feat: add soci snapshotter extension

zlangbert · zlangbert · commit 94a64b023cd8 · 2025-11-06T11:04:53.000-05:00
Adds the AWS SOCI containerd snapshotter, allowing for lazy pulls (similar to stargz)
diff --git a/container-runtime/soci-snapshotter/10-soci-snapshotter.part b/container-runtime/soci-snapshotter/10-soci-snapshotter.part
@@ -0,0 +1,8 @@
+[proxy_plugins]
+  [proxy_plugins.soci]
+    type = "snapshot"
+    address = "/var/run/soci-snapshotter/soci-snapshotter-grpc.sock"
+
+[plugins."io.containerd.cri.v1.images"]
+  snapshotter = "soci"
+  disable_snapshot_annotations = false
diff --git a/container-runtime/soci-snapshotter/README.md b/container-runtime/soci-snapshotter/README.md
@@ -0,0 +1,16 @@
+# AWS SOCI Snapshotter extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Pulling from Privte Registries
+
+To pull from private registries an additional step is required. You must configure the Kubelet to use the SOCI snapshotter as an image service proxy. This is explained in more detail in the [SOCI docs](https://github.com/awslabs/soci-snapshotter/blob/main/docs/registry-authentication.md#kubernetes-cri-credentials). An example config patch:
+
+```yaml
+machine:
+  kubelet:
+    extraConfig:
+      imageServiceEndpoint: unix:///var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+```
diff --git a/container-runtime/soci-snapshotter/config.toml b/container-runtime/soci-snapshotter/config.toml
@@ -0,0 +1,7 @@
+# SOCI Snapshotter configuration
+
+# Enable use of the SOCI snapshotter as a proxy ImageService so it can pull
+# images from private registries.
+[cri_keychain]
+enable_keychain = true
+image_service_path = "/var/run/containerd/containerd.sock"
diff --git a/container-runtime/soci-snapshotter/manifest.yaml.tmpl b/container-runtime/soci-snapshotter/manifest.yaml.tmpl
@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: soci-snapshotter
+  version: "{{ .VERSION }}"
+  author: Sidero Labs
+  description: |
+    [{{ .TIER }}] This system extension provides AWS SOCI Snapshotter using containerd's runtime handler.
+  compatibility:
+    talos:
+      version: ">= v1.8.0"
diff --git a/container-runtime/soci-snapshotter/pkg.yaml b/container-runtime/soci-snapshotter/pkg.yaml
@@ -0,0 +1,69 @@
+name: soci-snapshotter
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/awslabs/soci-snapshotter/archive/refs/tags/{{ .SOCI_SNAPSHOTTER_VERSION }}.tar.gz
+        destination: soci-snapshotter.tar.gz
+        sha256: {{ .SOCI_SNAPSHOTTER_SHA256 }}
+        sha512: {{ .SOCI_SNAPSHOTTER_SHA512 }}
+    env:
+      GOPATH: /tmp/go
+    cachePaths:
+      - /.cache/go-build
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        mkdir -p ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        tar -xzf soci-snapshotter.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter/cmd
+        go mod download
+  - network: none
+    build:
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        make soci-snapshotter-grpc
+        make soci
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/bin
+        mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter
+
+        cd ${GOPATH}/src/github.com/containerd/soci-snapshotter
+
+        cp ./out/soci-snapshotter-grpc /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+        chmod +x rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+
+        cp ./out/soci /rootfs/usr/local/lib/containers/soci-snapshotter/soci
+        chmod +x rootfs/usr/local/lib/containers/soci-snapshotter/soci
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/10-soci-snapshotter.part /rootfs/etc/cri/conf.d/10-soci-snapshotter.part
+
+        mkdir -p /rootfs/usr/local/etc/soci-snapshotter-grpc
+        cp /pkg/config.toml /rootfs/usr/local/etc/soci-snapshotter-grpc/config.toml
+
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/soci-snapshotter.yaml /rootfs/usr/local/etc/containers/
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/soci-snapshotter.spdx.json
+      version: {{ .SOCI_SNAPSHOTTER_VERSION }}
+      licenses:
+        - Apache-2.0
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /
diff --git a/container-runtime/soci-snapshotter/soci-snapshotter.yaml b/container-runtime/soci-snapshotter/soci-snapshotter.yaml
@@ -0,0 +1,39 @@
+name: soci-snapshotter
+depends:
+  - service: cri
+restart: always
+container:
+  entrypoint: ./soci-snapshotter-grpc
+  args:
+    - -log-level=debug
+    - -address=/var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+    - -root=/var/lib/containerd/io.containerd.snapshotter.v1.soci
+  security:
+    rootfsPropagation: shared
+  mounts:
+    - source: /var
+      destination: /var
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /run
+      destination: /run
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /etc/ssl/certs
+      destination: /etc/ssl/certs
+      type: bind
+      options:
+        - rbind
+        - ro
+    - source: /usr/local/etc/soci-snapshotter-grpc
+      destination: /etc/soci-snapshotter-grpc
+      type: bind
+      options:
+        - bind
+        - ro
diff --git a/container-runtime/soci-snapshotter/vars.yaml b/container-runtime/soci-snapshotter/vars.yaml
@@ -0,0 +1,2 @@
+VERSION: "{{ .SOCI_SNAPSHOTTER_VERSION }}"
+TIER: "extra"
diff --git a/container-runtime/vars.yaml b/container-runtime/vars.yaml
@@ -9,6 +9,10 @@ GVISOR_SHA512: 0e7327735f37f38430ca1b32a708de95c280a62c2bcec14afcdcd18b20f114326
 STARGZ_SNAPSHOTTER_VERSION: v0.18.0
 STARGZ_SNAPSHOTTER_SHA256: 674062cea54d3d4908da6155a484f09e3a249f8625689643d4800893df09fcea
 STARGZ_SNAPSHOTTER_SHA512: 7134372586f5fd8d9b29d6cc44638defa5abd5f3d398bf63123edfa1f00abc0e607848b36a6fad16a730aafb218a6d0d5b5d6321ad0c63f116d10cc12de18d79
+# renovate: datasource=github-releases depName=awslabs/soci-snapshotter
+SOCI_SNAPSHOTTER_VERSION: v0.11.1
+SOCI_SNAPSHOTTER_SHA256: cabeac915c9bd31c5ab16dd11ef3fb46ce9f9b707428b88319aa8940b9de3b5a
+SOCI_SNAPSHOTTER_SHA512: f42bf8bf1121cce918ed9cfab542d81e2ee5562fe42ef2d4806b7cf78da2e3e15f830eb86fc1dbc17fc0f1f2566723a4db3feadb473e66c06f2f5bbf21f69588
 # renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
 CLOUD_PROVIDER_AWS_VERSION: v1.34.1
 CLOUD_PROVIDER_AWS_SHA256: 41acb02dcbf3357d2f2f910a9dcc2a115b1f8eecc9d02c3df089e116a0a63905

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+VERSION: "{{ .SOCI_SNAPSHOTTER_VERSION }}"`
	`2`	`+TIER: "extra"`