Add NerdctlClient for Finch and nerdctl support #327
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds full support for AWS Finch as a container runtime, enabling the VS Code Docker extension to work with Finch-managed containers. ## What is Finch? Finch is an open source container development tool from AWS that provides a simple, native client for building, running, and managing containers. It uses containerd and nerdctl under the hood. - Homepage: https://aws.amazon.com/finch/ - GitHub: https://github.com/runfinch/finch - Documentation: https://runfinch.com/docs/ ## Implementation Details ### Core Client (`FinchClient.ts`) - Extends PodmanLikeClient since Finch/nerdctl share similar CLI patterns - Handles containerd-native event format (different from Docker's format) - Implements file read/write using temp file workaround (Finch's cp doesn't support stdio streaming yet) - Custom port exposure argument handling for nerdctl compatibility ### Event Stream Support Finch outputs containerd native events, NOT Docker-compatible events: - Uses `Topic` field (e.g., `/containers/create`) instead of `Type`/`Action` - Event payload is a nested JSON string in the `Event` field - Client-side filtering for types, actions, since/until parameters ### Zod Schemas for CLI Output Parsing - `FinchListContainerRecord` - Container listing - `FinchListImageRecord` - Image listing - `FinchListNetworkRecord` - Network listing - `FinchInspectContainerRecord` - Container inspection - `FinchInspectImageRecord` - Image inspection with date validation - `FinchInspectNetworkRecord` - Network inspection - `FinchInspectVolumeRecord` - Volume inspection - `FinchVersionRecord` - Version information - `FinchEventRecord` - containerd native event format ### Compose Support (`FinchComposeClient.ts`) Uses Finch's built-in compose command (`finch compose`) which is provided by nerdctl's compose implementation. ## Testing E2E tests updated to support Finch via `CONTAINER_CLIENT=finch` env var. All container operations tested and passing: - Container lifecycle (create, start, stop, remove, exec, attach, logs) - Image operations (pull, build, tag, push, remove, inspect) - Network and volume management - File system operations (stat, read, write) using temp file workaround - Event streaming with containerd format parsing - Compose operations (up, down, start, stop, restart, logs, config) - Login/logout with registry credentials ### Known Limitations - Context commands skipped (Docker-only feature) - File streaming uses temp files (Finch cp doesn't support stdin/stdout) - Event filtering done client-side (Finch doesn't support --since/--until) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Author
|
@microsoft-github-policy-service agree |
Fixes based on CODEX_REVIEW.md recommendations:
**High-Priority Fixes:**
1. Fix parseEventTimestamp - relative time math was inverted
- "1m" now correctly means 1 minute ago (in the past)
- "-1s" now correctly means 1 second from now (in the future)
2. Fix inspect parsing for multi-target calls
- Added parseJsonArrayOrLines() helper to handle both:
- JSON arrays (nerdctl default behavior)
- Newline-separated JSON objects (when --format used)
3. Fix shell injection risks in readFile/writeFile
- Use /bin/sh instead of bash for portability
- Added shellEscapeSingleQuote() for proper path escaping
- Properly escape container paths and command names
**Medium-Priority Improvements:**
4. Fix incorrect override parameter types
- Changed parseInspectNetworksCommandOutput to use InspectNetworksCommandOptions
- Changed parseInspectVolumesCommandOutput to use InspectVolumesCommandOptions
5. Improve epoch fallbacks
- Use new Date() instead of new Date(0) as fallback (less misleading)
- In strict mode, throw errors for missing/invalid dates
6. Fix volume label parsing
- Use parseDockerLikeLabels() to properly handle "key=value" string format
7. Deduplicate size parsing
- Use tryParseSize() utility in FinchListImageRecord for consistency
8. Handle unsupported labels filter in getEventStream
- Throw CommandNotSupportedError when labels filter is provided
- Document limitation clearly in JSDoc
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This was referenced Jan 11, 2026
Collaborator
|
Given that Finch is basically just nerdctl, I think it would make more sense for this to be a nerdctl client, but with the ability to accept a different configured command name (i.e. nerdctl support has also been requested previously: microsoft/vscode-containers#119 Can you rename the classes/etc. accordingly? |
Since Finch is essentially a wrapper around nerdctl, rename the client
to NerdctlClient for broader applicability. The client now:
- Defaults to 'nerdctl' command (was 'finch')
- Accepts configurable command name via constructor parameter
- Supports both nerdctl and finch (via `new NerdctlClient('finch')`)
This change addresses review feedback and enables support for both
direct nerdctl users and AWS Finch users with the same codebase.
