容器启动加速-nydus

• 1. 概述
  • 1.1. 使用nydus需要考虑的问题
  • 1.2. 当前实践探索中遇到的问题
• 2. 容器集成nydus
  • 2.1. contanierd 集成【核心】
    • 2.1.1. 版本说明
    • 2.1.2. 概念说明
    • 2.1.3. 构建
      • 2.1.3.1. 构建 buildkitd
      • 2.1.3.2. 安装nydus
      • 2.1.3.3. 启动buildkitd进程
      • 2.1.3.4. 构建镜像
    • 2.1.4. 部署
      • 2.1.4.1. 部署nydus-snapshotter
      • 2.1.4.2. 配置containerd支持nydus snapshotter
    • 2.1.5. 使用nydus镜像启动containerd容器
  • 2.2. kubernertes集成
    • 2.2.1. 版本说明
    • 2.2.2. k8s集群准备
      • 2.2.2.1. 将k8s cri从docker替换为containerd
    • 2.2.3. 部署buildkit
      • 2.2.3.1. 构建buildkit镜像
      • 2.2.3.2. 按需修改yaml并部署
    • 2.2.4. 部署 nydus-snapshotter
      • 2.2.4.1. 更改nydus镜像
      • 2.2.4.2. 修改configmap
      • 2.2.4.3. 重启nydus-snapshotter
    • 2.2.5. 验证
      • 2.2.5.1. 在pod中构建nydus格式的镜像
      • 2.2.5.2. 使用pod启动nydus镜像容器
  • 2.3. docker 集成
• 3. CI集成 – skaffold集成nydus
• 4. nydus镜像启动pod与ociv1镜像启动pod效果对比
  • 4.1. wordpress镜像
    • 4.1.1. oci v1镜像容器pulling image时间
    • 4.1.2. nydus镜像容器pulling image时间
• 5. 问题记录
  • 5.1. 镜像无法构建
  • 5.2. containerd 命令速记
  • 5.3. 镜像无法下载
  • 5.4. 如何判断一个镜像是否是nydus镜像
    • 5.4.1. 通过本地manifest判断
    • 5.4.2. 通过nydusify check检查
  • 5.5. nydus snapshotter无法启动
  • 5.6. buildkit构建nydus镜像构建不成功
  • 5.7. dragonflyoss仓库的镜像无法 inspect
  • 5.8. nydus镜像与oci镜像manifest的区别
  • 5.9. 构建的镜像list时告警
  • 5.10. 问题 buildkit打的nydus镜像无法run ,run ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5 没问题
  • 5.11. 运行oci-ref镜像导致nydusd进程z状态
    • 5.11.1. 现象
    • 5.11.2. 解决方式
  • 5.12. nydus镜像和oci镜像拉取镜像时间相同
    • 5.12.1. nydus镜像启动 nydus-snapshotter日志
    • 5.12.2. oci镜像启动 nydus-snapshotter日志
• 6. 参考

1. 概述

Nydus是一个镜像加速器，主要通过容器启动时懒加载镜像提高启动速度, 大镜像可以秒级启动，后续的读写通过COW方式。以下是nydus的几个标签:

• Nydus是蚂蚁、阿里云、字节等共建的开源容器镜像加速项目
• CNCF孵化的项目Dragonfly中的一个子项目
• 新的镜像格式，不同于oci
• 良好的生态，兼容containerd、k8s、harbor、buildkit – 从构建、存储、部署、到CI集成，有丰富的解决方案
• erofs+fscache+cachefiles 缓存方案: 使用内核缓存和只读文件系统进行io加速
  • cachefiles: 获取文件缓存
  • fscache: 管理cachefiles的缓存内容
  • erofs: 将缓存以文件系统接口方式提供访问

用Nydus对容器进行加速，当前可用，可以使用(k8s+)buildkit构建镜像，使用(k8s+)containerd进行发布, 使用skaffold进行CI(但路途坎坷，该文档内容主要为这部分)；未来可期，使用fscache+erofs进行底层存储加速。

1.1. 使用nydus需要考虑的问题

如果要落地Nydus，需要考虑如下几个问题:

• 当前k8s container runtime 如果是docker，则需要切换成containerd，切换需要注意

  • pod服务可能会中断
  • 监控日志，原来通过docker接口，现在需要通过containerd接口 – 这部分k8s可以屏蔽

• CI如何处理原有的docker build方式和现在buildkit构建方式

• containerd功能相对简单，要用它来进行构建、运行等操作需要多个组件配合才行，要使用起来需要做不少操作:

  • containerd
  • nerdctl
  • buildkitd
  • buildctl …
  • nydus-snapshotter 要使用nydus镜像的话需要

• ⚠️性能问题，写时复制从远端拉取，例如从镜像仓库拉取的话需要考虑

  • 镜像仓库本身的IO性能
  • 从pod到仓库的网络带宽

• ⚠️容器化使用nydus-snapshotter有待改进
  现在nydus-snapshotter容器故障之后由于和容器启动需要nydus-snapshotter这样的循环依赖，所以无法自愈，需要

  • 删除containerd中的nydus-snapshotter配置
  • 重启containerd
  • 重新配置containerd

1.2. 当前实践探索中遇到的问题

在实践探索中主要有如下问题:

• 涉及项目多，各项目版本不明确，遇到较多版本兼容问题
• 文档分散，不易查阅
• 实践类文档较少
• 文档落后代码较多
• 部分项目CI部分代码落后于主体代码

正在解决中的问题

• 构建出来的本地镜像缺少layer无法run

2. 容器集成nydus

2.1. contanierd 集成【核心】

2.1.1. 版本说明

组件版本备注

内核	5.18.2-1.el7.elrepo.x86_64
containerd	containerd.io 1.6.6 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
buildkit	github.com/moby/buildkit 76aeaa55.m 76aeaa55ff4e1c575644bffbf0a43bea92215fbe.m	从https://github.com/nydusaccelerator/buildkit.git构建
nydus-image	v2.2.1
containerd-nydus-grpc	v0.8.0
nerdctl	1.3.1

2.1.2. 概念说明

• nydus镜像: nydus格式的镜像，不同于现在的ociv1 ociv2，在使用时可进行懒加载，加快容器启动速度

• nydus镜像构建

  • buildkitd: 构建nydus镜像的工具，需要增加nydus兼容配置, 一般以守护进程运行，客户端通过 buildctl 命令通过sock文件或tcp进行与服务端连接，也支持daemonless
  • nydus-image: nydus镜像工具，可以集成到buildkit中构建nydus格式的镜像，也可以单独使用进行nydus镜像构建、检查、导出等

• nydus镜像运行

  • containerd: 容器运行时
  • nydus-snapshotter: 是一个containerd插件，用来支持contanierd使用nydus格式的镜像¹

buidlkit+nydus构建完镜像之后推送到仓库，可以是docker registry，也可以是harbor等
运行的时候每启动一个nydus镜像的容器，containerd会调用 nydus-snapshotter 去查看本地有没有缓存，如果没有的话启动 nydusd 进程去拉取,如果有的话启动nydusd fuse进程作为文件服务器提供给容器挂载，这里是懒加载的关键，容器需要什么nydusd就会从仓库拉什么，启动对应的snapshotter挂载进程。

/usr/bin/nydusd fuse --thread-num 10 --config /var/lib/containerd-nydus/config/chmadgaihqqap9ldb1eg/config.json --bootstrap /var/lib/containerd-nydus/snapshots/833/fs/image/image.boot --mountpoint /var/lib/containerd-nydus/snapshots/833/mnt --apisock /var/lib/containerd-nydus/socket/chmadgaihqqap9ldb1eg/api.sock --log-level debug --log-file /var/lib/containerd-nydus/logs/chmadgaihqqap9ldb1eg/nydusd.log

架构图如下，这里用的是fuse文件系统, erofs的社区文档比较少，暂时先用fuse

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-jMiUFnzf-1686298186600)(null)]

如果用erofs

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-vg8EBgO4-1686298186840)(null)]

2.1.3. 构建

2.1.3.1. 构建 buildkitd

官方社区仓库是 moby/buildkit, 这里用的nydusaccelerator的项目，是因为当前bug/新功能会先在nydusaccelerator发布，所以暂时先用这个项目

git clone https://github.com/nydusaccelerator/buildkit.gitcd buildkitgo build -tags=nydus -o ./bin/buildkitd ./cmd/buildkitdmv ./bin/buildkitd /usr/bin/chmod +x /usr/bin/buildkitd

2.1.3.2. 安装nydus

wget https://github.com/dragonflyoss/image-service/releases/download/v2.2.1/nydus-static-v2.2.1-linux-amd64.tgztar zxf nydus-static-v2.2.1-linux-amd64.tgzcd nydus-staticsudo install -D -m 755 nydusd nydus-image nydusify nydusctl nydus-overlayfs /usr/bin

2.1.3.3. 启动buildkitd进程

buildkit 配置²

cat > /etc/buildkit/buildkitd.toml <<EOFdebug = false[worker.oci]enabled = false[worker.containerd]enabled = true# 构建成功的之后的镜像存储位置namespace = "default"address = "/run/containerd/containerd.sock"enabled = trueplatforms = [ "linux/amd64", "linux/arm64" ]gc = true# gckeepstorage sets storage limit for default gc profile, in MB.gckeepstorage = 9000EOF cat > /etc/systemd/system/buildkitd.service << EOF[Unit]Description=BuildKitDocumentation=https://github.com/moby/buildkit[Service]Environment="NYDUS_BUILDER=/usr/bin/nydus-image"ExecStart=/usr/bin/buildkitd --config /etc/buildkit/buildkitd.toml[Install]WantedBy=multi-user.targetEOF systemctl enable buildkitdsystemctl start buildkitd

2.1.3.4. 构建镜像

构建一个简单的hello world镜像

• hello world程序

mkdir golang-helloworld

编辑 main.go

package mainimport "fmt"func main() {fmt.Println("Hello, world!")}

构建可执行文件

go build -o hello main.go

• Dockerfile

编辑dockerfile

FROM ubuntu:20.04COPY hello /ENTRYPOINT [ "/hello" ]

• 构建

这里会构建一个nydus格式的镜像 名称为reg.harbor.com/hello/hello-k8s:v0.0.4, push 为 true 则构建完成之后推送远端仓库

buildctl build --progress=plain \--frontend=dockerfile.v0 \--local context=. \--local dockerfile=. \--output type=image,name=reg.harbor.com/hello/hello-k8s:v0.0.4,compression=nydus,oci-mediatypes=true,push=true

