I have a use case where we do not want concourse to run privileged containers, but at the same time we need to use Docker-in-Docker. While apparently contradictory, there are a couple of ways to try to untie the two constraints.
I am investigating using https://github.com/nestybox/sysbox with our concourse deployment. Sysbox provides an OCI compliant runc that should work with containerd, docker, guardian, or other container managers.
I am having trouble configuring concourse to utilize sysbox-runc. I have tried the following two approaches:
1. I have replaced the "runc" binary with the sysbox-runc binary.
2. Giving containerd, via concourse worker, a "toml" configuration file that points it at sysbox.
I want to give a detailed explanation about how each has failed; however, it may not be pertinent to the discussion. I have found debugging and pinpointing the causes somewhat hard due to the number of abstractions between the golang binaries, the container managers, the shims, and ultimately the runc.
Is there a supported way for concourse to run with e.g. containerd, and to have containerd run a specific runc, such as sysbox runc? I am happy to use guardian so long as I can configure guardian to use sysbox-runc.
Again, the ultimate goal is to create non-privileged containers that are able to run Docker-in-Docker workloads securely.