Accelerating Container Startup with Nydus: Research and Practice

Posted by elrond on June 9, 2023

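1. Overview

Nydus is an image accelerator. It speeds up container startup mainly by lazily loading the image when the container starts, so large images can start within seconds; subsequent reads and writes use copy-on-write (COW). A few labels that describe nydus:

  • Nydus is an open-source container image acceleration project jointly built by Ant Group, Alibaba Cloud, ByteDance and others
  • A sub-project of Dragonfly, a CNCF incubating project
  • A new image format, different from OCI
  • A healthy ecosystem, compatible with containerd, k8s, harbor and buildkit – rich solutions from build, storage and deployment through to CI integration
  • erofs+fscache+cachefiles caching scheme: uses kernel caching and a read-only file system to accelerate I/O
    • cachefiles: obtains the file cache
    • fscache: manages the cached content of cachefiles
    • erofs: exposes the cache through a file system interface

Accelerating containers with Nydus is usable today: images can be built with (k8s+)buildkit, released with (k8s+)containerd, and CI can be done with skaffold (the road is bumpy, and that part is the main subject of this document). The future looks promising: fscache+erofs for low-level storage acceleration.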

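1.1. Things to consider before adopting Nydus

To roll out Nydus, the following questions need to be considered:

  • If the current k8s container runtime is docker, it must be switched to containerd. When switching, note that
    • pod services may be interrupted
    • monitoring and logs, previously obtained through the docker interface, now go through the containerd interface – k8s can hide this part
  • How CI handles the existing docker build approach alongside the new buildkit build approach
  • containerd is relatively bare; building, running and other operations need several components working together, and quite a bit of setup is needed to use it:
    • containerd
    • nerdctl
    • buildkitd
    • buildctl …
    • nydus-snapshotter (required in order to use nydus images)
  • ⚠️ Performance: copy-on-write pulls data from the remote end, so when pulling from an image registry, consider
    • the I/O performance of the image registry itself
    • the network bandwidth from the pod to the registry
  • ⚠️ Running nydus-snapshotter in a container needs improvement. When the nydus-snapshotter container fails it cannot self-heal, because of a circular dependency (starting a container requires nydus-snapshotter), so you need to
    • remove the nydus-snapshotter configuration from containerd
    • restart containerd
    • reconfigure containerd

1.2. Problems encountered in practice so far

The main problems met during hands-on exploration:

  • Many projects are involved and their versions are not clearly pinned, so many version-compatibility problems came up
  • Documentation is scattered and hard to look up
  • Few hands-on documents
  • Documentation lags well behind the code
  • In some projects the CI code lags behind the main code

Problems still being worked on

  • The locally built image is missing a layer and cannot be run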

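2. Integrating Nydus with containers

2.1. containerd integration [core]

2.1.1. Versions

Component | Version | Notes
Kernel | 5.18.2-1.el7.elrepo.x86_64 |
containerd | containerd.io 1.6.6 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1 |
buildkit | github.com/moby/buildkit 76aeaa55.m 76aeaa55ff4e1c575644bffbf0a43bea92215fbe.m | built from https://github.com/nydusaccelerator/buildkit.git
nydus-image | v2.2.1 |
containerd-nydus-grpc | v0.8.0 |
nerdctl | 1.3.1 |

2.1.2. Concepts

  • nydus image: an image in nydus format, different from the current ociv1/ociv2; it can be lazily loaded when used, which speeds up container startup
  • Building nydus images
    • buildkitd: the tool that builds nydus images; it needs the nydus compatibility configuration added. It normally runs as a daemon, and the client connects to the server with the buildctl command over a sock file or TCP; daemonless mode is also supported
    • nydus-image: the nydus image tool; it can be integrated into buildkit to build nydus-format images, or used on its own to build, check and export nydus images
  • Running nydus images
    • containerd: the container runtime
    • nydus-snapshotter: a containerd plugin that lets containerd use nydus-format images [1]

After buildkit+nydus builds the image, it is pushed to a registry, which can be docker registry, harbor and so on. At run time, each time a container is started from a nydus image, containerd calls nydus-snapshotter to check whether there is a local cache. If there is none, it starts a nydusd process to pull; if there is, it starts a nydusd fuse process as a file server for the container to mount. This is the key to lazy loading: nydusd pulls from the registry whatever the container needs, and the corresponding snapshotter mount process is started.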

/usr/bin/nydusd fuse --thread-num 10 --config /var/lib/containerd-nydus/config/chmadgaihqqap9ldb1eg/config.json --bootstrap /var/lib/containerd-nydus/snapshots/833/fs/image/image.boot --mountpoint /var/lib/containerd-nydus/snapshots/833/mnt --apisock /var/lib/containerd-nydus/socket/chmadgaihqqap9ldb1eg/api.sock --log-level debug --log-file /var/lib/containerd-nydus/logs/chmadgaihqqap9ldb1eg/nydusd.log

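The architecture diagram follows. The FUSE file system is used here; community documentation on erofs is sparse, so FUSE is used for now.

[Figure: nydus architecture]

With erofs:

[Figure: nydus_fscache_erofs_arch]

2.1.3. Build

2.1.3.1. Building buildkitd

The official community repository is moby/buildkit. The nydusaccelerator project is used here because bug fixes and new features are currently released there first, so it is used for the time being.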

git clone https://github.com/nydusaccelerator/buildkit.git
cd buildkit
go build -tags=nydus -o ./bin/buildkitd ./cmd/buildkitd
mv ./bin/buildkitd /usr/bin/
chmod +x /usr/bin/buildkitd

2.1.3.2. Installing nydus

wget https://github.com/dragonflyoss/image-service/releases/download/v2.2.1/nydus-static-v2.2.1-linux-amd64.tgz
tar zxf nydus-static-v2.2.1-linux-amd64.tgz
cd nydus-static
sudo install -D -m 755 nydusd nydus-image nydusify nydusctl nydus-overlayfs /usr/bin

2.1.3.3. Starting the buildkitd process

buildkit configuration [2]

mkdir -p /etc/buildkit
cat > /etc/buildkit/buildkitd.toml <<EOF
debug = false
[worker.oci]
  enabled = false

[worker.containerd]
  enabled = true
  # namespace in which successfully built images are stored
  namespace = "default"
  address = "/run/containerd/containerd.sock"
  platforms = [ "linux/amd64", "linux/arm64" ]
  gc = true
  # gckeepstorage sets storage limit for default gc profile, in MB.
  gckeepstorage = 9000
EOF
cat > /etc/systemd/system/buildkitd.service << EOF
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Service]
Environment="NYDUS_BUILDER=/usr/bin/nydus-image"
ExecStart=/usr/bin/buildkitd --config /etc/buildkit/buildkitd.toml

[Install]
WantedBy=multi-user.target
EOF
systemctl enable buildkitd
systemctl start buildkitd

2.1.3.4. Building an image

Build a simple hello world image

  • hello world program
mkdir golang-helloworld

Edit main.go

package main

import "fmt"

func main() {
  fmt.Println("Hello, world!")
}

Build the executable

go build -o hello main.go
  • Dockerfile

Edit the Dockerfile

FROM  ubuntu:20.04
COPY hello /
ENTRYPOINT [ "/hello" ]
  • Build

This builds a nydus-format image named reg.harbor.com/hello/hello-k8s:v0.0.4; with push=true the image is pushed to the remote registry once the build completes

buildctl  build --progress=plain \
  --frontend=dockerfile.v0  \
  --local context=.  \
  --local dockerfile=.  \
  --output type=image,name=reg.harbor.com/hello/hello-k8s:v0.0.4,compression=nydus,oci-mediatypes=true,push=true
  • Verify

The nydus image has now been built and can be verified

nydusify check --target reg.harbor.com/hello/hello-k8s:v0.0.4
INFO[2023-05-24T10:59:56+08:00] Parsing image reg.harbor.com/hello/hello-k8s:v0.0.4
INFO[2023-05-24T10:59:56+08:00] Dumping OCI and Nydus manifests to ./output
...
INFO[2023-05-24T10:59:57+08:00] Verified Nydus image reg.harbor.com/hello/hello-k8s:v0.0.4

The check here is against the remote image; everything is as expected and it is a nydus image [3]

cat output/nydus_manifest.json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:3121880b13bcaf21d0748cc35139769cb353bdd8429e541da489d1833c0c9ea7",
    "size": 6940
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a",
      "size": 30779473,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    ...
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab",
      "size": 1067099,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      },
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "digest": "sha256:4c73ce0e2ddc066d200bc119cc2b6f39938fd136b93fb8d47a590788cc91c91c",
      "size": 2258453,
      "annotations": {
        "containerd.io/snapshot/nydus-blob-ids": "[\"e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a\",\"15596146dcdb421faaf9881e63baa87731603f412d1f05aa78e2d8f5bb78f1d5\",\"68fb6d505c4733f3c39645876ab9ed30dbf46056b36630be2dafe48634af1e01\",\"32a3c81c8fb5b12c68d74e01b29cd02463d8e85c0296ac3e30874f0f38412ec9\",\"89fe8a5a29e872cb9afbdeffeb9307498e67f42a0d3fdeca754b7a55b8849083\",\"43f9d24cfd0900b5ccbc7030559df305d237932f5383f592128d165c723ca553\",\"5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab\"]",
        "containerd.io/snapshot/nydus-bootstrap": "true",
        "containerd.io/snapshot/nydus-fs-version": ""
      }
    }
  ]
}
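The manifest above identifies a nydus image by its layer media type and the containerd.io/snapshot/nydus-* annotations. The following added example (not part of the original post or of the nydus project) classifies the layers of a manifest and cross-checks the blob ids listed in the bootstrap layer's nydus-blob-ids annotation against the blob layers actually present. The rule "exactly one bootstrap layer and no plain OCI layers" is this example's assumption, and the sample manifests use constructed digests.

```python
import json

# Media type and annotation keys exactly as they appear in the manifest above.
NYDUS_BLOB_MEDIA_TYPE = "application/vnd.oci.image.layer.nydus.blob.v1"
ANN_BLOB = "containerd.io/snapshot/nydus-blob"
ANN_BOOTSTRAP = "containerd.io/snapshot/nydus-bootstrap"
ANN_BLOB_IDS = "containerd.io/snapshot/nydus-blob-ids"
OCI_GZIP_LAYER = "application/vnd.oci.image.layer.v1.tar+gzip"


def hex_id(digest):
    """'sha256:abcd...' -> 'abcd...' (nydus-blob-ids lists bare hex ids)."""
    return digest.split(":", 1)[-1]


def inspect_manifest(manifest):
    """Classify layers and report blob ids the bootstrap references but the manifest lacks."""
    blobs, bootstraps, other = [], [], []
    for layer in manifest.get("layers", []):
        ann = layer.get("annotations") or {}
        if ann.get(ANN_BOOTSTRAP) == "true":
            bootstraps.append(layer)
        elif layer.get("mediaType") == NYDUS_BLOB_MEDIA_TYPE or ann.get(ANN_BLOB) == "true":
            blobs.append(layer)
        else:
            other.append(layer)

    referenced, errors = set(), []
    for layer in bootstraps:
        raw = layer["annotations"].get(ANN_BLOB_IDS)
        if raw is None:
            continue
        try:
            ids = json.loads(raw)  # the annotation value is a JSON-encoded list
            if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
                raise ValueError("not a list of strings")
            referenced.update(ids)
        except ValueError as exc:
            errors.append("bad %s on %s: %s" % (ANN_BLOB_IDS, layer.get("digest"), exc))

    present = {hex_id(layer["digest"]) for layer in blobs}
    return {
        # Assumption of this example: one bootstrap layer, no plain OCI layers.
        "is_nydus": len(bootstraps) == 1 and not other,
        "blob_layers": len(blobs),
        "missing_blobs": sorted(referenced - present),
        "unreferenced_blobs": sorted(present - referenced),
        "errors": errors,
    }


# ---- constructed sample data (digests are fabricated for the example) ----
A, B, C, D = "a" * 64, "b" * 64, "c" * 64, "d" * 64


def make_layer(media_type, hexdigest, annotations=None):
    layer = {"mediaType": media_type, "digest": "sha256:" + hexdigest, "size": 1}
    if annotations:
        layer["annotations"] = annotations
    return layer


def sample_nydus(blob_ids):
    """Two nydus blob layers plus a bootstrap layer that references blob_ids."""
    return {"schemaVersion": 2, "layers": [
        make_layer(NYDUS_BLOB_MEDIA_TYPE, A, {ANN_BLOB: "true"}),
        make_layer(NYDUS_BLOB_MEDIA_TYPE, B, {ANN_BLOB: "true"}),
        make_layer(OCI_GZIP_LAYER, D, {ANN_BLOB_IDS: json.dumps(blob_ids),
                                       ANN_BOOTSTRAP: "true"}),
    ]}


SAMPLE_OCI = {"schemaVersion": 2, "layers": [make_layer(OCI_GZIP_LAYER, C)]}

if __name__ == "__main__":
    for name, m in [("nydus, consistent", sample_nydus([A, B])),
                    ("nydus, blob c missing", sample_nydus([A, B, C])),
                    ("plain OCI", SAMPLE_OCI)]:
        print(name, json.dumps(inspect_manifest(m)))
```

To run it on real data, load output/nydus_manifest.json with json.load and pass the result to inspect_manifest.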

The local image cannot be used for now; using it produces an error (this is after nydus snapshotter was deployed)

nerdctl run --rm reg.harbor.com/hello/hello-k8s:v0.0.4 --snapshotter=nydus
INFO[0000] apply failure, attempting cleanup             error="failed to extract layer sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: failed to get reader from content store: content digest sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: not found" key="extract-504360049-gvw0 sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a"
FATA[0000] failed to extract layer sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: failed to get reader from content store: content digest sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: not found

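This is probably a nydus+fuse bug. The workaround is to delete the local image once the build completes and pull it from the remote registry when it is used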

nerdctl rmi reg.harbor.com/hello/hello-k8s:v0.0.4

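The manifest of the locally built image matches the remote one; it is unusable here because the snapshotter was left out when the image was stored. The exact problem is awaiting confirmation from the community

2.1.4. Deployment

2.1.4.1. Deploying nydus-snapshotter

  • Install containerd-nydus-grpc
wget https://github.com/containerd/nydus-snapshotter/releases/download/v0.8.0/nydus-snapshotter-v0.8.0-x86_64.tgz
tar zxf nydus-snapshotter-v0.8.0-x86_64.tgz
install -D -m 755 nydus-snapshotter/containerd-nydus-grpc /usr/bin
  • nydus-fusedev configuration
# nydus blob cache directory and configuration directory
mkdir -p /opt/nydus/cache /etc/nydus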
cat > /etc/nydus/nydusd-config.fusedev.json <<EOF
{
  "device": {
    "backend": {
      "type": "registry",
      "config": {
        "scheme": "https",
        "skip_verify": true,
        "timeout": 5,
        "connect_timeout": 5,
        "retry_limit": 4
      }
    },
    "cache": {
      "type": "blobcache",
      "config": {
        "work_dir": "/opt/nydus/cache"
      }
    }
  },
  "mode": "direct",
  "digest_validate": false,
  "iostats_files": false,
  "enable_xattr": true,
  "fs_prefetch": {
    "enable": true,
    "threads_count": 4
  }
}
EOF
  • nydus snapshotter main process configuration [4]
cat /etc/nydus/config.toml
version = 1
address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
daemon_mode = "multiple"
cleanup_on_close = false

[system]
enable = true
address = "/run/containerd-nydus/system.sock"

[system.debug]
daemon_cpu_profile_duration_secs = 5
pprof_address = ""

[daemon]
nydusd_path = "/usr/bin/nydusd"
nydusimage_path = "/usr/bin/nydus-image"
# fusedev or fscache
fs_driver = "fusedev"
# How to process when daemon dies: "none", "restart" or "failover"
recover_policy = "restart"
# Specify a configuration file for nydusd
nydusd_config = "/etc/nydus/nydusd-config.fusedev.json"
# The fuse or fscache IO working threads started by nydusd
threads_number = 10

[log]
# Print logs to stdout rather than logging files
log_to_stdout = false
level = "debug"
log_rotation_compress = true
log_rotation_local_time = true
log_rotation_max_age = 7
log_rotation_max_backups = 5
log_rotation_max_size = 1

[metrics]
# Enable by assigning an address, empty indicates metrics server is disabled
address = ":9110"

[remote]
convert_vpc_registry = false

[remote.mirrors_config]
dir = ""

[remote.auth]
enable_kubeconfig_keychain = false
kubeconfig_path = ""
enable_cri_keychain = false
image_service_address = ""

[snapshot]
enable_nydus_overlayfs = false
sync_remove = false

[cache_manager]
disable = false
gc_period = "24h"
cache_dir = "/opt/nydus/cache/"

[image]
public_key_file = ""
validate_signature = false

[experimental]
enable_stargz = false
enable_referrer_detect = false
cat > /etc/systemd/system/nydus-snapshotter.service <<EOF
[Unit]
Description=nydus snapshotter
After=network.target
Before=containerd.service

[Service]
Type=simple
Environment=HOME=/root
ExecStart=/usr/bin/containerd-nydus-grpc --config /etc/nydus/config.toml
Restart=always
RestartSec=1
KillMode=process
OOMScoreAdjust=-999
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable nydus-snapshotter
systemctl start nydus-snapshotter
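
The nydusd configuration above sets skip_verify to true, which skips verification of the registry's TLS certificate, and digest_validate to false, which turns off nydusd's digest validation of the data it loads. The following added example (not from the original post or the nydus project) audits a nydusd JSON config for those settings and lists keys that are not set at all, so their defaults can be checked for the nydusd version in use. The function names and the reduced sample config are constructed for the example.

```python
import json

# nydusd fusedev config from section 2.1.4.1 of this page, embedded to run offline.
PAGE_CONFIG = """
{
  "device": {
    "backend": {
      "type": "registry",
      "config": {"scheme": "https", "skip_verify": true, "timeout": 5,
                 "connect_timeout": 5, "retry_limit": 4}
    },
    "cache": {"type": "blobcache", "config": {"work_dir": "/opt/nydus/cache"}}
  },
  "mode": "direct",
  "digest_validate": false,
  "iostats_files": false,
  "enable_xattr": true,
  "fs_prefetch": {"enable": true, "threads_count": 4}
}
"""

# Constructed, reduced config in which scheme and skip_verify are not set.
REDUCED_CONFIG = '{"device": {"backend": {"type": "registry", "config": {"timeout": 5}}}, "digest_validate": false}'

# (path to key, weak value, what the weak value means)
CHECKS = [
    (("device", "backend", "config", "scheme"), "http",
     "registry traffic is sent over plaintext HTTP"),
    (("device", "backend", "config", "skip_verify"), True,
     "the registry's TLS certificate is not verified"),
    (("digest_validate",), False,
     "nydusd does not validate digests of the data it loads"),
]

MISSING = object()


def lookup(cfg, path):
    """Walk nested dicts; return MISSING if any key on the path is absent."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node


def audit_nydusd_config(text):
    """Return weak settings found and checked keys that are not set explicitly."""
    cfg = json.loads(text)
    weak, unset = [], []
    for path, weak_value, meaning in CHECKS:
        dotted = ".".join(path)
        value = lookup(cfg, path)
        if value is MISSING:
            unset.append(dotted)
        # Compare type as well as value so that 0 is not mistaken for false.
        elif type(value) is type(weak_value) and value == weak_value:
            weak.append((dotted, meaning))
    return {"weak": weak, "unset": unset}


def harden(text):
    """Return the same config with certificate and digest validation turned on."""
    cfg = json.loads(text)
    cfg["device"]["backend"]["config"]["skip_verify"] = False
    cfg["digest_validate"] = True
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for name, text in [("page config", PAGE_CONFIG),
                       ("hardened", harden(PAGE_CONFIG)),
                       ("reduced", REDUCED_CONFIG)]:
        print(name, audit_nydusd_config(text))
```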

2.1.4.2. Configuring containerd to support the nydus snapshotter

Edit the containerd configuration /etc/containerd/config.toml

version = 2
state = "/run/containerd"

[grpc]
  address = "/run/containerd/containerd.sock"
  uid = 0
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216

[timeouts]
  "io.containerd.timeout.shim.cleanup" = "5s"
  "io.containerd.timeout.shim.load" = "5s"
  "io.containerd.timeout.shim.shutdown" = "3s"
  "io.containerd.timeout.task.state" = "2s"

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    # If k8s previously used docker as its container runtime, the pause image must be configured; otherwise existing k8s pods cannot start after the runtime change
    sandbox_image = "reg.harbor.com/kubernetes/pause:3.6"
    [plugins."io.containerd.grpc.v1.cri".cni]
      # CNI plugin path
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]

# Main configuration for the Nydus plugin
[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

[plugins."io.containerd.grpc.v1.cri".containerd]
   snapshotter = "nydus"
   disable_snapshot_annotations = false
   discard_unpacked_layers = false

After the change, restart containerd

systemctl restart containerd

2.1.5. Starting a containerd container from a nydus image

containerd also has a docker-like command line, nerdctl

  • Install nerdctl
wget https://github.com/containerd/nerdctl/releases/download/v1.3.1/nerdctl-1.3.1-linux-amd64.tar.gz
tar zxvf nerdctl-1.3.1-linux-amd64.tar.gz
install -D -m 755  nerdctl /usr/bin/
  • Configure nerdctl

Use nydus-snapshotter by default

mkdir -p /etc/nerdctl
cat > /etc/nerdctl/nerdctl.toml <<EOF
debug          = false
debug_full     = false
address        = "unix:///var/run/containerd/containerd.sock"
namespace      = "default"
snapshotter    = "nydus"
experimental   = true
EOF
  • Run a container from the image produced in the build stage

First delete the local image: nerdctl rmi reg.harbor.com/hello/hello-k8s:v0.0.4

nerdctl run --rm reg.harbor.com/hello/hello-k8s:v0.0.4
# Output
reg.harbor.com/hello/hello-k8s:v0.0.4:                                      resolved       |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:c6ab4a56b80d503312322bda42fc31b038d6f6989d8d9e801c991787b8301132: exists         |++++++++++++++++++++++++++++++++++++++|
config-sha256:3121880b13bcaf21d0748cc35139769cb353bdd8429e541da489d1833c0c9ea7:   exists         |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4c73ce0e2ddc066d200bc119cc2b6f39938fd136b93fb8d47a590788cc91c91c:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.6 s                                                                    total:  2.2 Mi (3.6 MiB/s)
Hello, world!

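When using the nerdctl command you may hit failed to call cni.Setup: plugin type=\"bridge\" failed (add): incompatible CNI versions; config is \"1.0.0\", plugin supports [\"0.1.0\" \"0.2.0\" \"0.3.0\" \"0.3.1\" \"0.4.0\"]" which means the installed CNI plugins do not support the configured version; CNI needs to be upgraded

wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
tar zxf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin

Once the upgrade is done, it works

At this point, accelerating containerd container startup with nydus is basically complete. Using erofs remains to be explored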

2.2. Kubernetes integration

2.2.1. Versions

Component | Version | Notes
k8s | v1.22.10 |
containerd | containerd.io 1.6.6 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1 |
buildkitd | github.com/moby/buildkit 76aeaa55.m 76aeaa55ff4e1c575644bffbf0a43bea92215fbe.m | built from https://github.com/nydusaccelerator/buildkit.git
nydus-snapshotter | v0.6.1 | deployed via helm [5]; needs updating for production use

2.2.2. Preparing the k8s cluster

First, a cluster whose container runtime is containerd is needed

kubectl describe nodes |grep -i runtime
  Container Runtime Version:    docker://20.10.8
  Container Runtime Version:    docker://20.10.8
  Container Runtime Version:    docker://20.10.8

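If it is docker, it must be changed to containerd

2.2.2.1. Replacing docker with containerd as the k8s CRI

The procedure here is fairly rough; be careful when switching in production

  • Change the kubelet configuration

Edit /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

Add KUBELET_EXTRA_ARGS, or append the following to it

Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
  • Create the containerd configuration

Create ``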

version = 2
state = "/run/containerd"

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "reg.harbor.com/kubernetes/pause:3.6"

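Restart the containerd and kubelet services

systemctl daemon-reload
systemctl restart containerd kubelet

If kubelet fails to start, check the logs and handle accordingly: journalctl -xu kubelet -f

After a successful start, output like the following indicates that the switch succeeded

kubectl describe nodes |grep -i runtime
  # three nodes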
  Container Runtime Version:    containerd://1.6.6
  Container Runtime Version:    containerd://1.6.6
  Container Runtime Version:    containerd://1.6.6

2.2.3. Deploying buildkit

2.2.3.1. Building the buildkit image

The community image does not support nydus, so an image has to be built

git clone https://github.com/nydusaccelerator/buildkit.git
cd buildkit

Modify the Dockerfile

diff --git a/Dockerfile b/Dockerfile
index 8869138b..b006e584 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -97,7 +97,7 @@ ARG TARGETPLATFORM
 RUN --mount=target=. --mount=target=/root/.cache,type=cache \
   --mount=target=/go/pkg/mod,type=cache \
   --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=buildkit-version \
-  CGO_ENABLED=0 xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags '-static'" -tags "osusergo netgo static_build seccomp ${BUILDKITD_TAGS}" -o /usr/bin/buildkitd ./cmd/buildkitd && \
+  CGO_ENABLED=0 xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags '-static'" -tags "osusergo netgo nydus static_build seccomp ${BUILDKITD_TAGS}" -o /usr/bin/buildkitd ./cmd/buildkitd && \
   xx-verify --static /usr/bin/buildkitd

 FROM scratch AS binaries-linux-helper
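Review bot: in the xx-go build line, nydus is hard-coded into the -tags string even though that same string already expands ${BUILDKITD_TAGS}. Setting BUILDKITD_TAGS=nydus for the build would enable nydus support without editing the Dockerfile and would leave the default tag set unchanged for everyone else.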
@@ -176,6 +176,7 @@ ARG ROOTLESSKIT_VERSION
 RUN git clone https://github.com/rootless-containers/rootlesskit.git /go/src/github.com/rootless-containers/rootlesskit
 WORKDIR /go/src/github.com/rootless-containers/rootlesskit
 ARG TARGETPLATFORM
+ENV GOPROXY "https://goproxy.cn,direct"
 RUN  --mount=target=/root/.cache,type=cache \
   git checkout -q "$ROOTLESSKIT_VERSION"  && \
   CGO_ENABLED=0 xx-go build -o /rootlesskit ./cmd/rootlesskit && \
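Review bot: the added ENV GOPROXY "https://goproxy.cn,direct" hard-codes a third-party module proxy into the rootlesskit stage, so every build of this Dockerfile fetches its Go modules through goproxy.cn whether or not the builder needs a mirror. Consider exposing it as a build argument that defaults to Go's standard proxy setting, and writing the instruction in the ENV GOPROXY=... key=value form instead of the space-separated form.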
@@ -203,6 +204,7 @@ RUN mkdir -p /out/nydus-static && tar xzvf nydus-static-$NYDUS_VERSION-$TARGETOS

 FROM buildkit-export AS buildkit-linux
 COPY --link --from=binaries / /usr/bin/
+COPY --from=nydus /out/nydus-static/* /usr/bin/
 ENTRYPOINT ["buildkitd"]

 FROM binaries AS buildkit-darwin
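Review bot: COPY --from=nydus /out/nydus-static/* /usr/bin/ copies every file in nydus-static into /usr/bin by glob and, unlike the COPY --link line directly above it, omits --link. Copying the needed binaries by explicit name and adding --link would keep the image contents reviewable and consistent with the neighbouring instruction.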

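There are three main changes:

  • Add nydus support at compile time – required
  • Add the goproxy setting – pulling dependencies fails from within China, so goproxy has to be configured
  • Package nydus-image into the image; testing showed this step is optional
make build

Two images are built; only the non-rootless one, moby/buildkit:local, is used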

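2.2.3.2. Adjusting the YAML as needed and deploying

git clone https://github.com/nydusaccelerator/buildkit.git
cd buildkit

deployment+service.privileged is used here [6]

Edit deployment+service.privileged.yaml: the TLS configuration was removed and the NYDUS_BUILDER environment variable was added. With TLS removed, the tcp://0.0.0.0:1234 endpoint of this privileged buildkitd accepts unauthenticated connections, so access to the Service should be restricted. The final result is as follows

Image: shoery/buildkit:76aeaa55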

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
    spec:
      containers:
        - name: buildkitd
          env:
           - name: NYDUS_BUILDER
             value: /usr/bin/nydus-image
          image:  shoery/buildkit:76aeaa55
          args:
            - --addr
            - unix:///run/buildkit/buildkitd.sock
            - --addr
            - tcp://0.0.0.0:1234
          # the probe below will only work after Release v0.6.3
          readinessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          # the probe below will only work after Release v0.6.3
          livenessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          securityContext:
            privileged: true
          ports:
            - containerPort: 1234
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  ports:
    - port: 1234
      protocol: TCP
  selector:
    app: buildkitd

Deploy

kubectl apply -f examples/kubernetes/deployment+service.privileged.yaml

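To build images, the client only needs buildctl, connecting to buildkitd via --addr tcp://0.0.0.0:1234

2.2.4. Deploying nydus-snapshotter

run_nydus_in_kubernetes

Note: use an image version of v0.8.2 or later here

Not much needs changing here; two places need modification, and the rest can be deployed according to the documentation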

git clone https://github.com/dragonflyoss/helm-charts.git
cd helm-charts

2.2.4.1. Changing the nydus image

Create config-nydus.yaml

name: nydus-snapshotter
image: ghcr.io/containerd/nydus-snapshotter
tag: v0.8.2
pullPolicy: IfNotPresent
hostNetwork: true
dragonfly:
  enable: false

containerRuntime:
  containerd:
    enable: true

2.2.4.2. Modifying the ConfigMap

Without the added nydus.toml configuration, lazy loading does not take effect

Edit charts/nydus-snapshotter/templates/nydus-snapshotter/snapshotter-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "nydus-snapshotter.fullname" . }}
  labels:
    app: {{ template "nydus-snapshotter.fullname" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.name }}
data:
  config.json: |-
    {
      "device": {
        "backend": {
          "type": "registry",
          "config": {
          {{- if .Values.dragonfly.enable }}
            "mirrors": {{ mustToJson .Values.dragonfly.mirrorConfig }},
          {{- end }}
            "timeout": 5,
            "connect_timeout": 5,
            "retry_limit": 2
          }
        },
        "cache": {
          "type": "blobcache",
          "config": {
            "work_dir": "/var/lib/nydus/cache/"
          }
        }
      },
      "mode": "direct",
      "digest_validate": false,
      "iostats_files": false,
      "enable_xattr": true,
      "fs_prefetch": {
        "enable": true,
        "threads_count": 8,
        "merging_size": 1048576,
        "prefetch_all": true
      }
    }
  nydus.toml: |-
    version = 1
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
    daemon_mode = "multiple"
    cleanup_on_close = false
    [system]
    enable = true
    address = "/run/containerd-nydus/system.sock"
    [system.debug]
    daemon_cpu_profile_duration_secs = 5
    pprof_address = ""
    [daemon]
    nydusd_path = "/usr/local/bin/nydusd"
    nydusimage_path = "/usr/local/bin/nydus-image"
    fs_driver = "fusedev"
    recover_policy = "restart"
    nydusd_config = "/etc/nydus/config.json"
    threads_number = 10
    [log]
    log_to_stdout = false
    level = "debug"
    log_rotation_compress = true
    log_rotation_local_time = true
    log_rotation_max_age = 7
    log_rotation_max_backups = 5
    log_rotation_max_size = 1
    [metrics]
    address = ":9110"
    [remote]
    convert_vpc_registry = false
    [remote.mirrors_config]
    dir = ""
    [remote.auth]
    enable_kubeconfig_keychain = false
    kubeconfig_path = ""
    enable_cri_keychain = false
    image_service_address = ""
    [snapshot]
    enable_nydus_overlayfs = false
    sync_remove = false
    [cache_manager]
    disable = false
    gc_period = "24h"
    [image]
    public_key_file = ""
    validate_signature = false
    [experimental]
    enable_stargz = false
    enable_referrer_detect = false

Install

helm install --wait --timeout 10m --dependency-update \
    --create-namespace --namespace nydus-system \
    -f config-nydus.yaml \
    nydus-snapshotter charts/nydus-snapshotter

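2.2.4.3. Restarting nydus-snapshotter

Later maintenance may require restarting nydus-snapshotter

Once the containerd configuration has been changed to use the nydus snapshotter, containerd and the snapshotter depend on each other, and a restarted nydus-snapshotter container will not come up. So before every restart, first remove the following section from /etc/containerd/config.toml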

[plugins."io.containerd.grpc.v1.cri".containerd]
discard_unpacked_layers = false
disable_snapshot_annotations = false
snapshotter = "nydus"
[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

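Restart containerd, then recreate the nydus-snapshotter pod

2.2.5. Verification

Verification points: build a nydus-format image in a pod, and start a container from a nydus image using a pod

2.2.5.1. Building a nydus-format image in a pod

/root/.docker must be mounted, otherwise pushing the image may fail for lack of permission

golang-helloworld is mounted so that hello and the Dockerfile are available inside the pod

Create build-nydus-image.yaml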

apiVersion: v1
kind: Pod
metadata:
  name: build-pod
spec:
  restartPolicy: Never
  containers:
    - name: build-container
      image: buildkit:local
      command: ["buildctl", "--addr", "tcp://buildkitd.default:1234", "build", "--progress=plain", "--frontend=dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", "--output", "type=image,name=reg.harbor.com/hello/hello-k8s:v0.0.6,compression=nydus,oci-mediatypes=true,push=true"]
      volumeMounts:
        - name: host-path-volume
          mountPath: /opt/golang-helloworld
        - name: docker-config-volume
          mountPath: /root/.docker
      workingDir: /opt/golang-helloworld
  volumes:
    - name: host-path-volume
      hostPath:
        path: /home/elrond/nydus/golang-helloworld
    - name: docker-config-volume
      hostPath:
        path: /root/.docker

Command explanation

# --addr: svc:port of buildkitd
# --progress: output verbosity
# --frontend: build frontend type
# --local context: local context path
# --local dockerfile: local dockerfile path
# --opt filename: dockerfile file name; defaults to Dockerfile if empty
# --output: image tag and type, and whether to push to the remote registry
buildctl \
  --addr tcp://buildkitd.default:1234 \
  build \
  --progress=plain \
  --frontend=dockerfile.v0 \
  --local context=. \
  --local dockerfile=. \
  --opt filename=hello.dockerfile \
  --output type=image,name=reg.harbor.com/hello/hello-k8s:v0.0.6,compression=nydus,oci-mediatypes=true,push=true

Start the build

kubectl apply -f build-nydus-image.yaml

The build succeeds

k get po
NAME                         READY   STATUS      RESTARTS        AGE
build-pod                    0/1     Completed   0               23s

2.2.5.2. Starting a nydus image container with a pod

Create nydus-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: nydus-pod
spec:
  containers:
    - name: hello
      image: reg.harbor.com/hello/hello-k8s:v0.0.6
      imagePullPolicy: Always
      command: ["sh", "-c"]
      args:
        - tail -f /dev/null

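Run

kubectl apply -f nydus-pod.yaml

The pod may fail to start here because the built image is abnormal; the standard image ghcr.io/dragonflyoss/image-service/nginx:nydus-latest can be used for testing

At this point, building a nydus image and starting a container from a nydus-format image on k8s are both done

2.3. Docker integration

See docker-env-setup

docker-nydus-graphdriver is still in Experimental status, k8s is moving to containerd, and the cloud-native community's support for docker is weakening, so docker will not be considered going forward

3. CI integration – skaffold with nydus

Edit skaffold.yaml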

apiVersion: skaffold/v4beta4
kind: Config
build:
  tagPolicy:
    envTemplate:
      template: "{{.FOO}}"
  artifacts:
  - image: reg.harbor.com/hello/hello-k8s
    custom:
       buildCommand: buildctl --addr tcp://10.233.98.169:1234 build  --progress=plain --frontend=dockerfile.v0  --local context=. --local dockerfile=. --output type=image,name=reg.harbor.com/hello/hello-k8s:"{{.FOO}}",compression=nydus,oci-mediatypes=true,push=true --opt filename=hello.dockerfile
  local:
    push: true

Parameters:

  • --addr tcp://10.233.98.169:1234: when containerized, this is the host and port of the svc
  • --local dockerfile=.: path of the dockerfile
  • --output name=reg.harbor.com/hello/hello-k8s:"{{.FOO}}": image tag
  • --opt filename: dockerfile file name

Everything else uses default values

4. Pod startup comparison: nydus image vs. OCI v1 image

Image | OCI v1 pull time | nydus pull time
wordpress | 12.26946259s | 1.879414943s

4.1. wordpress image

First pull the image and push it to your own registry, then convert it and push the result to your own registry, and start a k8s pod from the image

docker pull wordpress:latest
docker tag wordpress:latest reg.harbor.com/hello/wordpress:latest
docker push reg.harbor.com/hello/wordpress:latest
nydusify -D convert --nydus-image /usr/local/bin/nydus-image \
  --source reg.harbor.com/hello/wordpress:latest \
  --target reg.harbor.com/hello/wordpress:latest-nydus

4.1.1. Image pull time for the OCI v1 image container

Create wordpress-ociv1.yaml

apiVersion: v1
kind: Pod
metadata:
  name: wordpress-ociv1
spec:
  containers:
  - name: wordpress
    image: reg.harbor.com/hello/wordpress:latest
    imagePullPolicy: Always
    command:
      - sleep
      - "36000000000"
    resources:
      limits:
        cpu: "0.5"
        memory: "256Mi"
kubectl apply -f wordpress-ociv1.yaml
kubectl describe po wordpress-ociv1
Normal  Pulling    3m20s                 kubelet            Pulling image "reg.harbor.com/hello/wordpress:latest"
Normal  Pulled     3m7s                  kubelet            Successfully pulled image "reg.harbor.com/hello/wordpress:latest" in 12.26946259s

4.1.2. Image pull time for the nydus image container

Create wordpress-nydus.yaml

apiVersion: v1
kind: Pod
metadata:
  name: wordpress-nydus
spec:
  containers:
  - name: wordpress
    image: reg.harbor.com/hello/wordpress:latest-nydus
    imagePullPolicy: Always
    command:
      - sleep
      - "36000000000"
    resources:
      limits:
        cpu: "0.5"
        memory: "256Mi"
Normal  Pulling    40s                kubelet            Pulling image "reg.harbor.com/hello/wordpress:latest-nydus"
Normal  Pulled     39s                kubelet            Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus" in 1.879414943s

5. Issue log

5.1. Image fails to build

git clone https://github.com/nydusaccelerator/buildkit.git
cd buildkit
go build -tags=nydus -o ./bin/buildkitd ./cmd/buildkitd
mv ./bin/buildkitd /usr/bin/
chmod +x /usr/bin/buildkitd
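  • Stock buildkit does not support building the nydus format; it has to be recompiled with nydus support
  • The official buildkit has a bug when building large images; the nydus upstream repository has to be used

5.2. containerd command cheat sheet

container and task [7]

nerdctl is the main tool used

# Start a container
ctr run -d docker.io/library/nginx:alpine my-container
# List containers
ctr -n default c ls
# List tasks
ctr -n default task ls
# Delete a container
ctr -n default containers delete xxxxx
# Run an interactive command in a container
ctr task exec --tty --exec-id my-container my-container bash
# List images
ctr -n default images ls

# Get the manifest of a containerd image; first find the RepoDigests sha256
nerdctl inspect d88ba62a3cbb
cat /opt/docker/io.containerd.content.v1.content/blobs/sha256/d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3
# Convert an image and push it to the registry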
nydusify -D convert --nydus-image /usr/local/bin/nydus-image   --source  reg.harbor.com:443/library/golang@sha256:4b5cc6ca083856af8f58ab332f279b4401e1e46cc6d999957d5f88c563df24a7  --target reg.harbor.com:443/library/golang:1.18.7-nydus

nydusify -D convert --nydus-image /usr/local/bin/nydus-image   --source  ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5  --target reg.harbor.com/hello/ubuntu:nydus-nightly-v6

5.3. Image cannot be downloaded

nerdctl pull  ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5
ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5:                       resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:cb13d8b2c3b275fd392991b610e31462ab5dc588d4735b0c469ff867f86f617f:    exists         |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:d9ea5e7108f5405da73ae48972441da2ab976da640264c4c06e07a473ebb86c3: exists         |++++++++++++++++++++++++++++++++++++++|
config-sha256:d2197022013289d923e5b5aa9c9e22ec60bcdfa236948a02d24106b525f6171e:   exists         |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f264de8a417d8927c431ef2a74286e24d716c3447a96ef7c7bd95d3af4ab3331:    exists         |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c279d170bbf5c24d3b0b80bc1b49d147098d0f9f3f62cb010e98295b8d0e1f7c:    downloading    |+++++++++++++++++++++++++++++++++++++-| 31.0 MiB/31.1 MiB
docker.io/library/alpine:latest:                                                  resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:c0669ef34cdc14332c0f1ab0c2c01acb91d96014b172f1a76f3a39e63d1f0bda: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:5e2b554c1c45d22c9d1aa836828828e320a26011b76c08631ac896cbc3625e3e:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:8a49fdb3b6a5ff2bd8ec6a86c05b2922a0f7454579ecc07637e94dfd1d0639b6:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 44.9s                                                                    total:  3.2 Mi (73.9 KiB/s)
FATA[0045] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2023-05-15T21:27:17+08:00" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\" failed (add): incompatible CNI versions; config is \"1.0.0\", plugin supports [\"0.1.0\" \"0.2.0\" \"0.3.0\" \"0.3.1\" \"0.4.0\"]"
Failed to write to log, write /var/lib/nerdctl/1935db59/containers/default/286be294817095497aef32271dac13b13e02756166a010917420039060f9aa9c/oci-hook.createRuntime.log: file already closed: unknown

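Fix: upgrade CNI to v1.1.1

5.4. How to determine whether an image is a nydus image

How to determine whether an image is a nydus image [8]

5.4.1. Determining from the local manifest

If the image is in containerd

nerdctl inspect d88ba62a3cbb
# Find the RepoDigests sha256 d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3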
[
    {
        "Id": "sha256:13afb147bdb4382b43a833b646765dca8bc6fca92cc2a60b02e4fc718b356d97",
        "RepoTags": [
            "reg.harbor.com/hello/helloworld:v0.0.1"
        ],
        "RepoDigests": [
            "reg.harbor.com/hello/helloworld@sha256:d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3"
        ],
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2023-05-16T20:28:18.501558103+08:00",
        "Author": "",
        "Config": {
            "AttachStdin": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Entrypoint": [
                "/hello"
            ],
            "Labels": {
                "org.opencontainers.image.ref.name": "ubuntu",
                "org.opencontainers.image.version": "22.04"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 79822848,
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca",
                "sha256:95fc9a6f9c1a1ef74f6545d70c96011577f05741079cd8793aa134f4b1f51006",
                "sha256:719749732676f2e82e3baa4e1b0f5ea9cfa6aa83dde0c929a5ef8e78cacc7e24",
                "sha256:ed593dc031518310cd5ea3a5b20bfb2c73f6108badffb30b080de9edc251476d"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

View the manifest:

# containerd's default root is /var/lib/containerd
cat /var/lib/containerd/io.containerd.content.v1.content/blobs/sha256/d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3

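If the layers' mediaType is a nydus type (application/vnd.oci.image.layer.nydus.blob.v1 in the output below), the image is a nydus image.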

{
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "schemaVersion": 2,
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:13afb147bdb4382b43a833b646765dca8bc6fca92cc2a60b02e4fc718b356d97",
    "size": 2137
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca",
      "size": 32571260,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:95fc9a6f9c1a1ef74f6545d70c96011577f05741079cd8793aa134f4b1f51006",
      "size": 295017,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:719749732676f2e82e3baa4e1b0f5ea9cfa6aa83dde0c929a5ef8e78cacc7e24",
      "size": 1067099,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "digest": "sha256:bb55b253c36e5a008051aad37f2554a65ec6661476a08666d76e5ee1b84dbf4c",
      "size": 297871,
      "annotations": {
        "containerd.io/snapshot/nydus-blob-ids": "[\"f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca\",\"95fc9a6f9c1a1ef74f6545d70c96011577f05741079cd8793aa134f4b1f51006\",\"719749732676f2e82e3baa4e1b0f5ea9cfa6aa83dde0c929a5ef8e78cacc7e24\"]",
        "containerd.io/snapshot/nydus-bootstrap": "true",
        "containerd.io/snapshot/nydus-fs-version": ""
      }
    }
  ]
}

5.4.2. Check with nydusify check

nydusify check --target reg.harbor.com/hello/helloworld:v0.0.11-nydus-nightly-v5
INFO[2023-05-18T10:46:09+08:00] Parsing image reg.harbor.com/hello/helloworld:v0.0.11-nydus-nightly-v5
INFO[2023-05-18T10:46:11+08:00] Dumping OCI and Nydus manifests to ./output
INFO[2023-05-18T10:46:11+08:00] Pulling Nydus bootstrap to output/nydus_bootstrap
INFO[2023-05-18T10:46:11+08:00] Checking Nydus manifest
INFO[2023-05-18T10:46:11+08:00] Checking Nydus bootstrap
RAFS filesystem metadata is valid, referenced data blobs:
	 0: f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca, compressed data size 0x1e5beec, compressed file size 0x1e5c0ec, uncompressed file size 0x49b715a, chunks: 0x9d4, features: cap_toc tar-header
	 1: ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129, compressed data size 0x459da, compressed file size 0x45bda, uncompressed file size 0xb3c90, chunks: 0x1, features: cap_toc tar-header
	 2: 5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab, compressed data size 0x102213, compressed file size 0x102413, uncompressed file size 0x1ad499, chunks: 0x2, features: cap_toc tar-header
INFO[2023-05-18T10:46:11+08:00] Verified Nydus image reg.harbor.com/hello/helloworld:v0.0.11-nydus-nightly-v5

View the nydus manifest:

cat output/nydus_manifest.json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:f259d1eb0bf769d60aac8c78e4811a8eeefd811a27c24f6db6c36f72ac5c2324",
    "size": 2137
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca",
      "size": 32571260,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129",
      "size": 295018,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab",
      "size": 1067099,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "digest": "sha256:e26163305101a9bc6d05ad80945a8d360d99a48b0d3ef070cf0c2137655b6115",
      "size": 297868,
      "annotations": {
        "containerd.io/snapshot/nydus-blob-ids": "[\"f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca\",\"ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129\",\"5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab\"]",
        "containerd.io/snapshot/nydus-bootstrap": "true",
        "containerd.io/snapshot/nydus-fs-version": ""
      }
    }
  ]
}

5.5. nydus snapshotter fails to start

Another nydus-snapshotter process may already be running; check with ps -ef|grep containerd-nydus-grpc

/usr/local/bin/containerd-nydus-grpc --root /opt/docker/io.containerd.snapshotter.v1.nydus --config-path /etc/nydus/nydusd-config.fusedev.json --config /etc/nydus/config.toml --log-to-stdout --log-level trace
INFO[2023-05-17T15:08:33.047605411+08:00] Start nydus-snapshotter. PID 25641 Version v0.8.0 FsDriver fusedev DaemonMode multiple
FATA[2023-05-17T15:08:37.018373244+08:00] failed to start nydus-snapshotter             error="failed to initialize snapshotter: create database: timeout"

5.6. buildkit fails to build a nydus image

buildctl  build  --progress=plain --frontend=dockerfile.v0  --local context=.  --local dockerfile=.  --output type=image,name=reg.harbor.com/hello/helloworld:v0.0.4-nydus-from-golang,compression=nydus,oci-mediatypes=true,push=true
#6 [2/2] COPY hello /
#6 ERROR: mount callback failed on /run/user/0/containerd-mount2534958279: apply nydus blob: unpack nydus blob: unpack nydus tar: unpack bootstrap from nydus: parse tar header: rpc error: code = OutOfRange desc = read past object length 54797046 bytes
------
 > [2/2] COPY hello /:
------
Dockerfile:2
--------------------
   1 |     FROM reg.harbor.com/library/golang:1.18.7-nydus
   2 | >>> COPY hello /
   3 |     ENTRYPOINT [ "/hello" ]
   4 |
--------------------
error: failed to solve: OutOfRange: failed to compute cache key: mount callback failed on /run/user/0/containerd-mount2534958279: apply nydus blob: unpack nydus blob: unpack nydus tar: unpack bootstrap from nydus: parse tar header: rpc error: code = OutOfRange desc = read past object length 54797046 bytes

nydus-image log

time="2023-05-17T15:34:24+08:00" level=debug msg="saved dapdgw7aeqou4bbcymhfxc94n as context:context:" span="[internal] load build context" spanID=7108c9f5c020f1dd traceID=3841af58efa9339c11d3c4107ad1e65a
time="2023-05-17T15:34:24+08:00" level=error msg="/moby.buildkit.v1.Control/Solve returned error: rpc error: code = Unknown desc = failed to compute cache key: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown"
failed to compute cache key: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown
20015 0.0.0+unknown buildkitd --config /etc/buildkit/buildkitd.toml
github.com/moby/buildkit/solver.(*edge).createInputRequests.func1.1
	/root/buildkit/solver/edge.go:839
github.com/moby/buildkit/solver/internal/pipe.NewWithFunction.func2
	/root/buildkit/solver/internal/pipe/pipe.go:82
runtime.goexit
	/root/sdk/go1.18/src/runtime/asm_amd64.s:1571

20015 0.0.0+unknown buildkitd --config /etc/buildkit/buildkitd.toml
main.unaryInterceptor.func1
	/root/buildkit/cmd/buildkitd/main.go:576
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1
	/root/buildkit/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:25
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1
	/root/buildkit/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:34
github.com/moby/buildkit/api/services/control._Control_Solve_Handler
	/root/buildkit/api/services/control/control.pb.go:2440
google.golang.org/grpc.(*Server).processUnaryRPC
	/root/buildkit/vendor/google.golang.org/grpc/server.go:1340
google.golang.org/grpc.(*Server).handleStream
	/root/buildkit/vendor/google.golang.org/grpc/server.go:1713
google.golang.org/grpc.(*Server).serveStreams.func1.2
	/root/buildkit/vendor/google.golang.org/grpc/server.go:965
runtime.goexit
	/root/sdk/go1.18/src/runtime/asm_amd64.s:1571

After building buildkit from nydusaccelerator/buildkit, the problem did not reproduce.

5.7. Images from the dragonflyoss repository cannot be inspected

 nerdctl inspect ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xda8eb3]

goroutine 1 [running]:
github.com/containerd/nerdctl/pkg/inspecttypes/dockercompat.ImageFromNative(0xc0006cc000)
	/home/runner/work/nerdctl/nerdctl/pkg/inspecttypes/dockercompat/dockercompat.go:297 +0x253
github.com/containerd/nerdctl/pkg/cmd/image.Inspect.func1({0x13f0190?, _}, {{{0xc0006b0280, 0x3a}, 0x0, {{0xc0006ae0c0, 0x27}, {0xc0006c0050, 0x47}, 0x248, ...}, ...}, ...})
	/home/runner/work/nerdctl/nerdctl/pkg/cmd/image/inspect.go:52 +0x205
github.com/containerd/nerdctl/pkg/idutil/imagewalker.(*ImageWalker).Walk(0xc000547568, {0x13f0190, 0xc00014cd20}, {0x7ffc1ceb0732, 0x3a})
	/home/runner/work/nerdctl/nerdctl/pkg/idutil/imagewalker/imagewalker.go:81 +0x666
github.com/containerd/nerdctl/pkg/idutil/imagewalker.(*ImageWalker).WalkAll(0x0?, {0x13f0190, 0xc00014cd20}, {0xc0005477c0?, 0x1, 0x103b5e0?}, 0x1)
	/home/runner/work/nerdctl/nerdctl/pkg/idutil/imagewalker/imagewalker.go:98 +0xea
github.com/containerd/nerdctl/pkg/cmd/image.Inspect({_, _}, _, {_, _, _}, {{0x13e7d20, 0xc00012e008}, {0x0, 0x0, ...}, ...})
	/home/runner/work/nerdctl/nerdctl/pkg/cmd/image/inspect.go:64 +0x1a6
main.inspectAction(0xc000382600, {0xc00034e040, 0x1, 0x1?})
	/home/runner/work/nerdctl/nerdctl/cmd/nerdctl/inspect.go:147 +0xb7c
github.com/spf13/cobra.(*Command).execute(0xc000382600, {0xc000120170, 0x1, 0x1})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:940 +0x862
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004300)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:992
main.xmain()
	/home/runner/work/nerdctl/nerdctl/cmd/nerdctl/main.go:136 +0x9f
main.main()
	/home/runner/work/nerdctl/nerdctl/cmd/nerdctl/main.go:119 +0x19

Cause unknown.

5.8. Differences between nydus and OCI image manifests

  • ociv1 [9]
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 7023,
    "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "size": 32654,
      "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0"
    },
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "size": 16724,
      "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
    },
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "size": 73109,
      "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
    }
  ],
  "subject": {
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "size": 7682,
    "digest": "sha256:5b0bcabd1ed22e9fb1310cf6c2dec7cdef19f0ad69efa1f392e94a4333501270"
  },
  "annotations": {
    "com.example.key1": "value1",
    "com.example.key2": "value2"
  }
}
  • docker v2.2
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4710,
         "digest": "sha256:016db0f74f4d70593d50a571e76792f1223971e14fb791f9f6fbef3695846295",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4708,
         "digest": "sha256:1a3cd94d36b750c10782c41bf88458128686cf9b5b81da4bb136dae7c11e439f",
         "platform": {
            "architecture": "arm",
            "os": "linux",
            "variant": "v5"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4708,
         "digest": "sha256:fac5d849d932a3a33d421f2918d6b36214fb8f048a04533e95bba5a1da263dc5",
         "platform": {
            "architecture": "arm",
            "os": "linux",
            "variant": "v7"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4709,
         "digest": "sha256:6196a365b5ac3c585d65aeb73b68810fc9a24453d5e78ae6a8f229a0d8edf060",
         "platform": {
            "architecture": "arm64",
            "os": "linux",
            "variant": "v8"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4710,
         "digest": "sha256:1703758d9c663476da8b6e3ae929a359633d93f217dabb75fc09bda99b46aa84",
         "platform": {
            "architecture": "386",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4708,
         "digest": "sha256:d4089c75201a6f692e55a9b5480ab7bb94a58937d4452d444f06863324d1ccd5",
         "platform": {
            "architecture": "mips64le",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4710,
         "digest": "sha256:bc495de2c53f8e0df08ee58ab06ef2e4fae9304826f649c8285c27a3ee9674eb",
         "platform": {
            "architecture": "ppc64le",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 4708,
         "digest": "sha256:bb98ee8ed8c2bf30b82a612775d9218cde446a7ea342d58b1826b2b29aeccaad",
         "platform": {
            "architecture": "s390x",
            "os": "linux"
         }
      }
   ]
}
  • nydus
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:f259d1eb0bf769d60aac8c78e4811a8eeefd811a27c24f6db6c36f72ac5c2324",
    "size": 2137
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca",
      "size": 32571260,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129",
      "size": 295018,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.nydus.blob.v1",
      "digest": "sha256:5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab",
      "size": 1067099,
      "annotations": {
        "containerd.io/snapshot/nydus-blob": "true"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "digest": "sha256:e26163305101a9bc6d05ad80945a8d360d99a48b0d3ef070cf0c2137655b6115",
      "size": 297868,
      "annotations": {
        "containerd.io/snapshot/nydus-blob-ids": "[\"f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca\",\"ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129\",\"5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab\"]",
        "containerd.io/snapshot/nydus-bootstrap": "true",
        "containerd.io/snapshot/nydus-fs-version": ""
      }
    }
  ]
}
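
The manifest check from 5.4.1 and the comparison in 5.8, as an added example (not code from the original post or from the nydus project): a Python classifier that reads a manifest such as the blob file under /var/lib/containerd or output/nydus_manifest.json. The function names and sample digests are constructed, and it assumes, as in both nydus manifests on this page, that each id in nydus-blob-ids is the hex digest of a nydus blob layer.

```python
import json
import sys

# Media type and annotation keys exactly as they appear in the manifests on this page.
NYDUS_BLOB = "application/vnd.oci.image.layer.nydus.blob.v1"
ANNO_BLOB = "containerd.io/snapshot/nydus-blob"
ANNO_BOOTSTRAP = "containerd.io/snapshot/nydus-bootstrap"
ANNO_BLOB_IDS = "containerd.io/snapshot/nydus-blob-ids"
ANNO_FS_VERSION = "containerd.io/snapshot/nydus-fs-version"


def _anno(layer):
    return layer.get("annotations") or {}


def classify_manifest(manifest):
    """Return a report: kind is 'index', 'oci' or 'nydus'; problems lists inconsistencies."""
    if "manifests" in manifest:
        # Manifest list (the docker v2.2 example): pick one platform entry, then re-check it.
        return {"kind": "index", "problems": [],
                "children": [m.get("digest") for m in manifest["manifests"]]}

    layers = manifest.get("layers", [])
    blobs = [l for l in layers
             if l.get("mediaType") == NYDUS_BLOB or _anno(l).get(ANNO_BLOB) == "true"]
    bootstraps = [l for l in layers if _anno(l).get(ANNO_BOOTSTRAP) == "true"]
    if not blobs and not bootstraps:
        return {"kind": "oci", "problems": []}

    problems = []
    report = {"kind": "nydus", "blob_layers": len(blobs), "fs_version": None,
              "problems": problems}
    if len(bootstraps) != 1:
        problems.append("expected exactly one bootstrap layer, found %d" % len(bootstraps))
        return report
    boot = bootstraps[0]
    report["fs_version"] = _anno(boot).get(ANNO_FS_VERSION) or None
    if layers[-1] is not boot:
        problems.append("bootstrap layer is not the last layer")

    # nydus-blob-ids is a JSON array stored as a string; the layer in 5.12 shows it can be absent.
    raw_ids = _anno(boot).get(ANNO_BLOB_IDS)
    if raw_ids is None:
        return report
    try:
        ids = json.loads(raw_ids)
        if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
            raise ValueError("not a list of strings")
    except ValueError:
        problems.append("nydus-blob-ids is not a JSON array of strings")
        return report
    # Assumption: each id equals the hex part of a blob layer digest, as on this page.
    digests = {l.get("digest", "").rpartition(":")[2] for l in blobs}
    for missing in sorted(set(ids) - digests):
        problems.append("bootstrap references blob %s that is not a layer" % missing[:12])
    for extra in sorted(digests - set(ids)):
        problems.append("blob layer %s is not referenced by the bootstrap" % extra[:12])
    return report


def sample_manifest(blob_ids, with_nydus=True):
    """Constructed sample shaped like the manifests in 5.8; the digests are made up."""
    def layer(ch, media_type, annotations=None):
        entry = {"mediaType": media_type, "digest": "sha256:" + ch * 64, "size": 1}
        if annotations:
            entry["annotations"] = annotations
        return entry

    gzip = "application/vnd.oci.image.layer.v1.tar+gzip"
    if with_nydus:
        layers = [layer("a", NYDUS_BLOB, {ANNO_BLOB: "true"}),
                  layer("b", NYDUS_BLOB, {ANNO_BLOB: "true"}),
                  layer("c", gzip, {ANNO_BLOB_IDS: json.dumps(blob_ids),
                                    ANNO_BOOTSTRAP: "true", ANNO_FS_VERSION: ""})]
    else:
        layers = [layer("a", gzip), layer("b", gzip)]
    return {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "layers": layers}


if __name__ == "__main__":
    # With a path argument, check that manifest file; without one, check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = sample_manifest(["a" * 64, "b" * 64])
    print(json.dumps(classify_manifest(doc), indent=2))
```

A non-empty problems list on a nydus manifest means the bootstrap and the blob layers disagree, which is worth resolving before the image is handed to nydus-snapshotter.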

5.9. Warning when listing built images

nerdctl images
WARN[0000] failed to get unpacked size of image "reg.harbor.com/hello/helloworld:v0.0.7-nydus-nightly-v5" for platform "linux/amd64"  error="snapshot sha256:0ee114e6b61fec8478b90a426bdcbbc145d5857d84822922152dc8e09111f391 does not exist: not found"
REPOSITORY                            TAG                        IMAGE ID        CREATED           PLATFORM       SIZE     BLOB SIZE
reg.harbor.com/hello/helloworld    v0.0.7-nydus-nightly-v5    484d07c284ad    33 seconds ago    linux/amd64    0.0 B    345.5 MiB

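This is a local image storage problem; deleting the local image resolves it. The root cause is not yet known.

5.10. Problem: nydus images built with buildkit cannot be run, while running ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5 works

  • Symptom:

A nydus image built with buildkit cannot be run, while running ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5 works. The same happens with the nerdctl command.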

ctr run -d reg.harbor.com/hello/helloworld:v0.0.10-nydus-nightly-v5  hello

Error output:

INFO[0000] apply failure, attempting cleanup             error="failed to extract layer sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown" key="extract-962072102-FeAw sha256:f5294af206581b011d1423a0b7c580b44338d6fb790eaf0ebdcc838fcb107d29"
ctr: failed to extract layer sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown

After the build, listing images with nerdctl shows a warning:

 nerdctl images
WARN[0000] failed to get unpacked size of image "reg.harbor.com/hello/helloworld:v0.0.10-nydus-nightly-v5" for platform "linux/amd64"  error="snapshot sha256:66e2cbc88c92b00741c687d56bedd11654d45c08dec2fcb38406683fb2695135 does not exist: not found"
REPOSITORY                                   TAG                         IMAGE ID        CREATED           PLATFORM       SIZE        BLOB SIZE
xxxx/hello/helloworld           v0.0.10-nydus-nightly-v5    b3faf19db1a6    11 minutes ago    linux/amd64    0.0 B       32.6 MiB

containerd configuration:

[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

[plugins."io.containerd.grpc.v1.cri".containerd]
   snapshotter = "nydus"
   disable_snapshot_annotations = false
   discard_unpacked_layers = false
  • Environment
    • containerd containerd.io 1.6.6 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
    • buildkitd -v buildkitd github.com/moby/buildkit v0.0.0+unknown, built from https://github.com/nydusaccelerator/buildkit.git
    • nerdctl -v nerdctl version 1.3.1; the snapshotter is specified in /etc/nerdctl/nerdctl.toml
    debug          = false
    debug_full     = false
    address        = "unix:///var/run/containerd/containerd.sock"
    namespace      = "default"
    snapshotter    = "nydus"
    experimental   = true
    
    • buildkitd start command
    NYDUS_BUILDER=/usr/bin/nydus-image buildkitd --oci-worker-snapshotter=nydus --config /etc/buildkit/buildkitd.toml
    
    • Build command
    buildctl  build  --progress=plain --frontend=dockerfile.v0  --local context=.  --local dockerfile=.  --output type=image,name=xxxx/helloworld:v0.0.10-nydus-nightly-v5,compression=nydus,oci-mediatypes=true
    

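This is a local image storage problem, the same as above: it is a nydus-snapshotter + fusedev issue whose details are not yet known. Delete the local image and use the remote image.

5.11. Running an oci-ref image leaves the nydusd process in Z state

Using a nydus zran artifact

Starting a container from a zran artifact image leaves the nydusd process in D state

5.11.1. Symptom

  • The pod cannot start; describe po output: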
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  33s                default-scheduler  Successfully assigned default/busybox-nydus-oci-ref to node1
  Normal   Pulled     31s                kubelet            Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref" in 1.035131143s
  Normal   Pulled     25s                kubelet            Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref" in 119.347118ms
  Warning  Failed     19s (x2 over 25s)  kubelet            Error: failed to create containerd container: wait until daemon is RUNNING: get daemon state: daemon socket /var/lib/containerd-nydus/socket/cho77etp707gng95ic00/api.sock: not found
  Normal   Pulling    5s (x3 over 32s)   kubelet            Pulling image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref"
  Normal   Pulled     5s                 kubelet            Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref" in 101.618808ms
  • nydus-snapshotter log:
[2023-05-26 08:54:19.401685 +00:00] INFO [app/src/lib.rs:74] Program Version: v2.1.5, Git Commit: "ef2033c2e21d36938410069f07d32a5095a19398", Build Time: "2023-03-09T10:09:03.563891101Z", Profile: "release", Rustc Version: "rustc 1.61.0 (fe5b13d68 2022-05-18)"
[2023-05-26 08:54:19.401791 +00:00] INFO [src/bin/nydusd/main.rs:514] Set rlimit-nofile to 1000000, maximum 1048576
[2023-05-26 08:54:19.402224 +00:00] DEBUG [/cargo/registry/src/github.com-1ecc6299db9ec823/fuse-backend-rs-0.9.6/src/api/pseudo_fs.rs:161] pseudo fs iterate "/"
[2023-05-26 08:54:19.402452 +00:00] INFO [rafs/src/metadata/md_v6.rs:47] rafs superblock features: DIGESTER_SHA256 | EXPLICIT_UID_GID | HAS_XATTR | COMPRESS_GZIP | PRESERVED_INLINED_CHUNK_DIGEST
[2023-05-26 08:54:19.402573 +00:00] ERROR [rafs/src/metadata/layout/v6.rs:1375] RafsV6Blob: idx 0 invalid ci_digest
[2023-05-26 08:54:19.402588 +00:00] ERROR [error/src/error.rs:21] Error:
	"invalid Rafs v6 blob entry"
	at rafs/src/metadata/layout/v6.rs:1495
	note: enable `RUST_BACKTRACE=1` env to display a backtrace
[2023-05-26 08:54:19.402630 +00:00] ERROR [error/src/error.rs:21] Error:
	Rafs(FillSuperblock(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }))
	at src/bin/nydusd/daemon.rs:140
	note: enable `RUST_BACKTRACE=1` env to display a backtrace
[2023-05-26 08:54:19.402669 +00:00] ERROR [src/bin/nydusd/main.rs:664] Failed in starting daemon: Invalid argument (os error 22)
Error: Os { code: 22, kind: InvalidInput, message: "Invalid argument" }
time="2023-05-26T08:54:19.404707985Z" level=error msg="Process 14029 has been a zombie"
time="2023-05-26T08:54:19.404759638Z" level=error msg="Nydusd cho77etp707gng95ic00 probably not started"
time="2023-05-26T08:54:19.412716804Z" level=error msg="Process 14029 has been a zombie"
time="2023-05-26T08:54:19.579192096Z" level=error msg="Process 14029 has been a zombie"
time="2023-05-26T08:54:19.719630411Z" level=error msg="Process 14029 has been a zombie"
time="2023-05-26T08:54:19.853129550Z" level=error msg="Process 14029 has been a zombie"
time="2023-05-26T08:54:20.023548928Z" level=error msg="Process 14029 has been a zombie"
time="2023-05-26T08:54:20.181968604Z" level=error msg="Process 14029 has been a zombie"
  • The process has entered Z state:
[root@node1 nydus]# ps -ef|grep 14029
root     14029 22492  0 08:54 ?        00:00:00 [nydusd] <defunct>
root     16385 15474  0 08:56 pts/2    00:00:00 grep --color=auto 14029

5.11.2. Solution

oci ref requires nydus-image/nydusd 2.2
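
The triage done by hand in 5.11.1, as an added example (not code from the original post or from the nydus project): a Python pass over a mixed nydus-snapshotter/nydusd log that extracts the nydusd version, its startup errors and the zombie PIDs, and compares the version with the 2.2 requirement above. The function names are hypothetical and the sample lines are abridged from the log shown in 5.11.1.

```python
import re

# nydusd (Rust) lines: "[timestamp] LEVEL [file.rs:line] message". The leading "[" is
# optional so a line that lost its first character in copy/paste still parses.
RUST_LINE = re.compile(
    r'^\[?(?P<ts>\d{4}-\d\d-\d\d [^\]]+)\]\s+(?P<level>[A-Z]+)\s+\[(?P<src>[^\]]+)\]\s*(?P<msg>.*)$')
# nydus-snapshotter (Go, logrus) lines: time="..." level=... msg="..."
LOGRUS_LINE = re.compile(
    r'^time="(?P<ts>[^"]+)"\s+level=(?P<level>\w+)\s+msg="(?P<msg>(?:[^"\\]|\\.)*)"')
VERSION = re.compile(r'Program Version: v(\d+)\.(\d+)\.(\d+)')
ZOMBIE = re.compile(r'Process (\d+) has been a zombie')
MIN_OCI_REF = (2, 2)  # from 5.11.2: oci ref requires nydus-image/nydusd 2.2


def parse(lines):
    """Merge both formats into records; indented lines continue the previous nydusd record."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        m = RUST_LINE.match(line)
        if m:
            records.append({"origin": "nydusd", "level": m["level"].lower(),
                            "src": m["src"], "msg": m["msg"]})
            continue
        m = LOGRUS_LINE.match(line)
        if m:
            records.append({"origin": "snapshotter", "level": m["level"],
                            "src": None, "msg": m["msg"]})
            continue
        if line[:1] in (" ", "\t") and records and records[-1]["origin"] == "nydusd":
            records[-1]["msg"] += " " + line.strip()
    return records


def triage(lines):
    """Summarise a log: nydusd version, nydusd errors, zombie PIDs and derived findings."""
    version, errors, zombies = None, [], {}
    for rec in parse(lines):
        if rec["origin"] == "nydusd":
            found = VERSION.search(rec["msg"])
            if found:
                version = tuple(int(part) for part in found.groups())
            if rec["level"] == "error":
                errors.append((rec["src"], rec["msg"]))
        z = ZOMBIE.search(rec["msg"])
        if z:
            pid = int(z.group(1))
            zombies[pid] = zombies.get(pid, 0) + 1

    findings = []
    if zombies and errors:
        findings.append("nydusd exited during startup; first error: %s (%s)"
                        % (errors[0][1], errors[0][0]))
    rafs_error = any("RafsV6" in msg or "Rafs v6" in msg for _, msg in errors)
    if version and version[:2] < MIN_OCI_REF and rafs_error:
        findings.append("nydusd v%d.%d.%d is older than 2.2, which 5.11.2 gives as the "
                        "requirement for oci ref images" % version)
    return {"nydusd_version": version, "nydusd_errors": errors,
            "zombie_pids": zombies, "findings": findings}


# Sample input abridged from the log in 5.11.1.
SAMPLE_LOG = [
    '[2023-05-26 08:54:19.401685 +00:00] INFO [app/src/lib.rs:74] Program Version: v2.1.5, Profile: "release"',
    '[2023-05-26 08:54:19.402573 +00:00] ERROR [rafs/src/metadata/layout/v6.rs:1375] RafsV6Blob: idx 0 invalid ci_digest',
    '[2023-05-26 08:54:19.402588 +00:00] ERROR [error/src/error.rs:21] Error:',
    '\t"invalid Rafs v6 blob entry"',
    '\tat rafs/src/metadata/layout/v6.rs:1495',
    '[2023-05-26 08:54:19.402669 +00:00] ERROR [src/bin/nydusd/main.rs:664] Failed in starting daemon: Invalid argument (os error 22)',
    'time="2023-05-26T08:54:19.404707985Z" level=error msg="Process 14029 has been a zombie"',
    'time="2023-05-26T08:54:19.404759638Z" level=error msg="Nydusd cho77etp707gng95ic00 probably not started"',
    'time="2023-05-26T08:54:19.412716804Z" level=error msg="Process 14029 has been a zombie"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```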

5.12. nydus and OCI images take the same time to pull

When a container is created from a nydus image, only the last layer is loaded at first, so it is fast.

{
  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
  "digest": "sha256:ff67b2807cdb0005ac0137bb8d5a4cf453fead83247082f56351fa2ecc3acba0",
  "size": 1134668,
  "annotations": {
    "containerd.io/snapshot/nydus-bootstrap": "true",
    "containerd.io/snapshot/nydus-fs-version": "6"
  }
}

When comparing, remember to delete any images already present locally.

  • Edit the configmap and add the nydus.toml configuration
kubectl edit cm -n nydus-system  nydus-snapshotter
apiVersion: v1
data:
  config.json: |-
    ...
  nydus.toml: |-
    version = 1
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
    daemon_mode = "multiple"
    cleanup_on_close = false
    [system]
    enable = true
    address = "/run/containerd-nydus/system.sock"
    [system.debug]
    daemon_cpu_profile_duration_secs = 5
    pprof_address = ""
    [daemon]
    nydusd_path = "/usr/local/bin/nydusd"
    nydusimage_path = "/usr/local/bin/nydus-image"
    fs_driver = "fusedev"
    recover_policy = "restart"
    nydusd_config = "/etc/nydus/config.json"
    threads_number = 10
    [log]
    log_to_stdout = false
    level = "debug"
    log_rotation_compress = true
    log_rotation_local_time = true
    log_rotation_max_age = 7
    log_rotation_max_backups = 5
    log_rotation_max_size = 1
    [metrics]
    address = ":9110"
    [remote]
    convert_vpc_registry = false
    [remote.mirrors_config]
    dir = ""
    [remote.auth]
    enable_kubeconfig_keychain = false
    kubeconfig_path = ""
    enable_cri_keychain = false
    image_service_address = ""
    [snapshot]
    enable_nydus_overlayfs = false
    sync_remove = false
    [cache_manager]
    disable = false
    gc_period = "24h"
    [image]
    public_key_file = ""
    validate_signature = false
    [experimental]
    enable_stargz = false
    enable_referrer_detect = false
  • Restart nydus-snapshotter

Remove the following from /etc/containerd/config.toml:

[plugins."io.containerd.grpc.v1.cri".containerd]
discard_unpacked_layers = false
disable_snapshot_annotations = false
snapshotter = "nydus"
[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

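Restart containerd:

systemctl restart containerd

Delete the nydus-snapshot container.

Then create it again.

5.12.1. nydus-snapshotter log when starting a nydus image

For a nydus image the log contains .rs output; this part comes from the nydus code, which is written in Rust.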

time="2023-05-26T11:04:29.478658593Z" level=info msg="[Mounts] snapshot k8s.io/699/987c0c48cdfcbd8b451e7c892d2b922305c3c2fa07e2741ae5d003792dff96f9 ID 457 Kind Active"
time="2023-05-26T11:04:29.838641967Z" level=info msg="[Commit] snapshot with key \"k8s.io/700/extract-821649751-v57_ sha256:17f262ebfabe0a80a19356d4acdde01515c6488b4baf9f474ba805b205be6bcd\" snapshot id 458"
time="2023-05-26T11:04:29.862232365Z" level=info msg="[Commit] snapshot with key \"k8s.io/701/extract-848480697-roQj sha256:4969b12a639d311e01eb2997dca25b3ff4c15297cf1c4332246efc3da416ed90\" snapshot id 459"
time="2023-05-26T11:04:29.884272468Z" level=info msg="[Commit] snapshot with key \"k8s.io/702/extract-875046240-ES_o sha256:eea7439600aea67d552929f639492138db7736625ce46442b556a6773a7e65ad\" snapshot id 460"
time="2023-05-26T11:04:29.902972106Z" level=info msg="[Commit] snapshot with key \"k8s.io/703/extract-893877298-M0p7 sha256:995607f2a156cd5d860cc6cf21d5924430eea1497344c187cef6d8cb5958f08d\" snapshot id 461"
time="2023-05-26T11:04:29.930234997Z" level=info msg="[Commit] snapshot with key \"k8s.io/704/extract-921174867-zDfC sha256:977a5025ef78849159b33940f21f7bc078a4b449a197bf5a84809d18eafa2ecc\" snapshot id 462"
time="2023-05-26T11:04:29.953002744Z" level=info msg="[Commit] snapshot with key \"k8s.io/705/extract-940269515-m4B7 sha256:5008756b9b3af58134566161e811ab255d360cb9f6c03db6be9d1a82b10ea1ce\" snapshot id 463"
time="2023-05-26T11:04:29.985446333Z" level=info msg="[Commit] snapshot with key \"k8s.io/706/extract-963184826-zC2V sha256:dbb29c913fcddebd164aff00387b0cf2ae2605ca7c3ff8ae7fc81e3770c09d6d\" snapshot id 464"
time="2023-05-26T11:04:30.009608437Z" level=info msg="[Commit] snapshot with key \"k8s.io/707/extract-994808807-KS4S sha256:1dc2d75a8c5b4572fcaeb4ee74ee4a34f1f557cf380d85560bea88ddf8e656f1\" snapshot id 465"
time="2023-05-26T11:04:30.034452304Z" level=info msg="[Commit] snapshot with key \"k8s.io/708/extract-19386797-sAab sha256:2e352e3c2a94ff6a53bda70e8c78f1c0061bc5c09918d42f10ee42ca0ea6e05d\" snapshot id 466"
time="2023-05-26T11:04:30.051992401Z" level=info msg="[Commit] snapshot with key \"k8s.io/709/extract-43376118-0fYc sha256:c4655b7ee2454381d27aae6af1bbf99061da67f84943ebf11657db9841d2ce34\" snapshot id 467"
time="2023-05-26T11:04:30.069947216Z" level=info msg="[Commit] snapshot with key \"k8s.io/710/extract-61015950-IVNU sha256:c1775d8affc2abbc45ed4051e72fa8083f624f1a52f938e3dd4017ff2a551216\" snapshot id 468"
time="2023-05-26T11:04:30.088621057Z" level=info msg="[Commit] snapshot with key \"k8s.io/711/extract-79602317-8xBS sha256:7cd39c27735b21390c4f959ca1e12d38c2b73a5f173f5ffd1ee313fee85e317e\" snapshot id 469"
time="2023-05-26T11:04:30.107545892Z" level=info msg="[Commit] snapshot with key \"k8s.io/712/extract-98392114-LQ31 sha256:e835052588cf3a25d66b8a4f683b381ec2314cd293a61d7405861aedce7f1d8f\" snapshot id 470"
time="2023-05-26T11:04:30.138067726Z" level=info msg="[Commit] snapshot with key \"k8s.io/713/extract-129097712-x2We sha256:413163a369a3f699e6971333b345cb9655d22d8850e1713e20766dcc5fc6cf2d\" snapshot id 471"
time="2023-05-26T11:04:30.158431236Z" level=info msg="[Commit] snapshot with key \"k8s.io/714/extract-148574340-w72W sha256:856e93d9260062e3351e85ff977859c11f1c6fcaf4d7de56c50a4a40936ea6dc\" snapshot id 472"
time="2023-05-26T11:04:30.181674205Z" level=info msg="[Commit] snapshot with key \"k8s.io/715/extract-170870922-OaK7 sha256:bfdfb86a11099f8dfdcecb08a46dee87408cb00dedbb69d8c41bd4524e661fb6\" snapshot id 473"
time="2023-05-26T11:04:30.202089436Z" level=info msg="[Commit] snapshot with key \"k8s.io/716/extract-192117639-MjNO sha256:205b438eb857a4428cdfc1a492c3e9e445a7f6aad780f69b082e28471216c9a2\" snapshot id 474"
time="2023-05-26T11:04:30.224765412Z" level=info msg="[Commit] snapshot with key \"k8s.io/717/extract-214032149-U7eo sha256:a72248b4d79a6915f529bb00b97b576fec938895d81c0ebb125a02dd76f91169\" snapshot id 475"
time="2023-05-26T11:04:30.244866341Z" level=info msg="[Commit] snapshot with key \"k8s.io/718/extract-234486897-32MC sha256:f0fc4ec3e74f3762cc5c68435c8c93fb92fcac6ae34053cae00ae90dcafceab6\" snapshot id 476"
time="2023-05-26T11:04:30.428447831Z" level=info msg="[Commit] snapshot with key \"k8s.io/719/extract-255443005-VBbE sha256:3be1111cf1b2f35366acf9d164434690af4860fe8415c7be30faae3de1fde0f3\" snapshot id 477"
time="2023-05-26T11:04:30.495389473Z" level=info msg="Prepares active snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481, nydusd should start afterwards" key=k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 parent="k8s.io/720/sha256:3be1111cf1b2f35366acf9d164434690af4860fe8415c7be30faae3de1fde0f3"
time="2023-05-26T11:04:30.501028169Z" level=info msg="nydusd command: /usr/local/bin/nydusd fuse --config /var/lib/containerd-nydus/config/cho94flp707i10bb5ddg/config.json --bootstrap /var/lib/containerd-nydus/snapshots/477/fs/image/image.boot --mountpoint /var/lib/containerd-nydus/snapshots/477/mnt --apisock /var/lib/containerd-nydus/socket/cho94flp707i10bb5ddg/api.sock --log-level debug"
[2023-05-26 11:04:30.503482 +00:00] INFO [app/src/lib.rs:74] Program Version: v2.1.5, Git Commit: "ef2033c2e21d36938410069f07d32a5095a19398", Build Time: "2023-03-09T10:09:03.563891101Z", Profile: "release", Rustc Version: "rustc 1.61.0 (fe5b13d68 2022-05-18)"
[2023-05-26 11:04:30.503560 +00:00] INFO [src/bin/nydusd/main.rs:514] Set rlimit-nofile to 1000000, maximum 1048576
[2023-05-26 11:04:30.504138 +00:00] INFO [rafs/src/metadata/md_v6.rs:47] rafs superblock features: DIGESTER_BLAKE3 | EXPLICIT_UID_GID | HAS_XATTR | COMPRESS_ZSTD | PRESERVED_INLINED_CHUNK_DIGEST
[2023-05-26 11:04:30.504414 +00:00] INFO [storage/src/backend/connection.rs:263] backend config: ConnectionConfig { proxy: ProxyConfig { url: "", ping_url: "", fallback: false, check_interval: 5, use_http: false }, mirrors: [], skip_verify: false, timeout: 5, connect_timeout: 5, retry_limit: 2 }
[2023-05-26 11:04:30.631601 +00:00] INFO [storage/src/backend/registry.rs:271] cached bearer auth, next time: 1685100870
[2023-05-26 11:04:30.647334 +00:00] INFO [storage/src/backend/registry.rs:271] cached bearer auth, next time: 1685100870
[2023-05-26 11:04:30.668014 +00:00] INFO [storage/src/backend/registry.rs:271] cached bearer auth, next time: 1685100870
[2023-05-26 11:04:30.918676 +00:00] INFO [src/bin/nydusd/fs_service.rs:206] Rafs imported
[2023-05-26 11:04:30.920073 +00:00] INFO [src/bin/nydusd/fs_service.rs:102] Rafs mounted at /
[2023-05-26 11:04:30.920318 +00:00] INFO [/cargo/registry/src/github.com-1ecc6299db9ec823/fuse-backend-rs-0.9.6/src/transport/fusedev/linux_session.rs:337] mount source rafs dest /var/lib/containerd-nydus/snapshots/477/mnt with fstype fuse opts default_permissions,allow_other,fd=3,rootmode=40000,user_id=0,group_id=0 fd 3
[2023-05-26 11:04:30.920759 +00:00] INFO [src/bin/nydusd/daemon.rs:330] State machine(pid=32141): from Init to Ready, input [Mount], output [None]
[2023-05-26 11:04:30.921167 +00:00] INFO [src/bin/nydusd/daemon.rs:330] State machine(pid=32141): from Ready to Running, input [Start], output [Some(StartService)]
[2023-05-26 11:04:30.921189 +00:00] INFO [src/bin/nydusd/fusedev.rs:318] start 4 fuse servers
[2023-05-26 11:04:30.930559 +00:00] INFO [/cargo/registry/src/github.com-1ecc6299db9ec823/fuse-backend-rs-0.9.6/src/api/server/sync_io.rs:614] FUSE INIT major 7 minor 23
[2023-05-26 11:04:30.930808 +00:00] INFO [src/bin/nydusd/main.rs:660] Fuse daemon started!
[2023-05-26 11:04:30.931000 +00:00] INFO [src/bin/nydusd/api_server_glue.rs:406] HTTP API server running at /var/lib/containerd-nydus/socket/cho94flp707i10bb5ddg/api.sock
[2023-05-26 11:04:30.931090 +00:00] INFO [api/src/http.rs:911] http server started
[2023-05-26 11:04:30.961941 +00:00] INFO [api/src/http.rs:816] <--- Get Uri { string: "/api/v1/daemon" }
[2023-05-26 11:04:30.962087 +00:00] INFO [api/src/http.rs:821] ---> Get Status Code: OK, Elapse: Ok(146.605µs), Body Size: 866
time="2023-05-26T11:04:30.962507763Z" level=info msg="Nydus remote snapshot 477 is ready"
time="2023-05-26T11:04:30.962543380Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"
time="2023-05-26T11:04:30.964003080Z" level=info msg="Subscribe daemon cho94flp707i10bb5ddg liveness event, path=/var/lib/containerd-nydus/socket/cho94flp707i10bb5ddg/api.sock."
time="2023-05-26T11:04:30.969335490Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"
time="2023-05-26T11:04:30.969369349Z" level=info msg="Nydus remote snapshot 477 is ready"
time="2023-05-26T11:04:30.969416607Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"
time="2023-05-26T11:04:31.124174858Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"
time="2023-05-26T11:04:31.124228061Z" level=info msg="Nydus remote snapshot 477 is ready"
time="2023-05-26T11:04:31.124290212Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"
time="2023-05-26T11:04:31.355843306Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"
time="2023-05-26T11:04:31.355922313Z" level=info msg="Nydus remote snapshot 477 is ready"
time="2023-05-26T11:04:31.355974771Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"
time="2023-05-26T11:04:31.558021456Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"
time="2023-05-26T11:04:31.558049891Z" level=info msg="Nydus remote snapshot 477 is ready"
time="2023-05-26T11:04:31.558096530Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"

5.12.2. nydus-snapshotter log when starting an OCI image

time="2023-05-26T11:06:30.246293363Z" level=info msg="[Mounts] snapshot k8s.io/722/3d4aa771e42ef99f0d65ce322670115c434297890eaf08bc260eecf2ec3461f7 ID 479 Kind Active"
time="2023-05-26T11:06:33.865401086Z" level=info msg="[Commit] snapshot with key \"k8s.io/723/extract-632530774-VjiP sha256:8cbe4b54fa88d8fc0198ea0cc3a5432aea41573e6a0ee26eca8c79f9fbfa40e3\" snapshot id 480"
time="2023-05-26T11:06:34.704875352Z" level=info msg="[Commit] snapshot with key \"k8s.io/725/extract-249815542-Zc-C sha256:61aba3d78f453ab50b4c0b687156ebb47b6d6dc290f57752d88b737f75a9835c\" snapshot id 481"
time="2023-05-26T11:06:37.941249262Z" level=info msg="[Commit] snapshot with key \"k8s.io/727/extract-722902017-GvJe sha256:d7027bd638e20f68a20d6ae247f2dda259aed1b46a6737bb70de28fa781a1769\" snapshot id 482"
time="2023-05-26T11:06:38.009096474Z" level=info msg="[Commit] snapshot with key \"k8s.io/729/extract-986715165-jE_Q sha256:f116aef2f51af904cebd6baaf86a911036f8540f0837f5081dff235b29135d32\" snapshot id 483"
time="2023-05-26T11:06:38.639504208Z" level=info msg="[Commit] snapshot with key \"k8s.io/731/extract-24233762-aGRw sha256:877496570f634566fc75289c3fd7cc9423f8b42f1b9cf3d5f1ed3703f0ec83e0\" snapshot id 484"
time="2023-05-26T11:06:38.676870045Z" level=info msg="[Commit] snapshot with key \"k8s.io/733/extract-661252421-FKvu sha256:41ca5e8fdea7603d4b22d1bd5dacf18cd8ae4a337c799224034fb38329be6428\" snapshot id 485"
time="2023-05-26T11:06:38.705044906Z" level=info msg="[Commit] snapshot with key \"k8s.io/735/extract-691144330-DHtG sha256:748bab432b39955f9824803e0fb9e2c838c1d82613f6331d4dd06806c6eb08a7\" snapshot id 486"
time="2023-05-26T11:06:38.790391324Z" level=info msg="[Commit] snapshot with key \"k8s.io/737/extract-721825026-kLLd sha256:a7317289186ffc46ccf46108f1a71012bda8de401a9772596b47ac2165279dde\" snapshot id 487"
time="2023-05-26T11:06:38.824921071Z" level=info msg="[Commit] snapshot with key \"k8s.io/739/extract-810354999-OX_U sha256:290e04ebe112a50211c9349710c52fcdba1e90c13c86b7d28fc9d5810fb4ff66\" snapshot id 488"
time="2023-05-26T11:06:39.284365821Z" level=info msg="[Commit] snapshot with key \"k8s.io/741/extract-838355879-06mH sha256:f56f832ba542550bd23ff7bd23bff350112f52c30a25fff73521d22231ae96d2\" snapshot id 489"
time="2023-05-26T11:06:39.318325143Z" level=info msg="[Commit] snapshot with key \"k8s.io/743/extract-302049626-ZzGp sha256:7edd07877746040a573221b32d42a30e71ac050a4b0b52e52637a109f125e07a\" snapshot id 490"
time="2023-05-26T11:06:39.346626770Z" level=info msg="[Commit] snapshot with key \"k8s.io/745/extract-332377616-20YV sha256:8e0edcf4b4ba88591fb18a3189e4ef180a3e907b3d3d374cec1688975c59210a\" snapshot id 491"
time="2023-05-26T11:06:39.373512591Z" level=info msg="[Commit] snapshot with key \"k8s.io/747/extract-359199786-wwaO sha256:0c386a4066a2ba95277419d44500293c0f4fdb017f83fc5f5c8e1047609bc057\" snapshot id 492"
time="2023-05-26T11:06:40.011031985Z" level=info msg="[Commit] snapshot with key \"k8s.io/749/extract-386775080-gUBX sha256:674062350681f3cc06dcc025867235baa315952732ac488d5692347118f5f027\" snapshot id 493"
time="2023-05-26T11:06:40.558428379Z" level=info msg="[Commit] snapshot with key \"k8s.io/751/extract-37315161-xwQT sha256:e723aac1be491e74d1de67af90ddff842b1428f56cc2b36e036c9bb1bf76fd99\" snapshot id 494"
time="2023-05-26T11:06:40.591120152Z" level=info msg="[Commit] snapshot with key \"k8s.io/753/extract-577254979-GuvE sha256:7ac16f932064276888bd1c8be5d3085c99fa945d1545f8b6e4969cc9ba7f932e\" snapshot id 495"
time="2023-05-26T11:06:40.617389492Z" level=info msg="[Commit] snapshot with key \"k8s.io/755/extract-604669307-p-5u sha256:4c8bfefa8feaa457402b6cfbb30bdb73dba02d105a432d4c3cdd3b4c02ba53d1\" snapshot id 496"
time="2023-05-26T11:06:40.650440923Z" level=info msg="[Commit] snapshot with key \"k8s.io/757/extract-630649889-v1Ai sha256:239e5e3542f395b783fe8f614b0299618c2e5fae5acff8d297f81b96bfb65384\" snapshot id 497"
time="2023-05-26T11:06:41.506705121Z" level=info msg="[Commit] snapshot with key \"k8s.io/759/extract-670259326-6llW sha256:bb99dc5df44865572a254bc0ee14ce436b1565097bb0b9010ad90f75dd4e9034\" snapshot id 498"
time="2023-05-26T11:06:41.551350458Z" level=info msg="[Commit] snapshot with key \"k8s.io/761/extract-536500627-OV2m sha256:057bf4d9b4e6fdb652c002e7fd7e34d86832392426ea9a6955fd02b803478958\" snapshot id 499"
time="2023-05-26T11:06:41.617638749Z" level=info msg="[Commit] snapshot with key \"k8s.io/763/extract-602137426-B0nU sha256:92125a743f1a248092f17a7e6e4dcaaa76483e6ff3f1b70ab362889b8c3833ed\" snapshot id 500"
time="2023-05-26T11:06:41.680736991Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"
time="2023-05-26T11:06:45.304017086Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"
time="2023-05-26T11:06:45.400978167Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"
time="2023-05-26T11:06:45.457585857Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"
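
To put a number on the difference between the two nydus-snapshotter logs above, the following added example (not part of the original post or of the nydus-snapshotter project) parses logrus-format lines, counts layer `[Commit]` events and measures the time from the first line to the first `[Mounts]` that follows the last commit. The sample lines are constructed in the format of the logs with placeholder keys, the function names are chosen here, and the excerpt is assumed to begin where image handling for the pod begins.

```python
import re
from datetime import datetime, timezone

# logrus line: time="<RFC3339, nanoseconds>" level=<lvl> msg="<text with \" escapes>"
LINE_RE = re.compile(r'^time="([^"]+)" level=(\w+) msg="((?:[^"\\]|\\.)*)"')

def parse_time(stamp):
    """Parse RFC3339 with 9 fractional digits; strptime's %f takes at most 6."""
    m = re.match(r'(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$', stamp)
    if not m:
        raise ValueError("unexpected timestamp: " + stamp)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # truncate ns to us
    return base.replace(microsecond=micros)

def summarize(log_text):
    """Count layer commits and time from first line to first [Mounts] after the last commit."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # nydusd's own "[2023-... +00:00] INFO" lines and blanks are skipped
        events.append((parse_time(m.group(1)), m.group(3)))
    if not events:
        return None
    commits = [i for i, (_, msg) in enumerate(events) if msg.startswith("[Commit]")]
    after = commits[-1] + 1 if commits else 0
    mounted = next((t for t, msg in events[after:] if msg.startswith("[Mounts]")), None)
    return {
        "commits": len(commits),  # layers unpacked and committed locally
        "lazy": any("nydusd should start" in msg for _, msg in events),
        "seconds_to_mount": None if mounted is None else (mounted - events[0][0]).total_seconds(),
    }

# Constructed sample lines in the format of the two logs above (keys are placeholders).
NYDUS_SAMPLE = r'''
time="2023-05-26T11:04:30.100000000Z" level=info msg="[Commit] snapshot with key \"k8s.io/1/extract-1-AAAA sha256:<placeholder>\" snapshot id 1"
time="2023-05-26T11:04:30.400000000Z" level=info msg="Prepares active snapshot k8s.io/3/<placeholder>, nydusd should start afterwards" key=k8s.io/3/<placeholder>
[2023-05-26 11:04:30.500000 +00:00] INFO [src/bin/nydusd/main.rs:660] Fuse daemon started!
time="2023-05-26T11:04:30.900000000Z" level=info msg="[Mounts] snapshot k8s.io/3/<placeholder> ID 3 Kind Active"
'''
OCI_SAMPLE = r'''
time="2023-05-26T11:06:30.000000000Z" level=info msg="[Mounts] snapshot k8s.io/4/<placeholder> ID 4 Kind Active"
time="2023-05-26T11:06:33.500000000Z" level=info msg="[Commit] snapshot with key \"k8s.io/5/extract-2-BBBB sha256:<placeholder>\" snapshot id 5"
time="2023-05-26T11:06:41.000000000Z" level=info msg="[Commit] snapshot with key \"k8s.io/6/extract-3-CCCC sha256:<placeholder>\" snapshot id 6"
time="2023-05-26T11:06:41.250000000Z" level=info msg="[Mounts] snapshot k8s.io/7/<placeholder> ID 7 Kind Active"
'''
```

Pass the text of a real snapshotter log to `summarize()` to get the same three fields; lines that are not in logrus format are ignored rather than treated as errors.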

6. References