How to install containerd with alpine-lima

[afbjorklund]

It's not fully clear how to add containerd to alpine, since the scripts require systemd:

ERRO[0018] [1 error occurred:
	* failed to satisfy the optional requirement 1 of 2 "systemd must be available": systemd is required to run containerd, but does not seem to be available.
Make sure that you use an image that supports systemd. If you do not want to run
containerd, please make sure that both 'container.system' and 'containerd.user'
are set to 'false' in the config file.

Installing containerd is quite simple, but packages for "nerdctl" and "buildkit" are missing...

provision:
  - mode: system
    script: |
      #!/bin/bash
      set -eux -o pipefail
      command -v containerd >/dev/null 2>&1 && exit 0
      apk add runc containerd cni-plugins
      sudo rc-update add containerd default
      sudo service containerd start

They can be added from the tarballs, but there doesn't seem to be any support available ?

That is, the current support is for nerdctl-full only (and not for nerdctl and buildkit archives)

---

Would it be better to make custom aports, or perhaps to add support for extra archives ?

containerd

• https://github.com/containerd/containerd/archive/v1.5.8.tar.gz
• https://github.com/alpinelinux/aports/tree/3.14-stable/community/containerd

nerdctl

• nerdctl-0.15.0-linux-amd64.tar.gz
• nerdctl-0.15.0-linux-arm64.tar.gz

buildkit

• buildkit-v0.9.3.linux-amd64.tar.gz
• buildkit-v0.9.3.linux-arm64.tar.gz
• buildkit.confd
• buildkit.initd

Both lima sudo nerdctl run and lima sudo nerdctl build seem to be doing just fine...

init-+-acpid
     |-7*[getty]
     |-sshd.pam---sshd.pam---sshd.pam-+-pstree
     |                                `-2*[sshfs---3*[{sshfs}]]
     |-supervise-daemo---lima-guestagent---7*[{lima-guestagent}]
     |-supervise-daemo---containerd---10*[{containerd}]
     |-supervise-daemo---buildkitd---8*[{buildkitd}]
     |-syslogd
     |-udevd
     `-udhcpc

[jandubois]

There is some minimal support for adding nerdctl and buildkit from the nerdctl-full tarball in the image builder. It is used by the rd edition (Rancher Desktop), but does not include the openrc script to run buildkitd. It is trivial to define additional "editions" by creating a config file in the edition/ subdirectory.

[jandubois]

Forgot to add: the rd edition does not include containerd because we use the version bundled with k3s.

[afbjorklund]

Okay, so the same tarballs as above would work (or the full download) - just have to be done in the image builder.

I couldn't find any existing APKBUILD, but then again there doesn't seem to be any .deb or .rpm available either...

My main question was if it needed extending.

containerd:
  # Enable system-wide (aka rootful)  containerd and its dependencies (BuildKit, Stargz Snapshotter)
  # Default: false
  system: false
  # Enable user-scoped (aka rootless) containerd and its dependencies (currently requires systemd)
  # Default: true
  user: false
#  # Override containerd archive
#  # Default: hard-coded URL with hard-coded digest (see the output of `limactl info | jq .defaultTemplate.containerd.archives`)
#  archives:
#    - location: "~/Downloads/nerdctl-full-X.Y.Z-linux-amd64.tar.gz"
#      arch: "x86_64"
#      digest: "sha256:..."

extras:
    - name: "nerdctl"
      location: "https://github.com/containerd/nerdctl/releases/download/v0.15.0/nerdctl-0.15.0-linux-amd64.tar.gz"
      arch: "x86_64"
      digest: "sha256:1371da3f6bd461f331946654f6dd3ef2ef4b9da0dd7bc5f78ed1166f32ad5adc"
      directory: "/usr/local/bin"
    - name: "nerdctl"
      location: "https://github.com/containerd/nerdctl/releases/download/v0.15.0/nerdctl-0.15.0-linux-arm64.tar.gz"
      arch: "aarch64"
      digest: "sha256:7b79e2e8fd88b71ed4e0563c7e7dd27008b7ac7990ad2206efb012def850d150"
      directory: "/usr/local/bin"
    - name: "buildkit"
      location: "https://github.com/moby/buildkit/releases/download/v0.9.3/buildkit-v0.9.3.linux-amd64.tar.gz" 
      arch: "x86_64"
      digest: "sha256:f60461abdf2aee8444a4cb0607e4766da3bd503859320819ea8c43fe4a02576c"
      directory: "/usr/local"
    - name: "buildkit"
      location: "https://github.com/moby/buildkit/releases/download/v0.9.3/buildkit-v0.9.3.linux-arm64.tar.gz" 
      arch: "aarch64"
      digest: "sha256:3ee57ac33f8ff6ab1d187e25a217f8f2358826b14d707fd8fe0df6f536613aaf"
      directory: "/usr/local"

But that doesn't add the buildkit init script, either.

