image pulling inside sandbox

[bergwolf]

Motivation

We want to allow to pull container images inside sandbox for the following reasons:

• security: some users do not want their container image data to be present on the host
• isolation: hard multi-tenancy requires that different users' container image data must not be mixed together
• private registry: for cloud providers, it is possible that users are pulling from a private registry that is only accessible from within a user's VPC network
• charging: for cloud providers, it is important to charge network usage of container image

Architecture

There are two possibilities for image pulling inside sandbox. The first one is that we just pull container images inside the guest. The downside is that container images are not shared across sandboxes.

The other one is that we contine pulling container images on the host, but inside the sandox namespace/cgroups. The downside is that the image daemon is more complex to implement.

Changes to Shimv2 API

• Add PullImage API to ask the shim to pull a container image and provide necessary auth info to let it accomplish it
• PullImage(ctx context.Context, req *PullImageRequest)
• Change CreateContainer API to pass in an image reference so that the shim knows which image a container is using
• Add Image *ImageSpec field to CreateTaskRequest

Changes to agent API

• Add PullImage API to ask the agent to pull a container image to a specific location
• PullImage(ctx context.Context, req *PullImageRequest)

Containerd/CRI modification

• When pulling an image for a container, ask the shim to do it instead of handling it inside containerd
• When creating a container, send the container image reference to the shim instead of trying to resolve it into a local path inside containerd

Impact on Container Image Life Cycle Management

• containerd needs to query all shims to collect global status of container images on a host
• kubelet needs to be tenant-aware so that same image can exist for different users/sandboxes
• TBD.

[crosbymichael]

I think this is something we could make happen within containerd. Right now, the image/content/snapshot service is decoupled from tasks(runtime) so I don't think this would impact any of the existing APIs. Most of the work would be within the CRI plugin for this path.

[ariel-adam]

@bergwolf please review and decide if we still need this feature (if so remove the "needs-review" label).

[huoqifeng]

@bergwolf is this feature still in near plan? @crosbymichael if this happens within containerd, what about other high level runtime like https://github.com/cri-o/cri-o?

[fuweid]

/cc

[ashleyrobertson]

@bergwolf it looks like this issue has been closed due to the clean up action that was discussed here http://lists.katacontainers.io/pipermail/kata-dev/2021-April/001819.html

Do you plan to reopen this issue? I am working in the Z organisation at IBM and we are interested in this feature. Thanks

[magowan]

What would be the best way to link this to the Confidential Computing RFC [#1332]?
Open to suggestions/practices used here, as I see this as a possible Issue to cover part of the solution required for Confidential Computing?

[sameo]

What would be the best way to link this to the Confidential Computing RFC [#1332]?
Open to suggestions/practices used here, as I see this as a possible Issue to cover part of the solution required for Confidential Computing?

It's definitely linked to the confidential computing discussions, and the service offload toggle will hopefully come with the initial PR for it.

I believe the actual implementation can be done in parallel though, and I'm in favor of discussing about it through this issue.