crio: add support for --imagestore

flouthoc · flouthoc · commit f22040da226d · 2023-10-04T17:01:58.000+05:30
Allow cri-o users to split the filesystem of containers vs image store, imagestore if configured will
pull images in image storage instead of the graphRoot while keeping the other parts still in the originally
configured graphRoot.

Signed-off-by: Aditya R &lt;arajan@redhat.com&gt;
diff --git a/completions/bash/crio b/completions/bash/crio
@@ -61,6 +61,7 @@ h
 --hooks-dir
 --hostnetwork-disable-selinux
 --image-volumes
+--imagestore
 --infra-ctr-cpuset
 --insecure-registry
 --internal-repair
diff --git a/completions/fish/crio.fish b/completions/fish/crio.fish
@@ -88,6 +88,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l image-volumes -r -d 'Image
     2. bind: A directory is created inside container state directory and bind
        mounted into the container for the volumes.
 	3. ignore: All volumes are just ignored and no action is taken.'
+complete -c crio -n '__fish_crio_no_subcommand' -l imagestore -r -d 'Store newly pulled images in the specified path, rather than the path provided by --root.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l infra-ctr-cpuset -r -d 'CPU set to run infra containers, if not specified CRI-O will use all online CPUs to run infra containers.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l insecure-registry -r -d 'Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.
     1. List of insecure registries can contain an element with CIDR notation to
diff --git a/completions/zsh/_crio b/completions/zsh/_crio
@@ -68,6 +68,7 @@ it later with **--config**. Global options will modify the output.'
         '--hooks-dir'
         '--hostnetwork-disable-selinux'
         '--image-volumes'
+        '--imagestore'
         '--infra-ctr-cpuset'
         '--insecure-registry'
         '--internal-repair'
diff --git a/docs/crio.8.md b/docs/crio.8.md
@@ -59,6 +59,7 @@ crio
 [--hooks-dir]=[value]
 [--hostnetwork-disable-selinux]
 [--image-volumes]=[value]
+[--imagestore]=[value]
 [--infra-ctr-cpuset]=[value]
 [--insecure-registry]=[value]
 [--internal-repair]
@@ -280,6 +281,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
        mounted into the container for the volumes.
 	3. ignore: All volumes are just ignored and no action is taken. (default: "mkdir")
 
+**--imagestore**="": Store newly pulled images in the specified path, rather than the path provided by --root.
+
 **--infra-ctr-cpuset**="": CPU set to run infra containers, if not specified CRI-O will use all online CPUs to run infra containers.
 
 **--insecure-registry**="": Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.
diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
@@ -54,6 +54,9 @@ CRI-O reads its storage defaults from the containers-storage.conf(5) file locate
   It is used to check if crio wipe should wipe images, which should
   only happen when CRI-O has been upgraded
 
+**imagestore**=""
+  Store newly pulled images in the specified path, rather than the path provided by --root.
+
 **internal_wipe**=true
   **This option is currently DEPRECATED, and will be removed in the future.**
   Whether CRI-O should wipe containers after a reboot and images after an upgrade when the server starts.
diff --git a/internal/criocli/criocli.go b/internal/criocli/criocli.go
@@ -156,6 +156,9 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 	if ctx.IsSet("selinux") {
 		config.SELinux = ctx.Bool("selinux")
 	}
+	if ctx.IsSet("imagestore") {
+		config.ImageStore = ctx.String("imagestore")
+	}
 	if ctx.IsSet("seccomp-profile") {
 		config.SeccompProfile = ctx.String("seccomp-profile")
 	}
@@ -569,6 +572,13 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 			EnvVars:   []string{"CONTAINER_RUNROOT"},
 			TakesFile: true,
 		},
+		&cli.StringFlag{
+			Name:      "imagestore",
+			Usage:     "Store newly pulled images in the specified path, rather than the path provided by --root.",
+			Value:     defConf.ImageStore,
+			EnvVars:   []string{"CONTAINER_IMAGESTORE"},
+			TakesFile: true,
+		},
 		&cli.StringFlag{
 			Name:    "storage-driver",
 			Aliases: []string{"s"},
diff --git a/pkg/config/template.go b/pkg/config/template.go
@@ -115,6 +115,11 @@ func initCrioTemplateConfig(c *Config) ([]*templateConfigValue, error) {
 			group:          crioRootConfig,
 			isDefaultValue: simpleEqual(dc.RunRoot, c.RunRoot),
 		},
+		{
+			templateString: templateStringCrioImageStore,
+			group:          crioRootConfig,
+			isDefaultValue: simpleEqual(dc.ImageStore, c.ImageStore),
+		},
 		{
 			templateString: templateStringCrioStorageDriver,
 			group:          crioRootConfig,
@@ -728,6 +733,11 @@ const templateStringCrioRunroot = `# Path to the "run directory". CRI-O stores a
 
 `
 
+const templateStringCrioImageStore = `# Path to the "imagestore". If CRI-O stores all of its images in this directory differently than Root.
+{{ $.Comment }}imagestore = "{{ .ImageStore }}"
+
+`
+
 const templateStringCrioStorageDriver = `# Storage driver used to manage the storage of images and containers. Please
 # refer to containers-storage.conf(5) to see all available storage drivers.
 {{ $.Comment }}storage_driver = "{{ .Storage }}"
diff --git a/test/image.bats b/test/image.bats
@@ -96,6 +96,32 @@ function teardown() {
 	cleanup_images
 }
 
+@test "image pull and list using imagestore" {
+	# Start crio with imagestore
+	mkdir -p "$TESTDIR/imagestore"
+	CONTAINER_IMAGESTORE="$TESTDIR/imagestore" start_crio
+
+	FEDORA="registry.fedoraproject.org/fedora"
+	crictl pull $FEDORA
+	imageid=$(crictl images --quiet "$FEDORA")
+	[ "$imageid" != "" ]
+
+	output=$(crictl images @"$imageid")
+	[[ "$output" == *"$FEDORA"* ]]
+
+	output=$(crictl images --quiet "$imageid")
+	[ "$output" != "" ]
+
+	stop_crio
+	unset CONTAINER_IMAGESTORE
+	# start crio without imagestore
+	start_crio
+	imageid=$(crictl images --quiet "$FEDORA")
+	# no image must be found on default root
+	[[ "$imageid" == "" ]]
+	cleanup_images
+}
+
 @test "image pull with signature" {
 	skip "registry has some issues"
 	start_crio