• 校验

这里我们构建出来了nydus镜像，可以校验一下

nydusify check --target reg.harbor.com/hello/hello-k8s:v0.0.4INFO[2023-05-24T10:59:56+08:00] Parsing image reg.harbor.com/hello/hello-k8s:v0.0.4INFO[2023-05-24T10:59:56+08:00] Dumping OCI and Nydus manifests to ./output...INFO[2023-05-24T10:59:57+08:00] Verified Nydus image reg.harbor.com/hello/hello-k8s:v0.0.4

这里check的是远端镜像，一切符合预期,是nydus镜像³

cat output/nydus_manifest.json{"schemaVersion": 2,"mediaType": "application/vnd.oci.image.manifest.v1+json","config": {"mediaType": "application/vnd.oci.image.config.v1+json","digest": "sha256:3121880b13bcaf21d0748cc35139769cb353bdd8429e541da489d1833c0c9ea7","size": 6940},"layers": [{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a","size": 30779473,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}...{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab","size": 1067099,"annotations": {"containerd.io/snapshot/nydus-blob": "true"},{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip","digest": "sha256:4c73ce0e2ddc066d200bc119cc2b6f39938fd136b93fb8d47a590788cc91c91c","size": 2258453,"annotations": {"containerd.io/snapshot/nydus-blob-ids": "[\"e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a\",\"15596146dcdb421faaf9881e63baa87731603f412d1f05aa78e2d8f5bb78f1d5\",\"68fb6d505c4733f3c39645876ab9ed30dbf46056b36630be2dafe48634af1e01\",\"32a3c81c8fb5b12c68d74e01b29cd02463d8e85c0296ac3e30874f0f38412ec9\",\"89fe8a5a29e872cb9afbdeffeb9307498e67f42a0d3fdeca754b7a55b8849083\",\"43f9d24cfd0900b5ccbc7030559df305d237932f5383f592128d165c723ca553\",\"5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab\"]","containerd.io/snapshot/nydus-bootstrap": "true","containerd.io/snapshot/nydus-fs-version": ""}}]}

本地镜像暂时无法使用,使用会报错(这里是部署了nydus snapshotter之后)

nerdctl run --rm reg.harbor.com/hello/hello-k8s:v0.0.4 --snapshotter=nydus INFO[0000] apply failure, attempting cleanup error="failed to extract layer sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: failed to get reader from content store: content digest sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: not found" key="extract-504360049-gvw0 sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a"FATA[0000] failed to extract layer sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: failed to get reader from content store: content digest sha256:e4aa28274bae00ca1bd04843009c93fba1f6cfae94fb9f60cc98e68e7dd0977a: not found

这里应该应该是nydus+fuse的bug，解决方法为在构建完成之后把本地镜像删除掉, 使用时通过远端拉取

nerdctl rmi reg.harbor.com/hello/hello-k8s:v0.0.4

本地镜像构建出来的manifest和远端一致，这里不能用是因为存储的时候少存储了snapshotter，具体问题待社区确认

2.1.4. 部署

2.1.4.1. 部署nydus-snapshotter

• 安装 containerd-nydus-grpc

wget https://github.com/containerd/nydus-snapshotter/releases/download/v0.8.0/nydus-snapshotter-v0.8.0-x86_64.tgztar zxf nydus-snapshotter-v0.8.0-x86_64.tgzinstall -D -m 755 nydus-snapshotter/containerd-nydus-grpc /usr/bin

• nydus-fusedev 配置

# nydus blob 缓存mkdir /opt/nydus/cache cat > /etc/nydus/nydusd-config.fusedev.json <<EOF{"device": {"backend": {"type": "registry","config": {"scheme": "https","skip_verify": true,"timeout": 5,"connect_timeout": 5,"retry_limit": 4}},"cache": {"type": "blobcache","config": {"work_dir": "/opt/nydus/cache"}}},"mode": "direct","digest_validate": false,"iostats_files": false,"enable_xattr": true,"fs_prefetch": {"enable": true,"threads_count": 4}}EOF

• nydus snapshotter 主进程配置⁴

cat /etc/nydus/config.tomlversion = 1address = "/run/containerd-nydus/containerd-nydus-grpc.sock"daemon_mode = "multiple"cleanup_on_close = false[system]enable = trueaddress = "/run/containerd-nydus/system.sock"[system.debug]daemon_cpu_profile_duration_secs = 5pprof_address = ""[daemon]nydusd_path = "/usr/bin/nydusd"nydusimage_path = "/usr/bin/nydus-image"# fusedev or fscachefs_driver = "fusedev"# How to process when daemon dies: "none", "restart" or "failover"recover_policy = "restart"# Specify a configuration file for nydusdnydusd_config = "/etc/nydus/nydusd-config.fusedev.json"# The fuse or fscache IO working threads started by nydusdthreads_number = 10[log]# Print logs to stdout rather than logging fileslog_to_stdout = falselevel = "debug"log_rotation_compress = truelog_rotation_local_time = truelog_rotation_max_age = 7log_rotation_max_backups = 5log_rotation_max_size = 1[metrics]# Enable by assigning an address, empty indicates metrics server is disabledaddress = ":9110"[remote]convert_vpc_registry = false[remote.mirrors_config]dir = ""[remote.auth]enable_kubeconfig_keychain = falsekubeconfig_path = ""enable_cri_keychain = falseimage_service_address = ""[snapshot]enable_nydus_overlayfs = falsesync_remove = false[cache_manager]disable = falsegc_period = "24h"cache_dir = "/opt/nydus/cache/"[image]public_key_file = ""validate_signature = false[experimental]enable_stargz = falseenable_referrer_detect = false cat > /etc/systemd/system/nydus-snapshotter.service <<EOF[Unit]Description=nydus snapshotterAfter=network.targetBefore=containerd.service[Service]Type=simpleEnvironment=HOME=/rootExecStart=/usr/local/bin/containerd-nydus-grpc --config /etc/nydus/config.tomlRestart=alwaysRestartSec=1KillMode=processOOMScoreAdjust=-999StandardOutput=journalStandardError=journal[Install]WantedBy=multi-user.targetEOF systemctl daemon-reloadsystemctl enable nydus-snapshottersystemctl start nydus-snapshotter

2.1.4.2. 配置containerd支持nydus snapshotter

编辑containerd配置 /etc/containerd/config.toml

version = 2state = "/run/containerd"[grpc]address = "/run/containerd/containerd.sock"uid = 0gid = 0max_recv_message_size = 16777216max_send_message_size = 16777216[timeouts]"io.containerd.timeout.shim.cleanup" = "5s""io.containerd.timeout.shim.load" = "5s""io.containerd.timeout.shim.shutdown" = "3s""io.containerd.timeout.task.state" = "2s"[plugins][plugins."io.containerd.grpc.v1.cri"]# k8s原来用的container runtime是docker，则需要配置pause镜像，否则runtime改编之后k8s原有pod无法启动sandbox_image = "reg.harbor.com/kubernetes/pause:3.6"[plugins."io.containerd.grpc.v1.cri".cni]# cni插件路径bin_dir = "/opt/cni/bin"conf_dir = "/etc/cni/net.d"max_conf_num = 1conf_template = ""[plugins."io.containerd.grpc.v1.cri".registry][plugins."io.containerd.grpc.v1.cri".registry.mirrors][plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]endpoint = ["https://registry-1.docker.io"]# Nydus插件主要配置[proxy_plugins][proxy_plugins.nydus]type = "snapshot"address = "/run/containerd-nydus/containerd-nydus-grpc.sock"[plugins."io.containerd.grpc.v1.cri".containerd]snapshotter = "nydus"disable_snapshot_annotations = falsediscard_unpacked_layers = false

修改完毕重启containerd

systemctl restart containerd

2.1.5. 使用nydus镜像启动containerd容器

containerd也有类似docker的命令行 nerdctl

• 安装 nerdctl

wget https://github.com/containerd/nerdctl/releases/download/v1.3.1/nerdctl-1.3.1-linux-amd64.tar.gztar zxvf nerdctl-1.3.1-linux-amd64.tar.gzinstall -D -m 755 nerdctl /usr/bin/

• 配置 nerdctl

默认使用 nydus-snapshotter

cat > /etc/nerdctl/nerdctl.toml <<EOFdebug = falsedebug_full = falseaddress = "unix:///var/run/containerd/containerd.sock"namespace = "default"snapshotter = "nydus"experimental = trueEOF

• 使用构建阶段产生的镜像运行容器

先删除本地镜像 nerdctl rmi reg.harbor.com/hello/hello-k8s:v0.0.4

nerdctl run --rm reg.harbor.com/hello/hello-k8s:v0.0.4# 输出reg.harbor.com/hello/hello-k8s:v0.0.4: resolved |++++++++++++++++++++++++++++++++++++++|manifest-sha256:c6ab4a56b80d503312322bda42fc31b038d6f6989d8d9e801c991787b8301132: exists |++++++++++++++++++++++++++++++++++++++|config-sha256:3121880b13bcaf21d0748cc35139769cb353bdd8429e541da489d1833c0c9ea7: exists |++++++++++++++++++++++++++++++++++++++|layer-sha256:4c73ce0e2ddc066d200bc119cc2b6f39938fd136b93fb8d47a590788cc91c91c: done |++++++++++++++++++++++++++++++++++++++|elapsed: 0.6 s total: 2.2 Mi (3.6 MiB/s)Hello, world!

