From c854ba9ce38c92184ea3f9b90fa04c53c0648419 Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Mon, 25 Aug 2025 12:17:27 -0600
Subject: [PATCH 1/4] Update linuxkit/init to latest release: We were using an init container from a year ago.
Signed-off-by: Jacob Weinstock
---
 linuxkit-templates/hook.template.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linuxkit-templates/hook.template.yaml b/linuxkit-templates/hook.template.yaml
index 6d88398c..ae676f65 100644
--- a/linuxkit-templates/hook.template.yaml
+++ b/linuxkit-templates/hook.template.yaml
@@ -20,7 +20,7 @@ kernel: init: # this init container sha has support for volumes
- - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+ - linuxkit/init:v1.1.0
 - "${HOOK_CONTAINER_RUNC_IMAGE}"
 - "${HOOK_CONTAINER_CONTAINERD_IMAGE}"
 - linuxkit/ca-certificates:v1.0.0
From 2c83d2b8dadd050bd20f1babdd5c8d5e96ffd373 Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Mon, 25 Aug 2025 12:19:45 -0600
Subject: [PATCH 2/4] Rename containerd config, disable cri plugin: Linuxkit expects the containerd config file to be at /etc/runtime-config.toml. Rename the config so that the settings get picked up properly. Disable the containerd cri plugin. This is not needed for linuxkit. The cri plugin is a Kubernetes thing. This removes warning and error messages that show up and have confused users about real issues.
Signed-off-by: Jacob Weinstock
---
 .../etc/containerd/{config.toml => runtime-config.toml} | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 rename images/hook-containerd/etc/containerd/{config.toml => runtime-config.toml} (98%)
diff --git a/images/hook-containerd/etc/containerd/config.toml b/images/hook-containerd/etc/containerd/runtime-config.toml
similarity index 98%
rename from images/hook-containerd/etc/containerd/config.toml
rename to images/hook-containerd/etc/containerd/runtime-config.toml
index e76a9b97..ce458e43 100644
--- a/images/hook-containerd/etc/containerd/config.toml
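Review bot: The context comment directly above the changed entry, `# this init container sha has support for volumes`, is now stale: the reference below it is the release tag `linuxkit/init:v1.1.0`, not a build sha, so the comment should read something like `# linuxkit/init v1.1.0 or newer is required for volume support`, or be dropped. Both the old sha-named tag and the new `v1.1.0` are mutable registry tags and this container becomes the boot image's PID 1, so if reproducible boot images are a goal the entry should be pinned by digest, `linuxkit/init:v1.1.0@sha256:<digest>`, with the digest taken from the registry at upgrade time. The `init:` list continues past the end of the hunk, so I cannot see whether the remaining entries are pinned.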
+++ b/images/hook-containerd/etc/containerd/runtime-config.toml
@@ -1,9 +1,10 @@
 # default containerd configuration file, generated via `containerd config default`
+# This file is named runtime-config.toml because thats the way linuxkit init service needs it.
 version = 3
 root = '/var/lib/containerd'
 state = '/run/containerd'
 temp = ''
-disabled_plugins = []
+disabled_plugins = ["cri"]
 required_plugins = []
 oom_score = 0
 imports = []
From 5a618338847495bdab85df8af2d6b529bac39e66 Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Mon, 25 Aug 2025 12:29:24 -0600
Subject: [PATCH 3/4] Fix container image build: The version of Go in that image needs updated.
Signed-off-by: Jacob Weinstock
---
 images/hook-containerd/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/hook-containerd/Dockerfile b/images/hook-containerd/Dockerfile
index 38447c71..c6f9c5e5 100644
--- a/images/hook-containerd/Dockerfile
+++ b/images/hook-containerd/Dockerfile
@@ -10,7 +10,7 @@ ENV CONTAINERD_REPO=https://github.com/containerd/containerd.git
 ENV CONTAINERD_COMMIT=v2.1.3
 ENV NERDCTL_VERSION=2.1.2
 ENV GOPATH=/go
-RUN apk add go=1.24.4-r0 git
+RUN apk add go=1.24.6-r0 git
 RUN mkdir -p $GOPATH/src/github.com/containerd && \
 cd $GOPATH/src/github.com/containerd && \
 git clone https://github.com/containerd/containerd.git && \
From 665a9071db3383eca0a0e19692de075370111a2a Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Mon, 25 Aug 2025 16:34:44 -0600
Subject: [PATCH 4/4] Split out the containerd config files: There is one file that linuxkit/init uses to configure the running of containerd and another that containerd uses to configure itself.
Signed-off-by: Jacob Weinstock
---
 .../etc/containerd/config.toml | 246 +++++++++++++++++
 .../etc/containerd/runtime-config.toml | 251 +-----------------
 2 files changed, 250 insertions(+), 247 deletions(-)
 create mode 100644 images/hook-containerd/etc/containerd/config.toml
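Review bot: `disabled_plugins = ["cri"]` uses a short name, while containerd's `version = 3` config (as far as I can tell) matches entries in this list against full plugin ids such as `io.containerd.grpc.v1.cri`, so this entry likely disables nothing and the CRI warnings the description wants to silence would persist; patch 4/4 on this page switches to the full id, so this only matters if the commits are applied or bisected individually. The new comment also has a typo and says less than it could: `# Named runtime-config.toml because linuxkit/init's service runner reads /etc/containerd/runtime-config.toml at boot` would fix `thats` and record which component consumes the file. Note that the commit description gives the path as `/etc/runtime-config.toml` while the rename places it under `/etc/containerd/`.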
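Review bot: The exact pin `go=1.24.6-r0` is the same pattern that broke the build this commit fixes, and it will break again as soon as Alpine rolls the package; if the intent is a known-good toolchain, build from a pinned `golang:1.24-alpine` stage or use apk's fuzzy constraint (`go=~1.24`) so only the minor series is fixed, and pin `git` on the same line if any pinning is wanted at all. In the surrounding context, `ENV CONTAINERD_COMMIT=v2.1.3` holds a tag rather than a commit, and the `git clone` below fetches whatever that tag currently points to; since this builds the container runtime that every Hook workflow action runs under, resolving the variable to a full commit sha (or verifying the tag's release signature in the build) would make the build reproducible and tamper-evident. The `RUN` that clones containerd continues beyond the end of the hunk.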
diff --git a/images/hook-containerd/etc/containerd/config.toml b/images/hook-containerd/etc/containerd/config.toml
new file mode 100644
index 00000000..72ba9b8f
--- /dev/null
+++ b/images/hook-containerd/etc/containerd/config.toml
@@ -0,0 +1,246 @@ +# default containerd configuration file, generated via `containerd config default` +version = 3 +root = '/var/lib/containerd' +state = '/run/containerd' +temp = '' +disabled_plugins = ["io.containerd.grpc.v1.cri","io.containerd.internal.v1.opt"] +required_plugins = [] +oom_score = 0 +imports = [] + +[grpc] + address = '/run/containerd/containerd.sock' + tcp_address = '' + tcp_tls_ca = '' + tcp_tls_cert = '' + tcp_tls_key = '' + uid = 0 + gid = 0 + max_recv_message_size = 16777216 + max_send_message_size = 16777216 + +[ttrpc] + address = '' + uid = 0 + gid = 0 + +[debug] + address = '' + uid = 0 + gid = 0 + level = '' + format = '' + +[metrics] + address = '' + grpc_histogram = false + +[plugins] + [plugins.'io.containerd.cri.v1.images'] + snapshotter = 'overlayfs' + disable_snapshot_annotations = true + discard_unpacked_layers = false + max_concurrent_downloads = 3 + concurrent_layer_fetch_buffer = 0 + image_pull_progress_timeout = '5m0s' + image_pull_with_sync_fs = false + stats_collect_period = 10 + use_local_image_pull = false + + [plugins.'io.containerd.cri.v1.images'.pinned_images] + sandbox = 'registry.k8s.io/pause:3.10' + + [plugins.'io.containerd.cri.v1.images'.registry] + config_path = '' + + [plugins.'io.containerd.cri.v1.images'.image_decryption] + key_model = 'node' + + [plugins.'io.containerd.cri.v1.runtime'] + enable_selinux = false + selinux_category_range = 1024 + max_container_log_line_size = 16384 + disable_apparmor = false + restrict_oom_score_adj = false + disable_proc_mount = false + unset_seccomp_profile = '' + tolerate_missing_hugetlb_controller = true + disable_hugetlb_controller = true + device_ownership_from_security_context = false + ignore_image_defined_volumes = false + netns_mounts_under_state_dir = false + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + enable_cdi = true + cdi_spec_dirs = ['/etc/cdi', '/var/run/cdi'] + drain_exec_sync_io_timeout = '0s' + ignore_deprecation_warnings = [] + + 
[plugins.'io.containerd.cri.v1.runtime'.containerd] + default_runtime_name = 'runc' + ignore_blockio_not_enabled_errors = false + ignore_rdt_not_enabled_errors = false + + [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes] + [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc] + runtime_type = 'io.containerd.runc.v2' + runtime_path = '' + pod_annotations = [] + container_annotations = [] + privileged_without_host_devices = false + privileged_without_host_devices_all_devices_allowed = false + cgroup_writable = false + base_runtime_spec = '' + cni_conf_dir = '' + cni_max_conf_num = 0 + snapshotter = '' + sandboxer = 'podsandbox' + io_type = '' + + [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options] + BinaryName = '' + CriuImagePath = '' + CriuWorkPath = '' + IoGid = 0 + IoUid = 0 + NoNewKeyring = false + Root = '' + ShimCgroup = '' + + [plugins.'io.containerd.cri.v1.runtime'.cni] + bin_dir = '' + bin_dirs = ['/opt/cni/bin'] + conf_dir = '/etc/cni/net.d' + max_conf_num = 1 + setup_serially = false + conf_template = '' + ip_pref = '' + use_internal_loopback = false + + [plugins.'io.containerd.differ.v1.erofs'] + mkfs_options = [] + + [plugins.'io.containerd.gc.v1.scheduler'] + pause_threshold = 0.02 + deletion_threshold = 0 + mutation_threshold = 100 + schedule_delay = '0s' + startup_delay = '100ms' + + [plugins.'io.containerd.grpc.v1.cri'] + disable_tcp_service = true + stream_server_address = '127.0.0.1' + stream_server_port = '0' + stream_idle_timeout = '4h0m0s' + enable_tls_streaming = false + + [plugins.'io.containerd.grpc.v1.cri'.x509_key_pair_streaming] + tls_cert_file = '' + tls_key_file = '' + + [plugins.'io.containerd.image-verifier.v1.bindir'] + bin_dir = '/opt/containerd/image-verifier/bin' + max_verifiers = 10 + per_verifier_timeout = '10s' + + [plugins.'io.containerd.internal.v1.opt'] + path = '/opt/containerd' + + [plugins.'io.containerd.internal.v1.tracing'] + + [plugins.'io.containerd.metadata.v1.bolt'] + 
content_sharing_policy = 'shared' + no_sync = false + + [plugins.'io.containerd.monitor.container.v1.restart'] + interval = '10s' + + [plugins.'io.containerd.monitor.task.v1.cgroups'] + no_prometheus = false + + [plugins.'io.containerd.nri.v1.nri'] + disable = false + socket_path = '/var/run/nri/nri.sock' + plugin_path = '/opt/nri/plugins' + plugin_config_path = '/etc/nri/conf.d' + plugin_registration_timeout = '5s' + plugin_request_timeout = '2s' + disable_connections = false + + [plugins.'io.containerd.runtime.v2.task'] + platforms = ['linux/amd64'] + + [plugins.'io.containerd.service.v1.diff-service'] + default = ['walking'] + sync_fs = false + + [plugins.'io.containerd.service.v1.tasks-service'] + blockio_config_file = '' + rdt_config_file = '' + + [plugins.'io.containerd.shim.v1.manager'] + env = [] + + [plugins.'io.containerd.snapshotter.v1.blockfile'] + root_path = '' + scratch_file = '' + fs_type = '' + mount_options = [] + recreate_scratch = false + + [plugins.'io.containerd.snapshotter.v1.btrfs'] + root_path = '' + + [plugins.'io.containerd.snapshotter.v1.erofs'] + root_path = '' + ovl_mount_options = [] + enable_fsverity = false + + [plugins.'io.containerd.snapshotter.v1.native'] + root_path = '' + + [plugins.'io.containerd.snapshotter.v1.overlayfs'] + root_path = '' + upperdir_label = false + sync_remove = false + slow_chown = false + mount_options = [] + + [plugins.'io.containerd.snapshotter.v1.zfs'] + root_path = '' + + [plugins.'io.containerd.tracing.processor.v1.otlp'] + + [plugins.'io.containerd.transfer.v1.local'] + max_concurrent_downloads = 3 + concurrent_layer_fetch_buffer = 0 + max_concurrent_uploaded_layers = 3 + check_platform_supported = false + config_path = '' + +[cgroup] + path = '' + +[timeouts] + 'io.containerd.timeout.bolt.open' = '0s' + 'io.containerd.timeout.cri.defercleanup' = '1m0s' + 'io.containerd.timeout.metrics.shimstats' = '2s' + 'io.containerd.timeout.shim.cleanup' = '5s' + 'io.containerd.timeout.shim.load' = '5s' + 
'io.containerd.timeout.shim.shutdown' = '3s' + 'io.containerd.timeout.task.state' = '2s' + +[stream_processors] + [stream_processors.'io.containerd.ocicrypt.decoder.v1.tar'] + accepts = ['application/vnd.oci.image.layer.v1.tar+encrypted'] + returns = 'application/vnd.oci.image.layer.v1.tar' + path = 'ctd-decoder' + args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys'] + env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf'] + + [stream_processors.'io.containerd.ocicrypt.decoder.v1.tar.gzip'] + accepts = ['application/vnd.oci.image.layer.v1.tar+gzip+encrypted'] + returns = 'application/vnd.oci.image.layer.v1.tar+gzip' + path = 'ctd-decoder' + args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys'] + env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf'] diff --git a/images/hook-containerd/etc/containerd/runtime-config.toml b/images/hook-containerd/etc/containerd/runtime-config.toml index ce458e43..74d4b1f2 100644 --- a/images/hook-containerd/etc/containerd/runtime-config.toml +++ b/images/hook-containerd/etc/containerd/runtime-config.toml 
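Review bot: `platforms = ['linux/amd64']` under `[plugins.'io.containerd.runtime.v2.task']` is a host-specific value that `containerd config default` captures from the machine the file was generated on; if this image is also built for arm64, the shipped config advertises the wrong platform, so the line should be removed (containerd then defaults to the running host) unless the restriction is deliberate. NRI is left enabled (`[plugins.'io.containerd.nri.v1.nri'] disable = false`), which has containerd listen on `/var/run/nri/nri.sock` and launch any binaries found in `/opt/nri/plugins`, both of which can rewrite container specs before they start; nothing on this page uses NRI, so I would set `disable = true` there and note why. Only `io.containerd.grpc.v1.cri` is disabled while the `io.containerd.cri.v1.runtime` and `io.containerd.cri.v1.images` sections remain; if those plugins still initialise and emit the warnings the earlier commit wanted gone, they should be added to `disabled_plugins` as well rather than left configured with unused CNI and sandbox-image settings.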
@@ -1,247 +1,4 @@ -# default containerd configuration file, generated via `containerd config default` -# This file is named runtime-config.toml because thats the way linuxkit init service needs it. -version = 3 -root = '/var/lib/containerd' -state = '/run/containerd' -temp = '' -disabled_plugins = ["cri"] -required_plugins = [] -oom_score = 0 -imports = [] - -[grpc] - address = '/run/containerd/containerd.sock' - tcp_address = '' - tcp_tls_ca = '' - tcp_tls_cert = '' - tcp_tls_key = '' - uid = 0 - gid = 0 - max_recv_message_size = 16777216 - max_send_message_size = 16777216 - -[ttrpc] - address = '' - uid = 0 - gid = 0 - -[debug] - address = '' - uid = 0 - gid = 0 - level = '' - format = '' - -[metrics] - address = '' - grpc_histogram = false - -[plugins] - [plugins.'io.containerd.cri.v1.images'] - snapshotter = 'overlayfs' - disable_snapshot_annotations = true - discard_unpacked_layers = false - max_concurrent_downloads = 3 - concurrent_layer_fetch_buffer = 0 - image_pull_progress_timeout = '5m0s' - image_pull_with_sync_fs = false - stats_collect_period = 10 - use_local_image_pull = false - - [plugins.'io.containerd.cri.v1.images'.pinned_images] - sandbox = 'registry.k8s.io/pause:3.10' - - [plugins.'io.containerd.cri.v1.images'.registry] - config_path = '' - - [plugins.'io.containerd.cri.v1.images'.image_decryption] - key_model = 'node' - - [plugins.'io.containerd.cri.v1.runtime'] - enable_selinux = false - selinux_category_range = 1024 - max_container_log_line_size = 16384 - disable_apparmor = false - restrict_oom_score_adj = false - disable_proc_mount = false - unset_seccomp_profile = '' - tolerate_missing_hugetlb_controller = true - disable_hugetlb_controller = true - device_ownership_from_security_context = false - ignore_image_defined_volumes = false - netns_mounts_under_state_dir = false - enable_unprivileged_ports = true - enable_unprivileged_icmp = true - enable_cdi = true - cdi_spec_dirs = ['/etc/cdi', '/var/run/cdi'] - drain_exec_sync_io_timeout = '0s' - 
ignore_deprecation_warnings = [] - - [plugins.'io.containerd.cri.v1.runtime'.containerd] - default_runtime_name = 'runc' - ignore_blockio_not_enabled_errors = false - ignore_rdt_not_enabled_errors = false - - [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes] - [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc] - runtime_type = 'io.containerd.runc.v2' - runtime_path = '' - pod_annotations = [] - container_annotations = [] - privileged_without_host_devices = false - privileged_without_host_devices_all_devices_allowed = false - cgroup_writable = false - base_runtime_spec = '' - cni_conf_dir = '' - cni_max_conf_num = 0 - snapshotter = '' - sandboxer = 'podsandbox' - io_type = '' - - [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options] - BinaryName = '' - CriuImagePath = '' - CriuWorkPath = '' - IoGid = 0 - IoUid = 0 - NoNewKeyring = false - Root = '' - ShimCgroup = '' - - [plugins.'io.containerd.cri.v1.runtime'.cni] - bin_dir = '' - bin_dirs = ['/opt/cni/bin'] - conf_dir = '/etc/cni/net.d' - max_conf_num = 1 - setup_serially = false - conf_template = '' - ip_pref = '' - use_internal_loopback = false - - [plugins.'io.containerd.differ.v1.erofs'] - mkfs_options = [] - - [plugins.'io.containerd.gc.v1.scheduler'] - pause_threshold = 0.02 - deletion_threshold = 0 - mutation_threshold = 100 - schedule_delay = '0s' - startup_delay = '100ms' - - [plugins.'io.containerd.grpc.v1.cri'] - disable_tcp_service = true - stream_server_address = '127.0.0.1' - stream_server_port = '0' - stream_idle_timeout = '4h0m0s' - enable_tls_streaming = false - - [plugins.'io.containerd.grpc.v1.cri'.x509_key_pair_streaming] - tls_cert_file = '' - tls_key_file = '' - - [plugins.'io.containerd.image-verifier.v1.bindir'] - bin_dir = '/opt/containerd/image-verifier/bin' - max_verifiers = 10 - per_verifier_timeout = '10s' - - [plugins.'io.containerd.internal.v1.opt'] - path = '/opt/containerd' - - [plugins.'io.containerd.internal.v1.tracing'] - - 
[plugins.'io.containerd.metadata.v1.bolt'] - content_sharing_policy = 'shared' - no_sync = false - - [plugins.'io.containerd.monitor.container.v1.restart'] - interval = '10s' - - [plugins.'io.containerd.monitor.task.v1.cgroups'] - no_prometheus = false - - [plugins.'io.containerd.nri.v1.nri'] - disable = false - socket_path = '/var/run/nri/nri.sock' - plugin_path = '/opt/nri/plugins' - plugin_config_path = '/etc/nri/conf.d' - plugin_registration_timeout = '5s' - plugin_request_timeout = '2s' - disable_connections = false - - [plugins.'io.containerd.runtime.v2.task'] - platforms = ['linux/amd64'] - - [plugins.'io.containerd.service.v1.diff-service'] - default = ['walking'] - sync_fs = false - - [plugins.'io.containerd.service.v1.tasks-service'] - blockio_config_file = '' - rdt_config_file = '' - - [plugins.'io.containerd.shim.v1.manager'] - env = [] - - [plugins.'io.containerd.snapshotter.v1.blockfile'] - root_path = '' - scratch_file = '' - fs_type = '' - mount_options = [] - recreate_scratch = false - - [plugins.'io.containerd.snapshotter.v1.btrfs'] - root_path = '' - - [plugins.'io.containerd.snapshotter.v1.erofs'] - root_path = '' - ovl_mount_options = [] - enable_fsverity = false - - [plugins.'io.containerd.snapshotter.v1.native'] - root_path = '' - - [plugins.'io.containerd.snapshotter.v1.overlayfs'] - root_path = '' - upperdir_label = false - sync_remove = false - slow_chown = false - mount_options = [] - - [plugins.'io.containerd.snapshotter.v1.zfs'] - root_path = '' - - [plugins.'io.containerd.tracing.processor.v1.otlp'] - - [plugins.'io.containerd.transfer.v1.local'] - max_concurrent_downloads = 3 - concurrent_layer_fetch_buffer = 0 - max_concurrent_uploaded_layers = 3 - check_platform_supported = false - config_path = '' - -[cgroup] - path = '' - -[timeouts] - 'io.containerd.timeout.bolt.open' = '0s' - 'io.containerd.timeout.cri.defercleanup' = '1m0s' - 'io.containerd.timeout.metrics.shimstats' = '2s' - 'io.containerd.timeout.shim.cleanup' = '5s' - 
'io.containerd.timeout.shim.load' = '5s' - 'io.containerd.timeout.shim.shutdown' = '3s' - 'io.containerd.timeout.task.state' = '2s' - -[stream_processors] - [stream_processors.'io.containerd.ocicrypt.decoder.v1.tar'] - accepts = ['application/vnd.oci.image.layer.v1.tar+encrypted'] - returns = 'application/vnd.oci.image.layer.v1.tar' - path = 'ctd-decoder' - args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys'] - env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf'] - - [stream_processors.'io.containerd.ocicrypt.decoder.v1.tar.gzip'] - accepts = ['application/vnd.oci.image.layer.v1.tar+gzip+encrypted'] - returns = 'application/vnd.oci.image.layer.v1.tar+gzip' - path = 'ctd-decoder' - args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys'] - env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf'] +# This file is used by linuxkit/init to configure the start up of containerd +# https://github.com/linuxkit/linuxkit/blob/master/pkg/init/cmd/service/system_init.go +stdout = "/var/log/containerd.out.log" +stderr = "/var/log/containerd.err.log" \ No newline at end of file
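Review bot: The rewritten file has no trailing newline (`\ No newline at end of file`); add one so the next change to `stderr` does not show up as a two-line diff and so line-oriented tools read the last key cleanly. The reference comment links `master`, which will drift away from what `linuxkit/init:v1.1.0` actually parses; pin it to the matching tag, `# https://github.com/linuxkit/linuxkit/blob/v1.1.0/pkg/init/cmd/service/system_init.go`. Given that a full containerd config apparently sat in this slot without causing a startup failure, it would also help future readers to state the contract explicitly, e.g. `# Only the service runtime options are read here; containerd's own settings belong in config.toml`.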