WIP add containerd script

2022-10-24 23:41:41 -07:00 · 2022-10-24 23:41:41 -07:00 · db9b8b494f
parent 7cf345a69a
commit db9b8b494f
1 changed files with 643 additions and 0 deletions
--- a/assets/scripts/containerd.sh
+++ b/assets/scripts/containerd.sh
@ -0,0 +1,643 @@
+#!/bin/sh
+# vim: noexpandtab:
+# -----------------------------------------------------------------------------
+# Forked from https://github.com/containerd/nerdctl/blob/48f189a53a24c12838433f5bb5dd57f536816a8a/extras/rootless/containerd-rootless-setuptool.sh
+# Copyright Rin (Tamara Vassileva)
+# Licensed under the Apache License, Version 2.0
+# -----------------------------------------------------------------------------
+
+#   Copyright The containerd Authors.
+
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+# -----------------------------------------------------------------------------
+# Forked from https://github.com/moby/moby/blob/v20.10.3/contrib/dockerd-rootless-setuptool.sh
+# Copyright The Moby Authors.
+# Licensed under the Apache License, Version 2.0
+# NOTICE: https://github.com/moby/moby/blob/v20.10.3/NOTICE
+# -----------------------------------------------------------------------------
+
+# containerd-rootless-setuptool.sh: setup tool for containerd-rootless.sh
+# Needs to be executed as a non-root user.
+#
+# Typical usage: containerd-rootless-setuptool.sh install
+set -eu
+
+# utility functions
+INFO() {
+	# https://github.com/koalaman/shellcheck/issues/1593
+	# shellcheck disable=SC2039
+	/bin/echo -e "\e[104m\e[97m[INFO]\e[49m\e[39m ${*}"
+}
+
+WARNING() {
+	# shellcheck disable=SC2039
+	/bin/echo >&2 -e "\e[101m\e[97m[WARNING]\e[49m\e[39m ${*}"
+}
+
+ERROR() {
+	# shellcheck disable=SC2039
+	/bin/echo >&2 -e "\e[101m\e[97m[ERROR]\e[49m\e[39m ${*}"
+}
+
+# constants
+CONTAINERD_ROOTLESS_SH="containerd-rootless.sh"
+SYSTEMD_CONTAINERD_UNIT="containerd.service"
+SYSTEMD_BUILDKIT_UNIT="buildkit.service"
+SYSTEMD_FUSE_OVERLAYFS_UNIT="containerd-fuse-overlayfs.service"
+SYSTEMD_STARGZ_UNIT="stargz-snapshotter.service"
+SYSTEMD_IPFS_UNIT="ipfs-daemon.service"
+SYSTEMD_BYPASS4NETNSD_UNIT="bypass4netnsd.service"
+
+# global vars
+ARG0="$0"
+REALPATH0="$(realpath "$ARG0")"
+BIN=""
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-$HOME/.config}"
+XDG_DATA_HOME="${XDG_DATA_HOME:-$HOME/.local/share}"
+
+# run checks and also initialize global vars (BIN)
+init() {
+	id="$(id -u)"
+	# User verification: deny running as root
+	if [ "$id" = "0" ]; then
+		ERROR "Refusing to install rootless containerd as the root user"
+		exit 1
+	fi
+
+	# set BIN
+	if ! BIN="$(command -v "$CONTAINERD_ROOTLESS_SH" 2>/dev/null)"; then
+		ERROR "$CONTAINERD_ROOTLESS_SH needs to be present under \$PATH"
+		exit 1
+	fi
+	BIN=$(dirname "$BIN")
+
+	# detect openrc
+	if ! rc-status >/dev/null 2>&1; then
+		ERROR "Needs OpenRC (rc-status)"
+		exit 1
+	fi
+
+	# HOME verification
+	if [ -z "${HOME:-}" ] || [ ! -d "$HOME" ]; then
+		ERROR "HOME needs to be set"
+		exit 1
+	fi
+	if [ ! -w "$HOME" ]; then
+		ERROR "HOME needs to be writable"
+		exit 1
+	fi
+
+	# Validate XDG_RUNTIME_DIR
+	if [ -z "${XDG_RUNTIME_DIR:-}" ] || [ ! -w "$XDG_RUNTIME_DIR" ]; then
+		ERROR "Aborting because but XDG_RUNTIME_DIR (\"$XDG_RUNTIME_DIR\") is not set, does not exist, or is not writable"
+		ERROR "Hint: this could happen if you changed users with 'su' or 'sudo'. To work around this:"
+		ERROR "- try again by first running with root privileges 'loginctl enable-linger <user>' where <user> is the unprivileged user and export XDG_RUNTIME_DIR to the value of RuntimePath as shown by 'loginctl show-user <user>'"
+		ERROR "- or simply log back in as the desired unprivileged user (ssh works for remote machines, machinectl shell works for local machines)"
+		ERROR "See also https://rootlesscontaine.rs/getting-started/common/login/ ."
