Remove v1 runctypes

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2023-03-13 14:12:29 -07:00 · 2023-03-13 14:12:29 -07:00 · 07c2ae12e1
commit 07c2ae12e1
parent c50a3ef043
31 changed files with 106 additions and 2178 deletions
--- a/Protobuild.toml
+++ b/Protobuild.toml
@ -28,14 +28,6 @@ prefixes = [
 ]
 generators = ["go", "go-grpc"]
 # Lock down runc config
 [[descriptors]]
 prefix = "github.com/containerd/containerd/runtime/linux/runctypes"
 target = "runtime/linux/runctypes/next.pb.txt"
 ignore_files = [
 	"google/protobuf/descriptor.proto",
 ]
 [[descriptors]]
 prefix = "github.com/containerd/containerd/runtime/v2/runc/options"
 target = "runtime/v2/runc/options/next.pb.txt"
--- a/client.go
+++ b/client.go
@ -818,23 +818,6 @@ func (c *Client) getSnapshotter(ctx context.Context, name string) (snapshots.Sna
 	return s, nil
 }
 // CheckRuntime returns true if the current runtime matches the expected
 // runtime. Providing various parts of the runtime schema will match those
 // parts of the expected runtime
 func CheckRuntime(current, expected string) bool {
 	cp := strings.Split(current, ".")
 	l := len(cp)
 	for i, p := range strings.Split(expected, ".") {
 		if i > l {
 			return false
 		}
 		if p != cp[i] {
 			return false
 		}
 	}
 	return true
 }
 // GetSnapshotterSupportedPlatforms returns a platform matchers which represents the
 // supported platforms for the given snapshotters
 func (c *Client) GetSnapshotterSupportedPlatforms(ctx context.Context, snapshotterName string) (platforms.MatchComparer, error) {
--- a/cmd/ctr/commands/tasks/checkpoint.go
+++ b/cmd/ctr/commands/tasks/checkpoint.go
@ -22,8 +22,6 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cmd/ctr/commands"
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/urfave/cli"
 )
@ -86,38 +84,21 @@ func withCheckpointOpts(rt string, context *cli.Context) containerd.CheckpointTa
 		imagePath := context.String("image-path")
 		workPath := context.String("work-path")
-		switch rt {
+		if r.Options == nil {
-		case plugin.RuntimeRuncV1, plugin.RuntimeRuncV2:
+			r.Options = &options.CheckpointOptions{}
 			if r.Options == nil {
 				r.Options = &options.CheckpointOptions{}
 			}
 			opts, _ := r.Options.(*options.CheckpointOptions)
 			if context.Bool("exit") {
 				opts.Exit = true
 			}
 			if imagePath != "" {
 				opts.ImagePath = imagePath
 			}
 			if workPath != "" {
 				opts.WorkPath = workPath
 			}
 		case plugin.RuntimeLinuxV1:
 			if r.Options == nil {
 				r.Options = &runctypes.CheckpointOptions{}
 			}
 			opts, _ := r.Options.(*runctypes.CheckpointOptions)
 			if context.Bool("exit") {
 				opts.Exit = true
 			}
 			if imagePath != "" {
 				opts.ImagePath = imagePath
 			}
 			if workPath != "" {
 				opts.WorkPath = workPath
 			}
 		}
 		opts, _ := r.Options.(*options.CheckpointOptions)
 		if context.Bool("exit") {
 			opts.Exit = true
 		}
 		if imagePath != "" {
 			opts.ImagePath = imagePath
 		}
 		if workPath != "" {
 			opts.WorkPath = workPath
 		}
 		return nil
 	}
 }
--- a/integration/client/container_checkpoint_test.go
+++ b/integration/client/container_checkpoint_test.go
@ -32,7 +32,6 @@ import (
 	. "github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/plugin"
 )
 const (
@ -48,9 +47,6 @@ func TestCheckpointRestorePTY(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer client.Close()
 	if client.Runtime() == plugin.RuntimeLinuxV1 {
 		t.Skip()
 	}
 	var (
 		ctx, cancel = testContext(t)
@ -174,9 +170,6 @@ func TestCheckpointRestore(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer client.Close()
 	if client.Runtime() == plugin.RuntimeLinuxV1 {
 		t.Skip()
 	}
 	var (
 		ctx, cancel = testContext(t)
@ -264,9 +257,6 @@ func TestCheckpointRestoreNewContainer(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer client.Close()
 	if client.Runtime() == plugin.RuntimeLinuxV1 {
 		t.Skip()
 	}
 	id := t.Name()
 	ctx, cancel := testContext(t)
@ -354,9 +344,6 @@ func TestCheckpointLeaveRunning(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer client.Close()
 	if client.Runtime() == plugin.RuntimeLinuxV1 {
 		t.Skip()
 	}
 	var (
 		ctx, cancel = testContext(t)
@ -538,9 +525,6 @@ func TestCheckpointOnPauseStatus(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer client.Close()
 	if client.Runtime() == plugin.RuntimeLinuxV1 {
 		t.Skip()
 	}
 	var (
 		ctx, cancel = testContext(t)
--- a/integration/client/container_linux_test.go
+++ b/integration/client/container_linux_test.go
@ -39,7 +39,6 @@ import (
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/containerd/containerd/sys"
 	"github.com/opencontainers/runtime-spec/specs-go"
@ -415,8 +414,6 @@ func writeToFile(t *testing.T, filePath, message string) {
 func getLogDirPath(runtimeVersion, id string) string {
 	switch runtimeVersion {
 	case "v1":
 		return filepath.Join(defaultRoot, plugin.RuntimeLinuxV1, testNamespace, id)
 	case "v2":
 		return filepath.Join(defaultState, "io.containerd.runtime.v2.task", testNamespace, id)
 	default:
@ -1005,49 +1002,6 @@ func TestDaemonRestartWithRunningShim(t *testing.T) {
 	}
 }
 func TestContainerRuntimeOptionsv1(t *testing.T) {
 	t.Parallel()
 	client, err := newClient(t, address)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer client.Close()
 	var (
 		image       Image
 		ctx, cancel = testContext(t)
 		id          = t.Name()
 	)
 	defer cancel()
 	image, err = client.GetImage(ctx, testImage)
 	if err != nil {
 		t.Fatal(err)
 	}
 	container, err := client.NewContainer(
 		ctx, id,
 		WithNewSnapshot(id, image),
 		WithNewSpec(oci.WithImageConfig(image), withExitStatus(7)),
 		WithRuntime(plugin.RuntimeLinuxV1, &runctypes.RuncOptions{Runtime: "no-runc"}),
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer container.Delete(ctx, WithSnapshotCleanup)
 	task, err := container.NewTask(ctx, empty())
 	if err == nil {
 		t.Errorf("task creation should have failed")
 		task.Delete(ctx)
 		return
 	}
 	if !strings.Contains(err.Error(), `"no-runc"`) {
 		t.Errorf("task creation should have failed because of lack of executable. Instead failed with: %v", err.Error())
 	}
 }
 func TestContainerRuntimeOptionsv2(t *testing.T) {
 	t.Parallel()
@ -1073,7 +1027,7 @@ func TestContainerRuntimeOptionsv2(t *testing.T) {
 		ctx, id,
 		WithNewSnapshot(id, image),
 		WithNewSpec(oci.WithImageConfig(image), withExitStatus(7)),
-		WithRuntime(plugin.RuntimeRuncV1, &options.Options{BinaryName: "no-runc"}),
+		WithRuntime(plugin.RuntimeRuncV2, &options.Options{BinaryName: "no-runc"}),
 	)
 	if err != nil {
 		t.Fatal(err)
@ -1161,17 +1115,9 @@ func testUserNamespaces(t *testing.T, readonlyRootFS bool) {
 	}
 	defer container.Delete(ctx, WithSnapshotCleanup)
-	var copts interface{}
+	copts := &options.Options{
-	if CheckRuntime(client.Runtime(), "io.containerd.runc") {
+		IoUid: 1000,
-		copts = &options.Options{
+		IoGid: 2000,
 			IoUid: 1000,
 			IoGid: 2000,
 		}
 	} else {
 		copts = &runctypes.CreateOptions{
 			IoUid: 1000,
 			IoGid: 2000,
 		}
 	}
 	task, err := container.NewTask(ctx, cio.NewCreator(cio.WithStdio), func(_ context.Context, client *Client, r *TaskInfo) error {
--- a/integration/client/container_test.go
+++ b/integration/client/container_test.go
@ -39,7 +39,6 @@ import (
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/containerd/plugin"
 	gogotypes "github.com/containerd/containerd/protobuf/types"
 	_ "github.com/containerd/containerd/runtime"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
@ -670,10 +669,6 @@ func TestKillContainerDeletedByRunc(t *testing.T) {
 	}
 	defer client.Close()
 	if client.Runtime() == plugin.RuntimeLinuxV1 {
 		t.Skip("test relies on runtime v2")
 	}
 	var (
 		image       Image
 		ctx, cancel = testContext(t)
--- a/integration/client/daemon_config_linux_test.go
+++ b/integration/client/daemon_config_linux_test.go
@ -55,7 +55,7 @@ version = 2
 	}
 	id := t.Name()
-	container, err := client.NewContainer(ctx, id, WithNewSnapshot(id, image), WithNewSpec(oci.WithImageConfig(image), withProcessArgs("top")), WithRuntime(plugin.RuntimeRuncV1, &options.Options{
+	container, err := client.NewContainer(ctx, id, WithNewSnapshot(id, image), WithNewSpec(oci.WithImageConfig(image), withProcessArgs("top")), WithRuntime(plugin.RuntimeRuncV2, &options.Options{
 		Root: runtimeRoot,
 	}))
 	if err != nil {
--- a/integration/client/task_opts_unix_test.go
+++ b/integration/client/task_opts_unix_test.go
@ -1,64 +0,0 @@
 //go:build !windows
 /*
   Copyright The containerd Authors.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 */
 package client
 import (
 	"context"
 	"testing"
 	. "github.com/containerd/containerd"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 )
 func TestWithNoNewKeyringAddsNoNewKeyringToOptions(t *testing.T) {
 	var taskInfo TaskInfo
 	var ctx context.Context
 	var client Client
 	err := WithNoNewKeyring(ctx, &client, &taskInfo)
 	if err != nil {
 		t.Fatal(err)
 	}
 	opts := taskInfo.Options.(*runctypes.CreateOptions)
 	if !opts.NoNewKeyring {
 		t.Fatal("NoNewKeyring set on WithNoNewKeyring")
 	}
 }
 func TestWithNoNewKeyringDoesNotOverwriteOtherOptions(t *testing.T) {
 	var taskInfo TaskInfo
 	var ctx context.Context
 	var client Client
 	taskInfo.Options = &runctypes.CreateOptions{NoPivotRoot: true}
 	err := WithNoNewKeyring(ctx, &client, &taskInfo)
 	if err != nil {
 		t.Fatal(err)
 	}
 	opts := taskInfo.Options.(*runctypes.CreateOptions)
 	if !opts.NoPivotRoot {
 		t.Fatal("WithNoNewKeyring overwrote other options")
 	}
 }
--- a/pkg/cri/config/config.go
+++ b/pkg/cri/config/config.go
@ -24,7 +24,6 @@ import (
 	"time"
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/plugin"
 )
 type SandboxControllerMode string
@ -46,10 +45,6 @@ type Runtime struct {
 	// When specified, containerd will ignore runtime name field when resolving shim location.
 	// Path must be abs.
 	Path string `toml:"runtime_path" json:"runtimePath"`
 	// Engine is the name of the runtime engine used by containerd.
