Merge pull request #9945 from avagin:gvisor-in-gke

PiperOrigin-RevId: 603203411

g3doc/user_guide/tutorials/BUILD

@@ -63,3 +63,21 @@ doc(
     subcategory = "Tutorials",
     weight = "50",
 )
+
+doc(
+    name = "docker_in_gvisor",
+    src = "docker-in-gvisor.md",
+    category = "User Guide",
+    permalink = "/docs/tutorials/docker-in-gvisor/",
+    subcategory = "Tutorials",
+    weight = "50",
+)
+
+doc(
+    name = "docker_in_gke_sandbox",
+    src = "docker-in-gke-sandbox.md",
+    category = "User Guide",
+    permalink = "/docs/tutorials/docker-in-gke-sandbox/",
+    subcategory = "Tutorials",
+    weight = "50",
+)

g3doc/user_guide/tutorials/docker-in-gke-sandbox.md

@@ -0,0 +1,95 @@
+# Docker in gVisor
+
+Docker is a platform designed to help developers build, share, and run container
+applications.
+
+In gVisor, all basic docker commands should function as expected. However, it's
+important to note that, currently, only the host network driver is supported.
+This means that both 'docker run' and 'docker build' commands must be executed
+with the `--network=host` option.
+
+# How to run Docker in a GKE Sandbox
+
+First, install a GKE cluster (1.29.0 or higher) and deploy a node pool with
+gVisor enabled. You can view the full documentation [here][gke-sandbox-docs].
+
+Prepare a container image with pre-installed Docker:
+
+```shell
+$ cd g3doc/user_guide/tutorials/docker-in-gke-sandbox/
+$ docker build -t {registry_url}/docker-in-gvisor:latest .
+$ docker push {registry_url}/docker-in-gvisor:latest
+```
+
+Create a Kubernetes pod YAML file (docker.yaml) with the following content:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: docker-in-gvisor
+spec:
+  runtimeClassName: gvisor
+  containers:
+  - name: docker-in-gvisor
+    image: {registry_url}/docker-in-gvisor:latest
+    securityContext:
+      capabilities:
+        add: ["all"]
+    volumeMounts:
+      - name: docker
+        mountPath: /var/lib/docker
+  volumes:
+  - name: docker
+    emptyDir: {}
+```
+
+This YAML file defines a Kubernetes Pod named docker-in-gvisor that will run a
+single container from the avagin/docker-in-gvisor:0.1 image.
+
+Apply the pod YAML to your GKE cluster using the kubectl apply command:
+
+```shell
+$ kubectl apply -f docker.yaml
+```
+
+Verify that the docker-in-gvisor pid is running successfully: `shell $ kubectl
+get pods | grep docker-in-gvisor`
+
+You can access the container by executing a shell inside it. Use the following
+command:
+
+```shell
+kubectl exec -it docker-in-gvisor -- bash
+```
+
+Now, we can build and run Docker containers.
+
+```shell
+$ mkdir whalesay && cd whalesay
+$ cat > Dockerfile <<EOF
+FROM ubuntu
+
+RUN apt-get update && apt-get install -y cowsay curl
+RUN mkdir -p /usr/share/cowsay/cows/
+RUN curl -o /usr/share/cowsay/cows/docker.cow https://raw.githubusercontent.com/docker/whalesay/master/docker.cow
+ENTRYPOINT ["/usr/games/cowsay", "-f", "docker.cow"]
+EOF
+$ docker build --network=host -t whalesay .
+....
+Successfully tagged whalesay:latest
+$ docker run --network host -it --rm whalesay "Containers do not contain, but gVisor-s do!"
+ _________________________________________
+/ Containers do not contain, but gVisor-s \
+\ do!                                     /
+ -----------------------------------------
+   \               ##         .
+    \        ## ## ##        ==
+          ## ## ## ##       ===
+       /""""""""""""""""\___/ ===
+  ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
+       \______ o          __/
+         \    \        __/
+          \____\______/
+
+```

g3doc/user_guide/tutorials/docker-in-gke-sandbox/Dockerfile

@@ -0,0 +1,8 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND="noninteractive"
+RUN apt-get update && apt-get install -y docker.io
+
+COPY docker-run.sh /usr/local/bin/docker-run.sh
+
+CMD /usr/local/bin/docker-run.sh

g3doc/user_guide/tutorials/docker-in-gke-sandbox/docker-run.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Copyright 2024 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+test -f /sys/fs/cgroup/devices/tasks || {
+  mount -t tmpfs cgroups /sys/fs/cgroup
+  mkdir /sys/fs/cgroup/devices
+  mount -t cgroup -o devices devices /sys/fs/cgroup/devices
+}
+
+exec /usr/bin/dockerd --bridge=none --iptables=false --ip6tables=false "$@"

g3doc/user_guide/tutorials/docker-in-gke-sandbox/docker.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: docker-in-gvisor
+spec:
+  runtimeClassName: gvisor
+  containers:
+  - name: docker-in-gvisor
+    image: avagin/docker-in-gvisor:0.1
+    securityContext:
+      capabilities:
+        add: ["all"]
+    volumeMounts:
+      - name: docker
+        mountPath: /var/lib/docker
+  volumes:
+  - name: docker
+    emptyDir: {}

website/BUILD

@@ -171,6 +171,8 @@ docs(
         "//g3doc/user_guide/tutorials:cni",
         "//g3doc/user_guide/tutorials:docker",
         "//g3doc/user_guide/tutorials:docker_compose",
+        "//g3doc/user_guide/tutorials:docker_in_gke_sandbox",
+        "//g3doc/user_guide/tutorials:docker_in_gvisor",
         "//g3doc/user_guide/tutorials:falco",
         "//g3doc/user_guide/tutorials:knative",
         "//g3doc/user_guide/tutorials:kubernetes",