From ca84aba6cc14f32c6eadbf7f60a3296a6a28d987 Mon Sep 17 00:00:00 2001
From: Krisztian Litkey <krisztian.litkey@intel.com>
Date: Thu, 28 Apr 2022 18:39:55 +0300
Subject: [PATCH] integration: add first NRI integration tests.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
---
 integration/image_pull_timeout_test.go        |    2 +-
 integration/nri_test.go                       | 1256 +++++++++++++++++
 script/test/utils.sh                          |   14 +
 .../containerd/nri/pkg/stub/stub.go           |  757 ++++++++++
 vendor/modules.txt                            |    1 +
 5 files changed, 2029 insertions(+), 1 deletion(-)
 create mode 100644 integration/nri_test.go
 create mode 100644 vendor/github.com/containerd/nri/pkg/stub/stub.go

diff --git a/integration/image_pull_timeout_test.go b/integration/image_pull_timeout_test.go
index 34fd9512a..a2473b181 100644
--- a/integration/image_pull_timeout_test.go
+++ b/integration/image_pull_timeout_test.go
@@ -471,5 +471,5 @@ func initLocalCRIPlugin(client *containerd.Client, tmpDir string, registryCfg cr
 		RootDir:           filepath.Join(criWorkDir, "root"),
 		StateDir:          filepath.Join(criWorkDir, "state"),
 	}
-	return criserver.NewCRIService(cfg, client)
+	return criserver.NewCRIService(cfg, client, nil)
 }
diff --git a/integration/nri_test.go b/integration/nri_test.go
new file mode 100644
index 000000000..4ec20f225
--- /dev/null
+++ b/integration/nri_test.go
@@ -0,0 +1,1256 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package integration
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	goruntime "runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+
+	cri "github.com/containerd/containerd/integration/cri-api/pkg/apis"
+	"github.com/containerd/nri/pkg/api"
+	"github.com/containerd/nri/pkg/stub"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
+
+	"github.com/containerd/containerd/integration/images"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	nriTestSocket        = "/var/run/nri-test.sock"
+	pluginSyncTimeout    = 3 * time.Second
+	containerStopTimeout = 10
+	onlineCpus           = "/sys/devices/system/cpu/online"
+	normalMems           = "/sys/devices/system/node/has_normal_memory"
+)
+
+var (
+	availableCpuset []string
+	availableMemset []string
+)
+
+// skipNriTestIfNecessary skips NRI tests if necessary.
+func skipNriTestIfNecessary(t *testing.T, extraSkipChecks ...map[string]bool) {
+	if goruntime.GOOS != "linux" {
+		t.Skip("Not running on linux")
+	}
+	_, err := os.Stat(nriTestSocket)
+	if err != nil {
+		t.Skip("Containerd test instance does not have NRI enabled")
+	}
+
+	for _, checks := range extraSkipChecks {
+		for check, skip := range checks {
+			if skip {
+				t.Skip(check)
+			}
+		}
+	}
+}
+
+// Test successful Nri plugin setup.
+func TestNriPluginSetup(t *testing.T) {
+	skipNriTestIfNecessary(t)
+
+	t.Log("Test that NRI plugins can connect and get set up.")
+
+	var (
+		tc = &nriTest{
+			t: t,
+			plugins: []*mockPlugin{
+				{},
+				{},
+				{},
+			},
+		}
+	)
+
+	tc.setup()
+}
+
+// Test NRI runtime/plugin state synchronization.
+func TestNriPluginSynchronization(t *testing.T) {
+	skipNriTestIfNecessary(t)
+
+	t.Log("Test that NRI plugins get properly synchronized with the runtime state.")
