The main goal of this issue is to figure out whether it is possible to support OCI-type workloads without adding a Docker daemon to the rootfs. When we experimented with that before, adding Docker to the rootfs bloated it by well over 130MB.
With that in mind, the next thing to figure out is how to cache OCI artifacts (see OCI Distribution). The cache will need to be available to agents/workloads running on the nex node, which likely do not have direct access to the OCI registry from which the nex node pulls.
Finally, how do we manage the security of these OCI workloads while keeping them useful and enforcing multi-tenant isolation?
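One shape the cache from the two points above could take, as an added example that is not code from the nex project: a content-addressed blob store that admits a layer only when its bytes hash to the digest named in the image manifest, so an agent that cannot reach the registry still receives exactly the bytes the registry would have served. The OCI types are cut down to the `digest` and `layers` fields, and the store is in-memory only; both are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Descriptor and Manifest: the subset of OCI image-spec fields needed here.
type Descriptor struct {
	Digest string `json:"digest"`
}
type Manifest struct {
	Layers []Descriptor `json:"layers"`
}

// BlobCache is content-addressed: a blob is admitted only if its bytes hash to
// the descriptor's digest, so a tampered layer is never served under a trusted one.
type BlobCache struct{ blobs map[string][]byte }

func NewBlobCache() *BlobCache { return &BlobCache{blobs: map[string][]byte{}} }

// DigestOf returns the OCI-style "sha256:<hex>" digest of data.
func DigestOf(data []byte) string {
	sum := sha256.Sum256(data)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Put stores data under desc.Digest only after the digest has been verified;
// a mismatch leaves any previously cached blob for that digest untouched.
func (c *BlobCache) Put(desc Descriptor, data []byte) error {
	if got := DigestOf(data); got != desc.Digest {
		return fmt.Errorf("digest mismatch: got %s, want %s", got, desc.Digest)
	}
	c.blobs[desc.Digest] = data
	return nil
}

// MissingLayers lists layer digests the node still has to pull for the agent.
func MissingLayers(c *BlobCache, manifestJSON []byte) (missing []string, err error) {
	var m Manifest
	if err = json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	for _, l := range m.Layers {
		if _, ok := c.blobs[l.Digest]; !ok {
			missing = append(missing, l.Digest)
		}
	}
	return missing, nil
}
```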
After some research, the following approach makes the most sense for supporting OCI:
On macOS and Windows, OCI support is provided via the Docker daemon, which must be configured with a TCP socket; attempting to start the node without a TLS configuration for the Docker client connection will result in an error.
On Linux, OCI images will be pulled by the agent and unpacked into a rootfs for use with runc.
Details TBD