github.com/containerd/nydus-snapshotter
Nydus-snapshotter is a non-core sub-project of containerd.
Nydus snapshotter is an external plugin of containerd for the Nydus image service, which implements a chunk-based content-addressable filesystem on top of a format called RAFS (Registry Acceleration File System). RAFS improves on the current OCI image specification in terms of container launch speed, image space, and network bandwidth efficiency, as well as data integrity, with several runtime backends: FUSE, virtiofs and in-kernel EROFS.
Nydus supports lazy pulling, since pulling the image is one of the most time-consuming steps in the container lifecycle. Lazy pulling here means a container can run even when the image is only partially available, and the necessary chunks of the image are fetched on demand. Apart from that, Nydus also supports (e)Stargz and OCI (by using zran) lazy pulling directly WITHOUT any explicit conversion.
For more details about how to build a Nydus container image, please refer to the nydusify conversion tool and acceld.
Just invoke make and check out the output executable binary ./bin/containerd-nydus-grpc:
make
This document describes how to manually configure containerd + Nydus snapshotter. If you want to run Nydus snapshotter in a Kubernetes cluster, you can use helm or run nydus snapshotter as a container. You can refer to this documentation.
Containerd provides a general mechanism to exploit different types of snapshotters. Please ensure your containerd's version is 1.4.0 or above.
Add Nydus as a proxy plugin to containerd's configuration file, which may be located at /etc/containerd/config.toml.
# The `address` field specifies through which socket snapshotter and containerd communicate.
[proxy_plugins]
[proxy_plugins.nydus]
type = "snapshot"
address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
Restart your containerd service to make the change take effect. Assuming your node is systemd based, restart the service as below:
systemctl restart containerd
Get the nydusd, nydus-image and nydusctl binaries from the nydus releases page.
It's suggested to install the binaries to your system path. nydusd is a FUSE userspace daemon and a vhost-user-fs backend. Nydus-snapshotter will fork a nydusd process when necessary.
Please follow instructions to configure nydus in order to make it work properly in your environment.
Nydus-snapshotter is implemented as a proxy plugin (containerd-nydus-grpc) for containerd.
Assuming your server is systemd based, install nydus-snapshotter:
Note: nydusd and nydus-image should be found in $PATH.
make install
systemctl restart containerd
Or you can start nydus-snapshotter manually.
# `--nydusd` specifies the path to nydusd binary. If `nydusd` and `nydus-image` are installed, `--nydusd` and `--nydus-image` can be omitted.
# Otherwise, provide them in below command line.
# `address` is the domain socket that you configured in containerd configuration file
# `--nydusd-config` is the path to `nydusd` configuration file
# The default nydus-snapshotter work directory is located at `/var/lib/containerd/io.containerd.snapshotter.v1.nydus`
$ sudo ./containerd-nydus-grpc --config /etc/nydus/config.toml --nydusd-config /etc/nydus/nydusd-config.json --log-to-stdout
Use containerd's ctr CLI command to validate that nydus-snapshotter is set up successfully.
$ ctr -a /run/containerd/containerd.sock plugin ls
TYPE ID PLATFORMS STATUS
io.containerd.snapshotter.v1 nydus - ok
Nydus usually prefetches image data to the local filesystem before a real on-demand read by the user. This helps to improve performance and availability. A containerd NRI plugin, the container image optimizer, can be used to generate nydus image building suggestions that optimize your nydus image so that the nydusd runtime matches your workload's IO pattern. The optimized nydus image has better performance.
Start a container using nerdctl (>=v0.22), which has native nydus support with nydus-snapshotter.
# Start container by `nerdctl`
nerdctl --snapshotter nydus run ghcr.io/dragonflyoss/image-service/nginx:nydus-latest
Change containerd's CRI configuration:
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "nydus"
disable_snapshot_annotations = false
Use crictl to debug starting a container via Kubernetes CRI. Dry run steps of using crictl can be found in documents.
We can also use the nydus-snapshotter container image when we want to put the Nydus components inside a container. See the nydus-snapshotter example for how to set up and use it.
Nydus is a sub-project of Dragonfly. So it closely works with Dragonfly to distribute container images in a fast and efficient P2P fashion to reduce network latency and lower the pressure on a single-point of the registry.
We recommend using the Dragonfly P2P data distribution system to further improve the runtime performance of Nydus images.
If you want to deploy Dragonfly and Nydus at the same time, please refer to this Quick Start.
Dragonfly supports both mirror mode and HTTP proxy mode to speed up container startup. It is suggested to use Dragonfly mirror mode. To integrate with Dragonfly in mirror mode, provide the registry mirror in nydusd's json configuration file, in section device.backend.mirrors:
{
"mirrors": [
{
"host": "http://127.0.0.1:65001",
"headers": "https://index.docker.io/v1/"
}
]
}
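As an added example (not code from nydus-snapshotter or nydusd), a small Go check that can be run over the mirrors section before a configuration is rolled out. It assumes the JSON shape shown above and a local policy, not stated by the project, that plaintext HTTP mirrors are acceptable only on loopback; AuditMirrors, isLoopback and sampleMirrors are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
)

// AuditMirrors flags mirrors whose host is malformed, or plaintext HTTP off loopback.
func AuditMirrors(raw []byte) ([]string, error) {
	var cfg struct { // shape of the mirrors section shown above; only "host" is read
		Mirrors []struct {
			Host string `json:"host"`
		} `json:"mirrors"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse mirrors section: %w", err)
	}
	var findings []string
	for i, m := range cfg.Mirrors {
		u, err := url.Parse(m.Host)
		if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
			findings = append(findings, fmt.Sprintf("mirror %d: %q is not an http(s) URL", i, m.Host))
			continue
		}
		if u.Scheme == "http" && !isLoopback(u.Hostname()) {
			findings = append(findings, fmt.Sprintf("mirror %d: plaintext HTTP to non-loopback host %q", i, u.Hostname()))
		}
	}
	return findings, nil
}

func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

// Constructed sample: the loopback mirror from the page plus two hypothetical entries.
const sampleMirrors = `{"mirrors": [
  {"host": "http://127.0.0.1:65001", "headers": "https://index.docker.io/v1/"},
  {"host": "http://mirror.example.internal:65001"},
  {"host": "127.0.0.1:65001"}
]}`

func main() {
	findings, err := AuditMirrors([]byte(sampleMirrors))
	fmt.Println(findings, err)
}
```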
In addition to setting the registry mirror in nydusd's json configuration file, nydus-snapshotter also supports hot updating of mirror configurations. You can set the configuration directory in nydus-snapshotter's toml configuration file with remote.mirrors_config.dir. An empty remote.mirrors_config.dir disables it.
[remote.mirrors_config]
dir = "/etc/nydus/certs.d"
The configuration file is compatible with containerd's configuration file in toml format.
[host]
[host."http://127.0.0.1:65001"]
[host."http://127.0.0.1:65001".header]
# NOTE: For Dragonfly, the HTTP scheme must be explicitly specified.
X-Dragonfly-Registry = ["https://p2p-nydus.com"]
Mirror configurations loaded from nydusd's json file will be overwritten before pulling an image if the number of valid mirror configuration items loaded from remote.mirrors_config.dir is greater than 0.
Nydus aims to form a vendor-neutral open source image distribution solution for all communities. Questions, bug reports, technical discussion, feature requests and contributions are always welcome!
We're very pleased to hear your use cases any time. Feel free to reach/join us via Slack and/or Dingtalk.