Backport: feat(core): add dvcr config for containerd v2 (#1409)

feat(core): add dvcr config for containerd v2 (#1395)

- Support containerd v2 config layout: change NGC with dvcr registry.
- Support erofs tar unpacking: erofs strictly requires end-of-file tar marker.
- Fix creation time and add common fields in generated DVCR images manifests.

---------

Signed-off-by: Yaroslav Borbat <[email protected]>
Signed-off-by: Ivan Mikheykin <[email protected]>
Co-authored-by: Yaroslav Borbat <[email protected]>
Co-authored-by: Ivan Mikheykin <[email protected]>

Author: 3 people

images/dvcr-artifact/pkg/registry/registry.go

@@ -31,9 +31,11 @@ import (
 	"os/exec"
 	"path"
 	"strings"
+	"time"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -54,6 +56,11 @@ const (
 	imageLabelSourceImageSize        = "source-image-size"
 	imageLabelSourceImageVirtualSize = "source-image-virtual-size"
 	imageLabelSourceImageFormat      = "source-image-format"
+	imageLabelEROFSCompatible        = "erofs-compatible-layers"
+	imageArchitecture                = "amd64"
+	imageOS                          = "linux"
+	imageAuthor                      = "DVCR client"
+	imageWorkingDir                  = "/"
 )
 
 type ImportRes struct {
@@ -171,16 +178,36 @@ func (p DataProcessor) inspectAndStreamSourceImage(
 ) error {
 	var tarWriter *tar.Writer
 	{
+		now := time.Now()
+
 		tarWriter = tar.NewWriter(pipeWriter)
+		dirHeader := &tar.Header{
+			Name:       "disk",
+			Mode:       0o755,
+			Uid:        107,
+			Gid:        107,
+			AccessTime: now,
+			ChangeTime: now,
+			Typeflag:   tar.TypeDir,
+		}
+		if err := tarWriter.WriteHeader(dirHeader); err != nil {
+			return fmt.Errorf("error writing tar header [disk]: %w", err)
+		}
+
+		imagePath := path.Join("disk", sourceImageFilename)
 		header := &tar.Header{
-			Name:     path.Join("disk", sourceImageFilename),
-			Size:     int64(sourceImageSize),
-			Mode:     0o644,
-			Typeflag: tar.TypeReg,
+			Name:       imagePath,
+			Size:       int64(sourceImageSize),
+			Mode:       0o644,
+			Uid:        107,
+			Gid:        107,
+			AccessTime: now,
+			ChangeTime: now,
+			Typeflag:   tar.TypeReg,
 		}
 
 		if err := tarWriter.WriteHeader(header); err != nil {
-			return fmt.Errorf("error writing tar header: %w", err)
+			return fmt.Errorf("error writing tar header [%s]: %w", imagePath, err)
 		}
 	}
 
@@ -247,6 +274,12 @@ func (p DataProcessor) inspectAndStreamSourceImage(
 			}
 		}
 
+		// Append end-of-file marker for tar archive.
+		err = writeTarEOFMarker(pipeWriter)
+		if err != nil {
+			return fmt.Errorf("adding tar EOF marker: %w", err)
+		}
+
 		klog.Infoln("Source streaming completed")
 
 		return nil
@@ -305,7 +338,8 @@ func (p DataProcessor) uploadLayersAndImage(
 
 	klog.Infof("Got image info: virtual size: %d, format: %s", informer.GetVirtualSize(), informer.GetFormat())
 
-	cnf.Config.Labels = map[string]string{}
+	populateCommonConfigFields(cnf)
+
 	cnf.Config.Labels[imageLabelSourceImageVirtualSize] = fmt.Sprintf("%d", informer.GetVirtualSize())
 	cnf.Config.Labels[imageLabelSourceImageSize] = fmt.Sprintf("%d", sourceImageSize)
 	cnf.Config.Labels[imageLabelSourceImageFormat] = informer.GetFormat()
@@ -328,6 +362,29 @@ func (p DataProcessor) uploadLayersAndImage(
 	return nil
 }
 
