feat: support '--detach-keys' for 'nerdctl (run|start)'

[davidhsingyuchen]

Control Flow

1. Detect if the detach keys are present in stdin.
2. After detecting the detach keys, cancel the current I/O operations. This means that the underlying I/O FIFOs should be left intact, and containerd should keep writing to/reading from those FIFOs, but nerdctl should stop writing to/reading from them. It seems that cio.IO.Cancel() should be used for this, but there's an issue: IO.Cancel() becomes a no-op if the FIFOs are already opened containerd#8326.
3. After starting the task, we need to call IO.Wait, and after it returns, we need to see if the container exits or it's just the user detaching from the container by checking the state of the container.

Notes

• It may be better to support nerdctl exec --detach-keys in a follow-up PR so that we can minimize the changes needed in this PR as the control flow of it is a bit different from that of run|start.

TODOs

Before this PR can be merged, I need to:

• Revert the temporarily use the containerd feature branch commit and use the released containerd version.

[davidhsingyuchen]

@AkihiroSuda PTAL, thanks!

[fahedouch]

not sure if this condition is relevant here (is it possible to read from already closed (detached) stdin ?)

[davidhsingyuchen]

I think you're right. It turned out IO.Cancel() doesn't really close the FIFOs (containerd/containerd#8326), so if this check is removed, closer() will keep being called, and the debug logs (i.e., "Cancelling IO" and "IO cancelled") will overflow my screen. As a result, when term.EscapeError is detected, I'm returning a non-nil error for now , and I added a TODO to return a nil error afrer the issue is fixed and before this PR can be merged.

[fahedouch]

NewDetachableStdin returns a new detachableStdin which uses a TTY proxy reader to read specified detach keys from stdin, in which case closer will be called

[davidhsingyuchen]

Hmm, I'm not sure if we want to mention the underlying unexported struct here, maybe the users of this function shouldn't need to know that implementation detail?

[fahedouch]

LGTM, but just one thing was confusing me : NewDetachableStdin returns a new TTY proxy reader. In fact the NewDetachableStdin is not returning a TTY proxy reader but it is wrapping a a TTY proxy reader

[davidhsingyuchen]

Ah you're right! Updated the comment accordingly, plz let me know if it works for you :)

[fahedouch]

After detecting the detach keys, cancel the current I/O operations. This means that the underlying I/O FIFOs should be left intact, and containerd should keep writing to/reading from those FIFOs, but nerdctl should stop writing to/reading from them. It seems that cio.IO.Cancel() should work, but I'm not 100% sure due to the nil IO() thing below.

Cancel will aborts all current io operations ( from nerdctl and containerd). but nerdctl is fully controlling the io of the task (nerdctl is creating task with specefic io) , so I am wondering why not making task.CloseIO() ( this will abort io and clean fifos) , I also think that we no longer use the exsiting fifos after detach

[davidhsingyuchen]

After detecting the detach keys, cancel the current I/O operations. This means that the underlying I/O FIFOs should be left intact, and containerd should keep writing to/reading from those FIFOs, but nerdctl should stop writing to/reading from them. It seems that cio.IO.Cancel() should work, but I'm not 100% sure due to the nil IO() thing below.

Cancel will aborts all current io operations ( from nerdctl and containerd). but nerdctl is fully controlling the io of the task (nerdctl is creating task with specefic io) , so I am wondering why not making task.CloseIO() ( this will abort io and clean fifos) , I also think that we no longer use the exsiting fifos after detach

After we detach from a container, we should be able to reattach to it again. Docker:

➜  ~ docker attach test
/ #
/ #
/ # read escape sequence
➜  ~ docker attach test
/ #
/ #
/ # read escape sequence

[davidhsingyuchen]

@fahedouch Thanks a lot for the quick review! In the new revision, besides addressing the comments, I also made it print read detach keys when detaching from the container so that it's clearer to the users what's happening, and it's also aligned to UX of docker. Also updated e2e tests accordingly.

[davidhsingyuchen]

The latest revision: If I replace containerd/containerd in nerdctl's go.mod with the version from containerd/containerd#8334, it seems to be working.

davidhyc@lima-dev:/Users/davidhyc/dev/containerd/nerdctl$ ./_output/nerdctl run -it --name detach busybox
/ #
/ # INFO[0001] read detach keys
davidhyc@lima-dev:/Users/davidhyc/dev/containerd/nerdctl$ nerdctl ps -a
CONTAINER ID    IMAGE                               COMMAND    CREATED          STATUS    PORTS    NAMES
fd3b77abf607    docker.io/library/busybox:latest    "sh"       4 seconds ago    Up                 detach

[fahedouch]

@davidhsingyuchen

It seems that cio.IO.Cancel() should be used for this, but there's an issue: containerd/containerd#8326.

please see

[AkihiroSuda]

Needs rebase

[davidhsingyuchen]

@AkihiroSuda Thank you for the reminder. Could you help take a look at containerd/containerd#8326 and/or containerd/containerd#8334? I'll rebase the feature branch after the blocker is resolved, thanks!

[davidhsingyuchen]

@fahedouch PTAL, thanks! The failed jobs seem to be flaky as all the jobs pass at least once:

• https://github.com/containerd/nerdctl/actions/runs/5194348122
• https://github.com/containerd/nerdctl/actions/runs/5194508608

[AkihiroSuda]

Can we avoid mixing up v2 and v3?

[AkihiroSuda]

Can we use https://github.com/moby/term/releases/tag/v0.5.0

[davidhsingyuchen]

@AkihiroSuda Thanks for the reminder. Both are fixed.

[AkihiroSuda]

Thanks