docker / setup-buildx-action

GitHub Action to set up Docker Buildx
https://github.com/marketplace/actions/docker-setup-buildx
Apache License 2.0

Question: How to enable the containerd image store feature? #257

Closed tenzen-y closed 10 months ago

tenzen-y commented 10 months ago

I would like to use the containerd image store feature in the GitHub actions.

So I modified the /etc/docker/daemon.json using the following action config since the setup-buildx-action seems not to support customizing /etc/docker/daemon.json:

  steps:
    - name: Setup QEMU
      uses: docker/setup-qemu-action@v2
      with:
        platforms: linux/amd64,linux/arm64

    - name: Set Up Docker Buildx
      uses: docker/setup-buildx-action@v2

    - name: Set Up containerd image store
      shell: bash
      run: |
        cat /etc/docker/daemon.json | jq '. | .+{"features": {"containerd-snapshotter": true}}' | sudo tee /etc/docker/daemon.json
        cat /etc/docker/daemon.json
        sudo systemctl restart docker

        docker info -f '{{ .DriverStatus }}'

However, I could not enable the feature as I can see in the logs:

Run cat /etc/docker/daemon.json | jq '. | .+{"features": {"containerd-snapshotter": true}}' | sudo tee /etc/docker/daemon.json
  cat /etc/docker/daemon.json | jq '. | .+{"features": {"containerd-snapshotter": true}}' | sudo tee /etc/docker/daemon.json
  sudo systemctl restart docker

  docker info -f '{{ .DriverStatus }}'
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
{
  "exec-opts": [
    "native.cgroupdriver=cgroupfs"
  ],
  "cgroup-parent": "/actions_job",
  "features": {
    "containerd-snapshotter": true
  }
}
[[Backing Filesystem extfs] [Supports d_type true] [Using metacopy false] [Native Overlay Diff false] [userxattr false]]
Docker info
  /usr/bin/docker version
  Client:
   Version:           23.0.6+azure-2
   API version:       1.42
   Go version:        go1.19.10
   Git commit:        ef23cbc4315ae76c744e02d687c09548ede461bd
   Built:             Thu May  4 10:51:27 UTC 2023
   OS/Arch:           linux/amd64
   Context:           default

  Server:
   Engine:
    Version:          23.0.6+azure-2
    API version:      1.42 (minimum version 1.12)
    Go version:       go1.19.10
    Git commit:       9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff
    Built:            Fri May  5 20:50:10 2023
    OS/Arch:          linux/amd64
    Experimental:     false
   containerd:
    Version:          1.6.22+azure-1
    GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
   runc:
    Version:          1.1.8
    GitCommit:        82f18fe0e44a59034f3e1f45e475fa5636e539aa
   docker-init:
    Version:          0.19.0
    GitCommit:        
  /usr/bin/docker info
  Client:
   Context:    default
   Debug Mode: false
   Plugins:
    buildx: Docker Buildx (Docker Inc.)
      Version:  0.11.2+azure-1
      Path:     /usr/libexec/docker/cli-plugins/docker-buildx
    compose: Docker Compose (Docker Inc.)
      Version:  2.20.2+azure-1
      Path:     /usr/libexec/docker/cli-plugins/docker-compose

  Server:
   Containers: 1
    Running: 0
    Paused: 0
    Stopped: 1
   Images: 18
   Server Version: 23.0.6+azure-2
   Storage Driver: overlay2
    Backing Filesystem: extfs
    Supports d_type: true
    Using metacopy: false
    Native Overlay Diff: false
    userxattr: false
   Logging Driver: json-file
   Cgroup Driver: cgroupfs
   Cgroup Version: 2
   Plugins:
    Volume: local
    Network: bridge host ipvlan macvlan null overlay
    Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
   Swarm: inactive
   Runtimes: io.containerd.runc.v2 runc
   Default Runtime: runc
   Init Binary: docker-init
   containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
   runc version: 82f18fe0e44a59034f3e1f45e475fa5636e539aa
   init version: 
   Security Options:
    apparmor
    seccomp
     Profile: builtin
    cgroupns
   Kernel Version: 5.15.0-1042-azure
   Operating System: Ubuntu 22.04.3 LTS
   OSType: linux
   Architecture: x86_64
   CPUs: 2
   Total Memory: 6.769GiB
   Name: fv-az1114-138
   ID: 9ccb9e36-b5cb-4ddd-a032-56b201fccd3f
   Docker Root Dir: /var/lib/docker
   Debug Mode: false
   Username: githubactions
   Registry: https://index.docker.io/v1/
   Experimental: false
   Insecure Registries:
    127.0.0.0/8
   Live Restore Enabled: false

Q1. Can I set up the containerd image store feature using docker/setup-buildx-action?

Q2. Can I update the /etc/docker/daemon.json when using docker/setup-buildx-action?

Thanks in advance.
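An added example (not code from the issue or from either action) showing how to merge the feature flag into daemon.json without the truncation race in the `cat file | jq | sudo tee file` one-liner above (tee can truncate the file before cat has read it, leaving an empty daemon.json and a daemon that will not restart), and how to tell from `docker info --format '{{json .}}'` whether the containerd store actually took effect, since the runs above still report overlay2. It assumes an active containerd image store reports Driver `overlayfs` with a `driver-type` of `io.containerd.snapshotter.v1`; the daemon.json and docker info samples are constructed.

```python
import json
import os
import tempfile

# Constructed samples (not from a real run): the daemon.json the issue shows
# on the runner, plus two `docker info --format '{{json .}}'` fragments: the
# overlay2 state from the issue's logs, and what an active containerd image
# store is assumed to report.
RUNNER_DAEMON_JSON = ('{"exec-opts": ["native.cgroupdriver=cgroupfs"], '
                      '"cgroup-parent": "/actions_job"}')
INFO_OVERLAY2 = ('{"Driver": "overlay2", "DriverStatus": '
                 '[["Backing Filesystem", "extfs"], ["Supports d_type", "true"]]}')
INFO_CONTAINERD = ('{"Driver": "overlayfs", "DriverStatus": '
                   '[["driver-type", "io.containerd.snapshotter.v1"]]}')


def merge_containerd_snapshotter(existing_text: str) -> dict:
    """Add features.containerd-snapshotter=true to an existing daemon.json.
    Keys already present (exec-opts, cgroup-parent) are kept: replacing the
    file with only the new feature would silently change the runner's cgroup
    setup. An empty file is treated as {} instead of breaking the pipeline."""
    cfg = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a JSON object")
    cfg.setdefault("features", {})["containerd-snapshotter"] = True
    return cfg


def write_daemon_json(path: str, cfg: dict) -> None:
    """Write cfg atomically (temp file in the same directory, then rename) so
    nothing ever leaves a truncated daemon.json behind, which would stop dockerd
    from starting on the next `systemctl restart docker`."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".daemon.")
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)
        f.write("\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def containerd_store_active(docker_info_json: str) -> bool:
    """Check `docker info --format '{{json .}}'` output. Assumption: with the
    containerd image store active, Driver is "overlayfs" and DriverStatus
    carries driver-type io.containerd.snapshotter.v1; the issue's runs instead
    still show overlay2 with the classic Backing Filesystem fields."""
    info = json.loads(docker_info_json)
    status = dict(info.get("DriverStatus") or [])
    return (info.get("Driver") == "overlayfs"
            and status.get("driver-type") == "io.containerd.snapshotter.v1")
```

In a workflow step this would run under sudo against /etc/docker/daemon.json before the restart, and the check against `docker info` after it.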

crazy-max commented 10 months ago

It's available since Docker 24. You can use https://github.com/crazy-max/ghaction-setup-docker if you want to update Docker to the latest 24 for testing:

      -
        name: Set up Docker
        uses: crazy-max/ghaction-setup-docker@v1
        with:
          version: v24.0.5

tenzen-y commented 10 months ago

@crazy-max Oh, I see. Thanks for helping!

crazy-max commented 10 months ago

Let us know how it goes, thanks! (cc @thaJeztah @neersighted)

tenzen-y commented 10 months ago

Sure. I tried to set up the beta feature using the following actions:

  steps:
    - name: Set up Docker
      uses: crazy-max/ghaction-setup-docker@v1
      with:
        version: v24.0.5

    - name: Setup QEMU
      uses: docker/setup-qemu-action@v2
      with:
        platforms: linux/amd64,linux/arm64

    - name: Set Up Docker Buildx
      uses: docker/setup-buildx-action@v2

    - name: Set Up containerd image store
      shell: bash
      run: |
        cat /etc/docker/daemon.json | jq '. | .+{"features": {"containerd-snapshotter": true}}' | sudo tee /etc/docker/daemon.json
        cat /etc/docker/daemon.json
        sudo systemctl restart docker

        docker info -f '{{ .DriverStatus }}'
        docker info

However, the solution seems not to work well...

Run cat /etc/docker/daemon.json | jq '. | .+{"features": {"containerd-snapshotter": true}}' | sudo tee /etc/docker/daemon.json
  cat /etc/docker/daemon.json | jq '. | .+{"features": {"containerd-snapshotter": true}}' | sudo tee /etc/docker/daemon.json
  sudo systemctl restart docker

  docker info -f '{{ .DriverStatus }}'
  docker info
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
{
  "exec-opts": [
    "native.cgroupdriver=cgroupfs"
  ],
  "cgroup-parent": "/actions_job",
  "features": {
    "containerd-snapshotter": true
  }
}
[[Backing Filesystem extfs] [Supports d_type true] [Using metacopy false] [Native Overlay Diff false] [userxattr false]]
Client:
 Version:    24.0.5
 Context:    setup-docker-action
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.11.2+azure-1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  2.20.2+azure-1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-1041-azure
 Operating System: Ubuntu 22.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 6.769GiB
 Name: fv-az1232-886
 ID: 116e429b-2e73-4400-bf7a-91351907ea2e
 Docker Root Dir: /home/runner/setup-docker-action-08e1d0da-28c7-4066-9b67-d6110c1a0613/data
 Debug Mode: false
 Username: githubactions
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

crazy-max commented 10 months ago

> However, the solution seems not to work well...

I will take a look and keep you posted

tenzen-y commented 10 months ago

Thanks!

tenzen-y commented 9 months ago

Just FYI: the action below works fine, although I'm not sure why.

  steps:
    - name: Set up Docker
      env:
        DOCKER_CLI_EXPERIMENTAL: enabled
      uses: crazy-max/ghaction-setup-docker@v2
      with:
        version: v24.0.6
        daemon-config: |
          {
            "features": {
              "containerd-snapshotter": true
            }
          }

    - name: Setup QEMU
      uses: docker/setup-qemu-action@v3
      with:
        platforms: linux/amd64,linux/arm64

    - name: Set Up Docker Buildx
      uses: docker/setup-buildx-action@v3

audunsolemdal commented 1 month ago

> Just FYI: the action below works fine, although I'm not sure why.
>
>   steps:
>     - name: Set up Docker
>       env:
>         DOCKER_CLI_EXPERIMENTAL: enabled
>       uses: crazy-max/ghaction-setup-docker@v2
>       with:
>         version: v24.0.6
>         daemon-config: |
>           {
>             "features": {
>               "containerd-snapshotter": true
>             }
>           }
>
>     - name: Setup QEMU
>       uses: docker/setup-qemu-action@v3
>       with:
>         platforms: linux/amd64,linux/arm64
>
>     - name: Set Up Docker Buildx
>       uses: docker/setup-buildx-action@v3

I am wondering if anyone has gotten aquasecurity/trivy-action to work after using crazy-max/ghaction-setup-docker previously in the workflow. I want to enable the containerd image store, but can't get trivy to detect my docker images if I do so.