-
Notifications
You must be signed in to change notification settings - Fork 259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Import base layer images #1688
Import base layer images #1688
Conversation
If a project creates a base layer image and wants to directly import the base then this ensure the baseline file are in place. It is a follow up to microsoft#1637 and enables containerd with ctr image import image.tar of a base layer. Signed-off-by: James Sturtevant <[email protected]>
If I understand correctly, this is to make arbitrary tarballs importable as base layers? My initial question is: does this introduce any risks or issues if multiple imports of the same tarball actually end up with different (meta)data inside If support for this feature is desired, we might need a stronger Also, I can't think of any issue this can cause, but this does mean that the Edit: Looking at the context, I realise this is for WASI container images, which can't be expected to have Windows-specific stuff in their base layer. So definitely an important use-case, and given existing HCS layer-mounting requirements, I can't see any better approach than running something like Edit again: Actually, perhaps WASI images can't be cross-platform like I thought in my earlier edit, since AFAIR the WCOW layer format includes the top-level Gah, I'm too far from this stuff these days, my recollections aren't reliable and I don't have time to check the code right now. So I know at least one of the above two paragraphs is incorrect. ^_^ |
I skipped adding tests in hcsshim, as this is heavily used in containerd, and we run the containerd integration tests as part of the hcsshim CI pipeline. Sadly, the containerd branch using this is not yet merged.
To be honest, I can't think of any negative implications of being able to import and mount any arbitrary layer. They won't actually be usable to start a container on Windows, but they will be mountable at least. I see no harm in this tbh, but I am hardly an authority on this 😄 |
I considered a different snapshotter as well but this would be quite a bit of additional overhead. Maybe longer term it could be the right approach (and now that @gabriel-samfira has enabled Bind Filters in Windows we might be able to use the native snapshoter with some minor tweaks? I only look briefly and this is a bit out of my comfort zone)
The other use case for this is HostProcess Containers for images like https://github.com/microsoft/windows-host-process-containers-base-image. I user could generate an image for this locally, import it and then run it.
With this change the image generated at https://github.com/containerd/runwasi/blob/main/crates/wasi-demo-app/build.rs doesn't require any changes to run on windows (since this adds those meta data files). It does add some additional files that won't be used (like the vhd files). so the image is technically cross platform if you squint. Again maybe using a custom snapshotter would make sense longer term but this also opens the possibility to do this with HPC.
I am not sure I understand all of this, but could try putting it during the cleanup? It needs to be called before ImportLayer or it errors because those files are not present. |
|
This is actually great. We can finally have |
For peace of mind, you could try out the snapshotter tests in containerd/containerd#8043. Just sh.exe -c "EXTRA_TESTFLAGS=-test.run=TestSnapshotterClient make integration" |
This is semi-related: opencontainers/runtime-spec#1185 |
Yeah, I'm thinking maybe put it before hcsshim/internal/wclayer/baselayerwriter.go Line 161 in 4e0656f
ensureBaseLayer .
|
I'm surprised that image works; it's basically the same as the earlier version of the "base layer creation" PR (i.e. before real hive creation was added, when ensureHive was just Anyway, I'm somewhat curious, is "tar up a filesystem and |
I am getting an error even when not using my PR.
Haven't dug into it, might be related to my dev env. |
The image https://github.com/microsoft/windows-host-process-containers-base-image isn't in an oci format, but it probably should be. As for the common, making your own super small compact image for HPC should be something that could be enabled. As an example, provide an oci formatted tar package that has only your binary you want and I would expect directly importing to work. |
Skimming https://github.com/microsoft/windows-host-process-containers-base-image/blob/main/New-HostProcessBaseImage.ps1, that does appear to be creating a Docker-formatted image tarball (i.e. with
Yeah, I think I had a faulty assumption earlier, I thought this was for handling arbitrary tarballs (just a raw rootfs), not an OCI or Docker image tarball with a handrolled rootfs tarball (contrasting with a rootfs tarball prepared by, e.g. The use case I understand we're talking about now is similar to #750, although since that'd be solve in this repo, it'd be able to use I think the rest of my concerns (about being able to repeatedly import a given tarball and produce a 100% identical result including file-creation/modification metadata and ensuring this is a no-op when the root tarball does contain all of the necessary files) are applicable though. Contrasting this to the existing approach (including those files in the exported base layer), this approach provides simpler base-layer hand-assembly, including not relying on access to empty hive templates or a hive-creation library. (Modulo that zero-byte hives failed to be processed last time I tested it, but perhaps that's changed again, since However, base layers created without the required hives will only be importable with hcsshim-using systems that have taken a version of hcsshim after this pull is completed, or they'll get failures referencing Hence, I'd be concerned to start seeing such images pushed with the So, I wouldn't use this feature to implement |
Are you saying it would be preferable to generate the empty hive files like the HPC example does vs generating them on import? This won't work since there are checks to make sure those paths exist, which the don't even with the dummy files. I think the HPC is a good example of a use case that could be updated to be a valid OCI tar format with a tool like https://github.com/containerd/runwasi/tree/main/crates/oci-tar-builder and should be importable without having to use hcsshim to create base layers. Or is there another way to something similiar (point at a folder with an executable and generate a base image that can be shared via tarball)? I will have to dig deeper on your concerns about the reproducibility of imports. |
I don't understand what you mean by not working here. If the dummy files exist, then a check for them by path should pass. Maybe there's some confusion on my part; I have assumed the HPC base image generated by that repo is importable into containerd today, as importing of layers hasn't been changed by the work I've been involved with. But I haven't tried it myself, so if it's failing, knowing that (and how it fails) would be informative. But yeah, my general preference is to produce base layers in the existing format, and avoid actions in the import process that produce a The
What's invalid about the HPC base-image's format now? It's in Docker format, rather than OCI format, but it looked valid as a base layer from reading the script that produces it. (I didn't run it up side-by-side with the Docker image manifest spec though.)
I don't think there's any complete pipeline that can do that, apart from the containerd snapshotter integration tests, which (once the PR lands) will be using the existing Now that hcsshim-side stuff has landed, I was considering putting a script together (like the HPC repo) using the |
nothing was invalid but it wasn't importing. I figured out why though, it doesn't have an annotations so the image wasn't identified. If I run |
I get the following when I put dummy files in the oci image. Now that I've figured out why the HPC image wasn't loading this does seem to work for HPC so I'm looking deeper into why its not working for me.
I initially though by writing these files we could solve this problem but I see your concerns about the datetimes. If I can sort out the error above by passing blank files I think that can work for my use case, otherwise I guess I will need to mimic the wclayer calls in rust. |
Are you building the tarball in code? My best guess for your error is that entries for each directory in the chain |
For reference, the bare-minimum base-layer tarball looks like this:
That's created with
I say "bare mimimum", but those are real (emtpy) hives. I tried with empty files, and it worked, but in the past mounting has failed so this might vary by OS build. This is an empty-file equivalent to
producing
|
This was it. I was generating the file via code and the tar file didn't have the appropriate header files for the directories (TIL Thanks for helping me work through the issue. I will close this for now given the fact that this doesn't reproduce repeatable images as you pointed out. |
If a project creates a base layer image and wants to directly import the base then this ensure the baseline file are in place. It is a follow up to #1637 and enables containerd with
ctr image import image.tar
of a base layer.@gabriel-samfira @helsaawy @TBBle
I didn't find any tests that I could run but I am happy to add something if I get a pointer in the right direction.