containerd / nerdctl Goto Github PK

View Code? Open in Web Editor NEW

7.7K 7.7K 570.0 8.1 MB

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...

License: Apache License 2.0

Go 97.08% Makefile 0.21% Dockerfile 0.84% Shell 1.63% Roff 0.11% PowerShell 0.05% Ruby 0.08%

containerd

nerdctl's People

Contributors

Stargazers

Watchers

Forkers

fuweid isgasho ctmcisco christian-korneck nooproblem seemethere tchigher shishir-a412ed hmilkovi hien knight42 06kellyjac daxmc99 nikhilgorantla xin-cqu fahedouch dio bharath-123 albertocavalcante shivdudhani ukontainer neverso ktock westonsteimel akihirosuda mikebrow dhiltgen nikopen mthalman edgarlanting dolanor-galaxy zcubbs ibreakthecloud amissine wzshiming tears-of-noobs isabella232 hadoop835 chester-cl-liu tuananh jsturtevant racoltacalin pathcl ldnn elserhumano watermeion jangocheng usamaelshazly hmrg-grmh hs0210 cndoit18 kulong0105 huihuiyule-www happysky2046 rkjakeer doytsujin timyinshi smowafy metaimagine shaneutt liubin pwfoo rudeigerc maxking zhengqin apx103 ilyee jadarsie acodetailor dmiruke cyril-corbon calshankar louygan lwdgit developgo k36666 developer-guy vbatts cpuguy83 ningmingxiao cnb0 ksaur jacobjohansen onixus74 jenot15 cli-design robberphex jorgearteiro djs55 okamosy hassanalsamahi akhramov piotrbelina hypnoce ameir tosone ehazlett chmarp winonecheng farhansaed

nerdctl's Issues

Pack all the deps in a single tar.gz (“nerdpack”)

Pack all the dependency binaries in a single "nerdpack.tar.gz"

nerdctl
containerd
runc
CNI plugins
BuildKit
stargz snapshotter
imgcrypt
RootlessKit
slirp4netns

Add compatible with io.containerd.kata.v2

Hi,

When i running nerdctl with kata containers , there are some error on exit:

# nerdctl run --runtime io.containerd.kata.v2 -it --rm docker.io/library/alpine:latest sh
WARN[0000] To isolate bridge networks, CNI plugin "isolation" needs to be installed in CNI_PATH ("/opt/cni/bin"), see https://github.com/AkihiroSuda/cni-isolation 
WARN[0000] cannot set cgroup manager to "systemd" for runtime "io.containerd.kata.v2" 
/ # ls
bin    dev    etc    home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
/ # exit
ERRO[0004] exit status 1: stdout: , stderr: time="2021-03-22T17:38:55+08:00" level=fatal msg="state dir must be set": unknown 
WARN[0004] failed to remove container "981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5"  error="failed to delete task 981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5: exit status 1: stdout: , stderr: time=\"2021-03-22T17:38:55+08:00\" level=fatal msg=\"state dir must be set\"\n: unknown"
WARN[0004] failed to remove container "981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5"  error="failed to delete task 981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5: exit status 1: stdout: , stderr: time=\"2021-03-22T17:38:55+08:00\" level=fatal msg=\"state dir must be set\"\n: unknown"
WARN[0004] failed to release name store for container "981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5"  error="failed to delete task 981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5: exit status 1: stdout: , stderr: time=\"2021-03-22T17:38:55+08:00\" level=fatal msg=\"state dir must be set\"\n: unknown"
WARN[0004] failed to remove container 981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5  error="failed to delete task 981ec8f9968d8c61ee93e581b24e4520484177fd2dad2b3f74f7ce3cb4c3c7a5: exit status 1: stdout: , stderr: time=\"2021-03-22T17:38:55+08:00\" level=fatal msg=\"state dir must be set\"\n: unknown"

There are not error when running with ctr, so i think it may be some compatible issue in nerdctl.
It is better to support kata as an alternavive runtime.

# ctr run --runtime io.containerd.kata.v2 -t --rm docker.io/library/alpine:latest abc sh
/ # ls
bin    dev    etc    home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
/ # exit

test env:

❯ kata-runtime --version
  : 2.0.1
   commit   : 3df65f4f3a439c8c7b97dd581f8ff4fc1c877a70
   OCI specs: 1.0.1-dev
❯ nerdctl --version
nerdctl version 0.7.2
❯ ctr --version
ctr github.com/containerd/containerd v1.4.4

Thanks.

CI: switch away from Docker Hub

nerdctl/pkg/testutil/testutil.go

Lines 276 to 282 in ed8eec8

    
           // use GCR mirror to avoid hitting Docker Hub rate limit 
        
           const ( 
        
           	AlpineImage                 = "mirror.gcr.io/library/alpine:3.13" 
        
           	NginxAlpineImage            = "mirror.gcr.io/library/nginx:1.19-alpine" 
        
           	NginxAlpineIndexHTMLSnippet = "<title>Welcome to nginx!</title>" 
        
           	RegistryImage               = "mirror.gcr.io/library/registry:2" 
        
           )

Docker Hub has rate limit, and OTOH mirror.gcr.io seems unstable:

docker: Error response from daemon: manifest for mirror.gcr.io/library/nginx:1.19-alpine not found: manifest unknown: Failed to fetch "1.19-alpine" from request "/v2/library/nginx/manifests/1.19-alpine".

We are currently using ~~mirror.gcr.io~~ (EDIT: switched back to plain old Docker Hub: #148) but should switch to something else.

Requirements:

No rate limit
Stable
Provides multi-arch images for alpine:3.13, nginx:1.19-alpine, and registry:2

cannot work with k3s

Hello

K3s is running ,but there is no output from nerdctl .

./nerdctl --address /run/k3s/containerd/containerd.sock ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

Thanks !

Running over tunneled sockets

Is it possible to run the nerdctl client over tunneled sockets ?

Trying to run, but getting errors from the supposed local rootless.

