diff --git a/docs/design/kata-guest-image-management-design.md b/docs/design/kata-guest-image-management-design.md
index 164698f2b7..160cf53215 100644
--- a/docs/design/kata-guest-image-management-design.md
+++ b/docs/design/kata-guest-image-management-design.md
@@ -113,6 +113,13 @@ Next, the kata-agent's RPC module will handle the create container request which
 > **Notes:**
 > In this flow, `ImageService.pull_image()` parses the image metadata, looking for either the `io.kubernetes.cri.container-type: sandbox` or `io.kubernetes.cri-o.ContainerType: sandbox` (CRI-IO case) annotation, then it never calls the `image-rs.pull_image()` because the pause image is expected to already be inside the guest's filesystem, so instead `ImageService.unpack_pause_image()` is called.
 
+## Using guest image pull with `nerdctl`
+
+When running a workload, add the `--label io.kubernetes.cri.image-name=` option e.g.:
+```sh
+nerdctl run --runtime io.containerd.kata.v2 --snapshotter nydus --label io.kubernetes.cri.image-name=docker.io/library/busybox:latest --rm docker.io/library/busybox:latest uname -r
+```
+
 References:
 [1] [[RFC] Image management proposal for hosting sharing and peer pods](https://github.com/confidential-containers/confidential-containers/issues/137)
 [2] https://github.com/containerd/containerd/blob/main/docs/content-flow.md
diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
index 9d4c59cf7a..b56c3d7e0d 100644
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -1613,13 +1613,25 @@ func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.Kata
 if containerType == string(PodSandbox) {
 image_ref = "pause"
 } else {
+ const kubernetesCRIImageName = "io.kubernetes.cri.image-name"
+ const kubernetesCRIOImageName = "io.kubernetes.cri-o.ImageName"
+
 switch criContainerType {
 case ctrAnnotations.ContainerType:
- image_ref = container_annotations["io.kubernetes.cri.image-name"]
+ image_ref = container_annotations[kubernetesCRIImageName]
 case podmanAnnotations.ContainerType:
- image_ref = container_annotations["io.kubernetes.cri-o.ImageName"]
+ image_ref = container_annotations[kubernetesCRIOImageName]
 default:
- image_ref = ""
+ // There are cases, like when using nerdctl, where the criContainerType
+ // will never be set, leading to this code path.
+ //
+ // nerdctl also doesn't set any mechanism for automatically setting the
+ // image, but as part of it's v2.0.0 release it allows the user to set
+ // any kind of OCI annotation, which we can take advantage of and use.
+ //
+ // With this in mind, let's "fallback" to the default k8s cri image-name
+ // annotation, as documented on our image-pull documentation.
+ image_ref = container_annotations[kubernetesCRIImageName]
 }
 
 if image_ref == "" {
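Review bot: The new `default` arm applies the `io.kubernetes.cri.image-name` fallback to every unrecognized `criContainerType`, not only to the unset one the comment describes; a runtime that sets some other non-empty container-type value would now silently have its image reference taken from a k8s annotation instead of reaching the `image_ref == ""` check below. Scoping the fallback to the documented case keeps the earlier behaviour for everything else: `case "":` / `image_ref = container_annotations[kubernetesCRIImageName]` / `default: image_ref = ""`, with the nerdctl comment moved onto the `case ""` arm (a debug log naming the unexpected type in `default` would also make this failure diagnosable). The two new consts are declared inside the `else` body; if `ctrAnnotations` is containerd's cri annotations package it already exports the same key as `ImageName`, and otherwise these belong with the file's other package-level constants rather than in a function body. In the comment, `it's v2.0.0 release` should read `its`. handleImageGuestPullBlockVolume starts before and continues past this hunk.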