From 0e425ab753df929dc1e154108ac3ced55ee0424d Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Wed, 10 Apr 2024 16:15:05 +0900
Subject: [PATCH] CI: add nerdctl
Signed-off-by: Akihiro Suda
---
 .github/workflows/main.yaml | 11 ++++-
 hack/create-hosts-lxd.sh | 3 +-
 init-host/init-host.root.d/install-nerdctl.sh | 40 +++++++++++++++++++
 init-host/init-host.root.sh | 6 +-
 init-host/init-host.rootless.sh | 5 +++
 5 files changed, 60 insertions(+), 5 deletions(-)
 create mode 100755 init-host/init-host.root.d/install-nerdctl.sh
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 9bdd581..7f8abdf 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -12,7 +12,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- engine: [docker, podman]
+ engine: [docker, nerdctl, podman]
 env:
 CONTAINER_ENGINE: "${{ matrix.engine }}"
 steps:
@@ -37,6 +37,13 @@ jobs:
 sudo rm -rf /var/run/docker*
 dockerd-rootless-setuptool.sh install
 docker info
+ - name: Set up Rootless nerdctl
+ if: ${{ matrix.engine == 'nerdctl' }}
+ run: |
+ set -eux -o pipefail
+ sudo ./init-host/init-host.root.d/install-nerdctl.sh
+ ./init-host/init-host.rootless.sh
+ nerdctl info
 - name: Set up Rootless Podman
 if: ${{ matrix.engine == 'podman' }}
 run: |
@@ -68,6 +75,8 @@ jobs:
 include:
 - lxc-image: ubuntu:24.04
 engine: docker
+ - lxc-image: ubuntu:24.04
+ engine: nerdctl
 # LXD is now banned from pulling images:fedora from https://images.linuxcontainers.org/
 # TODO: switch away from LXD to Incus: https://github.com/rootless-containers/usernetes/pull/332
 # - lxc-image: images:fedora/39/cloud
diff --git a/hack/create-hosts-lxd.sh b/hack/create-hosts-lxd.sh
index cbab984..b728d72 100755
--- a/hack/create-hosts-lxd.sh
+++ b/hack/create-hosts-lxd.sh
@@ -55,8 +55,9 @@ for name in ${names}; do # runc requires pivot_root: # > runc run failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied ${LXC} shell "${name}" -- bash -c 'echo "pivot_root," >>/etc/apparmor.d/local/runc' - # Propagate the profile for /usr/sbin/runc (Canonical's package) to /usr/bin/runc (Docker's package) + # Propagate the profile for /usr/sbin/runc (Canonical's package) to /usr/bin/runc (Docker's package) and /usr/local/bin/runc (nerdctl-full package) ${LXC} shell "${name}" -- bash -c 'sed -e s@/usr/sbin/runc@/usr/bin/runc@g /etc/apparmor.d/runc > /etc/apparmor.d/usr.bin.runc' + ${LXC} shell "${name}" -- bash -c 'sed -e s@/usr/sbin/runc@/usr/local/bin/runc@g /etc/apparmor.d/runc > /etc/apparmor.d/usr.local.bin.runc' ${LXC} shell "${name}" -- bash -c 'systemctl restart apparmor' sleep 10 diff --git a/init-host/init-host.root.d/install-nerdctl.sh b/init-host/init-host.root.d/install-nerdctl.sh new file mode 100755 index 0000000..41ebda4 --- /dev/null +++ b/init-host/init-host.root.d/install-nerdctl.sh 
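Review bot: The added sed line rewrites only the attachment path taken from /etc/apparmor.d/runc, so if that file declares a named profile (`profile runc /usr/sbin/runc ...`, which is how the distro package lays it out as far as I know), the new usr.local.bin.runc and the existing usr.bin.runc both declare a profile named `runc`, and on reload a same-name profile should replace the earlier one rather than add a second attachment, leaving only one of the three runc paths with the `userns`/`pivot_root` grants. Rewriting the name as well avoids the collision, e.g. `${LXC} shell "${name}" -- bash -c 'sed -e "s@profile runc @profile usr.local.bin.runc @" -e s@/usr/sbin/runc@/usr/local/bin/runc@g /etc/apparmor.d/runc > /etc/apparmor.d/usr.local.bin.runc'`, and running `aa-status` in the guest after the restart would confirm that all three attachments are loaded. This is inferred from the distro profile's layout rather than from anything in the hunk, so it is worth checking against the actual file in the ubuntu:24.04 image. The enclosing `for name` loop starts before and ends after this hunk.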
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -eux -o pipefail
+if [ "$(id -u)" != "0" ]; then
+ echo "Must run as the root"
+ exit 1
+fi
+
+VERSION="2.0.0-rc.3"
+SHASHA="147010c5987e04e23e1275975a35b8f2f751760cce0b18a25a1f045df49bda0f"
+
+arch=""
+case "$(uname -m)" in
+"x86_64")
+ arch="amd64"
+ ;;
+"aarch64")
+ arch="arm64"
+ ;;
+*)
+ echo >&2 "Unsupported architecture"
+ exit 1
+ ;;
+esac
+
+mkdir -p /root/nerdctl.tmp
+(
+ cd /root/nerdctl.tmp
+ curl -fSLO https://github.com/containerd/nerdctl/releases/download/v${VERSION}/nerdctl-full-${VERSION}-linux-${arch}.tar.gz
+ curl -fSLO https://github.com/containerd/nerdctl/releases/download/v${VERSION}/SHA256SUMS
+ [ "$(sha256sum SHA256SUMS | awk '{print $1}')" = "${SHASHA}" ]
+ sha256sum --check --ignore-missing SHA256SUMS
+ tar Cxzvvf /usr/local nerdctl-full-${VERSION}-linux-${arch}.tar.gz
+)
+rm -rf /root/nerdctl.tmp
+
+if [ -e /etc/apparmor.d/rootlesskit ]; then
+ # https://rootlesscontaine.rs/getting-started/common/apparmor/
+ sed -e s@/usr/bin/rootlesskit@/usr/local/bin/rootlesskit@g /etc/apparmor.d/rootlesskit >/etc/apparmor.d/usr.local.bin.rootlesskit
+ systemctl restart apparmor
+fi
diff --git a/init-host/init-host.root.sh b/init-host/init-host.root.sh
index 5151eb1..48cf0da 100755
--- a/init-host/init-host.root.sh
+++ b/init-host/init-host.root.sh
@@ -57,9 +57,9 @@ case "${CONTAINER_ENGINE}" in
 fi
 systemctl disable --now docker
 ;;
-"podman")
- if ! command -v podman >/dev/null 2>&1; then
- "${script_dir}"/init-host.root.d/install-podman.sh
+"podman" | "nerdctl")
+ if ! command -v "${CONTAINER_ENGINE}" >/dev/null 2>&1; then
+ "${script_dir}"/init-host.root.d/install-"${CONTAINER_ENGINE}".sh
 fi
 ;;
 *)
diff --git a/init-host/init-host.rootless.sh b/init-host/init-host.rootless.sh
index 1b76e27..145b01e 100755
--- a/init-host/init-host.rootless.sh
+++ b/init-host/init-host.rootless.sh
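Review bot: The AppArmor block at the end keys on the presence of the distro's /etc/apparmor.d/rootlesskit rather than on whether the host actually restricts unprivileged user namespaces, so a host that enforces the restriction but never installed the distro rootlesskit package (the tarball extracted into /usr/local appears to ship its own rootlesskit) gets no profile for /usr/local/bin/rootlesskit, and where the distro file does exist the sed copy keeps its profile name, so the two files declare the same profile and the later load can displace the earlier attachment. Keying on the `kernel.apparmor_restrict_unprivileged_userns` sysctl and writing the path-named profile documented at the linked page covers both cases; the fence shows the shape, and `aa-status` after the restart confirms the attachment is loaded. Separately, with `set -e` a failed download or checksum leaves /root/nerdctl.tmp behind because the `rm -rf` only runs on success, and `mkdir -p` reuses whatever is already there; a `mktemp -d` directory with a `trap ... EXIT` cleanup is the usual fix and is included below. The pinned `SHASHA` check on SHA256SUMS before `sha256sum --check` is the right approach and should stay as is.
```shell
# … unchanged: root check, VERSION/SHASHA, arch detection …
tmpdir="$(mktemp -d /root/nerdctl.XXXXXX)"
trap 'rm -rf "${tmpdir}"' EXIT
# … unchanged: download, checksum verification and extraction, using "${tmpdir}" instead of /root/nerdctl.tmp …

# Key on the restriction itself, not on the distro rootlesskit package being installed.
if [ "$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)" = "1" ]; then
  # https://rootlesscontaine.rs/getting-started/common/apparmor/
  cat <<'EOF' >/etc/apparmor.d/usr.local.bin.rootlesskit
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/rootlesskit flags=(unconfined) {
  userns,

  include if exists <local/usr.local.bin.rootlesskit>
}
EOF
  systemctl restart apparmor
fi
```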
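Review bot: In the merged `"podman" | "nerdctl")` arm, `command -v "${CONTAINER_ENGINE}"` only proves the CLI is on PATH, but for nerdctl the rootless setup in init-host.rootless.sh also needs `containerd-rootless-setuptool.sh` and the tools it drives, which a standalone nerdctl binary does not bring; on such a host the installer is skipped here and the failure surfaces later with a less obvious error. A per-engine probe keeps the shared arm but checks what the rootless path actually needs, e.g. `probe="${CONTAINER_ENGINE}"; [ "${CONTAINER_ENGINE}" = "nerdctl" ] && probe=containerd-rootless-setuptool.sh` before the `if`, then `if ! command -v "${probe}" >/dev/null 2>&1; then`. The computed `install-"${CONTAINER_ENGINE}".sh` path is only reachable through the two literal case patterns, which is worth a one-line comment so nobody later widens the pattern to `*`. The enclosing `case` starts before this hunk.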
@@ -11,6 +11,11 @@ case "${CONTAINER_ENGINE}" in
 "docker")
 dockerd-rootless-setuptool.sh install || (journalctl --user --since "10 min ago"; exit 1)
 ;;
+"nerdctl")
+ containerd-rootless-setuptool.sh install
+ containerd-rootless-setuptool.sh install-buildkit-containerd
+ containerd-rootless-setuptool.sh install-bypass4netnsd
+ ;;
 "podman")
 systemctl --user enable --now podman-restart
 ;;
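Review bot: The three `containerd-rootless-setuptool.sh` calls in the new `"nerdctl")` arm carry no failure diagnostics, unlike the `"docker")` arm two lines above, which dumps the user journal before exiting; since these calls install and start user systemd units, a failure is usually only explained by that journal, and in CI it would otherwise be lost. Mirroring the docker arm, `containerd-rootless-setuptool.sh install || (journalctl --user --since "10 min ago"; exit 1)`, keeps the output useful, and the same treatment fits the `install-buildkit-containerd` and `install-bypass4netnsd` calls. Whether the script runs under `set -e` is not visible in this hunk, so without the `||` branch a failed first call may also silently continue into the next two. The enclosing `case` starts before this hunk.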