+
+	var (
+		tc = &nriTest{
+			t: t,
+		}
+		podCount  = 3
+		ctrPerPod = 2
+	)
+
+	tc.setup()
+
+	for i := 0; i < podCount; i++ {
+		podID := tc.runPod(fmt.Sprintf("pod%d", i))
+		for j := 0; j < ctrPerPod; j++ {
+			tc.startContainer(podID, fmt.Sprintf("ctr%d", j))
+		}
+	}
+
+	for _, plugin := range []*mockPlugin{{}, {}, {}} {
+		tc.connectNewPlugin(plugin)
+	}
+
+	for _, plugin := range tc.plugins {
+		err := plugin.Wait(PluginSynchronized, time.After(pluginSyncTimeout))
+		require.NoError(t, err, "plugin sync wait")
+	}
+
+	for _, id := range tc.pods {
+		for _, plugin := range tc.plugins {
+			_, ok := plugin.pods[id]
+			require.True(tc.t, ok, "runtime sync of pod "+id)
+		}
+	}
+
+	for _, id := range tc.ctrs {
+		for _, plugin := range tc.plugins {
+			_, ok := plugin.ctrs[id]
+			require.True(t, ok, "runtime sync of container "+id)
+		}
+	}
+}
+
+// Test mount injection into containers by NRI plugins.
+func TestNriMountInjection(t *testing.T) {
+	skipNriTestIfNecessary(t)
+
+	t.Log("Test that NRI plugins can inject mounts into containers.")
+
+	var (
+		out = t.TempDir()
+		tc  = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		injectMount = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			adjust := &api.ContainerAdjustment{}
+			adjust.AddMount(&api.Mount{
+				Destination: "/out",
+				Source:      out,
+				Type:        "bind",
+				Options:     []string{"bind"},
+			})
+			return adjust, nil, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = injectMount
+	tc.setup()
+
+	msg := fmt.Sprintf("hello process %d", os.Getpid())
+	cmd := "echo " + msg + " > /out/result; sleep 3600"
+
+	podID := tc.runPod("pod0")
+	tc.startContainer(podID, "ctr0",
+		WithCommand("/bin/sh", "-c", cmd),
+	)
+
+	chk, err := waitForFileAndRead(filepath.Join(out, "result"), time.Second)
+	require.NoError(t, err, "read result")
+	require.Equal(t, msg+"\n", string(chk), "check result")
+}
+
+// Test environment variable injection by NRI plugins.
+func TestNriEnvironmentInjection(t *testing.T) {
+	skipNriTestIfNecessary(t)
+
+	t.Log("Test that NRI plugins can inject environment variables into containers.")
+
+	var (
+		out = t.TempDir()
+		tc  = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		injectEnv = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			adjust := &api.ContainerAdjustment{}
+			adjust.AddMount(&api.Mount{
+				Destination: "/out",
+				Source:      out,
+				Type:        "bind",
+				Options:     []string{"bind"},
+			})
+			adjust.AddEnv("TEST_ENV_NAME", "TEST_ENV_VALUE")
+			return adjust, nil, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = injectEnv
+	tc.setup()
+
+	podID := tc.runPod("pod0")
+	tc.startContainer(podID, "ctr0",
+		WithCommand("/bin/sh", "-c", "echo $TEST_ENV_NAME > /out/result; sleep 3600"),
+	)
+
+	chk, err := waitForFileAndRead(filepath.Join(out, "result"), time.Second)
+	require.NoError(t, err, "read result")
+	require.Equal(t, "TEST_ENV_VALUE\n", string(chk), "check result")
+}
+
+// Test annotation injection by NRI plugins.
+func TestNriAnnotationInjection(t *testing.T) {
+	skipNriTestIfNecessary(t)
+
+	t.Log("Test that NRI plugins can inject annotations into containers.")
