Add install support for binary images

ehazlett · crosbymichael · commit 1537f31381b9 · 2018-08-02T17:11:29.000-04:00
This adds a way for users to programatically install containerd binary
dependencies.

With runtime v2 and new shim's being built, it will be a challenge to
get those onto machines.  Users would have to find the link, download,
place it in their path, yada yada yada.

With this functionality of a managed `/opt` directory, containerd can
use existing image and distribution infra. to get binarys, shims, etc
onto the system.

Configuration:

*default:* `/opt/containerd`

*containerd config:*
```toml
[plugins.opt]
	path = "/opt/mypath"

```

Usage:

*code:*

```go
image, err := client.Pull(ctx, "docker.io/crosbymichael/runc:latest")
client.Install(ctx, image)
```

*ctr:*

```bash
ctr content fetch docker.io/crosbymichael/runc:latest
ctr install docker.io/crosbymichael/runc:latest
```

You can manage versions and see what is running via standard image
commands.

Images:

These images MUST be small and only contain binaries.

```Dockerfile
FROM scratch
Add runc /bin/runc
```

Containerd will only extract files in `/bin` of the image.

Later on, we can add support for `/lib`.

The code adds a service to manage an `/opt/containerd` directory and
provide that path to callers via the introspection service.

How to Test:

Delete runc from your system.

```bash
&gt; sudo ctr run --rm  docker.io/library/redis:alpine redis
ctr: OCI runtime create failed: unable to retrieve OCI runtime error (open /run/containerd/io.containerd.runtime.v1.linux/default/redis/log.json: no such file or directory): exec: "runc": executable file not found in $PATH: unknown

&gt; sudo ctr content fetch docker.io/crosbymichael/runc:latest
&gt; sudo ctr  install docker.io/crosbymichael/runc:latest

&gt; sudo ctr run --rm  docker.io/library/redis:alpine redis
1:C 01 Aug 15:59:52.864 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:C 01 Aug 15:59:52.864 # Redis version=4.0.10, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 01 Aug 15:59:52.864 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf
1:M 01 Aug 15:59:52.866 # You requested maxclients of 10000 requiring at least 10032 max file descriptors.
1:M 01 Aug 15:59:52.866 # Server can't set maximum open files to 10032 because of OS error: Operation not permitted.
1:M 01 Aug 15:59:52.866 # Current maximum open files is 1024. maxclients has been reduced to 992 to compensate for low ulimit. If you need higher maxclients increase 'ulimit -n'.
1:M 01 Aug 15:59:52.870 * Running mode=standalone, port=6379.
1:M 01 Aug 15:59:52.870 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
1:M 01 Aug 15:59:52.870 # Server initialized
1:M 01 Aug 15:59:52.870 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
1:M 01 Aug 15:59:52.870 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never &gt; /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
1:M 01 Aug 15:59:52.870 * Ready to accept connections
^C1:signal-handler (1533139193) Received SIGINT scheduling shutdown...
1:M 01 Aug 15:59:53.472 # User requested shutdown...
1:M 01 Aug 15:59:53.472 * Saving the final RDB snapshot before exiting.
1:M 01 Aug 15:59:53.484 * DB saved on disk
1:M 01 Aug 15:59:53.484 # Redis is now ready to exit, bye bye...
```

Signed-off-by: Evan Hazlett &lt;ejhazlett@gmail.com&gt;
Signed-off-by: Michael Crosby &lt;crosbymichael@gmail.com&gt;
diff --git a/archive/tar.go b/archive/tar.go
@@ -114,6 +114,9 @@ func Apply(ctx context.Context, root string, r io.Reader, opts ...ApplyOpt) (int
 			return 0, errors.Wrap(err, "failed to apply option")
 		}
 	}
+	if options.Filter == nil {
+		options.Filter = all
+	}
 
 	return apply(ctx, root, tar.NewReader(r), options)
 }
@@ -155,6 +158,10 @@ func applyNaive(ctx context.Context, root string, tr *tar.Reader, options ApplyO
 		// Normalize name, for safety and for a simple is-root check
 		hdr.Name = filepath.Clean(hdr.Name)
 
