From 3154c03f8a22839aeb1b7b79f298b36b7ca56166 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Wed, 7 Sep 2022 22:19:20 +0200
Subject: [PATCH] Recommend using gVisor as a sandbox
---
 docs/configuration.md | 4 ++++
 docs/resources/client.example.hcl | 5 +----
 docs/resources/docker.daemon.json | 10 ++++++++++
 3 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 docs/resources/docker.daemon.json
diff --git a/docs/configuration.md b/docs/configuration.md
index e5e50ea..d8d6ec2 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -72,3 +72,7 @@ In order to allow full networking support in Nomad, the `containernetworking-plu
 ```
 If the path is not set up correctly or the dependency is missing, the following error will be shown in Nomad: `failed to find plugin "bridge" in path [/opt/cni/bin]`
+
+### Use gVisor as a sandbox
+
+We recommend using gVisor as a sandbox for the execution environments. First, [install gVisor following the official documentation](https://gvisor.dev/docs/user_guide/install/) and second, adapt the `/etc/docker/daemon.json` with reasonable defaults as shown in our [example configuration for Docker](./resources/docker.daemon.json).
diff --git a/docs/resources/client.example.hcl b/docs/resources/client.example.hcl
index 0b75c70..63c7f9c 100644
--- a/docs/resources/client.example.hcl
+++ b/docs/resources/client.example.hcl
@@ -9,12 +9,9 @@ client {
 plugin "docker" {
 config {
+ allow_runtimes = ["runsc"]
 gc {
 image_delay = "0s"
 }
-
-# auth {
-# config = "/root/.docker/config.json"
-# }
 }
 }
diff --git a/docs/resources/docker.daemon.json b/docs/resources/docker.daemon.json
new file mode 100644
index 0000000..43accc3
--- /dev/null
+++ b/docs/resources/docker.daemon.json
@@ -0,0 +1,10 @@
+{
+ "default-runtime": "runsc",
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/bin/runsc",
+ "runtimeArgs": [
+ ]
+ }
+ }
+}
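Review bot: In docs/resources/client.example.hcl the new `allow_runtimes = ["runsc"]` line has no comment, and a reader can easily take it to mean that every task is forced into gVisor. As far as I know, Nomad's Docker driver consults this list only when a task sets `runtime` explicitly; a task that omits it runs under whatever the Docker daemon's default runtime is, so the sandbox actually depends on docker.daemon.json being applied on every client (worth confirming against the Nomad driver documentation). I would add a comment above the line such as `# Tasks may only request gVisor explicitly; tasks without a runtime use Docker's default-runtime, which must be runsc (see docker.daemon.json)`. Setting the runtime explicitly in the job specification as well would presumably make a client without the daemon change fail to start the task instead of silently falling back to an unsandboxed runtime.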
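Review bot: In the new docs/resources/docker.daemon.json the `"path": "/usr/bin/runsc"` value is hard-coded, while the gVisor guide linked from configuration.md describes more than one install method and, as far as I recall, the manual one places the binary under /usr/local/bin. JSON cannot carry a comment, so the new section in docs/configuration.md should say that `path` must match the installed binary (for example the output of `command -v runsc`) and that the file is to be merged into an existing `/etc/docker/daemon.json`, not copied over it. It should also note that `default-runtime` applies to every container on the host, not only the execution environments, and that the Docker daemon has to be restarted before the setting takes effect. A short verification step, checking that `docker info` lists `runsc` as the default runtime, would let operators confirm the sandbox is active before untrusted code runs.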