$ ctr --version
ctr containerd.io 1.4.4
$ echo $CONTAINERD_ADDRESS 
./containerd.sock

$ ctr version
Client:
  Version:  1.4.4
  Revision: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
  Go version: go1.13.15

Server:
  Version:  1.4.3
  Revision: 269548fa27e0089a8b8278fc4fc781d7f65a939b
  UUID: dbc0f319-4fee-4dc1-9c5f-1e3433fe6c68
WARNING: version mismatch
WARNING: revision mismatch

$ nerdctl --version
nerdctl version 0.7.1
$ nerdctl version
FATA[0000] rootless containerd not running? (hint: use `containerd-rootless-setuptool.sh install` to start rootless containerd): stat /run/user/1000/containerd-rootless: no such file or directory

~~Similar with BuildKit, but couldn't find the environment variable for it.~~

It also has a slightly different syntax on the param and the address.

$ buildctl debug workers
ID				PLATFORMS
m54eigt1xxnto7i8iihho63dw	linux/amd64
$ echo $BUILDKIT_HOST 
unix://buildkitd.sock

EDIT: Did find BUILDKIT_HOST eventually, didn't look hard enough.

Guess it rhymes with DOCKER_HOST and not CONTAINERD_ADDRESS

add script for updating `Dockerfile.d/SHA256SUMS.d`

Suggested by @ktock: #147 (review)

For making the contribution easier, we'll want helper scripts something like this ( https://github.com/kubernetes-sigs/kind/blob/8fe8b962521db017e3ffb22fc410f521dd8bc154/images/base/update-shasums.sh )

Can you add binaries please?

Perhaps the CI from arkade/k3sup would help here? Feel free to use it as an example:

https://github.com/alexellis/arkade/blob/master/.github/workflows/publish.yml
https://github.com/alexellis/arkade/blob/master/.github/workflows/build.yml

On my RPi I get this error, so having binaries would be useful.

pi@k4s-1:~ $ go get -u github.com/AkihiroSuda/nerdctl
nerdctl
ls go/bin/
# cd /home/pi/go/src/github.com/containerd/containerd; git pull --ff-only
From https://github.com/containerd/containerd
   c8523cc5b..e98d7f8ea master      -> origin/master
   7f1f9b1cb..3b3e9d5f6 release/1.2 -> origin/release/1.2
   6c71fe1c4..ea765aba0 release/1.3 -> origin/release/1.3
   09814d48d..269548fa2 release/1.4 -> origin/release/1.4
 * [new tag]           v1.3.9      -> v1.3.9
 * [new tag]           v1.4.3      -> v1.4.3
 * [new tag]             v1.2.14     -> v1.2.14
 * [new tag]             v1.3.8      -> v1.3.8
 * [new tag]             v1.4.1      -> v1.4.1
 * [new tag]             v1.4.2      -> v1.4.2
You are not currently on a branch.
Please specify which branch you want to merge with.
See git-pull(1) for details.

    git pull <remote> <branch>

package github.com/containerd/containerd: exit status 1
package github.com/containerd/containerd/reference/docker: cannot find package "github.com/containerd/containerd/reference/docker" in any of:
	/usr/local/go/src/github.com/containerd/containerd/reference/docker (from $GOROOT)
	/home/pi/go/src/github.com/containerd/containerd/reference/docker (from $GOPATH)

package github.com/containerd/containerd: exit status 1
package github.com/containerd/containerd/reference/docker: cannot find package "github.com/containerd/containerd/reference/docker" in any of:
	/usr/local/go/src/github.com/containerd/containerd/reference/docker (from $GOROOT)
	/home/pi/go/src/github.com/containerd/containerd/reference/docker (from $GOPATH)

Enhance install instructions with BuildKit steps

While I'd love to see native OS packages (deb/rpm) so it's easier to stay up to date, the install instructions on the releases page are super helpful to get folks up and running quickly using the full tar file.

The one piece that's missing is further instructions on how to get BuildKit running properly so build works.

I followed the Quickstart Rootful instructions on 0.7.1, got hello world run to work, but build doesn't

% nerdctl build -t test .
FATA[0000] rootless containerd not running? (hint: use `containerd-rootless-setuptool.sh install` to start rootless containerd): stat /run/user/1000/containerd-rootless: no such file or directory

I think build will be a key use case for a lot of people coming from the docker ecosystem, so it would be nice to help them along the journey.

`nerdctl run -p 8080:80` should listen on IPv6 as well

Currently, nerdctl run -p 8080:80 does not listen on IPv6, while docker run -p 8080:80 listens on IPv6 as well as on IPv4.

let `sudo nerdctl <COMMAND> <TAB>` show rootful objects, not rootless ones

Currently, sudo nerdctl rm <TAB> shows rootless containers, but this should show rootful containers.

Add Makefile

Write a Makefile for the project to allow easy compiling.

nerdctl panics on missing XDG_RUNTIME_DIR env var

Expected behavior: I'd expect it to exit more cleanly where XDG_RUNTIME_DIR is really needed & continue on where it isn't needed

$ nerdctl completion bash

panic: environment variable XDG_RUNTIME_DIR is not set

goroutine 1 [running]:
github.com/AkihiroSuda/nerdctl/pkg/defaults.BuildKitHost(0x203000, 0x203000)
        github.com/AkihiroSuda/nerdctl/pkg/defaults/defaults.go:86 +0x105
main.init()
        github.com/AkihiroSuda/nerdctl/build.go:42 +0x34

`nerdctl images` should show unpacked size

nerdctl images is expected to show unpacked size as in docker images

$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
alpine       latest    389fef711851   2 weeks ago   5.58MB

The current implementation shows packed size:

$ nerdctl images
REPOSITORY    TAG       IMAGE ID        CREATED          SIZE
alpine        latest    3c7497bf0c7a    5 seconds ago    2.7 MiB

https://github.com/AkihiroSuda/nerdctl/blob/5bb45da65b3e16ae69cde5ce8bf3a5b80c2d22ba/images.go#L83

docker inspect Portbinding information

Container exposed port are not shown in nerdctl inspect command .

docker :

        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "ebbb0cd371a1ff02304ec6031b4b200ee7c83eb37ac3e34ec8278e2a3884bb80",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "80/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "80"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "80"
                    }
                ]
            },

this should be implement in nerdctl

Provide linux/ppc64le binary

It would be awesome if the team could produce binary for linux ppc64le.

