Enable configuring containerd plugin runtime options

Signed-off-by: Kate Goldenring <[email protected]>

Install and start D-Bus after configuring runtime options

Signed-off-by: Kate Goldenring <[email protected]>

Add D-Bus installation to restarter logic

Signed-off-by: Kate Goldenring <[email protected]>

Move latest shim CRD to helm chart

Signed-off-by: Kate Goldenring <[email protected]>

Author: kate-goldenring

api/v1alpha1/shim_types.go

@@ -26,6 +26,9 @@ type ShimSpec struct {
 	FetchStrategy   FetchStrategy     `json:"fetchStrategy"`
 	RuntimeClass    RuntimeClassSpec  `json:"runtimeClass"`
 	RolloutStrategy RolloutStrategy   `json:"rolloutStrategy"`
+	// RuntimeOptions is a map of containerd runtime options for the shim plugin.
+	// See an example of configuring cgroup driver via runtime options: https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver
+	RuntimeOptions map[string]string `json:"runtimeOptions"`
 }
 
 type FetchStrategy struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -20,6 +20,10 @@ type Config struct {
 	Runtime struct {
 		Name       string
 		ConfigPath string
+		// Options is a map of containerd runtime options for the shim plugin.
+		// See an example of the cgroup drive option here:
+		// https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver
+		Options map[string]string
 	}
 	RCM struct {
 		Path      string

cmd/node-installer/config.go

@@ -45,7 +45,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", preset.MicroK8s.ConfigPath},
+						Options    map[string]string
+					}{"containerd", preset.MicroK8s.ConfigPath, nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -64,7 +65,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", "/etc/containerd/not_found.toml"},
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/not_found.toml", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -83,7 +85,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -102,7 +105,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -121,7 +125,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -140,7 +145,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -159,7 +165,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -178,7 +185,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string

cmd/node-installer/detect_test.go

@@ -17,6 +17,7 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"io/fs"
 	"log/slog"
@@ -50,6 +51,12 @@ var installCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
+		config.Runtime.Options, err = RuntimeOptions()
+		if err != nil {
+			slog.Error("failed to get runtime options", "error", err)
+			os.Exit(1)
+		}
+
 		if err := RunInstall(config, rootFs, hostFs, distro.Restarter); err != nil {
 			slog.Error("failed to install", "error", err)
 			os.Exit(1)
@@ -82,7 +89,7 @@ func RunInstall(config Config, rootFs, hostFs afero.Fs, restarter containerd.Res
 		config.RCM.AssetPath = path.Dir(config.RCM.AssetPath)
 	}
 
-	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter)
+	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter, config.Runtime.Options)
 	shimConfig := shim.NewConfig(rootFs, hostFs, config.RCM.AssetPath, config.RCM.Path)
 
 	anythingChanged := false
@@ -117,3 +124,16 @@ func RunInstall(config Config, rootFs, hostFs afero.Fs, restarter containerd.Res
 
 	return nil
 }
+
+func RuntimeOptions() (map[string]string, error) {
+	runtimeOptions := make(map[string]string)
+	optionsJSON := os.Getenv("RUNTIME_OPTIONS")
+	config.Runtime.Options = make(map[string]string)
+	if optionsJSON != "" {
+		err := json.Unmarshal([]byte(optionsJSON), &runtimeOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal runtime options JSON %s: %w", optionsJSON, err)
+		}
+	}
+	return runtimeOptions, nil
+}

cmd/node-installer/install.go

@@ -49,7 +49,8 @@ func Test_RunInstall(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", "/etc/containerd/config.toml"},
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/config.toml", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -68,7 +69,8 @@ func Test_RunInstall(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", "/etc/containerd/config.toml"},
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/config.toml", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -80,6 +82,27 @@ func Test_RunInstall(t *testing.T) {
 			},
 			false,
 		},
+		{
+			// TODO figure out how to test that the runtime options are set in the config
+			"new shim with runtime options",
+			args{
+				main.Config{
+					struct {
+						Name       string
+						ConfigPath string
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/config.toml", map[string]string{"SystemdCgroup": "true"}},
+					struct {
+						Path      string
+						AssetPath string
+					}{"/opt/rcm", "/assets"},
+					struct{ RootPath string }{"/containerd/missing-containerd-shim-config"},
+				},
+				tests.FixtureFs("../../testdata/node-installer"),
+				tests.FixtureFs("../../testdata/node-installer/containerd/missing-containerd-shim-config"),
+			},
+			false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

cmd/node-installer/install_test.go

@@ -45,6 +45,12 @@ var uninstallCmd = &cobra.Command{
 
 		config.Runtime.ConfigPath = distro.ConfigPath
 
+		config.Runtime.Options, err = RuntimeOptions()
+		if err != nil {
+			slog.Error("failed to get runtime options", "error", err)
+			os.Exit(1)
+		}
+
 		if err := RunUninstall(config, rootFs, hostFs, distro.Restarter); err != nil {
 			slog.Error("failed to uninstall", "error", err)
 			os.Exit(1)
@@ -61,7 +67,7 @@ func RunUninstall(config Config, rootFs, hostFs afero.Fs, restarter containerd.R
 	shimName := config.Runtime.Name
 	runtimeName := path.Join(config.RCM.Path, "bin", shimName)
 
-	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter)
+	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter, config.Runtime.Options)
 	shimConfig := shim.NewConfig(rootFs, hostFs, config.RCM.AssetPath, config.RCM.Path)
 
 	binPath, err := shimConfig.Uninstall(shimName)

cmd/node-installer/uninstall.go

@@ -95,10 +95,18 @@ spec:
                 - handler
                 - name
                 type: object
+              runtimeOptions:
+                additionalProperties:
+                  type: string
+                description: |-
+                  RuntimeOptions is a map of containerd runtime options for the shim plugin.
+                  See an example of configuring cgroup driver via runtime options: https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver
+                type: object
             required:
             - fetchStrategy
             - rolloutStrategy
             - runtimeClass
+            - runtimeOptions
             type: object
           status:
             description: ShimStatus defines the observed state of Shim

config/crd/bases/runtime.spinkube.dev_shims.yaml

@@ -17,6 +17,9 @@ spec:
     anonHttp:
       location: "https://github.com/spinframework/containerd-shim-spin/releases/download/v0.19.0/containerd-shim-spin-v2-linux-aarch64.tar.gz"
 
+  runtimeOptions:
+    SystemdCgroup: "true"
+
   runtimeClass:
     # Note: this name is used by the Spin Operator project as its default:
     # https://github.com/spinframework/spin-operator/blob/main/config/samples/spin-shim-executor.yaml

config/samples/test_shim_spin.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: shims.runtime.spinkube.dev
 spec:
   group: runtime.spinkube.dev
@@ -30,14 +30,19 @@ spec:
         description: Shim is the Schema for the shims API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -90,53 +95,53 @@ spec:
                 - handler
                 - name
                 type: object
+              runtimeOptions:
+                additionalProperties:
+                  type: string
+                description: |-
+                  RuntimeOptions is a map of containerd runtime options for the shim plugin.
+                  See an example of configuring cgroup driver via runtime options: https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver
+                type: object
             required:
             - fetchStrategy
             - rolloutStrategy
             - runtimeClass
+            - runtimeOptions
             type: object
           status:
             description: ShimStatus defines the observed state of Shim
             properties:
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -151,10 +156,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string