This changeset modifies the metadata store to allow one to set a
"content sharing policy" that defines how blobs are shared between
namespaces in the content store.
The default mode "shared" will make blobs available in all namespaces
once it is pulled into any namespace. The blob will be pulled into
the namespace if a writer is opened with the "Expected" digest that
is already present in the backend.
The alternative mode, "isolated" requires that clients prove they have
access to the content by providing all of the content to the ingest
before the blob is added to the namespace.
Both modes share backing data, while "shared" will reduce total
bandwidth across namespaces, at the cost of allowing access to any
blob just by knowing its digest.
Note: Most functional codes and changelog of this commit originate from
Stephen J Day <stephen.day@docker.com>, see
40455aade8Fixes#1713Fixes#2865
Signed-off-by: Eric Lin <linxiulei@gmail.com>
When running containerd inside LXC, due to systemd being unable to execute
`modprobe overlay` inside the container (module is already loaded in host kernel).
This patch adds a `-` prefix to the `ExecStartPre` command, so that failures
are ignored, and the service can start as usual.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It is also useful when testing local changes, I just run:
sudo systemd-run -p Delegate=yes -p KillMode=process bin/containerd
Signed-off-by: Alban Crequy <alban@kinvolk.io>
This is needed for users on kernel older than 3.18 so they can avoid EBUSY
errors when trying to unlink, rename or remove a mountpoint that is present in
a shim namespace.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This adds an explaination to some of the config file settings and what
the accomplish in containerd.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