It could be done with cross-compilation OR if needed I could provide you the access to my ppc64le linux box

Flaky test: TestLogsWithFailingContainer

=== RUN   TestLogsWithFailingContainer
    logs_test.go:46: assertion failed: 
        Command:  /usr/local/bin/nerdctl --namespace=nerdctl-test logs -f nerdctl-test-logs
        ExitCode: 0
        Stdout:   
        Stderr:   
        
        Failures:
        Expected stdout to contain "bar"
--- FAIL: TestLogsWithFailingContainer (0.50s)

Support `nerdctl run --security-opt=XXX`

Add the security options to the nerdctl run.

Windows support

I am looking for a way to use containerd on Windows Server 2019 with a Docker CLI replacement like this one. I see there are Linux builds, but has a Windows port been attempted?

Long story short, containerd for Windows should handle graceful shutdowns for containers, but the current version of Docker is still using HCS v1 + some really broken stuff under the hood, meaning Windows containers have never supported graceful shutdowns (microsoft/Windows-Containers#16).

There is no clear migration path for Docker to adopt containerd on Windows in the short term, so I would be fine with installing containerd on Windows (https://kubernetes.io/docs/setup/production-environment/container-runtimes/#install-containerd) but then I just need a proper CLI on top of it, other than 'ctr' which is very primitive and marked as unsupported/unstable.

I am not familiar with Go, but how difficult would it be to attempt a Windows port of this tool?

Docker-py compatible Python Bindings for nerdctl / containerd

It would be interesting to create python bindings for nerdctl that are compatible with the docker-py implementation as well.
With this it might be possible to run docker-compose (or nerd-compose) via containerd.

Support `nerdctl logs [CONTAINER ID]`

Support nerdctl logs [CONTAINER ID]. It get the container's log on the containerd.

Support `nerdctl save [CONTAINER IMAGE ID]`

Support nerdctl save [CONTAINER IMAGE ID].

--entrypoint support for nerdctl run

Is there a plan to support --entrypoint for the nerdctl run command?
I see it's supported in podman so was wondering if it's part of the nerdctl roadmap?

I can take a stab at it, but right now I am not very clear on how to go about it! since OCI runtime spec doesn't have a notion of entrypoint

/cc @AkihiroSuda

Please add official pronunciation guide to avoid fragmenting the community 😂

I'm sorry for polluting your repo with this joke issue

Can not run kata-containers with nerdctl in rootless mode

Hi,

When i try to run kata-containers with nerdctl in rootless mode, there is a fatal error

$ nerdctl --debug run --runtime io.containerd.kata.v2 -it alpine sh
DEBU[0000] rootless parent main: executing "/usr/bin/nsenter" with [-r/ -w/home/lsm/work/github/nerdctl --preserve-credentials -m -n -U -t 424166 -F nerdctl --debug run --runtime io.containerd.kata.v2 -it alpine sh] 
WARN[0000] To isolate bridge networks, CNI plugin "isolation" needs to be installed in CNI_PATH ("/opt/cni/bin"), see https://github.com/AkihiroSuda/cni-isolation 
WARN[0000] cannot set cgroup manager to "systemd" for runtime "io.containerd.kata.v2" 
FATA[0000] operation not permitted: unknown

logs in container shows:

$ nerdctl logs bcc7cdec6843
FATA[0000] failed to open "/home/lsm/.local/share/nerdctl/1935db59/containers/default/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10-json.log", container is not created with `nerdctl run -d`?: stat /home/lsm/.local/share/nerdctl/1935db59/containers/default/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10-json.log: no such file or directory

the specified directory only has resolv.conf file:

$ ls -l /home/lsm/.local/share/nerdctl/1935db59/containers/default/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10                                                                                                       
Alias tip: ll /home/lsm/.local/share/nerdctl/1935db59/containers/default/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10
total 4
-rw-r--r-- 1 lsm lsm 57 Mar 24 20:20 resolv.conf

the containerd logs:

Mar 24 20:20:59 stable containerd-rootless.sh[424191]: time="2021-03-24T20:20:59.973694862+08:00" level=debug msg="stat snapshot" key="sha256:cb381a32b2296e4eb5af3f84092a2e6685e88adbc54ee0768a1a1010ce6376c7"
Mar 24 20:20:59 stable containerd-rootless.sh[424191]: time="2021-03-24T20:20:59.986019983+08:00" level=debug msg="prepare snapshot" key=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 parent="sha256:cb381a32b2296e4eb5af3f84092a2e6685e88adbc54ee0768a1a1010ce6376c7"
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.005997956+08:00" level=debug msg="event published" ns=default topic=/snapshot/prepare type=containerd.events.SnapshotPrepare
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.009349200+08:00" level=debug msg="get snapshot mounts" key=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.052399224+08:00" level=debug msg="event published" ns=default topic=/containers/create type=containerd.events.ContainerCreate
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.061838750+08:00" level=debug msg="get snapshot mounts" key=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.141498645+08:00" level=debug msg="registering ttrpc server"
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.141667806+08:00" level=debug msg="serving api on abstract socket" socket="[inherited from parent]"
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.141700703+08:00" level=info msg="starting signal loop" namespace=default path=/run/containerd/io.containerd.runtime.v2.task/default/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 pid=425356
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.142074716+08:00" level=debug msg="converting /run/containerd/io.containerd.runtime.v2.task/default/bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10/config.json" pid=425356 sandbox=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 source=virtcontainers subsystem=compatoci
Mar 24 20:21:00 stable kata[425356]: time="2021-03-24T20:21:00.146501275+08:00" level=info msg="loaded configuration" file=/etc/.ro921613803/kata-containers/configuration.toml format=TOML pid=425356 sandbox=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 source=katautils
Mar 24 20:21:00 stable kata[425356]: time="2021-03-24T20:21:00.146660798+08:00" level=info msg="IOMMUPlatform is disabled by default." pid=425356 sandbox=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 source=katautils
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.146501275+08:00" level=info msg="loaded configuration" file=/etc/.ro921613803/kata-containers/configuration.toml format=TOML pid=425356 sandbox=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 source=katautils
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.146660798+08:00" level=info msg="IOMMUPlatform is disabled by default." pid=425356 sandbox=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 source=katautils
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.147275144+08:00" level=info msg="shm-size detected: 67108864" source=virtcontainers subsystem=oci
Mar 24 20:21:00 stable kata[425356]: time="2021-03-24T20:21:00.147275144+08:00" level=info msg="shm-size detected: 67108864" source=virtcontainers subsystem=oci
Mar 24 20:21:00 stable kata[425356]: time="2021-03-24T20:21:00.148721538+08:00" level=info msg="create netns" netns=/run/user/1000/netns/net-b37cc011-a5c1-e7df-e334-25ec56812f79 pid=425356 sandbox=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 source=katautils
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.148721538+08:00" level=info msg="create netns" netns=/run/user/1000/netns/net-b37cc011-a5c1-e7df-e334-25ec56812f79 pid=425356 sandbox=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10 source=katautils
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.202585125+08:00" level=debug msg="garbage collected" d=6.465577ms
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.215223216+08:00" level=debug msg="failed to delete task" error="rpc error: code = NotFound desc = container does not exist bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10: not found" id=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.217176886+08:00" level=info msg="shim disconnected" id=bcc7cdec68437f9d9c91110d5dac7529838146cf06dfd67dbfb35128ec78fb10
Mar 24 20:21:00 stable containerd-rootless.sh[424191]: time="2021-03-24T20:21:00.217307144+08:00" level=error msg="copy shim log" error="read /proc/self/fd/16: file already closed"

