

Add support for --runtime.
Signed-off-by: Shishir Mahajan <smahajan@roblox.com>
shishir-a412ed committed Jun 28, 2021
1 parent 6f20bcf commit 6db85a4
Showing 6 changed files with 47 additions and 6 deletions.
13 changes: 11 additions & 2 deletions README.md
Expand Up @@ -77,17 +77,25 @@ will launch the job.<br/>

More detailed instructions are in the [`example README.md`](https://github.com/Roblox/nomad-driver-containerd/tree/master/example)

## Supported options
## Supported Options

**Driver Config**

| Option | Type | Required | Default | Description |
| :---: | :---: | :---: | :---: | :--- |
| **enabled** | bool | no | true | Enable/Disable task driver. |
| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
| **containerd_runtime** | string | no | `io.containerd.runc.v2` | Runtime for containerd. |
| **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
| **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |

## Supported Runtimes

Valid options for `containerd_runtime` (**Driver Config**).

- `io.containerd.runc.v1`: `runc` runtime that supports a single container.
- `io.containerd.runc.v2` (Default): `runc` runtime that supports multiple containers per shim.
- `io.containerd.runsc.v1`: `gVisor` is an OCI compliant container runtime which provides better security than `runc`. They achieve this by implementing a user space kernel written in go, which implements a substantial portion of the Linux system call interface. For more details, please check their [`official documentation`](https://gvisor.dev/docs/)

**Task Config**

| Option | Type | Required | Description |
Expand All @@ -106,6 +114,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
| **seccomp_profile** | string | no | Path to custom seccomp profile. `seccomp` must be set to `true` in order to use `seccomp_profile`. The default `docker` seccomp profile found [`here`](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) can be used as a reference, and modified to create a custom seccomp profile. |
| **sysctl** | map[string]string | no | A key-value map of sysctl configurations to set to the containers on start. |
| **readonly_rootfs** | bool | no | Container root filesystem will be read-only. |
| **runtime** | string | no | A string representing a configured runtime to pass to containerd. This is equivalent to the `--runtime` argument in the docker CLI. |
| **host_network** | bool | no | Enable host network. This is equivalent to `--net=host` in docker. |
| **extra_hosts** | []string | no | A list of hosts, given as host:IP, to be added to /etc/hosts. |
| **cap_add** | []string | no | Add individual capabilities. |
2 changes: 1 addition & 1 deletion containerd/containerd.go
Expand Up @@ -300,7 +300,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
return d.client.NewContainer(
ctxWithTimeout,
containerConfig.ContainerName,
containerd.WithRuntime(d.config.ContainerdRuntime, nil),
buildRuntime(d.config.ContainerdRuntime, config.Runtime),
containerd.WithNewSnapshot(containerConfig.ContainerSnapshotName, containerConfig.Image),
containerd.WithNewSpec(opts...),
)
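Review bot: The task-level `config.Runtime` handed to `buildRuntime` here overrides the operator's `containerd_runtime` with no policy check, and any value that is not an `io.containerd.runc.*` name is forwarded as the runc `BinaryName` (see `buildRuntime` in utils.go), which as I read the runc shim options is a host path the shim executes on the node. A job author who is denied `privileged` by `allow_privileged` can therefore still point containerd at an arbitrary binary on the host. Gate it the way `allow_privileged` gates privilege, at minimum before the `NewContainer` call: `if config.Runtime != "" && !strings.HasPrefix(config.Runtime, "io.containerd.") { return nil, fmt.Errorf("task runtime %q is not permitted", config.Runtime) }`, or better an operator-configured allow-list in the driver config. `createContainer` begins outside the hunk, so `strings` and `fmt` may need importing in containerd.go.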
4 changes: 3 additions & 1 deletion containerd/driver.go
Expand Up @@ -78,7 +78,7 @@ var (
hclspec.NewAttr("enabled", "bool", false),
hclspec.NewLiteral("true"),
),
"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true),
"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", false),
"stats_interval": hclspec.NewAttr("stats_interval", "string", false),
"allow_privileged": hclspec.NewDefault(
hclspec.NewAttr("allow_privileged", "bool", false),
Expand Down Expand Up @@ -115,6 +115,7 @@ var (
"seccomp_profile": hclspec.NewAttr("seccomp_profile", "string", false),
"sysctl": hclspec.NewAttr("sysctl", "list(map(string))", false),
"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
"runtime": hclspec.NewAttr("runtime", "string", false),
"host_network": hclspec.NewAttr("host_network", "bool", false),
"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
"username": hclspec.NewAttr("username", "string", false),
Expand Down Expand Up @@ -185,6 +186,7 @@ type TaskConfig struct {
ImagePullTimeout string `codec:"image_pull_timeout"`
ExtraHosts []string `codec:"extra_hosts"`
Entrypoint []string `codec:"entrypoint"`
Runtime string `codec:"runtime"`
ReadOnlyRootfs bool `codec:"readonly_rootfs"`
HostNetwork bool `codec:"host_network"`
Auth RegistryAuth `codec:"auth"`
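Review bot: `containerd_runtime` at the `hclspec.NewAttr("containerd_runtime", "string", false)` line is now optional but carries no default in the spec, unlike `enabled` and `allow_privileged`, which wrap their attr in `hclspec.NewDefault`; the README advertises `io.containerd.runc.v2` as the default, yet that value only materialises inside `buildRuntime`. Declaring it in the spec keeps the default visible to Nomad's config handling and to anyone reading this file: `"containerd_runtime": hclspec.NewDefault(hclspec.NewAttr("containerd_runtime", "string", false), hclspec.NewLiteral("\"io.containerd.runc.v2\"")),`. The new `Runtime` field in `TaskConfig` would also benefit from a comment such as `// Runtime, when set, takes precedence over the driver-level containerd_runtime.`; the `TaskConfig` struct continues outside the hunk.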
31 changes: 31 additions & 0 deletions containerd/utils.go
Expand Up @@ -20,10 +20,14 @@ package containerd
import (
"context"
"os"
"strings"
"syscall"

"github.com/containerd/containerd"
"github.com/containerd/containerd/containers"
"github.com/containerd/containerd/oci"
"github.com/containerd/containerd/plugin"
runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
specs "github.com/opencontainers/runtime-spec/specs-go"
)

Expand Down Expand Up @@ -85,3 +89,30 @@ func WithMemoryLimits(soft, hard int64) oci.SpecOpts {
return nil
}
}

// buildRuntime sets the container runtime e.g. runc or runsc (gVisor).
func buildRuntime(pluginRuntime, jobRuntime string) containerd.NewContainerOpts {
var (
runcOpts runcoptions.Options
runtimeOpts interface{} = &runcOpts
)

// plugin.RuntimeRuncV2 = io.containerd.runc.v2
runtime := plugin.RuntimeRuncV2

if jobRuntime != "" {
if strings.HasPrefix(jobRuntime, "io.containerd.runc.") {
runtime = jobRuntime
} else {
runcOpts.BinaryName = jobRuntime
}
} else if pluginRuntime != "" {
if strings.HasPrefix(pluginRuntime, "io.containerd.runc.") {
runtime = pluginRuntime
} else {
runcOpts.BinaryName = pluginRuntime
}
}

return containerd.WithRuntime(runtime, runtimeOpts)
}
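Review bot: The prefix test `strings.HasPrefix(jobRuntime, "io.containerd.runc.")` (and its twin for `pluginRuntime`) does not match `io.containerd.runsc.v1`, which the README in this same commit lists as a valid `containerd_runtime`; that value falls into the `else` branch and becomes `runcOpts.BinaryName` while `runtime` stays `plugin.RuntimeRuncV2`, so the documented gVisor setting would not select the runsc shim. Widening both tests to `strings.HasPrefix(..., "io.containerd.")` fixes the documented case, assuming the runsc shim accepts the runc options proto — worth verifying. The `else` branches also turn any other string into a runc binary path with no validation, which matters because the task-level value is job-author controlled. The two branches are identical apart from the variable: resolving `selected := jobRuntime`, falling back to `pluginRuntime` when empty, and classifying once would halve the function, and a doc comment stating that the task value wins over the plugin value would help callers.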
1 change: 0 additions & 1 deletion example/agent.hcl
Expand Up @@ -3,7 +3,6 @@ log_level = "INFO"
plugin "containerd-driver" {
config {
enabled = true
containerd_runtime = "io.containerd.runc.v2"
stats_interval = "5s"
}
}
2 changes: 1 addition & 1 deletion tests/010-test-allow-privileged.sh
Expand Up @@ -9,7 +9,7 @@ test_allow_privileged() {

cp agent.hcl agent.hcl.bkp

sed -i '8 i \ allow_privileged = false' agent.hcl
sed -i '7 i \ allow_privileged = false' agent.hcl
sudo systemctl restart nomad
is_systemd_service_active "nomad.service" true