 	// This only works for runtime type "io.containerd.runtime.v1.linux".
 	// DEPRECATED: use Options instead. Remove when shim v1 is deprecated.
 	Engine string `toml:"runtime_engine" json:"runtimeEngine"`
 	// PodAnnotations is a list of pod annotations passed to both pod sandbox as well as
 	// container OCI annotations.
 	PodAnnotations []string `toml:"pod_annotations" json:"PodAnnotations"`
@ -57,10 +52,6 @@ type Runtime struct {
 	// Container annotations in CRI are usually generated by other Kubernetes node components (i.e., not users).
 	// Currently, only device plugins populate the annotations.
 	ContainerAnnotations []string `toml:"container_annotations" json:"ContainerAnnotations"`
 	// Root is the directory used by containerd for runtime state.
 	// DEPRECATED: use Options instead. Remove when shim v1 is deprecated.
 	// This only works for runtime type "io.containerd.runtime.v1.linux".
 	Root string `toml:"runtime_root" json:"runtimeRoot"`
 	// Options are config options for the runtime.
 	// If options is loaded from toml config, it will be map[string]interface{}.
 	// Options can be converted into toml.Tree using toml.TreeFromMap().
@ -99,19 +90,10 @@ type ContainerdConfig struct {
 	Snapshotter string `toml:"snapshotter" json:"snapshotter"`
 	// DefaultRuntimeName is the default runtime name to use from the runtimes table.
 	DefaultRuntimeName string `toml:"default_runtime_name" json:"defaultRuntimeName"`
-	// DefaultRuntime is the default runtime to use in containerd.
+
 	// This runtime is used when no runtime handler (or the empty string) is provided.
 	// DEPRECATED: use DefaultRuntimeName instead. Remove in containerd 1.4.
 	DefaultRuntime Runtime `toml:"default_runtime" json:"defaultRuntime"`
 	// UntrustedWorkloadRuntime is a runtime to run untrusted workloads on it.
 	// DEPRECATED: use `untrusted` runtime in Runtimes instead. Remove in containerd 1.4.
 	UntrustedWorkloadRuntime Runtime `toml:"untrusted_workload_runtime" json:"untrustedWorkloadRuntime"`
 	// Runtimes is a map from CRI RuntimeHandler strings, which specify types of runtime
 	// configurations, to the matching configurations.
 	Runtimes map[string]Runtime `toml:"runtimes" json:"runtimes"`
 	// NoPivot disables pivot-root (linux only), required when running a container in a RamDisk with runc
 	// This only works for runtime type "io.containerd.runtime.v1.linux".
 	NoPivot bool `toml:"no_pivot" json:"noPivot"`
 	// DisableSnapshotAnnotations disables to pass additional annotations (image
 	// related information) to snapshotters. These annotations are required by
@ -274,10 +256,6 @@ type PluginConfig struct {
 	SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 	// StatsCollectPeriod is the period (in seconds) of snapshots stats collection.
 	StatsCollectPeriod int `toml:"stats_collect_period" json:"statsCollectPeriod"`
 	// SystemdCgroup enables systemd cgroup support.
 	// This only works for runtime type "io.containerd.runtime.v1.linux".
 	// DEPRECATED: config runc runtime handler instead. Remove when shim v1 is deprecated.
 	SystemdCgroup bool `toml:"systemd_cgroup" json:"systemdCgroup"`
 	// EnableTLSStreaming indicates to enable the TLS streaming support.
 	EnableTLSStreaming bool `toml:"enable_tls_streaming" json:"enableTLSStreaming"`
 	// X509KeyPairStreaming is a x509 key pair used for TLS streaming
@ -401,22 +379,6 @@ func ValidatePluginConfig(ctx context.Context, c *PluginConfig) error {
 		c.ContainerdConfig.Runtimes = make(map[string]Runtime)
 	}
 	// Validation for deprecated untrusted_workload_runtime.
 	if c.ContainerdConfig.UntrustedWorkloadRuntime.Type != "" {
 		log.G(ctx).Warning("`untrusted_workload_runtime` is deprecated, please use `untrusted` runtime in `runtimes` instead")
 		if _, ok := c.ContainerdConfig.Runtimes[RuntimeUntrusted]; ok {
 			return fmt.Errorf("conflicting definitions: configuration includes both `untrusted_workload_runtime` and `runtimes[%q]`", RuntimeUntrusted)
 		}
 		c.ContainerdConfig.Runtimes[RuntimeUntrusted] = c.ContainerdConfig.UntrustedWorkloadRuntime
 	}
 	// Validation for deprecated default_runtime field.
 	if c.ContainerdConfig.DefaultRuntime.Type != "" {
 		log.G(ctx).Warning("`default_runtime` is deprecated, please use `default_runtime_name` to reference the default configuration you have defined in `runtimes`")
 		c.ContainerdConfig.DefaultRuntimeName = RuntimeDefault
 		c.ContainerdConfig.Runtimes[RuntimeDefault] = c.ContainerdConfig.DefaultRuntime
 	}
 	// Validation for default_runtime_name
 	if c.ContainerdConfig.DefaultRuntimeName == "" {
 		return errors.New("`default_runtime_name` is empty")
@ -425,33 +387,7 @@ func ValidatePluginConfig(ctx context.Context, c *PluginConfig) error {
 		return fmt.Errorf("no corresponding runtime configured in `containerd.runtimes` for `containerd` `default_runtime_name = \"%s\"", c.ContainerdConfig.DefaultRuntimeName)
 	}
 	// Validation for deprecated runtime options.
 	if c.SystemdCgroup {
 		if c.ContainerdConfig.Runtimes[c.ContainerdConfig.DefaultRuntimeName].Type != plugin.RuntimeLinuxV1 {
 			return fmt.Errorf("`systemd_cgroup` only works for runtime %s", plugin.RuntimeLinuxV1)
 		}
 		log.G(ctx).Warning("`systemd_cgroup` is deprecated, please use runtime `options` instead")
 	}
 	if c.NoPivot {
 		if c.ContainerdConfig.Runtimes[c.ContainerdConfig.DefaultRuntimeName].Type != plugin.RuntimeLinuxV1 {
 			return fmt.Errorf("`no_pivot` only works for runtime %s", plugin.RuntimeLinuxV1)
 		}
 		// NoPivot can't be deprecated yet, because there is no alternative config option
 		// for `io.containerd.runtime.v1.linux`.
 	}
 	for k, r := range c.ContainerdConfig.Runtimes {
 		if r.Engine != "" {
 			if r.Type != plugin.RuntimeLinuxV1 {
 				return fmt.Errorf("`runtime_engine` only works for runtime %s", plugin.RuntimeLinuxV1)
 			}
 			log.G(ctx).Warning("`runtime_engine` is deprecated, please use runtime `options` instead")
 		}
 		if r.Root != "" {
 			if r.Type != plugin.RuntimeLinuxV1 {
 				return fmt.Errorf("`runtime_root` only works for runtime %s", plugin.RuntimeLinuxV1)
 			}
 			log.G(ctx).Warning("`runtime_root` is deprecated, please use runtime `options` instead")
 		}
 		if !r.PrivilegedWithoutHostDevices && r.PrivilegedWithoutHostDevicesAllDevicesAllowed {
 			return errors.New("`privileged_without_host_devices_all_devices_allowed` requires `privileged_without_host_devices` to be enabled")
 		}
--- a/pkg/cri/config/config_test.go
+++ b/pkg/cri/config/config_test.go
@ -18,10 +18,8 @@ package config
 import (
 	"context"
 	"fmt"
 	"testing"
 	"github.com/containerd/containerd/plugin"
 	"github.com/stretchr/testify/assert"
 )
@ -31,81 +29,6 @@ func TestValidateConfig(t *testing.T) {
 		expectedErr string
 		expected    *PluginConfig
 	}{
 		"deprecated untrusted_workload_runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					UntrustedWorkloadRuntime: Runtime{
 						Type: "untrusted",
 					},
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type: "default",
 						},
 					},
 				},
 			},
 			expected: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					UntrustedWorkloadRuntime: Runtime{
 						Type: "untrusted",
 					},
 					Runtimes: map[string]Runtime{
 						RuntimeUntrusted: {
 							Type:        "untrusted",
 							SandboxMode: string(ModePodSandbox),
 						},
 						RuntimeDefault: {
 							Type:        "default",
 							SandboxMode: string(ModePodSandbox),
 						},
 					},
 				},
 			},
 		},
 		"both untrusted_workload_runtime and runtime[untrusted]": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					UntrustedWorkloadRuntime: Runtime{
 						Type: "untrusted-1",
 					},
 					Runtimes: map[string]Runtime{
 						RuntimeUntrusted: {
 							Type: "untrusted-2",
 						},
 						RuntimeDefault: {
 							Type: "default",
 						},
 					},
 				},
 			},
 			expectedErr: fmt.Sprintf("conflicting definitions: configuration includes both `untrusted_workload_runtime` and `runtimes[%q]`", RuntimeUntrusted),
 		},
 		"deprecated default_runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntime: Runtime{
 						Type: "default",
 					},
 				},
 			},
 			expected: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntime: Runtime{
 						Type: "default",
 					},
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type:        "default",
 							SandboxMode: string(ModePodSandbox),
 						},
 					},
 				},
 			},
 		},
 		"no default_runtime_name": {
 			config:      &PluginConfig{},
 			expectedErr: "`default_runtime_name` is empty",
@ -118,170 +41,13 @@ func TestValidateConfig(t *testing.T) {
 			},
 			expectedErr: "no corresponding runtime configured in `containerd.runtimes` for `containerd` `default_runtime_name = \"default\"",
 		},
-		"deprecated systemd_cgroup for v1 runtime": {
+
 			config: &PluginConfig{
 				SystemdCgroup: true,
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type: plugin.RuntimeLinuxV1,
 						},
 					},
 				},
 			},
 			expected: &PluginConfig{
 				SystemdCgroup: true,
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type:        plugin.RuntimeLinuxV1,
 							SandboxMode: string(ModePodSandbox),
 						},
 					},
 				},
 			},
 		},
 		"deprecated systemd_cgroup for v2 runtime": {
 			config: &PluginConfig{
 				SystemdCgroup: true,
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type: plugin.RuntimeRuncV1,
 						},
 					},
 				},
 			},
 			expectedErr: fmt.Sprintf("`systemd_cgroup` only works for runtime %s", plugin.RuntimeLinuxV1),
 		},
 		"no_pivot for v1 runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					NoPivot:            true,
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type: plugin.RuntimeLinuxV1,
 						},
 					},
 				},
 			},
 			expected: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					NoPivot:            true,
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type:        plugin.RuntimeLinuxV1,
 							SandboxMode: string(ModePodSandbox),
 						},
 					},
 				},
 			},
 		},
 		"no_pivot for v2 runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					NoPivot:            true,
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type: plugin.RuntimeRuncV1,
 						},
 					},
 				},
 			},
 			expectedErr: fmt.Sprintf("`no_pivot` only works for runtime %s", plugin.RuntimeLinuxV1),
 		},
 		"deprecated runtime_engine for v1 runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Engine: "runc",
 							Type:   plugin.RuntimeLinuxV1,
 						},
 					},
 				},
 			},
 			expected: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Engine:      "runc",
 							Type:        plugin.RuntimeLinuxV1,
 							SandboxMode: string(ModePodSandbox),
 						},
 					},
 				},
 			},
 		},
 		"deprecated runtime_engine for v2 runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Engine: "runc",
 							Type:   plugin.RuntimeRuncV1,
 						},
 					},
 				},
 			},
 			expectedErr: fmt.Sprintf("`runtime_engine` only works for runtime %s", plugin.RuntimeLinuxV1),
 		},
 		"deprecated runtime_root for v1 runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Root: "/run/containerd/runc",
 							Type: plugin.RuntimeLinuxV1,
 						},
 					},
 				},
 			},
 			expected: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Root:        "/run/containerd/runc",
 							Type:        plugin.RuntimeLinuxV1,
 							SandboxMode: string(ModePodSandbox),
 						},
 					},
 				},
 			},
 		},
 		"deprecated runtime_root for v2 runtime": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Root: "/run/containerd/runc",
 							Type: plugin.RuntimeRuncV1,
 						},
 					},
 				},
 			},
 			expectedErr: fmt.Sprintf("`runtime_root` only works for runtime %s", plugin.RuntimeLinuxV1),
 		},
 		"deprecated auths": {
 			config: &PluginConfig{
 				ContainerdConfig: ContainerdConfig{
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
-						RuntimeDefault: {
+						RuntimeDefault: {},
 							Type: plugin.RuntimeRuncV1,
 						},
 					},
 				},
 				Registry: Registry{
@ -295,7 +61,6 @@ func TestValidateConfig(t *testing.T) {
 					DefaultRuntimeName: RuntimeDefault,
 					Runtimes: map[string]Runtime{
 						RuntimeDefault: {
 							Type:        plugin.RuntimeRuncV1,
 							SandboxMode: string(ModePodSandbox),
 						},
 					},
--- a/pkg/cri/config/config_unix.go
+++ b/pkg/cri/config/config_unix.go
@ -29,9 +29,6 @@ import (
 // DefaultConfig returns default configurations of cri plugin.
