google / gvisor-website

The gVisor project website.
https://gvisor.dev/
Apache License 2.0
17 stars, 19 forks

gVisor Documentation runtime params #125

Open chad-autry opened 4 years ago

chad-autry commented 4 years ago

The various runtimeArgs to runsc don't seem documented.

Also I see on the 'one year later' article https://opensource.googleblog.com/2019/05/gvisor-one-year-later.html that Docker's CPU and memory limits are now obeyed. Presumably they work as runtimeArgs?

ianlewis commented 4 years ago

The limits are provided to the runtime in a json file that's part of the OCI bundle so they don't get passed as runtime args. Though there are a number of args that runsc does support. We have some docs for them in https://gvisor.dev/docs/user_guide/debugging/ etc. but the docs are not exhaustive.

Are there any other runtime args you think would be useful to document? Most, if not all, supported global flags should be documented in runsc when you run runsc flags

chad-autry commented 4 years ago

I think overlap/inconsistency might be what is confusing me somewhat.

--network=none can be specified literally everywhere it seems. In /etc/docker/daemon.json runtimeArgs, on the Docker command line, or as a flag to runsc (when running an OCI bundle), and you seem to say it can even go in the OCI config.json.

Meanwhile memory limitations seem only accessible as a docker flag, or in the OCI config.json. But not in /etc/docker/daemon.json or as a flag to runsc.

Starting with docker where the two were equivalent cli flags, and investigating gvisor + OCI Bundle where they're not both runsc flags threw me for a loop.

ianlewis commented 4 years ago

Yeah, I can see how some options might be confusing. As you noted, Docker images don't contain metadata about resource limits and so they are specified via command line flags, but for OCI bundles they are part of the metadata in config.json.

runtimeArgs is actually the flags that are passed to runsc as a command line flag by Docker on every invocation. So runtimeArgs in /etc/docker/daemon.json and runsc's command line flags are the same thing. Though Docker's --network option and runsc's --network option are different. Docker's is documented here with possible values like bridge or container:<name|id> and specifies what network to connect to. Whereas runsc's --network option supports sandbox, host, or none, and specifies what network stack to use.

FWIW we have tried to document use of flags and options by use case (e.g. https://gvisor.dev/docs/user_guide/networking/, https://gvisor.dev/docs/user_guide/debugging/) but if you have more specific ideas or suggestions about how to improve the docs that would be really helpful.
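To make the split described above concrete, here is an added example (not code from the gvisor-website project or the runsc maintainers): a constructed /etc/docker/daemon.json and a constructed OCI config.json, with small helpers showing that runtimeArgs become runsc command-line flags while the memory limit comes from the bundle. The runsc path, the extra --debug-log flag, the 64 MiB limit and the default network value are assumptions for illustration.

```python
import json

# Constructed sample of /etc/docker/daemon.json. runtimeArgs are the flags
# Docker prepends to every runsc invocation; path and values are assumed.
DAEMON_JSON = """{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc",
      "runtimeArgs": ["--network=none", "--debug-log=/tmp/runsc/"]
    }
  }
}"""

# Constructed sample of an OCI bundle's config.json. Resource limits live in
# linux.resources, not in runtime flags (64 MiB memory limit, assumed value).
OCI_CONFIG_JSON = """{
  "ociVersion": "1.0.2",
  "linux": {"resources": {"memory": {"limit": 67108864}}}
}"""

# The network stacks runsc's --network flag accepts (from the thread above).
RUNSC_NETWORK_VALUES = {"sandbox", "host", "none"}


def runsc_argv(daemon_json: str, runtime: str = "runsc") -> list:
    """Rebuild the command-line prefix Docker uses for the named runtime."""
    cfg = json.loads(daemon_json)["runtimes"][runtime]
    return [cfg["path"], *cfg.get("runtimeArgs", [])]


def check_network_flag(argv: list) -> str:
    """Return the runsc --network value; reject Docker network names
    such as 'bridge' or 'container:<id>', which belong to docker run."""
    for arg in argv:
        if arg.startswith("--network="):
            value = arg.split("=", 1)[1]
            if value not in RUNSC_NETWORK_VALUES:
                raise ValueError(f"{value!r} is a Docker network, not a runsc network stack")
            return value
    return "sandbox"  # assumed default when the flag is absent


def memory_limit_bytes(oci_json: str):
    """Read the memory limit from the bundle's config.json; None if unset."""
    cfg = json.loads(oci_json)
    return cfg.get("linux", {}).get("resources", {}).get("memory", {}).get("limit")
```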