gVisor with container 2.1.0

### Description

Previous issue https://github.com/google/gvisor/issues/11319

What works:

* containerd 2.0 + https://github.com/siderolabs/pkgs/blob/release-1.10/containerd/patches/11741-not-set-sandbox-id-when-use-podsandbox-type.patch
* containerd 2.1 + hacky adapted same patch https://github.com/siderolabs/pkgs/blob/main/containerd/patches/11741-not-set-sandbox-id-when-use-podsandbox-type.patch

What doesn't work:

* containerd 2.1.0 (unpatched)

For the context:

* https://github.com/siderolabs/pkgs/pull/1235
* https://github.com/containerd/containerd/pull/11793

### Steps to reproduce the issue

Launch a pod with gVisor with containerd 2.1.0, let it terminate, and there is a stuck process which "leaks":

```
172.20.0.5  7490  S      9        0.02      1.3 GB   14 MB   system_u:system_r:pod_containerd_t:s0  /usr/local/bin/containerd-shim-runsc-v1 -namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd
```

This process holds references to some filesystems and causes reboot issues.

### Describe the results you received and expected

Expected runsc shim not to leak.

### What version of containerd are you using?

2.1.0

### Any other relevant information

CRI logs:

[cri.log](https://github.com/user-attachments/files/20347824/cri.log)


Runsc logs:

[runsc.tar.gz](https://github.com/user-attachments/files/20347811/runsc.tar.gz)

### Show configuration if it is related to CRI plugin.

```
version = 3

[plugins]
  [plugins.'io.containerd.cri.v1.images']
    discard_unpacked_layers = true
    use_local_image_pull = true

    [plugins.'io.containerd.cri.v1.images'.registry]
      config_path = '/etc/cri/conf.d/hosts'

      [plugins.'io.containerd.cri.v1.images'.registry.configs]

  [plugins.'io.containerd.cri.v1.runtime']
    [plugins.'io.containerd.cri.v1.runtime'.containerd]
      [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes]
        [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc]
          base_runtime_spec = '/etc/cri/conf.d/base-spec.json'

        [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runsc]
          runtime_type = 'io.containerd.runsc.v1'

          [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runsc.options]
            ConfigPath = '/etc/cri/conf.d/runsc.toml'
            TypeUrl = 'io.containerd.runsc.v1.options'

        [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runsc-kvm]
          runtime_type = 'io.containerd.runsc.v1'

          [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runsc-kvm.options]
            ConfigPath = '/etc/cri/conf.d/runsc-kvm.toml'
            TypeUrl = 'io.containerd.runsc.v1.options'

  [plugins.'io.containerd.nri.v1.nri']
    disable = true
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gVisor with container 2.1.0 #11871

Description

Steps to reproduce the issue

Describe the results you received and expected

What version of containerd are you using?

Any other relevant information

Show configuration if it is related to CRI plugin.

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

gVisor with container 2.1.0 #11871

Description

Description

Steps to reproduce the issue

Describe the results you received and expected

What version of containerd are you using?

Any other relevant information

Show configuration if it is related to CRI plugin.

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions