wfe_containerd/lib.rs
//! Containerd container executor for WFE.
//!
//! Runs workflow steps as isolated OCI containers via the containerd gRPC API.
//!
//! # Remote daemon support
//!
//! The executor creates named pipes (FIFOs) on the **local** filesystem for
//! stdout/stderr capture, then passes those paths to the containerd task spec.
//! The containerd shim opens the FIFOs from **its** side. This means the FIFO
//! paths must be accessible to both the executor process and the containerd
//! daemon.
//!
//! When containerd runs on a different machine (e.g. a Lima VM), you need:
//!
//! 1. **Shared filesystem** — mount a host directory into the VM so both sides
//!    see the same FIFO files. With Lima + virtiofs:
//!    ```yaml
//!    # lima config
//!    mounts:
//!      - location: /tmp/wfe-io
//!        mountPoint: /tmp/wfe-io
//!        writable: true
//!    ```
//!
//! 2. **`WFE_IO_DIR` env var** — point the executor at the shared directory:
//!    ```sh
//!    export WFE_IO_DIR=/tmp/wfe-io
//!    ```
//!    Without this, FIFOs are created under `std::env::temp_dir()`, which is
//!    only visible to the host.
//!
//! 3. **gRPC transport** — Lima's Unix socket forwarding is unreliable for
//!    HTTP/2 (gRPC). Use a TCP socat proxy inside the VM instead:
//!    ```sh
//!    # Inside the VM:
//!    socat TCP4-LISTEN:2500,fork,reuseaddr UNIX-CONNECT:/run/containerd/containerd.sock &
//!    ```
//!    Then connect via `WFE_CONTAINERD_ADDR=http://127.0.0.1:2500` (Lima
//!    auto-forwards guest TCP ports).
//!
//! 4. **FIFO permissions** — the FIFOs are created with mode `0666` and a
//!    temporarily cleared umask so the remote shim (running as root) can open
//!    them through the shared mount.
//!
//! See `test/lima/wfe-test.yaml` for a complete VM configuration that sets all
//! of this up.

/// Configuration.
pub mod config;
/// Service provider.
pub mod service_provider;
/// Step.
pub mod step;

pub use config::{ContainerdConfig, RegistryAuth, TlsConfig, VolumeMountConfig};
pub use service_provider::ContainerdServiceProvider;
pub use step::ContainerdStep;
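The module docs above describe the FIFO mechanism (items 1, 2 and 4) without showing it. The following is an added, stand-alone example of that mechanism; it is not code from the `wfe_containerd` crate, and the function names (`io_dir`, `create_step_fifos`, `fifo_mode`) are hypothetical. It assumes Linux (where `mode_t` is a 32-bit unsigned integer) and binds `mkfifo`/`umask` directly so no extra crate is needed. It resolves the directory from `WFE_IO_DIR` as the docs specify, creates a stdout/stderr FIFO pair with mode `0666` under a temporarily cleared umask, serialises the umask window so other threads cannot create files with the widened mode, restores the mask even on failure, and verifies that a path really is a FIFO (not a symlink or regular file) before it would be handed to the shim.

```rust
use std::ffi::CString;
use std::io;
use std::os::raw::{c_char, c_int};
use std::os::unix::ffi::OsStrExt;
use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::path::{Path, PathBuf};
use std::sync::Mutex;

// Raw libc bindings, declared here so the example needs no extra crate.
// Assumption: Linux, where `mode_t` is a 32-bit unsigned integer.
extern "C" {
    fn mkfifo(path: *const c_char, mode: u32) -> c_int;
    fn umask(mask: u32) -> u32;
}

/// umask is process-wide state: serialise the window in which it is cleared so
/// a concurrent thread creating an unrelated file cannot inherit mode 0666.
static UMASK_LOCK: Mutex<()> = Mutex::new(());

/// Directory the FIFOs live in: `WFE_IO_DIR` if set (the shared mount), else
/// the system temp dir, which a remote containerd cannot see.
pub fn io_dir() -> PathBuf {
    std::env::var_os("WFE_IO_DIR")
        .map(PathBuf::from)
        .unwrap_or_else(std::env::temp_dir)
}

/// Run `f` with the umask cleared, restoring the previous mask afterwards even
/// if `f` fails.
fn with_cleared_umask<T>(f: impl FnOnce() -> io::Result<T>) -> io::Result<T> {
    let _guard = UMASK_LOCK.lock().unwrap_or_else(|poisoned| poisoned.into_inner());
    // SAFETY: umask only changes per-process state and cannot fail.
    let saved = unsafe { umask(0) };
    let result = f();
    unsafe { umask(saved) };
    result
}

/// Create one FIFO with mode 0666. `mkfifo` refuses to replace an existing
/// entry, so a stale FIFO from an earlier run surfaces as an error rather than
/// being reused silently.
fn mkfifo_0666(path: &Path) -> io::Result<()> {
    let c_path = CString::new(path.as_os_str().as_bytes())?;
    // SAFETY: c_path is a valid NUL-terminated string for the duration of the call.
    let rc = unsafe { mkfifo(c_path.as_ptr(), 0o666) };
    if rc != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

/// Create the stdout/stderr FIFO pair for a step under `dir` and return their
/// paths, which are what the containerd task spec would receive.
pub fn create_step_fifos(dir: &Path, step_id: &str) -> io::Result<(PathBuf, PathBuf)> {
    let stdout = dir.join(format!("{step_id}.stdout"));
    let stderr = dir.join(format!("{step_id}.stderr"));
    with_cleared_umask(|| {
        mkfifo_0666(&stdout)?;
        if let Err(e) = mkfifo_0666(&stderr) {
            // Do not leave a half-created pair behind.
            let _ = std::fs::remove_file(&stdout);
            return Err(e);
        }
        Ok(())
    })?;
    Ok((stdout, stderr))
}

/// Permission bits of an existing FIFO. Uses symlink_metadata so a symlink at
/// the path is reported as "not a FIFO" instead of being followed.
pub fn fifo_mode(path: &Path) -> io::Result<u32> {
    let md = std::fs::symlink_metadata(path)?;
    if !md.file_type().is_fifo() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a FIFO"));
    }
    Ok(md.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    let dir = io_dir();
    std::fs::create_dir_all(&dir)?;
    let (out, err) = create_step_fifos(&dir, "example-step")?;
    println!("stdout FIFO {} mode {:o}", out.display(), fifo_mode(&out)?);
    println!("stderr FIFO {} mode {:o}", err.display(), fifo_mode(&err)?);
    std::fs::remove_file(&out)?;
    std::fs::remove_file(&err)
}
```

Run it with `WFE_IO_DIR=/tmp/wfe-io` set and the two FIFOs land in the shared mount with mode `0666` whatever the caller's umask is; without the variable they land in the temp dir exactly as the docs warn. The mutex around the umask window matters because umask is per-process, not per-thread.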