Make containerd installation configurable

Signed-off-by: Jan Dubois <[email protected]>

Author: jandubois

pkg/cidata/cidata.go

@@ -29,10 +29,11 @@ func GenerateISO9660(isoPath, name string, y *limayaml.LimaYAML) error {
 		return err
 	}
 	args := TemplateArgs{
-		Name:      name,
-		User:      u.Username,
-		UID:       uid,
-		Provision: y.Provision,
+		Name:       name,
+		User:       u.Username,
+		UID:        uid,
+		Provision:  y.Provision,
+		Containerd: Containerd{System: *y.Containerd.System, User: *y.Containerd.User},
 	}
 	for _, f := range sshutil.DefaultPubKeys() {
 		args.SSHPubKeys = append(args.SSHPubKeys, f.Content)

pkg/cidata/template.go

@@ -18,13 +18,18 @@ var (
 	metaDataTemplate string
 )
 
+type Containerd struct {
+	System bool
+	User   bool
+}
 type TemplateArgs struct {
 	Name       string // instance name
 	User       string // user name
 	UID        int
 	SSHPubKeys []string
 	Mounts     []string // abs path, accessible by the User
 	Provision  []limayaml.Provision
+	Containerd Containerd
 }
 
 func ValidateTemplateArgs(args TemplateArgs) error {

pkg/cidata/user-data.TEMPLATE

@@ -22,6 +22,7 @@ write_files:
       #!/bin/bash
       set -eux -o pipefail
 
+      {{- if .Containerd.User}}
       # Enable rootless containers
       if [ ! -e "/etc/systemd/system/[email protected]/lima.conf" ]; then
         mkdir -p "/etc/systemd/system/[email protected]"
@@ -47,6 +48,7 @@ write_files:
         grep -qw "{{.User}}" $f || echo "{{.User}}:100000:65536" >> $f
       done
       loginctl enable-linger "{{.User}}"
+      {{- end}}
 
       # Create mount points
       {{- range $val := .Mounts}}
@@ -67,23 +69,50 @@ write_files:
    # We do not use per-once.
    path: /var/lib/cloud/scripts/per-boot/00-base.boot.sh
    permissions: '0755'
+ {{- if or .Mounts .Containerd.User}}
  - content: |
       #!/bin/bash
       set -eux -o pipefail
       # Install minimum dependencies
       if command -v apt-get 2>&1 >/dev/null; then
         export DEBIAN_FRONTEND=noninteractive
         apt-get update
-        apt-get install -y sshfs uidmap
+        {{- if .Mounts}}
+        apt-get install -y sshfs
+        {{- end }}
+        {{- if .Containerd.User}}
+        apt-get install -y uidmap
+        {{- end }}
       elif command -v dnf 2>&1 >/dev/null; then
-        dnf install -y fuse-sshfs shadow-utils
+        : {{/* make sure the "elif" block is never empty */}}
+        {{- if .Mounts}}
+        dnf install -y fuse-sshfs
+        {{- end}}
+        {{- if .Containerd.User}}
+        dnf install -y shadow-utils
+        {{- end}}
       fi
    owner: root:root
    path: /var/lib/cloud/scripts/per-boot/10-install-packages.boot.sh
    permissions: '0755'
+{{- end}}
+{{- if or .Containerd.System .Containerd.User}}
  - content: |
       #!/bin/bash
       set -eux -o pipefail
+      if [ ! -x /usr/local/bin/nerdctl ]; then
+        version="0.8.3"
+        goarch="amd64"
+        if [ "$(uname -m )" = "aarch64 "]; then
+          goarch="arm64"
+        fi
+        curl -fsSL https://github.com/containerd/nerdctl/releases/download/v${version}/nerdctl-full-${version}-linux-${goarch}.tar.gz | tar Cxz /usr/local
+      fi
+      {{- if .Containerd.System}}
+      systemctl enable containerd
+      systemctl start containerd
+      {{- end}}
+      {{- if .Containerd.User}}
       modprobe tap || true
       if [ ! -e "/home/{{.User}}.linux/.config/containerd/config.toml" ]; then
         mkdir -p "/home/{{.User}}.linux/.config/containerd"
@@ -95,21 +124,17 @@ write_files:
       EOF
         chown -R "{{.User}}" "/home/{{.User}}.linux/.config"
       fi
-      if [ ! -x /usr/local/bin/nerdctl ]; then
-        version="0.8.3"
-        goarch="amd64"
-        if [ "$(uname -m )" = "aarch64 "]; then
-          goarch="arm64"
-        fi
-        curl -fsSL https://github.com/containerd/nerdctl/releases/download/v${version}/nerdctl-full-${version}-linux-${goarch}.tar.gz | tar Cxz /usr/local
+      if [ ! -e "/home/{{.User}}}}.linux/.config/systemd/user/containerd.service" ]; then
         until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
         sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install
         sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-buildkit
         sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-stargz
       fi
+      {{- end}}
    owner: root:root
    path: /var/lib/cloud/scripts/per-boot/20-install-containerd.boot.sh
    permissions: '0755'
+{{- end}}
 {{- if .Provision}}
  - content: |
       #!/bin/bash

