studio/wfe
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 1 Activity
Files
496a192198341d59cf25fea38edfe980ea6f8eca
wfe/wfe-containerd/README.md
Sienna Meridian Satterwhite 30b26ca5f0 feat(wfe-buildkit, wfe-containerd): add container executor crates 
Standalone workspace crates for BuildKit image building and containerd
container execution. Config types, YAML schema integration, compiler
dispatch, validation rules, and mock-based unit tests.

Current implementation shells out to buildctl/nerdctl — will be
replaced with proper gRPC clients (buildkit-client, containerd protos)
in a follow-up. Config types, YAML integration, and test infrastructure
are stable and reusable.

wfe-buildkit: 60 tests, 97.9% library coverage
wfe-containerd: 61 tests, 97.8% library coverage
447 total workspace tests.
2026-03-26 10:28:53 +00:00

2.5 KiB
Raw Blame History

wfe-containerd

Containerd container runner executor for WFE.

What it does

wfe-containerd runs containers via nerdctl as workflow steps. It pulls images, manages registry authentication, and executes containers with configurable networking, resource limits, volume mounts, and TLS settings. Output is captured and parsed for ##wfe[output key=value] directives, following the same convention as the shell executor.

Quick start

Add a containerd step to your YAML workflow:

workflow:
  id: container-pipeline
  version: 1
  steps:
    - name: run-tests
      type: containerd
      config:
        image: node:20-alpine
        run: npm test
        network: none
        memory: 512m
        cpu: "1.0"
        timeout: 5m
        env:
          NODE_ENV: test
        volumes:
          - source: /workspace
            target: /app
            readonly: true

Enable the feature in wfe-yaml:

[dependencies]
wfe-yaml = { version = "1.0.0", features = ["containerd"] }

Configuration

Field Type Default Description
image String required Container image to run
run String - Shell command (uses sh -c)
command Vec<String> - Command array (mutually exclusive with run)
env HashMap {} Environment variables
volumes Vec<VolumeMount> [] Volume mounts
working_dir String - Working directory inside container
user String 65534:65534 User/group to run as (nobody by default)
network String none Network mode: none, host, or bridge
memory String - Memory limit (e.g. 512m, 1g)
cpu String - CPU limit (e.g. 1.0, 0.5)
pull String if-not-present Pull policy: always, if-not-present, never
containerd_addr String /run/containerd/containerd.sock Containerd socket address
tls TlsConfig - TLS configuration for containerd connection
registry_auth HashMap {} Registry authentication per registry hostname
timeout String - Execution timeout (e.g. 30s, 5m)

Output parsing

The step captures stdout and stderr. Lines matching ##wfe[output key=value] are extracted as workflow outputs. Raw stdout, stderr, and exit code are also available under {step_name}.stdout, {step_name}.stderr, and {step_name}.exit_code.

Security defaults

  • Runs as nobody (65534:65534) by default
  • Network disabled (none) by default
  • Containers are always --rm (removed after execution)
Reference in New Issue View Git Blame Copy Permalink