k3s officially supports systemd or openrc as the init system. I use Artix (Arch without systemd) with the runit system.

I wanted to share my port to make a runit service.

/etc/runit/sv/k3s/run

!/bin/sh
# Based on the systemd and openrc version of this service

# limit on max num of open file descriptors to avoid performance issues
# https://github.com/k3s-io/k3s/commit/b4335630b78b5cf927e79724067803a6c0d7c04f
ulimit -c unlimited -n 1048576 -u unlimited

# Redirect output
exec 2>&1; set -e

/sbin/modprobe br_netfilter
/sbin/modprobe overlay

exec k3s server

/etc/runit/sv/k3s/log/run

#!/bin/sh
exec 2>&1; set -e

[ -d /var/log/k3s ] || install -dm 755 /var/log/k3s
svlogd -tt /var/log/k3s

To enable on startup, ln -s /etc/runit/sv/k3s /run/runit/service/k3s

Use sv status k3s / sv start k3s / sv stop k3s

[brandond]

Are you aware of any other distros that use runit as their init system? I've never seen it used outside containers.

[e-dong]

I can think of Void Linux, antix, and devuan right now.

[mschirrmeister]

I am in the same situation where I would love to see support for runit in the k3s install script. That would avoid manual work.
My services k3s and its dedicated log service look like this.

root@nanopir76s ~# cat /etc/sv/k3s/run
#!/bin/sh
# Ensure the entire mount tree is shared for Cilium/K3s
mount --make-rshared /
mountpoint -q /sys/fs/bpf || mount -t bpf bpf /sys/fs/bpf
/sbin/modprobe br_netfilter
/sbin/modprobe overlay

# LimitNOFILE
ulimit -n 1048576
# LimitNPROC
ulimit -u unlimited
# LimitCORE
ulimit -c unlimited

# Load environment variables
[ -r ./conf ] && . ./conf

exec 2>&1
exec /usr/local/bin/k3s server \
	'--disable' \
	'servicelb' \
	'--disable' \
	'traefik' \
	'--node-taint' \
	'node.cilium.io/agent-not-ready=true:NoSchedule' \
	'--kube-apiserver-arg' \
	'default-not-ready-toleration-seconds=30' \
	'--kube-apiserver-arg' \
	'default-unreachable-toleration-seconds=30' \
	'--kube-controller-arg' \
	'node-monitor-period=20s' \
	'--kube-controller-arg' \
	'node-monitor-grace-period=20s' \
	'--kubelet-arg' \
	'node-status-update-frequency=5s' \
	'--kubelet-arg' \
	'resolv-conf=' \
	'--flannel-backend=none' \
	'--disable-network-policy' \
	'--disable-kube-proxy' \
	'--cluster-cidr=fd0:cafe:52::/56,10.52.0.0/16' \
	'--service-cidr=fd0:cafe:53::/112,10.53.0.0/16' \
	'--node-external-ip=fd92:aca1:6bc9:4a84:2700:a144:f913:c39a,192.168.2.124' \
	'--kubelet-arg=node-ip=fd92:aca1:6bc9:4a84:2700:a144:f913:c39a,192.168.2.124' \
	'--node-ip=fd92:aca1:6bc9:4a84:2700:a144:f913:c39a,192.168.2.124' \

root@nanopir76s ~# cat /etc/sv/k3s/log/run
#!/bin/sh
mkdir -p /var/log/k3s
exec svlogd -tt /var/log/k3s

I have created a patch for the get.k3s.io install script. The files above, are actually created via the modified script.

diff -Naur a/get.k3s.io b/get.k3s.io
--- a/get.k3s.io        2026-01-07 20:56:29.233031104 +0100
+++ b/get.k3s.io        2026-01-07 21:07:22.210639159 +0100
@@ -125,6 +125,10 @@
         HAS_SYSTEMD=true
         return
     fi
+    if [ -x /usr/bin/runit ] || [ -d /etc/runit ]; then
+        HAS_RUNIT=true
+        return
+    fi
     fatal 'Can not find systemd or openrc to use as a process supervisor for k3s'
 }

