gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/g3doc/user_guide/tutorials/docker-in-gke-sandbox.md

# Docker in a GKE sandbox

Docker is a platform designed to help developers build, share, and run container
applications.

In gVisor, all basic Docker commands should function as expected. Note, however,
that only the host network driver is currently supported, so both `docker run`
and `docker build` must be invoked with the `--network=host` option.

## How to run Docker in a GKE Sandbox

First, create a GKE cluster (1.29.0 or higher) and deploy a node pool with
gVisor enabled. You can view the full documentation [here][gke-sandbox-docs].

Prepare a container image with pre-installed Docker:

```shell
$ cd g3doc/user_guide/tutorials/docker-in-gke-sandbox/
$ docker build -t {registry_url}/docker-in-gvisor:latest .
$ docker push {registry_url}/docker-in-gvisor:latest
```

Create a Kubernetes pod YAML file (`docker.yaml`) with the following content:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: docker-in-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: docker-in-gvisor
    image: {registry_url}/docker-in-gvisor:latest
    securityContext:
      capabilities:
        add: ["all"]
    volumeMounts:
      - name: docker
        mountPath: /var/lib/docker
  volumes:
  - name: docker
    emptyDir: {}
```

This YAML file defines a Kubernetes Pod named `docker-in-gvisor` that runs a
single container from the `{registry_url}/docker-in-gvisor:latest` image built
above. The `runtimeClassName: gvisor` line is what makes the rest of the manifest
acceptable: the container is granted every capability (`add: ["all"]`) because
dockerd needs them to create namespaces and mounts, and inside the sandbox those
capabilities are enforced by gVisor's application kernel rather than by the host
kernel. Do not reuse this manifest on a node pool without gVisor, where the same
pod would receive those capabilities from the host kernel.

Apply the pod YAML to your GKE cluster using the `kubectl apply` command:

```shell
$ kubectl apply -f docker.yaml
```

Verify that the docker-in-gvisor pod is running successfully:

```shell
$ kubectl get pods | grep docker-in-gvisor
```

You can access the container by executing a shell inside it. Use the following
command:

```shell
$ kubectl exec -it docker-in-gvisor -- bash
```

Now, we can build and run Docker containers.

```shell
$ mkdir whalesay && cd whalesay
$ cat > Dockerfile <<EOF
FROM ubuntu

RUN apt-get update && apt-get install -y cowsay curl
RUN mkdir -p /usr/share/cowsay/cows/
RUN curl -o /usr/share/cowsay/cows/docker.cow https://raw.githubusercontent.com/docker/whalesay/master/docker.cow
ENTRYPOINT ["/usr/games/cowsay", "-f", "docker.cow"]
EOF
$ docker build --network=host -t whalesay .
....
Successfully tagged whalesay:latest
$ docker run --network host -it --rm whalesay "Containers do not contain, but gVisor-s do!"
 _________________________________________
/ Containers do not contain, but gVisor-s \
\ do!                                     /
 -----------------------------------------
   \               ##         .
    \        ## ## ##        ==
          ## ## ## ##       ===
       /""""""""""""""""\___/ ===
  ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
       \______ o          __/
         \    \        __/
          \____\______/
```
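The steps above can be wrapped in a small pre-flight script that enforces the two constraints this tutorial depends on: the manifest must request the `gvisor` RuntimeClass (otherwise the `add: ["all"]` capabilities are real host capabilities), and every `docker build` / `docker run` sent into the pod must select the host network driver. This is an added example, not code from the gVisor project; it assumes `kubectl` is already configured for the cluster, that the manifest is `docker.yaml`, and that the pod is named `docker-in-gvisor` (override with the `POD` environment variable). `kubectl wait` and the `jsonpath` output format are standard kubectl features.

```shell
#!/bin/sh
# Pre-flight wrapper for the Docker-in-gVisor pod (added example, not part of gVisor).
# Assumptions: kubectl points at the GKE cluster, manifest is docker.yaml,
# pod name is docker-in-gvisor unless POD is set.
set -eu

POD="${POD:-docker-in-gvisor}"

# The manifest must pin the gvisor RuntimeClass: with `add: ["all"]` in its
# securityContext, a pod scheduled on an ordinary node would receive those
# capabilities from the host kernel instead of from the gVisor sandbox.
manifest_uses_gvisor() {
  grep -Eq '^[[:space:]]*runtimeClassName:[[:space:]]*gvisor[[:space:]]*$' "$1"
}

# gVisor only supports Docker's host network driver, so refuse `docker build`
# and `docker run` invocations that do not select it explicitly
# (both `--network=host` and `--network host` spellings are accepted).
docker_args_use_host_network() {
  case " $* " in
    *" --network=host "*|*" --network host "*|*" --net=host "*|*" --net host "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Apply the manifest, wait for the pod to become Ready, then confirm the
# scheduler actually honoured the RuntimeClass instead of dropping it.
deploy_sandbox() {
  manifest="$1"
  if ! manifest_uses_gvisor "$manifest"; then
    echo "refusing to apply $manifest: runtimeClassName is not gvisor" >&2
    return 2
  fi
  kubectl apply -f "$manifest"
  kubectl wait --for=condition=Ready "pod/$POD" --timeout=180s
  actual="$(kubectl get pod "$POD" -o jsonpath='{.spec.runtimeClassName}')"
  if [ "$actual" != gvisor ]; then
    echo "pod $POD is running with runtimeClassName '$actual', not gvisor" >&2
    return 2
  fi
}

# Run a docker command inside the sandboxed pod, e.g.
#   sandbox_docker run --network=host --rm whalesay "hello"
# The build context for `docker build` must already exist inside the pod.
sandbox_docker() {
  if ! docker_args_use_host_network "$@"; then
    echo "refusing: add --network=host, the only driver gVisor supports" >&2
    return 2
  fi
  kubectl exec -i "$POD" -- docker "$@"
}

# Command dispatch; invoking the script with no arguments only defines the
# functions, so it can also be sourced.
case "${1:-}" in
  deploy) deploy_sandbox "${2:-docker.yaml}" ;;
  docker) shift; sandbox_docker "$@" ;;
esac
```

Usage: `sh sandbox.sh deploy docker.yaml` applies and verifies the pod; `sh sandbox.sh docker run --network=host --rm whalesay "hi"` runs a container in it. Copy a build context in first with `kubectl cp` if you want to drive `docker build` through the wrapper rather than from an interactive shell.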