Add support for --runtime.

Signed-off-by: Shishir Mahajan <smahajan@roblox.com>

README.md

@@ -87,18 +87,26 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 
 To interact with `images` and `containers` directly, you can use [`nerdctl`](https://github.com/containerd/nerdctl) which is a docker compatible CLI for `containerd`. `nerdctl` is already installed in the vagrant VM at `/usr/local/bin`.
 
-## Supported options
+## Supported Options
 
 **Driver Config**
 
 | Option | Type | Required | Default | Description |
 | :---: | :---: | :---: | :---: | :--- |
 | **enabled** | bool | no | true | Enable/Disable task driver. |
-| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
+| **containerd_runtime** | string | no | `io.containerd.runc.v2` | Runtime for containerd. |
 | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
 | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
 | **auth** | block | no | N/A | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. |
 
+## Supported Runtimes
+
+Valid options for `containerd_runtime` (**Driver Config**).
+
+- `io.containerd.runc.v1`: `runc` runtime that supports a single container.
+- `io.containerd.runc.v2` (Default): `runc` runtime that supports multiple containers per shim.
+- `io.containerd.runsc.v1`: `gVisor` is an OCI compliant container runtime which provides better security than `runc`. They achieve this by implementing a user space kernel written in go, which implements a substantial portion of the Linux system call interface. For more details, please check their [`official documentation`](https://gvisor.dev/docs/)
+
 **Task Config**
 
 | Option | Type | Required | Description |
@@ -119,6 +127,7 @@ To interact with `images` and `containers` directly, you can use [`nerdctl`](htt
 | **shm_size** | string | no | Size of /dev/shm e.g. "128M" if you want 128 MB of /dev/shm. |
 | **sysctl** | map[string]string | no | A key-value map of sysctl configurations to set to the containers on start. |
 | **readonly_rootfs** | bool | no | Container root filesystem will be read-only. |
+| **runtime** | string | no | A string representing a configured runtime to pass to containerd. This is equivalent to the `--runtime` argument in the docker CLI. |
 | **host_network** | bool | no | Enable host network. This is equivalent to `--net=host` in docker. |
 | **extra_hosts** | []string | no | A list of hosts, given as host:IP, to be added to /etc/hosts. |
 | **cap_add** | []string | no | Add individual capabilities. |

containerd/containerd.go

@@ -351,7 +351,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 	return d.client.NewContainer(
 		ctxWithTimeout,
 		containerConfig.ContainerName,
-		containerd.WithRuntime(d.config.ContainerdRuntime, nil),
+		buildRuntime(d.config.ContainerdRuntime, config.Runtime),
 		containerd.WithNewSnapshot(containerConfig.ContainerSnapshotName, containerConfig.Image),
 		containerd.WithNewSpec(opts...),
 	)

containerd/driver.go

@@ -79,7 +79,7 @@ var (
 			hclspec.NewAttr("enabled", "bool", false),
 			hclspec.NewLiteral("true"),
 		),
-		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true),
+		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", false),
 		"stats_interval":     hclspec.NewAttr("stats_interval", "string", false),
 		"allow_privileged": hclspec.NewDefault(
 			hclspec.NewAttr("allow_privileged", "bool", false),
@@ -124,6 +124,7 @@ var (
 		"shm_size":        hclspec.NewAttr("shm_size", "string", false),
 		"sysctl":          hclspec.NewAttr("sysctl", "list(map(string))", false),
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
+		"runtime":         hclspec.NewAttr("runtime", "string", false),
 		"host_network":    hclspec.NewAttr("host_network", "bool", false),
 		"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
 			"username": hclspec.NewAttr("username", "string", true),
@@ -199,6 +200,7 @@ type TaskConfig struct {
 	ImagePullTimeout string             `codec:"image_pull_timeout"`
 	ExtraHosts       []string           `codec:"extra_hosts"`
 	Entrypoint       []string           `codec:"entrypoint"`
+	Runtime          string             `codec:"runtime"`
 	ReadOnlyRootfs   bool               `codec:"readonly_rootfs"`
 	HostNetwork      bool               `codec:"host_network"`
 	Auth             RegistryAuth       `codec:"auth"`

containerd/utils.go

@@ -20,10 +20,14 @@ package containerd
 import (
 	"context"
 	"os"
+	"strings"
 	"syscall"
 
+	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
+	"github.com/containerd/containerd/plugin"
+	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -99,3 +103,30 @@ func WithMemoryLimits(soft, hard int64) oci.SpecOpts {
 		return nil
 	}
 }
+
+// buildRuntime sets the container runtime e.g. runc or runsc (gVisor).
+func buildRuntime(pluginRuntime, jobRuntime string) containerd.NewContainerOpts {
+	var (
+		runcOpts    runcoptions.Options
+		runtimeOpts interface{} = &runcOpts
+	)
+
+	// plugin.RuntimeRuncV2 = io.containerd.runc.v2
+	runtime := plugin.RuntimeRuncV2
+
+	if jobRuntime != "" {
+		if strings.HasPrefix(jobRuntime, "io.containerd.runc.") {
+			runtime = jobRuntime
+		} else {
+			runcOpts.BinaryName = jobRuntime
+		}
+	} else if pluginRuntime != "" {
+		if strings.HasPrefix(pluginRuntime, "io.containerd.runc.") {
+			runtime = pluginRuntime
+		} else {
+			runcOpts.BinaryName = pluginRuntime
+		}
+	}
+
+	return containerd.WithRuntime(runtime, runtimeOpts)
+}

example/agent.hcl

@@ -4,7 +4,6 @@ data_dir = "/tmp/nomad"
 plugin "containerd-driver" {
   config {
     enabled = true
-    containerd_runtime = "io.containerd.runc.v2"
     stats_interval = "5s"
   }
 }