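#!/bin/bash

# SPDX-FileCopyrightText: Copyright The Lima Authors
# SPDX-License-Identifier: Apache-2.0

# Install (or upgrade) containerd, BuildKit, nerdctl and the stargz snapshotter
# from the archive on the cidata mount, then enable them as systemd units.
#
# Modes (both may be enabled at once):
#   LIMA_CIDATA_CONTAINERD_SYSTEM=1  system-wide units, config under /etc
#   LIMA_CIDATA_CONTAINERD_USER=1    rootless units for LIMA_CIDATA_USER
#
# Other inputs, all provided by the cidata boot environment:
#   LIMA_CIDATA_MNT / LIMA_CIDATA_CONTAINERD_ARCHIVE       location of the tarball
#   LIMA_CIDATA_GUEST_INSTALL_PREFIX                       where bin/ etc. are unpacked
#   LIMA_CIDATA_USER / LIMA_CIDATA_UID / LIMA_CIDATA_HOME  the rootless target user
#   CONTAINERD_NAMESPACE / CONTAINERD_SNAPSHOTTER          optional, defaulted below
#
# Expected to run as root (writes under /etc, calls systemctl, setenforce and
# sudo -iu) on a guest where systemd is available.
set -eux

: "${CONTAINERD_NAMESPACE:=default}"
# Overridable in .bashrc
: "${CONTAINERD_SNAPSHOTTER:=overlayfs}"

if [ "${LIMA_CIDATA_CONTAINERD_SYSTEM}" != 1 ] && [ "${LIMA_CIDATA_CONTAINERD_USER}" != 1 ]; then
	exit 0
fi

# This script does not work unless systemd is available
command -v systemctl >/dev/null 2>&1 || exit 0

# State consulted by the EXIT trap. Each is set only once the corresponding
# action has actually happened, and cleared once it has been undone inline.
tmp_extract_nerdctl=
selinux_permissive=

#######################################
# Cleanup that must run on every exit path, including `set -e` aborts:
# remove the scratch extraction directory, and if this script switched
# SELinux to permissive mode but did not get as far as restoring it,
# switch it back so a failed install never leaves the guest unenforced.
# Globals: tmp_extract_nerdctl (read), selinux_permissive (read)
#######################################
cleanup() {
	if [ -n "${selinux_permissive}" ]; then
		echo >&2 "Restoring SELinux enforcing mode after an incomplete install"
		setenforce 1 || true
	fi
	if [ -n "${tmp_extract_nerdctl}" ]; then
		rm -rf -- "${tmp_extract_nerdctl}"
	fi
}
trap cleanup EXIT

#######################################
# Run a command as the Lima user with the user's XDG_RUNTIME_DIR and this
# script's PATH. Extra NAME=value words may precede the command; sudo applies
# them to the command's environment.
# Globals:   LIMA_CIDATA_USER, LIMA_CIDATA_UID, PATH (read)
# Arguments: [NAME=value ...] command [args ...]
# Returns:   exit status of the command
#######################################
run_as_user() {
	sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" "PATH=${PATH}" "$@"
}

# Extract bin/nerdctl and compare whether it is newer than the current /usr/local/bin/nerdctl (if already exists).
# Takes 4-5 seconds. (FIXME: optimize)
tmp_extract_nerdctl="$(mktemp -d)"
tar Cxaf "${tmp_extract_nerdctl}" "${LIMA_CIDATA_MNT}"/"${LIMA_CIDATA_CONTAINERD_ARCHIVE}" bin/nerdctl

installed_nerdctl="${LIMA_CIDATA_GUEST_INSTALL_PREFIX}/bin/nerdctl"
if [ ! -f "${installed_nerdctl}" ] || [[ "${tmp_extract_nerdctl}"/bin/nerdctl -nt "${installed_nerdctl}" ]]; then
	if [ -f "${installed_nerdctl}" ]; then
		# Best effort: stop and uninstall the existing units before the binaries
		# are overwritten. `set +e` is confined to a subshell so the relaxed error
		# handling (presumably for units that were never installed) does not leak
		# into the rest of the script.
		(
			set +e
			echo "Upgrading existing nerdctl"
			echo "- Old: $("${installed_nerdctl}" --version)"
			echo "- New: $("${tmp_extract_nerdctl}"/bin/nerdctl --version)"
			systemctl disable --now containerd default-buildkit stargz-snapshotter
			run_as_user "CONTAINERD_NAMESPACE=${CONTAINERD_NAMESPACE}" containerd-rootless-setuptool.sh uninstall-buildkit-containerd
			run_as_user containerd-rootless-setuptool.sh uninstall
		)
	fi
	tar Cxaf "${LIMA_CIDATA_GUEST_INSTALL_PREFIX}" "${LIMA_CIDATA_MNT}"/"${LIMA_CIDATA_CONTAINERD_ARCHIVE}"

	mkdir -p /etc/bash_completion.d
	nerdctl completion bash >/etc/bash_completion.d/nerdctl
	# TODO: enable zsh completion too
fi

# `:?` refuses to expand to an empty path; clear the variable so the trap does not repeat the removal.
rm -rf -- "${tmp_extract_nerdctl:?}"
tmp_extract_nerdctl=

if [ "${LIMA_CIDATA_CONTAINERD_SYSTEM}" = 1 ]; then
	# Config files are seeded only when absent, so local edits survive re-runs and upgrades.
	if [ ! -e /etc/containerd/config.toml ]; then
		mkdir -p /etc/containerd
		cat >"/etc/containerd/config.toml" <<EOF
version = 2
# TODO: remove imports after upgrading containerd to v2.2, as
# conf.d is set by default since v2.2.
imports = ['/etc/containerd/conf.d/*.toml']
[plugins."io.containerd.grpc.v1.cri"]
enable_cdi = true
[proxy_plugins]
[proxy_plugins."stargz"]
type = "snapshot"
address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"
EOF
	fi
	if [ ! -e /etc/buildkit/buildkitd.toml ]; then
		mkdir -p /etc/buildkit
		# Unquoted delimiter on purpose: namespace and snapshotter are baked into the file.
		cat >"/etc/buildkit/buildkitd.toml" <<EOF
[worker.oci]
enabled = false

[worker.containerd]
enabled = true
namespace = "${CONTAINERD_NAMESPACE}"
snapshotter = "${CONTAINERD_SNAPSHOTTER}"
EOF
	fi
	systemctl enable --now containerd buildkit stargz-snapshotter
fi

if [ "${LIMA_CIDATA_CONTAINERD_USER}" = 1 ]; then
	if [ ! -e "${LIMA_CIDATA_HOME}/.config/containerd/config.toml" ]; then
		mkdir -p "${LIMA_CIDATA_HOME}/.config/containerd"
		cat >"${LIMA_CIDATA_HOME}/.config/containerd/config.toml" <<EOF
version = 2
[plugins."io.containerd.grpc.v1.cri"]
enable_cdi = true
[proxy_plugins]
[proxy_plugins."fuse-overlayfs"]
type = "snapshot"
address = "/run/user/${LIMA_CIDATA_UID}/containerd-fuse-overlayfs.sock"
[proxy_plugins."stargz"]
type = "snapshot"
address = "/run/user/${LIMA_CIDATA_UID}/containerd-stargz-grpc/containerd-stargz-grpc.sock"
EOF
		# The directories above were created as root; hand the tree to the user.
		chown -R "${LIMA_CIDATA_USER}" "${LIMA_CIDATA_HOME}/.config"
	fi
	selinux=
	if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
		selinux=1
	fi
	# Written once, only on hosts whose AppArmor restricts unprivileged user namespaces
	# (the three existence checks); an existing profile is left to the administrator.
	if [ ! -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ] && [ -e "/etc/apparmor.d/abi/4.0" ] && [ -e "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" ]; then
		cat >"/etc/apparmor.d/usr.local.bin.rootlesskit" <<EOF
# Ubuntu 23.10 introduced kernel.apparmor_restrict_unprivileged_userns
# to restrict unsharing user namespaces:
# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
#
# kernel.apparmor_restrict_unprivileged_userns is still opt-in in Ubuntu 23.10,
# but it is expected to be enabled in future releases of Ubuntu.
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/rootlesskit flags=(unconfined) {
userns,

# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.local.bin.rootlesskit>
}
EOF
		systemctl restart apparmor.service
	fi
	if [ ! -e "${LIMA_CIDATA_HOME}/.config/systemd/user/containerd.service" ]; then
		# The user's systemd instance must be up before `systemctl --user` can reach it.
		until [ -e "/run/user/${LIMA_CIDATA_UID}/systemd/private" ]; do sleep 3; done
		if [ -n "$selinux" ]; then
			echo "Temporarily disabling SELinux, during installing containerd units"
			setenforce 0
			# From here on, the EXIT trap re-enables enforcing mode if any step below fails.
			selinux_permissive=1
		fi
		if [ "$(sudo -iu "${LIMA_CIDATA_USER}" sh -ec 'systemctl --user show --property=RefuseManualStart --value dbus')" != "yes" ]; then
			sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" systemctl --user enable --now dbus
		fi
		run_as_user containerd-rootless-setuptool.sh install
		run_as_user "CONTAINERD_NAMESPACE=${CONTAINERD_NAMESPACE}" "CONTAINERD_SNAPSHOTTER=${CONTAINERD_SNAPSHOTTER}" \
			containerd-rootless-setuptool.sh install-buildkit-containerd

		# $CONTAINERD_SNAPSHOTTER is configured in 20-rootless-base.sh, when the guest kernel is < 5.13, or the instance was created with Lima < 0.9.0.
		if [ "$(sudo -iu "${LIMA_CIDATA_USER}" sh -ec 'echo $CONTAINERD_SNAPSHOTTER')" = "fuse-overlayfs" ]; then
			run_as_user containerd-rootless-setuptool.sh install-fuse-overlayfs
		fi

		if compare_version.sh "$(uname -r)" -ge "5.13"; then
			run_as_user containerd-rootless-setuptool.sh install-stargz
		else
			echo >&2 "WARNING: the guest kernel seems older than 5.13. Skipping installing rootless stargz."
		fi
		if [ -n "$selinux" ]; then
			echo "Restoring SELinux"
			setenforce 1
			# Restored inline; the trap must not call setenforce again.
			selinux_permissive=
		fi
	fi
fi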