[#137] FreeBSD support

.github/workflows/test.yml

@@ -124,6 +124,8 @@ jobs:
     # nested virtualization is only available on macOS hosts
     runs-on: macos-10.15
     timeout-minutes: 40
+    env:
+      VAGRANT_VAGRANTFILE: hack/Vagrantfile.fedora34
     steps:
     - uses: actions/setup-go@v2
       with:
@@ -161,3 +163,24 @@ jobs:
         command: ssh default -- "CONTAINERD_SNAPSHOTTER=fuse-overlayfs /vagrant/nerdctl.test -test.v -test.kill-daemon"
     - name: "Uninstall rootless containerd"
       run: ssh default -- containerd-rootless-setuptool.sh uninstall
+
+  test-freebsd-amd64:
+    runs-on: macos-latest
+    env:
+      VAGRANT_VAGRANTFILE: hack/Vagrantfile.freebsd13
+      NERDCTL_RUN_ARGS: --net none knast/freebsd:13-STABLE echo "Nerdctl is up and running."
+    steps:
+      - name: Cache Vagrant boxes
+        uses: actions/cache@v2
+        with:
+          path: ~/.vagrant.d/boxes
+          key: ${{ runner.os }}-vagrant-${{ hashFiles('hack/Vagrantfile.freebsd13') }}
+          restore-keys: |
+            ${{ runner.os }}-vagrant-
+      - uses: actions/checkout@v2
+      - name: Set up vagrant
+        run: vagrant up
+      - name: "Run unit tests"
+        run: vagrant ssh -- "cd /vagrant; go test -v ./pkg/..."
+      - name: "Integration smoke test"
+        run: vagrant ssh -- "cd /vagrant/cmd/nerdctl; sudo go run . -- run $NERDCTL_RUN_ARGS | grep running"

Makefile

@@ -82,9 +82,11 @@ artifacts: clean
 
 	GOOS=windows GOARCH=amd64     make -C $(CURDIR) binaries
 	tar $(TAR_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-windows-amd64.tar.gz _output/nerdctl.exe
-
 	rm -f $(CURDIR)/_output/nerdctl $(CURDIR)/_output/nerdctl.exe
 
+	GOOS=freebsd GOARCH=amd64       make -C $(CURDIR)  binaries
+	tar $(TAR_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-freebsd-amd64.tar.gz   _output/nerdctl extras/rootless/*
+
 	$(call make_artifact_full_linux,amd64)
 	$(call make_artifact_full_linux,arm64)
 

README.md

@@ -86,6 +86,10 @@ $ lima nerdctl run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
 
 NOTE: ARM Mac requires installing a patched version of QEMU, see [Lima](https://github.com/AkihiroSuda/lima) documentation.
 
+### FreeBSD
+
+See [`./docs/freebsd.md`](docs/freebsd.md).
+
 ### Windows
 
 - Linux containers: Known to work on WSL2
@@ -121,6 +125,7 @@ Minor:
 - Importing OCI archives as well as Docker archives: `nerdctl load` .
 - Specifying a non-image rootfs: `nerdctl run -it --rootfs <ROOTFS> /bin/sh` . The CLI syntax conforms to Podman convention.
 - Connecting a container to multiple networks at once: `nerdctl run --net foo --net bar`
+- Running [FreeBSD jails](./docs/freebsd.md).
 
 Trivial:
 - Inspecting raw OCI config: `nerdctl container inspect --mode=native` .
@@ -958,3 +963,4 @@ Others:
 - [`./docs/rootless.md`](./docs/rootless.md): Rootless mode
 - [`./docs/stargz.md`](./docs/stargz.md):     Lazy-pulling using Stargz Snapshotter
 - [`./docs/ocicrypt.md`](./docs/ocicrypt.md): Running encrypted images
+- [`./docs/freebsd.md`](./docs/freebsd.md):  Running FreeBSD jails

cmd/nerdctl/client_linux.go → cmd/nerdctl/client_unix.go

@@ -1,3 +1,6 @@
+//go:build freebsd || linux
+// +build freebsd linux
+
 /*
    Copyright The containerd Authors.
 

cmd/nerdctl/exec_freebsd.go

@@ -0,0 +1,26 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func setExecCapabilities(pspec *specs.Process) error {
+	//no op freebsd
+	return nil
+}

cmd/nerdctl/login_linux.go → cmd/nerdctl/login_unix.go

@@ -1,3 +1,6 @@
+//go:build freebsd || linux
+// +build freebsd linux
+
 /*
    Copyright The containerd Authors.
 

cmd/nerdctl/main_freebsd.go

@@ -0,0 +1,29 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/urfave/cli/v2"
+)
+
+func appNeedsRootlessParentMain(clicontext *cli.Context) bool {
+	return false
+}
+
+func appBashComplete(clicontext *cli.Context) {
+	return
+}

cmd/nerdctl/main_linux.go

@@ -20,10 +20,8 @@ import (
 	"fmt"
 
 	ncdefaults "github.com/containerd/nerdctl/pkg/defaults"
-	"github.com/containerd/nerdctl/pkg/infoutil"
 
 	"github.com/containerd/nerdctl/pkg/rootlessutil"
-	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 )
 