使用 nerdctl 命令时可能会遇到 failed to call cni.Setup: plugin type=\"bridge\" failed (add): incompatible CNI versions; config is \"1.0.0\", plugin supports [\"0.1.0\" \"0.2.0\" \"0.3.0\" \"0.3.1\" \"0.4.0\"]" cni不支持的问题，需要升级cni

https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-arm64-v1.1.1.tgztar zxf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin

升级完毕即可用

到这里使用nydus加速containerd容器启动，基本完成。使用erofs待探索

2.2. kubernertes集成

2.2.1. 版本说明

组件版本备注

k8s	v1.22.10
containerd	containerd.io 1.6.6 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
buildkitd	github.com/moby/buildkit 76aeaa55.m 76aeaa55ff4e1c575644bffbf0a43bea92215fbe.m	从https://github.com/nydusaccelerator/buildkit.git构建
nydus-snapshotter	v0.6.1	通过helm部署5,生产用的话需要更新下

2.2.2. k8s集群准备

首先需要一个 container runtime为containerd的集群

kubectl describe nodes |grep -i runtimeContainer Runtime Version: docker://20.10.8Container Runtime Version: docker://20.10.8Container Runtime Version: docker://20.10.8

如果是docker，则需要更改为containerd

2.2.2.1. 将k8s cri从docker替换为containerd

此处操作比较粗糙，生产切换请慎重

• 更改 kubelet 配置

编辑/etc/systemd/system/kubelet.service.d/10-kubeadm.conf

增加/在KUBELET_EXTRA_ARGS追加如内容

Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock"

• 创建 containerd 配置

新建 ``

version = 2state = "/run/containerd"[plugins][plugins."io.containerd.grpc.v1.cri"]sandbox_image = "reg.harbor.com/kubernetes/pause:3.6"You have new mail in /var/spool/mail/root

重启containerd kubelet服务

systemctl daemon-reloadsystemctl restart containerd kubelet

如果 kubelet 启动失败，请查看日志做对应处理 journalctl -xu kubelet -f

启动成功之后检查如下输出之后说明切换成功

kubectl describe nodes |grep -i runtime# 三个节点Container Runtime Version: containerd://1.6.6Container Runtime Version: containerd://1.6.6Container Runtime Version: containerd://1.6.6

2.2.3. 部署buildkit

2.2.3.1. 构建buildkit镜像

社区的镜像不支持nydus，需要构建镜像

git clone https://github.com/nydusaccelerator/buildkit.gitcd buildkit

修改 Dockerfile

diff --git a/Dockerfile b/Dockerfileindex 8869138b..b006e584 100644--- a/Dockerfile+++ b/Dockerfile@@ -97,7 +97,7 @@ ARG TARGETPLATFORMRUN --mount=target=. --mount=target=/root/.cache,type=cache \--mount=target=/go/pkg/mod,type=cache \--mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=buildkit-version \- CGO_ENABLED=0 xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags '-static'" -tags "osusergo netgo static_build seccomp ${BUILDKITD_TAGS}" -o /usr/bin/buildkitd ./cmd/buildkitd && \+ CGO_ENABLED=0 xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags '-static'" -tags "osusergo netgo nydus static_build seccomp ${BUILDKITD_TAGS}" -o /usr/bin/buildkitd ./cmd/buildkitd && \xx-verify --static /usr/bin/buildkitdFROM scratch AS binaries-linux-helper@@ -176,6 +176,7 @@ ARG ROOTLESSKIT_VERSIONRUN git clone https://github.com/rootless-containers/rootlesskit.git /go/src/github.com/rootless-containers/rootlesskitWORKDIR /go/src/github.com/rootless-containers/rootlesskitARG TARGETPLATFORM+ENV GOPROXY "https://goproxy.cn,direct"RUN --mount=target=/root/.cache,type=cache \git checkout -q "$ROOTLESSKIT_VERSION" && \CGO_ENABLED=0 xx-go build -o /rootlesskit ./cmd/rootlesskit && \@@ -203,6 +204,7 @@ RUN mkdir -p /out/nydus-static && tar xzvf nydus-static-$NYDUS_VERSION-$TARGETOSFROM buildkit-export AS buildkit-linuxCOPY --link --from=binaries / /usr/bin/+COPY --from=nydus /out/nydus-static/* /usr/bin/ENTRYPOINT ["buildkitd"]FROM binaries AS buildkit-darwin

主要有三处修改:

• 编译增加nydus支持 – 必须
• 增加goproxy配置 – 国内拉依赖包会失败，需要配置goproxy
• 将nydus-image打入镜像，这步经测试可有可无

make build

会构建出两个镜像，我们只使用非rootless的 moby/buildkit:local

2.2.3.2. 按需修改yaml并部署

git clone https://github.com/nydusaccelerator/buildkit.gitcd buildkit

这里使用deployment+service.privileged ⁶

编辑 deployment+service.privileged.yaml，去掉了tls配置，增加了NYDUS_BUILDER环境变量，最终如下

镜像 shoery/buildkit:76aeaa55

apiVersion: apps/v1kind: Deploymentmetadata:labels:app: buildkitdname: buildkitdspec:replicas: 1selector:matchLabels:app: buildkitdtemplate:metadata:labels:app: buildkitdspec:containers:- name: buildkitdenv:- name: NYDUS_BUILDERvalue: /usr/bin/nydus-imageimage: shoery/buildkit:76aeaa55args:- --addr- unix:///run/buildkit/buildkitd.sock- --addr- tcp://0.0.0.0:1234# the probe below will only work after Release v0.6.3readinessProbe:exec:command:- buildctl- debug- workersinitialDelaySeconds: 5periodSeconds: 30# the probe below will only work after Release v0.6.3livenessProbe:exec:command:- buildctl- debug- workersinitialDelaySeconds: 5periodSeconds: 30securityContext:privileged: trueports:- containerPort: 1234---apiVersion: v1kind: Servicemetadata:labels:app: buildkitdname: buildkitdspec:ports:- port: 1234protocol: TCPselector:app: buildkitd

部署

kubectl apply -f examples/kubernetes/deployment+service.privileged.yaml

构建镜像时仅需客户端有 buildctl 即可, 通过 --addr tcp://0.0.0.0:1234 连接到 buildkitd

2.2.4. 部署 nydus-snapshotter

run_nydus_in_kubernetes

这里注意用 v0.8.2 以上的镜像版本

这里没太多修改的地方, 两个地方需要修改，其他按文档部署即可

git clone https://github.com/dragonflyoss/helm-charts.gitcd helm-charts

2.2.4.1. 更改nydus镜像

新建 config-nydus.yaml

name: nydus-snapshotterimage: ghcr.io/containerd/nydus-snapshottertag: v0.8.2pullPolicy: IfNotPresenthostNetwork: truedragonfly:enable: falsecontainerRuntime:containerd:enable: true

2.2.4.2. 修改configmap

如果不增加nydus.toml配置，懒加载不会生效

编辑 charts/nydus-snapshotter/templates/nydus-snapshotter/snapshotter-configmap.yaml

apiVersion: v1kind: ConfigMapmetadata:name: {{ template "nydus-snapshotter.fullname" . }}labels:app: {{ template "nydus-snapshotter.fullname" . }}chart: {{ .Chart.Name }}-{{ .Chart.Version }}release: {{ .Release.Name }}heritage: {{ .Release.Service }}component: {{ .Values.name }}data:config.json: |-{"device": {"backend": {"type": "registry","config": {{{- if .Values.dragonfly.enable }}"mirrors": {{ mustToJson .Values.dragonfly.mirrorConfig }},{{- end }}"timeout": 5,"connect_timeout": 5,"retry_limit": 2}},"cache": {"type": "blobcache","config": {"work_dir": "/var/lib/nydus/cache/"}}},"mode": "direct","digest_validate": false,"iostats_files": false,"enable_xattr": true,"fs_prefetch": {"enable": true,"threads_count": 8,"merging_size": 1048576,"prefetch_all": true}}nydus.toml: |-version = 1address = "/run/containerd-nydus/containerd-nydus-grpc.sock"daemon_mode = "multiple"cleanup_on_close = false[system]enable = trueaddress = "/run/containerd-nydus/system.sock"[system.debug]daemon_cpu_profile_duration_secs = 5pprof_address = ""[daemon]nydusd_path = "/usr/local/bin/nydusd"nydusimage_path = "/usr/local/bin/nydus-image"fs_driver = "fusedev"recover_policy = "restart"nydusd_config = "/etc/nydus/config.json"threads_number = 10[log]log_to_stdout = falselevel = "debug"log_rotation_compress = truelog_rotation_local_time = truelog_rotation_max_age = 7log_rotation_max_backups = 5log_rotation_max_size = 1[metrics]address = ":9110"[remote]convert_vpc_registry = false[remote.mirrors_config]dir = ""[remote.auth]enable_kubeconfig_keychain = falsekubeconfig_path = ""enable_cri_keychain = falseimage_service_address = ""[snapshot]enable_nydus_overlayfs = falsesync_remove = false[cache_manager]disable = falsegc_period = "24h"[image]public_key_file = ""validate_signature = false[experimental]enable_stargz = falseenable_referrer_detect = false

安装

helm install --wait --timeout 10m --dependency-update \--create-namespace --namespace nydus-system \-f config-nydus.yaml \nydus-snapshotter charts/nydus-snapshotter

2.2.4.3. 重启nydus-snapshotter

后续维护中可能会有重启 nydus-snapshotter 的需求

由于修改containerd配置使用nyduys snapshotter之后, containerd和snapshotter会互相依赖，重启nydus-snapshotter容器会起不来，所以，每次重启都先把 /etc/containerd/config.toml 中如下部分去掉

[plugins."io.containerd.grpc.v1.cri".containerd]discard_unpacked_layers = falsedisable_snapshot_annotations = falsesnapshotter = "nydus"[proxy_plugins][proxy_plugins.nydus]type = "snapshot"address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

重启 containerd
重新创建 nydus-snapshotter pod

2.2.5. 验证

验证点: 在pod中构建nydus格式的镜像，使用pod启动nydus镜像容器

2.2.5.1. 在pod中构建nydus格式的镜像

要挂载 /root/.docker, 否则push镜像可能会没权限

挂载golang-helloworld的目的是将 hello 和 Dockerfile挂载进去

创建 build-nydus-image.yaml

apiVersion: v1kind: Podmetadata:name: build-podspec:restartPolicy: Nevercontainers:- name: build-containerimage: buildkit:localcommand: ["buildctl", "--addr", "tcp://buildkitd.default:1234", "build", "--progress=plain", "--frontend=dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", "--output", "type=image,name=reg.harbor.com/hello/hello-k8s:v0.0.6,compression=nydus,oci-mediatypes=true,push=true"]volumeMounts:- name: host-path-volumemountPath: /opt/golang-helloworld- name: docker-config-volumemountPath: /root/.dockerworkingDir: /opt/golang-helloworldvolumes:- name: host-path-volumehostPath:path: /home/elrond/nydus/golang-helloworld- name: docker-config-volumehostPath:path: /root/.docker

命令说明

buildctl \# buildkitd的svc:port--addr tcp://default.buildkitd:1234 \build \# 输出的详细程度--progress=plain \# build frontend 类型--frontend=dockerfile.v0 \# 指定本地context路径--local context=. \# 制定本地dockerfile路径--local dockerfile=. \# 指定dockerfile文件，如果为空，默认值为Dockerfile--opt filename=hello.dockerfile# 镜像tag与类型、是否推送到远端--output type=image,name=reg.harbor.com/hello/hello-k8s:v0.0.6,compression=nydus,oci-mediatypes=true,push=true