+		exit 1
+	fi
+}
+
+# CLI subcommand: "check"
+cmd_entrypoint_check() {
+	init
+	INFO "Checking RootlessKit functionality"
+	if ! rootlesskit \
+		--net=slirp4netns \
+		--disable-host-loopback \
+		--copy-up=/etc --copy-up=/run --copy-up=/var/lib \
+		true; then
+		ERROR "RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ ."
+		exit 1
+	fi
+
+	INFO "Checking cgroup v2"
+	controllers="/sys/fs/cgroup/cgroup.controllers"
+	if [ ! -f "${controllers}" ]; then
+		WARNING "Enabling cgroup v2 is highly recommended, see https://rootlesscontaine.rs/getting-started/common/cgroup2/ "
+	else
+		for f in cpu memory pids; do
+			if ! grep -qw "$f" "$controllers"; then
+				WARNING "The cgroup v2 controller \"$f\" is not delegated for the current user (\"$controllers\"), see https://rootlesscontaine.rs/getting-started/common/cgroup2/"
+			fi
+		done
+	fi
+
+	INFO "Checking overlayfs"
+	tmp=$(mktemp -d)
+	mkdir -p "${tmp}/l" "${tmp}/u" "${tmp}/w" "${tmp}/m"
+	if ! rootlesskit mount -t overlay -o lowerdir="${tmp}/l,upperdir=${tmp}/u,workdir=${tmp}/w" overlay "${tmp}/m"; then
+		WARNING "Overlayfs is not enabled, consider installing fuse-overlayfs snapshotter (\`$0 install-fuse-overlayfs\`), " \
+			"or see https://rootlesscontaine.rs/how-it-works/overlayfs/ to enable overlayfs."
+	fi
+	rm -rf "${tmp}"
+	INFO "Requirements are satisfied"
+}
+
+# CLI subcommand: "nsenter"
+cmd_entrypoint_nsenter() {
+	# No need to call init()
+	pid=$(cat "$XDG_RUNTIME_DIR/containerd-rootless/child_pid")
+	exec nsenter --no-fork --wd="$(pwd)" --preserve-credentials -m -n -U -t "$pid" -- "$@"
+}
+
+#WIP: TODO fix this errror message
+show_openrc_error() {
+	unit="$1"
+	n="20"
+	ERROR "Failed to start ${unit}. Run \`TODO SOMETHING GOES HERE\` to show the error log."
+	ERROR "Before retrying installation, you might need to uninstall the current setup: \`$0 uninstall -f ; ${BIN}/rootlesskit rm -rf ${HOME}/.local/share/containerd\`"
+}
+
+install_openrc_unit() {
+	unit="$1"
+	unit_file="${XDG_CONFIG_HOME}/openrc/user/${unit}"
+	if [ -f "${unit_file}" ]; then
+		WARNING "File already exists, skipping: ${unit_file}" #TODO Does this need changing?
+	else
+		INFO "Creating \"${unit_file}\""
+		mkdir -p "${XDG_CONFIG_HOME}/openrc/user"
+		cat >"${unit_file}"
+		systemctl --user daemon-reload #Is there a need for this on OpenRC? It should auto-read
+	fi
+	if ! systemctl --user --no-pager status "${unit}" >/dev/null 2>&1; then
+		INFO "Starting openrc unit \"${unit}\""
+		(
+			set -x
+			if ! rc-service start "${unit}"; then
+				set +x
+				show_openrc_error "${unit}"
+				exit 1
+			fi
+			sleep 3
+		)
+	fi
+	(
+		set -x
+		if ! systemctl --user --no-pager --full status "${unit}"; then
+			set +x
+			show_openrc_error "${unit}"
+			exit 1
+		fi
+		systemctl --user enable "${unit}"
+	)
+	INFO "Installed \"${unit}\" successfully."
