Add volume.FromImage

OCI images can have multiple volumes. Orchestrators such as ECS import
the volumes from the images in addition to.

volume.FromImage() will be used to implement such a feature.

https://github.com/opencontainers/image-spec/blob/v1.0.2/config.md#properties
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bind-mounts.html#bind-mount-examples

Signed-off-by: Kazuyoshi Kato <[email protected]>

Author: kzys

runtime/volume_integ_test.go

@@ -174,3 +174,111 @@ func testVolumes(t *testing.T, runtime string) {
 	assert.Equal(t, "hello from host\nhello from c1\nhello from c2\n", stdout.String())
 	assert.Equal(t, "", stderr.String())
 }
+
+func TestVolumeFrom_Isolated(t *testing.T) {
+	integtest.Prepare(t)
+
+	runtimes := []string{firecrackerRuntime, "io.containerd.runc.v2"}
+
+	for _, rt := range runtimes {
+		t.Run(rt, func(t *testing.T) {
+			testVolumeFrom(t, rt)
+		})
+	}
+}
+
+func testVolumeFrom(t *testing.T, runtime string) {
+	const vmID = 0
+
+	ctx := namespaces.WithNamespace(context.Background(), "default")
+
+	client, err := containerd.New(integtest.ContainerdSockPath, containerd.WithDefaultRuntime(runtime))
+	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", integtest.ContainerdSockPath)
+	defer client.Close()
+
+	image, err := alpineImage(ctx, client, defaultSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
+
+	fcClient, err := integtest.NewFCControlClient(integtest.ContainerdSockPath)
+	require.NoError(t, err, "failed to create fccontrol client")
+
+	// TODO: Create and host own images with non-empty volumes.
+	ref := "docker.io/library/postgres:14.3"
+	vs := volume.NewSet(runtime)
+	provider := volume.FromImage(client, ref, "vfc-snapshot", volume.WithSnapshotter(defaultSnapshotterName))
+	defer func() {
+		err := provider.Delete(ctx)
+		require.NoError(t, err)
+	}()
+	err = vs.AddFrom(ctx, provider)
+	require.NoError(t, err)
+
+	containers := []string{"c1", "c2"}
+
+	if runtime == firecrackerRuntime {
+		mount, err := vs.PrepareDriveMount(ctx, 10*mib)
+		require.NoError(t, err)
+
+		_, err = fcClient.CreateVM(ctx, &proto.CreateVMRequest{
+			VMID:           strconv.Itoa(vmID),
+			ContainerCount: int32(len(containers)),
+			DriveMounts:    []*proto.FirecrackerDriveMount{mount},
+		})
+		require.NoError(t, err, "failed to create VM")
+	} else {
+		err := vs.PrepareDirectory(ctx)
+		require.NoError(t, err)
+	}
+
+	// Make volmes from a container.
+	volumesFromContainerImage, err := vs.WithMountsFromProvider(ref)
+	require.NoError(t, err)
+
+	dir := "/var/lib/postgresql/data"
+
+	for _, name := range containers {
+		snapshotName := fmt.Sprintf("%s-snapshot", name)
+
+		sh := fmt.Sprintf("echo hello from %s >> %s/hello.txt", name, dir)
+		container, err := client.NewContainer(ctx,
+			name,
+			containerd.WithSnapshotter(defaultSnapshotterName),
+			containerd.WithNewSnapshot(snapshotName, image),
+			containerd.WithNewSpec(
+				firecrackeroci.WithVMID(strconv.Itoa(vmID)),
+				oci.WithProcessArgs("sh", "-c", sh),
+				oci.WithDefaultPathEnv,
+				volumesFromContainerImage,
+			),
+		)
+		require.NoError(t, err, "failed to create container %s", name)
+		defer container.Delete(ctx, containerd.WithSnapshotCleanup)
+
+		result, err := integtest.RunTask(ctx, container)
+		require.NoError(t, err)
+		assert.Equalf(t, uint32(0), result.ExitCode, "stdout=%q stderr=%q", result.Stdout, result.Stderr)
+	}
+
+	name := "cat"
+	snapshotName := fmt.Sprintf("%s-snapshot", name)
+	container, err := client.NewContainer(ctx,
+		name,
+		containerd.WithSnapshotter(defaultSnapshotterName),
+		containerd.WithNewSnapshot(snapshotName, image),
+		containerd.WithNewSpec(
+			firecrackeroci.WithVMID(strconv.Itoa(vmID)),
+			oci.WithProcessArgs("cat", fmt.Sprintf("%s/hello.txt", dir)),
+			oci.WithDefaultPathEnv,
+			volumesFromContainerImage,
+		),
+	)
+	require.NoError(t, err, "failed to create container %s", name)
+	defer container.Delete(ctx, containerd.WithSnapshotCleanup)
+
+	result, err := integtest.RunTask(ctx, container)
+	require.NoError(t, err)
+
+	assert.Equal(t, uint32(0), result.ExitCode)
+	assert.Equal(t, "hello from c1\nhello from c2\n", result.Stdout)
+	assert.Equal(t, "", result.Stderr)
+}