Move from github.com/AkihiroSuda to github.com/containerd

Proposed in containerd/project#69

rootless: containerd.service cannot be restarted when killed

$ systemctl --user kill -s KILL containerd
$ nerdctl info
FATA[0000] stat /run/user/1001/containerd-rootless/child_pid: no such file or directory

AkihiroSuda@692cb8a

RootlessKit v0.13.1

Remove the ctr command

When we run nerdctl build , the ctr command which is unsupported by containerd proj is called.
We should remove it.

rootless: -p with a specific host IP does not work

$ nerdctl run -d -p 192.168.60.11:8080:80 nginx:alpine
$ curl 192.168.60.11:8080
curl: (56) Recv failure: Connection reset by peer

192.168.60.11 is the IP of the host interface.

Support decryption and encryption

ref: containerd/imgcrypt#32

imcompatible with docker cli regarding port mapping (docker run -p 7000-7005:7000-7005)

this works in docker cli

docker run -p 7000-7005:7000-7005 myimage

however, with nerdctl, i got this error

FATA[0000] strconv.Atoi: parsing "7000-7005": invalid syntax

it seems that nerdctl does dedup str slice for port portSlice := strutil.DedupeStrSlice(clicontext.StringSlice("p")) but doesn't take into account this case.

Support filters opts

Add the filter options to the nerdctl.

The almost default behavior to add multiple filter args is equals to append OR conditions.

rootless: provide workaround for `nerdctl pull 127.0.0.1:5000/foo`

nerdctl pull 127.0.0.1:5000/foo with rootless doesn't work as expected because pull occurs in the child namespace.

Needs something like socat exec:'containerd-rootless-setuptool.sh nsenter socat "tcp-listen:5000,reuseaddr,fork" "stdio"' tcp-connect:127.0.0.1:5000 (WIP: this exits on HTTP error)

mysql doesn't work: "Could not create unix socket lock file /var/run/mysqld/mysqld.sock.lock."

mysql:5.7 fails with "Could not create unix socket lock file /var/run/mysqld/mysqld.sock.lock." error:

$ sudo nerdctl run --rm -e MYSQL_RANDOM_ROOT_PASSWORD=1 mysql:5.7
2021-04-06 09:54:04+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.33-1debian10 started.
2021-04-06 09:54:04+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2021-04-06 09:54:04+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.33-1debian10 started.
2021-04-06 09:54:04+00:00 [Note] [Entrypoint]: Initializing database files
2021-04-06T09:54:04.538227Z 0 [Warning] Changed limits: max_open_files: 1024 (requested 5000)
2021-04-06T09:54:04.538279Z 0 [Warning] Changed limits: table_open_cache: 431 (requested 2000)
2021-04-06T09:54:04.538422Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2021-04-06T09:54:04.681246Z 0 [Warning] InnoDB: New log files created, LSN=45790
2021-04-06T09:54:04.702290Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2021-04-06T09:54:04.757163Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 05a4ce2c-96be-11eb-ae5d-6a02f70cbce2.
2021-04-06T09:54:04.758657Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2021-04-06T09:54:05.245398Z 0 [Warning] CA certificate ca.pem is self signed.
2021-04-06T09:54:05.312521Z 1 [Warning] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2021-04-06 09:54:07+00:00 [Note] [Entrypoint]: Database files initialized
2021-04-06 09:54:07+00:00 [Note] [Entrypoint]: Starting temporary server
2021-04-06 09:54:07+00:00 [Note] [Entrypoint]: Waiting for server startup
2021-04-06T09:54:07.406640Z 0 [Warning] Changed limits: max_open_files: 1024 (requested 5000)
2021-04-06T09:54:07.406802Z 0 [Warning] Changed limits: table_open_cache: 431 (requested 2000)
2021-04-06T09:54:07.562373Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2021-04-06T09:54:07.563477Z 0 [Note] mysqld (mysqld 5.7.33) starting as process 79 ...
2021-04-06T09:54:07.567023Z 0 [Note] InnoDB: PUNCH HOLE support available
2021-04-06T09:54:07.567156Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2021-04-06T09:54:07.567244Z 0 [Note] InnoDB: Uses event mutexes
2021-04-06T09:54:07.567283Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2021-04-06T09:54:07.567320Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2021-04-06T09:54:07.567359Z 0 [Note] InnoDB: Using Linux native AIO
2021-04-06T09:54:07.567566Z 0 [Note] InnoDB: Number of pools: 1
2021-04-06T09:54:07.567771Z 0 [Note] InnoDB: Using CPU crc32 instructions
2021-04-06T09:54:07.569022Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2021-04-06T09:54:07.574574Z 0 [Note] InnoDB: Completed initialization of buffer pool
2021-04-06T09:54:07.576370Z 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2021-04-06T09:54:07.588582Z 0 [Note] InnoDB: Highest supported file format is Barracuda.
2021-04-06T09:54:07.597812Z 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2021-04-06T09:54:07.598199Z 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2021-04-06T09:54:07.612405Z 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2021-04-06T09:54:07.613822Z 0 [Note] InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.
2021-04-06T09:54:07.614059Z 0 [Note] InnoDB: 32 non-redo rollback segment(s) are active.
2021-04-06T09:54:07.615034Z 0 [Note] InnoDB: Waiting for purge to start
2021-04-06T09:54:07.665894Z 0 [Note] InnoDB: 5.7.33 started; log sequence number 2746831
2021-04-06T09:54:07.666379Z 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2021-04-06T09:54:07.666880Z 0 [Note] Plugin 'FEDERATED' is disabled.
2021-04-06T09:54:07.668750Z 0 [Note] InnoDB: Buffer pool(s) load completed at 210406  9:54:07
2021-04-06T09:54:07.674449Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2021-04-06T09:54:07.675043Z 0 [Note] Skipping generation of SSL certificates as certificate files are present in data directory.
2021-04-06T09:54:07.676457Z 0 [Warning] CA certificate ca.pem is self signed.
2021-04-06T09:54:07.676935Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
2021-04-06T09:54:07.677496Z 0 [ERROR] Could not create unix socket lock file /var/run/mysqld/mysqld.sock.lock.
2021-04-06T09:54:07.677657Z 0 [ERROR] Unable to setup unix socket lock file.
2021-04-06T09:54:07.677718Z 0 [ERROR] Aborting