+	INFO "To control \"${unit}\", run: \`rc-service ${unit} (start|stop|restart) \`"
+}
+
+uninstall_openrc_unit() {
+	unit="$1"
+	unit_file="${XDG_CONFIG_HOME}/openrc/user/${unit}"
+	if [ ! -f "${unit_file}" ]; then
+		INFO "Unit ${unit} is not installed"
+		return
+	fi
+	(
+		set -x
+		systemctl --user stop "${unit}"
+	) || :
+	(
+		set -x
+		systemctl --user disable "${unit}"
+	) || :
+	rm -f "${unit_file}"
+	INFO "Uninstalled \"${unit}\""
+}
+
+# CLI subcommand: "install"
+cmd_entrypoint_install() {
+	init
+	cmd_entrypoint_check
+	cat <<-EOT | install_openrc_unit "${SYSTEMD_CONTAINERD_UNIT}"
+		[Unit]
+		Description=containerd (Rootless)
+
+		[Service]
+		Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
+		Environment=CONTAINERD_ROOTLESS_ROOTLESSKIT_FLAGS=${CONTAINERD_ROOTLESS_ROOTLESSKIT_FLAGS:-}
+		ExecStart=$BIN/${CONTAINERD_ROOTLESS_SH}
+		ExecReload=/bin/kill -s HUP \$MAINPID
+		TimeoutSec=0
+		RestartSec=2
+		Restart=always
+		StartLimitBurst=3
+		StartLimitInterval=60s
+		LimitNOFILE=infinity
+		LimitNPROC=infinity
+		LimitCORE=infinity
+		TasksMax=infinity
+		Delegate=yes
+		Type=simple
+		KillMode=mixed
+
+		[Install]
+		WantedBy=default.target
+	EOT
+	systemctl --user daemon-reload
+	INFO "To run \"${SYSTEMD_CONTAINERD_UNIT}\" on system startup automatically, run: \`sudo loginctl enable-linger $(id -un)\`"
+	INFO "------------------------------------------------------------------------------------------"
+	INFO "Use \`nerdctl\` to connect to the rootless containerd."
+	INFO "You do NOT need to specify \$CONTAINERD_ADDRESS explicitly."
+}
+
+# CLI subcommand: "install-buildkit"
+cmd_entrypoint_install_buildkit() {
+	init
+	if ! command -v "buildkitd" >/dev/null 2>&1; then
+		ERROR "buildkitd (https://github.com/moby/buildkit) needs to be present under \$PATH"
+		exit 1
+	fi
+	if ! systemctl --user --no-pager status "${SYSTEMD_CONTAINERD_UNIT}" >/dev/null 2>&1; then
+		ERROR "Install containerd first (\`$ARG0 install\`)"
+		exit 1
+	fi
+	cat <<-EOT | install_openrc_unit "${SYSTEMD_BUILDKIT_UNIT}"
+		[Unit]
+		Description=BuildKit (Rootless)
+		PartOf=${SYSTEMD_CONTAINERD_UNIT}
+
+		[Service]
+		Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
+		ExecStart="$REALPATH0" nsenter buildkitd
+		ExecReload=/bin/kill -s HUP \$MAINPID
+		RestartSec=2
+		Restart=always
+		Type=simple
+		KillMode=mixed
+
+		[Install]
+		WantedBy=default.target
+	EOT
+}
+
+# CLI subcommand: "install-buildkit-containerd"
+cmd_entrypoint_install_buildkit_containerd() {
+	init
+	if ! command -v "buildkitd" >/dev/null 2>&1; then
+		ERROR "buildkitd (https://github.com/moby/buildkit) needs to be present under \$PATH"
+		exit 1
+	fi
+	if [ ! -f "${XDG_CONFIG_HOME}/buildkit/buildkitd.toml" ]; then
+		mkdir -p "${XDG_CONFIG_HOME}/buildkit"
+		cat <<-EOF > "${XDG_CONFIG_HOME}/buildkit/buildkitd.toml"
+			[worker.oci]
+			enabled = false
+
+			[worker.containerd]
+			enabled = true
+			rootless = true
+		EOF
+	fi
+	if ! systemctl --user --no-pager status "${SYSTEMD_CONTAINERD_UNIT}" >/dev/null 2>&1; then
+		ERROR "Install containerd first (\`$ARG0 install\`)"
+		exit 1
+	fi
+	UNIT_NAME=${SYSTEMD_BUILDKIT_UNIT}
+	BUILDKITD_FLAG=
+	if [ -n "${CONTAINERD_NAMESPACE:-}" ] ; then
+		UNIT_NAME="${CONTAINERD_NAMESPACE}-${SYSTEMD_BUILDKIT_UNIT}"
+		BUILDKITD_FLAG="${BUILDKITD_FLAG} --addr=unix://${XDG_RUNTIME_DIR}/buildkit-${CONTAINERD_NAMESPACE}/buildkitd.sock --root=${XDG_DATA_HOME}/buildkit-${CONTAINERD_NAMESPACE} --containerd-worker-namespace=${CONTAINERD_NAMESPACE}"
