Live CD: Investigate Nerdctl image storage

[yveszoundi]

Background

There's a desire to transition from podman to nerdctl on the Live CD, because it provides graceful apparmor support for rootless containers. The Live CD ISO image size should not get out of control though.

• There was a successful preliminary investigation for enabling apparmor on the Live CD #18
• Sadly, the ISO image size grew too much (800 MB to 1.4 GB)
  • We added some new apparmor DEB packages
  • We added few nerdctl related binaries
  • We're using fuse-overlayfs as "containerd snapshotter"

Objectives

• [x] Understand at a high level the nerdctl directory layout and typical storage size

• [x] Understand at a high level nerdctl snapshotters and relevant disk storage requirements

• [x] Evaluate opportunities to compress the container image "BLOB size" on the Live CD

[yveszoundi]

Nerdctl is a Docker compatible CLI for containerd. The concept of "snapshots" seems to be an integral part of how containerd works.

In order to create a container, the following must occur:

    The image and all its content must be loaded into the content store. This normally happens via download from the OCI registry, but you can load content in directly as well.
    Committed snapshots must be created from each layer of content for the image.
    An active snapshot must be created on top of the final layer of content for the image.

A container now can be created, with its root filesystem as the active snapshot.

Nerdctl directory layout

There are few interesting folders for Nerdctl "rootless" installations

• ~/.config/containerd
• ~/.local/share/nerdctl
• ~/.local/share/containerd
  • io.containerd.runtime.v1.linux,
  • io.containerd.runtime.v2.task
  • io.containerd.snapshotter.v1.btrfs
  • io.containerd.snapshotter.v1.native
  • tmpmounts
  • io.containerd.metadata.v1.bolt
  • io.containerd.content.v1.content
  • io.containerd.snapshotter.v1.overlayfs

Nerdctl snapshotters

There are several "snapshotters" that work with nerdctl including the native one, stargz, fuse-overlayfs, just to name a few. Apparently there's a gRPC contract implementation for using a given "snapshotter plugin".

Compressing image blobs

It is possible to compress images with nerdctl really well (slow process)

nerdctl image convert --estargz --oci <originalname> <newname>

Sadly, compressing images sadly doesn't address any disk storage concerns after removing the original uncompressed image.

The snapshot is still present and it's essentially a duplicate copy of the unpacked image contents. If using let's say the overlayfs snapshotter, we would have duplicated data in the snapshot folder.

• ~/.local/share/containerd/io.containerd.content.v1.content
  • ~/.local/share/containerd/io.containerd.snapshotter.v1.overlayfs