@@ -268,6 +272,13 @@
         INSTALL_K3S_SKIP_DOWNLOAD=true
     fi

+if [ "${HAS_RUNIT}" = true ]; then
+    # Runit stores its definitions here
+    RUNIT_SV_DIR="/etc/sv/${SYSTEM_NAME}"
+    FILE_K3S_SERVICE="${RUNIT_SV_DIR}/run"
+    FILE_K3S_LOG_SERVICE="${RUNIT_SV_DIR}/log/run"
+    FILE_K3S_ENV="${RUNIT_SV_DIR}/conf" # We'll use a conf file for env vars
+fi
     # --- setup channel values
     INSTALL_K3S_CHANNEL_URL=${INSTALL_K3S_CHANNEL_URL:-'https://update.k3s.io/v1-release/channels'}
     INSTALL_K3S_CHANNEL=${INSTALL_K3S_CHANNEL:-'stable'}
@@ -794,6 +805,17 @@
     [ -x $service ] && $service stop
 done

+for service in /etc/sv/k3s; do
+    if [ -d "$service" ]; then
+        # Tell the supervisor to kill the processes
+        sv stop "$service"
+        sv stop "$service/log"
+
+        # Now that it's quiet, remove the link so it stays gone
+        rm -f "/var/service/$(basename $service)"
+    fi
+done
+
 pschildren() {
     ps -e -o ppid= -o pid= | \
     sed -e 's/^\s*//g; s/\s\s*/\t/g;' | \
@@ -1058,10 +1080,49 @@
 EOF
 }

+# --- write runit service file ---
+create_runit_service_file() {
+    info "runit: Creating service directory ${RUNIT_SV_DIR}"
+    $SUDO mkdir -p "${RUNIT_SV_DIR}/log"
+
+    info "runit: Creating service file ${FILE_K3S_SERVICE}"
+    $SUDO tee ${FILE_K3S_SERVICE} >/dev/null << EOF
+#!/bin/sh
+# Ensure the entire mount tree is shared for Cilium/K3s
+mount --make-rshared /
+mountpoint -q /sys/fs/bpf || mount -t bpf bpf /sys/fs/bpf
+/sbin/modprobe br_netfilter
+/sbin/modprobe overlay
+
+# LimitNOFILE
+ulimit -n 1048576
+# LimitNPROC
+ulimit -u unlimited
+# LimitCORE
+ulimit -c unlimited
+
+# Load environment variables
+[ -r ./conf ] && . ./conf
+
+exec 2>&1
+exec ${BIN_DIR}/k3s ${CMD_K3S_EXEC}
+EOF
+    $SUDO chmod 0755 ${FILE_K3S_SERVICE}
+
+    info "runit: Creating logger file ${FILE_K3S_LOG_SERVICE}"
+    $SUDO tee ${FILE_K3S_LOG_SERVICE} >/dev/null << EOF
+#!/bin/sh
+mkdir -p /var/log/${SYSTEM_NAME}
+exec svlogd -tt /var/log/${SYSTEM_NAME}
+EOF
+    $SUDO chmod 0755 ${FILE_K3S_LOG_SERVICE}
+}
+
 # --- write systemd or openrc service file ---
 create_service_file() {
     [ "${HAS_SYSTEMD}" = true ] && create_systemd_service_file && restore_systemd_service_file_context
     [ "${HAS_OPENRC}" = true ] && create_openrc_service_file
+    [ "${HAS_RUNIT}" = true ] && create_runit_service_file
     return 0
 }

