
Installing Finch optional components on Linux

Finch on Linux can make use of some optional components. On other Finch platforms, some of these optional components are installed at runtime. This works well for platforms where Finch has its own isolated VM environment, but runtime management of system dependencies on a shared system is more problematic, so these optional components must be installed and configured manually on Linux at this time.

SOCI snapshotter

The SOCI snapshotter ("SOCI" is short for "Seekable OCI", and is pronounced "so-CHEE") is a containerd snapshotter plugin which enables standard OCI images to be lazily loaded without requiring a build-time conversion step.

Follow the steps corresponding with your distribution in order to use the SOCI snapshotter with Finch on Linux.

Amazon Linux

SOCI is packaged in the standard Amazon Linux repositories, so installing SOCI is as easy as installing any other Amazon Linux package.

On Amazon Linux 2023:

$ sudo dnf install soci-snapshotter

On Amazon Linux 2:

$ sudo amazon-linux-extras enable docker
$ sudo yum install soci-snapshotter

SOCI also requires a daemon, which can be started with systemd after package installation:

$ sudo systemctl start soci-snapshotter


Other distributions

  1. Download the SOCI binary archive corresponding to your system's architecture from the project's Releases tab, and extract it using a command like tar Cxzvvf /usr/local/bin soci-snapshotter-${SOCI_VERSION}-linux-amd64-static.tar.gz ./soci ./soci-snapshotter-grpc
  2. Run the SOCI snapshotter gRPC daemon as a system service using a service manager, like systemd, or run it directly. An example systemd service file can be found here.
  3. Configure containerd with a proxy_plugin config section for SOCI, by following these instructions.

ECR Credential Helper

The Amazon ECR Docker Credential Helper is a credential helper for the Docker daemon that makes it easier to use Amazon Elastic Container Registry. It removes the need to directly manage registry credentials via traditional login commands, making it easier to push/pull from authenticated ECR registries.

Amazon Linux

The ECR Credential Helper is packaged in the standard Amazon Linux repositories, so installing the ECR Credential Helper is as easy as installing any other Amazon Linux package.

On Amazon Linux 2023:

$ sudo dnf install amazon-ecr-credential-helper

On Amazon Linux 2:

$ sudo amazon-linux-extras enable docker
$ sudo yum install amazon-ecr-credential-helper


Other distributions

  1. Download the ECR Credential Helper binary corresponding to your system's architecture from the project's Releases tab, and set its executable bit using chmod +x docker-credential-ecr-login.
  2. Move the executable to a location within the root user's PATH (e.g. mv docker-credential-ecr-login /bin/docker-credential-ecr-login).


The ECR Credential Helper must also be configured in the root user's Docker config, which can be found at /root/.docker/config.json. Follow the steps in this guide to configure the credential helper.

Running finch without sudo

By default, Finch requires sudo to run, since the containerd and buildkit daemons require root access. In order to avoid the need for typing sudo before every finch command, you can run the following:

# create a new group which will contain all users that can run finch without sudo
# (groupadd and usermod modify system account files, so they need root as well)
sudo /usr/sbin/groupadd -r "finch"
# add your user to the group
sudo /usr/sbin/usermod -a -G "finch" "${USER}"

# allow users to execute without using "sudo"
sudo chgrp "finch" /usr/local/bin/nerdctl
sudo chmod +s /usr/local/bin/nerdctl
sudo chgrp "finch" /usr/bin/finch
sudo chmod +s /usr/bin/finch

NOTE: this process does not remove the requirement for running the commands with root privileges; it simply sidesteps the need to type sudo on every execution. Evaluate whether using chmod +s fits your security posture before using this configuration.
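
To support that evaluation, the following audit is an added example (not from the Finch documentation) that reports who can actually execute the two setuid binaries. chmod +s sets the setuid and setgid bits but leaves the existing permission bits alone, so a binary that was 0755 remains executable by every local user, not only members of the finch group. The helper names check_mode and audit_setuid are hypothetical, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example, not part of the Finch docs. check_mode and audit_setuid are
# hypothetical helper names; assumes GNU coreutils stat (-c).

# check_mode <octal-mode> <owner> <group> <expected-group>
# Prints findings; returns 1 if the setuid file is reachable beyond the group.
check_mode() {
    mode=$1; owner=$2; group=$3; want=$4; rc=0
    m=$((0$mode))                      # leading 0: parse stat's %a as octal
    if [ $(( $m & 04000 )) -eq 0 ]; then
        echo "OK not setuid (mode $mode)"
        return 0
    fi
    if [ "$group" != "$want" ]; then
        echo "FAIL group is $group, expected $want"; rc=1
    fi
    # chmod +s keeps the old rwx bits: 0755 becomes 6755, so "others" can
    # still execute the file and get the owner's effective UID.
    if [ $(( $m & 0001 )) -ne 0 ]; then
        echo "FAIL world-executable setuid (mode $mode): not limited to group $group"; rc=1
    fi
    if [ $(( $m & 0022 )) -ne 0 ]; then
        echo "FAIL writable by group or others (mode $mode)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK setuid $owner, executable by owner and group $group only"
    return "$rc"
}

# audit_setuid <path> [expected-group]   (returns 2 if the file is absent)
audit_setuid() {
    path=$1; want=${2:-finch}
    [ -f "$path" ] || { echo "SKIP $path not found"; return 2; }
    set -- $(stat -c '%a %U %G' "$path")
    echo "$path:"
    check_mode "$1" "$2" "$3" "$want"
}

# The two binaries the page marks setuid.
for bin in /usr/local/bin/nerdctl /usr/bin/finch; do
    audit_setuid "$bin" finch || true
done
```

A world-executable finding means membership in the finch group is not what limits access to the root-privileged binary.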