[afbjorklund]

I guess it needs some kind of "nerdctl" edition then, and then use that in the example instead of the "std" edition ?

https://github.com/lima-vm/alpine-lima#editions

[afbjorklund]

Added issue:

• Create edition with nerdctl installed alpine-lima#34

If that is done, there is no need to make packages.

I couldn't find any existing APKBUILD, but then again there doesn't seem to be any .deb or .rpm available either...

It would still be "nice to have", but separate issue...

• Make APKBUILD for buildkit alpine-lima#37

[jandubois]

I guess it needs some kind of "nerdctl" edition then, and then use that in the example instead of the "std" edition ?

It is not clear to me why this shouldn't just go into the std edition, which is the version that examples/lima.yaml is supposed to use. Is there a reason we need a separate edition for this?

[afbjorklund]

Is there a reason we need a separate edition for this?

I thought you wanted to avoid having containerd in std, so that it can be installed by lima (at runtime) or k3s ?

My original idea was just setting it to true, but it failed on systemd

containerd:
  system: true
  user: false

• Systemd requirement for running rootless containers #310

[jandubois]

I thought you wanted to avoid having containerd in std, so that it can be installed by lima (at runtime) or k3s ?

I don't want it to run automatically, but I think having it pre-installed, together with the required initd scripts would be fine.

I'll reserve final judgement when I know how much it adds to the size of the ISO. 😄

A long time ago I was contemplating to extend the rootless setup script to be able to create openrc scripts in addition to systemd units. But I didn't really needed it, so it is kind of low on my todo pile...

[afbjorklund]

I'll reserve final judgement when I know how much it adds to the size of the ISO. smile

It seems the ISO is around 100 MB, so that makes it 1500 MB smaller than the "default"

555M	/home/anders/.lima/default/basedisk
851M	/home/anders/.lima/default/diffdisk

But from what I can tell, the previous build was 50 MB so maybe worth leaving out then ?

Also not having to include nerdctl-full does make the cidata.iso a lot smaller, if that counts.

[jandubois]

But from what I can tell, the previous build was 50 MB so maybe worth leaving out then ?

Maybe, but what is the use case for the std edition if it is no longer the standard version for Lima?

Also not having to include nerdctl-full does make the cidata.iso a lot smaller, if that counts.

Maybe; I'll have to think about this some more. IIRC @AkihiroSuda was somewhat opposed to bundling nerdctl with the ISO image, and prefers that it is always installed by lima. Which has the advantage of being able to update nerdctl without releasing a new iso. (The use case is different for Rancher Desktop, where you cannot upgrade lima, qemu, nerdctl etc. independent of RD anyways).

[afbjorklund]

Well, it does work - as long as you don't want to run containers on it ? Then it needs more software.

But it doesn't have to go in the ISO, it could be added from tgz or from apk - as originally sketched...

[afbjorklund]

A long time ago I was contemplating to extend the rootless setup script to be able to create openrc scripts in addition to systemd units. But I didn't really needed it, so it is kind of low on my todo pile...

It would be perfectly fine if rootless continued to fail, it was just for installing the daemons for use with sudo.

And installing from nerdctl/buildkit instead of nerdctl-full would be a nice feature, but it is not required either.

9,7M	nerdctl-0.15.0-linux-amd64.tar.gz
31M	containerd-1.5.8-linux-amd64.tar.gz
46M	buildkit-v0.9.3.linux-amd64.tar.gz

193M	nerdctl-full-0.15.0-linux-amd64.tar.gz

I would prefer if buildkit was also installed from apk, it seems to already be required* for containerd to use apk.

* Since alpine uses a different C library, only static binaries will work. The dynamic ones have glibc dependencies.

lima-vm/alpine-lima#34 (comment)