+		if !options.Filter(hdr) {
+			continue
+		}
+
 		if skipFile(hdr) {
 			log.G(ctx).Warnf("file %q ignored: archive may not be supported on system", hdr.Name)
 			continue
diff --git a/archive/tar_opts.go b/archive/tar_opts.go
@@ -16,5 +16,23 @@
 
 package archive
 
+import "archive/tar"
+
 // ApplyOpt allows setting mutable archive apply properties on creation
 type ApplyOpt func(options *ApplyOptions) error
+
+// Filter specific files from the archive
+type Filter func(*tar.Header) bool
+
+// all allows all files
+func all(_ *tar.Header) bool {
+	return true
+}
+
+// WithFilter uses the filter to select which files are to be extracted.
+func WithFilter(f Filter) ApplyOpt {
+	return func(options *ApplyOptions) error {
+		options.Filter = f
+		return nil
+	}
+}
diff --git a/archive/tar_opts_unix.go b/archive/tar_opts_unix.go
@@ -20,4 +20,5 @@ package archive
 
 // ApplyOptions provides additional options for an Apply operation
 type ApplyOptions struct {
+	Filter Filter // Filter tar headers
 }
diff --git a/archive/tar_opts_windows.go b/archive/tar_opts_windows.go
@@ -22,6 +22,7 @@ package archive
 type ApplyOptions struct {
 	ParentLayerPaths        []string // Parent layer paths used for Windows layer apply
 	IsWindowsContainerLayer bool     // True if the tar stream to be applied is a Windows Container Layer
+	Filter                  Filter   // Filter tar headers
 }
 
 // WithParentLayers adds parent layers to the apply process this is required
diff --git a/cmd/containerd/builtins.go b/cmd/containerd/builtins.go
@@ -30,6 +30,7 @@ import (
 	_ "github.com/containerd/containerd/services/introspection"
 	_ "github.com/containerd/containerd/services/leases"
 	_ "github.com/containerd/containerd/services/namespaces"
+	_ "github.com/containerd/containerd/services/opt"
 	_ "github.com/containerd/containerd/services/snapshots"
 	_ "github.com/containerd/containerd/services/tasks"
 	_ "github.com/containerd/containerd/services/version"
diff --git a/cmd/ctr/app/main.go b/cmd/ctr/app/main.go
@@ -24,6 +24,7 @@ import (
 	"github.com/containerd/containerd/cmd/ctr/commands/content"
 	"github.com/containerd/containerd/cmd/ctr/commands/events"
 	"github.com/containerd/containerd/cmd/ctr/commands/images"
+	"github.com/containerd/containerd/cmd/ctr/commands/install"
 	"github.com/containerd/containerd/cmd/ctr/commands/leases"
 	namespacesCmd "github.com/containerd/containerd/cmd/ctr/commands/namespaces"
 	"github.com/containerd/containerd/cmd/ctr/commands/plugins"
@@ -103,6 +104,7 @@ containerd CLI
 		run.Command,
 		snapshots.Command,
 		tasks.Command,
+		install.Command,
 	}, extraCmds...)
 	app.Before = func(context *cli.Context) error {
 		if context.GlobalBool("debug") {
diff --git a/cmd/ctr/commands/install/install.go b/cmd/ctr/commands/install/install.go
@@ -0,0 +1,43 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package install
+
+import (
+	"github.com/containerd/containerd/cmd/ctr/commands"
+	"github.com/urfave/cli"
+)
+
+// Command to install binary packages
+var Command = cli.Command{
+	Name:        "install",
+	Usage:       "install a new package",
+	ArgsUsage:   "<ref>",
+	Description: "install a new package",
+	Action: func(context *cli.Context) error {
+		client, ctx, cancel, err := commands.NewClient(context)
+		if err != nil {
+			return err
+		}
+		defer cancel()
+		ref := context.Args().First()
+		image, err := client.GetImage(ctx, ref)
+		if err != nil {
+			return err
+		}
+		return client.Install(ctx, image)
+	},
+}
diff --git a/install.go b/install.go
@@ -0,0 +1,76 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package containerd
+
+import (
+	"archive/tar"
+	"context"
+	"errors"
+	"path/filepath"
+
+	introspectionapi "github.com/containerd/containerd/api/services/introspection/v1"
+	"github.com/containerd/containerd/archive"
+	"github.com/containerd/containerd/archive/compression"
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/platforms"
+)
+
+// Install a binary image into the opt service
+func (c *Client) Install(ctx context.Context, image Image) error {
+	resp, err := c.IntrospectionService().Plugins(ctx, &introspectionapi.PluginsRequest{
+		Filters: []string{
+			"id==opt",
+		},
+	})
+	if err != nil {
+		return err
+	}
+	if len(resp.Plugins) != 1 {
+		return errors.New("opt service not enabled")
+	}
+	path := resp.Plugins[0].Exports["path"]
+	if path == "" {
+		return errors.New("opt path not exported")
+	}
+	var (
+		cs       = image.ContentStore()
+		platform = platforms.Default()
+	)
+	manifest, err := images.Manifest(ctx, cs, image.Target(), platform)
+	if err != nil {
+		return err
+	}
+	for _, layer := range manifest.Layers {
+		ra, err := cs.ReaderAt(ctx, layer)
+		if err != nil {
+			return err
+		}
+		cr := content.NewReader(ra)
+		r, err := compression.DecompressStream(cr)
+		if err != nil {
+			return err
+		}
+		defer r.Close()
+		if _, err := archive.Apply(ctx, path, r, archive.WithFilter(func(hdr *tar.Header) bool {
+			return filepath.Dir(hdr.Name) == "bin"
+		})); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/services/opt/path_unix.go b/services/opt/path_unix.go
@@ -0,0 +1,21 @@
+// +build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package opt
+
+const defaultPath = "/opt/containerd"
diff --git a/services/opt/path_windows.go b/services/opt/path_windows.go
@@ -0,0 +1,25 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package opt
+
+import (
+	"path/filepath"
+
+	"github.com/containerd/containerd/defaults"
+)
+
+var defaultPath = filepath.Join(defaults.DefaultRootDir, "opt")
diff --git a/services/opt/service.go b/services/opt/service.go
@@ -0,0 +1,58 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package opt
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/containerd/plugin"
+	"github.com/pkg/errors"
+)
+
+// Config for the opt manager
+type Config struct {
+	// Path for the opt directory
+	Path string `toml:"path"`
+}
+
+func init() {
+	plugin.Register(&plugin.Registration{
+		Type: plugin.InternalPlugin,
+		ID:   "opt",
+		Config: &Config{
+			Path: defaultPath,
+		},
+		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
+			path := ic.Config.(*Config).Path
+			ic.Meta.Exports["path"] = path
+
+			bin := filepath.Join(path, "bin")
+			if err := os.MkdirAll(bin, 0711); err != nil {
+				return nil, err
+			}
+			if err := os.Setenv("PATH", fmt.Sprintf("%s:%s", bin, os.Getenv("PATH"))); err != nil {
+				return nil, errors.Wrapf(err, "set binary image directory in path %s", bin)
+			}
+			return &manager{}, nil
+		},
+	})
+}
+
+type manager struct {
+}

