From d05f0fa9b8295d63a128e506896c62885d546565 Mon Sep 17 00:00:00 2001
From: Shishir Mahajan
Date: Wed, 31 Mar 2021 13:52:25 -0700
Subject: [PATCH] containerd_runtime: Use default.

---
 README.md | 11 ++++++++++-
 example/agent.hcl | 1 -
 tests/009-test-allow-privileged.sh | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 486660b..d4ca9d8 100644
--- a/README.md
+++ b/README.md
@@ -84,10 +84,19 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | Option | Type | Required | Default | Description |
 | :---: | :---: | :---: | :---: | :--- |
 | **enabled** | bool | no | true | Enable/Disable task driver. |
-| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
+| **containerd_runtime** | string | no | `io.containerd.runc.v2` | Runtime for containerd. |
 | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
 | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
 
+## Supported Runtimes
+
+Valid options for `containerd_runtime` (Driver Config).
+
+- `io.containerd.runc.v1`: runc runtime that supports a single container.
+- `io.containerd.runc.v2` (Default): runc runtime that supports multiple containers per shim.
+- `io.containerd.runsc.v1`: `gVisor` is an OCI compliant container runtime which provides better security than `runc`. They achieve this by implementing a user space kernel written in go, which implements a substantial portion of the Linux system call interface. For more details, please check their [`official documentation`](https://gvisor.dev/docs/)
+- `sysbox-runc`: `sysbox-runc` is another container runtime that runs a system container which will have system services like systemd (init system), docker, kubernetes already running inside that system container. This will allow you to have a container that is more akin to a VM, and you can launch other containers inside that system container. This also provides better security than `runc` as they run their system container in a user namespace and use shiftfs filesystem to shift UIDs/GIDs. For more details, please check their [`official documentation`](https://www.nestybox.com)
+
 **Task Config**
 
 | Option | Type | Required | Description |
diff --git a/example/agent.hcl b/example/agent.hcl
index 02fa770..756345a 100644
--- a/example/agent.hcl
+++ b/example/agent.hcl
@@ -3,7 +3,6 @@ log_level = "INFO"
 plugin "containerd-driver" {
   config {
     enabled = true
-    containerd_runtime = "io.containerd.runc.v2"
     stats_interval = "5s"
   }
 }
diff --git a/tests/009-test-allow-privileged.sh b/tests/009-test-allow-privileged.sh
index 87769c1..9bb0ce0 100755
--- a/tests/009-test-allow-privileged.sh
+++ b/tests/009-test-allow-privileged.sh
@@ -9,7 +9,7 @@ test_allow_privileged() {
    cp agent.hcl agent.hcl.bkp
-   sed -i '8 i \ allow_privileged = false' agent.hcl
+   sed -i '7 i \ allow_privileged = false' agent.hcl
    sudo systemctl restart nomad
    is_systemd_service_active "nomad.service" true
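Review bot: The new `sed -i '7 i \ allow_privileged = false' agent.hcl` line still hard-codes a line number into example/agent.hcl, and this commit is itself the evidence of the fragility: removing one line from the example forced the bump from 8 to 7. Any later edit to the example file will silently shift the insertion point, and if the line lands outside the `config {}` block the restart may still succeed while the option is ignored, so the test would no longer prove that the driver denies privileged jobs. Anchoring on content instead of position avoids that, e.g. `sed -i '/enabled = true/a \ allow_privileged = false' agent.hcl`. It would also be worth asserting after the restart that the option was actually inserted inside the block (for example by grepping agent.hcl) before running the privileged job, so a mis-placed insert fails loudly. The test_allow_privileged function continues outside the hunk, so I cannot see whether such a check already exists later in the body.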