开始构建

kubectl apply -f build-nydus-image.yaml

构建成功

k get poNAME READY STATUS RESTARTS AGEbuild-pod 0/1 Completed 0 23s

2.2.5.2. 使用pod启动nydus镜像容器

创建 nydus-pod.yaml

apiVersion: v1kind: Podmetadata:name: nydus-podspec:containers:- name: helloimage: reg.harbor.com/hello/hello-k8s:v0.0.6imagePullPolicy: Alwayscommand: ["sh", "-c"]args:- tail -f /dev/null

运行

kubectl apply -f nydus-pod.yaml

这里可能会因为构建的镜像不正常，导致pod起不来，可以使用标准镜像 ghcr.io/dragonflyoss/image-service/nginx:nydus-latest 做测试

到这里在k8s上完成了nydus镜像的构建，和nydus镜像格式容器的启动

2.3. docker 集成

参照docker-env-setup

docker-nydus-graphdriver 尚在 Experimental 状态，且k8s在转向containerd，云原生社区对docker支持变弱，所以后续不考虑使用docker

3. CI集成 – skaffold集成nydus

编辑 skaffold.yaml

apiVersion: skaffold/v4beta4kind: Configbuild:tagPolicy:envTemplate:template: "{{.FOO}}"artifacts:- image: reg.harbor.com/hello/hello-k8scustom:buildCommand: buildctl --addr tcp://10.233.98.169:1234 build --progress=plain --frontend=dockerfile.v0 --local context=. --local dockerfile=. --output type=image,name=reg.harbor.com/hello/hello-k8s:"{{.FOO}}",compression=nydus,oci-mediatypes=true,push=true --opt filename=hello.dockerfilelocal:push: true

入参:

• –addr tcp://10.233.98.169🔢 容器化的话，这个是svc的host和port
• –local dockerfile=.: dockerfile路径
• –output name=reg.harbor.com/hello/hello-k8s:“{{.FOO}}”: 镜像tag
• –opt filename: dockerfile文件名

其他都是默认值

4. nydus镜像启动pod与ociv1镜像启动pod效果对比

镜像ociv1拉取时间nydus拉取时间

wordpress	12.26946259s	1.879414943s

4.1. wordpress镜像

先把镜像拉下来,推送到自己的仓库，然后转化一下推送到自己的仓库，用镜像启动k8s pod

docker pull wordpress:latestdocker tag wordpress:latest reg.harbor.com/hello/wordpress:latestnydusify -D convert --nydus-image /usr/local/bin/nydus-image \--source reg.harbor.com/hello/wordpress:latest \--target reg.harbor.com/hello/wordpress:latest-nydus

4.1.1. oci v1镜像容器pulling image时间

新建 wordpress-ociv1.yaml

apiVersion: v1kind: Podmetadata:name: wordpress-ociv1spec:containers:- name: wordpressimage: reg.harbor.com/hello/wordpress:latestimagePullPolicy: Alwayscommand:- sleep- "36000000000"resources:limits:cpu: "0.5"memory: "256Mi" kubectl apply -f wordpress-ociv1.yamlkubectl describe po wordpress-ociv1 Normal Pulling 3m20s kubelet Pulling image "reg.harbor.com/hello/wordpress:latest"Normal Pulled 3m7s kubelet Successfully pulled image "reg.harbor.com/hello/wordpress:latest" in 12.26946259s

4.1.2. nydus镜像容器pulling image时间

新建 wordpress-nydus.yaml

apiVersion: v1kind: Podmetadata:name: wordpress-nydusspec:containers:- name: wordpressimage: reg.harbor.com/hello/wordpress:latest-nydusimagePullPolicy: Alwayscommand:- sleep- "36000000000"resources:limits:cpu: "0.5"memory: "256Mi" Normal Pulling 40s kubelet Pulling image "reg.harbor.com/hello/wordpress:latest-nydus"Normal Pulled 39s kubelet Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus" in 1.879414943s

5. 问题记录

5.1. 镜像无法构建

git clone https://github.com/nydusaccelerator/buildkit.gitcd buildkitgo build -tags=nydus -o ./bin/buildkitd ./cmd/buildkitdmv ./bin/buildkitd /usr/bin/chmod +x /usr/bin/buildkitd

• 原生的buildkit不支持nydus格式构建，需要重新编译支持
• 官方的buildkit对大镜像构建有bug，需要用nydus官方上游的仓库

5.2. containerd 命令速记

container与task⁷

主要用nerdctl工具

# 启动容器ctr run -d docker.io/library/nginx:alpine my-container# 容器列表ctr -n default c ls# task列表ctr -n default task ls# 删除容器ctr -n default delete xxxxx# 容器交互式命令ctr task exec --tty --exec-id my-container my-container bash# 镜像列表ctr -n default images ls# 获取contanierd镜像的manifest 先找到RepoDigests sha256nerdctl inspect d88ba62a3cbbcat /opt/docker/io.containerd.content.v1.content/blobs/sha256/d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3# 转换镜像并推送到仓库nydusify -D convert --nydus-image /usr/local/bin/nydus-image --source reg.harbor.com:443/library/golang@sha256:4b5cc6ca083856af8f58ab332f279b4401e1e46cc6d999957d5f88c563df24a7 --target reg.harbor.com:443/library/golang:1.18.7-nydusnydusify -D convert --nydus-image /usr/local/bin/nydus-image --source ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5 --target reg.harbor.com/hello/ubuntu:nydus-nightly-v6

5.3. 镜像无法下载

nerdctl pull ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5: resolved |++++++++++++++++++++++++++++++++++++++|index-sha256:cb13d8b2c3b275fd392991b610e31462ab5dc588d4735b0c469ff867f86f617f: exists |++++++++++++++++++++++++++++++++++++++|manifest-sha256:d9ea5e7108f5405da73ae48972441da2ab976da640264c4c06e07a473ebb86c3: exists |++++++++++++++++++++++++++++++++++++++|config-sha256:d2197022013289d923e5b5aa9c9e22ec60bcdfa236948a02d24106b525f6171e: exists |++++++++++++++++++++++++++++++++++++++|layer-sha256:f264de8a417d8927c431ef2a74286e24d716c3447a96ef7c7bd95d3af4ab3331: exists |++++++++++++++++++++++++++++++++++++++|layer-sha256:c279d170bbf5c24d3b0b80bc1b49d147098d0f9f3f62cb010e98295b8d0e1f7c: downloading |+++++++++++++++++++++++++++++++++++++-| 31.0 MiB/31.1 MiBdocker.io/library/alpine:latest: resolved |++++++++++++++++++++++++++++++++++++++|index-sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11: done |++++++++++++++++++++++++++++++++++++++|manifest-sha256:c0669ef34cdc14332c0f1ab0c2c01acb91d96014b172f1a76f3a39e63d1f0bda: done |++++++++++++++++++++++++++++++++++++++|config-sha256:5e2b554c1c45d22c9d1aa836828828e320a26011b76c08631ac896cbc3625e3e: done |++++++++++++++++++++++++++++++++++++++|layer-sha256:8a49fdb3b6a5ff2bd8ec6a86c05b2922a0f7454579ecc07637e94dfd1d0639b6: done |++++++++++++++++++++++++++++++++++++++|elapsed: 44.9s total: 3.2 Mi (73.9 KiB/s)FATA[0045] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2023-05-15T21:27:17+08:00" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\" failed (add): incompatible CNI versions; config is \"1.0.0\", plugin supports [\"0.1.0\" \"0.2.0\" \"0.3.0\" \"0.3.1\" \"0.4.0\"]"Failed to write to log, write /var/lib/nerdctl/1935db59/containers/default/286be294817095497aef32271dac13b13e02756166a010917420039060f9aa9c/oci-hook.createRuntime.log: file already closed: unknown

解决 升级cni到v1.1.1

5.4. 如何判断一个镜像是否是nydus镜像

如何判断一个镜像是否是nydus镜像⁸

5.4.1. 通过本地manifest判断

如果镜像在containerd上

nerdctl inspect d88ba62a3cbb# 找到RepoDigests sha256 d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3 [{"Id": "sha256:13afb147bdb4382b43a833b646765dca8bc6fca92cc2a60b02e4fc718b356d97","RepoTags": ["reg.harbor.com/hello/helloworld:v0.0.1"],"RepoDigests": ["reg.harbor.com/hello/helloworld@sha256:d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3"],"Comment": "buildkit.dockerfile.v0","Created": "2023-05-16T20:28:18.501558103+08:00","Author": "","Config": {"AttachStdin": false,"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Entrypoint": ["/hello"],"Labels": {"org.opencontainers.image.ref.name": "ubuntu","org.opencontainers.image.version": "22.04"}},"Architecture": "amd64","Os": "linux","Size": 79822848,"RootFS": {"Type": "layers","Layers": ["sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca","sha256:95fc9a6f9c1a1ef74f6545d70c96011577f05741079cd8793aa134f4b1f51006","sha256:719749732676f2e82e3baa4e1b0f5ea9cfa6aa83dde0c929a5ef8e78cacc7e24","sha256:ed593dc031518310cd5ea3a5b20bfb2c73f6108badffb30b080de9edc251476d"]},"Metadata": {"LastTagTime": "0001-01-01T00:00:00Z"}}]

查看manifest

# containerd的默认是/var/lib/containerdcat /var/lib/containerd/io.containerd.content.v1.content/blobs/sha256/d88ba62a3cbb999055927cbd8a3dfcb2396abc2ea168c44a9e4e16df03f1b3a3

mediaType是nydus就是nydus镜像

{"mediaType": "application/vnd.oci.image.manifest.v1+json","schemaVersion": 2,"config": {"mediaType": "application/vnd.oci.image.config.v1+json","digest": "sha256:13afb147bdb4382b43a833b646765dca8bc6fca92cc2a60b02e4fc718b356d97","size": 2137},"layers": [{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca","size": 32571260,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:95fc9a6f9c1a1ef74f6545d70c96011577f05741079cd8793aa134f4b1f51006","size": 295017,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:719749732676f2e82e3baa4e1b0f5ea9cfa6aa83dde0c929a5ef8e78cacc7e24","size": 1067099,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip","digest": "sha256:bb55b253c36e5a008051aad37f2554a65ec6661476a08666d76e5ee1b84dbf4c","size": 297871,"annotations": {"containerd.io/snapshot/nydus-blob-ids": "[\"f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca\",\"95fc9a6f9c1a1ef74f6545d70c96011577f05741079cd8793aa134f4b1f51006\",\"719749732676f2e82e3baa4e1b0f5ea9cfa6aa83dde0c929a5ef8e78cacc7e24\"]","containerd.io/snapshot/nydus-bootstrap": "true","containerd.io/snapshot/nydus-fs-version": ""}}]}

