Separate the CRI image config from the main plugin config

This change simplifies the CRI plugin dependencies by not requiring the
CRI image plugin to depend on any other CRI components. Since other CRI
plugins depend on the image plugin, this allows prevents a dependency
cycle for CRI configurations on a base plugin.

Signed-off-by: Derek McGowan <[email protected]>

Author: dmcgowan

cmd/containerd/builtins/cri.go

@@ -20,4 +20,5 @@ package builtins
 
 import (
 	_ "github.com/containerd/containerd/v2/pkg/cri"
+	_ "github.com/containerd/containerd/v2/plugins/cri/images"
 )

integration/build_local_containerd_helper_test.go

@@ -39,6 +39,7 @@ import (
 	_ "github.com/containerd/containerd/v2/gc/scheduler"
 	_ "github.com/containerd/containerd/v2/leases/plugin"
 	_ "github.com/containerd/containerd/v2/metadata/plugin"
+	_ "github.com/containerd/containerd/v2/plugins/cri/images"
 	_ "github.com/containerd/containerd/v2/runtime/v2"
 	_ "github.com/containerd/containerd/v2/runtime/v2/runc/options"
 	_ "github.com/containerd/containerd/v2/services/containers"
@@ -53,7 +54,7 @@ import (
 	_ "github.com/containerd/containerd/v2/services/tasks"
 	_ "github.com/containerd/containerd/v2/services/version"
 
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 var (
@@ -72,7 +73,7 @@ func buildLocalContainerdClient(t *testing.T, tmpDir string, tweakInitFn tweakPl
 	// load plugins
 	loadPluginOnce.Do(func() {
 		loadedPlugins, loadedPluginsErr = ctrdsrv.LoadPlugins(ctx, &srvconfig.Config{})
-		assert.NoError(t, loadedPluginsErr)
+		require.NoError(t, loadedPluginsErr)
 	})
 
 	// init plugins
@@ -104,7 +105,7 @@ func buildLocalContainerdClient(t *testing.T, tmpDir string, tweakInitFn tweakPl
 		// load the plugin specific configuration if it is provided
 		if p.Config != nil {
 			pc, err := config.Decode(ctx, p.URI(), p.Config)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 
 			initContext.Config = pc
 		}
@@ -114,10 +115,10 @@ func buildLocalContainerdClient(t *testing.T, tmpDir string, tweakInitFn tweakPl
 		}
 
 		result := p.Init(initContext)
-		assert.NoError(t, initialized.Add(result))
+		require.NoError(t, initialized.Add(result))
 
 		_, err := result.Instance()
-		assert.NoError(t, err)
+		require.NoError(t, err)
 
 		lastInitContext = initContext
 	}
@@ -129,7 +130,7 @@ func buildLocalContainerdClient(t *testing.T, tmpDir string, tweakInitFn tweakPl
 		containerd.WithInMemoryServices(lastInitContext),
 		containerd.WithInMemorySandboxControllers(lastInitContext),
 	)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
 	return client
 }

pkg/cri/config/config.go

@@ -67,6 +67,9 @@ const (
 	ModePodSandbox SandboxControllerMode = "podsandbox"
 	// ModeShim means use whatever Controller implementation provided by shim.
 	ModeShim SandboxControllerMode = "shim"
+	// DefaultSandboxImage is the default image to use for sandboxes when empty or
+	// for default configurations.
+	DefaultSandboxImage = "registry.k8s.io/pause:3.9"
 )
 
 // Runtime struct to contain the type(ID), engine, and root variables for a default runtime
@@ -242,8 +245,12 @@ type ImageDecryption struct {
 // can be assumed. When platform is not provided, the default platform can
 // be assumed
 type ImagePlatform struct {
-	Platform    string
-	Snapshotter string
+	Platform string `toml:"platform" json:"platform"`
+	// Snapshotter setting snapshotter at runtime level instead of making it as a global configuration.
+	// An example use case is to use devmapper or other snapshotters in Kata containers for performance and security
+	// while using default snapshotters for operational simplicity.
+	// See https://github.com/containerd/containerd/issues/6657 for details.
+	Snapshotter string `toml:"snapshotter" json:"snapshotter"`
 }
 
 type ImageConfig struct {
@@ -261,18 +268,21 @@ type ImageConfig struct {
 	DiscardUnpackedLayers bool `toml:"discard_unpacked_layers" json:"discardUnpackedLayers"`
 
 	// PinnedImages are images which the CRI plugin uses and should not be
-	// removed by the CRI client.
+	// removed by the CRI client. The images have a key which can be used
+	// by other plugins to lookup the current image name.
 	// Image names should be full names including domain and tag
 	// Examples:
-	//   docker.io/library/ubuntu:latest
-	//   images.k8s.io/core/pause:1.55
-	PinnedImages []string
+	//   "sandbox": "k8s.gcr.io/pause:3.9"
+	//   "base": "docker.io/library/ubuntu:latest"
+	// Migrated from:
+	// (PluginConfig).SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
+	PinnedImages map[string]string
 
 	// RuntimePlatforms is map between the runtime and the image platform to
 	// use for that runtime. When resolving an image for a runtime, this
 	// mapping will be used to select the image for the platform and the
 	// snapshotter for unpacking.
-	RuntimePlatforms map[string]ImagePlatform
+	RuntimePlatforms map[string]ImagePlatform `toml:"runtime_platforms" json:"runtimePlatforms"`
 
