From 93c10b8c1067d250cf4082f719271dedee33fb8c Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Fri, 18 Oct 2024 11:55:40 +1300
Subject: [PATCH 1/3] chore: make iipod run as privileged for use with docker

---
 deployment.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/deployment.tf b/deployment.tf
index 9e1d1eb..a21bc9b 100644
--- a/deployment.tf
+++ b/deployment.tf
@@ -94,7 +94,9 @@ resource "kubernetes_deployment" "iipod" {
 image = data.coder_parameter.container-image.value
 command = ["sh", "-c", coder_agent.iipod.init_script]
 security_context {
- run_as_user = "1001"
+ run_as_user = "1001"
+ privileged = true
+ allow_privilege_escalation = true
 }
 resources {
 requests = {

From bee24d91ec6b1748022700fb54b47196c1ce3e86 Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Fri, 18 Oct 2024 11:56:41 +1300
Subject: [PATCH 2/3] chore: add mounts for docker

make docker+kind work
---
 deployment.tf | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/deployment.tf b/deployment.tf
index a21bc9b..6c6ee02 100644
--- a/deployment.tf
+++ b/deployment.tf
@@ -89,6 +89,37 @@ resource "kubernetes_deployment" "iipod" {
 run_as_user = "1001"
 fs_group = "1001"
 }
+ volume {
+ name = "modules"
+ host_path {
+ path = "/lib/modules"
+ type = "Directory"
+ }
+ }
+ volume {
+ name = "cgroup"
+ host_path {
+ path = "/sys/fs/cgroup"
+ type = "Directory"
+ }
+ }
+ volume {
+ name = "var-run"
+ empty_dir {
+ }
+ }
+ volume {
+ name = "var-lib-docker"
+ empty_dir {
+ }
+ }
+ dns_policy = "None"
+ dns_config {
+ nameservers = [
+ "1.0.0.1",
+ "1.1.1.1"
+ ]
+ }
 container {
 name = "iipod"
 image = data.coder_parameter.container-image.value
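Review bot: `privileged = true` gives the iipod container every capability and access to host devices, so the `run_as_user = "1001"` kept on the line above no longer confines it; the same setting is added to the dind sidecar in patch 3/3 of this series, so this point applies there too. Kubernetes rejects a privileged container whose `allow_privilege_escalation` is false, so the explicit `allow_privilege_escalation = true` is redundant and should either be dropped or carry a comment saying it is set for clarity. Since this deployment is created per workspace, a comment stating why the workspace container itself needs privileged mode rather than only the dind sidecar added later would help reviewers, e.g. `# privileged: needed for docker/kind inside the workspace; this removes the confinement run_as_user would otherwise provide`. The `security_context` block is complete in the hunk but the enclosing `container` block continues outside it.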
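Review bot: The `host_path` volumes for `/lib/modules` and `/sys/fs/cgroup` expose node filesystem trees to a per-workspace pod, and the cgroup one is mounted without `read_only` in the following hunk, so the workspace can modify the node's cgroup hierarchy; neither volume explains why a host path is required instead of a pod-local directory. A comment above the first `volume` block such as `# host module and cgroup trees are required by docker/kind; they share node state with the workspace` would make the trade-off visible to the next reader. `dns_policy = "None"` with only `1.0.0.1`/`1.1.1.1` removes cluster DNS for the pod, so if the Coder agent's access URL or anything else the init script reaches is a cluster-internal name, resolution will presumably fail; consider `dns_policy = "ClusterFirst"` with these resolvers kept in `dns_config`, or a comment stating why cluster DNS is intentionally bypassed. The enclosing pod `spec` block starts and ends outside the hunk.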
@@ -110,6 +141,23 @@ resource "kubernetes_deployment" "iipod" {
 "memory" = "${var.container_resource_memory}Gi"
 }
 }
+ volume_mount {
+ mount_path = "/lib/modules"
+ name = "modules"
+ read_only = true
+ }
+ volume_mount {
+ mount_path = "/sys/fs/cgroup"
+ name = "cgroup"
+ }
+ volume_mount {
+ mount_path = "/var/run"
+ name = "var-run"
+ }
+ volume_mount {
+ mount_path = "/var/lib/docker"
+ name = "var-lib-docker"
+ }
 env {
 name = "CODER_AGENT_TOKEN"
 value = coder_agent.iipod.token

From 04dc0856eeaf8cabb0d860dad8f5d24f2720de12 Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Fri, 18 Oct 2024 11:57:13 +1300
Subject: [PATCH 3/3] feat: kata and dind

attempt to use kata runtime and use dind
---
 deployment.tf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/deployment.tf b/deployment.tf
index 6c6ee02..6112826 100644
--- a/deployment.tf
+++ b/deployment.tf
@@ -120,6 +120,7 @@ resource "kubernetes_deployment" "iipod" {
 "1.1.1.1"
 ]
 }
+ runtime_class_name = "kata"
 container {
 name = "iipod"
 image = data.coder_parameter.container-image.value
@@ -167,6 +168,33 @@ resource "kubernetes_deployment" "iipod" {
 value = local.spacename
 }
 }
+ container {
+ name = "dind"
+ image = "docker:20.10-dind-rootless"
+ security_context {
+ run_as_user = "1001"
+ privileged = true
+ }
+ resources {
+ limits = {
+ "cpu" = var.container_resource_cpu
+ "memory" = "${var.container_resource_memory}Gi"
+ }
+ }
+ volume_mount {
+ mount_path = "/lib/modules"
+ name = "modules"
+ read_only = true
+ }
+ volume_mount {
+ mount_path = "/var/run"
+ name = "var-run"
+ }
+ volume_mount {
+ mount_path = "/var/lib/docker"
+ name = "var-lib-docker"
+ }
+ }
 }
 }
 }
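Review bot: The `cgroup` `volume_mount` lacks the `read_only = true` that the `modules` mount has, so the container gets write access to the node's `/sys/fs/cgroup` (declared as a `host_path` volume in the previous hunk). If docker/kind genuinely needs to write there, say so on the mount, e.g. `# writable on purpose: docker creates cgroups for its containers here`; otherwise add `read_only = true` to match the modules mount. `/var/run` and `/var/lib/docker` are backed by `empty_dir` volumes, so a one-line comment noting that docker state and the daemon socket live only as long as the pod would save the next reader a lookup. The enclosing `container` block continues on both sides of the hunk.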
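Review bot: `runtime_class_name = "kata"` is hard-coded with no comment and no way to disable it, so on a cluster without a `kata` RuntimeClass the pod will not run; a variable or Coder parameter with a documented default (`runtime_class_name = var.runtime_class_name` together with the matching `variable` block) would keep the template usable elsewhere. Under Kata the containers run inside a guest VM with its own kernel, so the `/lib/modules` host_path introduced in patch 2/3 would presumably expose the node kernel's modules rather than the guest's — verify that docker inside the VM still finds what it needs and record the result in a comment next to this line. The commit message describes this as an attempt, so the comment should also state which of Kata and the privileged dind sidecar is meant to be the isolation boundary.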
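Review bot: The `dind` container uses the rootless image `docker:20.10-dind-rootless` but also sets `privileged = true`, which removes the confinement the rootless variant exists to provide, and `run_as_user = "1001"` may not match the unprivileged user that image expects — confirm against the image and document the chosen model in a comment on `security_context`. The tag is mutable and tracks an old release line, so pin the image by digest (`docker:20.10-dind-rootless@sha256:<digest placeholder>` until the real value is recorded) to keep the daemon that handles workspace containers reproducible. The sidecar mounts `modules`, `var-run` and `var-lib-docker` but not the `cgroup` volume the iipod container gets, and it repeats the full `var.container_resource_cpu`/memory limits with no `requests`, so the pod's effective limits and requests double; both deserve a comment or an adjustment. Only the closing braces of the pod spec follow the hunk.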