Enable configuring containerd plugin runtime options

kate-goldenring · kate-goldenring · commit 352cfb4d1c4a · 2025-05-07T13:04:53.000-07:00
Signed-off-by: Kate Goldenring &lt;kate.goldenring@fermyon.com&gt;
diff --git a/api/v1alpha1/shim_types.go b/api/v1alpha1/shim_types.go
@@ -26,6 +26,9 @@ type ShimSpec struct {
 	FetchStrategy   FetchStrategy     `json:"fetchStrategy"`
 	RuntimeClass    RuntimeClassSpec  `json:"runtimeClass"`
 	RolloutStrategy RolloutStrategy   `json:"rolloutStrategy"`
+	// RuntimeOptions is a map of containerd runtime options for the shim plugin.
+	// See an example of configuring cgroup driver via runtime options: https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver
+	RuntimeOptions map[string]string `json:"runtimeOptions"`
 }
 
 type FetchStrategy struct {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/cmd/node-installer/config.go b/cmd/node-installer/config.go
@@ -20,6 +20,10 @@ type Config struct {
 	Runtime struct {
 		Name       string
 		ConfigPath string
+		// Options is a map of containerd runtime options for the shim plugin.
+		// See an example of the cgroup drive option here:
+		// https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver
+		Options    map[string]string
 	}
 	RCM struct {
 		Path      string
diff --git a/cmd/node-installer/detect_test.go b/cmd/node-installer/detect_test.go
@@ -45,7 +45,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", preset.MicroK8s.ConfigPath},
+						Options    map[string]string
+					}{"containerd", preset.MicroK8s.ConfigPath, nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -64,7 +65,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", "/etc/containerd/not_found.toml"},
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/not_found.toml", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -83,7 +85,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -102,7 +105,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -121,7 +125,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -140,7 +145,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -159,7 +165,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -178,7 +185,8 @@ func Test_DetectDistro(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", ""},
+						Options    map[string]string
+					}{"containerd", "", nil},
 					struct {
 						Path      string
 						AssetPath string
diff --git a/cmd/node-installer/install.go b/cmd/node-installer/install.go
@@ -17,6 +17,7 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"io/fs"
 	"log/slog"
@@ -50,6 +51,16 @@ var installCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
+		optionsJson := os.Getenv("RUNTIME_OPTIONS")
+		config.Runtime.Options = make(map[string]string)
+		if optionsJson != "" {
+			err := json.Unmarshal([]byte(optionsJson), &config.Runtime.Options)
+			if err != nil {
+				slog.Error("Error unmarshaling runtime options JSON", "error", err)
+				return
+			}
+		}
+
 		if err := RunInstall(config, rootFs, hostFs, distro.Restarter); err != nil {
 			slog.Error("failed to install", "error", err)
 			os.Exit(1)
@@ -82,7 +93,7 @@ func RunInstall(config Config, rootFs, hostFs afero.Fs, restarter containerd.Res
 		config.RCM.AssetPath = path.Dir(config.RCM.AssetPath)
 	}
 
-	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter)
+	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter, config.Runtime.Options)
 	shimConfig := shim.NewConfig(rootFs, hostFs, config.RCM.AssetPath, config.RCM.Path)
 
 	anythingChanged := false
diff --git a/cmd/node-installer/install_test.go b/cmd/node-installer/install_test.go
@@ -49,7 +49,8 @@ func Test_RunInstall(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", "/etc/containerd/config.toml"},
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/config.toml", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -68,7 +69,8 @@ func Test_RunInstall(t *testing.T) {
 					struct {
 						Name       string
 						ConfigPath string
-					}{"containerd", "/etc/containerd/config.toml"},
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/config.toml", nil},
 					struct {
 						Path      string
 						AssetPath string
@@ -80,6 +82,27 @@ func Test_RunInstall(t *testing.T) {
 			},
 			false,
 		},
+		{
+			// TODO figure out how to test that the runtime options are set in the config
+			"new shim with runtime options",
+			args{
+				main.Config{
+					struct {
+						Name       string
+						ConfigPath string
+						Options    map[string]string
+					}{"containerd", "/etc/containerd/config.toml", map[string]string{"SystemdCgroup": "true"}},
+					struct {
+						Path      string
+						AssetPath string
+					}{"/opt/rcm", "/assets"},
+					struct{ RootPath string }{"/containerd/missing-containerd-shim-config"},
+				},
+				tests.FixtureFs("../../testdata/node-installer"),
+				tests.FixtureFs("../../testdata/node-installer/containerd/missing-containerd-shim-config"),
+			},
+			false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/cmd/node-installer/uninstall.go b/cmd/node-installer/uninstall.go
@@ -17,6 +17,7 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
@@ -45,6 +46,16 @@ var uninstallCmd = &cobra.Command{
 
