-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
About the containerd of v0.8.0 #315
Comments
One of the big changes in v0.8.0 was the move away from the CoCo containerd fork (which we felt was not feasible to maintain longterm and not acceptable for production use). With the containerd fork, image pull requests would be fulfilled by the Kata Agent. In the new approach, we use the nydus snapshotter on the host to intercede in the image pulling process. The snapshotter then communicates directly with image-rs inside the guest, which pulls the image. So, I think what you are describing here is by design. Is there a particular issue that you run into? |
Thanks for your reply. but I couldn't find the corresponding code implementation in https://github.com/containerd/nydus-snapshotter about the information: |
That diagram is showing host-pulling, which is not yet implemented yet (we pull with image-rs inside the guest), but otherwise I think it is accurate. |
Installing version 0.8.0 of ccruntime using the following command does not seem to automatically upgrade the containerd version of the host to 1.7.0 or higher? kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/default?ref=v0.8.0 |
Hm I thought we had some kind of support for updating containerd via the operator i.e. for Ubuntu 20.04. @wainersm might have more details. |
Describe the bug
When I installed CoCo Operator v0.3.0, I found that the system's default containerd service had been replaced with CoCo's containerd (/opt/confidential containers/bin/containerd), and I could find:
--1) In the/etc/containerd/config.toml configuration, add the "cri_handler=" cc "" configuration for each cc runtime;
--2) The containerd of CoCo will ultimately send the request for PullImage to kata agent, who will be responsible for PullImage and DescryptImage.
However, when I installed CoCo Operator v0.8.0, I found that the containerd service was still official containerd (/usr/bin/containerd), and I could find:
--1) In the/etc/containerd/config.toml configuration, a "snapshotter="nydus“"configuration has been added for each cc runtime (but there is no" cri_handler="cc" configuration);
--2) The official containerd did not send the PullImage request to kata runtime and kata agent, so I have the following issue in CoCo Operator v0.8.0:
----a) Who is truly responsible for PullImage and DescryptImage? What is the detailed process flow like?
----b) The nydus-snapshotter modified by CoCo was used for PullImage forwarding to kata-agent? but I couldn't find the corresponding code implementation?
To Reproduce
Steps to reproduce the behavior:
Describe the results you expected
A clear and concise description of what you expected to happen.
Describe the results you received:
A clear and concise description of what happened.
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: