genpolicy: add utility script for containerd pull #213
Conversation
Add script that helps adapt containerd and docker config for containerd pull feature to work as expected. Signed-off-by: Saul Paredes <[email protected]>
Redent0r
force-pushed
the
saulparedes/add_util_setup_script
branch
from
c36d773 to
7f872b1
Compare
| You may specify `-d` to use existing `containerd` installation as image manager. This method supports a wider set of images (e.g., older images with `v1` manifest). Needs `sudo` permission to access socket - e.g., | ||
| # Use containerd to pull and manage images (required for managed identity based authentication) | ||
|
|
||
| Prereq: This features needs to run the following script to adapt your docker and containerd config (needs `sudo` access): |
There was a problem hiding this comment.
I think these changes are too intrusive to push average users to use this script.
For average users, I would prefer a list of steps in an MD file - similar to the steps from https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/containerd-kata.md. Also, I would like to update such doc Upstream instead of pushing just MSFT users in this direction.
But let's talk with other folks in our team too - maybe they have different opinions.
There was a problem hiding this comment.
I agree it's too much to require them to use this. This might exist for users that don't feel like doing all these steps, but they are also welcome to do them on their own. I'll add better instructions to the MD, and open a PR upstream with all squashed changes
There was a problem hiding this comment.
I disagree with:
- Calling this script a prerequisite. We should say something like: "if you need help with your containerd settings, see this doc for related tips".
- Hiding a bunch of details in a script. Users that want to perform these steps should review the doc and perform just those steps that look reasonable to them.
Signed-off-by: Saul Paredes <[email protected]>
Add guide on how to setup containerd and docker for genpolicy containerd pull feature. Signed-off-by: Saul Paredes <[email protected]>
| You may specify `-d` to use existing `containerd` installation as image manager. This method supports a wider set of images (e.g., older images with `v1` manifest). Needs `sudo` permission to access socket - e.g., | ||
| # Use containerd to pull and manage images (required for managed identity based authentication) | ||
|
|
||
| Prereq: This features needs to run the following script to adapt your docker and containerd config (needs `sudo` access): |
There was a problem hiding this comment.
I disagree with:
- Calling this script a prerequisite. We should say something like: "if you need help with your containerd settings, see this doc for related tips".
- Hiding a bunch of details in a script. Users that want to perform these steps should review the doc and perform just those steps that look reasonable to them.
| @@ -0,0 +1,96 @@ | |||
| # Manual Steps for Setting Up Containerd and Docker for Genpolicy Tool | |||
There was a problem hiding this comment.
The name of this doc should include "genpolicy".
| sudo apt-get install -y containerd | ||
| ``` | ||
|
|
||
| #### Using `tdnf` (for Photon OS-based systems) |
There was a problem hiding this comment.
This is not an automated script, so it's OK to keep just the Ubuntu example. That's one advantage of providing a doc instead a script.
| ## Steps | ||
|
|
||
| ### 1. Install Containerd | ||
|
|
There was a problem hiding this comment.
Add the OS version that you used for testing - because other versions might not work, and that's OK.
|
|
||
| The socket file is usually `/run/containerd/containerd.sock` or `/var/run/containerd/containerd.sock` | ||
|
|
||
| ### 6. Fix Containerd Socket File Permissions |
There was a problem hiding this comment.
This is not a "fix" - it's just something that might be useful for genpolicy users.
Add script that helps adapt containerd and docker config for containerd pull feature to work as expected.
Merge Checklist
upstream/missinglabel (orupstream/not-needed) has been set on the PR.Summary
Add script that helps adapt containerd and docker config for containerd pull feature to work as expected.
Test Methodology
Tested locally that I'm able to authenticate to private registry after running the script