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,9 @@ func Apply(ctx context.Context, root string, r io.Reader, opts ...ApplyOpt) (int`
`114`	`114`	`return 0, errors.Wrap(err, "failed to apply option")`
`115`	`115`	`}`
`116`	`116`	`}`
	`117`	`+ if options.Filter == nil {`
	`118`	`+ options.Filter = all`
	`119`	`+ }`
`117`	`120`
`118`	`121`	`return apply(ctx, root, tar.NewReader(r), options)`
`119`	`122`	`}`
`@@ -155,6 +158,10 @@ func applyNaive(ctx context.Context, root string, tr *tar.Reader, options ApplyO`
`155`	`158`	`// Normalize name, for safety and for a simple is-root check`
`156`	`159`	`hdr.Name = filepath.Clean(hdr.Name)`
`157`	`160`
	`161`	`+ if !options.Filter(hdr) {`
	`162`	`+ continue`
	`163`	`+ }`
	`164`	`+`
`158`	`165`	`if skipFile(hdr) {`
`159`	`166`	`log.G(ctx).Warnf("file %q ignored: archive may not be supported on system", hdr.Name)`
`160`	`167`	`continue`
Original file line number	Diff line number	Diff line change
`@@ -20,4 +20,5 @@ package archive`
`20`	`20`
`21`	`21`	`// ApplyOptions provides additional options for an Apply operation`
`22`	`22`	`type ApplyOptions struct {`
	`23`	`+ Filter Filter // Filter tar headers`
`23`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ package archive`
`22`	`22`	`type ApplyOptions struct {`
`23`	`23`	`ParentLayerPaths []string // Parent layer paths used for Windows layer apply`
`24`	`24`	`IsWindowsContainerLayer bool // True if the tar stream to be applied is a Windows Container Layer`
	`25`	`+ Filter Filter // Filter tar headers`
`25`	`26`	`}`
`26`	`27`
`27`	`28`	`// WithParentLayers adds parent layers to the apply process this is required`