 func DefaultConfig() PluginConfig {
 	defaultRuncV2Opts := `
 	# NoPivotRoot disables pivot root when creating a container.
 	NoPivotRoot = false
 	# NoNewKeyring disables new keyring for the container.
 	NoNewKeyring = false
@ -53,9 +50,6 @@ func DefaultConfig() PluginConfig {
 	# CriuPath is the criu binary path.
 	CriuPath = ""
 	# SystemdCgroup enables systemd cgroups.
 	SystemdCgroup = false
 	# CriuImagePath is the criu image path
 	CriuImagePath = ""
@ -74,7 +68,6 @@ func DefaultConfig() PluginConfig {
 		ContainerdConfig: ContainerdConfig{
 			Snapshotter:        containerd.DefaultSnapshotter,
 			DefaultRuntimeName: "runc",
 			NoPivot:            false,
 			Runtimes: map[string]Runtime{
 				"runc": {
 					Type:        "io.containerd.runc.v2",
@ -97,7 +90,6 @@ func DefaultConfig() PluginConfig {
 		},
 		SandboxImage:                     "registry.k8s.io/pause:3.8",
 		StatsCollectPeriod:               10,
 		SystemdCgroup:                    false,
 		MaxContainerLogLineSize:          16 * 1024,
 		MaxConcurrentDownloads:           3,
 		DisableProcMount:                 false,
--- a/pkg/cri/opts/task.go
+++ b/pkg/cri/opts/task.go
@ -1,38 +0,0 @@
 /*
   Copyright The containerd Authors.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 */
 package opts
 import (
 	"context"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 )
 // WithContainerdShimCgroup returns function that sets the containerd
 // shim cgroup path
 func WithContainerdShimCgroup(path string) containerd.NewTaskOpts {
 	return func(_ context.Context, _ *containerd.Client, r *containerd.TaskInfo) error {
 		r.Options = &runctypes.CreateOptions{
 			ShimCgroup: path,
 		}
 		return nil
 	}
 }
 //TODO: Since Options is an interface different WithXXX will be needed to set different
 // combinations of CreateOptions.
--- a/pkg/cri/sbserver/helpers.go
+++ b/pkg/cri/sbserver/helpers.go
@ -42,7 +42,6 @@ import (
 	runtimeoptions "github.com/containerd/containerd/pkg/runtimeoptions/v1"
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/reference/docker"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
 	runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
@ -330,15 +329,7 @@ func parseImageReferences(refs []string) ([]string, []string) {
 // generateRuntimeOptions generates runtime options from cri plugin config.
 func generateRuntimeOptions(r criconfig.Runtime, c criconfig.Config) (interface{}, error) {
 	if r.Options == nil {
-		if r.Type != plugin.RuntimeLinuxV1 {
+		return nil, nil
 			return nil, nil
 		}
 		// This is a legacy config, generate runctypes.RuncOptions.
 		return &runctypes.RuncOptions{
 			Runtime:       r.Engine,
 			RuntimeRoot:   r.Root,
 			SystemdCgroup: c.SystemdCgroup,
 		}, nil
 	}
 	optionsTree, err := toml.TreeFromMap(r.Options)
 	if err != nil {
@ -364,12 +355,8 @@ func generateRuntimeOptions(r criconfig.Runtime, c criconfig.Config) (interface{
 // getRuntimeOptionsType gets empty runtime options by the runtime type name.
 func getRuntimeOptionsType(t string) interface{} {
 	switch t {
 	case plugin.RuntimeRuncV1:
 		fallthrough
 	case plugin.RuntimeRuncV2:
 		return &runcoptions.Options{}
 	case plugin.RuntimeLinuxV1:
 		return &runctypes.RuncOptions{}
 	case runtimeRunhcsV1:
 		return &runhcsoptions.Options{}
 	default:
--- a/pkg/cri/sbserver/helpers_test.go
+++ b/pkg/cri/sbserver/helpers_test.go
@ -35,7 +35,6 @@ import (
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/protobuf/types"
 	"github.com/containerd/containerd/reference/docker"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/containerd/typeurl/v2"
@ -210,10 +209,6 @@ systemd_cgroup = true
 [containerd]
  no_pivot = true
  default_runtime_name = "default"
 [containerd.runtimes.legacy]
  runtime_type = "` + plugin.RuntimeLinuxV1 + `"
 [containerd.runtimes.runc]
  runtime_type = "` + plugin.RuntimeRuncV1 + `"
 [containerd.runtimes.runcv2]
  runtime_type = "` + plugin.RuntimeRuncV2 + `"
 `
@ -222,13 +217,9 @@ systemd_cgroup = true
 [containerd]
  no_pivot = true
  default_runtime_name = "default"
 [containerd.runtimes.legacy]
  runtime_type = "` + plugin.RuntimeLinuxV1 + `"
 [containerd.runtimes.legacy.options]
  Runtime = "legacy"
  RuntimeRoot = "/legacy"
 [containerd.runtimes.runc]
  runtime_type = "` + plugin.RuntimeRuncV1 + `"
 [containerd.runtimes.runc.options]
  BinaryName = "runc"
  Root = "/runc"
@ -245,7 +236,7 @@ systemd_cgroup = true
 	require.NoError(t, err)
 	err = tree.Unmarshal(&nilOptsConfig)
 	require.NoError(t, err)
-	require.Len(t, nilOptsConfig.Runtimes, 3)
+	require.Len(t, nilOptsConfig.Runtimes, 1)
 	tree, err = toml.Load(nonNilOpts)
 	require.NoError(t, err)
@ -258,32 +249,11 @@ systemd_cgroup = true
 		c               criconfig.Config
 		expectedOptions interface{}
 	}{
 		"when options is nil, should return nil option for io.containerd.runc.v1": {
 			r:               nilOptsConfig.Runtimes["runc"],
 			c:               nilOptsConfig,
 			expectedOptions: nil,
 		},
 		"when options is nil, should return nil option for io.containerd.runc.v2": {
 			r:               nilOptsConfig.Runtimes["runcv2"],
 			c:               nilOptsConfig,
 			expectedOptions: nil,
 		},
 		"when options is nil, should use legacy fields for legacy runtime": {
 			r: nilOptsConfig.Runtimes["legacy"],
 			c: nilOptsConfig,
 			expectedOptions: &runctypes.RuncOptions{
 				SystemdCgroup: true,
 			},
 		},
 		"when options is not nil, should be able to decode for io.containerd.runc.v1": {
 			r: nonNilOptsConfig.Runtimes["runc"],
 			c: nonNilOptsConfig,
 			expectedOptions: &runcoptions.Options{
 				BinaryName:   "runc",
 				Root:         "/runc",
 				NoNewKeyring: true,
 			},
 		},
 		"when options is not nil, should be able to decode for io.containerd.runc.v2": {
 			r: nonNilOptsConfig.Runtimes["runcv2"],
 			c: nonNilOptsConfig,
@ -293,14 +263,6 @@ systemd_cgroup = true
 				NoNewKeyring: true,
 			},
 		},
 		"when options is not nil, should be able to decode for legacy runtime": {
 			r: nonNilOptsConfig.Runtimes["legacy"],
 			c: nonNilOptsConfig,
 			expectedOptions: &runctypes.RuncOptions{
 				Runtime:     "legacy",
 				RuntimeRoot: "/legacy",
 			},
 		},
 	} {
 		t.Run(desc, func(t *testing.T) {
 			opts, err := generateRuntimeOptions(test.r, test.c)
--- a/pkg/cri/server/helpers.go
+++ b/pkg/cri/server/helpers.go
@ -37,7 +37,6 @@ import (
 	runtimeoptions "github.com/containerd/containerd/pkg/runtimeoptions/v1"
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/reference/docker"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/containerd/typeurl/v2"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
@ -338,15 +337,7 @@ func parseImageReferences(refs []string) ([]string, []string) {
 // generateRuntimeOptions generates runtime options from cri plugin config.
 func generateRuntimeOptions(r criconfig.Runtime, c criconfig.Config) (interface{}, error) {
 	if r.Options == nil {
-		if r.Type != plugin.RuntimeLinuxV1 {
+		return nil, nil
 			return nil, nil
 		}
 		// This is a legacy config, generate runctypes.RuncOptions.
 		return &runctypes.RuncOptions{
 			Runtime:       r.Engine,
 			RuntimeRoot:   r.Root,
 			SystemdCgroup: c.SystemdCgroup,
 		}, nil
 	}
 	optionsTree, err := toml.TreeFromMap(r.Options)
 	if err != nil {
@ -372,12 +363,8 @@ func generateRuntimeOptions(r criconfig.Runtime, c criconfig.Config) (interface{
 // getRuntimeOptionsType gets empty runtime options by the runtime type name.