5.4.2. 通过nydusify check检查

nydusify check --target reg.harbor.com/hello/helloworld:v0.0.11-nydus-nightly-v5 INFO[2023-05-18T10:46:09+08:00] Parsing image reg.harbor.com/hello/helloworld:v0.0.11-nydus-nightly-v5INFO[2023-05-18T10:46:11+08:00] Dumping OCI and Nydus manifests to ./outputINFO[2023-05-18T10:46:11+08:00] Pulling Nydus bootstrap to output/nydus_bootstrapINFO[2023-05-18T10:46:11+08:00] Checking Nydus manifestINFO[2023-05-18T10:46:11+08:00] Checking Nydus bootstrapRAFS filesystem metadata is valid, referenced data blobs:0: f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca, compressed data size 0x1e5beec, compressed file size 0x1e5c0ec, uncompressed file size 0x49b715a, chunks: 0x9d4, features: cap_toc tar-header1: ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129, compressed data size 0x459da, compressed file size 0x45bda, uncompressed file size 0xb3c90, chunks: 0x1, features: cap_toc tar-header2: 5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab, compressed data size 0x102213, compressed file size 0x102413, uncompressed file size 0x1ad499, chunks: 0x2, features: cap_toc tar-headerINFO[2023-05-18T10:46:11+08:00] Verified Nydus image reg.harbor.com/hello/helloworld:v0.0.11-nydus-nightly-v5

查看nydus manifest

cat output/nydus_manifest.json {"schemaVersion": 2,"mediaType": "application/vnd.oci.image.manifest.v1+json","config": {"mediaType": "application/vnd.oci.image.config.v1+json","digest": "sha256:f259d1eb0bf769d60aac8c78e4811a8eeefd811a27c24f6db6c36f72ac5c2324","size": 2137},"layers": [{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca","size": 32571260,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129","size": 295018,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab","size": 1067099,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip","digest": "sha256:e26163305101a9bc6d05ad80945a8d360d99a48b0d3ef070cf0c2137655b6115","size": 297868,"annotations": {"containerd.io/snapshot/nydus-blob-ids": "[\"f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca\",\"ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129\",\"5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab\"]","containerd.io/snapshot/nydus-bootstrap": "true","containerd.io/snapshot/nydus-fs-version": ""}}]}

5.5. nydus snapshotter无法启动

可能是有另一个 nydus-snapshotter进程在启动 ps -ef|grep containerd-nydus-grpc

/usr/local/bin/containerd-nydus-grpc --root /opt/docker/io.containerd.snapshotter.v1.nydus --config-path /etc/nydus/nydusd-config.fusedev.json --config /etc/nydus/config.toml --log-to-stdout --log-level traceINFO[2023-05-17T15:08:33.047605411+08:00] Start nydus-snapshotter. PID 25641 Version v0.8.0 FsDriver fusedev DaemonMode multipleFATA[2023-05-17T15:08:37.018373244+08:00] failed to start nydus-snapshotter error="failed to initialize snapshotter: create database: timeout"ß

5.6. buildkit构建nydus镜像构建不成功

buildctl build --progress=plain --frontend=dockerfile.v0 --local context=. --local dockerfile=. --output type=image,name=reg.harbor.com/hello/helloworld:v0.0.4-nydus-from-golang,compression=nydus,oci-mediatypes=true,push=true #6 [2/2] COPY hello /#6 ERROR: mount callback failed on /run/user/0/containerd-mount2534958279: apply nydus blob: unpack nydus blob: unpack nydus tar: unpack bootstrap from nydus: parse tar header: rpc error: code = OutOfRange desc = read past object length 54797046 bytes------> [2/2] COPY hello /:------Dockerfile:2--------------------1 | FROM reg.harbor.com/library/golang:1.18.7-nydus2 | >>> COPY hello /3 | ENTRYPOINT [ "/hello" ]4 |--------------------error: failed to solve: OutOfRange: failed to compute cache key: mount callback failed on /run/user/0/containerd-mount2534958279: apply nydus blob: unpack nydus blob: unpack nydus tar: unpack bootstrap from nydus: parse tar header: rpc error: code = OutOfRange desc = read past object length 54797046 bytes

nydus-image log

time="2023-05-17T15:34:24+08:00" level=debug msg="saved dapdgw7aeqou4bbcymhfxc94n as context:context:" span="[internal] load build context" spanID=7108c9f5c020f1dd traceID=3841af58efa9339c11d3c4107ad1e65atime="2023-05-17T15:34:24+08:00" level=error msg="/moby.buildkit.v1.Control/Solve returned error: rpc error: code = Unknown desc = failed to compute cache key: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown"failed to compute cache key: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown20015 0.0.0+unknown buildkitd --config /etc/buildkit/buildkitd.tomlgithub.com/moby/buildkit/solver.(*edge).createInputRequests.func1.1/root/buildkit/solver/edge.go:839github.com/moby/buildkit/solver/internal/pipe.NewWithFunction.func2/root/buildkit/solver/internal/pipe/pipe.go:82runtime.goexit/root/sdk/go1.18/src/runtime/asm_amd64.s:157120015 0.0.0+unknown buildkitd --config /etc/buildkit/buildkitd.tomlmain.unaryInterceptor.func1/root/buildkit/cmd/buildkitd/main.go:576github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1/root/buildkit/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:25github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1/root/buildkit/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:34github.com/moby/buildkit/api/services/control._Control_Solve_Handler/root/buildkit/api/services/control/control.pb.go:2440google.golang.org/grpc.(*Server).processUnaryRPC/root/buildkit/vendor/google.golang.org/grpc/server.go:1340google.golang.org/grpc.(*Server).handleStream/root/buildkit/vendor/google.golang.org/grpc/server.go:1713google.golang.org/grpc.(*Server).serveStreams.func1.2/root/buildkit/vendor/google.golang.org/grpc/server.go:965runtime.goexit/root/sdk/go1.18/src/runtime/asm_amd64.s:1571

使用 nydusaccelerator/buildkit 构建buildkit之后未复现

5.7. dragonflyoss仓库的镜像无法 inspect

nerdctl inspect ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5panic: runtime error: invalid memory address or nil pointer dereference[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xda8eb3]goroutine 1 [running]:github.com/containerd/nerdctl/pkg/inspecttypes/dockercompat.ImageFromNative(0xc0006cc000)/home/runner/work/nerdctl/nerdctl/pkg/inspecttypes/dockercompat/dockercompat.go:297 +0x253github.com/containerd/nerdctl/pkg/cmd/image.Inspect.func1({0x13f0190?, _}, {{{0xc0006b0280, 0x3a}, 0x0, {{0xc0006ae0c0, 0x27}, {0xc0006c0050, 0x47}, 0x248, ...}, ...}, ...})/home/runner/work/nerdctl/nerdctl/pkg/cmd/image/inspect.go:52 +0x205github.com/containerd/nerdctl/pkg/idutil/imagewalker.(*ImageWalker).Walk(0xc000547568, {0x13f0190, 0xc00014cd20}, {0x7ffc1ceb0732, 0x3a})/home/runner/work/nerdctl/nerdctl/pkg/idutil/imagewalker/imagewalker.go:81 +0x666github.com/containerd/nerdctl/pkg/idutil/imagewalker.(*ImageWalker).WalkAll(0x0?, {0x13f0190, 0xc00014cd20}, {0xc0005477c0?, 0x1, 0x103b5e0?}, 0x1)/home/runner/work/nerdctl/nerdctl/pkg/idutil/imagewalker/imagewalker.go:98 +0xeagithub.com/containerd/nerdctl/pkg/cmd/image.Inspect({_, _}, _, {_, _, _}, {{0x13e7d20, 0xc00012e008}, {0x0, 0x0, ...}, ...})/home/runner/work/nerdctl/nerdctl/pkg/cmd/image/inspect.go:64 +0x1a6main.inspectAction(0xc000382600, {0xc00034e040, 0x1, 0x1?})/home/runner/work/nerdctl/nerdctl/cmd/nerdctl/inspect.go:147 +0xb7cgithub.com/spf13/cobra.(*Command).execute(0xc000382600, {0xc000120170, 0x1, 0x1})/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:940 +0x862github.com/spf13/cobra.(*Command).ExecuteC(0xc000004300)/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3bdgithub.com/spf13/cobra.(*Command).Execute(...)/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:992main.xmain()/home/runner/work/nerdctl/nerdctl/cmd/nerdctl/main.go:136 +0x9fmain.main()/home/runner/work/nerdctl/nerdctl/cmd/nerdctl/main.go:119 +0x19

原因未知

5.8. nydus镜像与oci镜像manifest的区别

• ociv1⁹

{"schemaVersion": 2,"mediaType": "application/vnd.oci.image.manifest.v1+json","config": {"mediaType": "application/vnd.oci.image.config.v1+json","size": 7023,"digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"},"layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip","size": 32654,"digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0"},{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip","size": 16724,"digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"},{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip","size": 73109,"digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"}],"subject": {"mediaType": "application/vnd.oci.image.manifest.v1+json","size": 7682,"digest": "sha256:5b0bcabd1ed22e9fb1310cf6c2dec7cdef19f0ad69efa1f392e94a4333501270"},"annotations": {"com.example.key1": "value1","com.example.key2": "value2"}}

• docker v2.2

{"schemaVersion": 2,"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json","manifests": [{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4710,"digest": "sha256:016db0f74f4d70593d50a571e76792f1223971e14fb791f9f6fbef3695846295","platform": {"architecture": "amd64","os": "linux"}},{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4708,"digest": "sha256:1a3cd94d36b750c10782c41bf88458128686cf9b5b81da4bb136dae7c11e439f","platform": {"architecture": "arm","os": "linux","variant": "v5"}},{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4708,"digest": "sha256:fac5d849d932a3a33d421f2918d6b36214fb8f048a04533e95bba5a1da263dc5","platform": {"architecture": "arm","os": "linux","variant": "v7"}},{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4709,"digest": "sha256:6196a365b5ac3c585d65aeb73b68810fc9a24453d5e78ae6a8f229a0d8edf060","platform": {"architecture": "arm64","os": "linux","variant": "v8"}},{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4710,"digest": "sha256:1703758d9c663476da8b6e3ae929a359633d93f2****bb75fc09bda99b46aa84","platform": {"architecture": "386","os": "linux"}},{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4708,"digest": "sha256:d4089c75201a6f692e55a9b5480ab7bb94a58937d4452d444f06863324d1ccd5","platform": {"architecture": "mips64le","os": "linux"}},{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4710,"digest": "sha256:bc495de2c53f8e0df08ee58ab06ef2e4fae9304826f649c8285c27a3ee9674eb","platform": {"architecture": "ppc64le","os": "linux"}},{"mediaType": "application/vnd.docker.distribution.manifest.v2+json","size": 4708,"digest": "sha256:bb98ee8ed8c2bf30b82a612775d9218cde446a7ea342d58b1826b2b29aeccaad","platform": {"architecture": "s390x","os": "linux"}}]}

