Allow to easily configure the containerd snapshotter with dind

[victornoel]

Hi,

I am using docker:25-dind in my Gitlab CI pipeline to build images (following this guide: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker) and it is not possible in this situation to add or modify files from dind.

I would like to be able to use this feature: https://docs.docker.com/storage/containerd/#enable-containerd-image-store-on-docker-engine but there is no option for dockerd to enable the feature.

For now, I found a workaround by setting the environment variable TEST_INTEGRATION_USE_SNAPSHOTTER, which is originally how the moby project enable the feature when running their integration test 🙃 I would like instead to have an official way of doing that, either by improving the dind image, or if you tell me it's not possible, I will create an issue in the moby repository.

[tianon]

I totally agree: https://github.com/tianon/dockerfiles/blob/d3347e43ce001c98954b38fef5d894cc77742842/docker-master/Dockerfile.containerd 😭
(for my personal tianon/docker-master images, I maintain a whole second Dockerfile just to enable the containerd snapshotter correctly 😅)

@thaJeztah do you know if there's already an open issue for enabling "features" via flags to dockerd? 👀

[tianon]

moby/moby#48167 👀

(split off from moby/moby#48009 (comment) 😄)

[Selaron]

For me this gitlab dind pipeline job now successfully enables containerd image storage via --feature containerd-snapshotter=true commandline argument in my testing environment:

docker_build:
  image: docker:27
  services:
    - name: docker:27-dind
      command:
        - "--insecure-registry"
        - "gitlab.test.company.tld:5050"
        - "--feature"
        - "containerd-snapshotter=true"
  tags:
    - dind
  variables:
    DOCKER_TLS_CERTDIR: ""
  before_script:
    # update CA in order to trust self-signed certificate from /srv/gitlab/config/ssl/gitlab.test.company.tld.crt
    # else cache from image won't work complaining about untrusted certificate.
    - update-ca-certificates
  script:
    - docker info -f '{{ .DriverStatus }}'

Pipeline Output:

[[driver-type io.containerd.snapshotter.v1]]

The runner tagged dind is configured via config.toml like this:

# Docker runner that supports DIND
[[runners]]
  name = "test-runner-dind"
  url = "https://gitlab.test.company.tld/"
  token = "redacted"
  executor = "docker"
  output_limit = 102400
  tls-ca-file = "/etc/gitlab/ssl/gitlab.test.company.tld.crt"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "docker:26.0"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = true
    volumes = ["/cache", "/certs/client", "/srv/gitlab/config/ssl/gitlab.test.company.tld.crt:/usr/local/share/ca-certificates/gitlab.test.company.tld.crt:ro", "/some/caches/archives:/cache:rw"]
    shm_size = 0
    pull_policy = "if-not-present"
    cache_dir = "/path/to/cache"