diff --git a/README.md b/README.md
index cf73793..2c0aeaa 100644
--- a/README.md
+++ b/README.md
@@ -77,17 +77,25 @@ will launch the job.
 More detailed instructions are in the [`example README.md`](https://github.com/Roblox/nomad-driver-containerd/tree/master/example)
-## Supported options
+## Supported Options
 **Driver Config**
 | Option | Type | Required | Default | Description |
 | :---: | :---: | :---: | :---: | :--- |
 | **enabled** | bool | no | true | Enable/Disable task driver. |
-| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
+| **containerd_runtime** | string | no | `io.containerd.runc.v2` | Runtime for containerd. |
 | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
 | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
+## Supported Runtimes
+
+Valid options for `containerd_runtime` (**Driver Config**).
+
+- `io.containerd.runc.v1`: `runc` runtime that supports a single container.
+- `io.containerd.runc.v2` (Default): `runc` runtime that supports multiple containers per shim.
+- `io.containerd.runsc.v1`: `gVisor` is an OCI compliant container runtime which provides better security than `runc`. They achieve this by implementing a user space kernel written in go, which implements a substantial portion of the Linux system call interface. For more details, please check their [`official documentation`](https://gvisor.dev/docs/)
+
 **Task Config**
 | Option | Type | Required | Description |
@@ -106,6 +114,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **seccomp_profile** | string | no | Path to custom seccomp profile. `seccomp` must be set to `true` in order to use `seccomp_profile`. The default `docker` seccomp profile found [`here`](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) can be used as a reference, and modified to create a custom seccomp profile. |
 | **sysctl** | map[string]string | no | A key-value map of sysctl configurations to set to the containers on start. |
 | **readonly_rootfs** | bool | no | Container root filesystem will be read-only. |
+| **runtime** | string | no | A string representing a configured runtime to pass to containerd. This is equivalent to the `--runtime` argument in the docker CLI. |
 | **host_network** | bool | no | Enable host network. This is equivalent to `--net=host` in docker. |
 | **extra_hosts** | []string | no | A list of hosts, given as host:IP, to be added to /etc/hosts. |
 | **cap_add** | []string | no | Add individual capabilities. |
diff --git a/containerd/containerd.go b/containerd/containerd.go
index 50c1cdd..33c7daa 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -300,7 +300,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 	return d.client.NewContainer(
 		ctxWithTimeout,
 		containerConfig.ContainerName,
-		containerd.WithRuntime(d.config.ContainerdRuntime, nil),
+		buildRuntime(d.config.ContainerdRuntime, config.Runtime),
 		containerd.WithNewSnapshot(containerConfig.ContainerSnapshotName, containerConfig.Image),
 		containerd.WithNewSpec(opts...),
 	)
diff --git a/containerd/driver.go b/containerd/driver.go
index 6ecd340..a62490d 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
@@ -78,7 +78,7 @@ var (
 			hclspec.NewAttr("enabled", "bool", false),
 			hclspec.NewLiteral("true"),
 		),
-		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true),
+		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", false),
 		"stats_interval": hclspec.NewAttr("stats_interval", "string", false),
 		"allow_privileged": hclspec.NewDefault(
 			hclspec.NewAttr("allow_privileged", "bool", false),
@@ -115,6 +115,7 @@ var (
 		"seccomp_profile": hclspec.NewAttr("seccomp_profile", "string", false),
 		"sysctl": hclspec.NewAttr("sysctl", "list(map(string))", false),
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
+		"runtime": hclspec.NewAttr("runtime", "string", false),
 		"host_network": hclspec.NewAttr("host_network", "bool", false),
 		"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
 			"username": hclspec.NewAttr("username", "string", false),
@@ -185,6 +186,7 @@ type TaskConfig struct {
 	ImagePullTimeout string `codec:"image_pull_timeout"`
 	ExtraHosts []string `codec:"extra_hosts"`
 	Entrypoint []string `codec:"entrypoint"`
+	Runtime string `codec:"runtime"`
 	ReadOnlyRootfs bool `codec:"readonly_rootfs"`
 	HostNetwork bool `codec:"host_network"`
 	Auth RegistryAuth `codec:"auth"`
diff --git a/containerd/utils.go b/containerd/utils.go
index fdbab31..73909ef 100644
--- a/containerd/utils.go
+++ b/containerd/utils.go
@@ -20,10 +20,14 @@ package containerd
 import (
 	"context"
 	"os"
+	"strings"
 	"syscall"
 
+	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
+	"github.com/containerd/containerd/plugin"
+	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
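Review bot: Making `containerd_runtime` optional leaves its default nowhere in the driver config spec, unlike the sibling `enabled` and `allow_privileged` attributes in the same `var` block that declare theirs with `hclspec.NewDefault`; the `io.containerd.runc.v2` default the README now advertises is instead implied by whatever consumes the empty string. Declaring it here keeps the spec self-describing and makes the effective value visible to operators inspecting the plugin config: `"containerd_runtime": hclspec.NewDefault(hclspec.NewAttr("containerd_runtime", "string", false), hclspec.NewLiteral(`"io.containerd.runc.v2"`)),`. The enclosing `var (` block starts before and ends after this hunk.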
@@ -85,3 +89,30 @@ func WithMemoryLimits(soft, hard int64) oci.SpecOpts {
 		return nil
 	}
 }
+
+// buildRuntime sets the container runtime e.g. runc or runsc (gVisor).
+func buildRuntime(pluginRuntime, jobRuntime string) containerd.NewContainerOpts {
+	var (
+		runcOpts runcoptions.Options
+		runtimeOpts interface{} = &runcOpts
+	)
+
+	// plugin.RuntimeRuncV2 = io.containerd.runc.v2
+	runtime := plugin.RuntimeRuncV2
+
+	if jobRuntime != "" {
+		if strings.HasPrefix(jobRuntime, "io.containerd.runc.") {
+			runtime = jobRuntime
+		} else {
+			runcOpts.BinaryName = jobRuntime
+		}
+	} else if pluginRuntime != "" {
+		if strings.HasPrefix(pluginRuntime, "io.containerd.runc.") {
+			runtime = pluginRuntime
+		} else {
+			runcOpts.BinaryName = pluginRuntime
+		}
+	}
+
+	return containerd.WithRuntime(runtime, runtimeOpts)
+}
diff --git a/example/agent.hcl b/example/agent.hcl
index eefd6a4..abe5808 100644
--- a/example/agent.hcl
+++ b/example/agent.hcl
@@ -3,7 +3,6 @@ log_level = "INFO"
 plugin "containerd-driver" {
   config {
     enabled = true
-    containerd_runtime = "io.containerd.runc.v2"
     stats_interval = "5s"
   }
 }
diff --git a/tests/010-test-allow-privileged.sh b/tests/010-test-allow-privileged.sh
index 87769c1..9bb0ce0 100755
--- a/tests/010-test-allow-privileged.sh
+++ b/tests/010-test-allow-privileged.sh
@@ -9,7 +9,7 @@ test_allow_privileged() {
     cp agent.hcl agent.hcl.bkp
-    sed -i '8 i \ allow_privileged = false' agent.hcl
+    sed -i '7 i \ allow_privileged = false' agent.hcl
     sudo systemctl restart nomad
     is_systemd_service_active "nomad.service" true
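Review bot: `buildRuntime` copies any job-supplied `runtime` that does not start with `io.containerd.runc.` straight into `runcOpts.BinaryName`, so a job author can name an arbitrary host path for the shim to exec as the OCI runtime, and the job value unconditionally overrides the operator's `containerd_runtime` with no allowlist or `allow_privileged`-style gate anywhere in this change. The prefix test also contradicts the README hunk in the same commit, which lists `io.containerd.runsc.v1` as a valid `containerd_runtime`: that string fails the `runc.` check and is presumably handed to the default `runc.v2` shim as a binary name rather than selecting the gVisor shim. I would match on `io.containerd.` (any shim name), fold the two duplicated branches into one, and separately add a driver-config list of permitted runtime names that the job value must appear in, rejecting the task rather than silently remapping it. Whether the runc v2 `options.Options` payload is accepted by `runc.v1` or other shims is not visible here and worth confirming.
```go
// buildRuntime sets the container runtime e.g. runc or runsc (gVisor).
// A job-level runtime takes precedence over the plugin-level one.
func buildRuntime(pluginRuntime, jobRuntime string) containerd.NewContainerOpts {
	var runcOpts runcoptions.Options

	name := jobRuntime
	if name == "" {
		name = pluginRuntime
	}

	runtime := plugin.RuntimeRuncV2
	switch {
	case name == "":
		// keep the default shim
	case strings.HasPrefix(name, "io.containerd."):
		// Any shim name (runc.v1, runc.v2, runsc.v1, ...), not only runc.*.
		runtime = name
	default:
		// Anything else is the runtime binary the runc shim should exec.
		// TODO(review): validate against an operator-configured allowlist first.
		runcOpts.BinaryName = name
	}

	return containerd.WithRuntime(runtime, &runcOpts)
}
```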