Docker Swarm with gVisor

I would like to use gVisor with Docker Swarm. However, I cannot figure out how to specify a different runtime like runsc in the case of gVisor with Docker Swarm config. Is Docker Swarm compatible with specifying other runtimes or is it not possible? If not possible, what are my alternatives? Kubernetes seems to work fine, but is a massive overhead for my deployment. At the same time, running each container by hand is not really feasible either.

Thank you for your helpful comments!


Unlike docker run, the docker service create command does not have the --runtime argument.

You could try adding it as a runtime and setting it as the default-runtime in /etc/docker/daemon.json and see if that does the trick. It does for plain docker containers (=deployed with docker run or docker compose), see: https://docs.docker.com/reference/cli/dockerd/#runtime-options. I have no idea whether this option is valid for swarm services as well, but it would make sense if it is.

Thanks, the issue with this approach is that I don’t want to run all my containers with gVisor as it can have quite a performance impact (especially on backend DB containers like PostgreSQL).

Alternatively, I could go back to docker compose. Docker compose supports the runtime spec, right? So I could use docker compose for a single server and then switch to K8s as soon as I need multiple servers.

Every docker run command can be translated to a compose configuration, and the other way around.

https://docs.docker.com/compose/compose-file/05-services/#runtime
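As an added illustration (not from this thread), a compose file that puts only the web service under gVisor while PostgreSQL keeps the daemon's default runc runtime; it assumes runsc has been registered in /etc/docker/daemon.json first, and the runsc path and image names are placeholders:

```yaml
# Step 1 (assumed, done once on the host): register runsc with dockerd.
# /etc/docker/daemon.json  (binary path is an assumption; adjust to your install)
# {
#   "runtimes": {
#     "runsc": { "path": "/usr/local/bin/runsc" }
#   }
# }
# Restart dockerd and check that "runsc" appears in: docker info | grep -i runtimes

# Step 2: opt individual services into the sandbox with the `runtime` key.
services:
  web:
    image: nginx:alpine
    runtime: runsc          # this service is sandboxed by gVisor
    ports:
      - "8080:80"
    depends_on:
      - db

  db:
    image: postgres:16
    # No `runtime` key here: the container falls back to the daemon's
    # default-runtime (runc), so the database keeps native I/O performance.
    environment:
      POSTGRES_PASSWORD: example   # constructed placeholder, not a real secret
    volumes:
      - pgdata:/var/lib/postgresql/data

volumes:
  pgdata:
```

To confirm the split, `docker compose exec web dmesg` prints gVisor's own boot messages instead of the host kernel log, while the same command against `db` shows the host kernel's output.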

Not necessary, as the gvisor docs point out. Not all versions of Docker Compose are compatible with the runtime specification. Anyway, it works in my case, so thanks for your help!

Years ago the statement would have been true 🙂

Though, it refers to the legacy compose file versions v2 and v3. The latest compose specification unified both versions. Docker compose v2 (=the cli plugin) ignores the compose file schema version and always uses the latest version of the specification.

The legacy compose file schema versions had different target groups in mind:

  • schema v2.x was aimed at docker compose deployments and allowed 1:1 translation of docker run commands, but lacked docker swarm specifics.
  • schema v3.x was aimed at docker stack (=swarm) deployments, but lacked many of the low-level configuration items. Earlier versions of docker compose (=the older v1 version) ignored all swarm-specific elements.

Well, those days are over. docker compose v2 (=the cli plugin) can leverage every configuration element from the compose file specification. Though, the same is not true for docker stack deployments.