feat: add soci snapshotter extension

Adds the AWS SOCI containerd snapshotter, allowing for lazy pulls (similar to stargz)

Signed-off-by: Noel Georgi <[email protected]>

Author: zlangbert

.kres.yaml

@@ -53,6 +53,7 @@ spec:
     - qlogic-firmware
     - realtek-firmware
     - revpi-firmware
+    - soci-snapshotter
     - spin
     - stargz-snapshotter
     - tailscale

Makefile

@@ -110,6 +110,7 @@ TARGETS += qemu-guest-agent
 TARGETS += qlogic-firmware
 TARGETS += realtek-firmware
 TARGETS += revpi-firmware
+TARGETS += soci-snapshotter
 TARGETS += spin
 TARGETS += stargz-snapshotter
 TARGETS += tailscale

container-runtime/soci-snapshotter/10-soci-snapshotter.part

@@ -0,0 +1,8 @@
+[proxy_plugins]
+  [proxy_plugins.soci]
+    type = "snapshot"
+    address = "/var/run/soci-snapshotter/soci-snapshotter-grpc.sock"
+
+[plugins."io.containerd.cri.v1.images"]
+  snapshotter = "soci"
+  disable_snapshot_annotations = false

container-runtime/soci-snapshotter/README.md

@@ -0,0 +1,16 @@
+# AWS SOCI Snapshotter extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Pulling from Privte Registries
+
+To pull from private registries an additional step is required. You must configure the Kubelet to use the SOCI snapshotter as an image service proxy. This is explained in more detail in the [SOCI docs](https://github.com/awslabs/soci-snapshotter/blob/main/docs/registry-authentication.md#kubernetes-cri-credentials). An example config patch:
+
+```yaml
+machine:
+  kubelet:
+    extraConfig:
+      imageServiceEndpoint: unix:///var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+```

container-runtime/soci-snapshotter/config.toml

@@ -0,0 +1,7 @@
+# SOCI Snapshotter configuration
+
+# Enable use of the SOCI snapshotter as a proxy ImageService so it can pull
+# images from private registries.
+[cri_keychain]
+enable_keychain = true
+image_service_path = "/var/run/containerd/containerd.sock"

container-runtime/soci-snapshotter/manifest.yaml.tmpl

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: soci-snapshotter
+  version: "{{ .VERSION }}"
+  author: Sidero Labs
+  description: |
+    [{{ .TIER }}] This system extension provides AWS SOCI Snapshotter using containerd's runtime handler.
+  compatibility:
+    talos:
+      version: ">= v1.8.0"

container-runtime/soci-snapshotter/pkg.yaml

@@ -0,0 +1,71 @@
+name: soci-snapshotter
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/awslabs/soci-snapshotter/archive/refs/tags/{{ .SOCI_SNAPSHOTTER_VERSION }}.tar.gz
+        destination: soci-snapshotter.tar.gz
+        sha256: {{ .SOCI_SNAPSHOTTER_SHA256 }}
+        sha512: {{ .SOCI_SNAPSHOTTER_SHA512 }}
+    env:
+      GOPATH: /tmp/go
+      VERSION: {{ .SOCI_SNAPSHOTTER_VERSION }}
+      REVISION: {{ .SOCI_SNAPSHOTTER_REV }}
+    cachePaths:
+      - /.cache/go-build
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        mkdir -p ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        tar -xzf soci-snapshotter.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter/cmd
+        go mod download
+  - network: none
+    build:
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        make soci-snapshotter-grpc
+        make soci
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/bin
+        mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter
+
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+        
+        cp ./out/soci-snapshotter-grpc /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+        chmod +x /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+
+        cp ./out/soci /rootfs/usr/local/lib/containers/soci-snapshotter/soci
+        chmod +x /rootfs/usr/local/lib/containers/soci-snapshotter/soci
+
+        mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc/ 
+        cp /pkg/config.toml /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc/config.toml
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/10-soci-snapshotter.part /rootfs/etc/cri/conf.d/10-soci-snapshotter.part
+
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/soci-snapshotter.yaml /rootfs/usr/local/etc/containers/
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/soci-snapshotter.spdx.json
+      version: {{ .SOCI_SNAPSHOTTER_VERSION }}
+      licenses:
+        - Apache-2.0
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

container-runtime/soci-snapshotter/soci-snapshotter.yaml

@@ -0,0 +1,33 @@
+name: soci-snapshotter
+depends:
+  - service: cri
+restart: always
+container:
+  entrypoint: ./soci-snapshotter-grpc
+  args:
+    - -log-level=debug
+    - -address=/var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+    - -root=/var/lib/containerd/io.containerd.snapshotter.v1.soci
+  security:
+    rootfsPropagation: shared
+  mounts:
+    - source: /var
+      destination: /var
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /run
+      destination: /run
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /etc/ssl/certs
+      destination: /etc/ssl/certs
+      type: bind
+      options:
+        - rbind
+        - ro

container-runtime/soci-snapshotter/vars.yaml

@@ -0,0 +1,2 @@
+VERSION: "{{ .SOCI_SNAPSHOTTER_VERSION }}"
+TIER: "extra"

container-runtime/vars.yaml

@@ -9,6 +9,11 @@ GVISOR_SHA512: 038631f7b6e03ca14b2a038b51756b0ce8e3f9b490deebe4938419e82f98c9e81
 STARGZ_SNAPSHOTTER_VERSION: v0.18.1
 STARGZ_SNAPSHOTTER_SHA256: 42e9bf7536a3c1eca2160b58fc865de47f6a338f30bb88a25fe50ed8b0d130e3
 STARGZ_SNAPSHOTTER_SHA512: 076943cd8488bf58b0fd54b41471f99d0289b4fc63f66549fb946c82fdb7e68794c215b8b9ed0e858cf12227db59bf7a360004d5232b6c090decdbb36a1bd323
+# renovate: datasource=github-releases depName=awslabs/soci-snapshotter
+SOCI_SNAPSHOTTER_VERSION: v0.11.1
+SOCI_SNAPSHOTTER_REV: 28781de6731978b2e2f0f43573a345e9fa14dbd1
+SOCI_SNAPSHOTTER_SHA256: cabeac915c9bd31c5ab16dd11ef3fb46ce9f9b707428b88319aa8940b9de3b5a
+SOCI_SNAPSHOTTER_SHA512: f42bf8bf1121cce918ed9cfab542d81e2ee5562fe42ef2d4806b7cf78da2e3e15f830eb86fc1dbc17fc0f1f2566723a4db3feadb473e66c06f2f5bbf21f69588
 # renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
 CLOUD_PROVIDER_AWS_VERSION: v1.34.1
 CLOUD_PROVIDER_AWS_SHA256: 41acb02dcbf3357d2f2f910a9dcc2a115b1f8eecc9d02c3df089e116a0a63905