+
+	var (
+		key   = "TEST_ANNOTATION_KEY"
+		value = "TEST_ANNOTATION_VALUE"
+		tc    = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		injectAnnotation = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			adjust := &api.ContainerAdjustment{}
+			adjust.AddAnnotation(key, value)
+			return adjust, nil, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = injectAnnotation
+	tc.setup()
+
+	podID := tc.runPod("pod0")
+	id := tc.startContainer(podID, "ctr0")
+
+	timeout := time.After(pluginSyncTimeout)
+	err := tc.plugins[0].Wait(ContainerEvent(tc.plugins[0].ctrs[id], PostCreateContainer), timeout)
+	require.NoError(t, err, "wait for container post-create event")
+	require.Equal(t, value, tc.plugins[0].ctrs[id].Annotations[key], "updated annotations")
+}
+
+// Test linux device injection by NRI plugins.
+func TestNriLinuxDeviceInjection(t *testing.T) {
+	skipNriTestIfNecessary(t)
+
+	t.Log("Test that NRI plugins can inject linux devices into containers.")
+
+	var (
+		out = t.TempDir()
+		tc  = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		injectDev = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			adjust := &api.ContainerAdjustment{}
+			adjust.AddMount(&api.Mount{
+				Destination: "/out",
+				Source:      out,
+				Type:        "bind",
+				Options:     []string{"bind"},
+			})
+			adjust.AddDevice(&api.LinuxDevice{
+				Path:     "/dev/pie",
+				Type:     "c",
+				Major:    31,
+				Minor:    41,
+				Uid:      api.UInt32(uint32(11)),
+				Gid:      api.UInt32(uint32(22)),
+				FileMode: api.FileMode(uint32(0664)),
+			})
+			return adjust, nil, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = injectDev
+	tc.setup()
+
+	podID := tc.runPod("pod0")
+	tc.startContainer(podID, "ctr0",
+		WithCommand("/bin/sh", "-c", "stat -c %F-%a-%u:%g-%t:%T /dev/pie > /out/result; sleep 3600"),
+	)
+
+	chk, err := waitForFileAndRead(filepath.Join(out, "result"), time.Second)
+	require.NoError(t, err, "read result")
+	require.Equal(t, "character special file-664-11:22-1f:29\n", string(chk), "check result")
+}
+
+// Test linux cpuset adjustment by NRI plugins.
+func TestNriLinuxCpusetAdjustment(t *testing.T) {
+	skipNriTestIfNecessary(t,
+		map[string]bool{
+			"not enough online CPUs for test": len(getAvailableCpuset(t)) < 2,
+		},
+	)
+
+	t.Log("Test that NRI plugins can adjust linux cpusets of containers.")
+
+	var (
+		out = t.TempDir()
+		tc  = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		adjustCpuset = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			adjust := &api.ContainerAdjustment{}
+			adjust.AddMount(&api.Mount{
+				Destination: "/out",
+				Source:      out,
+				Type:        "bind",
+				Options:     []string{"bind"},
+			})
+			adjust.SetLinuxCPUSetCPUs(availableCpuset[1])
+			return adjust, nil, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = adjustCpuset
+	tc.setup()
+
+	podID := tc.runPod("pod0")
+	tc.startContainer(podID, "ctr0",
+		WithCommand("/bin/sh", "-c", "grep Cpus_allowed_list: /proc/self/status > /out/result; "+
+			"sleep 3600"),
+	)
+
+	chk, err := waitForFileAndRead(filepath.Join(out, "result"), time.Second)
+	require.NoError(t, err, "read result")
+
+	expected := "Cpus_allowed_list:\t" + availableCpuset[1] + "\n"
+	require.Equal(t, expected, string(chk), "check result")
+}
+
+// Test linux memset adjustment by NRI plugins.
+func TestNriLinuxMemsetAdjustment(t *testing.T) {
+	skipNriTestIfNecessary(t,
+		map[string]bool{
+			"not enough online memory nodes for test": len(getAvailableMemset(t)) < 2,
+		},
+	)
+
+	t.Log("Test that NRI plugins can adjust linux memsets of containers.")
