This document will walk through how to setup a nydus image service to work with containerd. It assumes that you already have containerd
installed. If not, please refer to containerd documents on how to install and set it up.
- Get
nydus-image
,nydusd
,nydusify
,nydusctl
andnydus-overlayfs
binaries from release page.
sudo install -D -m 755 nydusd nydus-image nydusify nydusctl nydus-overlayfs /usr/bin
- Get
containerd-nydus-grpc
(nydus snapshotter) binary from nydus-snapshotter release page.
sudo install -D -m 755 containerd-nydus-grpc /usr/bin
To make it easier to convert and run nydus images next, we can run a local registry service with docker:
sudo docker run -d --restart=always -p 5000:5000 registry
Nydus image can be created by converting from an existing OCI or docker v2 image stored in container registry or directly built from Dockerfile(with Buildkit)
Note: For private registry repo, please make sure you are authorized to pull and push the target registry. The basic method is to use docker pull
and docker push
to verify your access to the source or target registry.
sudo nydusify convert --source ubuntu --target localhost:5000/ubuntu-nydus
For more details about how to build nydus image, please refer to Nydusify conversion tool, Acceld conversion service or Nerdctl.
Nydus provides a containerd remote snapshotter containerd-nydus-grpc
(nydus snapshotter) to prepare container rootfs with nydus formatted images.
- Prepare a
nydusd
configuration to/etc/nydus/nydusd-config.fusedev.json
:
$ sudo tee /etc/nydus/nydusd-config.fusedev.json > /dev/null << EOF
{
"device": {
"backend": {
"type": "registry",
"config": {
"scheme": "",
"skip_verify": true,
"timeout": 5,
"connect_timeout": 5,
"retry_limit": 4,
"auth": ""
}
},
"cache": {
"type": "blobcache",
"config": {
"work_dir": "cache"
}
}
},
"mode": "direct",
"digest_validate": false,
"iostats_files": false,
"enable_xattr": true,
"fs_prefetch": {
"enable": true,
"threads_count": 4
}
}
EOF
Please refer to the nydusd doc to learn more options.
- The
device.backend.config.scheme
is the URL scheme for the registry. Leave it empty for automatic detection, or specifyhttps
orhttp
depending on your registry server configuration. - The
device.backend.config.auth
is the base64 encodedusername:password
authentication string required by nydusd to lazily pull image data from an authenticated registry. The nydus snapshotter will automatically read it from the$HOME/.docker/config.json
configuration file, or you can also fill it with your own. - The
device.backend.config.skip_verify
allows you to skip the insecure https certificate checks for the registry, only set it totrue
when necessary. Note that enabling this option is a security risk for the connection to registry, so you should only use this when you are sure it is safe. - The
fs_prefetch.enable
option enables nydusd to prefetch image data in background, which can make container startup faster when it needs to read a large amount of image data. Set this tofalse
if you don't need this functionality when it brings disk and network pressure.
- [Optional] Cleanup snapshotter environment:
Make sure the default nydus snapshotter root directory is clear.
sudo rm -rf /var/lib/containerd-nydus
- Start
containerd-nydus-grpc
(nydus snapshotter): Optionally, a TOML based nydus-snapshotter configuration file can be provided by appending--config <CONFIG>
when starting nydus-snapshotter if you want fine-grained control items. An example configuration file can be found here
sudo /usr/bin/containerd-nydus-grpc \
--nydusd-config /etc/nydus/nydusd-config.fusedev.json \
--log-to-stdout
Nydus depends on two features of Containerd:
- Support remote snapshotter plugin
- Support passing annotations to remote snapshotter
To enable them, add below configuration items to your containerd
configuration file (default path is /etc/containerd/config.toml
):
[proxy_plugins]
[proxy_plugins.nydus]
type = "snapshot"
address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
When working with Kubernetes CRI, please change the default snapshotter to nydus
and enable snapshot annotations like below:
For version 1 containerd config format:
[plugins.cri]
[plugins.cri.containerd]
snapshotter = "nydus"
disable_snapshot_annotations = false
discard_unpacked_layers = false
For version 2 containerd config format:
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "nydus"
disable_snapshot_annotations = false
discard_unpacked_layers = false
Then restart containerd, e.g.:
sudo systemctl restart containerd
Note: this way only works on CRI based scenario (for example crictl or kubernetes).