pkg/hostagent/hostagent.go

@@ -54,7 +54,7 @@ func (a *HostAgent) Run(ctx context.Context) error {
 		return nil
 	})
 	var mErr error
-	if err := a.waitForRequirements(ctx, "essential", essentialRequirements); err != nil {
+	if err := a.waitForRequirements(ctx, "essential", a.essentialRequirements()); err != nil {
 		mErr = multierror.Append(mErr, err)
 	}
 	mounts, err := a.setupMounts(ctx)
@@ -71,7 +71,7 @@ func (a *HostAgent) Run(ctx context.Context) error {
 		return unmountMErr
 	})
 	go a.watchGuestAgentEvents(ctx)
-	if err := a.waitForRequirements(ctx, "optional", optionalRequirements); err != nil {
+	if err := a.waitForRequirements(ctx, "optional", a.optionalRequirements()); err != nil {
 		mErr = multierror.Append(mErr, err)
 	}
 	return mErr

pkg/hostagent/requirements.go

@@ -54,8 +54,9 @@ type requirement struct {
 	debugHint   string
 }
 
-var essentialRequirements = []requirement{
-	{
+func (a *HostAgent) essentialRequirements() []requirement {
+	req := make([]requirement, 0)
+	req = append(req, requirement{
 		description: "ssh",
 		script: `#!/bin/bash
 true
@@ -64,23 +65,25 @@ true
 Make sure that the YAML field "ssh.localPort" is not used by other processes on the host.
 If any private key under ~/.ssh is protected with a passphrase, you need to have ssh-agent to be running.
 `,
-	},
-	{
-		description: "sshfs binary to be installed",
-		script: `#!/bin/bash
+	})
+	if len(a.y.Mounts) > 0 {
+		req = append(req, requirement{
+			description: "sshfs binary to be installed",
+			script: `#!/bin/bash
 set -eux -o pipefail
 if ! timeout 30s bash -c "until command -v sshfs; do sleep 3; done"; then
 	echo >&2 "sshfs is not installed yet"
 	exit 1
 fi
 `,
-		debugHint: `The sshfs binary was not installed in the guest.
+			debugHint: `The sshfs binary was not installed in the guest.
 Make sure that you are using an officially supported image.
 Also see "/var/log/cloud-init-output.log" in the guest.
 A possible workaround is to run "apt-get install sshfs" in the guest.
 `,
-	},
-	{
+		})
+	}
+	req = append(req, requirement{
 		description: "the guest agent to be running",
 		script: `#!/bin/bash
 set -eux -o pipefail
@@ -95,22 +98,27 @@ Make sure that you are using an officially supported image.
 Also see "/var/log/cloud-init-output.log" in the guest.
 A possible workaround is to run "lima-guestagent install-systemd" in the guest.
 `,
-	},
+	})
+	return req
 }
 
