
Commit df0f2f7

zlangbertfrezbo
authored andcommitted
feat: add soci snapshotter extension
Adds the AWS SOCI containerd snapshotter, allowing for lazy pulls (similar to stargz) Signed-off-by: Noel Georgi <[email protected]>
1 parent 313ae03 commit df0f2f7


10 files changed

+150
-0
lines changed


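--- a/.kres.yaml
+++ b/.kres.yaml
@@ -53,6 +53,7 @@ spec:
 - qlogic-firmware
 - realtek-firmware
 - revpi-firmware
+- soci-snapshotter
 - spin
 - stargz-snapshotter
 - tailscale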

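--- a/Makefile
+++ b/Makefile
@@ -110,6 +110,7 @@ TARGETS += qemu-guest-agent
 TARGETS += qlogic-firmware
 TARGETS += realtek-firmware
 TARGETS += revpi-firmware
+TARGETS += soci-snapshotter
 TARGETS += spin
 TARGETS += stargz-snapshotter
 TARGETS += tailscale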
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
[proxy_plugins]
2+
[proxy_plugins.soci]
3+
type = "snapshot"
4+
address = "/var/run/soci-snapshotter/soci-snapshotter-grpc.sock"
5+
6+
[plugins."io.containerd.cri.v1.images"]
7+
snapshotter = "soci"
8+
disable_snapshot_annotations = false
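Review bot: `snapshotter = "soci"` under `plugins."io.containerd.cri.v1.images"` makes soci the default snapshotter for every CRI image pull on the node as soon as the extension is installed, and the file carries no comment saying so. If the proxy socket at `/var/run/soci-snapshotter/soci-snapshotter-grpc.sock` is missing or the service is down, pulls would presumably fail rather than fall back, so this is worth stating for operators. A comment such as `# Sets soci as the node-wide default CRI snapshotter; do not combine with another extension that sets this key (e.g. stargz-snapshotter).` would document it; whether the stargz extension writes the same key is not visible on this page.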
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
# AWS SOCI Snapshotter extension
2+
3+
## Installation
4+
5+
See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
6+
7+
## Pulling from Privte Registries
8+
9+
To pull from private registries an additional step is required. You must configure the Kubelet to use the SOCI snapshotter as an image service proxy. This is explained in more detail in the [SOCI docs](https://github.com/awslabs/soci-snapshotter/blob/main/docs/registry-authentication.md#kubernetes-cri-credentials). An example config patch:
10+
11+
```yaml
12+
machine:
13+
kubelet:
14+
extraConfig:
15+
imageServiceEndpoint: unix:///var/run/soci-snapshotter/soci-snapshotter-grpc.sock
16+
```
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
# SOCI Snapshotter configuration
2+
3+
# Enable use of the SOCI snapshotter as a proxy ImageService so it can pull
4+
# images from private registries.
5+
[cri_keychain]
6+
enable_keychain = true
7+
image_service_path = "/var/run/containerd/containerd.sock"
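Review bot: `enable_keychain = true` is shipped as the default, so the comment above `[cri_keychain]` should say what that implies for operators. Suggested wording: `# Takes effect only once kubelet's imageServiceEndpoint points at the soci socket (see README); the snapshotter then proxies CRI image pulls to containerd and sees the registry credentials kubelet sends.` It would also help to note who may connect to `/var/run/soci-snapshotter/soci-snapshotter-grpc.sock`, since the socket's ownership and mode are not set in any file visible in this commit.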
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
version: v1alpha1
2+
metadata:
3+
name: soci-snapshotter
4+
version: "{{ .VERSION }}"
5+
author: Sidero Labs
6+
description: |
7+
[{{ .TIER }}] This system extension provides AWS SOCI Snapshotter using containerd's runtime handler.
8+
compatibility:
9+
talos:
10+
version: ">= v1.8.0"
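Review bot: The `description` says the extension provides the snapshotter "using containerd's runtime handler", but the files in this commit register it as a `proxy_plugins` entry with `type = "snapshot"`, not as a runtime handler. Suggested text: `[{{ .TIER }}] This system extension provides the AWS SOCI snapshotter as a containerd proxy snapshotter plugin.`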
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
name: soci-snapshotter
2+
variant: scratch
3+
shell: /bin/bash
4+
dependencies:
5+
- stage: base
6+
steps:
7+
- sources:
8+
- url: https://github.com/awslabs/soci-snapshotter/archive/refs/tags/{{ .SOCI_SNAPSHOTTER_VERSION }}.tar.gz
9+
destination: soci-snapshotter.tar.gz
10+
sha256: {{ .SOCI_SNAPSHOTTER_SHA256 }}
11+
sha512: {{ .SOCI_SNAPSHOTTER_SHA512 }}
12+
env:
13+
GOPATH: /tmp/go
14+
cachePaths:
15+
- /.cache/go-build
16+
- /tmp/go/pkg
17+
- network: default
18+
prepare:
19+
- |
20+
mkdir -p ${GOPATH}/src/github.com/awslabs/soci-snapshotter
21+
22+
tar -xzf soci-snapshotter.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/awslabs/soci-snapshotter
23+
- |
24+
cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter/cmd
25+
go mod download
26+
- network: none
27+
build:
28+
- |
29+
cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
30+
31+
make soci-snapshotter-grpc
32+
make soci
33+
install:
34+
- |
35+
mkdir -p /rootfs/usr/local/bin
36+
mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter
37+
38+
cd ${GOPATH}/src/github.com/containerd/soci-snapshotter
39+
40+
cp ./out/soci-snapshotter-grpc /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
41+
chmod +x rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
42+
43+
cp ./out/soci /rootfs/usr/local/lib/containers/soci-snapshotter/soci
44+
chmod +x rootfs/usr/local/lib/containers/soci-snapshotter/soci
45+
46+
cp /pkg/config.toml /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc/config.toml
47+
- |
48+
mkdir -p /rootfs/etc/cri/conf.d
49+
cp /pkg/10-soci-snapshotter.part /rootfs/etc/cri/conf.d/10-soci-snapshotter.part
50+
51+
mkdir -p /rootfs/usr/local/etc/containers
52+
cp /pkg/soci-snapshotter.yaml /rootfs/usr/local/etc/containers/
53+
test:
54+
- |
55+
mkdir -p /extensions-validator-rootfs
56+
cp -r /rootfs/ /extensions-validator-rootfs/rootfs
57+
cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
58+
/extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
59+
sbom:
60+
outputPath: /rootfs/usr/local/share/spdx/soci-snapshotter.spdx.json
61+
version: {{ .SOCI_SNAPSHOTTER_VERSION }}
62+
licenses:
63+
- Apache-2.0
64+
finalize:
65+
- from: /rootfs
66+
to: /rootfs
67+
- from: /pkg/manifest.yaml
68+
to: /
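Review bot: The install step changes into `${GOPATH}/src/github.com/containerd/soci-snapshotter`, but the prepare and build steps unpack and build under `${GOPATH}/src/github.com/awslabs/soci-snapshotter`, so the `./out/` binaries will not be found there; it should read `cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter`. In the same step both `chmod +x rootfs/usr/local/...` lines lack the leading slash and resolve relative to the source tree; they should target `/rootfs/usr/local/lib/containers/soci-snapshotter/...`. The destination directory of `cp /pkg/config.toml` (`.../etc/soci-snapshotter-grpc`) is not created by either `mkdir -p` in the step, so `mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc` appears to be needed first. The source tarball itself is pinned by both sha256 and sha512, which is the right control for the download; the `go mod download` step runs with network access, so module integrity there rests on the upstream `go.sum`.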
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
name: soci-snapshotter
2+
depends:
3+
- service: cri
4+
restart: always
5+
container:
6+
entrypoint: ./soci-snapshotter-grpc
7+
args:
8+
- -log-level=debug
9+
- -address=/var/run/soci-snapshotter/soci-snapshotter-grpc.sock
10+
- -root=/var/lib/containerd/io.containerd.snapshotter.v1.soci
11+
security:
12+
rootfsPropagation: shared
13+
mounts:
14+
- source: /var
15+
destination: /var
16+
type: bind
17+
options:
18+
- rshared
19+
- rbind
20+
- rw
21+
- source: /run
22+
destination: /run
23+
type: bind
24+
options:
25+
- rshared
26+
- rbind
27+
- rw
28+
- source: /etc/ssl/certs
29+
destination: /etc/ssl/certs
30+
type: bind
31+
options:
32+
- rbind
33+
- ro
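Review bot: The `mounts` list binds all of `/var` and `/run` read-write with `rshared`, which gives the snapshotter process write access to every piece of host state under those trees, including the containerd socket, rather than only the paths its `args` name. Consider narrowing the binds to `/var/lib/containerd/io.containerd.snapshotter.v1.soci`, `/var/run/soci-snapshotter` and the containerd socket directory, keeping `rshared` only where the snapshotter's mounts must propagate to the host; whether the extension service runner permits that split is not visible here. `-log-level=debug` is also a development setting for a service that, with the CRI keychain enabled in config.toml, sits in the image-pull credential path; `-log-level=info` would be a safer shipped default.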
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
VERSION: "{{ .SOCI_SNAPSHOTTER_VERSION }}"
2+
TIER: "extra"

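--- a/container-runtime/vars.yaml
+++ b/container-runtime/vars.yaml
@@ -9,6 +9,10 @@ GVISOR_SHA512: 038631f7b6e03ca14b2a038b51756b0ce8e3f9b490deebe4938419e82f98c9e81
 STARGZ_SNAPSHOTTER_VERSION: v0.18.1
 STARGZ_SNAPSHOTTER_SHA256: 42e9bf7536a3c1eca2160b58fc865de47f6a338f30bb88a25fe50ed8b0d130e3
 STARGZ_SNAPSHOTTER_SHA512: 076943cd8488bf58b0fd54b41471f99d0289b4fc63f66549fb946c82fdb7e68794c215b8b9ed0e858cf12227db59bf7a360004d5232b6c090decdbb36a1bd323
+# renovate: datasource=github-releases depName=awslabs/soci-snapshotter
+SOCI_SNAPSHOTTER_VERSION: v0.11.1
+SOCI_SNAPSHOTTER_SHA256: cabeac915c9bd31c5ab16dd11ef3fb46ce9f9b707428b88319aa8940b9de3b5a
+SOCI_SNAPSHOTTER_SHA512: f42bf8bf1121cce918ed9cfab542d81e2ee5562fe42ef2d4806b7cf78da2e3e15f830eb86fc1dbc17fc0f1f2566723a4db3feadb473e66c06f2f5bbf21f69588
 # renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
 CLOUD_PROVIDER_AWS_VERSION: v1.34.1
 CLOUD_PROVIDER_AWS_SHA256: 41acb02dcbf3357d2f2f910a9dcc2a115b1f8eecc9d02c3df089e116a0a63905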