@@ -64,45 +62,3 @@ func appBashComplete(clicontext *cli.Context) {
 		fmt.Fprintln(clicontext.App.Writer, subcomm.Name)
 	}
 }
-
-func bashCompleteNamespaceNames(clicontext *cli.Context) {
-	if rootlessutil.IsRootlessParent() {
-		_ = rootlessutil.ParentMain()
-		return
-	}
-
-	client, ctx, cancel, err := newClient(clicontext)
-	if err != nil {
-		return
-	}
-	defer cancel()
-	nsService := client.NamespaceService()
-	nsList, err := nsService.List(ctx)
-	if err != nil {
-		logrus.Warn(err)
-		return
-	}
-	for _, ns := range nsList {
-		fmt.Fprintln(clicontext.App.Writer, ns)
-	}
-}
-
-func bashCompleteSnapshotterNames(clicontext *cli.Context) {
-	if rootlessutil.IsRootlessParent() {
-		_ = rootlessutil.ParentMain()
-		return
-	}
-
-	client, ctx, cancel, err := newClient(clicontext)
-	if err != nil {
-		return
-	}
-	defer cancel()
-	snapshotterPlugins, err := infoutil.GetSnapshotterNames(ctx, client.IntrospectionService())
-	if err != nil {
-		return
-	}
-	for _, name := range snapshotterPlugins {
-		fmt.Fprintln(clicontext.App.Writer, name)
-	}
-}

cmd/nerdctl/main_unix.go

@@ -0,0 +1,72 @@
+//go:build freebsd || linux
+// +build freebsd linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/containerd/nerdctl/pkg/infoutil"
+
+	"github.com/containerd/nerdctl/pkg/rootlessutil"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+func bashCompleteNamespaceNames(clicontext *cli.Context) {
+	if rootlessutil.IsRootlessParent() {
+		_ = rootlessutil.ParentMain()
+		return
+	}
+
+	client, ctx, cancel, err := newClient(clicontext)
+	if err != nil {
+		return
+	}
+	defer cancel()
+	nsService := client.NamespaceService()
+	nsList, err := nsService.List(ctx)
+	if err != nil {
+		logrus.Warn(err)
+		return
+	}
+	for _, ns := range nsList {
+		fmt.Fprintln(clicontext.App.Writer, ns)
+	}
+}
+
+func bashCompleteSnapshotterNames(clicontext *cli.Context) {
+	if rootlessutil.IsRootlessParent() {
+		_ = rootlessutil.ParentMain()
+		return
+	}
+
+	client, ctx, cancel, err := newClient(clicontext)
+	if err != nil {
+		return
+	}
+	defer cancel()
+	snapshotterPlugins, err := infoutil.GetSnapshotterNames(ctx, client.IntrospectionService())
+	if err != nil {
+		return
+	}
+	for _, name := range snapshotterPlugins {
+		fmt.Fprintln(clicontext.App.Writer, name)
+	}
+}

cmd/nerdctl/run.go

@@ -25,6 +25,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"runtime"
 	"strings"
 
 	"github.com/containerd/console"
@@ -34,7 +35,6 @@ import (
 	"github.com/containerd/containerd/cmd/ctr/commands/tasks"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
-	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/runtime/restart"
 	gocni "github.com/containerd/go-cni"
 	"github.com/containerd/nerdctl/pkg/defaults"
@@ -187,7 +187,7 @@ var runCommand = &cli.Command{
 		&cli.StringFlag{
 			Name:  "runtime",
 			Usage: "Runtime to use for this container, e.g. \"crun\", or \"io.containerd.runsc.v1\"",
-			Value: plugin.RuntimeRuncV2,
+			Value: defaults.Runtime,
 		},
 		&cli.StringSliceFlag{
 			Name:  "sysctl",
@@ -319,12 +319,16 @@ func runAction(clicontext *cli.Context) error {
 	opts = append(opts,
 		oci.WithDefaultSpec(),
 		oci.WithDefaultUnixDevices,
-		oci.WithMounts([]specs.Mount{
-			{Type: "cgroup", Source: "cgroup", Destination: "/sys/fs/cgroup", Options: []string{"ro", "nosuid", "noexec", "nodev"}},
-		}),
 		WithoutRunMount(), // unmount default tmpfs on "/run": https://github.com/containerd/nerdctl/issues/157
 	)
 
+	if runtime.GOOS == "linux" {
+		opts = append(opts,
+			oci.WithMounts([]specs.Mount{
+				{Type: "cgroup", Source: "cgroup", Destination: "/sys/fs/cgroup", Options: []string{"ro", "nosuid", "noexec", "nodev"}},
+			}))
+	}
+
 	rootfsOpts, rootfsCOpts, ensuredImage, err := generateRootfsOpts(ctx, client, clicontext, id)
 	if err != nil {
 		return err
@@ -757,7 +761,7 @@ func withCustomHosts(src string) func(context.Context, oci.Client, *containers.C
 }
 
 func generateLogURI(dataStore string) (*url.URL, error) {
-	selfExe, err := os.Readlink("/proc/self/exe")
+	selfExe, err := os.Executable()
 	if err != nil {
 		return nil, err
 	}

cmd/nerdctl/run_cgroup_freebsd.go

@@ -0,0 +1,26 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/containerd/containerd/oci"
+	"github.com/urfave/cli/v2"
+)
+
+func generateCgroupOpts(clicontext *cli.Context, id string) ([]oci.SpecOpts, error) {
+	return []oci.SpecOpts{}, nil
+}