generate accessed files list for container with NRI plugin

[sctb512]

Generate an in-order accessed files list for container workload. The accessed files list can be set as prefetch-patterns when converting OCI images to nydus format images.

Related to dragonflyoss/nydus#807

Requirements

• NRI 2.0: Which has been integrated into containerd since v1.7.0-beta.1.

Workflow

1. Run the optimizer as an NRI plugin to run optimizer server when the StartContainer event occurs.
2. Optimizer server joins container mount namespace and starts fanotify server.
3. Optimizer server detects fanotify event and sends the accessed file descriptor to client.
4. Optimizer client converts file descriptor to path.
5. Generate list of accessed files on local disk.
6. Convert OCI images with accessed files list to nydus image.

Generate an accessed files list

To install the optimizer and optimizer-server, all you need is the command:

make optimizer && make install-optimizer

Install containerd that supports NRI 2.0：

VERSION=1.7.0-beta.3

CONTAINERD_DIR=$(cat /lib/systemd/system/containerd.service | grep "ExecStart=" | awk -F= '{gsub("/containerd","",$2); print $2}')

wget https://github.com/containerd/containerd/releases/download/$VERSION/containerd-$VERSION-linux-amd64.tar.gz
tar -zxvf containerd-$VERSION-linux-amd64.tar.gz

sudo install -D -m 755 bin/* $CONTAINERD_DIR
rm -rf bin
$CONTAINERD_DIR/containerd --version

Modify containerd's toml configuration file to enable NRI.

sudo tee -a /etc/containerd/config.toml <<- EOF
[plugins."io.containerd.nri.v1.nri"]
  config_file = "/etc/nri/nri.conf"
  disable = false
  plugin_path = "/opt/nri/plugins"
  socket_path = "/var/run/nri.sock"
EOF

sudo tee /etc/nri/nri.conf <<- EOF
disableConnections: false
EOF

sudo systemctl restart containerd

Now, just start a container workload and you will get the list of accessed files in persistDir.

sudo tee nginx.yaml <<- EOF
metadata:
  name: nginx
image:
  image: nginx:latest
log_path: nginx.0.log
linux: {}
EOF

sudo tee pod.yaml <<- EOF
metadata:
  name: nginx-sandbox
  namespace: default
  attempt: 1
  uid: hdishd83djaidwnduwk28bcsb
log_directory: /tmp
linux: {}
EOF

crictl run nginx.yaml pod.yaml

The result file for the nginx image is /opt/nri/optimiser/results/nginx:latest.

Optimize a nydus image

Nydus provides a nydusify CLI tool to convert OCI images from the source registry or local file system to nydus format and push them to the target registry.

We can install the nydusify cli tool from the nydus package.

VERSION=v2.1.3

wget https://github.com/dragonflyoss/image-service/releases/download/$VERSION/nydus-static-$VERSION-linux-amd64.tgz
tar -zxvf nydus-static-$VERSION-linux-amd64.tgz
sudo install -D -m 755 nydus-static/nydusify /usr/local/bin/nydusify
sudo install -D -m 755 nydus-static/nydus-image /usr/local/bin/nydus-image

With the --prefetch-patterns argument, we can specify the list of files to be written in the front of the nydus image and be prefetched in order when starting a container.

sudo nydusify convert --nydus-image $(which nydus-image) --source nginx --target sctb512/nginx:optimized-nydusv6 --fs-version 6 --prefetch-patterns < /opt/nri/optimizer/results/nginx:latest

Make sure the nydusd and nydus-snapshotter environments are installed correctly. Then, start a container with an optimized nydus image.

sudo nerdctl --snapshotter nydus run --rm --net host -it sctb512/nginx:optimized-nydusv6

Signed-off-by: Bin Tang tangbin.bin@bytedance.com

[codecov-commenter]

Codecov Report

Base: 29.26% // Head: 29.32% // Increases project coverage by +0.06% 🎉

Coverage data is based on head (969dcac) compared to base (b010060).
Patch has no changes to coverable lines.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #349      +/-   ##
==========================================
+ Coverage   29.26%   29.32%   +0.06%     
==========================================
  Files          38       38              
  Lines        3810     3812       +2     
==========================================
+ Hits         1115     1118       +3     
+ Misses       2563     2562       -1     
  Partials      132      132              

Impacted Files	Coverage Δ
pkg/daemon/daemon.go	0.00% <0.00%> (ø)
pkg/blob/blob_manager.go	32.65% <0.00%> (+3.06%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[imeoer]

Hi @sctb512 , any doc for this? Does it work on nydus image?

[sctb512]

Hi @sctb512 , any doc for this? Does it work on nydus image?

Work in progress. This NRI plugin is image format independent. And it works on nydus image.

[changweige]

Could we have a new Makefile target for building the optimizer ? It will even better if we have its own Makefile

[changweige]

By default, we should not build the optimizer as developers may not have rust environment

[sctb512]

Yes, this is reasonable. Fixed it by adding build-optimizer. Is it acceptable?

[changweige]

Could we use the Linux naming style like log_file

[sctb512]

I followed this style in NRI's example code: https://github.com/containerd/nri/blob/main/plugins/logger/nri-logger.go#L33. Maybe we could keep the same style with them?

[sctb512]

Anyway. It makes sense to use the same parameter style in this project. Already fixed.

[changweige]

ditto

[changweige]

Moreover, toml is preferred

[sctb512]

Fixed.

[changweige]

When to close the file f

[sctb512]

Now the optimizer server will close the file descriptor after sending the path to the client.

[sctb512]

Emm... It is not the same issue. The file descriptor mentioned in last comment is created by optimizer server. So we close it after getting the path.

The file f should be closed before exiting this NRI plugin, i.e. in onClose event.

[changweige]

Please add license claim here

[sctb512]

Done.

[changweige]

We usually put std dependencies to the top position and then the third-party dependencies and then then project internal dependenecies

[sctb512]

Fixed it.

[changweige]

Could you please also add cargo clippy to lint the tool, which will give some wise suggestions.

[sctb512]

Good suggestion. I have added this.

[changweige]

Logs should be stored in /var/log or just stream it to syslog service rather than set a file as default on at /opt

[sctb512]

Now, we redirect it to the syslog service.

[changweige]

Can you use errors.Errorf and errors.Wrapf ? %w is deprecated now in Golang

[sctb512]

Fixed.

[changweige]

We should validate the image. Containerd already provides a package to validate image name.

[sctb512]

Done.

[changweige]

There exists a standard method comes from contanerd package to extract the tagged image name. Can you try to use it.

[changweige]

Try to avoid directly unwrap unless we be sure that it's safe

[sctb512]

Fixed it with match.

[changweige]

Should close the file f ?

[sctb512]

Yes, now we close it before exiting the server.

[changweige]

FAN_OPEN_EXEC
No need to monitor event FAN_CLOSE_WRITE

[sctb512]

Fixed it.

[changweige]

Thanks. This is indeed a useful tool to help us build more efficient nydus images