feature: containerd-shim socket path customization #10502

@etungsten

Description

What is the problem you're trying to solve

I am running multiple instances of the containerd daemon on my machine and each containerd instance has its own state directory, e.g. /run/containerd-foo, /run/containerd-bar, and /run/containerd.

containerd-shim however creates the shim socket under the default state directory which is set to /run/containerd:

package shim

import (
	"context"
	"crypto/sha256"
	"fmt"
	"path/filepath"

	// import paths assume the containerd v2 module layout
	"github.com/containerd/containerd/v2/defaults"
	"github.com/containerd/containerd/v2/pkg/namespaces"
)

// socketRoot is fixed at package level; socketPath only feeds the hash below.
const socketRoot = defaults.DefaultStateDir

// SocketAddress returns a socket address
func SocketAddress(ctx context.Context, socketPath, id string, debug bool) (string, error) {
	ns, err := namespaces.NamespaceRequired(ctx)
	if err != nil {
		return "", err
	}
	path := filepath.Join(socketPath, ns, id)
	if debug {
		path = filepath.Join(path, "debug")
	}
	d := sha256.Sum256([]byte(path))
	return fmt.Sprintf("unix://%s/%x", filepath.Join(socketRoot, "s"), d), nil
}

This is an issue because I want some containerd daemon instances to start earlier than the regular containerd daemon and the os.MkdirAll call here to create the shim socket path will end up creating /run/containerd with perms 600 rather than the normal 711:

// path and perm come from the enclosing function (not shown); perm is the
// mode intended for the socket directory, but MkdirAll applies it to every
// missing parent as well.
if err := os.MkdirAll(filepath.Dir(path), perm); err != nil {
	return nil, fmt.Errorf("mkdir failed for %s: %w", path, err)
}

Containers will then fail to start with the original containerd daemon due to permission issues on /run/containerd with errors like:

level=error msg="failed to determined container root: failed to open OCI spec file: open /run/containerd/io.containerd.runtime.v2.task/moby/cf617ef4ce00c3826b3b35b8b7b63797a536c016e47b0a2c6329889348e5e42e/config.json: permission denied": unknown

Describe the solution you'd like

A configuration option to override the state directory or where the shim socket directory should be located. This exists for creating the fifo queue directory: https://pkg.go.dev/github.com/containerd/containerd/[email protected]#WithFIFODir. I would like it for the shim sockets as well.

Additional context

No response
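An added example, not code from the issue or from containerd, that reproduces both points above: the address derivation with a (hypothetical) configurable socketRoot parameter, and the MkdirAll behaviour that gives a freshly created state directory the socket directory's permission. It runs on a scratch temp directory rather than /run.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
)

// shimSocketAddress derives the shim socket address the same way the
// SocketAddress function quoted above does, except that socketRoot is a
// parameter (hypothetical) instead of the package-level defaults.DefaultStateDir.
func shimSocketAddress(socketRoot, socketPath, ns, id string, debug bool) string {
	path := filepath.Join(socketPath, ns, id)
	if debug {
		path = filepath.Join(path, "debug")
	}
	d := sha256.Sum256([]byte(path)) // hash covers socketPath, the directory does not
	return fmt.Sprintf("unix://%s/%x", filepath.Join(socketRoot, "s"), d)
}

// socketDirMode reproduces the os.MkdirAll call from the issue on a throwaway
// state directory: MkdirAll applies perm to every directory it has to create,
// so when the state dir itself is missing it is created with the socket
// permission (0600) rather than the 0711 containerd would normally use.
func socketDirMode(stateDir string, perm os.FileMode) (os.FileMode, error) {
	if err := os.MkdirAll(filepath.Join(stateDir, "s"), perm); err != nil {
		return 0, err
	}
	fi, err := os.Stat(stateDir)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil // effective mode, after umask
}

func main() {
	// Two daemons with different state dirs still put their shim sockets
	// under the same hard-coded root, and whichever starts first sets its mode.
	for _, sp := range []string{"/run/containerd", "/run/containerd-foo"} {
		fmt.Println(shimSocketAddress("/run/containerd", sp, "moby", "task1", false))
	}
	tmp, _ := os.MkdirTemp("", "shim-demo") // constructed scratch dir, not /run
	defer os.RemoveAll(tmp)
	early, _ := socketDirMode(filepath.Join(tmp, "containerd"), 0o600)
	normal, _ := socketDirMode(filepath.Join(tmp, "containerd-ok"), 0o711)
	fmt.Printf("state dir created by shim: %04o, by containerd: %04o\n", early, normal)
}
```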