Containerd (>= v1.7.0) supports configuring the runtime-level
snapshotter. By following the steps below, we can declare runtimes that use different snapshotters:
Patch: fixes the handle of sandbox run and container create for runtime-level snapshotter;
Only for version 2 containerd config format:
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "overlayfs"
disable_snapshot_annotations = false
discard_unpacked_layers = false
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc-nydus]
snapshotter = "nydus"
[proxy_plugins]
[proxy_plugins.nydus]
type = "snapshot"
address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
Then restart containerd, e.g.:
sudo systemctl restart containerd
The annotation "io.containerd.cri.runtime-handler": "runc-nydus"
must be set in sandbox spec. The nydus-sandbox.yaml
looks like below:
metadata:
attempt: 1
name: nydus-sandbox
namespace: default
uid: nydus-sandbox-test
log_directory: /tmp
linux:
security_context:
namespace_options:
network: 2
annotations:
"io.containerd.cri.runtime-handler": "runc-nydus"
As shown above, the sandbox is declared with "io.containerd.cri.runtime-handler": "runc-nydus"
annotation will use the nydus
snapshotter, while others will use the default overlayfs
snapshotter.
err="failed to \"StartContainer\" for \"xxx\" with CreateContainerError: \"failed to create containerd container: error unpacking image: failed to extract layer sha256:yyy: failed to get reader from content store: content digest sha256:zzz: not found\""
One possible reason is some images in the Pod (including the Pause image) have used containerd's default snapshotter (such as the overlayfs
snapshotter), and the discard_unpacked_layers
option was previously set to true
in containerd config, containerd has already deleted the blobs from the content store. To resolve this issue, you should first ensure that discard_unpacked_layers=false
, then use the following command to restore the image:
ctr -n k8s.io content fetch pause:3.8
Please note that pause:3.8
is just an example image, you should also fetch all images used by the Pod to ensure that there are no issues.
Nydus snapshotter has been supported by nerdctl(requires >= v0.22), we can lazily start container with it.
$ sudo nerdctl --snapshotter nydus run --rm -it localhost:5000/ubuntu-nydus:latest bash
For example, use the following nydus-sandbox.yaml
and nydus-container.yaml
The nydus-sandbox.yaml
looks like below:
metadata:
attempt: 1
name: nydus-sandbox
namespace: default
uid: nydus-sandbox-test
log_directory: /tmp
linux:
security_context:
namespace_options:
network: 2
The nydus-container.yaml
looks like below:
metadata:
name: nydus-container
image:
image: localhost:5000/ubuntu-nydus:latest
command:
- /bin/sleep
args:
- 600
log_path: container.1.log
To create a pod with the just converted nydus image:
$ sudo crictl pull localhost:5000/ubuntu-nydus:latest
$ pod=`sudo crictl runp nydus-sandbox.yaml`
$ container=`sudo crictl create $pod nydus-container.yaml nydus-sandbox.yaml`
$ sudo crictl start $container
$ sudo crictl ps
CONTAINER ID IMAGE CREATED STATE NAME ATTEMPT POD ID
f4a6c6dc47e34 localhost:5000/ubuntu-nydus:latest 9 seconds ago Running nydus-container 0 21b91779d551e
Nydus is deeply integrated with Dragonfly P2P system, which can greatly reduce the network latency and the single point of network pressure for registry server, testing in the production environment shows that using Dragonfly can reduce network latency by more than 80%, to understand the performance test data and how to configure Nydus to use Dragonfly, please refer to the doc.