 	// Registry contains config related to the registry
 	Registry Registry `toml:"registry" json:"registry"`
@@ -305,8 +315,6 @@ type ImageConfig struct {
 // PluginConfig contains toml config related to CRI plugin,
 // it is a subset of Config.
 type PluginConfig struct {
-	// ImageConfig is the image service configuration
-	ImageConfig
 	// ContainerdConfig contains config related to containerd
 	ContainerdConfig `toml:"containerd" json:"containerd"`
 	// CniConfig contains config related to cni
@@ -327,8 +335,6 @@ type PluginConfig struct {
 	// SelinuxCategoryRange allows the upper bound on the category range to be set.
 	// If not specified or set to 0, defaults to 1024 from the selinux package.
 	SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
-	// SandboxImage is the image used by sandbox container.
-	SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 	// EnableTLSStreaming indicates to enable the TLS streaming support.
 	EnableTLSStreaming bool `toml:"enable_tls_streaming" json:"enableTLSStreaming"`
 	// X509KeyPairStreaming is a x509 key pair used for TLS streaming
@@ -437,31 +443,9 @@ const (
 	KeyModelNode = "node"
 )
 
-// ValidatePluginConfig validates the given plugin configuration.
-func ValidatePluginConfig(ctx context.Context, c *PluginConfig) ([]deprecation.Warning, error) {
+// ValidateImageConfig validates the given image configuration
+func ValidateImageConfig(ctx context.Context, c *ImageConfig) ([]deprecation.Warning, error) {
 	var warnings []deprecation.Warning
-	if c.ContainerdConfig.Runtimes == nil {
-		c.ContainerdConfig.Runtimes = make(map[string]Runtime)
-	}
-
-	// Validation for default_runtime_name
-	if c.ContainerdConfig.DefaultRuntimeName == "" {
-		return warnings, errors.New("`default_runtime_name` is empty")
-	}
-	if _, ok := c.ContainerdConfig.Runtimes[c.ContainerdConfig.DefaultRuntimeName]; !ok {
-		return warnings, fmt.Errorf("no corresponding runtime configured in `containerd.runtimes` for `containerd` `default_runtime_name = \"%s\"", c.ContainerdConfig.DefaultRuntimeName)
-	}
-
-	for k, r := range c.ContainerdConfig.Runtimes {
-		if !r.PrivilegedWithoutHostDevices && r.PrivilegedWithoutHostDevicesAllDevicesAllowed {
-			return warnings, errors.New("`privileged_without_host_devices_all_devices_allowed` requires `privileged_without_host_devices` to be enabled")
-		}
-		// If empty, use default podSandbox mode
-		if len(r.Sandboxer) == 0 {
-			r.Sandboxer = string(ModePodSandbox)
-			c.ContainerdConfig.Runtimes[k] = r
-		}
-	}
 
 	useConfigPath := c.Registry.ConfigPath != ""
 	if len(c.Registry.Mirrors) > 0 {
@@ -500,20 +484,49 @@ func ValidatePluginConfig(ctx context.Context, c *PluginConfig) ([]deprecation.W
 		log.G(ctx).Warning("`auths` is deprecated, please use `ImagePullSecrets` instead")
 	}
 
-	// Validation for stream_idle_timeout
-	if c.StreamIdleTimeout != "" {
-		if _, err := time.ParseDuration(c.StreamIdleTimeout); err != nil {
-			return warnings, fmt.Errorf("invalid stream idle timeout: %w", err)
-		}
-	}
-
 	// Validation for image_pull_progress_timeout
 	if c.ImagePullProgressTimeout != "" {
 		if _, err := time.ParseDuration(c.ImagePullProgressTimeout); err != nil {
 			return warnings, fmt.Errorf("invalid image pull progress timeout: %w", err)
 		}
 	}
 
+	return warnings, nil
+}
+
+// ValidatePluginConfig validates the given plugin configuration.
+func ValidatePluginConfig(ctx context.Context, c *PluginConfig) ([]deprecation.Warning, error) {
+	var warnings []deprecation.Warning
+	if c.ContainerdConfig.Runtimes == nil {
+		c.ContainerdConfig.Runtimes = make(map[string]Runtime)
+	}
+
+	// Validation for default_runtime_name
+	if c.ContainerdConfig.DefaultRuntimeName == "" {
+		return warnings, errors.New("`default_runtime_name` is empty")
+	}
+	if _, ok := c.ContainerdConfig.Runtimes[c.ContainerdConfig.DefaultRuntimeName]; !ok {
+		return warnings, fmt.Errorf("no corresponding runtime configured in `containerd.runtimes` for `containerd` `default_runtime_name = \"%s\"", c.ContainerdConfig.DefaultRuntimeName)
+	}
+
+	for k, r := range c.ContainerdConfig.Runtimes {
+		if !r.PrivilegedWithoutHostDevices && r.PrivilegedWithoutHostDevicesAllDevicesAllowed {
+			return warnings, errors.New("`privileged_without_host_devices_all_devices_allowed` requires `privileged_without_host_devices` to be enabled")
+		}
+		// If empty, use default podSandbox mode
+		if len(r.Sandboxer) == 0 {
+			r.Sandboxer = string(ModePodSandbox)
+			c.ContainerdConfig.Runtimes[k] = r
+		}
+	}
+
+	// Validation for stream_idle_timeout
+	if c.StreamIdleTimeout != "" {
+		if _, err := time.ParseDuration(c.StreamIdleTimeout); err != nil {
+			return warnings, fmt.Errorf("invalid stream idle timeout: %w", err)
+		}
+	}
+
 	// Validation for drain_exec_sync_io_timeout
 	if c.DrainExecSyncIOTimeout != "" {
 		if _, err := time.ParseDuration(c.DrainExecSyncIOTimeout); err != nil {