containerd2: add updated multi-snapshotters support patch (#13881)

miz060 · web-flow · commit bc8a975de205 · 2025-06-19T22:38:46.000-07:00
diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec
@@ -5,7 +5,7 @@
 Summary: Industry-standard container runtime
 Name: %{upstream_name}2
 Version: 2.0.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -21,6 +21,7 @@ Patch1:	CVE-2025-27144.patch
 Patch2:	CVE-2024-40635.patch
 Patch3:	CVE-2025-22872.patch
 Patch4:	CVE-2025-47291.patch
+Patch5:	multi-snapshotters-support.patch
 %{?systemd_requires}
 
 BuildRequires: golang
@@ -92,6 +93,9 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Tue Jun 10 2025 Mitch Zhu <mitchzhu@microsoft.com> - 2.0.0-11
+- Add updated multi-snapshotters-support patch
+
 * Fri May 30 2025 Durga Jagadeesh Palli <v-dpalli@microsoft.com> - 2.0.0-10
 - Patch CVE-2025-47291
 
diff --git a/SPECS/containerd2/multi-snapshotters-support.patch b/SPECS/containerd2/multi-snapshotters-support.patch
@@ -0,0 +1,279 @@
+From 5b8c263396b67acc8ea67e22d532e69e04085b35 Mon Sep 17 00:00:00 2001
+From: Mitch Zhu <mitchzhu@microsoft.com>
+Date: Thu, 22 May 2025 23:55:57 +0000
+Subject: [PATCH] Add multi-snapshotter support
+
+---
+ internal/cri/server/container_status_test.go  |  2 +-
+ internal/cri/server/images/image_pull.go      | 37 +++++++++++--------
+ internal/cri/server/images/image_pull_test.go |  2 +-
+ internal/cri/server/podsandbox/controller.go  |  2 +-
+ internal/cri/server/podsandbox/sandbox_run.go | 30 ++++++++-------
+ internal/cri/server/service.go                |  2 +-
+ internal/cri/store/image/image.go             | 29 ++++++++++++---
+ 7 files changed, 66 insertions(+), 38 deletions(-)
+
+diff --git a/internal/cri/server/container_status_test.go b/internal/cri/server/container_status_test.go
+index 05b1650..71dcc10 100644
+--- a/internal/cri/server/container_status_test.go
++++ b/internal/cri/server/container_status_test.go
+@@ -302,7 +302,7 @@ func (s *fakeImageService) LocalResolve(refOrID string) (imagestore.Image, error
+ 
+ func (s *fakeImageService) ImageFSPaths() map[string]string { return make(map[string]string) }
+ 
+-func (s *fakeImageService) PullImage(context.Context, string, func(string) (string, string, error), *runtime.PodSandboxConfig, string) (string, error) {
++func (s *fakeImageService) PullImage(context.Context, string, func(string) (string, string, error), *runtime.PodSandboxConfig, string, string) (string, error) {
+ 	return "", errors.New("not implemented")
+ }
+ 
+diff --git a/internal/cri/server/images/image_pull.go b/internal/cri/server/images/image_pull.go
+index e59b88b..f9c90b7 100644
+--- a/internal/cri/server/images/image_pull.go
++++ b/internal/cri/server/images/image_pull.go
+@@ -96,6 +96,15 @@ import (
+ 
+ // PullImage pulls an image with authentication config.
