CI: add nerdctl

Signed-off-by: Akihiro Suda <[email protected]>
rootless-containers · Aug 18, 2024 · a8301ef · a8301ef
1 parent 635c2c4
commit a8301ef
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 5 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        engine: [docker, podman]
+        engine: [docker, nerdctl, podman]
     env:
       CONTAINER_ENGINE: "${{ matrix.engine }}"
     steps:
@@ -37,6 +37,13 @@ jobs:
           sudo rm -rf /var/run/docker*
           dockerd-rootless-setuptool.sh install
           docker info
+      - name: Set up Rootless nerdctl
+        if: ${{ matrix.engine == 'nerdctl' }}
+        run: |
+          set -eux -o pipefail
+          sudo ./init-host/init-host.root.d/install-nerdctl.sh
+          ./init-host/init-host.rootless.sh
+          nerdctl info
       - name: Set up Rootless Podman
         if: ${{ matrix.engine == 'podman' }}
         run: |
@@ -68,6 +75,8 @@ jobs:
         include:
           - lxc-image: ubuntu:24.04
             engine: docker
+          - lxc-image: ubuntu:24.04
+            engine: nerdctl
 # LXD is now banned from pulling images:fedora from https://images.linuxcontainers.org/
 # TODO: switch away from LXD to Incus: https://github.com/rootless-containers/usernetes/pull/332
 #          - lxc-image: images:fedora/39/cloud

diff --git a/hack/create-hosts-lxd.sh b/hack/create-hosts-lxd.sh
@@ -55,8 +55,9 @@ for name in ${names}; do
 	# runc requires pivot_root:
 	# > runc run failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied
 	${LXC} shell "${name}" -- bash -c 'echo "pivot_root," >>/etc/apparmor.d/local/runc'
-	# Propagate the profile for /usr/sbin/runc (Canonical's package) to /usr/bin/runc (Docker's package)
+	# Propagate the profile for /usr/sbin/runc (Canonical's package) to /usr/bin/runc (Docker's package) and /usr/local/bin/runc (nerdctl-full package)
 	${LXC} shell "${name}" -- bash -c 'sed -e s@/usr/sbin/runc@/usr/bin/runc@g /etc/apparmor.d/runc > /etc/apparmor.d/usr.bin.runc'
+	${LXC} shell "${name}" -- bash -c 'sed -e s@/usr/sbin/runc@/usr/local/bin/runc@g /etc/apparmor.d/runc > /etc/apparmor.d/usr.local.bin.runc'
 	${LXC} shell "${name}" -- bash -c 'systemctl restart apparmor'
 
 	sleep 10

diff --git a/init-host/init-host.root.d/install-nerdctl.sh b/init-host/init-host.root.d/install-nerdctl.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -eux -o pipefail
+if [ "$(id -u)" != "0" ]; then
+	echo "Must run as the root"
+	exit 1
+fi
+
+VERSION="2.0.0-rc.1"
+SHASHA="7086527171059921baf076ec0111881c6f411ff0b672623e7cb4bb69fd93226c"
+
+arch=""
+case "$(uname -m)" in
+"x86_64")
+	arch="amd64"
+	;;
+"aarch64")
+	arch="arm64"
+	;;
+*)
+	echo >&2 "Unsupported architecture"
+	exit 1
+	;;
+esac
+
+mkdir -p /root/nerdctl.tmp
+(
+	cd /root/nerdctl.tmp
+	curl -fSLO https://github.com/containerd/nerdctl/releases/download/v${VERSION}/nerdctl-full-${VERSION}-linux-${arch}.tar.gz
+	curl -fSLO https://github.com/containerd/nerdctl/releases/download/v${VERSION}/SHA256SUMS
+	[ "$(sha256sum SHA256SUMS | awk '{print $1}')" = "${SHASHA}" ]
+	sha256sum --check --ignore-missing SHA256SUMS
+	tar Cxzvvf /usr/local nerdctl-full-${VERSION}-linux-${arch}.tar.gz
+)
+rm -rf /root/nerdctl.tmp
+
+if [ -e /etc/apparmor.d/rootlesskit ]; then
+	# https://rootlesscontaine.rs/getting-started/common/apparmor/
+	sed -e s@/usr/bin/rootlesskit@/usr/local/bin/rootlesskit@g /etc/apparmor.d/rootlesskit >/etc/apparmor.d/usr.local.bin.rootlesskit
+	systemctl restart apparmor
+fi
diff --git a/init-host/init-host.root.sh b/init-host/init-host.root.sh
@@ -57,9 +57,9 @@ case "${CONTAINER_ENGINE}" in
 	fi
 	systemctl disable --now docker
 	;;
-"podman")
-	if ! command -v podman >/dev/null 2>&1; then
-		"${script_dir}"/init-host.root.d/install-podman.sh
+"podman" | "nerdctl")
+	if ! command -v "${CONTAINER_ENGINE}" >/dev/null 2>&1; then
+		"${script_dir}"/init-host.root.d/install-"${CONTAINER_ENGINE}".sh
 	fi
 	;;
 *)

diff --git a/init-host/init-host.rootless.sh b/init-host/init-host.rootless.sh
@@ -11,6 +11,11 @@ case "${CONTAINER_ENGINE}" in
 "docker")
 	dockerd-rootless-setuptool.sh install || (journalctl --user --since "10 min ago"; exit 1)
 	;;
+"nerdctl")
+	containerd-rootless-setuptool.sh install
+	containerd-rootless-setuptool.sh install-buildkit-containerd
+	containerd-rootless-setuptool.sh install-bypass4netnsd
+	;;
 "podman")
 	systemctl --user enable --now podman-restart
 	;;