Open robberphex opened 2 years ago
Just forwarding the socket is not enough. The daemon and the client has to share the same filesystem for a bunch of stuffs such as nerdctl pull
, nerdctl network create
, nerdctl volume create
.
There is a WIP PR to move pull
and push
to the daemon side so that the filesystem does no longer need to be shared for pull
/push
(https://github.com/containerd/containerd/pull/5876), but we still need to share /var/lib/nerdctl
for other operations.
In the process of implementing the function of remote containerd management, I notice that the stdin/stderr/stdout cannot access via containerd grpc interface. I think the input/output stream should be listed.
And for nerdctl, we could make nerdctl as a docker alternatives, which means nerdctl could manage container instance of containerd remotely (including local virtual machine, and containerd in kubernetes cluster)
nerdctl could use containerd API and cri to manage the containers in unified cli interface. containerd API for manage containerd instance, CRI for manage other CRI instance, and nerdctl could be a tool for kubernetes ops.
It seems like you currently need a local containerd, even when using build
to talk to a remote buildkitd ?
@AkihiroSuda nerdctl pull alpine --platform=linux/amd64
works for me, is there any problem for nerdctl pull
to work remotely?
Maybe at macOS, nerdctl pull
will try download alpine/darwin/amd64, is this the only issue for nerdctl pull
?
The simple use case to confirm that forwarding socket is not enough is mouting containerd socket in a container. https://github.com/containerd/containerd/pull/5876 seems to be the solution so far May be we can enable the socket only for cmds that dosen't need filesystem sharing
That would be super awesome for running remote docker builds on aws lambda - if TLS would also be available. Any chance that this will be implemented at any point?
If you all you need is build
and load
, as compared to run
etc, then you should be able to use nerdctld (over ssh).
At current version of nerdctl and containerd, we can only manage local containerd instance.
nerdctl cannot manage containerd via remote socket.
How to try remote containerd management:
./sockfwd -s 0.0.0.0:9090 -d unix:/run/containerd/containerd.sock
../sockfwd -d 123.57.254.88:9090 -s unix:/tmp/containerd.sock
./_output/nerdctl --debug -a /tmp/containerd.sock run --network=none --rm -it alpine echo 1
and failed.https://github.com/robberphex/sockfwd/
I think we need to modify containerd and nerdctl as well.