Implement nerdctl run --annotation (introduced in Docker v24) #2906

Merged
merged 2 commits into from
Apr 3, 2024

@AkihiroSuda AkihiroSuda commented Mar 31, 2024

Commit 1: Implement nerdctl run --annotation (introduced in Docker v24)

An OCI runtime (as well as nerdctl internal oci-hook) may consume an annotation and behave differently.
e.g., https://github.com/opencontainers/runc/blob/v1.1.12/docs/systemd.md#auxiliary-properties

nerdctl v1:

  • nerdctl run --annotation was not implemented.
  • nerdctl run --label is set as a containerd label and an OCI annotation.

nerdctl v2:

  • nerdctl run --annotation is only set as an OCI annotation.
  • nerdctl run --label is only set as a containerd label. A label with the nerdctl/ prefix can no longer be set manually, with an exception for nerdctl/bypass4netns. The nerdctl/bypass4netns label is still allowed and is propagated to an OCI annotation, for the sake of compatibility.

Docker v23:

  • docker run --annotation was not implemented.
  • docker run --label is only set as a Docker label.

Docker v24 (implemented in docker/cli#4156, moby/moby#45025):

  • docker run --annotation is only set as an OCI annotation.
  • docker run --label is only set as a Docker label.

(In a nutshell, --annotation may change the behavior, while --label should not.)

Commit 2: annotations: add nerdctl/bypass4netns-ignore-subnets ([]string)

For experiments of additional bypass4netns --ignore

@AkihiroSuda AkihiroSuda added this to the v2.0.0 milestone Mar 31, 2024
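The nerdctl v2 rules from the description above, modelled as an added Go example; this is not the code merged in this PR. `splitMetadata`, the sample keys and the rule that an explicit `--annotation` wins over a propagated label are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	reservedPrefix = "nerdctl/"             // prefix named in the PR description
	bypass4netns   = "nerdctl/bypass4netns" // the one reserved label still accepted
)

// splitMetadata is a hypothetical helper modelling the v2 rules:
// --annotation goes only to OCI annotations, --label only to containerd labels.
func splitMetadata(labelArgs, annotationArgs []string) (labels, annotations map[string]string, err error) {
	labels, annotations = map[string]string{}, map[string]string{}
	for _, kv := range annotationArgs {
		k, v, _ := strings.Cut(kv, "=")
		if k == "" {
			return nil, nil, fmt.Errorf("annotation %q has an empty key", kv)
		}
		annotations[k] = v
	}
	for _, kv := range labelArgs {
		k, v, _ := strings.Cut(kv, "=")
		if k == "" {
			return nil, nil, fmt.Errorf("label %q has an empty key", kv)
		}
		if strings.HasPrefix(k, reservedPrefix) {
			if k != bypass4netns {
				return nil, nil, fmt.Errorf("label %q uses the reserved %q prefix", k, reservedPrefix)
			}
			// Compatibility path: propagate to an OCI annotation.
			// Assumption: an explicit --annotation for the same key wins.
			if _, set := annotations[k]; !set {
				annotations[k] = v
			}
		}
		labels[k] = v
	}
	return labels, annotations, nil
}

func main() {
	// Constructed sample arguments.
	l, a, err := splitMetadata(
		[]string{"app=web", "nerdctl/bypass4netns=true"},
		[]string{"com.example.constructed=1"})
	fmt.Println(l, a, err)
	_, _, err = splitMetadata([]string{"nerdctl/constructed-key=x"}, nil)
	fmt.Println(err)
}
```

Because only the annotation map reaches the OCI runtime and hooks, it is the one to review when auditing what can change container behaviour.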
@AkihiroSuda

cc @naoki9911

An OCI runtime (as well as `nerdctl internal oci-hook`) may consume an
annotation and behave differently.
e.g., https://github.com/opencontainers/runc/blob/v1.1.12/docs/systemd.md#auxiliary-properties

nerdctl v1:
- `nerdctl run --annotation` was not implemented.
- `nerdctl run --label` is set as a containerd label and an OCI annotation.

nerdctl v2:
- `nerdctl run --annotation` is only set as an OCI annotation.
- `nerdctl run --label` is only set as a containerd label.
  A label with the `nerdctl/` prefix can no longer be set manually,
  with an exception for `nerdctl/bypass4netns`.
  The `nerdctl/bypass4netns` label is still allowed and is propagated to
  an OCI annotation, for the sake of compatibility.

Docker v23:
- `docker run --annotation` was not implemented.
- `docker run --label` is only set as a Docker label.

Docker v24 (implemented in docker/cli PR 4156, moby/moby PR 45025):
- `docker run --annotation` is only set as an OCI annotation.
- `docker run --label` is only set as a Docker label.

(In a nutshell, `--annotation` may change the behavior, while `--label` should not.)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

For experiments of additional `bypass4netns --ignore`

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

yankay commented Apr 3, 2024

Thanks @AkihiroSuda
/lgtm

@AkihiroSuda AkihiroSuda merged commit 6cb911b into containerd:main Apr 3, 2024
22 checks passed