 func getRuntimeOptionsType(t string) interface{} {
 	switch t {
 	case plugin.RuntimeRuncV1:
 		fallthrough
 	case plugin.RuntimeRuncV2:
 		return &runcoptions.Options{}
 	case plugin.RuntimeLinuxV1:
 		return &runctypes.RuncOptions{}
 	case runtimeRunhcsV1:
 		return &runhcsoptions.Options{}
 	default:
--- a/pkg/cri/server/helpers_test.go
+++ b/pkg/cri/server/helpers_test.go
@ -33,7 +33,6 @@ import (
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/protobuf/types"
 	"github.com/containerd/containerd/reference/docker"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/containerd/typeurl/v2"
@ -210,10 +209,6 @@ systemd_cgroup = true
 [containerd]
  no_pivot = true
  default_runtime_name = "default"
 [containerd.runtimes.legacy]
  runtime_type = "` + plugin.RuntimeLinuxV1 + `"
 [containerd.runtimes.runc]
  runtime_type = "` + plugin.RuntimeRuncV1 + `"
 [containerd.runtimes.runcv2]
  runtime_type = "` + plugin.RuntimeRuncV2 + `"
 `
@ -222,13 +217,9 @@ systemd_cgroup = true
 [containerd]
  no_pivot = true
  default_runtime_name = "default"
 [containerd.runtimes.legacy]
  runtime_type = "` + plugin.RuntimeLinuxV1 + `"
 [containerd.runtimes.legacy.options]
  Runtime = "legacy"
  RuntimeRoot = "/legacy"
 [containerd.runtimes.runc]
  runtime_type = "` + plugin.RuntimeRuncV1 + `"
 [containerd.runtimes.runc.options]
  BinaryName = "runc"
  Root = "/runc"
@ -258,32 +249,11 @@ systemd_cgroup = true
 		c               criconfig.Config
 		expectedOptions interface{}
 	}{
 		"when options is nil, should return nil option for io.containerd.runc.v1": {
 			r:               nilOptsConfig.Runtimes["runc"],
 			c:               nilOptsConfig,
 			expectedOptions: nil,
 		},
 		"when options is nil, should return nil option for io.containerd.runc.v2": {
 			r:               nilOptsConfig.Runtimes["runcv2"],
 			c:               nilOptsConfig,
 			expectedOptions: nil,
 		},
 		"when options is nil, should use legacy fields for legacy runtime": {
 			r: nilOptsConfig.Runtimes["legacy"],
 			c: nilOptsConfig,
 			expectedOptions: &runctypes.RuncOptions{
 				SystemdCgroup: true,
 			},
 		},
 		"when options is not nil, should be able to decode for io.containerd.runc.v1": {
 			r: nonNilOptsConfig.Runtimes["runc"],
 			c: nonNilOptsConfig,
 			expectedOptions: &runcoptions.Options{
 				BinaryName:   "runc",
 				Root:         "/runc",
 				NoNewKeyring: true,
 			},
 		},
 		"when options is not nil, should be able to decode for io.containerd.runc.v2": {
 			r: nonNilOptsConfig.Runtimes["runcv2"],
 			c: nonNilOptsConfig,
@ -293,14 +263,6 @@ systemd_cgroup = true
 				NoNewKeyring: true,
 			},
 		},
 		"when options is not nil, should be able to decode for legacy runtime": {
 			r: nonNilOptsConfig.Runtimes["legacy"],
 			c: nonNilOptsConfig,
 			expectedOptions: &runctypes.RuncOptions{
 				Runtime:     "legacy",
 				RuntimeRoot: "/legacy",
 			},
 		},
 	} {
 		t.Run(desc, func(t *testing.T) {
 			opts, err := generateRuntimeOptions(test.r, test.c)
--- a/pkg/cri/server/sandbox_run_test.go
+++ b/pkg/cri/server/sandbox_run_test.go
@ -29,8 +29,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"github.com/containerd/containerd/pkg/cri/annotations"
 	criconfig "github.com/containerd/containerd/pkg/cri/config"
 	sandboxstore "github.com/containerd/containerd/pkg/cri/store/sandbox"
 )
@ -361,166 +359,3 @@ func TestHostAccessingSandbox(t *testing.T) {
 		})
 	}
 }
 func TestGetSandboxRuntime(t *testing.T) {
 	untrustedWorkloadRuntime := criconfig.Runtime{
 		Type:   "io.containerd.runtime.v1.linux",
 		Engine: "untrusted-workload-runtime",
 		Root:   "",
 	}
 	defaultRuntime := criconfig.Runtime{
 		Type:   "io.containerd.runtime.v1.linux",
 		Engine: "default-runtime",
 		Root:   "",
 	}
 	fooRuntime := criconfig.Runtime{
 		Type:   "io.containerd.runtime.v1.linux",
 		Engine: "foo-bar",
 		Root:   "",
 	}
 	for desc, test := range map[string]struct {
 		sandboxConfig   *runtime.PodSandboxConfig
 		runtimeHandler  string
 		runtimes        map[string]criconfig.Runtime
 		expectErr       bool
 		expectedRuntime criconfig.Runtime
 	}{
 		"should return error if untrusted workload requires host access": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Linux: &runtime.LinuxPodSandboxConfig{
 					SecurityContext: &runtime.LinuxSandboxSecurityContext{
 						Privileged: false,
 						NamespaceOptions: &runtime.NamespaceOption{
 							Network: runtime.NamespaceMode_NODE,
 							Pid:     runtime.NamespaceMode_NODE,
 							Ipc:     runtime.NamespaceMode_NODE,
 						},
 					},
 				},
 				Annotations: map[string]string{
 					annotations.UntrustedWorkload: "true",
 				},
 			},
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault:   defaultRuntime,
 				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
 			},
 			expectErr: true,
 		},
 		"should use untrusted workload runtime for untrusted workload": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Annotations: map[string]string{
 					annotations.UntrustedWorkload: "true",
 				},
 			},
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault:   defaultRuntime,
 				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
 			},
 			expectedRuntime: untrustedWorkloadRuntime,
 		},
 		"should use default runtime for regular workload": {
 			sandboxConfig: &runtime.PodSandboxConfig{},
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault: defaultRuntime,
 			},
 			expectedRuntime: defaultRuntime,
 		},
 		"should use default runtime for trusted workload": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Annotations: map[string]string{
 					annotations.UntrustedWorkload: "false",
 				},
 			},
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault:   defaultRuntime,
 				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
 			},
 			expectedRuntime: defaultRuntime,
 		},
 		"should return error if untrusted workload runtime is required but not configured": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Annotations: map[string]string{
 					annotations.UntrustedWorkload: "true",
 				},
 			},
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault: defaultRuntime,
 			},
 			expectErr: true,
 		},
 		"should use 'untrusted' runtime for untrusted workload": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Annotations: map[string]string{
 					annotations.UntrustedWorkload: "true",
 				},
 			},
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault:   defaultRuntime,
 				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
 			},
 			expectedRuntime: untrustedWorkloadRuntime,
 		},
 		"should use 'untrusted' runtime for untrusted workload & handler": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Annotations: map[string]string{
 					annotations.UntrustedWorkload: "true",
 				},
 			},
 			runtimeHandler: "untrusted",
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault:   defaultRuntime,
 				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
 			},
 			expectedRuntime: untrustedWorkloadRuntime,
 		},
 		"should return an error if untrusted annotation with conflicting handler": {
 			sandboxConfig: &runtime.PodSandboxConfig{
 				Annotations: map[string]string{
 					annotations.UntrustedWorkload: "true",
 				},
 			},
 			runtimeHandler: "foo",
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault:   defaultRuntime,
 				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
 				"foo":                      fooRuntime,
 			},
 			expectErr: true,
 		},
 		"should use correct runtime for a runtime handler": {
 			sandboxConfig:  &runtime.PodSandboxConfig{},
 			runtimeHandler: "foo",
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault:   defaultRuntime,
 				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
 				"foo":                      fooRuntime,
 			},
 			expectedRuntime: fooRuntime,
 		},
 		"should return error if runtime handler is required but not configured": {
 			sandboxConfig:  &runtime.PodSandboxConfig{},
 			runtimeHandler: "bar",
 			runtimes: map[string]criconfig.Runtime{
 				criconfig.RuntimeDefault: defaultRuntime,
 				"foo":                    fooRuntime,
 			},
 			expectErr: true,
 		},
 	} {
 		t.Run(desc, func(t *testing.T) {
 			cri := newTestCRIService()
 			cri.config = criconfig.Config{
 				PluginConfig: criconfig.DefaultConfig(),
 			}
 			cri.config.ContainerdConfig.DefaultRuntimeName = criconfig.RuntimeDefault
 			cri.config.ContainerdConfig.Runtimes = test.runtimes
 			r, err := cri.getSandboxRuntime(test.sandboxConfig, test.runtimeHandler)
 			assert.Equal(t, test.expectErr, err != nil)
 			assert.Equal(t, test.expectedRuntime, r)
 		})
 	}
 }
--- a/plugin/plugin.go
+++ b/plugin/plugin.go
@ -93,10 +93,6 @@ const (
 )
 const (
 	// RuntimeLinuxV1 is the legacy linux runtime
 	RuntimeLinuxV1 = "io.containerd.runtime.v1.linux"
 	// RuntimeRuncV1 is the runc runtime that supports a single container
 	RuntimeRuncV1 = "io.containerd.runc.v1"
 	// RuntimeRuncV2 is the runc runtime that supports multiple containers per shim
 	RuntimeRuncV2 = "io.containerd.runc.v2"
 )
--- a/runtime/linux/runctypes/1.0.pb.txt
+++ b/runtime/linux/runctypes/1.0.pb.txt
@ -1,183 +0,0 @@
 file {
  name: "github.com/containerd/containerd/linux/runctypes/runc.proto"
  package: "containerd.linux.runc"
  dependency: "gogoproto/gogo.proto"
  message_type {
    name: "RuncOptions"
    field {
      name: "runtime"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "runtime"
    }
    field {
      name: "runtime_root"
      number: 2
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "runtimeRoot"
    }
    field {
      name: "criu_path"
      number: 3
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "criuPath"
    }
    field {
      name: "systemd_cgroup"
      number: 4
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "systemdCgroup"
    }
  }
  message_type {
    name: "CreateOptions"
    field {
      name: "no_pivot_root"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "noPivotRoot"
    }
    field {
      name: "open_tcp"
      number: 2
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "openTcp"
    }
    field {
      name: "external_unix_sockets"
      number: 3
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "externalUnixSockets"
    }
    field {
      name: "terminal"
      number: 4
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "terminal"
    }
    field {
      name: "file_locks"
      number: 5
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "fileLocks"
    }
    field {
      name: "empty_namespaces"
      number: 6
      label: LABEL_REPEATED
      type: TYPE_STRING
      json_name: "emptyNamespaces"
    }
    field {
      name: "cgroups_mode"
      number: 7
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "cgroupsMode"
    }
    field {
      name: "no_new_keyring"
      number: 8
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "noNewKeyring"
    }
    field {
      name: "shim_cgroup"
      number: 9
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "shimCgroup"
    }
    field {
      name: "io_uid"
      number: 10
      label: LABEL_OPTIONAL
      type: TYPE_UINT32
      json_name: "ioUid"
    }
    field {
      name: "io_gid"
      number: 11
      label: LABEL_OPTIONAL
      type: TYPE_UINT32
      json_name: "ioGid"
    }
  }
  message_type {
    name: "CheckpointOptions"
    field {
      name: "exit"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "exit"
    }
    field {
      name: "open_tcp"
      number: 2
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "openTcp"
    }
    field {
      name: "external_unix_sockets"
      number: 3
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "externalUnixSockets"
    }
    field {
      name: "terminal"
      number: 4
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "terminal"
    }
    field {
      name: "file_locks"
      number: 5
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "fileLocks"
    }
    field {
      name: "empty_namespaces"
      number: 6
      label: LABEL_REPEATED
      type: TYPE_STRING
      json_name: "emptyNamespaces"
    }
    field {
      name: "cgroups_mode"
      number: 7
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "cgroupsMode"
    }
