rootless: Support BuildKit containerd worker

Signed-off-by: Kohei Tokunaga <[email protected]>

Author: ktock

Dockerfile

@@ -25,7 +25,7 @@ ARG CNI_PLUGINS_VERSION=v1.1.0
 # Extra deps: CNI isolation
 ARG CNI_ISOLATION_VERSION=v0.0.4
 # Extra deps: Build
-ARG BUILDKIT_VERSION=v0.9.3
+ARG BUILDKIT_VERSION=v0.10.0
 # Extra deps: Lazy-pulling
 ARG STARGZ_SNAPSHOTTER_VERSION=v0.11.2
 # Extra deps: Encryption
@@ -264,8 +264,9 @@ COPY --from=gcr.io/projectsigstore/cosign:v1.3.1@sha256:3cd9b3a866579dc2e0cf2fde
 # enable offline ipfs for integration test
 COPY ./Dockerfile.d/test-integration-etc_containerd-stargz-grpc_config.toml /etc/containerd-stargz-grpc/config.toml
 COPY ./Dockerfile.d/test-integration-ipfs-offline.service /usr/local/lib/systemd/system/
+COPY ./Dockerfile.d/test-integration-buildkit-nerdctl-test.service /usr/local/lib/systemd/system/
 # install ipfs service. avoid using 5001(api)/8080(gateway) which are reserved by tests.
-RUN systemctl enable test-integration-ipfs-offline && \
+RUN systemctl enable test-integration-ipfs-offline test-integration-buildkit-nerdctl-test && \
     ipfs init && \
     ipfs config Addresses.API "/ip4/127.0.0.1/tcp/5888" && \
     ipfs config Addresses.Gateway "/ip4/127.0.0.1/tcp/5889"

Dockerfile.d/SHA256SUMS.d/buildkit-v0.10.0

@@ -0,0 +1,2 @@
+ed9d3942ca3f1cbc4906577a2422e5084416dd2739f3d85b800a129d61557630  buildkit-v0.10.0.linux-amd64.tar.gz
+f201c30dca4877eca9598ae41c1c8934c98b37a9ad323cec8b30ce9138f957ac  buildkit-v0.10.0.linux-arm64.tar.gz

Dockerfile.d/SHA256SUMS.d/buildkit-v0.9.3

@@ -0,0 +1,41 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Copied from released buildkit.service
+
+[Unit]
+After=network.target local-fs.target
+Description=buildkit daemon for integration test (namespace: nerdctl-test)
+
+[Service]
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true --addr="unix:///run/buildkit-nerdctl-test/buildkitd.sock" --root=/var/lib/buildkit-nerdctl-test --containerd-worker-namespace=nerdctl-test
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=docker-entrypoint.target

Dockerfile.d/test-integration-buildkit-nerdctl-test.service

@@ -38,7 +38,7 @@ else
 	if [[ -e /workaround-cirrus ]]; then
 		echo "WORKAROUND_CIRRUS: Not enabling BuildKit (https://github.com/containerd/nerdctl/issues/622)" >&2
 	else
-		containerd-rootless-setuptool.sh install-buildkit
+		CONTAINERD_NAMESPACE="nerdctl-test" containerd-rootless-setuptool.sh install-buildkit-containerd
 	fi
 	containerd-rootless-setuptool.sh install-stargz
 	cat <<EOF >>/home/rootless/.config/containerd/config.toml

Dockerfile.d/test-integration-rootless.sh

@@ -299,6 +299,8 @@ It does not necessarily mean that the corresponding features are missing in cont
     - [:nerd_face: nerdctl apparmor load](#nerd_face-nerdctl-apparmor-load)
     - [:nerd_face: nerdctl apparmor ls](#nerd_face-nerdctl-apparmor-ls)
     - [:nerd_face: nerdctl apparmor unload](#nerd_face-nerdctl-apparmor-unload)
+  - [Builder management](#builder-management)
+    - [:whale: nerdctl builder prune](#whale-nerdctl-builder-prune)
   - [System](#system)
     - [:whale: nerdctl events](#whale-nerdctl-events)
     - [:whale: nerdctl info](#whale-nerdctl-info)
@@ -1116,6 +1118,19 @@ Unload an AppArmor profile. The target profile name defaults to "nerdctl-default
 
 Usage: `nerdctl apparmor unload [PROFILE]`
 
+## Builder management
+### :whale: nerdctl builder prune
+Clean up BuildKit build cache.
+
+:warning: The output format is not compatible with Docker.
+
+Usage: `nerdctl builder prune`
+
+Flags:
+- :nerd_face: `--buildkit-host=<BUILDKIT_HOST>`: BuildKit address
+
+Unimplemented `docker builder prune` flags: `--all`, `--filter`, `--force`, `--keep-storage`
+
 ## System
 ### :whale: nerdctl events
 Get real time events from the server.