2021-04-06T09:54:07.677938Z 0 [Note] Binlog end
2021-04-06T09:54:07.678252Z 0 [Note] Shutting down plugin 'ngram'
2021-04-06T09:54:07.678561Z 0 [Note] Shutting down plugin 'partition'
2021-04-06T09:54:07.678647Z 0 [Note] Shutting down plugin 'BLACKHOLE'
2021-04-06T09:54:07.678714Z 0 [Note] Shutting down plugin 'ARCHIVE'
2021-04-06T09:54:07.678774Z 0 [Note] Shutting down plugin 'PERFORMANCE_SCHEMA'
2021-04-06T09:54:07.678929Z 0 [Note] Shutting down plugin 'MRG_MYISAM'
2021-04-06T09:54:07.679026Z 0 [Note] Shutting down plugin 'MyISAM'
2021-04-06T09:54:07.679225Z 0 [Note] Shutting down plugin 'INNODB_SYS_VIRTUAL'
2021-04-06T09:54:07.679362Z 0 [Note] Shutting down plugin 'INNODB_SYS_DATAFILES'
2021-04-06T09:54:07.679428Z 0 [Note] Shutting down plugin 'INNODB_SYS_TABLESPACES'
2021-04-06T09:54:07.679486Z 0 [Note] Shutting down plugin 'INNODB_SYS_FOREIGN_COLS'
2021-04-06T09:54:07.679558Z 0 [Note] Shutting down plugin 'INNODB_SYS_FOREIGN'
2021-04-06T09:54:07.679621Z 0 [Note] Shutting down plugin 'INNODB_SYS_FIELDS'
2021-04-06T09:54:07.679662Z 0 [Note] Shutting down plugin 'INNODB_SYS_COLUMNS'
2021-04-06T09:54:07.679725Z 0 [Note] Shutting down plugin 'INNODB_SYS_INDEXES'
2021-04-06T09:54:07.679848Z 0 [Note] Shutting down plugin 'INNODB_SYS_TABLESTATS'
2021-04-06T09:54:07.679908Z 0 [Note] Shutting down plugin 'INNODB_SYS_TABLES'
2021-04-06T09:54:07.679958Z 0 [Note] Shutting down plugin 'INNODB_FT_INDEX_TABLE'
2021-04-06T09:54:07.680085Z 0 [Note] Shutting down plugin 'INNODB_FT_INDEX_CACHE'
2021-04-06T09:54:07.680210Z 0 [Note] Shutting down plugin 'INNODB_FT_CONFIG'
2021-04-06T09:54:07.680320Z 0 [Note] Shutting down plugin 'INNODB_FT_BEING_DELETED'
2021-04-06T09:54:07.680367Z 0 [Note] Shutting down plugin 'INNODB_FT_DELETED'
2021-04-06T09:54:07.680510Z 0 [Note] Shutting down plugin 'INNODB_FT_DEFAULT_STOPWORD'
2021-04-06T09:54:07.680570Z 0 [Note] Shutting down plugin 'INNODB_METRICS'
2021-04-06T09:54:07.680611Z 0 [Note] Shutting down plugin 'INNODB_TEMP_TABLE_INFO'
2021-04-06T09:54:07.680689Z 0 [Note] Shutting down plugin 'INNODB_BUFFER_POOL_STATS'
2021-04-06T09:54:07.680782Z 0 [Note] Shutting down plugin 'INNODB_BUFFER_PAGE_LRU'
2021-04-06T09:54:07.680895Z 0 [Note] Shutting down plugin 'INNODB_BUFFER_PAGE'
2021-04-06T09:54:07.680964Z 0 [Note] Shutting down plugin 'INNODB_CMP_PER_INDEX_RESET'
2021-04-06T09:54:07.681066Z 0 [Note] Shutting down plugin 'INNODB_CMP_PER_INDEX'
2021-04-06T09:54:07.681146Z 0 [Note] Shutting down plugin 'INNODB_CMPMEM_RESET'
2021-04-06T09:54:07.681181Z 0 [Note] Shutting down plugin 'INNODB_CMPMEM'
2021-04-06T09:54:07.681333Z 0 [Note] Shutting down plugin 'INNODB_CMP_RESET'
2021-04-06T09:54:07.681423Z 0 [Note] Shutting down plugin 'INNODB_CMP'
2021-04-06T09:54:07.681493Z 0 [Note] Shutting down plugin 'INNODB_LOCK_WAITS'
2021-04-06T09:54:07.681674Z 0 [Note] Shutting down plugin 'INNODB_LOCKS'
2021-04-06T09:54:07.681758Z 0 [Note] Shutting down plugin 'INNODB_TRX'
2021-04-06T09:54:07.681823Z 0 [Note] Shutting down plugin 'InnoDB'
2021-04-06T09:54:07.682321Z 0 [Note] InnoDB: FTS optimize thread exiting.
2021-04-06T09:54:07.683916Z 0 [Note] InnoDB: Starting shutdown...
2021-04-06T09:54:07.785292Z 0 [Note] InnoDB: Dumping buffer pool(s) to /var/lib/mysql/ib_buffer_pool
2021-04-06T09:54:07.785637Z 0 [Note] InnoDB: Buffer pool(s) dump completed at 210406  9:54:07
2021-04-06T09:54:09.298766Z 0 [Note] InnoDB: Shutdown completed; log sequence number 2746850
2021-04-06T09:54:09.302354Z 0 [Note] InnoDB: Removed temporary tablespace data file: "ibtmp1"
2021-04-06T09:54:09.302803Z 0 [Note] Shutting down plugin 'MEMORY'
2021-04-06T09:54:09.303010Z 0 [Note] Shutting down plugin 'CSV'
2021-04-06T09:54:09.303350Z 0 [Note] Shutting down plugin 'sha256_password'
2021-04-06T09:54:09.303536Z 0 [Note] Shutting down plugin 'mysql_native_password'
2021-04-06T09:54:09.303974Z 0 [Note] Shutting down plugin 'binlog'
2021-04-06T09:54:09.304578Z 0 [Note] mysqld: Shutdown complete

