Merge pull request #569 from ginglis13/soci-config

ginglis13 · web-flow · commit 7392f0453d10 · 2025-07-23T15:00:16.000-07:00
Add configuration template for soci-snapshotter
diff --git a/packages/soci-snapshotter/etc-soci-snapshotter.mount.in b/packages/soci-snapshotter/etc-soci-snapshotter.mount.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=SOCI Snapshotter GRPC Configuration Directory (/etc/soci-snapshotter)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=selinux-policy-files.service
+Wants=selinux-policy-files.service
+
+[Mount]
+What=tmpfs
+Where=/etc/soci-snapshotter
+Type=tmpfs
+Options=nosuid,nodev,noexec,noatime,mode=0750,context=system_u:object_r:etc_secret_t:s0
+
+[Install]
+WantedBy=preconfigured.target
diff --git a/packages/soci-snapshotter/k8s-snapshotter-conf b/packages/soci-snapshotter/k8s-snapshotter-conf
@@ -0,0 +1,12 @@
+[required-extensions]
+container-runtime = "v1"
+std = { version = "v1" }
++++
+---
+kind: KubeletConfiguration
+apiVersion: kubelet.config.k8s.io/v1beta1
+{{#if settings.container-runtime.snapshotter}}
+{{#if (eq settings.container-runtime.snapshotter "soci" )}}
+imageServiceEndpoint: unix:///run/soci-snapshotter/soci-snapshotter.sock
+{{/if}}
+{{/if}}
diff --git a/packages/soci-snapshotter/soci-config-toml b/packages/soci-snapshotter/soci-config-toml
@@ -0,0 +1,75 @@
+[required-extensions]
+container-registry = "v1"
+container-runtime-plugins = "v1"
+std = { version = "v1", helpers = ["default", "join_array"]}
++++
+[cri_keychain]
+# Make SOCI snapshotter act as a proxy ImageService
+# and cache credentials from requests to pull images.
+enable_keychain = true
+# This tells the SOCI snapshotter where containerd's ImageService is located.
+# The SOCI snapshotter will forward requests here after caching credentials.
+image_service_path="/run/containerd/containerd.sock"
+
+# Use the containerd content store such that SOCI artifacts are maintained through
+# containerd's garbage collector
+[content_store]
+type="containerd"
+
+{{#if settings.container-registry.mirrors}}
+{{#each settings.container-registry.mirrors}}
+[plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{registry}}"]
+endpoint = [{{join_array ", " endpoint }}]
+{{/each}}
+{{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )}}
+[registry.configs."registry-1.docker.io".auth]
+{{else}}
+[registry.configs."{{registry}}".auth]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}
+
+[pull_modes.soci_v1]
+enable = false
+[pull_modes.soci_v2]
+enable = false
+
+[pull_modes.parallel_pull_unpack]
+enable = true
+{{#if settings.container-runtime-plugins.soci-snapshotter.parallel-pull-unpack}}
+{{#with settings.container-runtime-plugins.soci-snapshotter.parallel-pull-unpack}}
+max_concurrent_downloads = {{default -1 max-concurrent-downloads}}
+max_concurrent_downloads_per_image = {{default 3 max-concurrent-downloads-per-image}}
+{{#if concurrent-download-chunk-size}}
+{{#if (eq concurrent-download-chunk-size "unlimited" )}}
+concurrent_download_chunk_size = ""
+{{else}}
+concurrent_download_chunk_size = "{{default "" concurrent-download-chunk-size}}"
+{{/if}}
+{{/if}}
+max_concurrent_unpacks = {{default -1 max-concurrent-unpacks}}
+max_concurrent_unpacks_per_image = {{default 1 max-concurrent-unpacks-per-image}}
+discard_unpacked_layers = {{default false discard-unpacked-layers}}
+{{/with}}
+{{/if}}
+
+# Use a symlink to configure soci to use either igzip or unpigz depending on which was packaged.
+[pull_modes.parallel_pull_unpack.decompress_streams."gzip"]
+path = "/usr/bin/soci-gunzip"
+args = ["-d", "-c"]
diff --git a/packages/soci-snapshotter/soci-snapshotter.service b/packages/soci-snapshotter/soci-snapshotter.service
@@ -8,6 +8,7 @@ Before=containerd.service
 [Service]
 Type=notify
 EnvironmentFile=/etc/network/proxy.env
-ExecStart=/usr/bin/soci-snapshotter-grpc --address fd://
+ExecStart=/usr/bin/soci-snapshotter-grpc --address fd:// --config /etc/soci-snapshotter/config.toml --root /var/lib/soci-snapshotter
 Restart=always
 RestartSec=5
+SyslogIdentifier=soci-snapshotter
diff --git a/packages/soci-snapshotter/soci-snapshotter.socket b/packages/soci-snapshotter/soci-snapshotter.socket
@@ -4,7 +4,7 @@ PartOf=soci-snapshotter.service
 Documentation=https://github.com/awslabs/soci-snapshotter
 
 [Socket]
-ListenStream=/run/soci-snapshotter-grpc/soci-snapshotter-grpc.sock
+ListenStream=/run/soci-snapshotter/soci-snapshotter.sock
 SocketMode=0660
 
 [Install]
diff --git a/packages/soci-snapshotter/soci-snapshotter.spec b/packages/soci-snapshotter/soci-snapshotter.spec
@@ -13,6 +13,9 @@ URL: https://github.com/awslabs/soci-snapshotter
 Source0: https://github.com/awslabs/soci-snapshotter/archive/v%{gover}/soci-snapshotter-%{gover}.tar.gz
 Source1: bundled-soci-snapshotter-%{gover}.tar.gz
 Source2: bundled-cmd.tar.gz
+Source3: soci-config-toml
+Source4: k8s-snapshotter-conf
+Source100: etc-soci-snapshotter.mount.in
 Source101: soci-snapshotter.service
 Source102: soci-snapshotter.socket
 Source1000: clarify.toml
@@ -24,12 +27,14 @@ Patch1003: 1003-hard-fail-on-config-parsing-errors.patch
 BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libz-devel
 Requires: %{name}(binaries)
+Requires: (%{name}-k8s if %{_cross_os}variant-runtime(k8s))
+Requires: %{name}(optimized-gunzip)
 
 %description
 %{summary}.
 