@@ -1098,6 +1159,19 @@
     $SUDO ${FILE_K3S_SERVICE} restart
 }

+runit_enable() {
+    info "runit: Enabling ${SYSTEM_NAME} via /var/service"
+    $SUDO ln -sf ${RUNIT_SV_DIR} /var/service/
+}
+
+runit_start() {
+    info "runit: Starting ${SYSTEM_NAME}"
+    # Wait a moment to the the "runsv supervisor" settle
+    sleep 2
+    # We don't need to start the service, since the link creation in enable takes care of that
+    $SUDO sv status ${SYSTEM_NAME}
+}
+
 has_working_xtables() {
     if $SUDO sh -c "command -v \"$1-save\"" 1> /dev/null && $SUDO sh -c "command -v \"$1-restore\"" 1> /dev/null; then
         if $SUDO $1-save 2>/dev/null | grep -q '^-A CNI-HOSTPORT-MASQ -j MASQUERADE$'; then
@@ -1121,6 +1195,7 @@

     [ "${HAS_SYSTEMD}" = true ] && systemd_enable
     [ "${HAS_OPENRC}" = true ] && openrc_enable
+    [ "${HAS_RUNIT}" = true ] && runit_enable

     [ "${INSTALL_K3S_SKIP_START}" = true ] && return

@@ -1138,6 +1213,7 @@

     [ "${HAS_SYSTEMD}" = true ] && systemd_start
     [ "${HAS_OPENRC}" = true ] && openrc_start
+    [ "${HAS_RUNIT}" = true ] && runit_start
     return 0
 }

For testing I host the full script locally on a webserver and have get.k3s.io point to that local ip.
I called the installer like this.

curl -sfL http://get.k3s.io | INSTALL_K3S_VERSION=v1.35.0+k3s1 INSTALL_K3S_EXEC="server" sh -s - --disable servicelb --disable traefik --node-taint node.cilium.io/agent-not-ready=true:NoSchedule --kube-apiserver-arg default-not-ready-toleration-seconds=30 --kube-apiserver-arg default-unreachable-toleration-seconds=30 --kube-controller-arg node-monitor-period=20s --kube-controller-arg node-monitor-grace-period=20s --kubelet-arg node-status-update-frequency=5s --kubelet-arg resolv-conf= --flannel-backend=none --disable-network-policy --disable-kube-proxy --cluster-cidr=fd0:cafe:52::/56,10.52.0.0/16 --service-cidr=fd0:cafe:53::/112,10.53.0.0/16 --node-external-ip=fd92:aca1:6bc9:4a84:2700:a144:f913:c39a,192.168.2.124 --kubelet-arg=node-ip="fd92:aca1:6bc9:4a84:2700:a144:f913:c39a,192.168.2.124" --node-ip=fd92:aca1:6bc9:4a84:2700:a144:f913:c39a,192.168.2.124

If that patch looks ok and if you are willing to support runit, I am happy to create a PR.

[e-dong]

This looks great, thanks for sharing! Definitely more complete than my simple example.

[mschirrmeister]

After more testing I have created an updated version. I has some small changes, since the dash shell does not support ulimit -u.

Patch

root@k3scp1 ~# cat k3s.v2.patch

diff -Naur a/get.k3s.io b/get.k3s.io
--- a/get.k3s.io	2026-02-19 18:51:28.463845017 +0100
+++ b/get.k3s.io	2026-02-19 22:37:39.614584528 +0100
@@ -124,6 +124,10 @@
         HAS_SYSTEMD=true
         return
     fi
+    if [ -x /usr/bin/runit ] || [ -d /etc/runit ]; then
+        HAS_RUNIT=true
+        return
+    fi
     fatal 'Can not find systemd or openrc to use as a process supervisor for k3s'
 }