2021-04-06 09:54:38+00:00 [ERROR] [Entrypoint]: Unable to start server.

System info

$ sudo nerdctl info
Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: v1.5.0-beta.4-95-g9a9bd0975
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log: json-file
  Storage: native overlayfs fuse-overlayfs stargz
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.8.0-48-generic
 Operating System: Ubuntu 20.10
 OSType: linux
 Architecture: x86_64
 Name: suda-ws01
 ID: 343cfb49-cce9-453f-b21c-e5d22ca2cb47

$ sudo nerdctl version
Client:
 Version:       v0.7.3
 Git commit:    77801f5042e05ed3cac52efbeb18aafc09795675

Server:
 containerd:
  Version:      v1.5.0-beta.4-95-g9a9bd0975
  Revision:     9a9bd097564b0973bfdb0b39bf8262aa1b7da6aa

Don't see the CNI default bridge!

ls -l /opt/cni/bin/
total 72196
-rwxr-xr-x 1 root root  4151672 Dec  9 18:48 bandwidth
-rwxr-xr-x 1 root root  4527563 Dec  9 18:48 bridge
-rwxr-xr-x 1 root root 10261898 Dec  9 18:48 dhcp
-rwxr-xr-x 1 root root  4759170 Dec  9 18:48 firewall
-rwxr-xr-x 1 root root  3349743 Dec  9 18:48 flannel
-rwxr-xr-x 1 root root  4131577 Dec  9 18:48 host-device
-rwxr-xr-x 1 root root  3565330 Dec  9 18:49 host-local
-rwxr-xr-x 1 root root  4288339 Dec  9 18:48 ipvlan
-rwxr-xr-x 1 root root  3526435 Dec  9 18:48 loopback
-rwxr-xr-x 1 root root  4367216 Dec  9 18:48 macvlan
-rwxr-xr-x 1 root root  3953818 Dec  9 18:48 portmap
-rwxr-xr-x 1 root root  4462872 Dec  9 18:48 ptp
-rwxr-xr-x 1 root root  3697042 Dec  9 18:48 sbr
-rwxr-xr-x 1 root root  3149234 Dec  9 18:49 static
-rwxr-xr-x 1 root root  3668289 Dec  9 18:48 tuning
-rwxr-xr-x 1 root root  4287972 Dec  9 18:48 vlan
-rwxr-xr-x 1 root root  3755881 Dec  9 18:48 vrf
nerdctl run -it --rm alpine
ip  a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

containerd-rootless.sh: /run/xtables.lock EACCES on SELinux hosts

We need to backport moby/moby#42199 (dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts) to containerd-rootless.sh (used by nerdctl, not by Docker) in this repo.

can nerdctl info print the cgroup driver like docker ?

for docker

[root@k8s-dev tmp]# docker info -f {{.CgroupDriver}}
cgroupfs

for containerd

[root@k8s-dev tmp]# ./nerdctl  info
Client:
 Namespace:	default
 Debug Mode:	false

Server:
 Server Version: v1.3.9
 Storage Driver: overlayfs
 Cgroup Version: 1
 Plugins:
  Storage: native overlayfs
 Security Options:
  seccomp
   Profile: default
 ID: ed68ee7f-4ec0-4199-b3da-ed3305f21414
[root@k8s-dev tmp]# vim /etc/containerd/config.toml 
[root@k8s-dev tmp]# ./nerdctl version
Client:
 Version:	v0.4.0
 Git commit:	21b64b3c5079002334ab3df678e578259c414b26

Server:
 containerd:
  Version:	v1.3.9
  Revision:	ea765aba0d05254012b0b9e595e995c09186427f

`nerdctl run --net=host -it` fails while `nerdctl run -it --net=host` works

$ nerdctl run --net host -i  alpine echo hi
hi
$ nerdctl run --net=host -it alpine echo hi
FATA[0000] currently, number of networks must be 1      
$ nerdctl run -it --net=host alpine echo hi
hi

Something is broken around -t. Likely to be an issue of https://github.com/urfave/cli .

Support `nerdctl rm [SHORTID]`

Currently, nerdctl rm 133fd7a617f4eb77db0ef395c66e652dc2a292048f34bf45a9a741c986a53f53 can't be shorten like nerdctl rm 133fd7a617f4

allow for a different cni plugin directory?

Can you add an override environment variable so the cni plugin directory can be somewhere different to /opt/cni/bin? Or is that a bad idea?

https://github.com/AkihiroSuda/nerdctl/blob/master/run.go#L169
https://github.com/containerd/go-cni/blob/master/types.go#L22

[QUESTION] Any Advise for removing the unsupported ctr command, please

Overview

Hi, Thank you for the great tools.