+
+	var (
+		out = t.TempDir()
+		tc  = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		adjustMemset = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			adjust := &api.ContainerAdjustment{}
+			adjust.AddMount(&api.Mount{
+				Destination: "/out",
+				Source:      out,
+				Type:        "bind",
+				Options:     []string{"bind"},
+			})
+			adjust.SetLinuxCPUSetMems(availableMemset[1])
+			return adjust, nil, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = adjustMemset
+	tc.setup()
+
+	podID := tc.runPod("pod0")
+	tc.startContainer(podID, "ctr0",
+		WithCommand("/bin/sh", "-c", "grep Mems_allowed_list: /proc/self/status > /out/result; "+
+			"sleep 3600"),
+	)
+
+	chk, err := waitForFileAndRead(filepath.Join(out, "result"), time.Second)
+	require.NoError(t, err, "read result")
+
+	expected := "Mems_allowed_list:\t" + availableMemset[1] + "\n"
+	require.Equal(t, expected, string(chk), "check result")
+}
+
+// Test creation-time linux cpuset update of existing containers by NRI plugins.
+func TestNriLinuxCpusetAdjustmentUpdate(t *testing.T) {
+	skipNriTestIfNecessary(t,
+		map[string]bool{
+			"not enough online CPUs for test": len(getAvailableCpuset(t)) < 2,
+		},
+	)
+
+	t.Log("Test that NRI plugins can update linux cpusets of existing containers.")
+
+	var (
+		out = t.TempDir()
+		tc  = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		ctr0         string
+		updateCpuset = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			var (
+				adjust *api.ContainerAdjustment
+				update []*api.ContainerUpdate
+			)
+			if ctr.Name == "ctr0" {
+				ctr0 = ctr.Id
+				adjust = &api.ContainerAdjustment{}
+				adjust.AddMount(&api.Mount{
+					Destination: "/out",
+					Source:      out,
+					Type:        "bind",
+					Options:     []string{"bind"},
+				})
+				adjust.SetLinuxCPUSetCPUs(availableCpuset[0])
+			} else {
+				update = []*api.ContainerUpdate{{}}
+				update[0].SetContainerId(ctr0)
+				update[0].SetLinuxCPUSetCPUs(availableCpuset[1])
+			}
+			return adjust, update, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = updateCpuset
+	tc.setup()
+
+	podID := tc.runPod("pod0")
+	tc.startContainer(podID, "ctr0",
+		WithCommand("/bin/sh", "-c",
+			`prev=""
+             while true; do
+                 cpus="$(grep Cpus_allowed_list: /proc/self/status)"
+                 [ "$cpus" != "$prev" ] && echo "$cpus" > /out/result
+                 cpus="$prev"
+                 sleep 0.2
+             done`),
+	)
+	tc.startContainer(podID, "ctr1",
+		WithCommand("/bin/sh", "-c", "sleep 3600"),
+	)
+
+	time.Sleep(1 * time.Second)
+
+	chk, err := waitForFileAndRead(filepath.Join(out, "result"), time.Second)
+	require.NoError(t, err, "read result")
+
+	expected := "Cpus_allowed_list:\t" + availableCpuset[1] + "\n"
+	require.Equal(t, expected, string(chk), "check result")
+}
+
+// Test creation-time linux memset update of existing containers by NRI plugins.
+func TestNriLinuxMemsetAdjustmentUpdate(t *testing.T) {
+	skipNriTestIfNecessary(t,
+		map[string]bool{
+			"not enough online memory nodes for test": len(getAvailableMemset(t)) < 2,
+		},
+	)
+
+	t.Log("Test that NRI plugins can update linux memsets of existing containers.")
