studio/wfe
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 2 Activity
Files
c58c5d3efffcf1058bbbd9b4af5e732ce85866c0
wfe/wfe-containerd
History
Sienna Meridian Satterwhite 272ddf17c2 fix(wfe-containerd): fix remote daemon support 
Four bugs fixed in the containerd gRPC executor:

- Snapshot parent: resolve image chain ID from content store instead of
  using empty parent, which created rootless containers with no binaries
- I/O capture: replace FIFOs with regular files for stdout/stderr since
  FIFOs don't work across virtiofs filesystem boundaries (Lima VMs)
- Capabilities: grant Docker-default capability set (SETUID, SETGID,
  CHOWN, etc.) when running as root so apt-get and similar tools work
- Shell path: use /bin/sh instead of sh in process args since container
  PATH may be empty

Also adds WFE_IO_DIR env var for shared filesystem support with remote
daemons, and documents the remote daemon setup in lib.rs.
2026-03-29 16:56:59 +01:00
..
src
fix(wfe-containerd): fix remote daemon support
2026-03-29 16:56:59 +01:00
tests
fix(wfe-containerd): fix remote daemon support
2026-03-29 16:56:59 +01:00
Cargo.toml
fix(wfe-containerd): fix remote daemon support
2026-03-29 16:56:59 +01:00
README.md
feat(wfe-buildkit, wfe-containerd): add container executor crates
2026-03-26 10:28:53 +00:00

README.md

wfe-containerd

Containerd container runner executor for WFE.

What it does

wfe-containerd runs containers via nerdctl as workflow steps. It pulls images, manages registry authentication, and executes containers with configurable networking, resource limits, volume mounts, and TLS settings. Output is captured and parsed for ##wfe[output key=value] directives, following the same convention as the shell executor.

Quick start

Add a containerd step to your YAML workflow:

workflow:
  id: container-pipeline
  version: 1
  steps:
    - name: run-tests
      type: containerd
      config:
        image: node:20-alpine
        run: npm test
        network: none
        memory: 512m
        cpu: "1.0"
        timeout: 5m
        env:
          NODE_ENV: test
        volumes:
          - source: /workspace
            target: /app
            readonly: true

Enable the feature in wfe-yaml:

[dependencies]
wfe-yaml = { version = "1.0.0", features = ["containerd"] }

Configuration

Field Type Default Description
image String required Container image to run
run String - Shell command (uses sh -c)
command Vec<String> - Command array (mutually exclusive with run)
env HashMap {} Environment variables
volumes Vec<VolumeMount> [] Volume mounts
working_dir String - Working directory inside container
user String 65534:65534 User/group to run as (nobody by default)
network String none Network mode: none, host, or bridge
memory String - Memory limit (e.g. 512m, 1g)
cpu String - CPU limit (e.g. 1.0, 0.5)
pull String if-not-present Pull policy: always, if-not-present, never
containerd_addr String /run/containerd/containerd.sock Containerd socket address
tls TlsConfig - TLS configuration for containerd connection
registry_auth HashMap {} Registry authentication per registry hostname
timeout String - Execution timeout (e.g. 30s, 5m)

Output parsing

The step captures stdout and stderr. Lines matching ##wfe[output key=value] are extracted as workflow outputs. Raw stdout, stderr, and exit code are also available under {step_name}.stdout, {step_name}.stderr, and {step_name}.exit_code.

Security defaults

  • Runs as nobody (65534:65534) by default
  • Network disabled (none) by default
  • Containers are always --rm (removed after execution)
Reference in New Issue View Git Blame Copy Permalink