• nydus

{"schemaVersion": 2,"mediaType": "application/vnd.oci.image.manifest.v1+json","config": {"mediaType": "application/vnd.oci.image.config.v1+json","digest": "sha256:f259d1eb0bf769d60aac8c78e4811a8eeefd811a27c24f6db6c36f72ac5c2324","size": 2137},"layers": [{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca","size": 32571260,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129","size": 295018,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.nydus.blob.v1","digest": "sha256:5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab","size": 1067099,"annotations": {"containerd.io/snapshot/nydus-blob": "true"}},{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip","digest": "sha256:e26163305101a9bc6d05ad80945a8d360d99a48b0d3ef070cf0c2137655b6115","size": 297868,"annotations": {"containerd.io/snapshot/nydus-blob-ids": "[\"f9ebd7c08b04c9dca8fd40cf8855097fb0f5285992224bfaa58afdf0cba82cca\",\"ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129\",\"5fdd275fe4099c6b7b4a3f8be50c2dc89bad3ab771d5fe454b9746471c6daaab\"]","containerd.io/snapshot/nydus-bootstrap": "true","containerd.io/snapshot/nydus-fs-version": ""}}]}

5.9. 构建的镜像list时告警

nerdctl imagesWARN[0000] failed to get unpacked size of image "reg.harbor.com/hello/helloworld:v0.0.7-nydus-nightly-v5" for platform "linux/amd64" error="snapshot sha256:0ee114e6b61fec8478b90a426bdcbbc145d5857d84822922152dc8e09111f391 does not exist: not found"REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZEreg.harbor.com/hello/helloworld v0.0.7-nydus-nightly-v5 484d07c284ad 33 seconds ago linux/amd64 0.0 B 345.5 MiB

本地镜像存储问题 删除本地镜像即可，具体问题尚未可知

5.10. 问题 buildkit打的nydus镜像无法run ,run ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5 没问题

• 现象:

buildkit打的nydus镜像无法run ,run ghcr.io/dragonflyoss/image-service/ubuntu:nydus-nightly-v5 没问题
使用nerdctl命令运行也一样

ctr run -d reg.harbor.com/hello/helloworld:v0.0.10-nydus-nightly-v5 hello

错误输出

INFO[0000] apply failure, attempting cleanup error="failed to extract layer sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown" key="extract-962072102-FeAw sha256:f5294af206581b011d1423a0b7c580b44338d6fb790eaf0ebdcc838fcb107d29"ctr: failed to extract layer sha256:ae29dc152fabfc7e6239b3a1f83501b5a48875711b7f53e6ebf7d96b22ad4129: failed to get stream processor for application/vnd.oci.image.layer.nydus.blob.v1: no processor for media-type: unknown

构建完使用 nerdctl命令查看有告警信息

nerdctl imagesWARN[0000] failed to get unpacked size of image "reg.harbor.com/hello/helloworld:v0.0.10-nydus-nightly-v5" for platform "linux/amd64" error="snapshot sha256:66e2cbc88c92b00741c687d56bedd11654d45c08dec2fcb38406683fb2695135 does not exist: not found"REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZExxxx/hello/helloworld v0.0.10-nydus-nightly-v5 b3faf19db1a6 11 minutes ago linux/amd64 0.0 B 32.6 MiB

containerd配置

[proxy_plugins][proxy_plugins.nydus]type = "snapshot"address = "/run/containerd-nydus/containerd-nydus-grpc.sock"[plugins."io.containerd.grpc.v1.cri".containerd]snapshotter = "nydus"disable_snapshot_annotations = falsediscard_unpacked_layers = false

• 环境说明

  • containerd containerd.io 1.6.6 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
  • buildkitd -v buildkitd github.com/moby/buildkit v0.0.0+unknown 是通过ttps://github.com/nydusaccelerator/buildkit.git 构建的
  • nerdctl -v nerdctl version 1.3.1 在 /etc/nerdctl/nerdctl.toml 指定了 snapshotter
  debug = falsedebug_full = falseaddress = "unix:///var/run/containerd/containerd.sock"namespace = "default"snapshotter = "nydus"experimental = true
  • buildkitd 启动命令
  NYDUS_BUILDER=/usr/bin/nydus-image buildkitd --oci-worker-snapshotter=nydus --config /etc/buildkit/buildkitd.toml`
  • 构建命令
  buildctl build --progress=plain --frontend=dockerfile.v0 --local context=. --local dockerfile=. --output type=image,name=xxxx/helloworld:v0.0.10-nydus-nightly-v5,compression=nydus,oci-mediatypes=true

本地镜像存储问题 删除本地镜像即可，问题同上，nydus-snapshotter+fusedev的问题，具体尚未可知，删除本地镜像使用远端镜像即可

5.11. 运行oci-ref镜像导致nydusd进程z状态

使用nydus zran artifact

使用zran artifact镜像启动容器导致nydusd进程d状态

5.11.1. 现象

• pod 无法启动，describe po信息

Events:Type Reason Age From Message---- ------ ---- ---- -------Normal Scheduled 33s default-scheduler Successfully assigned default/busybox-nydus-oci-ref to node1Normal Pulled 31s kubelet Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref" in 1.035131143sNormal Pulled 25s kubelet Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref" in 119.347118msWarning Failed 19s (x2 over 25s) kubelet Error: failed to create containerd container: wait until daemon is RUNNING: get daemon state: daemon socket /var/lib/containerd-nydus/socket/cho77etp707gng95ic00/api.sock: not foundNormal Pulling 5s (x3 over 32s) kubelet Pulling image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref"Normal Pulled 5s kubelet Successfully pulled image "reg.harbor.com/hello/wordpress:latest-nydus-oci-ref" in 101.618808ms

• 查看nydus-snapshotter log

2023-05-26 08:54:19.401685 +00:00] INFO [app/src/lib.rs:74] Program Version: v2.1.5, Git Commit: "ef2033c2e21d36938410069f07d32a5095a19398", Build Time: "2023-03-09T10:09:03.563891101Z", Profile: "release", Rustc Version: "rustc 1.61.0 (fe5b13d68 2022-05-18)"[2023-05-26 08:54:19.401791 +00:00] INFO [src/bin/nydusd/main.rs:514] Set rlimit-nofile to 1000000, maximum 1048576[2023-05-26 08:54:19.402224 +00:00] DEBUG [/cargo/registry/src/github.com-1ecc6299db9ec823/fuse-backend-rs-0.9.6/src/api/pseudo_fs.rs:161] pseudo fs iterate "/"[2023-05-26 08:54:19.402452 +00:00] INFO [rafs/src/metadata/md_v6.rs:47] rafs superblock features: DIGESTER_SHA256 | EXPLICIT_UID_GID | HAS_XATTR | COMPRESS_GZIP | PRESERVED_INLINED_CHUNK_DIGEST[2023-05-26 08:54:19.402573 +00:00] ERROR [rafs/src/metadata/layout/v6.rs:1375] RafsV6Blob: idx 0 invalid ci_digest[2023-05-26 08:54:19.402588 +00:00] ERROR [error/src/error.rs:21] Error:"invalid Rafs v6 blob entry"at rafs/src/metadata/layout/v6.rs:1495note: enable `RUST_BACKTRACE=1` env to display a backtrace[2023-05-26 08:54:19.402630 +00:00] ERROR [error/src/error.rs:21] Error:Rafs(FillSuperblock(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }))at src/bin/nydusd/daemon.rs:140note: enable `RUST_BACKTRACE=1` env to display a backtrace[2023-05-26 08:54:19.402669 +00:00] ERROR [src/bin/nydusd/main.rs:664] Failed in starting daemon: Invalid argument (os error 22)Error: Os { code: 22, kind: InvalidInput, message: "Invalid argument" }time="2023-05-26T08:54:19.404707985Z" level=error msg="Process 14029 has been a zombie"time="2023-05-26T08:54:19.404759638Z" level=error msg="Nydusd cho77etp707gng95ic00 probably not started"time="2023-05-26T08:54:19.412716804Z" level=error msg="Process 14029 has been a zombie"time="2023-05-26T08:54:19.579192096Z" level=error msg="Process 14029 has been a zombie"time="2023-05-26T08:54:19.719630411Z" level=error msg="Process 14029 has been a zombie"time="2023-05-26T08:54:19.853129550Z" level=error msg="Process 14029 has been a zombie"time="2023-05-26T08:54:20.023548928Z" level=error msg="Process 14029 has been a zombie"time="2023-05-26T08:54:20.181968604Z" level=error msg="Process 14029 has been a zombie"

• 查看进程进入z状态

[root@node1 nydus]# ps -ef|grep 14029root 14029 22492 0 08:54 ? 00:00:00 [nydusd] <defunct>root 16385 15474 0 08:56 pts/2 00:00:00 grep --color=auto 14029

5.11.2. 解决方式

oci ref 要求 nydus-image/nydusd 2.2

5.12. nydus镜像和oci镜像拉取镜像时间相同

nydus镜像容器创建时最开始只会加载最后一层，所以会很快

{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip","digest": "sha256:ff67b2807cdb0005ac0137bb8d5a4cf453fead83247082f56351fa2ecc3acba0","size": 1134668,"annotations": {"containerd.io/snapshot/nydus-bootstrap": "true","containerd.io/snapshot/nydus-fs-version": "6"}}