Renamed files:
- FinchClient → NerdctlClient
- FinchComposeClient → NerdctlComposeClient
- All supporting record/schema files
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
tinovyatkin
force-pushed
the
feature/add-finch-support
branch
from
f49d1cc to
63b293a
Compare
- NerdctlComposeClient: Override getUpCommandArgs to exclude unsupported flags (--timeout, --no-start, --wait, --watch) - NerdctlComposeClient: Override getDownCommandArgs to exclude --timeout - Export withCommonOrchestratorArgs and withComposeArg from base class - Update orchestrator E2E tests: - Fix version check regex to match docker/podman/nerdctl compose outputs - Skip --no-start tests for finch (not supported) - Skip config --images/--profiles/--volumes for non-Docker clients - Use SIGTERM-responsive containers for faster shutdown Test results: - Docker: 55 passing, 2 pending - Podman: 46 passing, 11 pending - Finch: 40 passing, 10 pending, 7 failing (pre-existing nerdctl issues) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
In nerdctl/finch, containers that exit immediately lose their port mappings and can't be used for exec/filesystem operations. Fixed by: - Add entrypoint/command to keep test containers running - Use SIGTERM trap for fast graceful shutdown - Fix LogsForContainerCommand to use simple echo entrypoint All tests now pass for Docker, Podman, and Finch. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Author
|
Thanks @bwateratmsft! Great suggestion - you're right that Finch is essentially nerdctl under the hood. I've refactored as suggested:
The client can now support any nerdctl-based CLI: // For Finch
new NerdctlClient('finch', 'Finch', 'Runs container commands using the Finch CLI');
// For nerdctl directly
new NerdctlClient(); // defaults to 'nerdctl'I also added overrides in All E2E tests pass for Docker, Podman, and Finch. |
tinovyatkin
changed the title
- Use Zod transform to parse nested Event JSON string during schema validation - Replace passthrough() with looseObject() per Zod v4 migration guide - Rename parseContainerdEventPayload to getActorFromEventPayload since Event is now pre-parsed - Simplify actor extraction logic using nullish coalescing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Create ZodTransforms.ts with reusable transformation schemas: - dateStringSchema / dateStringWithFallbackSchema for date parsing - booleanStringSchema for "true"/"false" string to boolean - labelsStringSchema / labelsSchema for Docker-like label parsing - osTypeStringSchema, architectureStringSchema for enum normalization - protocolStringSchema, numericStringSchema, containerStateStringSchema Apply transforms to Nerdctl record files: - NerdctlListNetworkRecord: boolean strings, labels, dates - NerdctlInspectVolumeRecord: labels, dates - NerdctlInspectNetworkRecord: dates - NerdctlListContainerRecord: labels - NerdctlListImageRecord: dates - NerdctlInspectContainerRecord: dates - NerdctlInspectImageRecord: dates, architecture, OS This moves transformation logic from normalize functions into Zod schemas, leveraging Zod's transform() for cleaner, more declarative parsing. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use UTC fallback in dateStringWithFallbackSchema for consistency - Validate EventType and EventAction against schemas before returning from parseContainerdTopic to ensure type safety Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds support for Finch and other nerdctl-based container runtimes, enabling the VS Code Docker extension to work with these alternative container engines.
Architecture
Following reviewer feedback, the implementation uses a generic
NerdctlClientwith configurable command name rather than a Finch-specific client. This allows supporting any nerdctl-based CLI:What is Finch?
Finch is an open source tool for local container development, originally released by AWS in November 2022. It uses containerd and nerdctl under the hood.
Documentation:
Key Implementation Details
containerd Native Events
Finch/nerdctl outputs containerd native events (NOT Docker-compatible):
{ "Timestamp": "2026-01-10T23:38:26.737324778Z", "Topic": "/containers/create", "Event": "{\"id\":\"...\",\"image\":\"...\"}" }The client translates between these formats and performs client-side filtering since nerdctl doesn't support
--since/--untilflags.Compose Limitations
NerdctlComposeClient overrides command generation to exclude unsupported flags:
up: excludes--timeout,--no-start,--wait,--watchdown: excludes--timeoutconfig: only--servicesis supported (not--images,--profiles,--volumes)File Operations Workaround
Nerdctl's
cpcommand advertises stdin/stdout support (-) but it's not fully implemented. This PR uses a temp file workaround.Test Results
All E2E tests pass for all three container clients:
Test Coverage
Known Limitations (reflected in pending tests)
🤖 Generated with Claude Code