Add support for --runtime.

shishir-a412ed · shishir-a412ed · commit 6db85a480a55 · 2021-06-28T10:57:50.000-07:00
Signed-off-by: Shishir Mahajan &lt;smahajan@roblox.com&gt;
diff --git a/README.md b/README.md
@@ -77,17 +77,25 @@ will launch the job.<br/>
 
 More detailed instructions are in the [`example README.md`](https://github.com/Roblox/nomad-driver-containerd/tree/master/example)
 
-## Supported options
+## Supported Options
 
 **Driver Config**
 
 | Option | Type | Required | Default | Description |
 | :---: | :---: | :---: | :---: | :--- |
 | **enabled** | bool | no | true | Enable/Disable task driver. |
-| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
+| **containerd_runtime** | string | no | `io.containerd.runc.v2` | Runtime for containerd. |
 | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
 | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
 
+## Supported Runtimes
+
+Valid options for `containerd_runtime` (**Driver Config**).
+
+- `io.containerd.runc.v1`: `runc` runtime that supports a single container.
+- `io.containerd.runc.v2` (Default): `runc` runtime that supports multiple containers per shim.
+- `io.containerd.runsc.v1`: `gVisor` is an OCI compliant container runtime which provides better security than `runc`. They achieve this by implementing a user space kernel written in go, which implements a substantial portion of the Linux system call interface. For more details, please check their [`official documentation`](https://gvisor.dev/docs/)
+
 **Task Config**
 
 | Option | Type | Required | Description |
@@ -106,6 +114,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **seccomp_profile** | string | no | Path to custom seccomp profile. `seccomp` must be set to `true` in order to use `seccomp_profile`. The default `docker` seccomp profile found [`here`](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) can be used as a reference, and modified to create a custom seccomp profile. |
 | **sysctl** | map[string]string | no | A key-value map of sysctl configurations to set to the containers on start. |
 | **readonly_rootfs** | bool | no | Container root filesystem will be read-only. |
+| **runtime** | string | no | A string representing a configured runtime to pass to containerd. This is equivalent to the `--runtime` argument in the docker CLI. |
 | **host_network** | bool | no | Enable host network. This is equivalent to `--net=host` in docker. |
 | **extra_hosts** | []string | no | A list of hosts, given as host:IP, to be added to /etc/hosts. |
 | **cap_add** | []string | no | Add individual capabilities. |
diff --git a/containerd/containerd.go b/containerd/containerd.go
@@ -300,7 +300,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 	return d.client.NewContainer(
 		ctxWithTimeout,
 		containerConfig.ContainerName,
-		containerd.WithRuntime(d.config.ContainerdRuntime, nil),
+		buildRuntime(d.config.ContainerdRuntime, config.Runtime),
 		containerd.WithNewSnapshot(containerConfig.ContainerSnapshotName, containerConfig.Image),
 		containerd.WithNewSpec(opts...),
 	)
diff --git a/containerd/driver.go b/containerd/driver.go
@@ -78,7 +78,7 @@ var (
 			hclspec.NewAttr("enabled", "bool", false),
 			hclspec.NewLiteral("true"),
 		),
-		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true),
+		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", false),
 		"stats_interval":     hclspec.NewAttr("stats_interval", "string", false),
 		"allow_privileged": hclspec.NewDefault(
 			hclspec.NewAttr("allow_privileged", "bool", false),
@@ -115,6 +115,7 @@ var (
 		"seccomp_profile": hclspec.NewAttr("seccomp_profile", "string", false),
 		"sysctl":          hclspec.NewAttr("sysctl", "list(map(string))", false),
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
+		"runtime":         hclspec.NewAttr("runtime", "string", false),
 		"host_network":    hclspec.NewAttr("host_network", "bool", false),
 		"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
 			"username": hclspec.NewAttr("username", "string", false),
@@ -185,6 +186,7 @@ type TaskConfig struct {
 	ImagePullTimeout string             `codec:"image_pull_timeout"`
 	ExtraHosts       []string           `codec:"extra_hosts"`
 	Entrypoint       []string           `codec:"entrypoint"`
+	Runtime          string             `codec:"runtime"`
 	ReadOnlyRootfs   bool               `codec:"readonly_rootfs"`
 	HostNetwork      bool               `codec:"host_network"`
 	Auth             RegistryAuth       `codec:"auth"`
diff --git a/containerd/utils.go b/containerd/utils.go
@@ -20,10 +20,14 @@ package containerd
 import (
 	"context"
 	"os"
+	"strings"
 	"syscall"
 
+	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
+	"github.com/containerd/containerd/plugin"
+	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -85,3 +89,30 @@ func WithMemoryLimits(soft, hard int64) oci.SpecOpts {
 		return nil
 	}
 }
+
+// buildRuntime sets the container runtime e.g. runc or runsc (gVisor).
+func buildRuntime(pluginRuntime, jobRuntime string) containerd.NewContainerOpts {
+	var (
+		runcOpts    runcoptions.Options
+		runtimeOpts interface{} = &runcOpts
+	)
+
+	// plugin.RuntimeRuncV2 = io.containerd.runc.v2
+	runtime := plugin.RuntimeRuncV2
+
+	if jobRuntime != "" {
+		if strings.HasPrefix(jobRuntime, "io.containerd.runc.") {
+			runtime = jobRuntime
+		} else {
+			runcOpts.BinaryName = jobRuntime
+		}
+	} else if pluginRuntime != "" {
+		if strings.HasPrefix(pluginRuntime, "io.containerd.runc.") {
+			runtime = pluginRuntime
+		} else {
+			runcOpts.BinaryName = pluginRuntime
+		}
+	}
+
+	return containerd.WithRuntime(runtime, runtimeOpts)
+}
diff --git a/example/agent.hcl b/example/agent.hcl
@@ -3,7 +3,6 @@ log_level = "INFO"
 plugin "containerd-driver" {
   config {
     enabled = true
-    containerd_runtime = "io.containerd.runc.v2"
     stats_interval = "5s"
   }
 }
diff --git a/tests/010-test-allow-privileged.sh b/tests/010-test-allow-privileged.sh
@@ -9,7 +9,7 @@ test_allow_privileged() {
 
     cp agent.hcl agent.hcl.bkp
 
-    sed -i '8 i \    allow_privileged = false' agent.hcl
+    sed -i '7 i \    allow_privileged = false' agent.hcl
     sudo systemctl restart nomad
     is_systemd_service_active "nomad.service" true
 

Original file line number	Diff line number	Diff line change
`@@ -300,7 +300,7 @@ func (d Driver) createContainer(containerConfig ContainerConfig, config *TaskC`
`300`	`300`	`return d.client.NewContainer(`
`301`	`301`	`ctxWithTimeout,`
`302`	`302`	`containerConfig.ContainerName,`
`303`		`- containerd.WithRuntime(d.config.ContainerdRuntime, nil),`
	`303`	`+ buildRuntime(d.config.ContainerdRuntime, config.Runtime),`
`304`	`304`	`containerd.WithNewSnapshot(containerConfig.ContainerSnapshotName, containerConfig.Image),`
`305`	`305`	`containerd.WithNewSpec(opts...),`
`306`	`306`	`)`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,6 @@ log_level = "INFO"`
`3`	`3`	`plugin "containerd-driver" {`
`4`	`4`	`config {`
`5`	`5`	`enabled = true`
`6`		`- containerd_runtime = "io.containerd.runc.v2"`
`7`	`6`	`stats_interval = "5s"`
`8`	`7`	`}`
`9`	`8`	`}`