Merge pull request #493 from AkihiroSuda/ci-fedora35

Ci:  update Fedora to 35; update BuildKit (v0.9.2); update docs; nits

Author: AkihiroSuda

Diff for: .github/workflows/test.yml

@@ -131,7 +131,7 @@ jobs:
     runs-on: macos-10.15
     timeout-minutes: 40
     env:
-      VAGRANT_VAGRANTFILE: hack/Vagrantfile.fedora34
+      VAGRANT_VAGRANTFILE: hack/Vagrantfile.fedora
     steps:
     - uses: actions/setup-go@v2
       with:
@@ -148,24 +148,27 @@ jobs:
       run: |
         vagrant up
         vagrant ssh-config >> ~/.ssh/config
+    - name: "Show info"
+      run: ssh default -- sudo nerdctl info
     - name: "Run tests"
       uses: nick-invision/retry@v2
       with:
         timeout_minutes: 10
         retry_on: error
         max_attempts: 2
-        # TODO: enable -test.kill-daemon, after Fedora updates containerd to a recent version (Mar 2021)
+        # TODO: enable -test.kill-daemon
         command: ssh default -- "sudo /vagrant/nerdctl.test -test.v"
     - name: "Install rootless containerd"
       run: |
         ssh default -- containerd-rootless-setuptool.sh install
-        ssh default -- containerd-rootless-setuptool.sh install-fuse-overlayfs
+    - name: "Show info (rootless)"
+      run: ssh default -- nerdctl info
     - name: "Run tests (rootless)"
       uses: nick-invision/retry@v2
       with:
         timeout_minutes: 10
         retry_on: error
         max_attempts: 2
-        command: ssh default -- "CONTAINERD_SNAPSHOTTER=fuse-overlayfs /vagrant/nerdctl.test -test.v -test.kill-daemon"
+        command: ssh default -- "/vagrant/nerdctl.test -test.v -test.kill-daemon"
     - name: "Uninstall rootless containerd"
       run: ssh default -- containerd-rootless-setuptool.sh uninstall

Diff for: Dockerfile

@@ -23,11 +23,11 @@ ARG CNI_PLUGINS_VERSION=1.0.1
 # Extra deps: CNI isolation
 ARG CNI_ISOLATION_VERSION=0.0.4
 # Extra deps: Build
-ARG BUILDKIT_VERSION=0.9.1
+ARG BUILDKIT_VERSION=0.9.2
 # Extra deps: Lazy-pulling
 ARG STARGZ_SNAPSHOTTER_VERSION=0.9.0
 # Extra deps: Encryption
-ARG IMGCRYPT_VERSION=1.1.1
+ARG IMGCRYPT_VERSION=1.1.2
 # Extra deps: Rootless
 ARG ROOTLESSKIT_VERSION=0.14.5
 ARG SLIRP4NETNS_VERSION=1.1.12

Diff for: Dockerfile.d/SHA256SUMS.d/buildkit-0.9.1

@@ -0,0 +1,2 @@
+931d8bb6b461a396c54ed2ce4fa48a2d5eafeb6985a97823e39e549bc89bec27  buildkit-v0.9.2.linux-amd64.tar.gz
+d97d1e0380d715777875b3acf5b7d2d67b715b983b4827a385eb99f372f9538d  buildkit-v0.9.2.linux-arm64.tar.gz

Diff for: Dockerfile.d/SHA256SUMS.d/buildkit-0.9.2

@@ -52,5 +52,6 @@ func newContainerCommand() *cobra.Command {
 func containerLsCommand() *cobra.Command {
 	x := newPsCommand()
 	x.Use = "ls"
+	x.Aliases = []string{"list"}
 	return x
 }

Diff for: cmd/nerdctl/container.go

@@ -50,11 +50,13 @@ func newImageCommand() *cobra.Command {
 func imageLsCommand() *cobra.Command {
 	x := newImagesCommand()
 	x.Use = "ls"
+	x.Aliases = []string{"list"}
 	return x
 }
 
 func imageRmCommand() *cobra.Command {
 	x := newRmiCommand()
 	x.Use = "rm"
+	x.Aliases = []string{"remove"}
 	return x
 }

Diff for: cmd/nerdctl/image.go

@@ -6,6 +6,8 @@ e.g., ARM on Intel, and vice versa.
 ## Preparation: Register QEMU to `/proc/sys/fs/binfmt_misc`
 
 ```console
+$ sudo systemctl start containerd
+
 $ sudo nerdctl run --privileged --rm tonistiigi/binfmt --install all
 
 $ ls -1 /proc/sys/fs/binfmt_misc/qemu*
@@ -18,7 +20,10 @@ $ ls -1 /proc/sys/fs/binfmt_misc/qemu*
 /proc/sys/fs/binfmt_misc/qemu-s390x
 ```
 
-The `tonistiigi/binfmt` container must be executed with `--privileged`.
+The `tonistiigi/binfmt` container must be executed with `--privileged`, and with rootful mode (`sudo`).
+
+This container is not a daemon, and exits immediately after registering QEMU to `/proc/sys/fs/binfmt_misc`.
+Run `ls -1 /proc/sys/fs/binfmt_misc/qemu*` to confirm registration.
 