+	else
+		WARNING "buildkitd has access to images in \"buildkit\" namespace by default. If you want to give buildkitd access to the images in \"default\" namespace, run this command with CONTAINERD_NAMESPACE=default"
+	fi
+	if [ -n "${CONTAINERD_SNAPSHOTTER:-}" ] ; then
+		BULDKITD_FLAG="${BUILDKITD_FLAG} --containerd-worker-snapshotter=${CONTAINERD_SNAPSHOTTER}"
+	fi
+	cat <<-EOT | install_openrc_unit "${UNIT_NAME}"
+		[Unit]
+		Description=BuildKit (Rootless)
+		PartOf=${SYSTEMD_CONTAINERD_UNIT}
+
+		[Service]
+		Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
+		ExecStart="$REALPATH0" nsenter -- buildkitd ${BUILDKITD_FLAG}
+		ExecReload=/bin/kill -s HUP \$MAINPID
+		RestartSec=2
+		Restart=always
+		Type=simple
+		KillMode=mixed
+
+		[Install]
+		WantedBy=default.target
+	EOT
+}
+
+# CLI subcommand: "install-bypass4netnsd"
+cmd_entrypoint_install_bypass4netnsd() {
+	init
+	if ! command -v "bypass4netnsd" >/dev/null 2>&1; then
+		ERROR "bypass4netnsd (https://github.com/rootless-containers/bypass4netns) needs to be present under \$PATH"
+		exit 1
+	fi
+	command_v_bypass4netnsd="$(command -v bypass4netnsd)"
+	# FIXME: bail if bypass4netnsd is an alias
+	cat <<-EOT | install_openrc_unit "${SYSTEMD_BYPASS4NETNSD_UNIT}"
+		[Unit]
+		Description=bypass4netnsd (daemon for bypass4netns, accelerator for rootless containers)
+		# Not PartOf=${SYSTEMD_CONTAINERD_UNIT}
+
+		[Service]
+		Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
+		ExecStart="${command_v_bypass4netnsd}"
+		ExecReload=/bin/kill -s HUP \$MAINPID
+		RestartSec=2
+		Restart=always
+		Type=simple
+		KillMode=mixed
+
+		[Install]
+		WantedBy=default.target
+	EOT
+	INFO "To use bypass4netnsd, set the \"nerdctl/bypass4netns=true\" label on containers, e.g., \`nerdctl run --label nerdctl/bypass4netns=true\`"
+}
+
+# CLI subcommand: "install-fuse-overlayfs"
+cmd_entrypoint_install_fuse_overlayfs() {
+	init
+	if ! command -v "containerd-fuse-overlayfs-grpc" >/dev/null 2>&1; then
+		ERROR "containerd-fuse-overlayfs-grpc (https://github.com/containerd/fuse-overlayfs-snapshotter) needs to be present under \$PATH"
+		exit 1
+	fi
+	if ! command -v "fuse-overlayfs" >/dev/null 2>&1; then
+		ERROR "fuse-overlayfs (https://github.com/containers/fuse-overlayfs) needs to be present under \$PATH"
+		exit 1
+	fi
+	if ! systemctl --user --no-pager status "${SYSTEMD_CONTAINERD_UNIT}" >/dev/null 2>&1; then
+		ERROR "Install containerd first (\`$ARG0 install\`)"
+		exit 1
+	fi
+	cat <<-EOT | install_openrc_unit "${SYSTEMD_FUSE_OVERLAYFS_UNIT}"
+		[Unit]
+		Description=containerd-fuse-overlayfs (Rootless)
+		PartOf=${SYSTEMD_CONTAINERD_UNIT}
+
+		[Service]
+		Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
+		ExecStart="$REALPATH0" nsenter containerd-fuse-overlayfs-grpc "${XDG_RUNTIME_DIR}/containerd-fuse-overlayfs.sock" "${XDG_DATA_HOME}/containerd-fuse-overlayfs"
+		ExecReload=/bin/kill -s HUP \$MAINPID
+		RestartSec=2
+		Restart=always
+		Type=simple
+		KillMode=mixed
+
+		[Install]
+		WantedBy=default.target
+	EOT
+	INFO "Add the following lines to \"${XDG_CONFIG_HOME}/containerd/config.toml\" manually, and then run \`systemctl --user restart ${SYSTEMD_CONTAINERD_UNIT}\`:"
+	cat <<-EOT
+		### BEGIN ###
+		[proxy_plugins]
+		  [proxy_plugins."fuse-overlayfs"]
+		    type = "snapshot"
+		    address = "${XDG_RUNTIME_DIR}/containerd-fuse-overlayfs.sock"
+		###  END  ###
+	EOT
+	INFO "Set \`export CONTAINERD_SNAPSHOTTER=\"fuse-overlayfs\"\` to use the fuse-overlayfs snapshotter."