I tried to remove the using unsupported ctr command.
After that, it seems that loading images to containerd is OK, But I failed the running command.
If you have the time, please consult with me.

Process

I fixed the build.go and copy some process from the images/import.go.
The biggest modification is that the output format of the buildkit is converted from docker to an OCI tar files.

	buildctlCmd := exec.Command("buildctl",
		"build",
		"--frontend=dockerfile.v0",
		"--local=context="+buildContext,
		"--local=dockerfile="+buildContext,
		"--output=type=oci,dest="+**tarball_path**) <= I fixed it
	buildctlCmd.Env = os.Environ()

And so I could import tarball to containerd.

        r, err = os.Open(**tarball_path**)
	imgs, err := client.Import(ctx, r, opts...)  <= I fixed it
	if err != nil {
		return err
	}
	closeErr := r.Close()

	if closeErr != nil {
		return closeErr
	}

	for _, img := range imgs {
		// TODO: Allow configuration of the platform
		image := containerd.NewImage(client, img)

		// TODO: Show unpack status
		//fmt.Println("unpacking %s (%s)...", img.Name, img.Target.Digest)
		fmt.Println("build")
		err = image.Unpack(ctx, sn)
		if err != nil {
			fmt.Println(err)
			return err
		}
		fmt.Println("done")
	}

I success uploading the images.

$ sudo ctr images ls
REF                                                                               TYPE                                       DIGEST
                              SIZE     PLATFORMS   LABELS
overlayfs@sha256:2715e19bf11d27ec753cc046aab89435bdb3fec7c6915e029bcb60e38ea8ab12 application/vnd.oci.image.manifest.v1+json sha256:2715e19bf11d27ec753cc046aab89435bdb3fec7c6915e029bcb60e38ea8ab12 51.1 MiB linux/amd64 -

ref: https://github.com/soharaki/nerdctl/blob/alt-crt-when-builds/build.go#L78

Support anonymous volumes (`docker run -v /foo` and Dockerfile `VOLUME /foo`)

Support anonymous volumes:

docker run -v /foo
Dockerfile VOLUME /foo

Anonymous volumes are deleted on container deletion if docker run is invoked with --rm.

However, anonymous volumes are NOT deleted on invocation of docker rm.

Support multi-arch images

nerdctl should support operating with multi-arch images, e.g., nerdctl pull --platform linux/arm64, nerdctl pull --all-platforms

nerdctl image convert https://github.com/AkihiroSuda/nerdctl/blob/v0.7.0/image_convert.go#L80-L89
nerdctl pull #448
nerdctl push#448
nerdctl build (should have same UI/UX as docker buildx build) #448
nerdctl load #316

Can't login to ghcr.io

$ nerdctl pull ghcr.io/stargz-containers/python:3.9-org
FATA[0000] expected the hostname part of ac.ServerAddress ("ghcr.io") to be authConfigHostname="ghcr.io", got ""

~/.docker/config.json:

{
        "auths": {
                "ghcr.io": {
                        "auth":  "<base64>"
                }
        }
}

nerdctl version: v0.7.1

[Lazy-pulling] failed to make lazy pulling

Hi,

I am testing the Lazy-pulling using Stargz Snapshotter with nerdctl in a docker container :

docker run -it --privileged -v /tmp:/tmp -v /Users/faheddorgaa/go/src/github.com/nerdctl/:/home/nerdctl --tmpfs /var/lib/containerd nerdctl:test1 bash

but it failed. It seems fetching all layers when I test with : time nerdctl --snapshotter=stargz run -it --rm ghcr.io/stargz-containers/python:3.7-esgz python3 -c 'print("hi")'

root@f499843b6869:/home/nerdctl/_output# time ./nerdctl --snapshotter=stargz run -it --rm ghcr.io/stargz-containers/python:3.7-esgz python3 -c 'print("hi")'
ghcr.io/stargz-containers/python:3.7-esgz:                                        resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:6a421075162f4656aa95e13fe93f0efd8c434f1469e73bd925e24bc7caa14948:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:1c5718103be74575eb2f39ec81e9b5f8026fad0ffe8b79e43110608ab19220c5: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:f5905ad4cd9389cc522fffa4ccb0cd13fb9516d350d7e6f6fd45872812b31df5:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:09dcfffe1239fa012cdd72898c3ebe45c6c095f39fd106150187b896a807e982:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:80505726a0e2e80ef6336f4976e6a30ed3de572934224603cdc66801bbf195b9:    downloading    |+++-----------------------------------|  4.0 MiB/50.5 MiB  
layer-sha256:7999a84dec8ca5cdc77fbf9c6c4790d6cf4c869384ff33c590261704a3eb9b2d:    downloading    |++++++++++++++++++++++++++++++--------|  6.0 MiB/7.5 MiB   
layer-sha256:3ef2ba902efb61d82f35b700b184bde123382462f5877451971585ae9e6b31c0:    downloading    |+++++++++++++++-----------------------|  4.0 MiB/9.6 MiB   
layer-sha256:d50ab0bcfb98d6682d284b3863c07a8327f4a40547ba9f88e675269a39614120:    downloading    |++------------------------------------|  4.0 MiB/51.9 MiB  
layer-sha256:dfd38485f3518ed3f34b28bd388be806515bcf575acf8f9fdd405c2287c1af51:    downloading    |+-------------------------------------|  7.0 MiB/189.2 MiB 
layer-sha256:e83a4f1702924b39745065c6af11af6662e87e127acee9adb327504027d127f4:    downloading    |+++++++++++++++++++++++++++++++-------|  5.0 MiB/6.1 MiB   
layer-sha256:5206ddfd1f29b28bdf212e9c32f2bf2f7d53cb4535d3c36c0c009efc2cb4836c:    downloading    |+++++++++++---------------------------|  5.0 MiB/16.0 MiB  
layer-sha256:70ad7b0f74ab9fcc8cf624d59b069fd31e61404c4cae74cf67702b2fb1c7ddb9:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 27.9s                                                                    total:  37.3 M (1.3 MiB/s)

