NVIDIA / enroot

A simple yet powerful tool to turn traditional container/OS images into unprivileged sandboxes.
Apache License 2.0

add crane support #117

Open aavbsouza opened 2 years ago

aavbsouza commented 2 years ago

Add an option to import docker images using google crane. This schema is useful to import images without setting up docker or podman. Useful for CI/CD settings where it could be complicated or not recommended to run dind (docker in docker) or podman in podman. The google crane only uses the authentication information of the repository, with no need for special configuration or permissions.

krono commented 2 years ago

Crane support sounds interesting, but I think there's something to be aware of:

_The docker:// scheme does not need docker or something installed._
There's the dockerd:// (n.b. with d), which needs docker or podman://, which needs podman.

Phrased differently, dockerd:// and podman:// are kind-of daemon based, while docker:// – and the proposed crane:// – are kind-of registry based.

I would hence expect crane:// to be its own switch case in https://github.com/NVIDIA/enroot/blob/master/src/runtime.sh#L438, and not part of https://github.com/NVIDIA/enroot/blob/master/src/docker.sh

3XX0 commented 2 years ago

Yeah I tend to agree with @krono, it looks like crane is just talking OCI, so why not use docker://? You would also need to install crane, so this kind of requires an extra dependency still.

aavbsouza commented 2 years ago

Hello @3XX0, it would be possible to use the docker schema. However, using crane is slightly more convenient since it can use the same authentication files used by other tools like podman and kaniko.

The position of the code was chosen to minimize the number of changes. Despite being very different from the docker daemon, the import workflow is quite similar for the two methods. Also, from the user's point of view it appears as a different option.

The dependence on the crane executable is optional, just like the dependencies on podman and docker.

thanks
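The comment above argues that a registry-based importer needs nothing beyond the registry credentials that podman, kaniko and crane already share through a docker-style `config.json`. The following is an added example, not code from enroot, crane or the author of this pull request, showing how such a tool resolves credentials for an image reference from that file: it maps the reference to its registry host (Docker Hub when no host is given, stored under the legacy `https://index.docker.io/v1/` key), decodes the base64 `auth` field or reads the plain `username`/`password` pair, and refuses to handle registries delegated to a credential helper. The `CONFIG` dictionary and the registry names in it are constructed for the example.

```python
import base64
import json

# Constructed docker-style config.json for the example; the hosts and
# credentials below are not real.
CONFIG = json.loads("""
{
  "auths": {
    "https://index.docker.io/v1/": {"auth": "aHVidXNlcjpodWJwYXNz"},
    "registry.example.com:5000": {"username": "ci", "password": "token1"}
  },
  "credHelpers": {"gcr.io": "gcr"}
}
""")

# Keys under which Docker Hub credentials are conventionally stored.
DOCKER_HUB_KEYS = ("https://index.docker.io/v1/", "index.docker.io", "docker.io")


def registry_for_image(ref: str) -> str:
    """Return the registry host for an image reference.

    Follows the docker/OCI convention: the first path component is a
    registry only if it contains a '.' or ':' or is 'localhost';
    otherwise the image lives on Docker Hub.
    """
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def lookup_auth(config: dict, registry: str):
    """Return (username, password) for a registry from a config.json dict.

    Returns None when no entry exists or when the registry is delegated
    to a credential helper (an external binary the file only names).
    """
    if registry in config.get("credHelpers", {}):
        return None
    auths = config.get("auths", {})
    keys = DOCKER_HUB_KEYS if registry == "docker.io" else (registry,)
    for key in keys:
        entry = auths.get(key)
        if entry is None:
            continue
        if "auth" in entry:
            # 'auth' is base64 of "user:password": encoded, not encrypted.
            decoded = base64.b64decode(entry["auth"]).decode("utf-8")
            user, _, password = decoded.partition(":")
            return user, password
        if "username" in entry and "password" in entry:
            return entry["username"], entry["password"]
    return None


def auth_for_image(config: dict, ref: str):
    """Convenience wrapper: credentials for the registry that serves ref."""
    return lookup_auth(config, registry_for_image(ref))


if __name__ == "__main__":
    for ref in ("ubuntu:22.04", "registry.example.com:5000/team/app:1.0",
                "gcr.io/project/image", "quay.io/org/image"):
        print(ref, "->", registry_for_image(ref), auth_for_image(CONFIG, ref))
```

The `auth` field is only base64, so anyone who can read the file holds the password; on a CI runner the file should be mode 0600, written from a short-lived token, and removed when the job ends, or credentials should be delegated through `credHelpers` so they never land on disk.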

aavbsouza commented 2 years ago

Hello @3XX0, are there any changes to this pull request that would make it acceptable? Thanks.

3XX0 commented 2 years ago

I'm not a fan of having specific logic in dockerd to accommodate different CLIs. Maybe we need a separate command to just convert the config or something.

Also your patch breaks some images because of the fixperm being misplaced