daemon: use shim v2 by default

[AkihiroSuda]

- What I did

containerd has three shim binaries:

• containerd-shim: implements shim API v1.
• containerd-shim-runc-v1: implements shim API v2. Introduced in containerd v1.2.
• containerd-shim-runc-v2: implements shim API v2. Introduced in containerd v1.3.

We have been using containerd-shim on cgroup v1 mode, containerd-shim-runc-v2 on cgroup v2 mode.

This commit changes the daemon to use containerd-shim-runc-v2 by default regardless to the cgroup mode.

To provide a workaround for potential regression issues, the daemon supports switching back to shim v1 mode via an env var MOBY_DISABLE_SHIM_V2=1.

The env var is only intended to be used as a workaround and is deprecated from its birth.
(So there is no daemon.json flag and no output in docker info)

The env var is discarded on cgroup v2 hosts, as shim v1 does not support cgroup v2.

Fix #41107

- How I did it
Updated *Daemon.useShimV2() to use shim v2 by default.

Requires containerd v1.3.0 or later. Using v1.3.5 or later is recommended. v1.3.0-v1.3.4 doesn't pass TestContainerStartOnDaemonRestart due to lack of containerd/containerd#4329 .

- How to verify it

• Run some containers, and make sure containerd-shim-runc-v2 processes are launched.
• Make sure it can be switched back to containerd-shim by launching dockerd with MOBY_DISABLE_SHIM_V2=1.

- Description for the changelog

daemon: use shim v2 by default. Requires containerd v1.3.0 or later. Using v1.3.5 or later is recommended.

- A picture of a cute animal (not mandatory but encouraged)
🐧

[AkihiroSuda]

=== RUN   TestContainerStartOnDaemonRestart
=== PAUSE TestContainerStartOnDaemonRestart
=== CONT  TestContainerStartOnDaemonRestart
--- FAIL: TestContainerStartOnDaemonRestart (3.14s)
    daemon_linux_test.go:67: assertion failed: error is not nil: Error response from daemon: OCI runtime create failed: container with id exists: d7a842b6fb87a16b16d8b887237a653c89a4733bf50a51f5491d7914c348edff: unknown: failed to start test container

Fix: containerd/containerd#4327

[thaJeztah]

left some suggestions

[cpuguy83]

I think we need to revisit how we are handling this.

I would prefer to rely on the containerd config for this.
This might be able to be shoe-horned into the runtime concept that we already have.
Maybe add a field to the runtiume config we already have for shim?

Packagers can set the preferred runtime configuration in the containerd packaging, or rely on containerd's default.

[AkihiroSuda]

I would prefer to rely on the containerd config for this.

No, containerd daemon doesn't have any concept of "default runtime".

This might be able to be shoe-horned into the runtime concept that we already have.

Yes, but it is a separate topic.

[cpuguy83]

Right, the default is determined by the client. But I can create and run a container without manually specifying a runtime. What I'm really getting at, is all the extra env var and function arguments to determine which shim to use does not seem right. We should be able to change the default and if someone wants something different they should be able to configure that in the runtime config.

[cpuguy83]

Discussed on the maintainers call with @thaJeztah and @tonistiigi

I think we agreed it would be best to remove all the configuration we have regarding v1 vs v2 shim. Just use the v2 shim only, and then we can follow up by allowing the runtime config to specify a shim name.

[AkihiroSuda]

Ready for review/merge

[thaJeztah]

I think we agreed it would be best to remove all the configuration we have regarding v1 vs v2 shim. Just use the v2 shim only, and then we can follow up by allowing the runtime config to specify a shim name.

Did you want that in this PR? Looks like the current implementation still adds the env-var

[AkihiroSuda]

Looks like the current implementation still adds the env-var

I interpreted remove all the configuration to just remove daemon.json fields

[cpuguy83]

I interpreted remove all the configuration to just remove daemon.json fields

I was referring to the env var to disable, and passing bools around on what shim to use.
So, let's just use shim v2 then we can provide a way to configure that per runtime.

[AkihiroSuda]

Don't we need to provide a workaround for potential regression?

[cpuguy83]

The work-around would be to allow configuring it at the runtime level.

[AkihiroSuda]

What is runtime level?

[cpuguy83]

dockerd has a config for custom runtimes, and users can specify which runtime with docker run --runtime

[AkihiroSuda]

--runtime flags could be extended for specifying third party shim v2 runtimes such as io.containerd.kata.v2, but I don't think we should mix up the workaround flag for rolling back shim API to v1 there.

If we are confident that shim v2 is already matured enough, we can go ahead without any rollback knob.

[cpuguy83]

@AkihiroSuda I don't think we're mixing anything up here.
We are switching to the v2 shim, if people want to roll back then they should specify the v1 shim.

[thaJeztah]

Discussing in the maintainers meeting with @cpuguy83 @tonistiigi.

• the (already existing) booleans aren't great, and we should try to get rid of them
• the env-vars could (potentially) be useful during RC's for 20.0x, but ideally should be gone in 20.0x-GA, and replaced by a runtime option

@cpuguy83 wants to have a look at a runtime option; if that works out, I'd say wait with merging until we have the alternative

[cpuguy83]

#41182

After #41182, default becomes a one line change and fallback to v1 is possible by specifying --runtime=com.docker.runtime.runc.v1

[AkihiroSuda]

new PR: #41210