Skip to content

Allow ProxyPlugins to declare capabilities #10313

Closed
#10337
Closed
Allow ProxyPlugins to declare capabilities#10313
#10337
Labels
kind/feature
@Kern--

Description

@Kern--
Kern--
opened on Jun 7, 2024

What is the problem you're trying to solve

When running containers with user namespaces, containerd uses os.Lchown to apply ID mapping to the container rootfs by default:

containerd/client/container_opts_unix.go

Line 114 in 378a502

return os.Lchown(path, u, g)

For fuse-based remote snapshotters like the SOCI snapshotter, the chown is extremely expensive. In my experience it's 10x more expensive than chown with the native overlay snapshotter (even with metacopy=on on the overlay mounts returned from the SOCI snapshotter).

There is an escape hatch here if the snapshotter has the capability to handle id mapping itself:

containerd/client/snapshotter_opts_unix.go

Lines 48 to 53 in 45bc430

for _, capab := range capabs {
if capab == capaRemapIDs {
// Snapshotter supports ID remapping, we don't need to do anything.
return parent, nil
}
}

The problem is that there is no way to advertise capabilities on proxy plugins, so the SOCI snapshotter cannot handle ID mapping itself.

containerd/cmd/containerd/server/config/config.go

Lines 235 to 241 in 378a502

// ProxyPlugin provides a proxy plugin configuration
type ProxyPlugin struct {
Type string `toml:"type"`
Address string `toml:"address"`
Platform string `toml:"platform"`
Exports map[string]string `toml:"exports"`
}

Describe the solution you'd like

I would like the ProxyPlugin config to support capabilities that get passed to the plugin registration.

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/feature

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions