Getting concourse to run using nestybox/sysbox runc

[concourse-sysbox]

I have a use case where we do not want concourse to run privileged containers, but at the same time we need to use Docker-in-Docker. While apparently contradictory, there are a couple of ways to try to untie the two constraints.

I am investigating using https://github.com/nestybox/sysbox with our concourse deployment. Sysbox provides an OCI compliant runc that should work with containerd, docker, guardian, or other container managers.

I am having trouble configuring concourse to utilize sysbox-runc. I have tried the following two approaches:

1. I have replaced the "runc" binary with the sysbox-runc binary.
2. Giving containerd, via concourse worker, a "toml" configuration file that points it at sysbox.

I want to give a detailed explanation about how each has failed, however it may not be pertitent to the discussion. I have found debugging and pinpointing the causes somewhat hard due to the number of abstractions between the golang binaries, the container manageers, the shims, and ultimately the runc.

Is there a supported way for concourse to run with e.g. containerd, and to have containerd run a specific runc, such as sysbox runc? I am happy to use guardian so long as I can configure guardian to use sysbox-runc.

Again the ultimate goal is to create non-privileged containers that are able to run Docker-in-docker workloads securely.