README.md

@@ -28,6 +28,7 @@ import (
 
 	"path/filepath"
 
+	dockerreference "github.com/containerd/containerd/reference/docker"
 	"github.com/containerd/nerdctl/pkg/buildkitutil"
 	"github.com/containerd/nerdctl/pkg/defaults"
 	"github.com/containerd/nerdctl/pkg/platformutil"
@@ -73,22 +74,59 @@ func newBuildCommand() *cobra.Command {
 	return buildCommand
 }
 
+func getBuildkitHost(cmd *cobra.Command) (string, error) {
+	if cmd.Flags().Changed("buildkit-host") {
+		// If address is explicitly specified, use it.
+		buildkitHost, err := cmd.Flags().GetString("buildkit-host")
+		if err != nil {
+			return "", err
+		}
+		if err := buildkitutil.PingBKDaemon(buildkitHost); err != nil {
+			return "", err
+		}
+		return buildkitHost, nil
+	}
+	ns, err := cmd.Flags().GetString("namespace")
+	if err != nil {
+		return "", err
+	}
+	return buildkitutil.GetBuildkitHost(ns)
+}
+
+func isImageSharable(buildkitHost string, namespace, uuid string) (bool, error) {
+	labels, err := buildkitutil.GetWorkerLabels(buildkitHost)
+	if err != nil {
+		return false, err
+	}
+	logrus.Debugf("worker labels: %+v", labels)
+	executor, ok := labels["org.mobyproject.buildkit.worker.executor"]
+	if !ok {
+		return false, nil
+	}
+	containerdUUID, ok := labels["org.mobyproject.buildkit.worker.containerd.uuid"]
+	if !ok {
+		return false, nil
+	}
+	containerdNamespace, ok := labels["org.mobyproject.buildkit.worker.containerd.namespace"]
+	if !ok {
+		return false, nil
+	}
+	return executor == "containerd" && containerdUUID == uuid && containerdNamespace == namespace, nil
+}
+
 func buildAction(cmd *cobra.Command, args []string) error {
 	platform, err := cmd.Flags().GetStringSlice("platform")
 	if err != nil {
 		return err
 	}
 	platform = strutil.DedupeStrSlice(platform)
 
-	buildkitHost, err := cmd.Flags().GetString("buildkit-host")
+	buildkitHost, err := getBuildkitHost(cmd)
 	if err != nil {
 		return err
 	}
-	if err := buildkitutil.PingBKDaemon(buildkitHost); err != nil {
-		return err
-	}
 
