You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
At the moment we're using bwrap and a whole load of custom logic to sandbox execution. This can be drastically simplified by switching to an OCI-compliant runtime, which is essentially a standardised version of the kind of interface sandbox provides.
crun looks to be the most promising at the moment, as it is mature, fast, supports rootless mode, and cgroup v2 (see #5). In future we could consider using gvisor/runsc or even kata-containers for better sandboxing.
Is it worth using a container manager like podman, or can its functionality be replicated in the API?
I think Podman would be able to interface with Docker images directly, negating the need for either manual image extraction or another tool (#30). However, it also has a lot of stuff that might create too much setup complexity (it uses user namespaces by default which requires managing user/group ID mappings, and includes a lot of extraneous functionality). It also seems like it might be too slow (1.3s to run echo hello :/)
conmon (which is included with Podman) might also replace some or all of the functionality of our wrapper, but it also might not meet our needs and just add extra overhead.
Thank you to @RedwolfPrograms for his RTO prototype - it made me look into some of the more standard container tooling again in more detail, which I initially ignored as too complex when starting ATO.
The text was updated successfully, but these errors were encountered:
pxeger
added
change
Minor tweak or modification that is neither a bug nor a feature
internal
Internal backend/infrastructure-related
labels
Sep 17, 2021
pxeger
changed the title
Replace sandbox entirely with OCI runtime and maybe
Replace sandbox entirely with OCI runtime and maybe a container manager
Sep 17, 2021
At the moment we're using
bwrap
and a whole load of custom logic to sandbox execution. This can be drastically simplified by switching to an OCI-compliant runtime, which is essentially a standardised version of the kind of interfacesandbox
provides.crun looks to be the most promising at the moment, as it is mature, fast, supports rootless mode, and cgroup v2 (see #5). In future we could consider using gvisor/runsc or even kata-containers for better sandboxing.
Is it worth using a container manager like podman, or can its functionality be replicated in the API?
I think Podman would be able to interface with Docker images directly, negating the need for either manual image extraction or another tool (#30). However, it also has a lot of stuff that might create too much setup complexity (it uses user namespaces by default which requires managing user/group ID mappings, and includes a lot of extraneous functionality). It also seems like it might be too slow (1.3s to run
echo hello
:/)conmon (which is included with Podman) might also replace some or all of the functionality of our
wrapper
, but it also might not meet our needs and just add extra overhead.Thank you to @RedwolfPrograms for his RTO prototype - it made me look into some of the more standard container tooling again in more detail, which I initially ignored as too complex when starting ATO.
The text was updated successfully, but these errors were encountered: