mirror repository rewrites

[dweomer]

Support CRI configuration to allow for request-time rewrite rules
applicable only to the repository portion of resource paths when pulling
images. Because the rewrites are applied at request time, images
themselves will not be "rewritten" -- images as stored by CRI (and the
underlying containerd facility) will continue to present as normal.

As an example, if you use the following config for your containerd:

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io/v2"]
       	  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io".rewrite]
            "^library/(.*)" = "my-org/$1"

And then subsequently invoke crictl pull alpine:3.13 it will pull
content from docker.io/my-org/alpine:3.13 but still show up as
docker.io/library/alpine:3.13 in the crictl images listing.

Signed-off-by: Jacob Blain Christen jacob@rancher.com

[k8s-ci-robot]

Hi @dweomer. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dweomer]

Containerd folks: this is something of a magic trick / hack that we will likely be carrying a patch for in the k3s-io/containerd fork specifically for RKE2 and I wanted to at least share with upstream. I am open to alternative methods of achieving the desired functionality.

Additional caveat: only works for images pulled via CRI.

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 40s (non-voting)

[Martin-Weiss]

Cool - love this PR!!

Do you think this can be used or enhanced in a way that we can also rewrite based on the source namespace/path?

I.e. rewrite

1. registry.example.com:5000/namespace1/directory1/image:123 -> own.registry.local:5000/abc/def/image:123

AND at the same time (source is only different in namespace but on same source registry)

2. registry.example.com:5000/namespace99/directory5/image:456 -> own.registry.local:5000/xyz/aaa/image:456

[dweomer]

@Martin-Weiss these use cases are supported as the rewrite rules are regular expressions for matching/replacing anything after the registry root path for actual resources (typically /v2).

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 40s (non-voting)

[samuelkarp]

This feature feels to me like it stretches the scope of the containerd project, as it's a bit of higher-level feature. Since the CRI plugin is now a core part of containerd, I think it makes sense for the CRI plugin to stay as close to just implementing CRI as possible rather than adding additional non-standard features.

I am open to alternative methods of achieving the desired functionality.

I have two ideas here that might be alternatives:

1. Because this is focused on CRI/K8s, have you considered doing this as a mutating webhook? It would then be independent of the ultimate container runtime on the node and could be controlled at the cluster level instead of on an individual node.
2. Rather than building something specific for rewriting the image name, there might be an opportunity to introduce a new extension point into containerd that could allow one plugin to modify an incoming API request, similar to the concept of "middleware" in a web app. If this extension point existed, you could then write a image rewrite plugin that used that mechanism.

[Martin-Weiss]

Trying to give some additional thoughts - please forgive me if these are invalid because I am not deep enough into the details..

This feature feels to me like it stretches the scope of the containerd project, as it's a bit of higher-level feature. Since the CRI plugin is now a core part of containerd, I think it makes sense for the CRI plugin to stay as close to just implementing CRI as possible rather than adding additional non-standard features.

I am open to alternative methods of achieving the desired functionality.

I have two ideas here that might be alternatives:

1. Because this is focused on CRI/K8s, have you considered doing this as a mutating webhook?  It would then be independent of the ultimate container runtime on the node and could be controlled at the cluster level instead of on an individual node.

One challenge is that we need the "rewrite" before k8s is up and running at all - so it must be "below". So I am not sure if this makes sense on a higher level that is not yet available when we have to bootstrap / load initial images and containers into containerd.

2. Rather than building something specific for rewriting the image name, there might be an opportunity to introduce a new extension point into containerd that could allow one plugin to modify an incoming API request, similar to the concept of "middleware" in a web app.  If this extension point existed, you could then write a image rewrite plugin that used that mechanism.

Basically the "registry mirror" feature is "just" missing functionality we need in on premise deployments where we just have one central registry with namespaces and where we have to map "external registry/namespace/image to an internal registry/other namespace".
So "enhancing" the registry mirror" by supporting namespaces was the idea.. in case of adding a new extension point - could it be that this increases testing complexity? Is supporting "namespaces" for images on the registry not part of the scope?

[relyt0925]

@mikebrow do we still think this can get accepted?

[relyt0925]

For reference cri-o provides the equivalent logic in their container runtime

[mikebrow]

this would need some edits to the .md over here:
https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-endpoint

note that the older mirrors mechanism has been deprecated:
https://github.com/containerd/containerd/blame/main/docs/cri/config.md#L293-L294

see:
https://github.com/containerd/containerd/blob/main/docs/hosts.md

we'll need to consider if/how to add rewrites to the new hosts model...

[mikebrow]

@dmcgowan heads up... let's discuss

[morningspace]

Wonder if this PR is still valid, because I see it's remained open w/o any update quite long time. I'm having the same problem where I need to map the image into a different namespace.

[mikebrow]

Wonder if this PR is still valid, because I see it's remained open w/o any update quite long time. I'm having the same problem where I need to map the image into a different namespace.

PR would need to be ported to the hosts model ..

[morningspace]

Thanks @mikebrow ! Do you know when this will be done?

[mikebrow]

Thanks @mikebrow ! Do you know when this will be done?

no I don't

[dweomer]

Hadn't checked in on this one in a while, folks, my apologies. I should have the time next week to incorporate requested changes and any necessary contortions to accommodate the newer config model.

[dweomer]

2. Rather than building something specific for rewriting the image name, there might be an opportunity to introduce a new extension point into containerd that could allow one plugin to modify an incoming API request, similar to the concept of "middleware" in a web app. If this extension point existed, you could then write a image rewrite plugin that used that mechanism.

So, 14 months later, I like this idea! @samuelkarp has there been any work on such an effort you could point me to? (I am looking to dial into this project once again but I haven't done a full review of what I have "missed". Any pointers appreciated!)

[samuelkarp]

has there been any work on such an effort you could point me to?

I'm not aware of any right now, but I've also been somewhat disconnected while between employers.

[dweomer]

So, apologies again, after avoiding the 'rona for over 2 years it has overrun my home. Will be looking to get this refactor off my plate as soon as I am able.

[dweomer]

I've decided to not work on this. If you need this functionality it is carried on the k3s fork at https://github.com/k3s-io/containerd/tree/k3s-release/1.5

[dweomer]

I've decided to not work on this. If you need this functionality it is carried on the k3s fork at https://github.com/k3s-io/containerd/tree/k3s-release/1.5

Some pointers on getting the k3s fork of containerd:

• Built for RKE2 via https://github.com/rancher/image-build-containerd (with goboring on linux/amd64)
  • Pushed to Docker Hub: https://hub.docker.com/r/rancher/hardened-containerd/tags (all binaries in /usr/local/bin)
• Built for K3s via https://github.com/k3s-io/k3s/blob/master/scripts/build (used to be embedded but is now shipped as distinct executable)
  • Pushed to Docker Hub: https://hub.docker.com/r/rancher/k3s/tags (/bin/{containerd/containerd-shim-runc-v2})

[golimix]

good idea