  }
  message_type {
    name: "ProcessDetails"
    field {
      name: "exec_id"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "execId"
    }
  }
  options {
    go_package: "github.com/containerd/containerd/linux/runctypes;runctypes"
  }
  weak_dependency: 0
  syntax: "proto3"
 }
--- a/runtime/linux/runctypes/doc.go
+++ b/runtime/linux/runctypes/doc.go
@ -1,17 +0,0 @@
 /*
   Copyright The containerd Authors.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 */
 package runctypes
--- a/runtime/linux/runctypes/next.pb.txt
+++ b/runtime/linux/runctypes/next.pb.txt
@ -1,212 +0,0 @@
 file {
  name: "github.com/containerd/containerd/runtime/linux/runctypes/runc.proto"
  package: "containerd.linux.runc"
  message_type {
    name: "RuncOptions"
    field {
      name: "runtime"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "runtime"
    }
    field {
      name: "runtime_root"
      number: 2
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "runtimeRoot"
    }
    field {
      name: "criu_path"
      number: 3
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      options {
        deprecated: true
      }
      json_name: "criuPath"
    }
    field {
      name: "systemd_cgroup"
      number: 4
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "systemdCgroup"
    }
  }
  message_type {
    name: "CreateOptions"
    field {
      name: "no_pivot_root"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "noPivotRoot"
    }
    field {
      name: "open_tcp"
      number: 2
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "openTcp"
    }
    field {
      name: "external_unix_sockets"
      number: 3
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "externalUnixSockets"
    }
    field {
      name: "terminal"
      number: 4
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "terminal"
    }
    field {
      name: "file_locks"
      number: 5
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "fileLocks"
    }
    field {
      name: "empty_namespaces"
      number: 6
      label: LABEL_REPEATED
      type: TYPE_STRING
      json_name: "emptyNamespaces"
    }
    field {
      name: "cgroups_mode"
      number: 7
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "cgroupsMode"
    }
    field {
      name: "no_new_keyring"
      number: 8
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "noNewKeyring"
    }
    field {
      name: "shim_cgroup"
      number: 9
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "shimCgroup"
    }
    field {
      name: "io_uid"
      number: 10
      label: LABEL_OPTIONAL
      type: TYPE_UINT32
      json_name: "ioUid"
    }
    field {
      name: "io_gid"
      number: 11
      label: LABEL_OPTIONAL
      type: TYPE_UINT32
      json_name: "ioGid"
    }
    field {
      name: "criu_work_path"
      number: 12
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "criuWorkPath"
    }
    field {
      name: "criu_image_path"
      number: 13
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "criuImagePath"
    }
  }
  message_type {
    name: "CheckpointOptions"
    field {
      name: "exit"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "exit"
    }
    field {
      name: "open_tcp"
      number: 2
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "openTcp"
    }
    field {
      name: "external_unix_sockets"
      number: 3
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "externalUnixSockets"
    }
    field {
      name: "terminal"
      number: 4
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "terminal"
    }
    field {
      name: "file_locks"
      number: 5
      label: LABEL_OPTIONAL
      type: TYPE_BOOL
      json_name: "fileLocks"
    }
    field {
      name: "empty_namespaces"
      number: 6
      label: LABEL_REPEATED
      type: TYPE_STRING
      json_name: "emptyNamespaces"
    }
    field {
      name: "cgroups_mode"
      number: 7
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "cgroupsMode"
    }
    field {
      name: "work_path"
      number: 8
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "workPath"
    }
    field {
      name: "image_path"
      number: 9
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "imagePath"
    }
  }
  message_type {
    name: "ProcessDetails"
    field {
      name: "exec_id"
      number: 1
      label: LABEL_OPTIONAL
      type: TYPE_STRING
      json_name: "execId"
    }
  }
  options {
    go_package: "github.com/containerd/containerd/runtime/linux/runctypes;runctypes"
  }
  syntax: "proto3"
 }
--- a/runtime/linux/runctypes/runc.pb.go
+++ b/runtime/linux/runctypes/runc.pb.go
@ -1,581 +0,0 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.28.1
 // 	protoc        v3.20.1
 // source: github.com/containerd/containerd/runtime/linux/runctypes/runc.proto
 package runctypes
 import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
 )
 const (
 	// Verify that this generated code is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
 	// Verify that runtime/protoimpl is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 type RuncOptions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Runtime     string `protobuf:"bytes,1,opt,name=runtime,proto3" json:"runtime,omitempty"`
 	RuntimeRoot string `protobuf:"bytes,2,opt,name=runtime_root,json=runtimeRoot,proto3" json:"runtime_root,omitempty"`
 	// criu binary path.
 	//
 	// Deprecated: runc option --criu is now ignored (with a warning), and the
 	// option will be removed entirely in a future release. Users who need a non-
 	// standard criu binary should rely on the standard way of looking up binaries
 	// in $PATH.
 	//
 	// Deprecated: Do not use.
 	CriuPath      string `protobuf:"bytes,3,opt,name=criu_path,json=criuPath,proto3" json:"criu_path,omitempty"`
 	SystemdCgroup bool   `protobuf:"varint,4,opt,name=systemd_cgroup,json=systemdCgroup,proto3" json:"systemd_cgroup,omitempty"`
 }
 func (x *RuncOptions) Reset() {
 	*x = RuncOptions{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[0]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *RuncOptions) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*RuncOptions) ProtoMessage() {}
 func (x *RuncOptions) ProtoReflect() protoreflect.Message {
 	mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[0]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use RuncOptions.ProtoReflect.Descriptor instead.
 func (*RuncOptions) Descriptor() ([]byte, []int) {
 	return file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescGZIP(), []int{0}
 }
 func (x *RuncOptions) GetRuntime() string {
 	if x != nil {
 		return x.Runtime
 	}
 	return ""
 }
 func (x *RuncOptions) GetRuntimeRoot() string {
 	if x != nil {
 		return x.RuntimeRoot
 	}
 	return ""
 }
 // Deprecated: Do not use.
 func (x *RuncOptions) GetCriuPath() string {
 	if x != nil {
 		return x.CriuPath
 	}
 	return ""
 }
 func (x *RuncOptions) GetSystemdCgroup() bool {
 	if x != nil {
 		return x.SystemdCgroup
 	}
 	return false
 }
 type CreateOptions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	NoPivotRoot         bool     `protobuf:"varint,1,opt,name=no_pivot_root,json=noPivotRoot,proto3" json:"no_pivot_root,omitempty"`
 	OpenTcp             bool     `protobuf:"varint,2,opt,name=open_tcp,json=openTcp,proto3" json:"open_tcp,omitempty"`
 	ExternalUnixSockets bool     `protobuf:"varint,3,opt,name=external_unix_sockets,json=externalUnixSockets,proto3" json:"external_unix_sockets,omitempty"`
 	Terminal            bool     `protobuf:"varint,4,opt,name=terminal,proto3" json:"terminal,omitempty"`
 	FileLocks           bool     `protobuf:"varint,5,opt,name=file_locks,json=fileLocks,proto3" json:"file_locks,omitempty"`
 	EmptyNamespaces     []string `protobuf:"bytes,6,rep,name=empty_namespaces,json=emptyNamespaces,proto3" json:"empty_namespaces,omitempty"`
 	CgroupsMode         string   `protobuf:"bytes,7,opt,name=cgroups_mode,json=cgroupsMode,proto3" json:"cgroups_mode,omitempty"`
 	NoNewKeyring        bool     `protobuf:"varint,8,opt,name=no_new_keyring,json=noNewKeyring,proto3" json:"no_new_keyring,omitempty"`
 	ShimCgroup          string   `protobuf:"bytes,9,opt,name=shim_cgroup,json=shimCgroup,proto3" json:"shim_cgroup,omitempty"`
 	IoUid               uint32   `protobuf:"varint,10,opt,name=io_uid,json=ioUid,proto3" json:"io_uid,omitempty"`
 	IoGid               uint32   `protobuf:"varint,11,opt,name=io_gid,json=ioGid,proto3" json:"io_gid,omitempty"`
 	CriuWorkPath        string   `protobuf:"bytes,12,opt,name=criu_work_path,json=criuWorkPath,proto3" json:"criu_work_path,omitempty"`
 	CriuImagePath       string   `protobuf:"bytes,13,opt,name=criu_image_path,json=criuImagePath,proto3" json:"criu_image_path,omitempty"`
 }
 func (x *CreateOptions) Reset() {
 	*x = CreateOptions{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *CreateOptions) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*CreateOptions) ProtoMessage() {}
 func (x *CreateOptions) ProtoReflect() protoreflect.Message {
 	mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use CreateOptions.ProtoReflect.Descriptor instead.
 func (*CreateOptions) Descriptor() ([]byte, []int) {
 	return file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescGZIP(), []int{1}
 }
 func (x *CreateOptions) GetNoPivotRoot() bool {
 	if x != nil {
 		return x.NoPivotRoot
 	}
 	return false
 }
 func (x *CreateOptions) GetOpenTcp() bool {
 	if x != nil {
 		return x.OpenTcp
 	}
 	return false
 }
 func (x *CreateOptions) GetExternalUnixSockets() bool {
 	if x != nil {
 		return x.ExternalUnixSockets
 	}
 	return false
 }
 func (x *CreateOptions) GetTerminal() bool {
 	if x != nil {
 		return x.Terminal
 	}
 	return false
 }
 func (x *CreateOptions) GetFileLocks() bool {
 	if x != nil {
 		return x.FileLocks
 	}
 	return false
 }
 func (x *CreateOptions) GetEmptyNamespaces() []string {
 	if x != nil {
 		return x.EmptyNamespaces
 	}
 	return nil
 }
 func (x *CreateOptions) GetCgroupsMode() string {
 	if x != nil {
 		return x.CgroupsMode
 	}
 	return ""
 }
 func (x *CreateOptions) GetNoNewKeyring() bool {
 	if x != nil {
 		return x.NoNewKeyring
 	}
 	return false
 }
 func (x *CreateOptions) GetShimCgroup() string {
 	if x != nil {
 		return x.ShimCgroup
 	}
 	return ""
 }
 func (x *CreateOptions) GetIoUid() uint32 {
 	if x != nil {
 		return x.IoUid
 	}
 	return 0
 }
 func (x *CreateOptions) GetIoGid() uint32 {
 	if x != nil {
 		return x.IoGid
 	}
 	return 0
 }
 func (x *CreateOptions) GetCriuWorkPath() string {
 	if x != nil {
 		return x.CriuWorkPath
 	}
 	return ""
 }
 func (x *CreateOptions) GetCriuImagePath() string {
 	if x != nil {
 		return x.CriuImagePath
 	}
 	return ""
 }
 type CheckpointOptions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Exit                bool     `protobuf:"varint,1,opt,name=exit,proto3" json:"exit,omitempty"`
 	OpenTcp             bool     `protobuf:"varint,2,opt,name=open_tcp,json=openTcp,proto3" json:"open_tcp,omitempty"`
 	ExternalUnixSockets bool     `protobuf:"varint,3,opt,name=external_unix_sockets,json=externalUnixSockets,proto3" json:"external_unix_sockets,omitempty"`
 	Terminal            bool     `protobuf:"varint,4,opt,name=terminal,proto3" json:"terminal,omitempty"`
 	FileLocks           bool     `protobuf:"varint,5,opt,name=file_locks,json=fileLocks,proto3" json:"file_locks,omitempty"`
 	EmptyNamespaces     []string `protobuf:"bytes,6,rep,name=empty_namespaces,json=emptyNamespaces,proto3" json:"empty_namespaces,omitempty"`
 	CgroupsMode         string   `protobuf:"bytes,7,opt,name=cgroups_mode,json=cgroupsMode,proto3" json:"cgroups_mode,omitempty"`
 	WorkPath            string   `protobuf:"bytes,8,opt,name=work_path,json=workPath,proto3" json:"work_path,omitempty"`
 	ImagePath           string   `protobuf:"bytes,9,opt,name=image_path,json=imagePath,proto3" json:"image_path,omitempty"`
 }
 func (x *CheckpointOptions) Reset() {
 	*x = CheckpointOptions{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *CheckpointOptions) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*CheckpointOptions) ProtoMessage() {}
 func (x *CheckpointOptions) ProtoReflect() protoreflect.Message {
 	mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use CheckpointOptions.ProtoReflect.Descriptor instead.