-var optionalRequirements = []requirement{
-	{
-		description: "containerd binaries to be installed",
-		script: `#!/bin/bash
+func (a *HostAgent) optionalRequirements() []requirement {
+	req := make([]requirement, 0)
+	if *a.y.Containerd.System || *a.y.Containerd.User {
+		req = append(req, requirement{
+			description: "containerd binaries to be installed",
+			script: `#!/bin/bash
 set -eux -o pipefail
 if ! timeout 30s bash -c "until command -v nerdctl; do sleep 3; done"; then
 	echo >&2 "nerdctl is not installed yet"
 	exit 1
 fi
 `,
-		debugHint: `The nerdctl binary was not installed in the guest.
+			debugHint: `The nerdctl binary was not installed in the guest.
 Make sure that you are using an officially supported image.
 Also see "/var/log/cloud-init-output.log" in the guest.
 `,
-	},
+		})
+	}
+	return req
 }

pkg/limayaml/default.TEMPLATE.yaml

@@ -58,6 +58,16 @@ video:
   # Default: "none"
   display: "none"
 
+containerd:
+  # Enable system-wide containerd (systemctl enable containerd)
+  # Default: false
+  system: false
+  # Enable user-scoped containerd (systemctl --user enable containerd)
+  # Default: true
+  user: true
+
+# Provisioning scripts need to be idempotent because they might be called
+# multiple times, e.g. when the host VM is being restarted.
 # provision:
 #   # `system` is executed with the root privilege
 #   - mode: system
@@ -74,3 +84,4 @@ video:
 #       cat <<EOF > ~/.vimrc
 #       set number
 #       EOF
+

pkg/limayaml/defaults.go

@@ -28,6 +28,12 @@ func FillDefault(y *LimaYAML) {
 			provision.Mode = ProvisionModeSystem
 		}
 	}
+	if y.Containerd.System == nil {
+		y.Containerd.System = &[]bool{false}[0]
+	}
+	if y.Containerd.User == nil {
+		y.Containerd.User = &[]bool{true}[0]
+	}
 }
 
 func resolveArch(s string) Arch {

pkg/limayaml/limayaml.go

@@ -1,16 +1,17 @@
 package limayaml
 
 type LimaYAML struct {
-	Arch      Arch        `yaml:"arch,omitempty"`
-	Images    []Image     `yaml:"images"` // REQUIRED
-	CPUs      int         `yaml:"cpus,omitempty"`
-	Memory    string      `yaml:"memory,omitempty"` // go-units.RAMInBytes
-	Disk      string      `yaml:"disk,omitempty"`   // go-units.RAMInBytes
-	Mounts    []Mount     `yaml:"mounts,omitempty"`
-	SSH       SSH         `yaml:"ssh,omitempty"` // REQUIRED (FIXME)
-	Firmware  Firmware    `yaml:"firmware,omitempty"`
-	Video     Video       `yaml:"video,omitempty"`
-	Provision []Provision `yaml:"provision,omitempty"`
+	Arch       Arch        `yaml:"arch,omitempty"`
+	Images     []Image     `yaml:"images"` // REQUIRED
+	CPUs       int         `yaml:"cpus,omitempty"`
+	Memory     string      `yaml:"memory,omitempty"` // go-units.RAMInBytes
+	Disk       string      `yaml:"disk,omitempty"`   // go-units.RAMInBytes
+	Mounts     []Mount     `yaml:"mounts,omitempty"`
+	SSH        SSH         `yaml:"ssh,omitempty"` // REQUIRED (FIXME)
+	Firmware   Firmware    `yaml:"firmware,omitempty"`
+	Video      Video       `yaml:"video,omitempty"`
+	Provision  []Provision `yaml:"provision,omitempty"`
+	Containerd Containerd  `yaml:"containerd,omitempty"`
 }
 
 type Arch = string
@@ -56,3 +57,8 @@ type Provision struct {
 	Mode   ProvisionMode `yaml:"mode"` // default: "system"
 	Script string        `yaml:"script"`
 }
+
+type Containerd struct {
+	System *bool `yaml:"system,omitempty"`
+	User   *bool `yaml:"user,omitempty"`
+}

pkg/limayaml/validate.go

@@ -103,5 +103,14 @@ func ValidateRaw(y LimaYAML) error {
 
 	// y.Firmware.LegacyBIOS is ignored for aarch64, but not a fatal error.
 
+	for i, p := range y.Provision {
+		switch p.Mode {
+		case ProvisionModeSystem, ProvisionModeUser:
+		default:
+			return errors.Errorf("field `provision[%d].mode` must be either %q or %q",
+					i, ProvisionModeSystem, ProvisionModeUser)
+		}
+	}
+
 	return nil
 }