Merge pull request #10132 from fidencio/topic/support-image-pull-with-nerdctl

runtime: image-pull: Make it work with nerdctl
2025-09-13 21:09:31 +00:00 · 2024-08-06 15:33:40 -06:00
parent 63802ecdd9 f33f2d09f7
commit fb166956ab
2 changed files with 22 additions and 3 deletions
--- a/docs/design/kata-guest-image-management-design.md
+++ b/docs/design/kata-guest-image-management-design.md
@@ -113,6 +113,13 @@ Next, the kata-agent's RPC module will handle the create container request which
 > **Notes:**
 > In this flow, `ImageService.pull_image()` parses the image metadata, looking for either the `io.kubernetes.cri.container-type: sandbox` or `io.kubernetes.cri-o.ContainerType: sandbox` (CRI-IO case) annotation, then it never calls the `image-rs.pull_image()` because the pause image is expected to already be inside the guest's filesystem, so instead `ImageService.unpack_pause_image()` is called.

+## Using guest image pull with `nerdctl`
+
+When running a workload, add the `--label io.kubernetes.cri.image-name=<image>` option e.g.:
+```sh
+nerdctl run --runtime io.containerd.kata.v2 --snapshotter nydus --label io.kubernetes.cri.image-name=docker.io/library/busybox:latest --rm docker.io/library/busybox:latest uname -r
+```
+
 References:
 [1] [[RFC] Image management proposal for hosting sharing and peer pods](https://github.com/confidential-containers/confidential-containers/issues/137)
 [2] https://github.com/containerd/containerd/blob/main/docs/content-flow.md
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -1613,13 +1613,25 @@ func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.Kata
 	if containerType == string(PodSandbox) {
 		image_ref = "pause"
 	} else {
+		const kubernetesCRIImageName = "io.kubernetes.cri.image-name"
+		const kubernetesCRIOImageName = "io.kubernetes.cri-o.ImageName"
+
 		switch criContainerType {
 		case ctrAnnotations.ContainerType:
-			image_ref = container_annotations["io.kubernetes.cri.image-name"]
+			image_ref = container_annotations[kubernetesCRIImageName]
 		case podmanAnnotations.ContainerType:
-			image_ref = container_annotations["io.kubernetes.cri-o.ImageName"]
+			image_ref = container_annotations[kubernetesCRIOImageName]
 		default:
-			image_ref = ""
+			// There are cases, like when using nerdctl, where the criContainerType
+			// will never be set, leading to this code path.
+			//
+			// nerdctl also doesn't set any mechanism for automatically setting the
+			// image, but as part of it's v2.0.0 release it allows the user to set
+			// any kind of OCI annotation, which we can take advantage of and use.
+			//
+			// With this in mind, let's "fallback" to the default k8s cri image-name
+			// annotation, as documented on our image-pull documentation.
+			image_ref = container_annotations[kubernetesCRIImageName]
 		}

 		if image_ref == "" {