 func (*CheckpointOptions) Descriptor() ([]byte, []int) {
 	return file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescGZIP(), []int{2}
 }
 func (x *CheckpointOptions) GetExit() bool {
 	if x != nil {
 		return x.Exit
 	}
 	return false
 }
 func (x *CheckpointOptions) GetOpenTcp() bool {
 	if x != nil {
 		return x.OpenTcp
 	}
 	return false
 }
 func (x *CheckpointOptions) GetExternalUnixSockets() bool {
 	if x != nil {
 		return x.ExternalUnixSockets
 	}
 	return false
 }
 func (x *CheckpointOptions) GetTerminal() bool {
 	if x != nil {
 		return x.Terminal
 	}
 	return false
 }
 func (x *CheckpointOptions) GetFileLocks() bool {
 	if x != nil {
 		return x.FileLocks
 	}
 	return false
 }
 func (x *CheckpointOptions) GetEmptyNamespaces() []string {
 	if x != nil {
 		return x.EmptyNamespaces
 	}
 	return nil
 }
 func (x *CheckpointOptions) GetCgroupsMode() string {
 	if x != nil {
 		return x.CgroupsMode
 	}
 	return ""
 }
 func (x *CheckpointOptions) GetWorkPath() string {
 	if x != nil {
 		return x.WorkPath
 	}
 	return ""
 }
 func (x *CheckpointOptions) GetImagePath() string {
 	if x != nil {
 		return x.ImagePath
 	}
 	return ""
 }
 type ProcessDetails struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	ExecID string `protobuf:"bytes,1,opt,name=exec_id,json=execId,proto3" json:"exec_id,omitempty"`
 }
 func (x *ProcessDetails) Reset() {
 	*x = ProcessDetails{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
 }
 func (x *ProcessDetails) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*ProcessDetails) ProtoMessage() {}
 func (x *ProcessDetails) ProtoReflect() protoreflect.Message {
 	mi := &file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use ProcessDetails.ProtoReflect.Descriptor instead.
 func (*ProcessDetails) Descriptor() ([]byte, []int) {
 	return file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescGZIP(), []int{3}
 }
 func (x *ProcessDetails) GetExecID() string {
 	if x != nil {
 		return x.ExecID
 	}
 	return ""
 }
 var File_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto protoreflect.FileDescriptor
 var file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDesc = []byte{
 	0x0a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x6f, 0x6e,
 	0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x64, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65,
 	0x72, 0x64, 0x2f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x2f, 0x6c, 0x69, 0x6e, 0x75, 0x78,
 	0x2f, 0x72, 0x75, 0x6e, 0x63, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x72, 0x75, 0x6e, 0x63, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72,
 	0x64, 0x2e, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x2e, 0x72, 0x75, 0x6e, 0x63, 0x22, 0x92, 0x01, 0x0a,
 	0x0b, 0x52, 0x75, 0x6e, 0x63, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x18, 0x0a, 0x07,
 	0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x72,
 	0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d,
 	0x65, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x72, 0x75,
 	0x6e, 0x74, 0x69, 0x6d, 0x65, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x1f, 0x0a, 0x09, 0x63, 0x72, 0x69,
 	0x75, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01,
 	0x52, 0x08, 0x63, 0x72, 0x69, 0x75, 0x50, 0x61, 0x74, 0x68, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x79,
 	0x73, 0x74, 0x65, 0x6d, 0x64, 0x5f, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x04, 0x20, 0x01,
 	0x28, 0x08, 0x52, 0x0d, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x43, 0x67, 0x72, 0x6f, 0x75,
 	0x70, 0x22, 0xce, 0x03, 0x0a, 0x0d, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4f, 0x70, 0x74, 0x69,
 	0x6f, 0x6e, 0x73, 0x12, 0x22, 0x0a, 0x0d, 0x6e, 0x6f, 0x5f, 0x70, 0x69, 0x76, 0x6f, 0x74, 0x5f,
 	0x72, 0x6f, 0x6f, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x6e, 0x6f, 0x50, 0x69,
 	0x76, 0x6f, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x70, 0x65, 0x6e, 0x5f,
 	0x74, 0x63, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x6f, 0x70, 0x65, 0x6e, 0x54,
 	0x63, 0x70, 0x12, 0x32, 0x0a, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x75,
 	0x6e, 0x69, 0x78, 0x5f, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28,
 	0x08, 0x52, 0x13, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x78, 0x53,
 	0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x74, 0x65, 0x72, 0x6d, 0x69, 0x6e,
 	0x61, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x74, 0x65, 0x72, 0x6d, 0x69, 0x6e,
 	0x61, 0x6c, 0x12, 0x1d, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x6c, 0x6f, 0x63, 0x6b, 0x73,
 	0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x6f, 0x63, 0x6b,
 	0x73, 0x12, 0x29, 0x0a, 0x10, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73,
 	0x70, 0x61, 0x63, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x65, 0x6d, 0x70,
 	0x74, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x12, 0x21, 0x0a, 0x0c,
 	0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x07, 0x20, 0x01,
 	0x28, 0x09, 0x52, 0x0b, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x4d, 0x6f, 0x64, 0x65, 0x12,
 	0x24, 0x0a, 0x0e, 0x6e, 0x6f, 0x5f, 0x6e, 0x65, 0x77, 0x5f, 0x6b, 0x65, 0x79, 0x72, 0x69, 0x6e,
 	0x67, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x6e, 0x6f, 0x4e, 0x65, 0x77, 0x4b, 0x65,
 	0x79, 0x72, 0x69, 0x6e, 0x67, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x68, 0x69, 0x6d, 0x5f, 0x63, 0x67,
 	0x72, 0x6f, 0x75, 0x70, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x68, 0x69, 0x6d,
 	0x43, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x15, 0x0a, 0x06, 0x69, 0x6f, 0x5f, 0x75, 0x69, 0x64,
 	0x18, 0x0a, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x69, 0x6f, 0x55, 0x69, 0x64, 0x12, 0x15, 0x0a,
 	0x06, 0x69, 0x6f, 0x5f, 0x67, 0x69, 0x64, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x69,
 	0x6f, 0x47, 0x69, 0x64, 0x12, 0x24, 0x0a, 0x0e, 0x63, 0x72, 0x69, 0x75, 0x5f, 0x77, 0x6f, 0x72,
 	0x6b, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x72,
 	0x69, 0x75, 0x57, 0x6f, 0x72, 0x6b, 0x50, 0x61, 0x74, 0x68, 0x12, 0x26, 0x0a, 0x0f, 0x63, 0x72,
 	0x69, 0x75, 0x5f, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x0d, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x72, 0x69, 0x75, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x61,
 	0x74, 0x68, 0x22, 0xbb, 0x02, 0x0a, 0x11, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e,
 	0x74, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x65, 0x78, 0x69, 0x74,
 	0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x65, 0x78, 0x69, 0x74, 0x12, 0x19, 0x0a, 0x08,
 	0x6f, 0x70, 0x65, 0x6e, 0x5f, 0x74, 0x63, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07,
 	0x6f, 0x70, 0x65, 0x6e, 0x54, 0x63, 0x70, 0x12, 0x32, 0x0a, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72,
 	0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x6e, 0x69, 0x78, 0x5f, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73,
 	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c,
 	0x55, 0x6e, 0x69, 0x78, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x74,
 	0x65, 0x72, 0x6d, 0x69, 0x6e, 0x61, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x74,
 	0x65, 0x72, 0x6d, 0x69, 0x6e, 0x61, 0x6c, 0x12, 0x1d, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x5f,
 	0x6c, 0x6f, 0x63, 0x6b, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x66, 0x69, 0x6c,
 	0x65, 0x4c, 0x6f, 0x63, 0x6b, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x5f,
 	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09,
 	0x52, 0x0f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65,
 	0x73, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x5f, 0x6d, 0x6f, 0x64,
 	0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73,
 	0x4d, 0x6f, 0x64, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x77, 0x6f, 0x72, 0x6b, 0x5f, 0x70, 0x61, 0x74,
 	0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x61, 0x74,
 	0x68, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18,
 	0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x61, 0x74, 0x68,
 	0x22, 0x29, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x44, 0x65, 0x74, 0x61, 0x69,
 	0x6c, 0x73, 0x12, 0x17, 0x0a, 0x07, 0x65, 0x78, 0x65, 0x63, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x06, 0x65, 0x78, 0x65, 0x63, 0x49, 0x64, 0x42, 0x44, 0x5a, 0x42, 0x67,
 	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69,
 	0x6e, 0x65, 0x72, 0x64, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x64, 0x2f,
 	0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x2f, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x2f, 0x72, 0x75,
 	0x6e, 0x63, 0x74, 0x79, 0x70, 0x65, 0x73, 0x3b, 0x72, 0x75, 0x6e, 0x63, 0x74, 0x79, 0x70, 0x65,
 	0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
 	file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescOnce sync.Once
 	file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescData = file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDesc
 )
 func file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescGZIP() []byte {
 	file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescOnce.Do(func() {
 		file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescData = protoimpl.X.CompressGZIP(file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescData)
 	})
 	return file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDescData
 }
 var file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
 var file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_goTypes = []interface{}{
 	(*RuncOptions)(nil),       // 0: containerd.linux.runc.RuncOptions
 	(*CreateOptions)(nil),     // 1: containerd.linux.runc.CreateOptions
 	(*CheckpointOptions)(nil), // 2: containerd.linux.runc.CheckpointOptions
 	(*ProcessDetails)(nil),    // 3: containerd.linux.runc.ProcessDetails
 }
 var file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_depIdxs = []int32{
 	0, // [0:0] is the sub-list for method output_type
 	0, // [0:0] is the sub-list for method input_type
 	0, // [0:0] is the sub-list for extension type_name
 	0, // [0:0] is the sub-list for extension extendee
 	0, // [0:0] is the sub-list for field type_name
 }
 func init() { file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_init() }
 func file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_init() {
 	if File_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto != nil {
 		return
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*RuncOptions); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*CreateOptions); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*CheckpointOptions); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*ProcessDetails); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDesc,
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
 		GoTypes:           file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_goTypes,
 		DependencyIndexes: file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_depIdxs,
 		MessageInfos:      file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_msgTypes,
 	}.Build()
 	File_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto = out.File
 	file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_rawDesc = nil
 	file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_goTypes = nil
 	file_github_com_containerd_containerd_runtime_linux_runctypes_runc_proto_depIdxs = nil
 }
--- a/runtime/linux/runctypes/runc.proto
+++ b/runtime/linux/runctypes/runc.proto
@ -1,50 +0,0 @@
 syntax = "proto3";
 package containerd.linux.runc;
 option go_package = "github.com/containerd/containerd/runtime/linux/runctypes;runctypes";
 message RuncOptions {
 	string runtime = 1;
 	string runtime_root = 2;
 	// criu binary path.