+// populateCommonConfigFields adds some required fields according to the document:
+// https://github.com/opencontainers/image-spec/blob/main/config.md
+func populateCommonConfigFields(cnf *v1.ConfigFile) {
+	now := time.Now().UTC()
+	cnf.Created = v1.Time{Time: now}
+	cnf.Architecture = imageArchitecture
+	cnf.OS = imageOS
+	cnf.Author = imageAuthor
+
+	// Initialize labels, add label to distinguish from previous images with non-complete tar archives.
+	cnf.Config.Labels = make(map[string]string)
+	cnf.Config.Labels[imageLabelEROFSCompatible] = "true"
+
+	cnf.Config.WorkingDir = imageWorkingDir
+
+	cnf.History = append(cnf.History, v1.History{
+		Author:     imageAuthor,
+		Created:    v1.Time{Time: now},
+		Comment:    "streamed from the datasource",
+		EmptyLayer: false,
+	})
+}
+
 func getImageInfo(ctx context.Context, sourceReader io.ReadCloser) (ImageInfo, error) {
 	formatSourceReaders, err := importer.NewFormatReaders(sourceReader, 0)
 	if err != nil {

images/dvcr-artifact/pkg/registry/tar.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"fmt"
+	"io"
+)
+
+const (
+	tarRecordSize     = 512
+	tarEOFMarkerCount = 2
+)
+
+var zero = []byte{0x00}
+
+// writeTarEOFMarker writes EOF marker into Writer.
+// The EOF marker for tar is simply two 512-byte blocks of zeros.
+func writeTarEOFMarker(w io.Writer) error {
+	for i := 0; i < tarRecordSize*tarEOFMarkerCount; i++ {
+		n, err := w.Write(zero)
+		if n != 1 {
+			return fmt.Errorf("error writing zero byte to writer")
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

templates/dvcr/ nodegroupconfiguration.yaml

@@ -16,25 +16,46 @@ spec:
   bundles: ["*"]
   content: |
     # Copyright 2023 Flant JSC
-        # Licensed under the Apache License, Version 2.0 (the "License");
+    # Licensed under the Apache License, Version 2.0 (the "License");
     # you may not use this file except in compliance with the License.
     # You may obtain a copy of the License at
-        #     http://www.apache.org/licenses/LICENSE-2.0
-        # Unless required by applicable law or agreed to in writing, software
+    #      http://www.apache.org/licenses/LICENSE-2.0
+    # Unless required by applicable law or agreed to in writing, software
     # distributed under the License is distributed on an "AS IS" BASIS,
     # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     # See the License for the specific language governing permissions and
     # limitations under the License.
 
-    mkdir -p /etc/containerd/conf.d
     bb-event-on 'registry-ca-changed' '_restart_containerd'
     bb-event-on 'containerd-config-changed' '_restart_containerd'
     _restart_containerd() {
         bb-flag-set containerd-need-restart
     }
+
+    {{ "{{- if eq .cri \"ContainerdV2\" }}" }}
+
+    mkdir -p "/etc/containerd/registry.d/{{ $registry }}"
+    mkdir -p "/etc/containerd/certs.d/{{ $registry }}"
+    bb-sync-file "/etc/containerd/certs.d/{{ $registry }}/ca.crt" - registry-ca-changed << "EOF"
+    {{- $ca | nindent 4 }}
+    EOF
+
+    bb-sync-file "/etc/containerd/registry.d/{{ $registry }}/hosts.toml" - containerd-config-changed << "EOF"
+    server = "https://{{ $registry }}"
+    [host."https://{{ $endpoint }}"]
+      capabilities = ["pull", "resolve"]
+      ca = "/etc/containerd/certs.d/{{ $registry }}/ca.crt"
+    [host."https://{{ $endpoint }}".auth]
+      auth = {{  $password | quote }}
+    EOF
+
+    {{ "{{- else }}" }}
+
+    mkdir -p /etc/containerd/conf.d
     bb-sync-file /etc/containerd/conf.d/dvcr-ca.crt - registry-ca-changed << "EOF"
     {{- $ca | nindent 4 }}
     EOF
+
     bb-sync-file /etc/containerd/conf.d/dvcr.toml - containerd-config-changed << "EOF"
     [plugins]
       [plugins."io.containerd.grpc.v1.cri"]
@@ -50,4 +71,7 @@ spec:
             [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ $registry }}"]
               endpoint = ["https://{{ $endpoint }}"]
     EOF
+
+    {{ "{{- end }}" }}
+
 {{- end }}