+
+	var (
+		out = t.TempDir()
+		tc  = &nriTest{
+			t:       t,
+			plugins: []*mockPlugin{{}},
+		}
+		ctr0         string
+		updateMemset = func(p *mockPlugin, pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+			var (
+				adjust *api.ContainerAdjustment
+				update []*api.ContainerUpdate
+			)
+			if ctr.Name == "ctr0" {
+				ctr0 = ctr.Id
+				adjust = &api.ContainerAdjustment{}
+				adjust.AddMount(&api.Mount{
+					Destination: "/out",
+					Source:      out,
+					Type:        "bind",
+					Options:     []string{"bind"},
+				})
+				adjust.SetLinuxCPUSetMems(availableMemset[0])
+			} else {
+				update = []*api.ContainerUpdate{{}}
+				update[0].SetContainerId(ctr0)
+				update[0].SetLinuxCPUSetMems(availableMemset[1])
+			}
+			return adjust, update, nil
+		}
+	)
+
+	tc.plugins[0].createContainer = updateMemset
+	tc.setup()
+
+	podID := tc.runPod("pod0")
+	tc.startContainer(podID, "ctr0",
+		WithCommand("/bin/sh", "-c",
+			`prev=""
+             while true; do
+                 mems="$(grep Mems_allowed_list: /proc/self/status)"
+                 [ "$mems" != "$prev" ] && echo "$mems" > /out/result
+                 mems="$prev"
+                 sleep 0.2
+             done`),
+	)
+	tc.startContainer(podID, "ctr1",
+		WithCommand("/bin/sh", "-c", "sleep 3600"),
+	)
+
+	time.Sleep(1 * time.Second)
+
+	chk, err := waitForFileAndRead(filepath.Join(out, "result"), time.Second)
+	require.NoError(t, err, "read result")
+
+	expected := "Mems_allowed_list:\t" + availableMemset[1] + "\n"
+	require.Equal(t, expected, string(chk), "check result")
+}
+
+// Test NRI vs. containerd restart.
+func TestNriPluginContainerdRestart(t *testing.T) {
+	skipNriTestIfNecessary(t)
+
+	t.Log("Test NRI plugins vs. containerd restart.")
+
+	var (
+		tc = &nriTest{
+			t: t,
+		}
+		podCount  = 3
+		ctrPerPod = 2
+	)
+
+	tc.setup()
+
+	for i := 0; i < podCount; i++ {
+		podID := tc.runPod(fmt.Sprintf("pod%d", i))
+		for j := 0; j < ctrPerPod; j++ {
+			tc.startContainer(podID, fmt.Sprintf("ctr%d", j))
+		}
+	}
+
+	for _, plugin := range []*mockPlugin{{}, {}, {}} {
+		tc.connectNewPlugin(plugin)
+	}
+
+	for _, plugin := range tc.plugins {
+		err := plugin.Wait(PluginSynchronized, time.After(pluginSyncTimeout))
+		require.NoError(t, err, "plugin sync wait")
+	}
+
+	for _, id := range tc.pods {
+		for _, plugin := range tc.plugins {
+			_, ok := plugin.pods[id]
+			require.True(tc.t, ok, "runtime sync of pod "+id)
+		}
+	}
+
+	for _, id := range tc.ctrs {
+		for _, plugin := range tc.plugins {
+			_, ok := plugin.ctrs[id]
+			require.True(t, ok, "runtime sync of container "+id)
+		}
+	}
+
+	t.Logf("Restart containerd")
+	RestartContainerd(t, syscall.SIGTERM)
+
+	for _, plugin := range tc.plugins {
+		require.True(t, plugin.closed, "plugin connection closed")
+	}
+}
+
+// An NRI test along with its state.
+type nriTest struct {
+	t         *testing.T
+	name      string
+	prefix    string
+	runtime   cri.RuntimeService
+	plugins   []*mockPlugin
+	namespace string
+	sbCfg     map[string]*runtime.PodSandboxConfig
+	pods      []string
+	ctrs      []string
+}
+
+// setup prepares the test environment, connects all NRI plugins.
