[WIP] Initial support for nerdbox

See docs/nerdbox.md

Fix issue 4571

WIP: Does not work yet

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

README.md

@@ -298,6 +298,7 @@ Experimental features:
 - [`./docs/freebsd.md`](./docs/freebsd.md):  Running FreeBSD jails
 - [`./docs/ipfs.md`](./docs/ipfs.md): Distributing images on IPFS
 - [`./docs/builder-debug.md`](./docs/builder-debug.md): Interactive debugging of Dockerfile
+- [`./docs/nerdbox.md`](./docs/nerdbox.md):   Running Linux containers on macOS using nerdbox
 
 Implementation details:
 

docs/nerdbox.md

@@ -0,0 +1,50 @@
+# nerdbox (experimental)
+
+| :zap: Requirement | nerdctl >= 2.2, containerd >= 2.2 |
+|-------------------|-----------------------------------|
+
+
+nerdctl supports [nerdbox](https://github.com/containerd/nerdbox) experimentally
+for running Linux containers, including non-Linux hosts such as macOS.
+
+## Prerequisites
+- [nerdbox](https://github.com/containerd/nerdbox) with its dependencies
+
+- `/var/lib/nerdctl` directory chowned for the current user:
+```bash
+sudo mkdir -p /var/lib/nerdctl
+sudo chown $(whoami):staff /var/lib/nerdctl
+```
+
+## Usage
+
+```bash
+nerdctl run \
+  --rm \
+  --snapshotter erofs \
+  --runtime io.containerd.nerdbox.v1 \
+  --platform=linux/arm64 \
+  --net=host \
+  --log-driver=none \
+  hello-world
+```
+
+Lots of CLI flags still do not work.
+
+## FAQ
+### How is nerdbox comparable to Lima ?
+
+The following table compares nerdbox and [Lima](https://lima-vm.io/)
+on macOS for running Linux containers:
+
+|                       | nerdbox | Lima        |
+|-----------------------|---------|-------------|
+| #VM : #Container      | 1:1     | 1:N         |
+| VM image              | minimal | full Ubuntu |
+| containerd running on | host    | inside VM   |
+| Low-level runtime     | krun    | runc        |
+| Snapshotter           | erofs   | overlayfs   |
+
+See also:
+- https://github.com/containerd/nerdbox
+- https://lima-vm.io/docs/examples/containers/containerd/

pkg/cmd/container/create.go

@@ -119,7 +119,7 @@ func Create(ctx context.Context, client *containerd.Client, args []string, netMa
 	}
 
 	opts = append(opts,
-		oci.WithDefaultSpec(),
+		oci.WithDefaultSpecForPlatform(options.Platform),
 	)
 
 	platformOpts, err := setPlatformOptions(ctx, client, id, netManager.NetworkOptions().UTSNamespace, &internalLabels, options)

pkg/cmd/container/run_mount.go

@@ -194,7 +194,8 @@ func generateMountOpts(ctx context.Context, client *containerd.Client, ensuredIm
 			}
 		}
 
-		if runtime.GOOS == "linux" {
+		switch runtime.GOOS {
+		case "linux":
 			defer unmounter(tempDir)
 			for _, m := range mounts {
 				m := m
@@ -213,7 +214,9 @@ func generateMountOpts(ctx context.Context, client *containerd.Client, ensuredIm
 					return nil, nil, nil, fmt.Errorf("failed to mount %+v on %q: %w", m, tempDir, err)
 				}
 			}
-		} else {
+		case "darwin":
+			// NOP
+		default:
 			defer unmounter(tempDir)
 			if err := mount.All(mounts, tempDir); err != nil {
 				if err := s.Remove(ctx, tempDir); err != nil && !errdefs.IsNotFound(err) {