+ func (c *GRPCCRIImageService) PullImage(ctx context.Context, r *runtime.PullImageRequest) (_ *runtime.PullImageResponse, err error) {
++	imageRef := r.GetImage().GetImage()
++	snapshotter, err := c.snapshotterFromPodSandboxConfig(ctx, imageRef, r.SandboxConfig, r.GetImage().GetRuntimeHandler())
++	if err != nil {
++		return nil, err
++	}
++	return c.pullImage(ctx, r, snapshotter)
++}
++
++func (c *GRPCCRIImageService) pullImage(ctx context.Context, r *runtime.PullImageRequest, snapshotter string) (_ *runtime.PullImageResponse, err error) {
+ 
+ 	imageRef := r.GetImage().GetImage()
+ 
+@@ -110,14 +119,14 @@ func (c *GRPCCRIImageService) PullImage(ctx context.Context, r *runtime.PullImag
+ 		return ParseAuth(hostauth, host)
+ 	}
+ 
+-	ref, err := c.CRIImageService.PullImage(ctx, imageRef, credentials, r.SandboxConfig, r.GetImage().GetRuntimeHandler())
++	ref, err := c.CRIImageService.PullImage(ctx, imageRef, credentials, r.SandboxConfig, r.GetImage().GetRuntimeHandler(), snapshotter)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+ 	return &runtime.PullImageResponse{ImageRef: ref}, nil
+ }
+ 
+-func (c *CRIImageService) PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string) (_ string, err error) {
++func (c *CRIImageService) PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (_ string, err error) {
+ 	span := tracing.SpanFromContext(ctx)
+ 	defer func() {
+ 		// TODO: add domain label for imagePulls metrics, and we may need to provide a mechanism
+@@ -167,10 +176,6 @@ func (c *CRIImageService) PullImage(ctx context.Context, name string, credential
+ 	)
+ 
+ 	defer pcancel()
+-	snapshotter, err := c.snapshotterFromPodSandboxConfig(ctx, ref, sandboxConfig)
+-	if err != nil {
+-		return "", err
+-	}
+ 	log.G(ctx).Debugf("PullImage %q with snapshotter %s", ref, snapshotter)
+ 	span.SetAttributes(
+ 		tracing.Attribute("image.ref", ref),
+@@ -761,17 +766,19 @@ func (rt *pullRequestReporterRoundTripper) RoundTrip(req *http.Request) (*http.R
+ // Once we know the runtime, try to override default snapshotter if it is set for this runtime.
+ // See https://github.com/containerd/containerd/issues/6657
+ func (c *CRIImageService) snapshotterFromPodSandboxConfig(ctx context.Context, imageRef string,
+-	s *runtime.PodSandboxConfig) (string, error) {
++	s *runtime.PodSandboxConfig, runtimeHandler string) (string, error) {
+ 	snapshotter := c.config.Snapshotter
+-	if s == nil || s.Annotations == nil {
+-		return snapshotter, nil
+-	}
+ 
+-	// TODO(kiashok): honor the new CRI runtime handler field added to v0.29.0
+-	// for image pull per runtime class support.
+-	runtimeHandler, ok := s.Annotations[annotations.RuntimeHandler]
+-	if !ok {
+-		return snapshotter, nil
++	if runtimeHandler == "" {
++		if s == nil || s.Annotations == nil {
++			return snapshotter, nil
++		} else {
++			ok := false
++			runtimeHandler, ok = s.Annotations[annotations.RuntimeHandler]
++			if !ok {
++				return snapshotter, nil
++			}
++		}
+ 	}
+ 
+ 	// TODO: Ensure error is returned if runtime not found?
+diff --git a/internal/cri/server/images/image_pull_test.go b/internal/cri/server/images/image_pull_test.go
+index bc79e35..af6a451 100644
+--- a/internal/cri/server/images/image_pull_test.go
++++ b/internal/cri/server/images/image_pull_test.go
+@@ -429,7 +429,7 @@ func TestSnapshotterFromPodSandboxConfig(t *testing.T) {
+ 				Platform:    platforms.DefaultSpec(),
+ 				Snapshotter: runtimeSnapshotter,
+ 			}
+-			snapshotter, err := cri.snapshotterFromPodSandboxConfig(context.Background(), "test-image", tt.podSandboxConfig)
++			snapshotter, err := cri.snapshotterFromPodSandboxConfig(context.Background(), "test-image", tt.podSandboxConfig, "")
+ 			assert.Equal(t, tt.expectedSnapshotter, snapshotter)
+ 			if tt.expectedErr {
+ 				assert.Error(t, err)
+diff --git a/internal/cri/server/podsandbox/controller.go b/internal/cri/server/podsandbox/controller.go
+index a185a4c..8fd032b 100644
+--- a/internal/cri/server/podsandbox/controller.go
++++ b/internal/cri/server/podsandbox/controller.go
+@@ -110,7 +110,7 @@ type RuntimeService interface {
+ type ImageService interface {
+ 	LocalResolve(refOrID string) (imagestore.Image, error)
+ 	GetImage(id string) (imagestore.Image, error)
+-	PullImage(ctx context.Context, name string, creds func(string) (string, string, error), sc *runtime.PodSandboxConfig, runtimeHandler string) (string, error)
++	PullImage(ctx context.Context, name string, creds func(string) (string, string, error), sc *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (string, error)
+ 	RuntimeSnapshotter(ctx context.Context, ociRuntime criconfig.Runtime) string
+ 	PinnedImage(string) string
+ }
+diff --git a/internal/cri/server/podsandbox/sandbox_run.go b/internal/cri/server/podsandbox/sandbox_run.go
+index 53d949f..35e0075 100644
+--- a/internal/cri/server/podsandbox/sandbox_run.go
++++ b/internal/cri/server/podsandbox/sandbox_run.go
+@@ -77,23 +77,25 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
+ 
+ 	sandboxImage := c.getSandboxImageName()
+ 	// Ensure sandbox container image snapshot.
