studio/wfe
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 2 Activity
Files
272ddf17c2faddf07b7b041dea75be26057586c7
wfe/wfe-containerd/src/lib.rs

53 lines
1.9 KiB
Rust
Raw Normal View History

fix(wfe-containerd): fix remote daemon support Four bugs fixed in the containerd gRPC executor: - Snapshot parent: resolve image chain ID from content store instead of using empty parent, which created rootless containers with no binaries - I/O capture: replace FIFOs with regular files for stdout/stderr since FIFOs don't work across virtiofs filesystem boundaries (Lima VMs) - Capabilities: grant Docker-default capability set (SETUID, SETGID, CHOWN, etc.) when running as root so apt-get and similar tools work - Shell path: use /bin/sh instead of sh in process args since container PATH may be empty Also adds WFE_IO_DIR env var for shared filesystem support with remote daemons, and documents the remote daemon setup in lib.rs.
2026-03-29 16:56:59 +01:00
//! Containerd container executor for WFE.
//!
//! Runs workflow steps as isolated OCI containers via the containerd gRPC API.
//!
//! # Remote daemon support
//!
//! The executor creates named pipes (FIFOs) on the **local** filesystem for
//! stdout/stderr capture, then passes those paths to the containerd task spec.
//! The containerd shim opens the FIFOs from **its** side. This means the FIFO
//! paths must be accessible to both the executor process and the containerd
//! daemon.
//!
//! When containerd runs on a different machine (e.g. a Lima VM), you need:
//!
//! 1. **Shared filesystem** — mount a host directory into the VM so both sides
//! see the same FIFO files. With Lima + virtiofs:
//! ```yaml
//! # lima config
//! mounts:
//! - location: /tmp/wfe-io
//! mountPoint: /tmp/wfe-io
//! writable: true
//! ```
//!
//! 2. **`WFE_IO_DIR` env var** — point the executor at the shared directory:
//! ```sh
//! export WFE_IO_DIR=/tmp/wfe-io
//! ```
//! Without this, FIFOs are created under `std::env::temp_dir()` which is
//! only visible to the host.
//!
//! 3. **gRPC transport** — Lima's Unix socket forwarding is unreliable for
//! HTTP/2 (gRPC). Use a TCP socat proxy inside the VM instead:
//! ```sh
//! # Inside the VM:
//! socat TCP4-LISTEN:2500,fork,reuseaddr UNIX-CONNECT:/run/containerd/containerd.sock &
//! ```
//! Then connect via `WFE_CONTAINERD_ADDR=http://127.0.0.1:2500` (Lima
//! auto-forwards guest TCP ports).
//!
//! 4. **FIFO permissions** — the FIFOs are created with mode `0666` and a
//! temporarily cleared umask so the remote shim (running as root) can open
//! them through the shared mount.
//!
//! See `test/lima/wfe-test.yaml` for a complete VM configuration that sets all
//! of this up.
feat(wfe-buildkit, wfe-containerd): add container executor crates Standalone workspace crates for BuildKit image building and containerd container execution. Config types, YAML schema integration, compiler dispatch, validation rules, and mock-based unit tests. Current implementation shells out to buildctl/nerdctl — will be replaced with proper gRPC clients (buildkit-client, containerd protos) in a follow-up. Config types, YAML integration, and test infrastructure are stable and reusable. wfe-buildkit: 60 tests, 97.9% library coverage wfe-containerd: 61 tests, 97.8% library coverage 447 total workspace tests.
2026-03-26 10:28:53 +00:00
pub mod config;
pub mod step;
pub use config::{ContainerdConfig, RegistryAuth, TlsConfig, VolumeMountConfig};
pub use step::ContainerdStep;
Reference in New Issue Copy Permalink