From f4dd1c112277c0f66cb490ba905a5c5f10267fcb Mon Sep 17 00:00:00 2001 From: Shishir Mahajan Date: Wed, 31 Mar 2021 20:10:46 +0000 Subject: [PATCH] Add support for --runtime. Signed-off-by: Shishir Mahajan --- README.md | 13 +++++++++++-- containerd/containerd.go | 2 +- containerd/driver.go | 4 +++- containerd/utils.go | 31 +++++++++++++++++++++++++++++++ example/agent.hcl | 1 - 5 files changed, 46 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 11a6c04..1bb3bf8 100644 --- a/README.md +++ b/README.md @@ -79,18 +79,26 @@ More detailed instructions are in the [`example README.md`](https://github.com/R To interact with `images` and `containers` directly, you can use [`nerdctl`](https://github.com/containerd/nerdctl) which is a docker compatible CLI for `containerd`. `nerdctl` is already installed in the vagrant VM at `/usr/local/bin`. -## Supported options +## Supported Options **Driver Config** | Option | Type | Required | Default | Description | | :---: | :---: | :---: | :---: | :--- | | **enabled** | bool | no | true | Enable/Disable task driver. | -| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. | +| **containerd_runtime** | string | no | `io.containerd.runc.v2` | Runtime for containerd. | | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. | | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. | | **auth** | block | no | N/A | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. | +## Supported Runtimes + +Valid options for `containerd_runtime` (**Driver Config**). + +- `io.containerd.runc.v1`: `runc` runtime that supports a single container. +- `io.containerd.runc.v2` (Default): `runc` runtime that supports multiple containers per shim. +- `io.containerd.runsc.v1`: `gVisor` is an OCI compliant container runtime which provides better security than `runc`. They achieve this by implementing a user space kernel written in go, which implements a substantial portion of the Linux system call interface. For more details, please check their [`official documentation`](https://gvisor.dev/docs/) + **Task Config** | Option | Type | Required | Description | @@ -111,6 +119,7 @@ To interact with `images` and `containers` directly, you can use [`nerdctl`](htt | **shm_size** | string | no | Size of /dev/shm e.g. "128M" if you want 128 MB of /dev/shm. | | **sysctl** | map[string]string | no | A key-value map of sysctl configurations to set to the containers on start. | | **readonly_rootfs** | bool | no | Container root filesystem will be read-only. | +| **runtime** | string | no | A string representing a configured runtime to pass to containerd. This is equivalent to the `--runtime` argument in the docker CLI. | | **host_network** | bool | no | Enable host network. This is equivalent to `--net=host` in docker. | | **extra_hosts** | []string | no | A list of hosts, given as host:IP, to be added to /etc/hosts. | | **cap_add** | []string | no | Add individual capabilities. | diff --git a/containerd/containerd.go b/containerd/containerd.go index 8ee3878..3425d52 100644 --- a/containerd/containerd.go +++ b/containerd/containerd.go @@ -327,7 +327,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC return d.client.NewContainer( ctxWithTimeout, containerConfig.ContainerName, - containerd.WithRuntime(d.config.ContainerdRuntime, nil), + buildRuntime(d.config.ContainerdRuntime, config.Runtime), containerd.WithNewSnapshot(containerConfig.ContainerSnapshotName, containerConfig.Image), containerd.WithNewSpec(opts...), ) diff --git a/containerd/driver.go b/containerd/driver.go index a82e12d..4017477 100644 --- a/containerd/driver.go +++ b/containerd/driver.go @@ -78,7 +78,7 @@ var ( hclspec.NewAttr("enabled", "bool", false), hclspec.NewLiteral("true"), ), - "containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true), + "containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", false), "stats_interval": hclspec.NewAttr("stats_interval", "string", false), "allow_privileged": hclspec.NewDefault( hclspec.NewAttr("allow_privileged", "bool", false), @@ -121,6 +121,7 @@ var ( "shm_size": hclspec.NewAttr("shm_size", "string", false), "sysctl": hclspec.NewAttr("sysctl", "list(map(string))", false), "readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false), + "runtime": hclspec.NewAttr("runtime", "string", false), "host_network": hclspec.NewAttr("host_network", "bool", false), "auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{ "username": hclspec.NewAttr("username", "string", true), @@ -194,6 +195,7 @@ type TaskConfig struct { ImagePullTimeout string `codec:"image_pull_timeout"` ExtraHosts []string `codec:"extra_hosts"` Entrypoint []string `codec:"entrypoint"` + Runtime string `codec:"runtime"` ReadOnlyRootfs bool `codec:"readonly_rootfs"` HostNetwork bool `codec:"host_network"` Auth RegistryAuth `codec:"auth"` diff --git a/containerd/utils.go b/containerd/utils.go index 5b6f329..090ded0 100644 --- a/containerd/utils.go +++ b/containerd/utils.go @@ -20,10 +20,14 @@ package containerd import ( "context" "os" + "strings" "syscall" + "github.com/containerd/containerd" "github.com/containerd/containerd/containers" "github.com/containerd/containerd/oci" + "github.com/containerd/containerd/plugin" + runcoptions "github.com/containerd/containerd/runtime/v2/runc/options" specs "github.com/opencontainers/runtime-spec/specs-go" ) @@ -99,3 +103,30 @@ func WithMemoryLimits(soft, hard int64) oci.SpecOpts { return nil } } + +// buildRuntime sets the container runtime e.g. runc or runsc (gVisor). +func buildRuntime(pluginRuntime, jobRuntime string) containerd.NewContainerOpts { + var ( + runcOpts runcoptions.Options + runtimeOpts interface{} = &runcOpts + ) + + // plugin.RuntimeRuncV2 = io.containerd.runc.v2 + runtime := plugin.RuntimeRuncV2 + + if jobRuntime != "" { + if strings.HasPrefix(jobRuntime, "io.containerd.runc.") { + runtime = jobRuntime + } else { + runcOpts.BinaryName = jobRuntime + } + } else if pluginRuntime != "" { + if strings.HasPrefix(pluginRuntime, "io.containerd.runc.") { + runtime = pluginRuntime + } else { + runcOpts.BinaryName = pluginRuntime + } + } + + return containerd.WithRuntime(runtime, runtimeOpts) +} diff --git a/example/agent.hcl b/example/agent.hcl index 4b579b2..88421c6 100644 --- a/example/agent.hcl +++ b/example/agent.hcl @@ -4,7 +4,6 @@ data_dir = "/tmp/nomad" plugin "containerd-driver" { config { enabled = true - containerd_runtime = "io.containerd.runc.v2" stats_interval = "5s" } }