+-	image, err := c.ensureImageExists(ctx, sandboxImage, config, metadata.RuntimeHandler)
++	ociRuntime, err := c.config.GetSandboxRuntime(config, metadata.RuntimeHandler)
+ 	if err != nil {
+-		return cin, fmt.Errorf("failed to get sandbox image %q: %w", sandboxImage, err)
++		return cin, fmt.Errorf("failed to get sandbox runtime: %w", err)
+ 	}
++	log.G(ctx).WithField("podsandboxid", id).Debugf("use OCI runtime %+v", ociRuntime)
+ 
+-	containerdImage, err := c.toContainerdImage(ctx, *image)
++	labels["oci_runtime_type"] = ociRuntime.Type
++
++	snapshotter := c.imageService.RuntimeSnapshotter(ctx, ociRuntime)
++
++	image, err := c.ensureImageExists(ctx, sandboxImage, config, metadata.RuntimeHandler, snapshotter)
+ 	if err != nil {
+-		return cin, fmt.Errorf("failed to get image from containerd %q: %w", image.ID, err)
++		return cin, fmt.Errorf("failed to get sandbox image %q: %w", sandboxImage, err)
+ 	}
+ 
+-	ociRuntime, err := c.config.GetSandboxRuntime(config, metadata.RuntimeHandler)
++	containerdImage, err := c.toContainerdImage(ctx, *image)
+ 	if err != nil {
+-		return cin, fmt.Errorf("failed to get sandbox runtime: %w", err)
++		return cin, fmt.Errorf("failed to get image from containerd %q: %w", image.ID, err)
+ 	}
+-	log.G(ctx).WithField("podsandboxid", id).Debugf("use OCI runtime %+v", ociRuntime)
+-
+-	labels["oci_runtime_type"] = ociRuntime.Type
+ 
+ 	// Create sandbox container root directories.
+ 	sandboxRootDir := c.getSandboxRootDir(id)
+@@ -173,7 +175,7 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
+ 	snapshotterOpt = append(snapshotterOpt, extraSOpts...)
+ 
+ 	opts := []containerd.NewContainerOpts{
+-		containerd.WithSnapshotter(c.imageService.RuntimeSnapshotter(ctx, ociRuntime)),
++		containerd.WithSnapshotter(snapshotter),
+ 		customopts.WithNewSnapshot(id, containerdImage, snapshotterOpt...),
+ 		containerd.WithSpec(spec, specOpts...),
+ 		containerd.WithContainerLabels(sandboxLabels),
+@@ -299,17 +301,19 @@ func (c *Controller) Create(_ctx context.Context, info sandbox.Sandbox, opts ...