+func (tc *nriTest) setup() {
+	if tc.name == "" {
+		tc.name = tc.t.Name()
+	}
+	if tc.prefix == "" {
+		tc.prefix = strings.ToLower(tc.name)
+	}
+	if tc.namespace == "" {
+		tc.namespace = tc.prefix + "-" + fmt.Sprintf("%d", os.Getpid())
+	}
+
+	tc.sbCfg = make(map[string]*runtime.PodSandboxConfig)
+	tc.runtime = runtimeService
+
+	for idx, p := range tc.plugins {
+		p.namespace = tc.namespace
+
+		if p.logf == nil {
+			p.logf = tc.t.Logf
+		}
+		if p.idx == "" {
+			p.idx = fmt.Sprintf("%02d", idx)
+		}
+
+		err := p.Start()
+		require.NoError(tc.t, err, "start plugin")
+
+		err = p.Wait(PluginSynchronized, time.After(pluginSyncTimeout))
+		require.NoError(tc.t, err, "wait for plugin setup")
+	}
+}
+
+// Connect a new NRI plugin to the runtime.
+func (tc *nriTest) connectNewPlugin(p *mockPlugin) {
+	p.namespace = tc.namespace
+
+	if p.logf == nil {
+		p.logf = tc.t.Logf
+	}
+	if p.idx == "" {
+		p.idx = fmt.Sprintf("%02d", len(tc.plugins))
+	}
+
+	tc.plugins = append(tc.plugins, p)
+
+	err := p.Start()
+	require.NoError(tc.t, err, "start plugin")
+
+	err = p.Wait(PluginSynchronized, time.After(pluginSyncTimeout))
+	require.NoError(tc.t, err, "wait for plugin setup")
+}
+
+// Create a pod in a namespace specific to the test case.
+func (tc *nriTest) runPod(name string) string {
+	id, cfg := PodSandboxConfigWithCleanup(tc.t, name, tc.namespace)
+	tc.sbCfg[id] = cfg
+	tc.pods = append(tc.pods, id)
+	return id
+}
+
+// Start a container in a (testcase-specific) pod.
+func (tc *nriTest) startContainer(podID, name string, opts ...ContainerOpts) string {
+	podCfg := tc.sbCfg[podID]
+	require.NotNil(tc.t, podCfg, "pod config for "+podID)
+
+	ctrCfg := ContainerConfig(name, "", opts...)
+	if ctrCfg.Image.Image == "" {
+		image := images.Get(images.BusyBox)
+		EnsureImageExists(tc.t, image)
+		ctrCfg.Image.Image = image
+	}
+
+	if len(ctrCfg.Command) == 0 {
+		WithCommand("/bin/sh", "-c", "sleep 3600")(ctrCfg)
+	}
+
+	ctrID, err := tc.runtime.CreateContainer(podID, ctrCfg, podCfg)
+	assert.NoError(tc.t, err, "create container")
+	assert.NoError(tc.t, tc.runtime.StartContainer(ctrID), "start container")
+
+	tc.ctrs = append(tc.ctrs, ctrID)
+
+	tc.t.Cleanup(func() {
+		assert.NoError(tc.t, tc.runtime.StopContainer(ctrID, containerStopTimeout))
+		assert.NoError(tc.t, tc.runtime.RemoveContainer(ctrID))
+	})
+
+	tc.t.Logf("created/started container %s/%s/%s with ID %s",
+		podCfg.Metadata.Namespace, podCfg.Metadata.Name, name, ctrID)
+
+	return ctrID
+}
+
+//
+// NRI plugin implementation for integration tests
+//
+
+type mockPlugin struct {
+	name string
+	idx  string
+	stub stub.Stub
+	mask stub.EventMask
+
+	q    *eventQ
+	pods map[string]*api.PodSandbox