 		config.Runtime.ConfigPath = distro.ConfigPath
 
+		optionsJson := os.Getenv("RUNTIME_OPTIONS")
+		config.Runtime.Options = make(map[string]string)
+		if optionsJson != "" {
+			err := json.Unmarshal([]byte(optionsJson), &config.Runtime.Options)
+			if err != nil {
+				slog.Error("Error unmarshaling runtime options JSON", "error", err)
+				return
+			}
+		}
+
 		if err := RunUninstall(config, rootFs, hostFs, distro.Restarter); err != nil {
 			slog.Error("failed to uninstall", "error", err)
 			os.Exit(1)
@@ -61,7 +72,7 @@ func RunUninstall(config Config, rootFs, hostFs afero.Fs, restarter containerd.R
 	shimName := config.Runtime.Name
 	runtimeName := path.Join(config.RCM.Path, "bin", shimName)
 
-	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter)
+	containerdConfig := containerd.NewConfig(hostFs, config.Runtime.ConfigPath, restarter, config.Runtime.Options)
 	shimConfig := shim.NewConfig(rootFs, hostFs, config.RCM.AssetPath, config.RCM.Path)
 
 	binPath, err := shimConfig.Uninstall(shimName)
diff --git a/config/crd/bases/runtime.spinkube.dev_shims.yaml b/config/crd/bases/runtime.spinkube.dev_shims.yaml
@@ -95,10 +95,18 @@ spec:
                 - handler
                 - name
                 type: object
+              runtimeOptions:
+                additionalProperties:
+                  type: string
+                description: |-
+                  RuntimeOptions is a map of containerd runtime options for the shim plugin.
+                  Read more here: https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver
+                type: object
             required:
             - fetchStrategy
             - rolloutStrategy
             - runtimeClass
+            - runtimeOptions
             type: object
           status:
             description: ShimStatus defines the observed state of Shim
diff --git a/config/samples/test_shim_spin.yaml b/config/samples/test_shim_spin.yaml
@@ -17,6 +17,9 @@ spec:
     anonHttp:
       location: "https://github.com/spinframework/containerd-shim-spin/releases/download/v0.19.0/containerd-shim-spin-v2-linux-aarch64.tar.gz"
 
+  runtimeOptions:
+    SystemdCgroup: "true"
+
   runtimeClass:
     # Note: this name is used by the Spin Operator project as its default:
     # https://github.com/spinframework/spin-operator/blob/main/config/samples/spin-shim-executor.yaml
diff --git a/internal/containerd/configure.go b/internal/containerd/configure.go
@@ -32,16 +32,18 @@ type Restarter interface {
 }
 
 type Config struct {
-	hostFs     afero.Fs
-	configPath string
-	restarter  Restarter
+	hostFs         afero.Fs
+	configPath     string
+	restarter      Restarter
+	runtimeOptions map[string]string
 }
 
-func NewConfig(hostFs afero.Fs, configPath string, restarter Restarter) *Config {
+func NewConfig(hostFs afero.Fs, configPath string, restarter Restarter, runtimeOptions map[string]string) *Config {
 	return &Config{
-		hostFs:     hostFs,
-		configPath: configPath,
-		restarter:  restarter,
+		hostFs:         hostFs,
+		configPath:     configPath,
+		restarter:      restarter,
+		runtimeOptions: runtimeOptions,
 	}
 }
 