@@ -257,6 +261,13 @@
         $SUDO mkdir -p /etc/rancher/k3s
         FILE_K3S_SERVICE=/etc/init.d/${SYSTEM_NAME}
         FILE_K3S_ENV=/etc/rancher/k3s/${SYSTEM_NAME}.env
+    elif [ "${HAS_RUNIT}" = true ]; then
+        # Runit stores its definitions here
+        RUNIT_SV_DIR="/etc/sv/${SYSTEM_NAME}"
+        $SUDO mkdir -p $RUNIT_SV_DIR
+        FILE_K3S_SERVICE="${RUNIT_SV_DIR}/run"
+        FILE_K3S_LOG_SERVICE="${RUNIT_SV_DIR}/log/run"
+        FILE_K3S_ENV="${RUNIT_SV_DIR}/conf" # We'll use a conf file for env vars
     fi

     # --- get hash of config & exec for currently installed k3s ---
@@ -814,6 +825,17 @@
     [ -x $service ] && $service stop
 done

+for service in /etc/sv/k3s; do
+    if [ -d "$service" ]; then
+        # Tell the supervisor to kill the processes
+        sv stop "$service"
+        sv stop "$service/log"
+
+        # Now that it's quiet, remove the link so it stays gone
+        rm -f "/var/service/$(basename $service)"
+    fi
+done
+
 pschildren() {
     ps -e -o ppid= -o pid= | \
     sed -e 's/^\s*//g; s/\s\s*/\t/g;' | \
@@ -958,6 +980,8 @@
 rm -rf /var/lib/kubelet
 rm -f ${BIN_DIR}/k3s
 rm -f ${KILLALL_K3S_SH}
+sleep 3
+rm -rf /etc/sv/k3s

 if type yum >/dev/null 2>&1; then
     yum remove -y k3s-selinux
@@ -1078,10 +1102,53 @@
 EOF
 }

+# --- write runit service file ---
+create_runit_service_file() {
+    info "runit: Creating service directory ${RUNIT_SV_DIR}"
+    $SUDO mkdir -p "${RUNIT_SV_DIR}/log"
+
+    info "runit: Creating service file ${FILE_K3S_SERVICE}"
+    $SUDO tee ${FILE_K3S_SERVICE} >/dev/null << EOF
+#!/bin/sh
+# Ensure the entire mount tree is shared for Cilium/K3s
+mount --make-rshared /
+mountpoint -q /sys/fs/bpf || mount -t bpf bpf /sys/fs/bpf
+/sbin/modprobe br_netfilter
+/sbin/modprobe overlay
+
+# LimitNOFILE
+ulimit -n 1048576
+# LimitNPROC
+#ulimit -u unlimited
+# LimitCORE
+ulimit -c unlimited
+
+# For the processes (NPROC), since dash is a hater,
+# we use the 'prlimit' command. It's part of util-linux.
+# It can set the HARD and SOFT limits directly on a process.
+
+# Load environment variables
+[ -r ./conf ] && . ./conf
+
+exec 2>&1
+exec prlimit --nproc=unlimited ${BIN_DIR}/k3s ${CMD_K3S_EXEC}
+EOF
+    $SUDO chmod 0755 ${FILE_K3S_SERVICE}
+
+    info "runit: Creating logger file ${FILE_K3S_LOG_SERVICE}"
+    $SUDO tee ${FILE_K3S_LOG_SERVICE} >/dev/null << EOF
+#!/bin/sh
+mkdir -p /var/log/${SYSTEM_NAME}
+exec svlogd -tt /var/log/${SYSTEM_NAME}
+EOF
+    $SUDO chmod 0755 ${FILE_K3S_LOG_SERVICE}
+}
+
 # --- write systemd or openrc service file ---
 create_service_file() {
     [ "${HAS_SYSTEMD}" = true ] && create_systemd_service_file && restore_systemd_service_file_context
     [ "${HAS_OPENRC}" = true ] && create_openrc_service_file
+    [ "${HAS_RUNIT}" = true ] && create_runit_service_file
     return 0
 }