+	ctrs map[string]*api.Container
+
+	closed              bool
+	namespace           string
+	logf                func(string, ...interface{})
+	synchronize         func(*mockPlugin, []*api.PodSandbox, []*api.Container) ([]*api.ContainerUpdate, error)
+	createContainer     func(*mockPlugin, *api.PodSandbox, *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error)
+	postCreateContainer func(*mockPlugin, *api.PodSandbox, *api.Container)
+	updateContainer     func(*mockPlugin, *api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error)
+	postUpdateContainer func(*mockPlugin, *api.PodSandbox, *api.Container)
+	stopContainer       func(*mockPlugin, *api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error)
+}
+
+func (m *mockPlugin) Start() error {
+	var err error
+
+	if m.name == "" {
+		m.name = "mock-plugin"
+	}
+	if m.idx == "" {
+		m.idx = "00"
+	}
+
+	if m.mask == 0 {
+		m.mask.Set(
+			api.Event_RUN_POD_SANDBOX,
+			api.Event_STOP_POD_SANDBOX,
+			api.Event_REMOVE_POD_SANDBOX,
+			api.Event_CREATE_CONTAINER,
+			api.Event_POST_CREATE_CONTAINER,
+			api.Event_START_CONTAINER,
+			api.Event_POST_START_CONTAINER,
+			api.Event_UPDATE_CONTAINER,
+			api.Event_POST_UPDATE_CONTAINER,
+			api.Event_STOP_CONTAINER,
+			api.Event_REMOVE_CONTAINER,
+		)
+	}
+
+	m.stub, err = stub.New(m,
+		stub.WithPluginName(m.name),
+		stub.WithPluginIdx(m.idx),
+		stub.WithSocketPath(nriTestSocket),
+		stub.WithOnClose(m.onClose),
+	)
+	if err != nil {
+		return err
+	}
+
+	if m.logf == nil {
+		m.logf = func(format string, args ...interface{}) {
+			fmt.Printf(format+"\n", args...)
+		}
+	}
+
+	if m.synchronize == nil {
+		m.synchronize = nopSynchronize
+	}
+	if m.createContainer == nil {
+		m.createContainer = nopCreateContainer
+	}
+	if m.postCreateContainer == nil {
+		m.postCreateContainer = nopEvent
+	}
+	if m.updateContainer == nil {
+		m.updateContainer = nopUpdateContainer
+	}
+	if m.postUpdateContainer == nil {
+		m.postUpdateContainer = nopEvent
+	}
+	if m.stopContainer == nil {
+		m.stopContainer = nopStopContainer
+	}
+
+	m.q = &eventQ{}
+	m.pods = make(map[string]*api.PodSandbox)
+	m.ctrs = make(map[string]*api.Container)
+
+	err = m.stub.Start(context.Background())
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *mockPlugin) Stop() {
+	if m.stub != nil {
+		m.stub.Stop()
+		m.stub.Wait()
+	}
+}
+
+func (m *mockPlugin) onClose() {
+	m.closed = true
+	if m.stub != nil {
+		m.stub.Stop()
+		m.stub.Wait()
+	}
+}
+
+func (m *mockPlugin) inNamespace(namespace string) bool {
+	return strings.HasPrefix(namespace, m.namespace)
+}
+
+func (m *mockPlugin) Log(format string, args ...interface{}) {
+	m.logf(fmt.Sprintf("[plugin:%s-%s] ", m.idx, m.name)+format, args...)