 	//
 	// Deprecated: runc option --criu is now ignored (with a warning), and the
 	// option will be removed entirely in a future release. Users who need a non-
 	// standard criu binary should rely on the standard way of looking up binaries
 	// in $PATH.
 	string criu_path = 3 [deprecated = true];
 	bool systemd_cgroup = 4;
 }
 message CreateOptions {
 	bool no_pivot_root = 1;
 	bool open_tcp = 2;
 	bool external_unix_sockets = 3;
 	bool terminal = 4;
 	bool file_locks = 5;
 	repeated string empty_namespaces = 6;
 	string cgroups_mode = 7;
 	bool no_new_keyring = 8;
 	string shim_cgroup = 9;
 	uint32 io_uid = 10;
 	uint32 io_gid = 11;
 	string criu_work_path = 12;
 	string criu_image_path = 13;
 }
 message CheckpointOptions {
 	bool exit = 1;
 	bool open_tcp = 2;
 	bool external_unix_sockets = 3;
 	bool terminal = 4;
 	bool file_locks = 5;
 	repeated string empty_namespaces = 6;
 	string cgroups_mode = 7;
 	string work_path = 8;
 	string image_path = 9;
 }
 message ProcessDetails {
 	string exec_id = 1;
 }
--- a/services/tasks/local.go
+++ b/services/tasks/local.go
@ -23,7 +23,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	api "github.com/containerd/containerd/api/services/tasks/v1"
@ -47,7 +46,6 @@ import (
 	"github.com/containerd/containerd/protobuf/proto"
 	ptypes "github.com/containerd/containerd/protobuf/types"
 	"github.com/containerd/containerd/runtime"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/containerd/containerd/services"
 	"github.com/containerd/typeurl/v2"
@ -89,10 +87,6 @@ func init() {
 func initFunc(ic *plugin.InitContext) (interface{}, error) {
 	config := ic.Config.(*Config)
 	runtimes, err := loadV1Runtimes(ic)
 	if err != nil {
 		return nil, err
 	}
 	v2r, err := ic.GetByID(plugin.RuntimePluginV2, "task")
 	if err != nil {
@ -119,22 +113,13 @@ func initFunc(ic *plugin.InitContext) (interface{}, error) {
 	db := m.(*metadata.DB)
 	l := &local{
 		runtimes:   runtimes,
 		containers: metadata.NewContainerStore(db),
 		store:      db.ContentStore(),
 		publisher:  ep.(events.Publisher),
 		monitor:    monitor.(runtime.TaskMonitor),
 		v2Runtime:  v2r.(runtime.PlatformRuntime),
 	}
-	for _, r := range runtimes {
+
 		tasks, err := r.Tasks(ic.Context, true)
 		if err != nil {
 			return nil, err
 		}
 		for _, t := range tasks {
 			l.monitor.Monitor(t, nil)
 		}
 	}
 	v2Tasks, err := l.v2Runtime.Tasks(ic.Context, true)
 	if err != nil {
 		return nil, err
@ -154,7 +139,6 @@ func initFunc(ic *plugin.InitContext) (interface{}, error) {
 }
 type local struct {
 	runtimes   map[string]runtime.PlatformRuntime
 	containers containers.Store
 	store      content.Store
 	publisher  events.Publisher
@ -221,15 +205,9 @@ func (l *local) Create(ctx context.Context, r *api.CreateTaskRequest, _ ...grpc.
 			Options: m.Options,
 		})
 	}
-	if strings.HasPrefix(container.Runtime.Name, "io.containerd.runtime.v1.") {
+
-		log.G(ctx).Warn("runtime v1 is deprecated since containerd v1.4, consider using runtime v2")
+	rtime := l.v2Runtime
-	} else if container.Runtime.Name == plugin.RuntimeRuncV1 {
+
 		log.G(ctx).Warnf("%q is deprecated since containerd v1.4, consider using %q", plugin.RuntimeRuncV1, plugin.RuntimeRuncV2)
 	}
 	rtime, err := l.getRuntime(container.Runtime.Name)
 	if err != nil {
 		return nil, err
 	}
 	_, err = rtime.Get(ctx, r.ContainerID)
 	if err != nil && !errdefs.IsNotFound(err) {
 		return nil, errdefs.ToGRPC(err)
@ -284,14 +262,8 @@ func (l *local) Delete(ctx context.Context, r *api.DeleteTaskRequest, _ ...grpc.
 		return nil, err
 	}
 	// Find runtime manager
 	rtime, err := l.getRuntime(container.Runtime.Name)
 	if err != nil {
 		return nil, err
 	}
 	// Get task object
-	t, err := rtime.Get(ctx, container.ID)
+	t, err := l.v2Runtime.Get(ctx, container.ID)
 	if err != nil {
 		return nil, status.Errorf(codes.NotFound, "task %v not found", container.ID)
 	}
@ -300,7 +272,7 @@ func (l *local) Delete(ctx context.Context, r *api.DeleteTaskRequest, _ ...grpc.
 		return nil, err
 	}
-	exit, err := rtime.Delete(ctx, r.ContainerID)
+	exit, err := l.v2Runtime.Delete(ctx, r.ContainerID)
 	if err != nil {
 		return nil, errdefs.ToGRPC(err)
 	}
@ -394,13 +366,11 @@ func (l *local) Get(ctx context.Context, r *api.GetRequest, _ ...grpc.CallOption
 func (l *local) List(ctx context.Context, r *api.ListTasksRequest, _ ...grpc.CallOption) (*api.ListTasksResponse, error) {
 	resp := &api.ListTasksResponse{}
-	for _, r := range l.allRuntimes() {
+	tasks, err := l.v2Runtime.Tasks(ctx, false)
-		tasks, err := r.Tasks(ctx, false)
+	if err != nil {
-		if err != nil {
+		return nil, errdefs.ToGRPC(err)
 			return nil, errdefs.ToGRPC(err)
 		}
 		addTasks(ctx, resp, tasks)
 	}
 	addTasks(ctx, resp, tasks)
 	return resp, nil
 }
@ -623,13 +593,11 @@ func (l *local) Metrics(ctx context.Context, r *api.MetricsRequest, _ ...grpc.Ca
 		return nil, err
 	}
 	var resp api.MetricsResponse
-	for _, r := range l.allRuntimes() {
+	tasks, err := l.v2Runtime.Tasks(ctx, false)
-		tasks, err := r.Tasks(ctx, false)
+	if err != nil {
-		if err != nil {
+		return nil, err
 			return nil, err
 		}
 		getTasksMetrics(ctx, filter, tasks, &resp)
 	}
 	getTasksMetrics(ctx, filter, tasks, &resp)
 	return &resp, nil
 }
@ -725,34 +693,13 @@ func (l *local) getTask(ctx context.Context, id string) (runtime.Task, error) {
 }
 func (l *local) getTaskFromContainer(ctx context.Context, container *containers.Container) (runtime.Task, error) {
-	runtime, err := l.getRuntime(container.Runtime.Name)
+	t, err := l.v2Runtime.Get(ctx, container.ID)
 	if err != nil {
 		return nil, errdefs.ToGRPCf(err, "runtime for task %s", container.Runtime.Name)
 	}
 	t, err := runtime.Get(ctx, container.ID)
 	if err != nil {
 		return nil, status.Errorf(codes.NotFound, "task %v not found", container.ID)
 	}
 	return t, nil
 }
 func (l *local) getRuntime(name string) (runtime.PlatformRuntime, error) {
 	runtime, ok := l.runtimes[name]
 	if !ok {
 		// one runtime to rule them all
 		return l.v2Runtime, nil
 	}
 	return runtime, nil
 }
 func (l *local) allRuntimes() (o []runtime.PlatformRuntime) {
 	for _, r := range l.runtimes {
 		o = append(o, r)
 	}
 	o = append(o, l.v2Runtime)
 	return o
 }
 // getCheckpointPath only suitable for runc runtime now
 func getCheckpointPath(runtime string, option *ptypes.Any) (string, error) {
 	if option == nil {
@ -760,29 +707,15 @@ func getCheckpointPath(runtime string, option *ptypes.Any) (string, error) {
 	}
 	var checkpointPath string
-	switch {
+	v, err := typeurl.UnmarshalAny(option)
-	case checkRuntime(runtime, "io.containerd.runc"):
+	if err != nil {
-		v, err := typeurl.UnmarshalAny(option)
+		return "", err
 		if err != nil {
 			return "", err
 		}
 		opts, ok := v.(*options.CheckpointOptions)
 		if !ok {
 			return "", fmt.Errorf("invalid task checkpoint option for %s", runtime)
 		}
 		checkpointPath = opts.ImagePath
 	case runtime == plugin.RuntimeLinuxV1:
 		v, err := typeurl.UnmarshalAny(option)
 		if err != nil {
 			return "", err
 		}
 		opts, ok := v.(*runctypes.CheckpointOptions)
 		if !ok {
 			return "", fmt.Errorf("invalid task checkpoint option for %s", runtime)
 		}
 		checkpointPath = opts.ImagePath
 	}
 	opts, ok := v.(*options.CheckpointOptions)
 	if !ok {
 		return "", fmt.Errorf("invalid task checkpoint option for %s", runtime)
 	}
 	checkpointPath = opts.ImagePath
 	return checkpointPath, nil
 }
@ -794,45 +727,15 @@ func getRestorePath(runtime string, option *ptypes.Any) (string, error) {
 	}
 	var restorePath string
-	switch {
+	v, err := typeurl.UnmarshalAny(option)
-	case checkRuntime(runtime, "io.containerd.runc"):
+	if err != nil {
-		v, err := typeurl.UnmarshalAny(option)
+		return "", err
 		if err != nil {
 			return "", err
 		}
 		opts, ok := v.(*options.Options)
 		if !ok {
 			return "", fmt.Errorf("invalid task create option for %s", runtime)
 		}
 		restorePath = opts.CriuImagePath
 	case runtime == plugin.RuntimeLinuxV1:
 		v, err := typeurl.UnmarshalAny(option)
 		if err != nil {
 			return "", err
 		}
 		opts, ok := v.(*runctypes.CreateOptions)
 		if !ok {
 			return "", fmt.Errorf("invalid task create option for %s", runtime)
 		}
 		restorePath = opts.CriuImagePath
 	}
 	opts, ok := v.(*options.Options)
 	if !ok {
 		return "", fmt.Errorf("invalid task create option for %s", runtime)
 	}
 	restorePath = opts.CriuImagePath
 	return restorePath, nil
 }
 // checkRuntime returns true if the current runtime matches the expected
 // runtime. Providing various parts of the runtime schema will match those
 // parts of the expected runtime
 func checkRuntime(current, expected string) bool {
 	cp := strings.Split(current, ".")