对比的时候记得把已经在本地的镜像删除掉

• 编辑 configmap 增加nydus.toml配置

kubectl edit cm -n nydus-system nydus-snapshotter apiVersion: v1data:config.json: |-...nydus.toml: |-version = 1address = "/run/containerd-nydus/containerd-nydus-grpc.sock"daemon_mode = "multiple"cleanup_on_close = false[system]enable = trueaddress = "/run/containerd-nydus/system.sock"[system.debug]daemon_cpu_profile_duration_secs = 5pprof_address = ""[daemon]nydusd_path = "/usr/local/bin/nydusd"nydusimage_path = "/usr/local/bin/nydus-image"fs_driver = "fusedev"recover_policy = "restart"nydusd_config = "/etc/nydus/config.json"threads_number = 10[log]log_to_stdout = falselevel = "debug"log_rotation_compress = truelog_rotation_local_time = truelog_rotation_max_age = 7log_rotation_max_backups = 5log_rotation_max_size = 1[metrics]address = ":9110"[remote]convert_vpc_registry = false[remote.mirrors_config]dir = ""[remote.auth]enable_kubeconfig_keychain = falsekubeconfig_path = ""enable_cri_keychain = falseimage_service_address = ""[snapshot]enable_nydus_overlayfs = falsesync_remove = false[cache_manager]disable = falsegc_period = "24h"[image]public_key_file = ""validate_signature = false[experimental]enable_stargz = falseenable_referrer_detect = false

• 重启nydus-snapshotter

去掉 /etc/containerd/config.toml 中的

[plugins."io.containerd.grpc.v1.cri".containerd]discard_unpacked_layers = falsedisable_snapshot_annotations = falsesnapshotter = "nydus"[proxy_plugins][proxy_plugins.nydus]type = "snapshot"address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

重启 containerd

systemctl restart containerd

delete nydus-snapshot容器

再次创建即可

5.12.1. nydus镜像启动 nydus-snapshotter日志

nydus镜像会有.rs 输出，这部分是nydus代码用rust编写

time="2023-05-26T11:04:29.478658593Z" level=info msg="[Mounts] snapshot k8s.io/699/987c0c48cdfcbd8b451e7c892d2b922305c3c2fa07e2741ae5d003792dff96f9 ID 457 Kind Active"time="2023-05-26T11:04:29.838641967Z" level=info msg="[Commit] snapshot with key \"k8s.io/700/extract-821649751-v57_ sha256:17f262ebfabe0a80a19356d4acdde01515c6488b4baf9f474ba805b205be6bcd\" snapshot id 458"time="2023-05-26T11:04:29.862232365Z" level=info msg="[Commit] snapshot with key \"k8s.io/701/extract-848480697-roQj sha256:4969b12a639d311e01eb2997dca25b3ff4c15297cf1c4332246efc3da416ed90\" snapshot id 459"time="2023-05-26T11:04:29.884272468Z" level=info msg="[Commit] snapshot with key \"k8s.io/702/extract-875046240-ES_o sha256:eea7439600aea67d552929f639492138db7736625ce46442b556a6773a7e65ad\" snapshot id 460"time="2023-05-26T11:04:29.902972106Z" level=info msg="[Commit] snapshot with key \"k8s.io/703/extract-893877298-M0p7 sha256:995607f2a156cd5d860cc6cf21d5924430eea1497344c187cef6d8cb5958f08d\" snapshot id 461"time="2023-05-26T11:04:29.930234997Z" level=info msg="[Commit] snapshot with key \"k8s.io/704/extract-921174867-zDfC sha256:977a5025ef78849159b33940f21f7bc078a4b449a197bf5a84809d18eafa2ecc\" snapshot id 462"time="2023-05-26T11:04:29.953002744Z" level=info msg="[Commit] snapshot with key \"k8s.io/705/extract-940269515-m4B7 sha256:5008756b9b3af58134566161e811ab255d360cb9f6c03db6be9d1a82b10ea1ce\" snapshot id 463"time="2023-05-26T11:04:29.985446333Z" level=info msg="[Commit] snapshot with key \"k8s.io/706/extract-963184826-zC2V sha256:dbb29c913fcddebd164aff00387b0cf2ae2605ca7c3ff8ae7fc81e3770c09d6d\" snapshot id 464"time="2023-05-26T11:04:30.009608437Z" level=info msg="[Commit] snapshot with key \"k8s.io/707/extract-994808807-KS4S sha256:1dc2d75a8c5b4572fcaeb4ee74ee4a34f1f557cf380d85560bea88ddf8e656f1\" snapshot id 465"time="2023-05-26T11:04:30.034452304Z" level=info msg="[Commit] snapshot with key \"k8s.io/708/extract-19386797-sAab sha256:2e352e3c2a94ff6a53bda70e8c78f1c0061bc5c09918d42f10ee42ca0ea6e05d\" snapshot id 466"time="2023-05-26T11:04:30.051992401Z" level=info msg="[Commit] snapshot with key \"k8s.io/709/extract-43376118-0fYc sha256:c4655b7ee2454381d27aae6af1bbf99061da67f84943ebf11657db9841d2ce34\" snapshot id 467"time="2023-05-26T11:04:30.069947216Z" level=info msg="[Commit] snapshot with key \"k8s.io/710/extract-61015950-IVNU sha256:c1775d8affc2abbc45ed4051e72fa8083f624f1a52f938e3dd4017ff2a551216\" snapshot id 468"time="2023-05-26T11:04:30.088621057Z" level=info msg="[Commit] snapshot with key \"k8s.io/711/extract-79602317-8xBS sha256:7cd39c27735b21390c4f959ca1e12d38c2b73a5f173f5ffd1ee313fee85e317e\" snapshot id 469"time="2023-05-26T11:04:30.107545892Z" level=info msg="[Commit] snapshot with key \"k8s.io/712/extract-98392114-LQ31 sha256:e835052588cf3a25d66b8a4f683b381ec2314cd293a61d7405861aedce7f1d8f\" snapshot id 470"time="2023-05-26T11:04:30.138067726Z" level=info msg="[Commit] snapshot with key \"k8s.io/713/extract-129097712-x2We sha256:413163a369a3f699e6971333b345cb9655d22d8850e1713e20766dcc5fc6cf2d\" snapshot id 471"time="2023-05-26T11:04:30.158431236Z" level=info msg="[Commit] snapshot with key \"k8s.io/714/extract-148574340-w72W sha256:856e93d9260062e3351e85ff977859c11f1c6fcaf4d7de56c50a4a40936ea6dc\" snapshot id 472"time="2023-05-26T11:04:30.181674205Z" level=info msg="[Commit] snapshot with key \"k8s.io/715/extract-170870922-OaK7 sha256:bfdfb86a11099f8dfdcecb08a46dee87408cb00dedbb69d8c41bd4524e661fb6\" snapshot id 473"time="2023-05-26T11:04:30.202089436Z" level=info msg="[Commit] snapshot with key \"k8s.io/716/extract-192117639-MjNO sha256:205b438eb857a4428cdfc1a492c3e9e445a7f6aad780f69b082e28471216c9a2\" snapshot id 474"time="2023-05-26T11:04:30.224765412Z" level=info msg="[Commit] snapshot with key \"k8s.io/717/extract-214032149-U7eo sha256:a72248b4d79a6915f529bb00b97b576fec938895d81c0ebb125a02dd76f91169\" snapshot id 475"time="2023-05-26T11:04:30.244866341Z" level=info msg="[Commit] snapshot with key \"k8s.io/718/extract-234486897-32MC sha256:f0fc4ec3e74f3762cc5c68435c8c93fb92fcac6ae34053cae00ae90dcafceab6\" snapshot id 476"time="2023-05-26T11:04:30.428447831Z" level=info msg="[Commit] snapshot with key \"k8s.io/719/extract-255443005-VBbE sha256:3be1111cf1b2f35366acf9d164434690af4860fe8415c7be30faae3de1fde0f3\" snapshot id 477"time="2023-05-26T11:04:30.495389473Z" level=info msg="Prepares active snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481, nydusd should start afterwards" key=k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 parent="k8s.io/720/sha256:3be1111cf1b2f35366acf9d164434690af4860fe8415c7be30faae3de1fde0f3"time="2023-05-26T11:04:30.501028169Z" level=info msg="nydusd command: /usr/local/bin/nydusd fuse --config /var/lib/containerd-nydus/config/cho94flp707i10bb5ddg/config.json --bootstrap /var/lib/containerd-nydus/snapshots/477/fs/image/image.boot --mountpoint /var/lib/containerd-nydus/snapshots/477/mnt --apisock /var/lib/containerd-nydus/socket/cho94flp707i10bb5ddg/api.sock --log-level debug"[2023-05-26 11:04:30.503482 +00:00] INFO [app/src/lib.rs:74] Program Version: v2.1.5, Git Commit: "ef2033c2e21d36938410069f07d32a5095a19398", Build Time: "2023-03-09T10:09:03.563891101Z", Profile: "release", Rustc Version: "rustc 1.61.0 (fe5b13d68 2022-05-18)"[2023-05-26 11:04:30.503560 +00:00] INFO [src/bin/nydusd/main.rs:514] Set rlimit-nofile to 1000000, maximum 1048576[2023-05-26 11:04:30.504138 +00:00] INFO [rafs/src/metadata/md_v6.rs:47] rafs superblock features: DIGESTER_BLAKE3 | EXPLICIT_UID_GID | HAS_XATTR | COMPRESS_ZSTD | PRESERVED_INLINED_CHUNK_DIGEST[2023-05-26 11:04:30.504414 +00:00] INFO [storage/src/backend/connection.rs:263] backend config: ConnectionConfig { proxy: ProxyConfig { url: "", ping_url: "", fallback: false, check_interval: 5, use_http: false }, mirrors: [], skip_verify: false, timeout: 5, connect_timeout: 5, retry_limit: 2 }[2023-05-26 11:04:30.631601 +00:00] INFO [storage/src/backend/registry.rs:271] cached bearer auth, next time: 1685100870[2023-05-26 11:04:30.647334 +00:00] INFO [storage/src/backend/registry.rs:271] cached bearer auth, next time: 1685100870[2023-05-26 11:04:30.668014 +00:00] INFO [storage/src/backend/registry.rs:271] cached bearer auth, next time: 1685100870[2023-05-26 11:04:30.918676 +00:00] INFO [src/bin/nydusd/fs_service.rs:206] Rafs imported[2023-05-26 11:04:30.920073 +00:00] INFO [src/bin/nydusd/fs_service.rs:102] Rafs mounted at /[2023-05-26 11:04:30.920318 +00:00] INFO [/cargo/registry/src/github.com-1ecc6299db9ec823/fuse-backend-rs-0.9.6/src/transport/fusedev/linux_session.rs:337] mount source rafs dest /var/lib/containerd-nydus/snapshots/477/mnt with fstype fuse opts default_permissions,allow_other,fd=3,rootmode=40000,user_id=0,group_id=0 fd 3[2023-05-26 11:04:30.920759 +00:00] INFO [src/bin/nydusd/daemon.rs:330] State machine(pid=32141): from Init to Ready, input [Mount], output [None][2023-05-26 11:04:30.921167 +00:00] INFO [src/bin/nydusd/daemon.rs:330] State machine(pid=32141): from Ready to Running, input [Start], output [Some(StartService)][2023-05-26 11:04:30.921189 +00:00] INFO [src/bin/nydusd/fusedev.rs:318] start 4 fuse servers[2023-05-26 11:04:30.930559 +00:00] INFO [/cargo/registry/src/github.com-1ecc6299db9ec823/fuse-backend-rs-0.9.6/src/api/server/sync_io.rs:614] FUSE INIT major 7 minor 23[2023-05-26 11:04:30.930808 +00:00] INFO [src/bin/nydusd/main.rs:660] Fuse daemon started![2023-05-26 11:04:30.931000 +00:00] INFO [src/bin/nydusd/api_server_glue.rs:406] HTTP API server running at /var/lib/containerd-nydus/socket/cho94flp707i10bb5ddg/api.sock[2023-05-26 11:04:30.931090 +00:00] INFO [api/src/http.rs:911] http server started[2023-05-26 11:04:30.961941 +00:00] INFO [api/src/http.rs:816] <--- Get Uri { string: "/api/v1/daemon" }[2023-05-26 11:04:30.962087 +00:00] INFO [api/src/http.rs:821] ---> Get Status Code: OK, Elapse: Ok(146.605µs), Body Size: 866time="2023-05-26T11:04:30.962507763Z" level=info msg="Nydus remote snapshot 477 is ready"time="2023-05-26T11:04:30.962543380Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"time="2023-05-26T11:04:30.964003080Z" level=info msg="Subscribe daemon cho94flp707i10bb5ddg liveness event, path=/var/lib/containerd-nydus/socket/cho94flp707i10bb5ddg/api.sock."time="2023-05-26T11:04:30.969335490Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"time="2023-05-26T11:04:30.969369349Z" level=info msg="Nydus remote snapshot 477 is ready"time="2023-05-26T11:04:30.969416607Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"time="2023-05-26T11:04:31.124174858Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"time="2023-05-26T11:04:31.124228061Z" level=info msg="Nydus remote snapshot 477 is ready"time="2023-05-26T11:04:31.124290212Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"time="2023-05-26T11:04:31.355843306Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"time="2023-05-26T11:04:31.355922313Z" level=info msg="Nydus remote snapshot 477 is ready"time="2023-05-26T11:04:31.355974771Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"time="2023-05-26T11:04:31.558021456Z" level=info msg="[Mounts] snapshot k8s.io/721/a779624ddf92028254a90857bb598a256a309433088bde9e57c23b0a214a5481 ID 478 Kind Active"time="2023-05-26T11:04:31.558049891Z" level=info msg="Nydus remote snapshot 477 is ready"time="2023-05-26T11:04:31.558096530Z" level=info msg="remote mount options [workdir=/var/lib/containerd-nydus/snapshots/478/work upperdir=/var/lib/containerd-nydus/snapshots/478/fs lowerdir=/var/lib/containerd-nydus/snapshots/477/mnt]"

