New Runner based on Sysbox Runtime

I’d like to propose a new runner for Drone that would obviate the need for docker-out-of-docker hacks that exist in the current docker runner, while still maintaining security.

The idea, in brief, is to use the sysbox container runtime:

  • Create a new runner that launches every pipeline inside of an isolated “system container”.
  • Each step in the pipeline runs as a separate container inside the system container.
  • Each step is free to interact with the system container’s Docker daemon without compromising host isolation.
  • Pipeline steps can use regular docker commands! No need to use a special plugin when building Docker images.
    • This means step 1 of a pipeline can build an image that is used to run tests in step 2 without the need to publish the untested image to a separate cache.
    • This also means that steps can use e.g. docker-compose to orchestrate sidecar services, so teams can use the same config they use to develop locally to run their tests in CI.

Such a setup would also enable running Kubernetes applications in CI/CD pipelines without needing to maintain a separate cluster.

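To make the contrast concrete, here is an added example (not from the post above and not code shipped by Drone or Sysbox) of what the two models look like as Drone pipeline files. The first document is the docker-out-of-docker pattern the post wants to replace, written with the existing docker runner's real `volumes`/`host` syntax. The second document assumes a hypothetical runner type `sysbox` that starts the whole pipeline in a Sysbox system container and exposes that container's own Docker socket to every step; `type: sysbox`, the image tag `app:ci`, the `docker:24` client image, and the `db`/`app` services in `docker-compose.yml` are all assumptions for illustration.

```yaml
# --- Today: docker runner + host socket mount (docker-out-of-docker) ---
kind: pipeline
type: docker
name: dood-today

steps:
  - name: build
    image: docker:24          # assumed: any image with the docker CLI
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    commands:
      - docker build -t app:ci .

# The host volume hands the step the host daemon's socket. Anyone who can
# edit this file can run arbitrary privileged containers on the host, so
# isolation between the pipeline and the host is gone.
volumes:
  - name: dockersock
    host:
      path: /var/run/docker.sock

---
# --- Proposed: one Sysbox system container per pipeline ---
# "type: sysbox" is a hypothetical runner name, not something Drone ships.
kind: pipeline
type: sysbox
name: sysbox-proposal

# Assumed: the runner starts a system container under the sysbox-runc
# runtime, runs a Docker daemon inside it, and exposes *that* daemon's socket
# (never the host's) to each step. Steps therefore need no volume mounts.
steps:
  - name: build
    image: docker:24
    commands:
      # The image lands in the inner daemon's image store only.
      - docker build -t app:ci .

  - name: test
    image: docker:24
    commands:
      # Same inner daemon, so the untested image built in the previous step
      # is visible here without a registry or cache round-trip.
      - docker run --rm app:ci pytest -q

  - name: integration
    image: docker:24
    commands:
      # Reuse the team's local compose file for sidecars. Service names
      # "db" and "app" are assumed to be defined in docker-compose.yml.
      - docker compose up -d db
      - docker compose run --rm app pytest -q tests/integration
      - docker compose down -v
```

The security-relevant difference is where the socket comes from: in the first pipeline a compromised or malicious step talks to the host daemon and can escape to the host; in the second, the worst a step can reach is the daemon inside its own Sysbox system container, which is what the post means by keeping host isolation intact. By hand, the second model corresponds to starting a system container with `docker run --runtime=sysbox-runc` and running the build/test commands inside it; the proposed runner would just automate that per pipeline.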