 	l := len(cp)
 	for i, p := range strings.Split(expected, ".") {
 		if i > l {
 			return false
 		}
 		if p != cp[i] {
 			return false
 		}
 	}
 	return true
 }
--- a/services/tasks/local_darwin.go
+++ b/services/tasks/local_darwin.go
@ -20,7 +20,6 @@ package tasks
 import (
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/runtime"
 )
 var tasksServiceRequires = []plugin.Type{
@ -28,8 +27,3 @@ var tasksServiceRequires = []plugin.Type{
 	plugin.MetadataPlugin,
 	plugin.TaskMonitorPlugin,
 }
 // loadV1Runtimes on darwin returns an empty map. There are no v1 runtimes
 func loadV1Runtimes(ic *plugin.InitContext) (map[string]runtime.PlatformRuntime, error) {
 	return make(map[string]runtime.PlatformRuntime), nil
 }
--- a/services/tasks/local_freebsd.go
+++ b/services/tasks/local_freebsd.go
@ -18,7 +18,6 @@ package tasks
 import (
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/runtime"
 )
 var tasksServiceRequires = []plugin.Type{
@ -27,8 +26,3 @@ var tasksServiceRequires = []plugin.Type{
 	plugin.MetadataPlugin,
 	plugin.TaskMonitorPlugin,
 }
 // loadV1Runtimes on FreeBSD returns an empty map. There are no v1 runtimes
 func loadV1Runtimes(ic *plugin.InitContext) (map[string]runtime.PlatformRuntime, error) {
 	return make(map[string]runtime.PlatformRuntime), nil
 }
--- a/services/tasks/local_unix.go
+++ b/services/tasks/local_unix.go
@ -19,11 +19,7 @@
 package tasks
 import (
 	"errors"
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/runtime"
 )
 var tasksServiceRequires = []plugin.Type{
@ -33,26 +29,3 @@ var tasksServiceRequires = []plugin.Type{
 	plugin.MetadataPlugin,
 	plugin.TaskMonitorPlugin,
 }
 func loadV1Runtimes(ic *plugin.InitContext) (map[string]runtime.PlatformRuntime, error) {
 	rt, err := ic.GetByType(plugin.RuntimePlugin)
 	if err != nil {
 		return nil, err
 	}
 	runtimes := make(map[string]runtime.PlatformRuntime)
 	for _, rr := range rt {
 		ri, err := rr.Instance()
 		if err != nil {
 			log.G(ic.Context).WithError(err).Warn("could not load runtime instance due to initialization error")
 			continue
 		}
 		r := ri.(runtime.PlatformRuntime)
 		runtimes[r.ID()] = r
 	}
 	if len(runtimes) == 0 {
 		return nil, errors.New("no runtimes available to create task service")
 	}
 	return runtimes, nil
 }
--- a/services/tasks/local_windows.go
+++ b/services/tasks/local_windows.go
@ -18,7 +18,6 @@ package tasks
 import (
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/runtime"
 )
 var tasksServiceRequires = []plugin.Type{
@ -27,8 +26,3 @@ var tasksServiceRequires = []plugin.Type{
 	plugin.MetadataPlugin,
 	plugin.TaskMonitorPlugin,
 }
 // loadV1Runtimes on Windows V2 returns an empty map. There are no v1 runtimes
 func loadV1Runtimes(ic *plugin.InitContext) (map[string]runtime.PlatformRuntime, error) {
 	return make(map[string]runtime.PlatformRuntime), nil
 }
--- a/task.go
+++ b/task.go
@ -41,7 +41,6 @@ import (
 	"github.com/containerd/containerd/protobuf"
 	google_protobuf "github.com/containerd/containerd/protobuf/types"
 	"github.com/containerd/containerd/rootfs"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/containerd/typeurl/v2"
 	digest "github.com/opencontainers/go-digest"
@ -691,15 +690,10 @@ func isCheckpointPathExist(runtime string, v interface{}) bool {
 	}
 	switch runtime {
-	case plugin.RuntimeRuncV1, plugin.RuntimeRuncV2:
+	case plugin.RuntimeRuncV2:
 		if opts, ok := v.(*options.CheckpointOptions); ok && opts.ImagePath != "" {
 			return true
 		}
 	case plugin.RuntimeLinuxV1:
 		if opts, ok := v.(*runctypes.CheckpointOptions); ok && opts.ImagePath != "" {
 			return true
 		}
 	}
 	return false
--- a/task_opts.go
+++ b/task_opts.go
@ -28,7 +28,6 @@ import (
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/runtime-spec/specs-go"
@ -104,25 +103,14 @@ func WithCheckpointName(name string) CheckpointTaskOpts {
 // WithCheckpointImagePath sets image path for checkpoint option
 func WithCheckpointImagePath(path string) CheckpointTaskOpts {
 	return func(r *CheckpointTaskInfo) error {
-		if CheckRuntime(r.Runtime(), "io.containerd.runc") {
+		if r.Options == nil {
-			if r.Options == nil {
+			r.Options = &options.CheckpointOptions{}
 				r.Options = &options.CheckpointOptions{}
 			}
 			opts, ok := r.Options.(*options.CheckpointOptions)
 			if !ok {
 				return errors.New("invalid v2 shim checkpoint options format")
 			}
 			opts.ImagePath = path
 		} else {
 			if r.Options == nil {
 				r.Options = &runctypes.CheckpointOptions{}
 			}
 			opts, ok := r.Options.(*runctypes.CheckpointOptions)
 			if !ok {
 				return errors.New("invalid v1 shim checkpoint options format")
 			}
 			opts.ImagePath = path
 		}
 		opts, ok := r.Options.(*options.CheckpointOptions)
 		if !ok {
 			return errors.New("invalid v2 shim checkpoint options format")
 		}
 		opts.ImagePath = path
 		return nil
 	}
 }
@ -130,25 +118,14 @@ func WithCheckpointImagePath(path string) CheckpointTaskOpts {
 // WithRestoreImagePath sets image path for create option
 func WithRestoreImagePath(path string) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		if CheckRuntime(ti.Runtime(), "io.containerd.runc") {
+		if ti.Options == nil {
-			if ti.Options == nil {
+			ti.Options = &options.Options{}
 				ti.Options = &options.Options{}
 			}
 			opts, ok := ti.Options.(*options.Options)
 			if !ok {
 				return errors.New("invalid v2 shim create options format")
 			}
 			opts.CriuImagePath = path
 		} else {
 			if ti.Options == nil {
 				ti.Options = &runctypes.CreateOptions{}
 			}
 			opts, ok := ti.Options.(*runctypes.CreateOptions)
 			if !ok {
 				return errors.New("invalid v1 shim create options format")
 			}
 			opts.CriuImagePath = path
 		}
 		opts, ok := ti.Options.(*options.Options)
 		if !ok {
 			return errors.New("invalid v2 shim create options format")
 		}
 		opts.CriuImagePath = path
 		return nil
 	}
 }
--- a/task_opts_unix.go
+++ b/task_opts_unix.go
@ -22,84 +22,47 @@ import (
 	"context"
 	"errors"
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
 )
 // WithNoNewKeyring causes tasks not to be created with a new keyring for secret storage.
 // There is an upper limit on the number of keyrings in a linux system
 func WithNoNewKeyring(ctx context.Context, c *Client, ti *TaskInfo) error {
-	if CheckRuntime(ti.Runtime(), "io.containerd.runc") {
+	if ti.Options == nil {
-		if ti.Options == nil {
+		ti.Options = &options.Options{}
 			ti.Options = &options.Options{}
 		}
 		opts, ok := ti.Options.(*options.Options)
 		if !ok {
 			return errors.New("invalid v2 shim create options format")
 		}
 		opts.NoNewKeyring = true
 	} else {
 		if ti.Options == nil {
 			ti.Options = &runctypes.CreateOptions{}
 		}
 		opts, ok := ti.Options.(*runctypes.CreateOptions)
 		if !ok {
 			return errors.New("could not cast TaskInfo Options to CreateOptions")
 		}
 		opts.NoNewKeyring = true
 	}
 	opts, ok := ti.Options.(*options.Options)
 	if !ok {
 		return errors.New("invalid v2 shim create options format")
 	}
 	opts.NoNewKeyring = true
 	return nil
 }
 // WithNoPivotRoot instructs the runtime not to you pivot_root
 func WithNoPivotRoot(_ context.Context, _ *Client, ti *TaskInfo) error {
-	if CheckRuntime(ti.Runtime(), "io.containerd.runc") {
+	if ti.Options == nil {
-		if ti.Options == nil {
+		ti.Options = &options.Options{}
 			ti.Options = &options.Options{}
 		}
 		opts, ok := ti.Options.(*options.Options)
 		if !ok {
 			return errors.New("invalid v2 shim create options format")
 		}
 		opts.NoPivotRoot = true
 	} else {
 		if ti.Options == nil {
 			ti.Options = &runctypes.CreateOptions{
 				NoPivotRoot: true,
 			}
 			return nil
 		}
 		opts, ok := ti.Options.(*runctypes.CreateOptions)
 		if !ok {
 			return errors.New("invalid options type, expected runctypes.CreateOptions")
 		}
 		opts.NoPivotRoot = true
 	}
 	opts, ok := ti.Options.(*options.Options)
 	if !ok {
 		return errors.New("invalid v2 shim create options format")
 	}
 	opts.NoPivotRoot = true
 	return nil
 }
 // WithShimCgroup sets the existing cgroup for the shim
 func WithShimCgroup(path string) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		if CheckRuntime(ti.Runtime(), "io.containerd.runc") {
+		if ti.Options == nil {
-			if ti.Options == nil {
+			ti.Options = &options.Options{}
 				ti.Options = &options.Options{}
 			}
 			opts, ok := ti.Options.(*options.Options)
 			if !ok {
 				return errors.New("invalid v2 shim create options format")
 			}
 			opts.ShimCgroup = path
 		} else {
 			if ti.Options == nil {
 				ti.Options = &runctypes.CreateOptions{}
 			}
 			opts, ok := ti.Options.(*runctypes.CreateOptions)
 			if !ok {
 				return errors.New("could not cast TaskInfo Options to CreateOptions")
 			}
 			opts.ShimCgroup = path
 		}
 		opts, ok := ti.Options.(*options.Options)
 		if !ok {
 			return errors.New("invalid v2 shim create options format")
 		}
 		opts.ShimCgroup = path
 		return nil
 	}
 }
@ -107,25 +70,14 @@ func WithShimCgroup(path string) NewTaskOpts {
 // WithUIDOwner allows console I/O to work with the remapped UID in user namespace
 func WithUIDOwner(uid uint32) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		if CheckRuntime(ti.Runtime(), "io.containerd.runc") {
+		if ti.Options == nil {
-			if ti.Options == nil {
+			ti.Options = &options.Options{}
 				ti.Options = &options.Options{}
 			}
 			opts, ok := ti.Options.(*options.Options)
 			if !ok {
 				return errors.New("invalid v2 shim create options format")
 			}
 			opts.IoUid = uid
 		} else {
 			if ti.Options == nil {
 				ti.Options = &runctypes.CreateOptions{}
 			}
 			opts, ok := ti.Options.(*runctypes.CreateOptions)
 			if !ok {
 				return errors.New("could not cast TaskInfo Options to CreateOptions")
 			}
 			opts.IoUid = uid
 		}
 		opts, ok := ti.Options.(*options.Options)
 		if !ok {
 			return errors.New("invalid v2 shim create options format")
 		}
 		opts.IoUid = uid
 		return nil
 	}
 }
@ -133,25 +85,14 @@ func WithUIDOwner(uid uint32) NewTaskOpts {
 // WithGIDOwner allows console I/O to work with the remapped GID in user namespace
 func WithGIDOwner(gid uint32) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		if CheckRuntime(ti.Runtime(), "io.containerd.runc") {
+		if ti.Options == nil {
-			if ti.Options == nil {
+			ti.Options = &options.Options{}
 				ti.Options = &options.Options{}
 			}
 			opts, ok := ti.Options.(*options.Options)
 			if !ok {
 				return errors.New("invalid v2 shim create options format")
 			}
 			opts.IoGid = gid
 		} else {
 			if ti.Options == nil {
 				ti.Options = &runctypes.CreateOptions{}
 			}
 			opts, ok := ti.Options.(*runctypes.CreateOptions)
 			if !ok {
 				return errors.New("could not cast TaskInfo Options to CreateOptions")
 			}
 			opts.IoGid = gid
 		}
 		opts, ok := ti.Options.(*options.Options)
 		if !ok {
 			return errors.New("invalid v2 shim create options format")
 		}
 		opts.IoGid = gid
 		return nil
 	}
 }