+}
+
+# CLI subcommand: "install-stargz"
+cmd_entrypoint_install_stargz() {
+	init
+	if ! command -v "containerd-stargz-grpc" >/dev/null 2>&1; then
+		ERROR "containerd-stargz-grpc (https://github.com/containerd/stargz-snapshotter) needs to be present under \$PATH"
+		exit 1
+	fi
+	if ! systemctl --user --no-pager status "${SYSTEMD_CONTAINERD_UNIT}" >/dev/null 2>&1; then
+		ERROR "Install containerd first (\`$ARG0 install\`)"
+		exit 1
+	fi
+	if [ ! -f "${XDG_CONFIG_HOME}/containerd-stargz-grpc/config.toml" ]; then
+		mkdir -p "${XDG_CONFIG_HOME}/containerd-stargz-grpc"
+		touch "${XDG_CONFIG_HOME}/containerd-stargz-grpc/config.toml"
+	fi
+	cat <<-EOT | install_openrc_unit "${SYSTEMD_STARGZ_UNIT}"
+		[Unit]
+		Description=stargz snapshotter (Rootless)
+		PartOf=${SYSTEMD_CONTAINERD_UNIT}
+
+		[Service]
+		Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
+		Environment=IPFS_PATH=${XDG_DATA_HOME}/ipfs
+		ExecStart="$REALPATH0" nsenter -- containerd-stargz-grpc -address "${XDG_RUNTIME_DIR}/containerd-stargz-grpc/containerd-stargz-grpc.sock" -root "${XDG_DATA_HOME}/containerd-stargz-grpc" -config "${XDG_CONFIG_HOME}/containerd-stargz-grpc/config.toml"
+		ExecReload=/bin/kill -s HUP \$MAINPID
+		RestartSec=2
+		Restart=always
+		Type=simple
+		KillMode=mixed
+
+		[Install]
+		WantedBy=default.target
+	EOT
+	INFO "Add the following lines to \"${XDG_CONFIG_HOME}/containerd/config.toml\" manually, and then run \`systemctl --user restart ${SYSTEMD_CONTAINERD_UNIT}\`:"
+	cat <<-EOT
+		### BEGIN ###
+		[proxy_plugins]
+		  [proxy_plugins."stargz"]
+		    type = "snapshot"
+		    address = "${XDG_RUNTIME_DIR}/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+		###  END  ###
+	EOT
+	INFO "Set \`export CONTAINERD_SNAPSHOTTER=\"stargz\"\` to use the stargz snapshotter."
+}
+
+# CLI subcommand: "install-ipfs"
+cmd_entrypoint_install_ipfs() {
+	init
+	if ! command -v "ipfs" >/dev/null 2>&1; then
+		ERROR "ipfs needs to be present under \$PATH"
+		exit 1
+	fi
+	if ! systemctl --user --no-pager status "${SYSTEMD_CONTAINERD_UNIT}" >/dev/null 2>&1; then
+		ERROR "Install containerd first (\`$ARG0 install\`)"
+		exit 1
+	fi
+	IPFS_PATH="${XDG_DATA_HOME}/ipfs"
+	mkdir -p "${IPFS_PATH}"
+	cat <<-EOT | install_openrc_unit "${SYSTEMD_IPFS_UNIT}"
+		[Unit]
+		Description=ipfs daemon for rootless nerdctl
+		PartOf=${SYSTEMD_CONTAINERD_UNIT}
+
+		[Service]
+		Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
+		Environment=IPFS_PATH=${IPFS_PATH}
+		ExecStart="$REALPATH0" nsenter -- ipfs daemon $@
+		ExecReload=/bin/kill -s HUP \$MAINPID
+		RestartSec=2
+		Restart=always
+		Type=simple
+		KillMode=mixed
+
+		[Install]
+		WantedBy=default.target
+	EOT
+
+	# Avoid using 5001(api)/8080(gateway) which are reserved by tests.
