containerd_runtime: Use default.

Roblox · Mar 31, 2021 · d05f0fa · d05f0fa
1 parent 2959f6b
commit d05f0fa
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -84,10 +84,19 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | Option | Type | Required | Default | Description |
 | :---: | :---: | :---: | :---: | :--- |
 | **enabled** | bool | no | true | Enable/Disable task driver. |
-| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
+| **containerd_runtime** | string | no | `io.containerd.runc.v2` | Runtime for containerd. |
 | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
 | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
 
+## Supported Runtimes
+
+Valid options for `containerd_runtime` (Driver Config).
+
+- `io.containerd.runc.v1`: runc runtime that supports a single container.
+- `io.containerd.runc.v2` (Default): runc runtime that supports multiple containers per shim.
+- `io.containerd.runsc.v1`: `gVisor` is an OCI compliant container runtime which provides better security than `runc`. They achieve this by implementing a user space kernel written in go, which implements a substantial portion of the Linux system call interface. For more details, please check their [`official documentation`](https://gvisor.dev/docs/)
+- `sysbox-runc`: `sysbox-runc` is another container runtime that runs a system container which will have system services like systemd (init system), docker, kubernetes already running inside that system container. This will allow you to have a container that is more akin to a VM, and you can launch other containers inside that system container. This also provides better security than `runc` as they run their system container in a user namespace and use shiftfs filesystem to shift UIDs/GIDs. For more details, please check their [`official documentation`](https://www.nestybox.com)
+
 **Task Config**
 
 | Option | Type | Required | Description |

diff --git a/example/agent.hcl b/example/agent.hcl
@@ -3,7 +3,6 @@ log_level = "INFO"
 plugin "containerd-driver" {
   config {
     enabled = true
-    containerd_runtime = "io.containerd.runc.v2"
     stats_interval = "5s"
   }
 }

diff --git a/tests/009-test-allow-privileged.sh b/tests/009-test-allow-privileged.sh
@@ -9,7 +9,7 @@ test_allow_privileged() {
 
     cp agent.hcl agent.hcl.bkp
 
-    sed -i '8 i \    allow_privileged = false' agent.hcl
+    sed -i '7 i \    allow_privileged = false' agent.hcl
     sudo systemctl restart nomad
     is_systemd_service_active "nomad.service" true