 %package bin
-Summary: Remote management agent binaries
+Summary: A remote snapshotter for containerd
 Provides: %{name}(binaries)
 Requires: (%{_cross_os}image-feature(no-fips) and %{name})
 Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
@@ -38,14 +43,45 @@ Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
 %{summary}.
 
 %package fips-bin
-Summary: Remote management agent binaries, FIPS edition
+Summary: A remote snapshotter for containerd, FIPS edition
 Provides: %{name}(binaries)
 Requires: (%{_cross_os}image-feature(fips) and %{name})
 Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
 
 %description fips-bin
 %{summary}.
 
+%package pigz
+Summary: Prefer pigz for gzip decompression
+Requires: %{_cross_os}pigz
+Requires: %{name}
+Provides: %{name}(optimized-gunzip) = 1:
+Conflicts: %{name}-igzip
+
+%description pigz
+%{summary}.
+
+%package igzip
+Summary: Prefer igzip for gzip decompression
+Requires: %{_cross_os}igzip
+Requires: %{name}
+Conflicts: %{name}-pigz
+%if "%{_cross_arch}" == "x86_64"
+Provides: %{name}(optimized-gunzip) = 2:
+%else
+Provides: %{name}(optimized-gunzip) = 0:
+%endif
+
+%description igzip
+%{summary}.
+
+%package k8s
+Summary: Drop-ins to override the kubelet's configuration
+Provides: %{name}(k8s)
+
+%description k8s
+%{summary}.
+
 %prep
 %autosetup -n %{gorepo}-%{gover} -p1
 %setup -T -D -n %{gorepo}-%{gover} -b 1 -q
@@ -58,37 +94,56 @@ export LD_VERSION="-X github.com/awslabs/soci-snapshotter/version.Version=v%{gov
 export LD_REVISION="-X github.com/awslabs/soci-snapshotter/version.Revision=%{gitrev}"
 
 go build -C cmd -ldflags="${GOLDFLAGS} ${LD_VERSION} ${LD_REVISION}" -o "../out/soci-snapshotter-grpc" ./soci-snapshotter-grpc
-go build -C cmd -ldflags="${GOLDFLAGS} ${LD_VERSION} ${LD_REVISION}" -o "../out/soci" ./soci
 
 gofips build -C cmd -ldflags="${GOLDFLAGS} ${LD_VERSION} ${LD_REVISION}" -o "../out/fips/soci-snapshotter-grpc" ./soci-snapshotter-grpc
-gofips build -C cmd -ldflags="${GOLDFLAGS} ${LD_VERSION} ${LD_REVISION}" -o "../out/fips/soci" ./soci
 
 %install
 install -d %{buildroot}%{_cross_bindir}
 install -d %{buildroot}%{_cross_fips_bindir}
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0755 out/soci-snapshotter-grpc %{buildroot}%{_cross_bindir}
-install -p -m 0755 out/soci %{buildroot}%{_cross_bindir}
 install -p -m 0755 out/fips/soci-snapshotter-grpc %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 out/fips/soci %{buildroot}%{_cross_fips_bindir}
+
+SOCIMOUNTPATH=$(systemd-escape --path /etc/soci-snapshotter)
+install -p -m 0644 %{S:100} %{buildroot}%{_cross_unitdir}/${SOCIMOUNTPATH}.mount
+
 install -D -p -m 0644 %{S:101} %{buildroot}%{_cross_unitdir}
 install -D -p -m 0644 %{S:102} %{buildroot}%{_cross_unitdir}
 
+install -d %{buildroot}%{_cross_templatedir}
+install -p -m 0644 %{S:3} %{buildroot}%{_cross_templatedir}/soci-config-toml
+install -p -m 0644 %{S:4} %{buildroot}%{_cross_templatedir}/k8s-snapshotter-conf
+
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
+%post igzip -p <lua>
+posix.symlink("%{_cross_bindir}/igzip", "%{_cross_bindir}/soci-gunzip")
+
+%post pigz -p <lua>
+posix.symlink("%{_cross_bindir}/unpigz", "%{_cross_bindir}/soci-gunzip")
+
 %files
 %license LICENSE NOTICE.md
 %{_cross_unitdir}/soci-snapshotter.service
 %{_cross_unitdir}/soci-snapshotter.socket
+%{_cross_unitdir}/etc-soci\x2dsnapshotter.mount
 %{_cross_attribution_vendor_dir}
 %{_cross_attribution_file}
+%{_cross_templatedir}/soci-config-toml
 
 %files bin
 %{_cross_bindir}/soci-snapshotter-grpc
-%{_cross_bindir}/soci
 
 %files fips-bin
 %{_cross_fips_bindir}/soci-snapshotter-grpc
-%{_cross_fips_bindir}/soci
+
+%files pigz
+# No files provided by pigz but required for packaging.
+
+%files igzip
+# No files provided by igzip but required for packaging.
+
+%files k8s
+%{_cross_templatedir}/k8s-snapshotter-conf
 
 %changelog
