Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Runtime: experiment using containerd runtime or containerd/cgroups vs syscalls to isolate user code #35

Open
4 tasks
camerondurham opened this issue Feb 5, 2022 · 0 comments
Labels
runtime Engine runtime handles safely executing user submitted code

Comments

@camerondurham
Copy link
Owner

camerondurham commented Feb 5, 2022

Look into using containerd/containerd as a container runtime to run processes or using containerd/cgroups to enforce limits instead of Linux syscall setrlimit : https://github.com/camerondurham/runner/blob/9cc6b646cb85552122482783d44008383ea14966/engine/runtime/limits.go#L33

An example of using cgroups instead of resource limits could be setting the pids cgroup value to the proc limit (see the containerd/cgroups repo for what this library can do for cgroups, specifically: https://github.com/containerd/cgroups#create-a-new-cgroup).

Related links:

Note:

This will likely require setting up a custom Linux VM as these tools cannot be tested in a container. We'd have to adjust the project's deployment strategy accordingly to pursue these alternate libraries/runtimes.

This does not have to be limited to containerd. We can explore other container runtimes besides this, including Docker itself. Ideally using containerd would be preferred since it is a lower level runtime that can expose more customization for us. Docker is really meant for users and dev experience and has many extra features we don't need such as image building included in the Docker daemon.

AC:

If containerd is a good fit:

  • determine dependencies required to run a containerd daemon
  • create Ansible/Vagrant or some automated configuration to run containerd
  • write module to start daemon and execute code in containers

If containerd is not a good fit:

  • decide on syscalls and security strategy that our runtime should use
@camerondurham camerondurham added the runtime Engine runtime handles safely executing user submitted code label Feb 5, 2022
@camerondurham camerondurham changed the title Runtime: experiment using containerd vs syscalls to run user code Runtime: experiment using containerd runtime or containerd/cgroups vs syscalls to isolate user code May 14, 2022
@camerondurham camerondurham removed this from the Code Isolation milestone Jun 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
runtime Engine runtime handles safely executing user submitted code
Projects
Development

No branches or pull requests

1 participant