-	buildctlBinary, buildctlArgs, needsLoading, metaFile, cleanup, err := generateBuildctlArgs(cmd, platform, args)
+	buildctlBinary, buildctlArgs, needsLoading, metaFile, cleanup, err := generateBuildctlArgs(cmd, buildkitHost, platform, args)
 	if err != nil {
 		return err
 	}
@@ -164,7 +202,7 @@ func buildAction(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func generateBuildctlArgs(cmd *cobra.Command, platform, args []string) (string, []string, bool, string, func(), error) {
+func generateBuildctlArgs(cmd *cobra.Command, buildkitHost string, platform, args []string) (string, []string, bool, string, func(), error) {
 	var needsLoading bool
 	if len(args) < 1 {
 		return "", nil, false, "", nil, errors.New("context needs to be specified")
@@ -184,13 +222,34 @@ func generateBuildctlArgs(cmd *cobra.Command, platform, args []string) (string,
 		return "", nil, false, "", nil, err
 	}
 	if output == "" {
-		output = "type=docker"
-		if len(platform) > 1 {
-			// For avoiding `error: failed to solve: docker exporter does not currently support exporting manifest lists`
-			// TODO: consider using type=oci for single-platform build too
-			output = "type=oci"
+		client, ctx, cancel, err := newClient(cmd)
+		if err != nil {
+			return "", nil, false, "", nil, err
+		}
+		defer cancel()
+		info, err := client.Server(ctx)
+		if err != nil {
+			return "", nil, false, "", nil, err
+		}
+		ns, err := cmd.Flags().GetString("namespace")
+		if err != nil {
+			return "", nil, false, "", nil, err
+		}
+		sharable, err := isImageSharable(buildkitHost, ns, info.UUID)
+		if err != nil {
+			return "", nil, false, "", nil, err
+		}
+		if sharable {
+			output = "type=image,unpack=true" // ensure the target stage is unlazied (needed for any snapshotters)
+		} else {
+			output = "type=docker"
+			if len(platform) > 1 {
+				// For avoiding `error: failed to solve: docker exporter does not currently support exporting manifest lists`
+				// TODO: consider using type=oci for single-platform build too
+				output = "type=oci"
+			}
+			needsLoading = true
 		}
-		needsLoading = true
 	}
 	tagValue, err := cmd.Flags().GetStringArray("tag")
 	if err != nil {
@@ -200,12 +259,12 @@ func generateBuildctlArgs(cmd *cobra.Command, platform, args []string) (string,
 		if len(tagSlice) > 1 {
 			return "", nil, false, "", nil, fmt.Errorf("specifying multiple -t is not supported yet")
 		}
-		output += ",name=" + tagSlice[0]
-	}
-
-	buildkitHost, err := cmd.Flags().GetString("buildkit-host")
-	if err != nil {
-		return "", nil, false, "", nil, err
+		ref := tagSlice[0]
+		named, err := dockerreference.ParseNormalizedNamed(ref)
+		if err != nil {
+			return "", nil, false, "", nil, err
+		}
+		output += ",name=" + dockerreference.TagNameOnly(named).String()
 	}
 
 	buildctlArgs := buildkitutil.BuildctlBaseArgs(buildkitHost)
@@ -375,14 +434,19 @@ func getDigestFromMetaFile(path string) (string, error) {
 	}
 	defer os.Remove(path)
 
-	metadata := map[string]string{}
+	metadata := map[string]json.RawMessage{}
 	if err := json.Unmarshal(data, &metadata); err != nil {
 		logrus.WithError(err).Errorf("failed to unmarshal metadata file %s", path)
 		return "", err
 	}
-	digest, ok := metadata["containerimage.digest"]
+	digestRaw, ok := metadata["containerimage.digest"]
 	if !ok {
 		return "", errors.New("failed to find containerimage.digest in metadata file")
 	}
+	var digest string
+	if err := json.Unmarshal(digestRaw, &digest); err != nil {
+		logrus.WithError(err).Errorf("failed to unmarshal digset")
+		return "", err
+	}
 	return digest, nil
 }

cmd/nerdctl/build.go

@@ -28,9 +28,9 @@ import (
 )
 
 func TestBuild(t *testing.T) {
-	t.Parallel()
 	testutil.RequiresBuild(t)
 	base := testutil.NewBase(t)
+	defer base.Cmd("builder", "prune").Run()
 	imageName := testutil.Identifier(t)
 	defer base.Cmd("rmi", imageName).Run()
 
@@ -48,25 +48,100 @@ CMD ["echo", "nerdctl-build-test-string"]
 	base.Cmd("run", "--rm", imageName).AssertOutExactly("nerdctl-build-test-string\n")
 }
 
