Skip to content

Support custom OCI spec options in containerd executor#6206

Closed
Vigilans wants to merge 1 commit intomoby:masterfrom
Vigilans:vigilans/containerd-executor-spec-opts-support
Closed

Support custom OCI spec options in containerd executor#6206
Vigilans wants to merge 1 commit intomoby:masterfrom
Vigilans:vigilans/containerd-executor-spec-opts-support

Conversation

@Vigilans
Copy link
Contributor

@Vigilans Vigilans commented Sep 9, 2025

This PR is inherited from moby/moby#50942 in buildkit side.

We expose SpecOpts in ExecutorOptions to allow downstream user to provide custom OCI spec options when creating containers.

@Vigilans
Support custom OCI spec options in containerd executor
192e303 
Signed-off-by: Vigilans <vigilans@foxmail.com>
@Vigilans Vigilans mentioned this pull request Sep 9, 2025
Merged
tonistiigi
tonistiigi reviewed Sep 9, 2025
View reviewed changes
Copy link
Member

@tonistiigi tonistiigi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'd prefer if we add bool for hyperv isolation instead, so nobody gets ideas to use this for something that we wouldn't like (for example, changing the security sandbox).

@tonistiigi
Copy link
Member

tonistiigi commented Sep 9, 2025

I guess the hyperv isolation mode should also be exposed in toml config (@profnandaa @gabriel-samfira)

@Vigilans
Copy link
Contributor Author

Vigilans commented Sep 12, 2025
edited
Loading

I guess the hyperv isolation mode should also be exposed in toml config

Should moby's Isolation type introduced into buildkit?

// Isolation modes for containers
const (
	IsolationEmpty   Isolation = ""        // IsolationEmpty is unspecified (same behavior as default)
	IsolationDefault Isolation = "default" // IsolationDefault is the default isolation mode on current daemon
	IsolationProcess Isolation = "process" // IsolationProcess is process isolation mode
	IsolationHyperV  Isolation = "hyperv"  // IsolationHyperV is HyperV isolation mode
)

I think I'd prefer if we add bool for hyperv isolation instead

I initially modified moby's vendor buildkit package to pass daemon's isolation type to buildkit executor, which just works like the boolean way, but with some more info (isolation mode string vs boolean).

However, since buildkit repository itself does not include github.com/moby/moby as dependency, if we want to introduce Isolation type we may find some other way.

@tonistiigi
Copy link
Member

tonistiigi commented Sep 12, 2025

Iiuc then in the containerd/oci level this is just passed with WithWindowsHyperV so looks like a bool to me. If moby has some extra definition for IsolationDefault then that can be left at moby side.

@Vigilans
Copy link
Contributor Author

Vigilans commented Sep 12, 2025

Isolation is a type with some test methods:

// Isolation represents the isolation technology of a container. The supported
// values are platform specific
type Isolation string

// Isolation modes for containers
const (
	IsolationEmpty   Isolation = ""        // IsolationEmpty is unspecified (same behavior as default)
	IsolationDefault Isolation = "default" // IsolationDefault is the default isolation mode on current daemon
	IsolationProcess Isolation = "process" // IsolationProcess is process isolation mode
	IsolationHyperV  Isolation = "hyperv"  // IsolationHyperV is HyperV isolation mode
)

// IsDefault indicates the default isolation technology of a container. On Linux this
// is the native driver. On Windows, this is a Windows Server Container.
func (i Isolation) IsDefault() bool {
	// TODO consider making isolation-mode strict (case-sensitive)
	v := Isolation(strings.ToLower(string(i)))
	return v == IsolationDefault || v == IsolationEmpty
}

// IsHyperV indicates the use of a Hyper-V partition for isolation
func (i Isolation) IsHyperV() bool {
	// TODO consider making isolation-mode strict (case-sensitive)
	return Isolation(strings.ToLower(string(i))) == IsolationHyperV
}

// IsProcess indicates the use of process isolation
func (i Isolation) IsProcess() bool {
	// TODO consider making isolation-mode strict (case-sensitive)
	return Isolation(strings.ToLower(string(i))) == IsolationProcess
}

IsolationDefault is only used in container creation that indicates daemon's default isolation mode should be used:
https://github.com/moby/moby/blob/af6d59ea486757853663bd1436d4c04dd549486f/daemon/create_windows.go#L15-L18

	if containertypes.Isolation.IsDefault(hostConfig.Isolation) {
		// Make sure the host config has the default daemon isolation if not specified by caller.
		hostConfig.Isolation = daemon.defaultIsolation
	}

In daemon's isolation mode there's only process and hyperv.

@tonistiigi
Copy link
Member

tonistiigi commented Sep 12, 2025

We shouldn't care about the extra wrapping or type definitions in Moby. If this is a bool in containerd then we should have a bool as well. We don't need to invent extra logic for this capability, just pass the value to containerd libs.

@Vigilans Vigilans mentioned this pull request Sep 15, 2025
Merged
@Vigilans
Copy link
Contributor Author

Vigilans commented Sep 15, 2025

We shouldn't care about the extra wrapping or type definitions in Moby. If this is a bool in containerd then we should have a bool as well. We don't need to invent extra logic for this capability, just pass the value to containerd libs.

containerd uses a --isolated flag to enable Hyper-V mode in its ctr command. According to it I've opened another PR #6224 for isolation option implementation.

@Vigilans Vigilans closed this Sep 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonistiigi tonistiigi tonistiigi left review comments

Assignees

@Vigilans Vigilans

Labels

area/executor area/windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Vigilans @tonistiigi