github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-14 05:19:21 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #10132 from fidencio/topic/support-image-pull-with-nerdctl

Browse Source 
runtime: image-pull: Make it work with nerdctl
This commit is contained in:
GabyCT
2024-08-06 15:33:40 -06:00
committed by GitHub
parent 63802ecdd9 f33f2d09f7
commit fb166956ab
2 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/design/kata-guest-image-management-design.md
View File

@@ -113,6 +113,13 @@ Next, the kata-agent's RPC module will handle the create container request which
> **Notes:** > **Notes:**
> In this flow, `ImageService.pull_image()` parses the image metadata, looking for either the `io.kubernetes.cri.container-type: sandbox` or `io.kubernetes.cri-o.ContainerType: sandbox` (CRI-IO case) annotation, then it never calls the `image-rs.pull_image()` because the pause image is expected to already be inside the guest's filesystem, so instead `ImageService.unpack_pause_image()` is called. > In this flow, `ImageService.pull_image()` parses the image metadata, looking for either the `io.kubernetes.cri.container-type: sandbox` or `io.kubernetes.cri-o.ContainerType: sandbox` (CRI-IO case) annotation, then it never calls the `image-rs.pull_image()` because the pause image is expected to already be inside the guest's filesystem, so instead `ImageService.unpack_pause_image()` is called.
## Using guest image pull with `nerdctl`
When running a workload, add the `--label io.kubernetes.cri.image-name=<image>` option e.g.:
```sh
nerdctl run --runtime io.containerd.kata.v2 --snapshotter nydus --label io.kubernetes.cri.image-name=docker.io/library/busybox:latest --rm docker.io/library/busybox:latest uname -r
```
References: References:
[1] [[RFC] Image management proposal for hosting sharing and peer pods](https://github.com/confidential-containers/confidential-containers/issues/137) [1] [[RFC] Image management proposal for hosting sharing and peer pods](https://github.com/confidential-containers/confidential-containers/issues/137)
[2] https://github.com/containerd/containerd/blob/main/docs/content-flow.md [2] https://github.com/containerd/containerd/blob/main/docs/content-flow.md

18
src/runtime/virtcontainers/kata_agent.go
View File

@@ -1613,13 +1613,25 @@ func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.Kata
if containerType == string(PodSandbox) { if containerType == string(PodSandbox) {
image_ref = "pause" image_ref = "pause"
} else { } else {
const kubernetesCRIImageName = "io.kubernetes.cri.image-name"
const kubernetesCRIOImageName = "io.kubernetes.cri-o.ImageName"
switch criContainerType { switch criContainerType {
case ctrAnnotations.ContainerType: case ctrAnnotations.ContainerType:
image_ref = container_annotations["io.kubernetes.cri.image-name"] image_ref = container_annotations[kubernetesCRIImageName]
case podmanAnnotations.ContainerType: case podmanAnnotations.ContainerType:
image_ref = container_annotations["io.kubernetes.cri-o.ImageName"] image_ref = container_annotations[kubernetesCRIOImageName]
default: default:
image_ref = "" // There are cases, like when using nerdctl, where the criContainerType
// will never be set, leading to this code path.
//
// nerdctl also doesn't set any mechanism for automatically setting the
// image, but as part of it's v2.0.0 release it allows the user to set
// any kind of OCI annotation, which we can take advantage of and use.
//
// With this in mind, let's "fallback" to the default k8s cri image-name
// annotation, as documented on our image-pull documentation.
image_ref = container_annotations[kubernetesCRIImageName]
} }
if image_ref == "" { if image_ref == "" {