+	# TODO: support unix socket
+	systemctl --user stop "${SYSTEMD_IPFS_UNIT}"
+	sleep 3
+	IPFS_PATH=${IPFS_PATH} ipfs config Addresses.API "/ip4/127.0.0.1/tcp/5888"
+	IPFS_PATH=${IPFS_PATH} ipfs config Addresses.Gateway "/ip4/127.0.0.1/tcp/5889"
+	systemctl --user restart "${SYSTEMD_IPFS_UNIT}"
+	sleep 3
+
+	INFO "If you use stargz-snapshotter, add the following line to \"${XDG_CONFIG_HOME}/containerd-stargz-grpc/config.toml\" manually, and then run \`systemctl --user restart ${SYSTEMD_STARGZ_UNIT}\`:"
+	cat <<-EOT
+		### BEGIN ###
+		ipfs = true
+		###  END  ###
+	EOT
+	INFO "If you want to expose the port 4001 of ipfs daemon, re-install rootless containerd with CONTAINERD_ROOTLESS_ROOTLESSKIT_FLAGS=\"--publish=0.0.0.0:4001:4001/tcp\" environment variable."
+	INFO "Set \`export IPFS_PATH=\"${IPFS_PATH}\"\` to use ipfs."
+}
+
+# CLI subcommand: "uninstall"
+cmd_entrypoint_uninstall() {
+	init
+	uninstall_openrc_unit "${SYSTEMD_BUILDKIT_UNIT}"
+	uninstall_openrc_unit "${SYSTEMD_FUSE_OVERLAYFS_UNIT}"
+	uninstall_openrc_unit "${SYSTEMD_CONTAINERD_UNIT}"
+
+	INFO "This uninstallation tool does NOT remove containerd binaries and data."
+	INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${XDG_DATA_HOME}/containerd\`"
+}
+
+# CLI subcommand: "uninstall-buildkit"
+cmd_entrypoint_uninstall_buildkit() {
+	init
+	uninstall_openrc_unit "${SYSTEMD_BUILDKIT_UNIT}"
+	INFO "This uninstallation tool does NOT remove data."
+	INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${XDG_DATA_HOME}/buildkit"
+}
+
+# CLI subcommand: "uninstall-buildkit-containerd"
+cmd_entrypoint_uninstall_buildkit_containerd() {
+	init
+	UNIT_NAME=${SYSTEMD_BUILDKIT_UNIT}
+	BUILDKIT_ROOT="${XDG_DATA_HOME}/buildkit"
+	if [ -n "${CONTAINERD_NAMESPACE:-}" ] ; then
+		UNIT_NAME="${CONTAINERD_NAMESPACE}-${SYSTEMD_BUILDKIT_UNIT}"
+		BUILDKIT_ROOT="${XDG_DATA_HOME}/buildkit-${CONTAINERD_NAMESPACE}"
+	fi
+	uninstall_openrc_unit "${UNIT_NAME}"
+	INFO "This uninstallation tool does NOT remove data."
+	INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${BUILDKIT_ROOT}\`"
+}
+
+# CLI subcommand: "uninstall-bypass4netnsd"
+cmd_entrypoint_uninstall_bypass4netnsd() {
+	init
+	uninstall_openrc_unit "${SYSTEMD_BYPASS4NETNSD_UNIT}"
+}
+
+# CLI subcommand: "uninstall-fuse-overlayfs"
+cmd_entrypoint_uninstall_fuse_overlayfs() {
+	init
+	uninstall_openrc_unit "${SYSTEMD_FUSE_OVERLAYFS_UNIT}"
+	INFO "This uninstallation tool does NOT remove data."