5.12.2. oci镜像启动 nydus-snapshotter日志

time="2023-05-26T11:06:30.246293363Z" level=info msg="[Mounts] snapshot k8s.io/722/3d4aa771e42ef99f0d65ce322670115c434297890eaf08bc260eecf2ec3461f7 ID 479 Kind Active"time="2023-05-26T11:06:33.865401086Z" level=info msg="[Commit] snapshot with key \"k8s.io/723/extract-632530774-VjiP sha256:8cbe4b54fa88d8fc0198ea0cc3a5432aea41573e6a0ee26eca8c79f9fbfa40e3\" snapshot id 480"time="2023-05-26T11:06:34.704875352Z" level=info msg="[Commit] snapshot with key \"k8s.io/725/extract-249815542-Zc-C sha256:61aba3d78f453ab50b4c0b687156ebb47b6d6dc290f57752d88b737f75a9835c\" snapshot id 481"time="2023-05-26T11:06:37.941249262Z" level=info msg="[Commit] snapshot with key \"k8s.io/727/extract-722902017-GvJe sha256:d7027bd638e20f68a20d6ae247f2dda259aed1b46a6737bb70de28fa781a1769\" snapshot id 482"time="2023-05-26T11:06:38.009096474Z" level=info msg="[Commit] snapshot with key \"k8s.io/729/extract-986715165-jE_Q sha256:f116aef2f51af904cebd6baaf86a911036f8540f0837f5081dff235b29135d32\" snapshot id 483"time="2023-05-26T11:06:38.639504208Z" level=info msg="[Commit] snapshot with key \"k8s.io/731/extract-24233762-aGRw sha256:877496570f634566fc75289c3fd7cc9423f8b42f1b9cf3d5f1ed3703f0ec83e0\" snapshot id 484"time="2023-05-26T11:06:38.676870045Z" level=info msg="[Commit] snapshot with key \"k8s.io/733/extract-661252421-FKvu sha256:41ca5e8fdea7603d4b22d1bd5dacf18cd8ae4a337c799224034fb38329be6428\" snapshot id 485"time="2023-05-26T11:06:38.705044906Z" level=info msg="[Commit] snapshot with key \"k8s.io/735/extract-691144330-DHtG sha256:748bab432b39955f9824803e0fb9e2c838c1d82613f6331d4dd06806c6eb08a7\" snapshot id 486"time="2023-05-26T11:06:38.790391324Z" level=info msg="[Commit] snapshot with key \"k8s.io/737/extract-721825026-kLLd sha256:a7317289186ffc46ccf46108f1a71012bda8de401a9772596b47ac2165279dde\" snapshot id 487"time="2023-05-26T11:06:38.824921071Z" level=info msg="[Commit] snapshot with key \"k8s.io/739/extract-810354999-OX_U sha256:290e04ebe112a50211c9349710c52fcdba1e90c13c86b7d28fc9d5810fb4ff66\" snapshot id 488"time="2023-05-26T11:06:39.284365821Z" level=info msg="[Commit] snapshot with key \"k8s.io/741/extract-838355879-06mH sha256:f56f832ba542550bd23ff7bd23bff350112f52c30a25fff73521d22231ae96d2\" snapshot id 489"time="2023-05-26T11:06:39.318325143Z" level=info msg="[Commit] snapshot with key \"k8s.io/743/extract-302049626-ZzGp sha256:7edd07877746040a573221b32d42a30e71ac050a4b0b52e52637a109f125e07a\" snapshot id 490"time="2023-05-26T11:06:39.346626770Z" level=info msg="[Commit] snapshot with key \"k8s.io/745/extract-332377616-20YV sha256:8e0edcf4b4ba88591fb18a3189e4ef180a3e907b3d3d374cec1688975c59210a\" snapshot id 491"time="2023-05-26T11:06:39.373512591Z" level=info msg="[Commit] snapshot with key \"k8s.io/747/extract-359199786-wwaO sha256:0c386a4066a2ba95277419d44500293c0f4fdb017f83fc5f5c8e1047609bc057\" snapshot id 492"time="2023-05-26T11:06:40.011031985Z" level=info msg="[Commit] snapshot with key \"k8s.io/749/extract-386775080-gUBX sha256:674062350681f3cc06dcc025867235baa315952732ac488d5692347118f5f027\" snapshot id 493"time="2023-05-26T11:06:40.558428379Z" level=info msg="[Commit] snapshot with key \"k8s.io/751/extract-37315161-xwQT sha256:e723aac1be491e74d1de67af90ddff842b1428f56cc2b36e036c9bb1bf76fd99\" snapshot id 494"time="2023-05-26T11:06:40.591120152Z" level=info msg="[Commit] snapshot with key \"k8s.io/753/extract-577254979-GuvE sha256:7ac16f932064276888bd1c8be5d3085c99fa945d1545f8b6e4969cc9ba7f932e\" snapshot id 495"time="2023-05-26T11:06:40.617389492Z" level=info msg="[Commit] snapshot with key \"k8s.io/755/extract-604669307-p-5u sha256:4c8bfefa8feaa457402b6cfbb30bdb73dba02d105a432d4c3cdd3b4c02ba53d1\" snapshot id 496"time="2023-05-26T11:06:40.650440923Z" level=info msg="[Commit] snapshot with key \"k8s.io/757/extract-630649889-v1Ai sha256:239e5e3542f395b783fe8f614b0299618c2e5fae5acff8d297f81b96bfb65384\" snapshot id 497"time="2023-05-26T11:06:41.506705121Z" level=info msg="[Commit] snapshot with key \"k8s.io/759/extract-670259326-6llW sha256:bb99dc5df44865572a254bc0ee14ce436b1565097bb0b9010ad90f75dd4e9034\" snapshot id 498"time="2023-05-26T11:06:41.551350458Z" level=info msg="[Commit] snapshot with key \"k8s.io/761/extract-536500627-OV2m sha256:057bf4d9b4e6fdb652c002e7fd7e34d86832392426ea9a6955fd02b803478958\" snapshot id 499"time="2023-05-26T11:06:41.617638749Z" level=info msg="[Commit] snapshot with key \"k8s.io/763/extract-602137426-B0nU sha256:92125a743f1a248092f17a7e6e4dcaaa76483e6ff3f1b70ab362889b8c3833ed\" snapshot id 500"time="2023-05-26T11:06:41.680736991Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"time="2023-05-26T11:06:45.304017086Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"time="2023-05-26T11:06:45.400978167Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"time="2023-05-26T11:06:45.457585857Z" level=info msg="[Mounts] snapshot k8s.io/765/20e960589f1230a38b64c5677fd8eb75a06a0dc704944321b364f78fca4e8f10 ID 501 Kind Active"

6. 参考

• 参考链接

  • docker使用nydus启动容器暂不支持
  • buildkit-laily-fetch
  • How to understand the ‘task’ concept in containerd
  • Nerdctl 原生支持 Nydus 加速镜像
  • Nydus | 容器镜像基础
  • Install nydus for containerd
  • how to check image manifest in containerd?
  • run_nydus_in_kubernetes
  • nydus社区钉钉支持
  • v2list.manifest

• 主要涉及的github项目

  • image-service
  • moby/buildkit
  • nydusaccelerator/buildkit
  • nydus-snapshotter

---

nydus-snapshotter ↩︎

buildkitd.toml ↩︎

nydus-design ↩︎

nydus ↩︎

run_nydus_in_kubernetes ↩︎

buildkit-k8s-example ↩︎

How-to-understand-the-‘task’-concept-in-containerd ↩︎

how-to-check-image-manifest-in-containerd? ↩︎

opencontainers/image-spec ↩︎