From 6cab345633ab86b36d97f152b7061e936ca8fbd7 Mon Sep 17 00:00:00 2001 From: Shishir Date: Mon, 7 Dec 2020 13:51:19 -0800 Subject: [PATCH] Update containerd task driver docs. (#9550) --- .../docs/drivers/external/containerd.mdx | 100 +++++++++++++++++- 1 file changed, 99 insertions(+), 1 deletion(-) diff --git a/website/pages/docs/drivers/external/containerd.mdx b/website/pages/docs/drivers/external/containerd.mdx index 71bc19873..17b5d9de6 100644 --- a/website/pages/docs/drivers/external/containerd.mdx +++ b/website/pages/docs/drivers/external/containerd.mdx @@ -113,6 +113,9 @@ config { } ``` +- `cwd` - (Optional) Specify the current working directory (cwd) for your container process. + If the directory does not exist, one will be created for you. + - `privileged` - (Optional) `true` or `false` (default) Run container in privileged mode. Your container will have all Linux capabilities when running in privileged mode. @@ -123,6 +126,27 @@ config { } ``` +- `host_dns` - (Optional) `true` (default) or `false` By default, a container + launched using `containerd-driver` will use host `/etc/resolv.conf`. This is + similar to [Docker's behavior]. However, if you don't want to use + host DNS, you can turn off this flag by setting `host_dns=false`. + +- `seccomp` - (Optional) Enable default seccomp profile. List of [allowed syscalls]. + +- `seccomp_profile` - (Optional) Path to custom seccomp profile. + `seccomp` must be set to `true` in order to use `seccomp_profile`. + + The default `docker` seccomp profile found in the [Moby repository] + can be downloaded, and modified (by removing/adding syscalls) to create a custom seccomp profile. + The custom seccomp profile can then be saved under `/opt/seccomp/seccomp.json` on the Nomad client nodes. + +```hcl +config { + seccomp = true + seccomp_profile = "/opt/seccomp/seccomp.json" +} +``` + - `readonly_rootfs` - (Optional) `true` or `false` (default) Container root filesystem will be read-only. 
@@ -214,7 +238,7 @@ them should be used at a time. config of the job spec (see [host_network][host-network] under Task Configuration). -1. **Bridge** network can be enabled by setting the `network` stanza in the task +2. **Bridge** network can be enabled by setting the `network` stanza in the task group section of the job spec. ```hcl @@ -234,6 +258,75 @@ before you can use `bridge` networks. $ sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz ``` +Also, ensure your Linux operating system distribution has been configured +to allow container traffic through the bridge network to be routed via iptables. +These tunables can be set as follows: + +```hcl + $ echo 1 > /proc/sys/net/bridge/bridge-nf-call-arptables + $ echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables + $ echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables +``` + +To preserve these settings on startup of a Nomad client node, add a file +including the following to `/etc/sysctl.d/` or remove the file your Linux +distribution puts in that directory. + +```hcl + net.bridge.bridge-nf-call-arptables = 1 + net.bridge.bridge-nf-call-ip6tables = 1 + net.bridge.bridge-nf-call-iptables = 1 +``` + +## Port Forwarding + +Nomad supports both `static` and `dynamic` port mapping. + +1. **Static ports** + +Static port mapping can be added in the `network` stanza. + +```hcl +network { + mode = "bridge" + port "lb" { + static = 8889 + to = 8889 + } +} +``` +Here, `host` port `8889` is mapped to `container` port `8889`.
+**NOTE:** static ports are usually not recommended, except for +`system` or specialized jobs like load balancers. + +2. **Dynamic ports** + +Dynamic port mapping is also enabled in the `network` stanza. + +```hcl +network { + mode = "bridge" + port "http" { + to = 8080 + } +} +``` +Here, nomad will allocate a dynamic port on the `host` and that port +will be mapped to `8080` in the container. + +You can read more about configuring networking under the [`network`] stanza documentation. + +## Service discovery + +Nomad schedules workloads of various types across a cluster of generic hosts. +Because of this, placement is not known in advance and you will need to use +service discovery to connect tasks to other services deployed across your cluster. +Nomad integrates with Consul to provide service discovery and monitoring. + +A [`service`] block can be added to your job spec, to enable service discovery. + +The service stanza instructs Nomad to register a service with Consul. + ## Plugin Options ((#plugin_options)) - `enabled` - (Optional) The `containerd` driver may be disabled on hosts by @@ -268,4 +361,9 @@ the external driver in the [plugin_dir][plugin_dir] directory. [plugin-options]: #plugin_options [host-network]: #host_network [`mount options`]: https://github.com/containerd/containerd/blob/9561d9389d3dd87ff6030bf1da4e705bbc024130/mount/mount_linux.go#L198-L222 +[Moby repository]: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json +[Docker's behavior]: https://docs.docker.com/config/containers/container-networking/#dns-services +[allowed syscalls]: https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390 +[`network`]: /docs/job-specification/network +[`service`]: /docs/job-specification/service [releases]: https://github.com/Roblox/nomad-driver-containerd/releases/
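Review bot: In the `@@ -113,6 +113,9 @@` hunk, the new `cwd` entry says "If the directory does not exist, one will be created for you" but does not say where (inside the container's root filesystem) or what happens when `readonly_rootfs = true` is also set, since the driver cannot create a directory on a read-only rootfs. Suggest stating the location explicitly and documenting the interaction, e.g. "The directory is created inside the container rootfs; with `readonly_rootfs = true` it must already exist in the image."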
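Review bot: In the `@@ -123,6 +126,27 @@` hunk, the `seccomp` entry omits its default value, unlike the sibling options (`privileged`, `host_dns`, `readonly_rootfs`) which all spell out `true` or `false` (default). Readers need to know whether a task runs with no seccomp filter at all when the key is absent, so suggest "`seccomp` - (Optional) `true` or `false` (default) Enable the default seccomp profile." For `host_dns`, it would also help to say what the container gets when `host_dns=false` (an empty or driver-generated `resolv.conf`), since the text only describes the `true` case.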
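Review bot: In the `@@ -234,6 +258,75 @@` hunk, the two new blocks under "Also, ensure your Linux operating system distribution..." are fenced as `hcl` but contain shell commands (`$ echo 1 > /proc/sys/net/bridge/...`) and a sysctl configuration file, not HCL; use `shell` for the first and `ini` or `text` for the second so the rendered page does not apply HCL highlighting to them. The sentence "add a file including the following to `/etc/sysctl.d/` or remove the file your Linux distribution puts in that directory" is also ambiguous: removing a distribution-provided sysctl file would drop those settings rather than enable them, so it should probably read "...or edit the file your distribution already places there." Minor: "nomad will allocate a dynamic port" should be capitalized as "Nomad" to match the rest of the page.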
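Review bot: In the `@@ -268,4 +361,9 @@` hunk, the new `[Moby repository]` and `[allowed syscalls]` references point at `master` (the latter with a `#L51-L390` line anchor), which will drift as soon as either file is edited upstream. The existing `[`mount options`]` reference on the line above pins a commit SHA for exactly this reason; suggest pinning both new links to a specific commit the same way.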