Clarification on kata-containers support #637

@Fricounet

Hello folks, I'm trying to wrap my head around how nydus can work with kata-containers.
I'm a bit confused because I can find 2 different references that indicate that nydus supports kata but in different ways:

  • this doc in the kata project indicates that I need to configure enable_nydus_overlayfs in the nydus-snapshotter + use virtio-fs-nydus in kata
  • this PR added an enable_kata_volume and a proxy mode to the snapshotter which seems to respectively pass the mounted image using EROFS or to let the guest VM mount the image

On the other hand, I tried pulling a nydus image in a kata container but without any of the above configured (so just a plain regular nydus config) and it just worked somehow. At least I couldn't notice a big issue and the image was pulled at regular nydus speed. So I'm really confused on whether all the above configs are needed at all?

I would really appreciate your thoughts on this and if you could indicate what's the difference and benefits/drawbacks for each approach.

For a bit of context on what I'm running:

  • containerd v2.1.0 with bits to use the transfer service
version = 3

[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    # Required by the kubelet's imageServiceEndpoint
    address = "/run/containerd/image-service.sock"

  [proxy_plugins.nydus.exports]
    enable_remote_snapshot_annotations = "true"

[plugins]
  # Use nydus snapshotter through CRI
  [plugins."io.containerd.cri.v1.images"]
    snapshotter = "nydus"
    disable_snapshot_annotations = false
    discard_unpacked_layers = false

    [plugins."io.containerd.cri.v1.images".pinned_images]
      # need sandbox_image entry here otherwise it's overwritten when importing the file
      # sandbox_image is the image used by sandbox container.
      sandbox = "pause"

  # Use nydus snapshotter through containerd transfer service
  [[plugins."io.containerd.transfer.v1.local".unpack_config]]
    snapshotter = "nydus"
    # need platform entry here otherwise there is no default used in containerd
    platform = "linux/amd64"

  # This is the default entry, which is removed if we specify another one, so we need to add it back explicitly
  [[plugins."io.containerd.transfer.v1.local".unpack_config]]
    snapshotter = "overlayfs"
    platform = "linux/amd64"
    differ = ""
  • nydusd v2.3.1 with default config
{
  "device": {
    "backend": {
      "type": "registry",
      "config": {
        "timeout": 15,
        "connect_timeout": 15,
        "retry_limit": 5
      }
    },
    "cache": {
      "type": "blobcache",
      "config": {
        "work_dir": "cache"
      }
    }
  },
  "mode": "direct",
  "digest_validate": false,
  "iostats_files": false,
  "enable_xattr": true,
  "fs_prefetch": {
    "enable": true,
    "threads_count": 4
  }
}
  • nydus-snapshotter v0.15.0 with basic config + enable_referrer_detect
version = 1

[system]
# Snapshotter's debug and trace HTTP server interface
enable = true

[remote.auth]
# Fetch the private registry auth as CRI image service proxy
enable_cri_keychain = true
image_service_address = "/run/containerd/containerd.sock"

[experimental]
# Whether to enable referrers support
# The option enables trying to fetch the Nydus image associated with the OCI image and run it.
# Also see https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers
enable_referrer_detect = true