here is the stacktrace of containerd-stargz-grpc . I see some error

{"dir":"/var/lib/containerd-stargz-grpc/snapshotter/snapshots/23/fs","error":"invalid argument","level":"debug","msg":"failed to unmount","time":"2020-12-27T17:31:49.069990900Z"}
{"level":"debug","mountpoint":"/var/lib/containerd-stargz-grpc/snapshotter/snapshots/24/fs","msg":"verified","time":"2020-12-27T17:35:23.011426500Z"}
{"error":"exec: \"/bin/fusermount\": stat /bin/fusermount: no such file or directory","level":"debug","mountpoint":"/var/lib/containerd-stargz-grpc/snapshotter/snapshots/24/fs","msg":"failed to make filesstem server","time":"2020-12-27T17:35:23.012327600Z"}
{"error":null,"key":"default/39/extract-359502800-ByGC sha256:6e6a4cb20b5903038aa24041fce65094b339f0e6d9b52720f7b912b8d3799ae1","level":"debug","msg":"failed to prepare remote snapshot","parent":"","remote-snapshot-prepared":"false","time":"2020-12-27T17:35:23.012412100Z"}
{"level":"debug","mountpoint":"/var/lib/containerd-stargz-grpc/snapshotter/snapshots/24/fs","msg":"completed to prefetch","time":"2020-12-27T17:35:23.015400100Z"}
{"level":"debug","mountpoint":"/var/lib/containerd-stargz-grpc/snapshotter/snapshots/24/fs","msg":"completed to fetch all layer data in background","time":"2020-12-27T17:35:28.189298800Z"}

Cant' build on FreeBSD

Hello,

I'm trying to build nerdctl on FreeBSD and I see this error:

package github.com/containerd/nerdctl
	imports github.com/containerd/containerd/pkg/cap: build constraints exclude all Go files in /home/kwiat/go/pkg/mod/github.com/containerd/[email protected]/pkg/cap
*** Error code 1

Containerd from tag v1.5.0-beta.4 builds fine:

$ ./bin/containerd -v
containerd github.com/containerd/containerd v1.5.0-beta.4 f201b78b9065f167071bf472a9708b3921c3d5d1

Is it possible to run buildkitd as container in containerd system-namespace?

nerdctl needs user to install buildkitd. So is it possible to support system-plugin as container running in specific container namespace? If so, the user doesn't need to care about buildkitd, nerdctl can help to install buildkitd as running container.

Support `nerdctl rmi [SHORTID]`

https://github.com/AkihiroSuda/nerdctl/pull/29 added support for removing images with longID, but does not support shortID yet

Running a stargz container panics with 10% probability

# ntimes -n 10 nerdctl --snapshotter=stargz run -it --rm --pull=always ghcr.io/stargz-containers/alpine:3.10.2-esgz echo hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0xba1b45]

goroutine 1 [running]:
github.com/containerd/containerd.WithImage.func1(0xf8e420, 0xc00007dda0, 0xc0003802a0, 0xc00041a280, 0x0, 0x0)
        /home/suda/gopath/pkg/mod/github.com/containerd/[email protected]/container_opts.go:75 +0x25
github.com/containerd/containerd.(*Client).NewContainer(0xc0003802a0, 0xf8e420, 0xc00007dda0, 0xc00003c3c0, 0x40, 0xc0004005c0, 0x5, 0x8, 0x0, 0x0, ...)
        /home/suda/gopath/pkg/mod/github.com/containerd/[email protected]/client.go:277 +0x1f8
main.runAction(0xc00029ba80, 0x0, 0x0)
        /home/suda/gopath/src/github.com/AkihiroSuda/nerdctl/run.go:186 +0xb1f
github.com/urfave/cli/v2.(*Command).Run(0x1483820, 0xc00029b3c0, 0x0, 0x0)
        /home/suda/gopath/pkg/mod/github.com/urfave/cli/[email protected]/command.go:163 +0x4ed
github.com/urfave/cli/v2.(*App).RunContext(0xc000370340, 0xf8e3a0, 0xc0000b8010, 0xc0000c2000, 0x9, 0x9, 0x0, 0x0)
        /home/suda/gopath/pkg/mod/github.com/urfave/cli/[email protected]/app.go:313 +0x81f
github.com/urfave/cli/v2.(*App).Run(...)
        /home/suda/gopath/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main()
        /home/suda/gopath/src/github.com/AkihiroSuda/nerdctl/main.go:33 +0x67
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi
fetching sha256:99600da2... application/vnd.docker.distribution.manifest.v2+json
fetching sha256:86ec6e9e... application/vnd.docker.container.image.v1+json
hi

real average: 1.003369466s, max: 1.210267331s, min: 55.889304ms, std dev: 342.807166ms
real 99 percentile: 1.210267331s, 95 percentile: 1.210267331s, 50 percentile: 1.014338627s
user average: 92.1856ms, max: 148.378ms, min: 10.566ms, std dev: 36.726424ms
sys  average: 78.6631ms, max: 133.147ms, min: 2.641ms, std dev: 35.770673ms
flaky: 10%

nerdctl version: fedbca9
stargz snapshotter version: containerd/stargz-snapshotter@b1b0a3e
containerd version: containerd/containerd@e98d7f8

can't get completions without having an accessible containerd socket

When packaging programs it can be common to extract completions to a file to be put in /usr/share/bash-completions/completions/x (or similar) but can't be done without a containerd socket that's accessible

$ nerdctl completion bash
FATA[0000] rootless containerd not running? (hint: use `containerd-rootless-setuptool.sh install` to start rootless containerd): stat /run/user/1000/containerd-rootless: no such file or directory

This is also a problem for nerdctl version but that is more understandable since it'll output the containerd details

`nerdctl run --user` should reset additional GIDs

The behavior is different:

$ docker  run -it --rm --user 1000 alpine  id
uid=1000 gid=0(root)

$ nerdctl run -it --rm --user 1000 alpine  id
uid=1000 gid=0(root) groups=1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

	// use GCR mirror to avoid hitting Docker Hub rate limit
	const (
	AlpineImage = "mirror.gcr.io/library/alpine:3.13"
	NginxAlpineImage = "mirror.gcr.io/library/nginx:1.19-alpine"
	NginxAlpineIndexHTMLSnippet = "<title>Welcome to nginx!</title>"
	RegistryImage = "mirror.gcr.io/library/registry:2"
	)