windows: libcontainer: prefer bundled containerd.exe

[thaJeztah]

• follow-up to Windows: Run containerd as managed process #43893

This removes the bit I commented on in #43893 (comment)

I'm a bit on the fence on this part. I can see pros (install them together and be sure we're not running some other version), but also "cons"; as I wrote on #43892 (comment), we're looking at decoupling the docker and containerd packages more, and perhaps we should consider to be flexible as well on "how" someone installed containerd (which could be through some other package).

TL;DR it's not a "yes" or "no", but perhaps it's good to move this part of the PR to a separate PR and discuss it separately (I think this PR would still work without this change, so moving it separate would prevent it from being blocked pending that discussion)

---

Prefer a containerd binary that's installed next to the dockerd
binary. This prevents running a containerd executable that was installed through
other means instead of the bundled one, in cases where the docker is installed
using the static binaries.

Also see this MicroSoft blog-post about this approach;
https://devblogs.microsoft.com/oldnewthing/20110620-00/?p=10393

This patch impements a WithDetectLocalBinary() DaemonOpt, which is set by
default on Windows (we can consider using the same on other platforms).

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

We could change this to make this a "preferred" binary;

• look for containerd.exe in the same path as dockerd.exe; if found, use that
• otherwise use containerd.exe from $PATH (as before this patch)

[tianon]

+1; I like that 👍

[corhere]

That approach is Raymond Chen approved, too! https://devblogs.microsoft.com/oldnewthing/20110620-00/?p=10393

[thaJeztah]

I moved the detection to the initialisation as a DaemonOpt; this approach made it slightly more flexible (on Windows we use this option, on Linux not (yet?)); performing the lookup during initialisation stores the result in the supervisor's config.

The previous iteration performed the lookup during startContainerd(), which is called in monitorDaemon(), which re-starts containerd if it would fail, and (theoretically) would mean that deleting the containerd.exe binary would cause dockerd to lookup the binary again, and switch from a bundled containerd to a system containerd. I think that is undesirable, so it's better to fail in that case than to switch to a different binary.

moby/libcontainerd/supervisor/remote_daemon.go

Line 298 in 3a7fda7

if err := r.startContainerd(); err != nil {

[tianon]

I think we probably shouldn't use this on Linux unless we also disable it for the case of dockerd in a common path like /usr/bin, /usr/sbin, etc. 😅

(This seems like a sane approach regardless though, to be clear 👍)

[thaJeztah]

Worth noting that os.Executable() does not resolve symlinks. I think that's what we expect, but thought I'd leave a comment just in case there's concerns about that. https://github.com/golang/go/blob/8cb350d69a1b0765c1c81301583d6fd99fb9d74b/src/os/executable.go#L7-L14

// Executable returns the path name for the executable that started
// the current process. There is no guarantee that the path is still
// pointing to the correct executable. If a symlink was used to start
// the process, depending on the operating system, the result might
// be the symlink or the path it pointed to. If a stable result is
// needed, path/filepath.EvalSymlinks might help.
//
// Executable returns an absolute path unless an error occurred.
//
// The main use case is finding resources located relative to an
// executable.

[tianon]

I don't totally understand the intent of the .github/workflows/windows.yml changes, but the rest seems like a good approach IMO 👍