+	INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${XDG_DATA_HOME}/containerd-fuse-overlayfs"
+}
+
+# CLI subcommand: "uninstall-stargz"
+cmd_entrypoint_uninstall_stargz() {
+	init
+	uninstall_openrc_unit "${SYSTEMD_STARGZ_UNIT}"
+	INFO "This uninstallation tool does NOT remove data."
+	INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${XDG_DATA_HOME}/containerd-stargz-grpc"
+}
+
+# CLI subcommand: "uninstall-ipfs"
+cmd_entrypoint_uninstall_ipfs() {
+	init
+	uninstall_openrc_unit "${SYSTEMD_IPFS_UNIT}"
+	INFO "This uninstallation tool does NOT remove data."
+	INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${XDG_DATA_HOME}/ipfs"
+}
+
+# text for --help
+usage() {
+	echo "Usage: ${ARG0} [OPTIONS] COMMAND"
+	echo
+	echo "A setup tool for Rootless containerd (${CONTAINERD_ROOTLESS_SH})."
+	echo
+	echo "Commands:"
+	echo "  check        Check prerequisites"
+	echo "  nsenter      Enter into RootlessKit namespaces (mostly for debugging)"
+	echo "  install      Install openrc unit and show how to manage the service"
+	echo "  uninstall    Uninstall openrc unit"
+	echo
+	echo "Add-on commands (BuildKit):"
+	echo "  install-buildkit            Install the openrc unit for BuildKit"
+	echo "  uninstall-buildkit          Uninstall the openrc unit for BuildKit"
+	echo
+	echo "Add-on commands (bypass4netnsd):"
+	echo "  install-bypass4netnsd       Install the openrc unit for bypass4netnsd"
+	echo "  uninstall-bypass4netnsd     Uninstall the openrc unit for bypass4netnsd"
+	echo
+	echo "Add-on commands (fuse-overlayfs):"
+	echo "  install-fuse-overlayfs      Install the openrc unit for fuse-overlayfs snapshotter"
+	echo "  uninstall-fuse-overlayfs    Uninstall the openrc unit for fuse-overlayfs snapshotter"
+	echo
+	echo "Add-on commands (stargz):"
+	echo "  install-stargz              Install the openrc unit for stargz snapshotter"
+	echo "  uninstall-stargz            Uninstall the openrc unit for stargz snapshotter"
+	echo
+	echo "Add-on commands (ipfs):"
+	echo "  install-ipfs [ipfs-daemon-flags...]  Install the openrc unit for ipfs daemon. Specify \"--offline\" if run the daemon in offline mode"
+	echo "  uninstall-ipfs                       Uninstall the openrc unit for ipfs daemon"
+	echo
+	echo "Add-on commands (BuildKit containerd worker):"
+	echo "  install-buildkit-containerd   Install the openrc unit for BuildKit with CONTAINERD_NAMESPACE=${CONTAINERD_NAMESPACE:-} and CONTAINERD_SNAPSHOTTER=${CONTAINERD_SNAPSHOTTER:-}"
+	echo "  uninstall-buildkit-containerd Uninstall the openrc unit for BuildKit with CONTAINERD_NAMESPACE=${CONTAINERD_NAMESPACE:-} and CONTAINERD_SNAPSHOTTER=${CONTAINERD_SNAPSHOTTER:-}"
+}
+
+# parse CLI args
+if ! args="$(getopt -o h --long help -n "$ARG0" -- "$@")"; then
+	usage
+	exit 1
+fi
+eval set -- "$args"
+while [ "$#" -gt 0 ]; do
+	arg="$1"
+	shift
+	case "$arg" in
+	-h | --help)
+		usage
+		exit 0
+		;;
+	--)
+		break
+		;;
+	*)
+		# XXX this means we missed something in our "getopt" arguments above!
+		ERROR "Scripting error, unknown argument '$arg' when parsing script arguments."
+		exit 1
+		;;
+	esac
+done
+
+command=$(echo "${1:-}" | sed -e "s/-/_/g")
+if [ -z "$command" ]; then
+	ERROR "No command was specified. Run with --help to see the usage. Maybe you want to run \`$ARG0 install\`?"
+	exit 1
+fi
+
+if ! command -v "cmd_entrypoint_${command}" >/dev/null 2>&1; then
+	ERROR "Unknown command: ${command}. Run with --help to see the usage."
+	exit 1
+fi
+
+# main
+shift
+"cmd_entrypoint_${command}" "$@"