@@ -1118,6 +1185,19 @@
     $SUDO ${FILE_K3S_SERVICE} restart
 }

+runit_enable() {
+    info "runit: Enabling ${SYSTEM_NAME} via /var/service"
+    $SUDO ln -sf ${RUNIT_SV_DIR} /var/service/
+}
+
+runit_start() {
+    info "runit: Starting ${SYSTEM_NAME}"
+    # Wait a moment to the the "runsv supervisor" settle
+    sleep 5
+    # We don't need to start the service, since the link creation in enable takes care of that
+    $SUDO sv status ${SYSTEM_NAME}
+}
+
 has_working_xtables() {
     if $SUDO sh -c "command -v \"$1-save\"" 1> /dev/null && $SUDO sh -c "command -v \"$1-restore\"" 1> /dev/null; then
         if $SUDO $1-save 2>/dev/null | grep -q '^-A CNI-HOSTPORT-MASQ -j MASQUERADE$'; then
@@ -1141,6 +1221,7 @@

     [ "${HAS_SYSTEMD}" = true ] && systemd_enable
     [ "${HAS_OPENRC}" = true ] && openrc_enable
+    [ "${HAS_RUNIT}" = true ] && runit_enable

     [ "${INSTALL_K3S_SKIP_START}" = true ] && return

@@ -1158,6 +1239,7 @@

     [ "${HAS_SYSTEMD}" = true ] && systemd_start
     [ "${HAS_OPENRC}" = true ] && openrc_start
+    [ "${HAS_RUNIT}" = true ] && runit_start
     return 0
 }

Here is an example with live patching.

root@k3scp1 ~# curl -sfL https://get.k3s.io | patch -f -s -o - -i k3s.v2.patch | env INSTALL_K3S_VERSION=v1.35.0+k3s1 INSTALL_K3S_EXEC=server sh -s - --disable servicelb --disable traefik --node-taint node.cilium.io/agent-not-ready=true:NoSchedule --kube-apiserver-arg default-not-ready-toleration-seconds=30 --kube-apiserver-arg default-unreachable-toleration-seconds=30 --kube-controller-arg node-monitor-period=20s --kube-controller-arg node-monitor-grace-period=20s --kubelet-arg node-status-update-frequency=5s --kubelet-arg resolv-conf= --flannel-backend=none --disable-network-policy --disable-kube-proxy --cluster-cidr=fd0:cafe:52::/56,10.52.0.0/16 --service-cidr=fd0:cafe:53::/112,10.53.0.0/16 --node-external-ip=2a02:174:318:6140::11,10.0.0.11 --kubelet-arg=node-ip="2a02:174:318:6140::11,10.0.0.11" --node-ip=2a02:174:318:6140::11,10.0.0.11
[INFO]  Using v1.35.0+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.35.0+k3s1/sha256sum-arm64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.35.0+k3s1/k3s-arm64
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/sv/k3s/conf
[INFO]  runit: Creating service directory /etc/sv/k3s
[INFO]  runit: Creating service file /etc/sv/k3s/run
[INFO]  runit: Creating logger file /etc/sv/k3s/log/run
[INFO]  runit: Enabling k3s via /var/service
[INFO]  runit: Starting k3s
run: k3s: (pid 1096) 2s; run: log: (pid 1095) 2s

root@k3scp1 ~# cat /proc/(pgrep -f "k3s server")/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        unlimited            unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             unlimited            unlimited            processes
Max open files            1000000              1000000              files
Max locked memory         8388608              8388608              bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       14775                14775                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

root@k3scp1 ~# kubectl get node -o wide
NAME                   STATUS     ROLES           AGE   VERSION        INTERNAL-IP             EXTERNAL-IP             OS-IMAGE     KERNEL-VERSION   CONTAINER-RUNTIME
k3scp1.test.lab   NotReady   control-plane   39s   v1.35.0+k3s1   2a02:174:318:6140::11   2a02:174:318:6140::11   Void Linux   6.18.12-msc_1    containerd://2.1.5-k3s1

Will a pull request be accepted to support runit? Or is this nothing thats planned?