[v2.3.0-rc.0 regression] rootless: `"/run/containerd/containerd.sock": no such file or directory`

[AkihiroSuda]

Description

Starting with v2.3.0-rc.0, the rootless mode no longer works, as /run/containerd/containerd.sock is no longer created in the daemon's mount namespace (which is created with the daemon's user namespace, by RootlessKit):

$ nerdctl info
FATA[0000] cannot access containerd socket "/run/containerd/containerd.sock": no such file or directory

$ containerd-rootless-setuptool.sh nsenter -- ls /run/containerd
containerd.sock.ttrpc      io.containerd.mount-manager.v1.bolt  io.containerd.sandbox.controller.v1.shim
io.containerd.grpc.v1.cri  io.containerd.runtime.v2.task

This is a regression in c15ec2485 ("Add server plugins for grpc and ttrpc") from:

• Add plugins for server listeners #12562

Thanks to @haytok for bisecting:

• Dockerfile: bump containerd to v2.3.1 nerdctl#4887 (comment)

Steps to reproduce the issue

1. containerd-rootless.sh
2. nerdctl info

Describe the results you received and expected

Received: "/run/containerd/containerd.sock": no such file or directory
Expected: nerdctl should work, and "/run/containerd/containerd.sock" should be visible via containerd-rootless-setuptool.sh nsenter -- ls /run/containerd

What version of containerd are you using?

containerd github.com/containerd/containerd/v2 v2.3.0 2976f38

Any other relevant information

• Ubuntu 26.04
• nerdctl v2.3.0
• RootlessKit v3.0.0

Show configuration if it is related to CRI plugin.

No response

[AkihiroSuda]

Workaround

Disable the failing CRI plugin in ~/.config/containerd/config.toml:

version = 3                                                                   
disabled_plugins = ["io.containerd.grpc.v1.cri"] 

Cause of regression

Note

Written by Claude

15ec2485 moved the gRPC and TTRPC server initialization out of cmd/containerd/server/server.go into dedicated server plugins (plugins/server/grpc/plugin.go, plugins/server/ttrpc/plugin.go). Inside their InitFns the new plugins call ic.GetByType(plugins.GRPCPlugin) / ic.GetByType(plugins.TTRPCPlugin) to enumerate the services to register.

InitContext.GetByType (vendor/github.com/containerd/plugin/context.go:182) short-circuits on the first plugin whose Instance() returns an error — only plugin.ErrSkipPlugin is tolerated. Under rootless mode, the CRI plugin (io.containerd.grpc.v1.cri) fails because it cannot watch /etc/cni/net.d (permission denied). That single failure now propagates into the GRPC and TTRPC server plugins, so they never register and never call sys.GetLocalListener — hence containerd.sock is missing while sibling files (containerd.sock.ttrpc, the per-plugin state dirs) remain.

The pre-c15ec2485 path in server.go iterated loaded plugins itself, logged failures, and continued — failed plugins simply weren't appended to grpcServices / ttrpcServices, but the listeners were still created.