pdtpartners / nix-snapshotter

Brings native understanding of Nix packages to containerd
MIT License

defaultRuntime = "runsc" seems to have no effect #130

Closed msackman closed 1 month ago

msackman commented 9 months ago

I'm experimenting with the new gvisor support.

    virtualisation.containerd.rootless = {
      enable = true;
      nixSnapshotterIntegration = true;
      gVisorIntegration = true;
      defaultRuntime = "runsc";
    };

    # nerdctl run nix:0/nix/store/adnry81s33j2lmvy5bxpmlyxdc5z0jq7-nix-image-my-redis2.tar:latest
    ...

It certainly starts up and works, but on the host a ps aux | grep runsc gives nothing. ps aux | grep runc does give results.

Whereas:

    # nerdctl run --runtime runsc nix:0/nix/store/adnry81s33j2lmvy5bxpmlyxdc5z0jq7-nix-image-my-redis2.tar:latest

and now a ps aux | grep runsc shows runsc-gofer and runsc-sandbox working.

Incidentally:

    # nerdctl help run | grep runsc
          --runtime string                                 Runtime to use for this container, e.g. "crun", or "io.containerd.runsc.v1" (default "io.containerd.runc.v2")

But if I set defaultRuntime = "io.containerd.runsc.v1" then I get the cgroup error (WARN[0002] cannot set cgroup manager to "systemd" for runtime "io.containerd.runsc.v1") because it's not going through your wrapper to ignore the cgroups. So your runsc wrapper definitely works when explicitly used, but for some reason it doesn't seem to be found when set as the default.

The containerd.toml does contain default_runtime_name = "runsc", so I do not understand why it's not taking effect.

elpdt852 commented 1 month ago

I finally had some time to dig into this; it's simply because nerdctl defaults the runtime to io.containerd.runc.v2 and explicitly sends this to containerd, so it doesn't use its default setting. If you want nerdctl to respect containerd's default runtime you'll need to file an upstream issue.

As for this repository's VM running with k3sIntegration = true; gVisorIntegration = true I see all the kube-system pods running runsc:

    [root@nixos:~]# ps aux | grep runsc
    root        2005  0.0  0.2 1235980 9856 ?        Sl   23:46   0:00 /nix/store/ns4p5pskqlmzl2bh2565v39l9wab2svn-gvisor-20240401.0/bin/containerd-shim-runsc-v1 -namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /nix/store/gq22qd
    root        2007  0.0  0.2 1235980 9728 ?        Sl   23:46   0:00 /nix/store/ns4p5pskqlmzl2bh2565v39l9wab2svn-gvisor-20240401.0/bin/containerd-shim-runsc-v1 -namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /nix/store/gq22qd
    root        2059  0.0  0.3 1254592 15360 ?       Ssl  23:46   0:00 runsc-gofer --root=/run/containerd/runsc/k8s.io --log=/run/containerd/io.containerd.runtime.v2.task/k8s.io/65add7a5e81e2362c5c8d7a49f65c8d9e7f0b9096f072ef1f7048e2e4080af77/log.json -1

See:

cc @akihirosuda

AkihiroSuda commented 1 month ago

See https://github.com/containerd/nerdctl/blob/v2.0.0-rc.2/docs/faq.md#nerdctl-ignores-pluginsiocontainerdgrpcv1cri-config

nerdctl ignores [plugins."io.containerd.grpc.v1.cri"] config

Expected behavior, because nerdctl does not use CRI (Kubernetes Container Runtime Interface) API.
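A small check for the behaviour elpdt852 and AkihiroSuda describe above, added here as an example and not code from nix-snapshotter or nerdctl: it works out which runtime a nerdctl command line will actually request (the CRI plugin's default_runtime_name is never consulted), and confirms from ps output whether gVisor processes are present, the same check the reporter ran. The containerd.toml fragment, the ps lines and the function names are constructed for this example.

```python
import re
import shlex
from typing import List, Optional

# nerdctl's own default, as shown by `nerdctl help run` in the thread.
NERDCTL_DEFAULT_RUNTIME = "io.containerd.runc.v2"

# Constructed containerd.toml fragment matching the reporter's setup.
SAMPLE_CONTAINERD_TOML = '''
[plugins."io.containerd.grpc.v1.cri".containerd]
  default_runtime_name = "runsc"
'''

# Constructed `ps aux` lines: one runc shim, one gVisor sandbox (gofer + sandbox).
SAMPLE_PS = '''
root  1001  0.0  0.1 1100000  8000 ? Sl  10:00 0:00 /run/current-system/sw/bin/containerd-shim-runc-v2 -namespace default
root  1002  0.0  0.3 1254592 15360 ? Ssl 10:00 0:00 runsc-gofer --root=/run/containerd/runsc/default
root  1003  0.0  0.3 1254592 15360 ? Ssl 10:00 0:00 runsc-sandbox --root=/run/containerd/runsc/default
'''

def containerd_default_runtime(config_toml: str) -> Optional[str]:
    """default_runtime_name from the CRI section; only CRI clients (k3s, kubelet) honour it."""
    m = re.search(r'^\s*default_runtime_name\s*=\s*"([^"]+)"', config_toml, re.MULTILINE)
    return m.group(1) if m else None

def effective_runtime(nerdctl_cmd: str) -> str:
    """Runtime nerdctl will send to containerd: --runtime if given, else its own default."""
    argv = shlex.split(nerdctl_cmd)
    for i, arg in enumerate(argv):
        if arg == "--runtime" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--runtime="):
            return arg.split("=", 1)[1]
    return NERDCTL_DEFAULT_RUNTIME  # containerd's default_runtime_name is ignored here

def runsc_processes(ps_output: str) -> List[str]:
    """Basenames of gVisor processes (runsc-*, containerd-shim-runsc-v1) in `ps aux` output."""
    found = []
    for line in ps_output.splitlines():
        cols = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(cols) < 11:
            continue
        exe = cols[10].split()[0].rsplit("/", 1)[-1]
        if exe.startswith("runsc") or exe == "containerd-shim-runsc-v1":
            found.append(exe)
    return found

def sandbox_mismatch(nerdctl_cmd: str, config_toml: str) -> bool:
    """True when runsc is containerd's CRI default but this nerdctl command will not use it."""
    return (containerd_default_runtime(config_toml) == "runsc"
            and "runsc" not in effective_runtime(nerdctl_cmd))
```

If sandbox_mismatch() is true for a command, the container is not under gVisor no matter what containerd.toml says; pass --runtime explicitly and confirm with runsc_processes() on the host.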