containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

Support remote containerd management #473

Open robberphex opened 2 years ago

robberphex commented 2 years ago

At the current version of nerdctl and containerd, we can only manage a local containerd instance.

nerdctl cannot manage containerd via a remote socket.

How to try remote containerd management:

  1. on the machine running containerd, execute ./sockfwd -s 0.0.0.0:9090 -d unix:/run/containerd/containerd.sock.
  2. on the local machine, execute ./sockfwd -d 123.57.254.88:9090 -s unix:/tmp/containerd.sock
  3. on the local machine, execute ./_output/nerdctl --debug -a /tmp/containerd.sock run --network=none --rm -it alpine echo 1, which fails.

https://github.com/robberphex/sockfwd/

I think we need to modify containerd and nerdctl as well.

AkihiroSuda commented 2 years ago

Just forwarding the socket is not enough. The daemon and the client have to share the same filesystem for a bunch of things such as nerdctl pull, nerdctl network create, nerdctl volume create.

AkihiroSuda commented 2 years ago

There is a WIP PR to move pull and push to the daemon side so that the filesystem no longer needs to be shared for pull/push (https://github.com/containerd/containerd/pull/5876), but we still need to share /var/lib/nerdctl for other operations.

robberphex commented 2 years ago

In the process of implementing remote containerd management, I noticed that stdin/stderr/stdout cannot be accessed via the containerd gRPC interface. I think the input/output streams should be listed.

And for nerdctl, we could make nerdctl a docker alternative, which means nerdctl could manage container instances of containerd remotely (including a local virtual machine, and containerd in a kubernetes cluster).

nerdctl could use the containerd API and CRI to manage containers in a unified CLI interface: the containerd API to manage containerd instances, CRI to manage other CRI instances, and nerdctl could be a tool for kubernetes ops.

afbjorklund commented 2 years ago

It seems like you currently need a local containerd, even when using build to talk to a remote buildkitd?

robberphex commented 2 years ago

@AkihiroSuda nerdctl pull alpine --platform=linux/amd64 works for me; is there any problem with nerdctl pull working remotely?

Maybe on macOS, nerdctl pull will try to download alpine/darwin/amd64; is this the only issue for nerdctl pull?

fahedouch commented 2 years ago

The simple use case confirming that forwarding the socket is not enough is mounting the containerd socket in a container. https://github.com/containerd/containerd/pull/5876 seems to be the solution so far. Maybe we can enable the socket only for commands that don't need filesystem sharing.

mfittko commented 4 months ago

That would be super awesome for running remote docker builds on aws lambda, if TLS were also available. Any chance that this will be implemented at any point?

afbjorklund commented 4 months ago

If all you need is build and load, as compared to run etc., then you should be able to use nerdctld (over ssh).