 See also https://github.com/tonistiigi/binfmt
 

Diff for: docs/multi-platform.md

@@ -44,15 +44,19 @@ To enable BuildKit, run the following command:
 $ containerd-rootless-setuptool.sh install-buildkit
 ```
 
-### FUSE-OverlayFS
+## Snapshotters
+
+### OverlayFS
 
-The `overlayfs` snapshotter only works on the following hosts:
-- Any distro, with kernel >= 5.11, and without SELinux
+The default `overlayfs` snapshotter only works on the following hosts:
+- Any distro, with kernel >= 5.13
+- Non-SELinux distro, with kernel >= 5.11
 - Ubuntu since 2015
-- Debian since 10
 
 For other hosts, [`fuse-overlayfs` snapshotter](https://github.com/containerd/fuse-overlayfs-snapshotter) needs to be used instead.
 
+### FUSE-OverlayFS
+
 To enable `fuse-overlayfs` snapshotter, run the following command:
 ```console
 $ containerd-rootless-setuptool.sh install-fuse-overlayfs
@@ -78,11 +82,6 @@ If `fuse-overlayfs` does not work, try `export CONTAINERD_SNAPSHOTTER=native`.
 ### Stargz Snapshotter
 [Stargz Snapshotter](./stargz.md) enables lazy-pulling of images.
 
-As of Stargz Snapshotter 0.5.0, Rootless Stargz Snapshotter supports the following hosts:
-- Any distro, with kernel >= 5.11
-- Ubuntu (>= 15.XX)
-- Debian (>= 10)
-
 To enable Stargz snapshotter, run the following command:
 ```console
 $ containerd-rootless-setuptool.sh install-stargz
@@ -108,4 +107,4 @@ See https://github.com/containerd/stargz-snapshotter/blob/master/docs/pre-conver
 ## Troubleshooting
 
 ### Hint to Fedora users
-- If SELinux is enabled on your host, you need to use [`fuse-overlayfs` instead of `overlayfs`](#fuse-overlayfs).
+- If SELinux is enabled on your host and your kernel is older than 5.13, you need to use [`fuse-overlayfs` instead of `overlayfs`](#fuse-overlayfs).

Diff for: docs/rootless.md

@@ -3,7 +3,7 @@
 
 # Vagrant box for testing cgroup v2
 Vagrant.configure("2") do |config|
-  config.vm.box = "fedora/34-cloud-base"
+  config.vm.box = "fedora/35-cloud-base"
   memory = 4096
   cpus = 2
   config.vm.provider :virtualbox do |v|
@@ -28,33 +28,19 @@ Vagrant.configure("2") do |config|
     fi
     GOARCH=amd64
 
-    # Install RPMs (TODO: remove fuse-overlayfs after release of Fedora 34)
     dnf install -y \
       make \
       containerd \
       containernetworking-plugins \
       iptables \
       slirp4netns \
-      fuse-overlayfs \
       openssl
     systemctl enable --now containerd
 
     # Install RootlessKit
-    ROOTLESSKIT_VERSION=0.14.2
+    ROOTLESSKIT_VERSION=0.14.5
     curl -sSL https://github.com/rootless-containers/rootlesskit/releases/download/v${ROOTLESSKIT_VERSION}/rootlesskit-$(uname -m).tar.gz | tar Cxzv /usr/local/bin
 
-    # Install containerd-fuse-overlayfs (required on SELinux hosts: https://github.com/moby/moby/issues/42333)
-    CONTAINERD_FUSE_OVERLAYFS_VERSION=1.0.2
-    curl -sSL https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/v${CONTAINERD_FUSE_OVERLAYFS_VERSION}/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}-linux-${GOARCH}.tar.gz | tar Cxzv /usr/local/bin
-    mkdir -p /home/vagrant/.config/containerd
-    cat <<EOF >/home/vagrant/.config/containerd/config.toml
-[proxy_plugins]
-  [proxy_plugins."fuse-overlayfs"]
-    type = "snapshot"
-    address = "/run/user/$(id -u vagrant)/containerd-fuse-overlayfs.sock"
-EOF
-    chown -R vagrant /home/vagrant/.config
-
     # Delegate cgroup v2 controllers
     mkdir -p /etc/systemd/system/[email protected]
     cat <<EOF >/etc/systemd/system/[email protected]/delegate.conf