+ 	return c.store.Save(podSandbox)
+ }
+ 
+-func (c *Controller) ensureImageExists(ctx context.Context, ref string, config *runtime.PodSandboxConfig, runtimeHandler string) (*imagestore.Image, error) {
++func (c *Controller) ensureImageExists(ctx context.Context, ref string, config *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (*imagestore.Image, error) {
+ 	image, err := c.imageService.LocalResolve(ref)
+ 	if err != nil && !errdefs.IsNotFound(err) {
+ 		return nil, fmt.Errorf("failed to get image %q: %w", ref, err)
+ 	}
+ 	if err == nil {
+-		return &image, nil
++		if _, ok := image.Snapshotters[snapshotter]; ok || len(image.Snapshotters) == 0 {
++			return &image, nil
++		}
+ 	}
+ 	// Pull image to ensure the image exists
+ 	// TODO: Cleaner interface
+-	imageID, err := c.imageService.PullImage(ctx, ref, nil, config, runtimeHandler)
++	imageID, err := c.imageService.PullImage(ctx, ref, nil, config, runtimeHandler, snapshotter)
+ 	if err != nil {
+ 		return nil, fmt.Errorf("failed to pull image %q: %w", ref, err)
+ 	}
+diff --git a/internal/cri/server/service.go b/internal/cri/server/service.go
+index 37d66f0..5d1546e 100644
+--- a/internal/cri/server/service.go
++++ b/internal/cri/server/service.go
+@@ -97,7 +97,7 @@ type RuntimeService interface {
+ type ImageService interface {
+ 	RuntimeSnapshotter(ctx context.Context, ociRuntime criconfig.Runtime) string
+ 
+-	PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string) (string, error)
++	PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (string, error)
+ 	UpdateImage(ctx context.Context, r string) error
+ 
+ 	CheckImages(ctx context.Context) error
+diff --git a/internal/cri/store/image/image.go b/internal/cri/store/image/image.go
+index 5887e75..43ecf0d 100644
+--- a/internal/cri/store/image/image.go
++++ b/internal/cri/store/image/image.go
+@@ -20,6 +20,7 @@ import (
+ 	"context"
+ 	"encoding/json"
+ 	"fmt"
++	"strings"
+ 	"sync"
+ 
+ 	"github.com/containerd/containerd/v2/core/content"
+@@ -53,6 +54,8 @@ type Image struct {
+ 	ImageSpec imagespec.Image
+ 	// Pinned image to prevent it from garbage collection
+ 	Pinned bool
++	// Snapshotters is a map whose keys are snapshotters for which this image has a snapshot.
++	Snapshotters map[string]struct{}
+ }
+ 
+ // Getter is used to get images but does not make changes
+@@ -170,6 +173,19 @@ func (s *Store) getImage(ctx context.Context, i images.Image) (*Image, error) {
+ 		return nil, fmt.Errorf("read image config from content store: %w", err)
+ 	}
+ 
++	info, err := s.provider.Info(ctx, desc.Digest)
++	if err != nil {
++		return nil, fmt.Errorf("get content store config info: %w", err)
++	}
++
++	snapshotters := make(map[string]struct{})
++	for label := range info.Labels {
++		const Prefix = "containerd.io/gc.ref.snapshot."
++		if strings.HasPrefix(label, Prefix) {
++			snapshotters[label[len(Prefix):]] = struct{}{}
++		}
++	}
++
+ 	var spec imagespec.Image
+ 	if err := json.Unmarshal(blob, &spec); err != nil {
+ 		return nil, fmt.Errorf("unmarshal image config %s: %w", blob, err)
+@@ -178,12 +194,13 @@ func (s *Store) getImage(ctx context.Context, i images.Image) (*Image, error) {
+ 	pinned := i.Labels[labels.PinnedImageLabelKey] == labels.PinnedImageLabelValue
+ 
+ 	return &Image{
+-		ID:         id,
+-		References: []string{i.Name},
+-		ChainID:    chainID.String(),
+-		Size:       size,
+-		ImageSpec:  spec,
+-		Pinned:     pinned,
++		ID:           id,
++		References:   []string{i.Name},
++		ChainID:      chainID.String(),
++		Size:         size,
++		ImageSpec:    spec,
++		Pinned:       pinned,
++		Snapshotters: snapshotters,
+ 	}, nil
+ 
+ }
+-- 
+2.34.1
+