tools/docker/Dockerfile.integ-test

@@ -46,7 +46,8 @@ RUN --mount=type=bind,target=/src \
   ln -sv /usr/local/bin/firecracker-ctr /usr/local/bin/ctr
 RUN containerd 2>/dev/null & \
   ctr --address /run/firecracker-containerd/containerd.sock content fetch docker.io/library/alpine:3.10.1 >/dev/null && \
-  ctr --address /run/firecracker-containerd/containerd.sock content fetch docker.io/mlabbe/iperf3:3.6-r0 >/dev/null
+  ctr --address /run/firecracker-containerd/containerd.sock content fetch docker.io/mlabbe/iperf3:3.6-r0 >/dev/null && \
+  ctr --address /run/firecracker-containerd/containerd.sock content fetch docker.io/library/postgres:14.3 >/dev/null
 
 # Install critest
 ENV VERSION="v1.23.0"

volume/image.go

@@ -0,0 +1,188 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package volume
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/snapshots"
+	"github.com/containerd/continuity/fs"
+	"github.com/hashicorp/go-multierror"
+	"github.com/opencontainers/image-spec/identity"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type imageVolumeProvider struct {
+	client      *containerd.Client
+	image       string
+	target      string
+	snapshotter string
+	snapshot    string
+}
+
+// ImageOpt allows setting optional properties of the provider.
+type ImageOpt func(*imageVolumeProvider)
+
+// WithSnapshotter sets the snapshotter to pull images.
+func WithSnapshotter(ss string) ImageOpt {
+	return func(p *imageVolumeProvider) {
+		p.snapshotter = ss
+	}
+}
+
+func getV1ImageConfig(ctx context.Context, image containerd.Image) (*v1.Image, error) {
+	var result v1.Image
+
+	ic, err := image.Config(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	switch ic.MediaType {
+	case v1.MediaTypeImageConfig, images.MediaTypeDockerSchema2Config:
+		p, err := content.ReadBlob(ctx, image.ContentStore(), ic)
+		if err != nil {
+			return nil, err
+		}
+		if err := json.Unmarshal(p, &result); err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("unknown type: %s", ic.MediaType)
+	}
+	return &result, nil
+}
+
+// FromImage returns a new provider to that expose the volumes on the given image.
+func FromImage(client *containerd.Client, image, snapshot string, opts ...ImageOpt) Provider {
+	p := imageVolumeProvider{
+		snapshotter: containerd.DefaultSnapshotter,
+		client:      client,
+		image:       image,
+		snapshot:    snapshot,
+	}
+
+	for _, opt := range opts {
+		opt(&p)
+	}
+
+	return &p
+}
+
+func (p *imageVolumeProvider) Name() string {
+	return p.image
+}
+
+func (p *imageVolumeProvider) Delete(ctx context.Context) error {
+	var retErr error
+
+	if p.target != "" {
+		retErr = mount.UnmountAll(p.target, 0)
+	}
+
+	ss := p.client.SnapshotService(p.snapshotter)
+	err := ss.Remove(ctx, p.snapshot)
+	if err != nil {
+		retErr = multierror.Append(retErr, err)
+	}
+	defer ss.Close()
+
+	return retErr
+}
+
+func (p *imageVolumeProvider) CreateVolumesUnder(ctx context.Context, tempDir string) ([]*Volume, error) {
+	image, err := p.client.GetImage(ctx, p.image)
+	if err != nil {
+		return nil, err
+	}
+
+	unpacked, err := image.IsUnpacked(ctx, p.snapshotter)
+	if err != nil {
+		return nil, err
+	}
+
+	if !unpacked {
+		err := image.Unpack(ctx, p.snapshotter)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	config, err := getV1ImageConfig(ctx, image)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(config.Config.Volumes) == 0 {
+		return nil, nil
+	}
+
+	root, err := p.mountImage(ctx, tempDir)
+	if err != nil {
+		return nil, err
+	}
+	p.target = root
+
+	result := make([]*Volume, 0, len(config.Config.Volumes))
+	for path := range config.Config.Volumes {
+		hostPath, err := fs.RootPath(root, path)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, &Volume{hostPath: hostPath, containerPath: path})
+	}
+	return result, nil
+}
+
+func (p *imageVolumeProvider) mountImage(ctx context.Context, tempDir string) (string, error) {
+	image, err := p.client.GetImage(ctx, p.image)
+	if err != nil {
+		return "", err
+	}
+
+	ids, err := image.RootFS(ctx)
+	if err != nil {
+		return "", err
+	}
+
+	parent := identity.ChainID(ids).String()
+
+	ss := p.client.SnapshotService(p.snapshotter)
+	mounts, err := ss.View(ctx, p.snapshot, parent, snapshots.WithLabels(map[string]string{
+		"containerd.io/gc.root": time.Now().UTC().Format(time.RFC3339),
+	}))
+	if err != nil {
+		return "", err
+	}
+	defer ss.Close()
+
+	target, err := os.MkdirTemp(tempDir, "mount")
+	if err != nil {
+		return "", err
+	}
+	err = mount.All(mounts, target)
+	if err != nil {
+		return "", err
+	}
+
+	return target, nil
+}