feat: add soci snapshotter extension

Adds the AWS SOCI containerd snapshotter, allowing for lazy pulls (similar to stargz)

Signed-off-by: Noel Georgi <[email protected]>

Author: zlangbert

.kres.yaml

@@ -53,6 +53,7 @@ spec:
     - qlogic-firmware
     - realtek-firmware
     - revpi-firmware
+    - soci-snapshotter
     - spin
     - stargz-snapshotter
     - tailscale

Makefile

@@ -110,6 +110,7 @@ TARGETS += qemu-guest-agent
 TARGETS += qlogic-firmware
 TARGETS += realtek-firmware
 TARGETS += revpi-firmware
+TARGETS += soci-snapshotter
 TARGETS += spin
 TARGETS += stargz-snapshotter
 TARGETS += tailscale

README.md

@@ -65,6 +65,7 @@ tiers based on support level:
 | [gvisor](container-runtime/gvisor) | :green_square: core | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | `20251103.0` |  This system extension provides gVisor using containerd's runtime handler. |
 | [gvisor-debug](container-runtime/gvisor-debug) | :yellow_square: extra | [ghcr.io/siderolabs/gvisor-debug](https://github.com/siderolabs/extensions/pkgs/container/gvisor-debug) | `v1.0.0` |  This system extension enables gVisor debug logging. |
 | [kata-containers](container-runtime/kata-containers) | :yellow_square: extra | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | `3.22.0` |  This system extension provides kata-container using containerd's runtime handler. |
+| [soci-snapshotter](container-runtime/soci-snapshotter) | :yellow_square: extra | [ghcr.io/siderolabs/soci-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/soci-snapshotter) | `v0.11.1` |  This system extension provides AWS SOCI Snapshotter using containerd's runtime handler. |
 | [spin](container-runtime/spin) | :yellow_square: extra | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin) | `v0.22.0` |  This system extension provides support for spin runtime (WebAssembly) containers. |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter) | :green_square: core | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | `v0.18.1` |  This system extension provides Stargz Snapshotter using containerd's runtime handler. |
 | [wasmedge](container-runtime/wasmedge) | :yellow_square: extra | [ghcr.io/siderolabs/wasmedge](https://github.com/siderolabs/extensions/pkgs/container/wasmedge) | `v0.6.0` |  This system extension provides support for WasmEdge runtime (WebAssembly) containers. |

container-runtime/soci-snapshotter/10-soci-snapshotter.part

@@ -0,0 +1,8 @@
+[proxy_plugins]
+  [proxy_plugins.soci]
+    type = "snapshot"
+    address = "/var/run/soci-snapshotter/soci-snapshotter-grpc.sock"
+
+[plugins."io.containerd.cri.v1.images"]
+  snapshotter = "soci"
+  disable_snapshot_annotations = false

container-runtime/soci-snapshotter/README.md

@@ -0,0 +1,16 @@
+# AWS SOCI Snapshotter extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Pulling from Privte Registries
+
+To pull from private registries an additional step is required. You must configure the Kubelet to use the SOCI snapshotter as an image service proxy. This is explained in more detail in the [SOCI docs](https://github.com/awslabs/soci-snapshotter/blob/main/docs/registry-authentication.md#kubernetes-cri-credentials). An example config patch:
+
+```yaml
+machine:
+  kubelet:
+    extraConfig:
+      imageServiceEndpoint: unix:///var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+```

container-runtime/soci-snapshotter/config.toml

@@ -0,0 +1,7 @@
+# SOCI Snapshotter configuration
+
+# Enable use of the SOCI snapshotter as a proxy ImageService so it can pull
+# images from private registries.
+[cri_keychain]
+enable_keychain = true
+image_service_path = "/var/run/containerd/containerd.sock"

container-runtime/soci-snapshotter/manifest.yaml.tmpl

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: soci-snapshotter
+  version: "{{ .VERSION }}"
+  author: Sidero Labs
+  description: |
+    [{{ .TIER }}] This system extension provides AWS SOCI Snapshotter using containerd's runtime handler.
+  compatibility:
+    talos:
+      version: ">= v1.8.0"

container-runtime/soci-snapshotter/pkg.yaml

@@ -0,0 +1,71 @@
+name: soci-snapshotter
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/awslabs/soci-snapshotter/archive/refs/tags/{{ .SOCI_SNAPSHOTTER_VERSION }}.tar.gz
+        destination: soci-snapshotter.tar.gz
+        sha256: {{ .SOCI_SNAPSHOTTER_SHA256 }}
+        sha512: {{ .SOCI_SNAPSHOTTER_SHA512 }}
+    env:
+      GOPATH: /tmp/go
+      VERSION: {{ .SOCI_SNAPSHOTTER_VERSION }}
+      REVISION: {{ .SOCI_SNAPSHOTTER_REV }}
+    cachePaths:
+      - /.cache/go-build
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        mkdir -p ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        tar -xzf soci-snapshotter.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter/cmd
+        go mod download
+  - network: none
+    build:
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        make soci-snapshotter-grpc
+        make soci
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/bin
+        mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter
+
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+        
+        cp ./out/soci-snapshotter-grpc /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+        chmod +x /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+
+        cp ./out/soci /rootfs/usr/local/lib/containers/soci-snapshotter/soci
+        chmod +x /rootfs/usr/local/lib/containers/soci-snapshotter/soci
+
+        mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc/ 
+        cp /pkg/config.toml /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc/config.toml
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/10-soci-snapshotter.part /rootfs/etc/cri/conf.d/10-soci-snapshotter.part
+
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/soci-snapshotter.yaml /rootfs/usr/local/etc/containers/
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/soci-snapshotter.spdx.json
+      version: {{ .SOCI_SNAPSHOTTER_VERSION }}
+      licenses:
+        - Apache-2.0
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

container-runtime/soci-snapshotter/soci-snapshotter.yaml

@@ -0,0 +1,33 @@
+name: soci-snapshotter
+depends:
+  - service: cri
+restart: always
+container:
+  entrypoint: ./soci-snapshotter-grpc
+  args:
+    - -log-level=debug
+    - -address=/var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+    - -root=/var/lib/containerd/io.containerd.snapshotter.v1.soci
+  security:
+    rootfsPropagation: shared
+  mounts:
+    - source: /var
+      destination: /var
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /run
+      destination: /run
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /etc/ssl/certs
+      destination: /etc/ssl/certs
+      type: bind
+      options:
+        - rbind
+        - ro

container-runtime/soci-snapshotter/vars.yaml

@@ -0,0 +1,2 @@
+VERSION: "{{ .SOCI_SNAPSHOTTER_VERSION }}"
+TIER: "extra"