PR #10906 breaks when using gVisor

[lorenz]

Description

PR #10906 unconditionally adds pipe ownership options to runtimes, but these only work with runc as the option format is extensible and other runtimes like gVisor use a different one. This is also a breaking change for people using the 2.0 branch.

Steps to reproduce the issue

1. Use Kubernetes 1.31, gVisor 20241119 and containerd 2.0 with the cherry-pick of the referenced PR.
2. Use the following configuration snippet in containerd:

        [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runsc]
          runtime_type = "io.containerd.runsc.v1"
          privileged_without_host_devices = false
          privileged_without_host_devices_all_devices_allowed = false

          [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runsc.options]
            ConfigPath = "/containerd/conf/runsc.toml"
            TypeUrl = "io.containerd.runsc.v1.options"

3. Use the following K8s runtimeclass:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor 
handler: runsc 

4. Start a pod with that runtimeclass

Describe the results you received and expected

Error: failed to create containerd task: failed to create shim task: unsupported option type "containerd.runc.v1.Options"

This works with the 2.0 tag only.

What version of containerd are you using?

2.0 tag with that PR cherry-picked

Any other relevant information

runc 1.2.2, fairly default CRI config, Linux 6.6 LTS, K8s 1.31.3 all integrated into https://github.com/monogon-dev/monogon.

Show configuration if it is related to CRI plugin.

No response

[lorenz]

/cc @fuweid

[fuweid]

PR #10906 unconditionally adds pipe ownership options to runtimes,

That PR #10906 adds pipe ownership options to runtimes only if container needs to run in user namespace. It's not unconditional.
Please check out the following code in release 2.0.

containerd/internal/cri/server/container_start_linux.go

Lines 34 to 40 in 961cac9

	// FIXME(fuweid): Ideally, the pipe owner should be aligned with process owner.
	// No matter what user namespace container uses, it should work well. However,
	// it breaks the sig-node conformance case - [when querying /stats/summary should report resource usage through the stats api].
	// In order to keep compatible, the change should apply to user namespace only.
	if config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetUsernsOptions() == nil {
	return nil, nil
	}

However, when kubelet enables UserNamespaceSupport feature gate, kubelet always uses non-empty UsernsOptions.

This is my local environment.

Details

➜  containerd git:(release/2.0) kubectl get node -o wide
NAME     STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
devbox   Ready    control-plane   11h   v1.31.0   10.0.0.4      <none>        Ubuntu 22.04.5 LTS   6.5.0-1025-azure   containerd://2.0.0-25-g961cac9aa

➜  containerd git:(release/2.0) containerd-shim-runsc-v1 -v
containerd-shim-runsc-v1:
  Version:  1.6.36+unknown
  Revision:
  Go version: go1.23.2 X:nocoverageredesign

➜  containerd git:(release/2.0) runsc --version
runsc version release-20241118.0
spec: 1.1.0-rc.1

➜  containerd git:(release/2.0) sudo crictl info | grep runsc
      "name": "runsc"
        "runsc": {
          "runtimeType": "io.containerd.runsc.v1",
            "ConfigPath": "/etc/containerd/runsc.toml",
            "TypeUrl": "io.containerd.runsc.v1.options"


➜  containerd git:(release/2.0) cat /etc/containerd/runsc.toml
log_path = "/var/log/runsc/%ID%/shim.log"
log_level = "debug"
[runsc_config]
  debug = "true"
  debug-log = "/var/log/runsc/%ID%/gvisor.%COMMAND%.log"

This is that pod spec I try to create.

➜  containerd git:(release/2.0) cat /tmp/pods.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx:1.14.2
    ports:
    - containerPort: 80
    - 
➜  containerd git:(release/2.0) kubectl get pods -o wide
No resources found in default namespace.

➜  containerd git:(release/2.0) kubectl apply -f /tmp/pods.yaml
runtimeclass.node.k8s.io/gvisor unchanged
pod/nginx-gvisor created

➜  containerd git:(release/2.0) kubectl get pods -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP           NODE     NOMINATED NODE   READINESS GATES
nginx-gvisor   1/1     Running   0          3s    10.88.1.40   devbox   <none>           <none>

When I try to enable UserNamespaceSupport feature gate in kubelet, it will be like

➜  containerd git:(release/2.0) kubectl apply -f /tmp/pods.yaml
runtimeclass.node.k8s.io/gvisor unchanged
pod/nginx-gvisor created

➜  containerd git:(release/2.0) kubectl get pods -o wide
NAME           READY   STATUS              RESTARTS   AGE   IP       NODE     NOMINATED NODE   READINESS GATES
nginx-gvisor   0/1     RunContainerError   0          3s    <none>   devbox   <none>           <none>

➜  containerd git:(release/2.0) kubectl get events | grep runc.v1
4s          Warning   Failed                    pod/nginx-gvisor   Error: failed to create containerd task: failed to create shim task: type with url containerd.runc.v1.Options: not found

I can file pull request to add check if UsernsOptions is not nil and it's for node level userns. Or the user namespace IO ownership only works for builtin shimv2.

---

However, I don't think it's breaking change. After shimv2 introduced since v1.2, both containerd client SDK and CRI are using those options named by runc. The name might be confusing but it's API and abstract level. If gVisor shim doesn't need the option, just don't read it.

If you check the gVisor code closely, there is copy version for the runc options.

https://github.com/google/gvisor/blob/b78f2ee7c4c393990a84298dd0f200e927b18dab/pkg/shim/runsc/options.go#L20

[kzys]

Resolving? #11104 is merged and cherry-picked into release/2.0.

[lorenz]

Confirming fixed in 2.0.1, thanks everyone!