Support for other OCI runtimes (alpha)
Docker supports running other Open Container Initiative (OCI) compatible runtimes, such as Kata.
Some of these runtimes run containers very differently from the default runtime used by Docker (runc).
For example, Kata spins up virtual machines rather than containers based on cgroups. This makes it (more) safe to run containers as root.
There is preliminary, alpha support for using other OCI runtimes in INGInious. By default, INGInious attempts to detect whether
runc, crun and kata are available. You can use other runtimes with the --runtime argument of the inginious-agent-docker command.
Behavior
INGInious classifies runtimes into categories:
Runtimes on which all containers share the same kernel
Runtimes on which it is safe to run as root
They are not mutually exclusive in theory, but are in practice.
Runtimes on which it is safe to run as root
On these runtimes, the run file is run by the user root (id 0, gid 0) rather than by worker (id 4242, gid 4242), which allows
things that are normally unsupported, such as editing the network stack, mounting things, …
Since unix sockets and shared file descriptors are not usable in these containers, run_student and ssh_student
have to transfer signals and outputs via messages, using the agent as a proxy.
Installing other runtimes
Please see the documentation of the runtimes to install them in Docker; verify that they work using the docker CLI.
Then, use the --runtime argument of the inginious-agent-docker command if they are not automatically detected by INGInious (after a restart).
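
One way to carry out the verification step with the docker CLI, as an added example that is not part of INGInious: it checks that each runtime is registered with the Docker daemon, then compares the kernel release seen inside a throwaway container with the host's, which indicates whether the runtime shares the host kernel. The runtime names (runc, kata), the busybox image and the script name are assumptions; use the names configured in your daemon.

```shell
#!/bin/sh
# Added example, not INGInious code. Runtime names are passed as arguments and
# must match the names registered in the Docker daemon (assumed: runc, kata).
IMAGE="${IMAGE:-busybox}"   # assumption: any small image that ships uname

# Print the runtime names the Docker daemon knows about, one per line.
registered_runtimes() {
    docker info --format '{{range $name, $rt := .Runtimes}}{{println $name}}{{end}}'
}

# Succeed if runtime $1 is registered with the daemon.
is_registered() {
    registered_runtimes | grep -qxF -- "$1"
}

# Start a throwaway container with runtime $1 and compare its kernel release
# with the host's. Prints "<name> shared-kernel" or "<name> separate-kernel".
# Equal release strings are reported as shared, which errs on the side of
# treating the runtime as unsafe for running as root.
classify_runtime() {
    is_registered "$1" || { echo "$1 not-registered"; return 1; }
    host_kernel=$(uname -r)
    guest_kernel=$(docker run --rm --runtime "$1" "$IMAGE" uname -r) \
        || { echo "$1 failed-to-start"; return 1; }
    if [ "$guest_kernel" = "$host_kernel" ]; then
        echo "$1 shared-kernel"
    else
        echo "$1 separate-kernel"
    fi
}

# Usage: sh check-runtimes.sh runc kata
if [ "$#" -gt 0 ]; then
    for rt in "$@"; do classify_runtime "$rt" || true; done
fi
```

A kernel release that differs from the host's only shows that the container did not see the host kernel; whether root is safe on that runtime still depends on the runtime's own isolation guarantees.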