+// TestBuildBaseImage tests if an image can be built on the previously built image.
+// This isn't currently supported by nerdctl with BuildKit OCI worker.
+func TestBuildBaseImage(t *testing.T) {
+	testutil.RequiresBuild(t)
+	base := testutil.NewBase(t)
+	defer base.Cmd("builder", "prune").Run()
+	imageName := testutil.Identifier(t)
+	defer base.Cmd("rmi", imageName).Run()
+	imageName2 := imageName + "-2"
+	defer base.Cmd("rmi", imageName2).Run()
+
+	dockerfile := fmt.Sprintf(`FROM %s
+RUN echo hello > /hello
+CMD ["echo", "nerdctl-build-test-string"]
+	`, testutil.CommonImage)
+
+	buildCtx, err := createBuildContext(dockerfile)
+	assert.NilError(t, err)
+	defer os.RemoveAll(buildCtx)
+
+	base.Cmd("build", "-t", imageName, buildCtx).AssertOK()
+	base.Cmd("build", buildCtx, "-t", imageName).AssertOK()
+
+	dockerfile2 := fmt.Sprintf(`FROM %s
+RUN echo hello2 > /hello2
+CMD ["cat", "/hello2"]
+	`, imageName)
+
+	buildCtx2, err := createBuildContext(dockerfile2)
+	assert.NilError(t, err)
+	defer os.RemoveAll(buildCtx2)
+
+	base.Cmd("build", "-t", imageName2, buildCtx2).AssertOK()
+	base.Cmd("build", buildCtx2, "-t", imageName2).AssertOK()
+
+	base.Cmd("run", "--rm", imageName2).AssertOutExactly("hello2\n")
+}
+
+// TestBuildFromContainerd tests if an image can be built on an image pulled by nerdctl.
+// This isn't currently supported by nerdctl with BuildKit OCI worker.
+func TestBuildFromContainerd(t *testing.T) {
+	testutil.DockerIncompatible(t)
+	testutil.RequiresBuild(t)
+	base := testutil.NewBase(t)
+	defer base.Cmd("builder", "prune").Run()
+	imageName := testutil.Identifier(t)
+	defer base.Cmd("rmi", imageName).Run()
+	imageName2 := imageName + "-2"
+	defer base.Cmd("rmi", imageName2).Run()
+
+	// FIXME: BuildKit sometimes tries to use base image manifests of platforms that hasn't been
+	//        pulled by `nerdctl pull`. This leads to "not found" error for the base image.
+	//        To avoid this issue, images shared to BuildKit should always be pulled by manifest
+	//        digest or `--all-platforms` needs to be added.
+	base.Cmd("pull", "--all-platforms", testutil.CommonImage).AssertOK()
+	base.Cmd("tag", testutil.CommonImage, imageName).AssertOK()
+	base.Cmd("rmi", testutil.CommonImage).AssertOK()
+
+	dockerfile2 := fmt.Sprintf(`FROM %s
+RUN echo hello2 > /hello2
+CMD ["cat", "/hello2"]
+	`, imageName)
+
+	buildCtx2, err := createBuildContext(dockerfile2)
+	assert.NilError(t, err)
+	defer os.RemoveAll(buildCtx2)
+
+	base.Cmd("build", "-t", imageName2, buildCtx2).AssertOK()
+	base.Cmd("build", buildCtx2, "-t", imageName2).AssertOK()
+
+	base.Cmd("run", "--rm", imageName2).AssertOutExactly("hello2\n")
+}
+
 func TestBuildFromStdin(t *testing.T) {
 	t.Parallel()
 	testutil.RequiresBuild(t)
 	base := testutil.NewBase(t)
+	defer base.Cmd("builder", "prune").Run()
 	imageName := testutil.Identifier(t)
 	defer base.Cmd("rmi", imageName).Run()
 
 	dockerfile := fmt.Sprintf(`FROM %s
 CMD ["echo", "nerdctl-build-test-stdin"]
 	`, testutil.CommonImage)
 
-	base.Cmd("build", "-t", imageName, "-f", "-", ".").CmdOption(testutil.WithStdin(strings.NewReader(dockerfile))).AssertOutContains(imageName)
+	base.Cmd("build", "-t", imageName, "-f", "-", ".").CmdOption(testutil.WithStdin(strings.NewReader(dockerfile))).AssertCombinedOutContains(imageName)
 }
 
 func TestBuildLocal(t *testing.T) {
 	t.Parallel()
 	testutil.DockerIncompatible(t)
 	testutil.RequiresBuild(t)
 	base := testutil.NewBase(t)
+	defer base.Cmd("builder", "prune").Run()
 	const testFileName = "nerdctl-build-test"
 	const testContent = "nerdctl"
 	outputDir := t.TempDir()
@@ -108,6 +183,7 @@ func TestBuildWithIIDFile(t *testing.T) {
 	t.Parallel()
 	testutil.RequiresBuild(t)
 	base := testutil.NewBase(t)
+	defer base.Cmd("builder", "prune").Run()
 	imageName := testutil.Identifier(t)
 	defer base.Cmd("rmi", imageName).Run()
 
@@ -134,6 +210,7 @@ func TestBuildWithLabels(t *testing.T) {
 	t.Parallel()
 	testutil.RequiresBuild(t)
 	base := testutil.NewBase(t)
+	defer base.Cmd("builder", "prune").Run()
 	imageName := testutil.Identifier(t)
 
 	dockerfile := fmt.Sprintf(`FROM %s