@@ -61,7 +63,7 @@ func (c *Config) AddRuntime(shimPath string) error {
 		return nil
 	}
 
-	cfg := generateConfig(shimPath, runtimeName, data)
+	cfg := generateConfig(shimPath, runtimeName, c.runtimeOptions, data)
 
 	// Open file in append mode
 	file, err := c.hostFs.OpenFile(c.configPath, os.O_APPEND|os.O_WRONLY, 0o644) //nolint:mnd // file permissions
@@ -95,7 +97,7 @@ func (c *Config) RemoveRuntime(shimPath string) (changed bool, err error) {
 		return false, nil
 	}
 
-	cfg := generateConfig(shimPath, runtimeName, data)
+	cfg := generateConfig(shimPath, runtimeName, c.runtimeOptions, data)
 
 	// Convert the file data to a string and replace the target string with an empty string.
 	modifiedData := strings.ReplaceAll(string(data), cfg, "")
@@ -113,17 +115,27 @@ func (c *Config) RestartRuntime() error {
 	return c.restarter.Restart()
 }
 
-func generateConfig(shimPath string, runtimeName string, configData []byte) string {
+func generateConfig(shimPath string, runtimeName string, runtimeOptions map[string]string, configData []byte) string {
 	// Config domain for containerd 1.0 (config version 2)
 	domain := "io.containerd.grpc.v1.cri"
 	if strings.Contains(string(configData), "version = 3") {
 		// Config domain for containerd 2.0 (config version 3)
 		domain = "io.containerd.cri.v1.runtime"
 	}
 
-	return fmt.Sprintf(`
+	runtimeConfiguration := fmt.Sprintf(`
 # RCM runtime config for %s
 [plugins."%s".containerd.runtimes.%s]
 runtime_type = "%s"
 `, runtimeName, domain, runtimeName, shimPath)
+	// Add runtime options if any are provided
+	if len(runtimeOptions) > 0 {
+		options := fmt.Sprintf(`[plugins."%s".containerd.runtimes."%s".options]`, domain, runtimeName)
+		for k, v := range runtimeOptions {
+			options += fmt.Sprintf(`
+			%s = "%s"\n`, k, v)
+		}
+		runtimeConfiguration += "\n" + options
+	}
+	return runtimeConfiguration
 }
diff --git a/internal/controller/shim_controller.go b/internal/controller/shim_controller.go
@@ -18,6 +18,7 @@ package controller
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"math"
@@ -461,6 +462,19 @@ func (sr *ShimReconciler) createJobManifest(shim *rcmv1.Shim, node *corev1.Node,
 			},
 		},
 	}
+
+	if shim.Spec.RuntimeOptions != nil {
+		optionsJson, err := json.Marshal(shim.Spec.RuntimeOptions)
+		if err != nil {
+			log.Error().Msgf("Unable to marshal runtime options: %s", err)
+		} else {
+			job.Spec.Template.Spec.Containers[0].Env = append(job.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "RUNTIME_OPTIONS",
+				Value: string(optionsJson),
+			})
+		}
+	}
+	
 	// set ttl for the installer job only if specified by the user
 	if ttlStr := os.Getenv("SHIM_NODE_INSTALLER_JOB_TTL"); ttlStr != "" {
 		if ttl, err := strconv.ParseInt(ttlStr, 10, 32); err == nil && ttl > 0 {

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@ type ShimSpec struct {`
`26`	`26`	FetchStrategy FetchStrategy `json:"fetchStrategy"`
`27`	`27`	RuntimeClass RuntimeClassSpec `json:"runtimeClass"`
`28`	`28`	RolloutStrategy RolloutStrategy `json:"rolloutStrategy"`
	`29`	`+ // RuntimeOptions is a map of containerd runtime options for the shim plugin.`
	`30`	`+ // See an example of configuring cgroup driver via runtime options: https://github.com/containerd/containerd/blob/main/docs/cri/config.md#cgroup-driver`
	`31`	+ RuntimeOptions map[string]string `json:"runtimeOptions"`
`29`	`32`	`}`
`30`	`33`
`31`	`34`	`type FetchStrategy struct {`