Nydus-snapshotter - A containerd snapshotter with capability of on-demand read

Nydus Snapshotter

Nydus-snapshotter is a non-core sub-project of containerd.

Pulling and unpacking OCI container images is time-consuming when starting a container. Nydus is a vendor-neutral project that aims to mitigate this problem. It designs a new file system format, oriented toward and optimized for container images, with on-demand read capability. For instructions on how to build a nydus container image, please refer to the nydusify conversion tool.

Building

Just invoke make and find the output binary at ./bin/containerd-nydus-grpc.

make

Integrate Nydus-snapshotter into Containerd

Containerd provides a general mechanism for plugging in different types of snapshotters. Please ensure your containerd version is beyond 1.4.0. Add nydus as a proxy plugin in containerd's configuration file, which may be located at /etc/containerd/config.toml.

# The `address` field specifies through which socket snapshotter and containerd communicate.
[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

Restart your containerd service to make the change take effect. Assuming your node is systemd-based, restart the service as below:

systemctl restart containerd

Get Nydusd Binary

Find a suitable nydusd release on the nydus releases page.

nydusd-fusedev is a FUSE userspace daemon that handles Linux kernel FUSE requests from the /dev/fuse frontend. nydusd-virtiofs is a virtiofs daemon that handles guest kernel FUSE requests.

Configure Nydus

Nydus is configured by a JSON file, which is currently required because nydus container images are likely stored in a registry where auth has to be provided. Please follow the instructions to configure nydus so that it works properly in your environment. Because this file can hold registry credentials, restrict its permissions accordingly.

Start Nydus Snapshotter

Nydus-snapshotter is implemented as a proxy plugin (containerd-nydus-grpc) for containerd.

An example of starting nydus-snapshotter:

# `nydusd-path` is the path to nydusd binary
# `address` is the domain socket that you configured in containerd configuration file
#   (it must be the same path as `address` under [proxy_plugins.nydus])
# `root` is the root directory of nydus snapshotter
# `config-path` is the path to nydus configuration file
$ ./containerd-nydus-grpc \
    --config-path /etc/nydusd-config.json \
    --shared-daemon \
    --log-level info \
    --root /var/lib/containerd/io.containerd.snapshotter.v1.nydus \
    --cache-dir /var/lib/nydus/cache \
    --address /run/containerd-nydus/containerd-nydus-grpc.sock \
    --nydusd-path /usr/local/bin/nydusd \
    --nydusimg-path /usr/local/bin/nydus-image \
    --log-to-stdout

Validate Nydus-snapshotter Setup

Use containerd's ctr CLI to validate that nydus-snapshotter is set up successfully.

$ ctr -a /run/containerd/containerd.sock plugin ls
TYPE                            ID                       PLATFORMS      STATUS
io.containerd.snapshotter.v1    nydus                    -              ok

Quickly Start Container with Lazy Pulling

Start Container on Node

Containerd can start a container with a specified snapshotter, so existing tools like nerdctl or ctr need to specify the nydus snapshotter when starting a container. A CLI tool, ctr-remote, is provided alongside. Use nydus ctr-remote to pull a nydus image or start a container based on a nydus image.

$ sudo ctr-remote image rpull ghcr.io/dragonflyoss/image-service/nginx:nydus-latest
fetching sha256:75002dfe... application/vnd.oci.image.manifest.v1+json
fetching sha256:5a42e21c... application/vnd.oci.image.config.v1+json
fetching sha256:eb1af2e1... application/vnd.oci.image.layer.v1.tar+gzip

# Start container by `ctr`; the trailing argument is the container ID (an arbitrary name here)
$ sudo ctr-remote run --snapshotter nydus ghcr.io/dragonflyoss/image-service/nginx:nydus-latest nydus-nginx

# Start container by `nerdctl`
$ nerdctl --snapshotter nydus run ghcr.io/dragonflyoss/image-service/nginx:nydus-latest

Start Container in Kubernetes

NOTE: A potential drawback of using CRI is that we can hardly set the snapshotter to nydus-snapshotter per container. So we have to change containerd's default snapshotter in its configuration file as below:

[plugins."io.containerd.grpc.v1.cri".containerd]
   snapshotter = "nydus"

Use crictl to debug starting a container via Kubernetes CRI. Dry-run steps for using crictl can be found in the documents.

Community

Nydus aims to form a vendor-neutral open-source image distribution solution for all communities. Questions, bug reports, technical discussions, feature requests and contributions are always welcome!

Join our Slack workspace

Comments
  • Support cri image service proxy mode for getting registry auth

    Support cri based authentication like stargz-snapshotter (https://github.com/containerd/stargz-snapshotter/blob/main/docs/overview.md#cri-based-authentication). The proxy service uses the implementation by stargz directly.

    Fixes: #47

    Signed-off-by: Li Yuxuan [email protected]

  • Add helper functions for containerd image conversion

    Add some functions which are helpful for using the Convert function in the containerd client library to convert OCI images to Nydus images.

    For example, we can use these functions to support nerdctl to convert Nydus images.

    Signed-off-by: Nan Li [email protected]

  • remove scheme field in nydusd config

    We have implemented automatic scheme detection for nydusd in this PR:

    https://github.com/dragonflyoss/image-service/pull/893#merged-event

    So we can remove the default scheme field in nydusd config file.

  • converter: support ref image build

    It allows nydus to lazily load OCI targz layers with the nydus zran ref image.

    Related nydus components implementation: https://github.com/dragonflyoss/image-service/pull/858

  • automatically fill registry http scheme for daemon config

    We'd better fill the "scheme": "https" field as default in the daemon config, but we can still fall back to "scheme": "http" by pre-checking the registry server.

  • Fix the annotation error of the converted bootstrap layer

    This PR fixes the fs-version annotation error of the converted Nydus bootstrap layer.

    By now, the "containerd.io/snapshot/nydus-fs-version" annotation of the converted bootstrap layer is always 5, which is the default value. The reason for this error is that the value of MergeOption.FsVersion is not assigned correctly in the convertManifest function of convert_unix.go when calling the MergeLayers function, and MergeLayers always uses the empty string as the value of MergeOption.FsVersion.

    Signed-off-by: Nan Li [email protected]

  • start nydus by toml config

    Use the toml file to configure the startup parameters of nydus-snapshotter.

    Relates to https://github.com/containerd/nydus-snapshotter/pull/178

    Signed-off-by: raoxiang [email protected]

  • metrics: collect the metrics of nydusd events

    Collect the metrics of nydus daemon events, including INIT, RUNNING and DIED.

    Result:

    curl -s --unix-socket /var/lib/containerd-nydus/api.sock http://unix/metrics | grep "lifetime_event"
    
    # HELP nydusd_lifetime_event_times nydusd lifetime event times.
    # TYPE nydusd_lifetime_event_times counter
    nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="DIED",time="2022-11-25 17:55:45.051"} 1
    nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="INIT",time="2022-11-25 18:05:28.848"} 1
    nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="READY",time="2022-11-25 18:05:28.849"} 1
    nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="RUNNING",time="2022-11-25 17:55:11.463"} 1
    nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="RUNNING",time="2022-11-25 17:55:26.676"} 1
    nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="RUNNING",time="2022-11-25 17:55:26.704"} 1
    nydusd_lifetime_event_times{daemon_id="ce0920c58hm43as257lg",event="DIED",time="2022-11-25 17:55:48.402"} 1
    nydusd_lifetime_event_times{daemon_id="ce0920c58hm43as257lg",event="RUNNING",time="2022-11-25 17:55:14.121"} 1
    nydusd_lifetime_event_times{daemon_id="ce0920c58hm43as257lg",event="RUNNING",time="2022-11-25 17:55:14.322"} 1
    nydusd_lifetime_event_times{daemon_id="ce0921s58hm43as257m0",event="DIED",time="2022-11-25 17:55:51.832"} 1
    nydusd_lifetime_event_times{daemon_id="ce0921s58hm43as257m0",event="RUNNING",time="2022-11-25 17:55:20.141"} 1
    nydusd_lifetime_event_times{daemon_id="ce0921s58hm43as257m0",event="RUNNING",time="2022-11-25 17:55:20.159"} 1
    

    Signed-off-by: Bin Tang [email protected]
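The lifetime events exposed above can drive a liveness check: a daemon whose newest event is DIED has not been restarted since. The following Go program is an added example, not code from nydus-snapshotter or from the commit author; `LatestEvents` and `DeadDaemons` are hypothetical names, the label order is assumed to match the quoted output, and the sample input is a subset of the lines quoted in the comment.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleMetrics is a subset of the /metrics lines quoted in the comment above.
const sampleMetrics = `# TYPE nydusd_lifetime_event_times counter
nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="DIED",time="2022-11-25 17:55:45.051"} 1
nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="INIT",time="2022-11-25 18:05:28.848"} 1
nydusd_lifetime_event_times{daemon_id="cdvh2ds58hm9ebu61990",event="READY",time="2022-11-25 18:05:28.849"} 1
nydusd_lifetime_event_times{daemon_id="ce0920c58hm43as257lg",event="DIED",time="2022-11-25 17:55:48.402"} 1
nydusd_lifetime_event_times{daemon_id="ce0920c58hm43as257lg",event="RUNNING",time="2022-11-25 17:55:14.322"} 1
nydusd_lifetime_event_times{daemon_id="ce0921s58hm43as257m0",event="DIED",time="2022-11-25 17:55:51.832"} 1
`

// Assumption: labels appear in the order daemon_id, event, time, as in the quoted output.
var eventLine = regexp.MustCompile(`^nydusd_lifetime_event_times\{daemon_id="([^"]+)",event="([^"]+)",time="([^"]+)"\} \S+$`)

// Event is one lifetime event of a nydusd instance.
type Event struct {
	Name string
	At   time.Time
}

// LatestEvents returns, per daemon_id, the lifetime event with the newest timestamp.
func LatestEvents(metrics string) (map[string]Event, error) {
	latest := map[string]Event{}
	sc := bufio.NewScanner(strings.NewReader(metrics))
	for sc.Scan() {
		m := eventLine.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue // comments, blank lines and other metric families
		}
		at, err := time.Parse("2006-01-02 15:04:05.000", m[3])
		if err != nil {
			return nil, fmt.Errorf("daemon %s: bad time label: %w", m[1], err)
		}
		if cur, seen := latest[m[1]]; !seen || at.After(cur.At) {
			latest[m[1]] = Event{Name: m[2], At: at}
		}
	}
	return latest, sc.Err()
}

// DeadDaemons lists daemons whose newest event is DIED, i.e. not restarted since.
func DeadDaemons(metrics string) ([]string, error) {
	latest, err := LatestEvents(metrics)
	var dead []string
	for id, ev := range latest {
		if ev.Name == "DIED" {
			dead = append(dead, id)
		}
	}
	sort.Strings(dead)
	return dead, err
}

func main() {
	fmt.Println(DeadDaemons(sampleMetrics))
}
```

The first daemon is not reported because its DIED event is followed by later INIT and READY events.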

  • The blobs annotation in manifest should be deprecated

    Currently, nydus image puts an annotation on the manifest to track all referenced blobs in bootstrap: nydus

    This will cause the label kv size limitation to be exceeded in containerd when acceld/buildkit writes a nydus manifest that includes a large number of blobs into the content store: containerd

    I noticed that the blobs annotation is only used for blob cache gc in nydus-snapshotter: nydus-snapshotter

    A feasible workaround is to use nydusd sock API to get the blobs in use, instead of using the list in manifest annotation, so we can remove the annotation from acceld/buildkit.

  • System http server

    Add a system controller which runs a HTTP server as a user interface to interact with nydus-snapshotter. With the system controller, we can fetch all managed nydusds's working state and control nydusd workflows.

    Nydus-snapshotter might manage dozens of running nydus daemons, each daemon may have multiple file system instances attached. For easy maintenance, the system controller can interact with all the daemons in a consistent and automatic way.

  • Fix some bugs in image conversion

    This patch fixes some bugs in image conversion using LayerConvertFunc and ConvertHookFunc.

    1. append nydus.remoteimage.v1 to os.features of the manifest descriptor in the index
    2. add "containerd.io/snapshot/nydus-blob": "true" to the annotations of the blob layer descriptor in the manifest
    3. avoid appending duplicate bootstrap layer digest to the diffID list of the config

    This patch also adds a smoke test TestContainerdImageConvert to make sure LayerConvertFunc and ConvertHookFunc work well with the containerd image conversion library.

    Signed-off-by: Nan Li [email protected]

  • Kubelet log has error when use default root dir

    The log (combined containerd and kubelet):

    Dec 12 11:34:51 kind-control-plane containerd[2874]: time="2022-12-12T11:34:51.360081705Z" level=debug msg=ImageFsInfo
    Dec 12 11:34:51 kind-control-plane containerd[2874]: time="2022-12-12T11:34:51.360168006Z" level=debug msg="ImageFsInfo returns filesystem info [&FilesystemUsage{Timestamp:1670844891360135406,FsId:&FilesystemIdentifier{Mountpoint:/var/lib/containerd/io.containerd.snapshotter.v1.nydus,},UsedBytes:&UInt64Value{Value:0,},InodesUsed:&UInt64Value{Value:0,},}]"
    Dec 12 11:34:51 kind-control-plane kubelet[601]: E1212 11:34:51.360778 601 cri_stats_provider.go:455] "Failed to get the info of the filesystem with mountpoint" err="failed to get device for dir "/var/lib/containerd/io.containerd.snapshotter.v1.nydus": stat failed on /var/lib/containerd/io.containerd.snapshotter.v1.nydus with error: no such file or directory" mountpoint="/var/lib/containerd/io.containerd.snapshotter.v1.nydus"

    Containerd returns a fixed-format directory for snapshotters:

    func imageFSPath(rootDir, snapshotter string) string {
    	return filepath.Join(rootDir, fmt.Sprintf("%s.%s", plugin.SnapshotPlugin, snapshotter))
    }
    
  • proposal: support targz-ref conversion and runtime

    Converter

    Related PR for nydus-image builder: https://github.com/dragonflyoss/image-service/pull/858
    Related PR for nydus snapshotter: https://github.com/containerd/nydus-snapshotter/pull/245
    Related branch for acceld conversion tool: https://github.com/imeoer/acceleration-service/tree/nydus-support-ref

    To implement pulling tar.gz lazily, the converter workflow will be:

    1. Create the nydus blob layer (application/vnd.oci.image.layer.nydus.blob.v1) with the tar-like format:
       • image.blob.meta: nydus blob meta
       • image.boot: nydus bootstrap

       | <image.blob.meta> | <image.blob.meta> header | <image.boot> | <image.boot> header |

    2. Merge all <image.boot> into a final bootstrap (application/vnd.oci.image.layer.v1.tar+gzip).
    3. Acceld/Nydusify support converting all nydus blob layers and the bootstrap layer into an OCI artifact manifest like:
    {
      "mediaType": "application/vnd.oci.artifact.manifest.v1+json",
      "artifactType": "application/vnd.nydus.ref.v1",
      "blobs": [
        {
          "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
          "size": 123,
          "digest": "sha256:87923725d74f4bfb94c9e86d64170f7521aad8221a5de834851470ca142da630",
          "annotations": {
            "containerd.io/snapshot/nydus-blob": "true"
          }
        },
        {
          "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
          "size": 456,
          "digest": "sha256:87923725d74f4bfb94c9e86d64170f7521aad8221a5de834851470ca142da630",
          "annotations": {
            "containerd.io/snapshot/nydus-blob": "true"
          }
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:aec98c9e3dce739877b8f5fe1cddd339de1db2b36c20995d76f6265056dbdb08",
          "size": 789,
          "annotations": {
            "containerd.io/snapshot/nydus-bootstrap": "true"
          }
        }
      ],
      "subject": {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "size": 123,
        "digest": "sha256:cc06a2839488b8bd2a2b99dcdc03d5cfd818eed72ad08ef3cc197aac64c0d0a0"
      },
      "annotations": {
        "containerd.io/snapshot/nydus-fs-version": "6"
      }
    }
    
    • The subject field references the original OCI image, https://github.com/opencontainers/image-spec/blob/main/artifact.md.
    • Perhaps the legacy registry does not support OCI artifacts; we need to make it work by using a compatible image manifest format like:
    {
      "schemaVersion": 2,
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:e8366802635d22a771339e18ef406d117b5ee5fa86b2373bd99d188c3cba5c5a",
        "size": 16297
      },
      "layers": [
        {
          "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
          "digest": "sha256:0269b9edd97b7088428e7913fd635ffa6fda08af373a6aa86edc9f181572c8d7",
          "size": 3179520,
          "annotations": {
            "containerd.io/snapshot/nydus-blob": "true",
            "containerd.io/snapshot/nydus-ref": "true"
          }
        },
        {
          "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
          "digest": "sha256:748cba355624ad8d5ebed6e47af9bd88bf64061e326e0c5fc7f43ddcf4ccb49d",
          "size": 29696,
          "annotations": {
            "containerd.io/snapshot/nydus-blob": "true",
            "containerd.io/snapshot/nydus-ref": "true"
          }
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:787addb807451fbad912aac460e37edf204c2364b81ece348b4a65f6a1cbed02",
          "size": 1121814,
          "annotations": {
            "containerd.io/snapshot/nydus-bootstrap": "true",
            "containerd.io/snapshot/nydus-fs-version": "6",
            "containerd.io/snapshot/nydus-ref": "true"
          }
        }
      ]
    }
    

    Runtime

    1. Range fetch <image.blob.meta> data from the remote registry layer by layer and then write to the blob cache directory.
    2. Pull the final bootstrap data (in tar.gz format) and unpack it to the snapshot directory.
    3. Boot nydusd and mount the final bootstrap.
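A runtime that pulls lazily decides which layer to mount and which to range-fetch purely from the annotations in the compatible image manifest shown in the proposal, so it is worth checking them before use. The following Go program is an added example, not code from nydus-snapshotter or from the proposal's author; `CheckNydusManifest` and `SampleManifest` are hypothetical names, the sample manifest is constructed, and the rules (exactly one bootstrap layer, every other layer an annotated nydus blob, fs-version 5 or 6, well-formed sha256 digests) are inferred from the manifests on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

const (
	blobMediaType = "application/vnd.oci.image.layer.nydus.blob.v1"
	annoBlob      = "containerd.io/snapshot/nydus-blob"
	annoBootstrap = "containerd.io/snapshot/nydus-bootstrap"
	annoFsVersion = "containerd.io/snapshot/nydus-fs-version"
)

var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}

// CheckNydusManifest (hypothetical helper) checks a compatible-format image
// manifest and returns the digest of its single bootstrap layer.
func CheckNydusManifest(raw []byte) (string, error) {
	var m struct {
		Layers []descriptor `json:"layers"`
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", fmt.Errorf("decode manifest: %w", err)
	}
	bootstrap, fsVersion := "", ""
	for i, l := range m.Layers {
		switch {
		case !sha256Digest.MatchString(l.Digest):
			return "", fmt.Errorf("layer %d: malformed digest %q", i, l.Digest)
		case l.Annotations[annoBootstrap] == "true" && bootstrap != "":
			return "", fmt.Errorf("layer %d: more than one bootstrap layer", i)
		case l.Annotations[annoBootstrap] == "true":
			bootstrap, fsVersion = l.Digest, l.Annotations[annoFsVersion]
		case l.MediaType != blobMediaType || l.Annotations[annoBlob] != "true":
			return "", fmt.Errorf("layer %d: neither nydus blob nor bootstrap", i)
		}
	}
	if bootstrap == "" || (fsVersion != "5" && fsVersion != "6") {
		return "", fmt.Errorf("bootstrap %q with nydus-fs-version %q rejected", bootstrap, fsVersion)
	}
	return bootstrap, nil
}

// SampleManifest builds a constructed manifest; extra is appended to "layers" verbatim.
func SampleManifest(extra string) []byte {
	d := func(c string) string { return "sha256:" + strings.Repeat(c, 64) }
	return []byte(fmt.Sprintf(`{"layers":[{"mediaType":%q,"digest":%q,"annotations":{%q:"true"}},`+
		`{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":%q,`+
		`"annotations":{%q:"true",%q:"6"}}%s]}`,
		blobMediaType, d("a"), annoBlob, d("b"), annoBootstrap, annoFsVersion, extra))
}

func main() {
	fmt.Println(CheckNydusManifest(SampleManifest("")))
}
```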