+}
+
+func (m *mockPlugin) Configure(cfg string) (stub.EventMask, error) {
+	return m.mask, nil
+}
+
+func (m *mockPlugin) Synchronize(pods []*api.PodSandbox, ctrs []*api.Container) ([]*api.ContainerUpdate, error) {
+	m.Log("Synchronize")
+	for _, pod := range pods {
+		m.Log("  - pod %s", pod.Id)
+		m.pods[pod.Id] = pod
+	}
+	for _, ctr := range ctrs {
+		m.Log("  - ctr %s", ctr.Id)
+		m.ctrs[ctr.Id] = ctr
+	}
+
+	m.q.Add(PluginSynchronized)
+
+	return m.synchronize(m, pods, ctrs)
+}
+
+func (m *mockPlugin) Shutdown() {
+	m.Log("Shutdown")
+}
+
+func (m *mockPlugin) RunPodSandbox(pod *api.PodSandbox) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("RunPodSandbox %s/%s", pod.Namespace, pod.Name)
+	m.pods[pod.Id] = pod
+	m.q.Add(PodSandboxEvent(pod, RunPodSandbox))
+	return nil
+}
+
+func (m *mockPlugin) StopPodSandbox(pod *api.PodSandbox) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("StopPodSandbox %s/%s", pod.Namespace, pod.Name)
+	m.pods[pod.Id] = pod
+	m.q.Add(PodSandboxEvent(pod, StopPodSandbox))
+	return nil
+}
+
+func (m *mockPlugin) RemovePodSandbox(pod *api.PodSandbox) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("RemovePodSandbox %s/%s", pod.Namespace, pod.Name)
+	delete(m.pods, pod.Id)
+	m.q.Add(PodSandboxEvent(pod, RemovePodSandbox))
+	return nil
+}
+
+func (m *mockPlugin) CreateContainer(pod *api.PodSandbox, ctr *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+	if !m.inNamespace(pod.Namespace) {
+		return nil, nil, nil
+	}
+
+	m.Log("CreateContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	m.pods[pod.Id] = pod
+	m.ctrs[ctr.Id] = ctr
+	m.q.Add(ContainerEvent(ctr, CreateContainer))
+
+	return m.createContainer(m, pod, ctr)
+}
+
+func (m *mockPlugin) PostCreateContainer(pod *api.PodSandbox, ctr *api.Container) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("PostCreateContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	m.pods[pod.Id] = pod
+	m.ctrs[ctr.Id] = ctr
+	m.q.Add(ContainerEvent(ctr, PostCreateContainer))
+	m.postCreateContainer(m, pod, ctr)
+	return nil
+}
+
+func (m *mockPlugin) StartContainer(pod *api.PodSandbox, ctr *api.Container) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("StartContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	m.pods[pod.Id] = pod
+	m.ctrs[ctr.Id] = ctr
+	m.q.Add(ContainerEvent(ctr, StartContainer))
+	return nil
+}
+
+func (m *mockPlugin) PostStartContainer(pod *api.PodSandbox, ctr *api.Container) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("PostStartContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	m.pods[pod.Id] = pod
+	m.ctrs[ctr.Id] = ctr
+	m.q.Add(ContainerEvent(ctr, PostStartContainer))
+	return nil
+}
+
+func (m *mockPlugin) UpdateContainer(pod *api.PodSandbox, ctr *api.Container) ([]*api.ContainerUpdate, error) {
+	if !m.inNamespace(pod.Namespace) {
+		return nil, nil
+	}
+
+	m.Log("UpdateContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	m.pods[pod.Id] = pod
+	m.ctrs[ctr.Id] = ctr
+	m.q.Add(ContainerEvent(ctr, UpdateContainer))
+	return m.updateContainer(m, pod, ctr)
+}
+
+func (m *mockPlugin) PostUpdateContainer(pod *api.PodSandbox, ctr *api.Container) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("PostUpdateContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	m.pods[pod.Id] = pod
+	m.ctrs[ctr.Id] = ctr
+	m.q.Add(ContainerEvent(ctr, PostUpdateContainer))
+	m.postUpdateContainer(m, pod, ctr)
+	return nil
+}
+
+func (m *mockPlugin) StopContainer(pod *api.PodSandbox, ctr *api.Container) ([]*api.ContainerUpdate, error) {
+	if !m.inNamespace(pod.Namespace) {
+		return nil, nil
+	}
+
+	m.Log("StopContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	m.pods[pod.Id] = pod
+	m.ctrs[ctr.Id] = ctr
+	m.q.Add(ContainerEvent(ctr, StopContainer))
+	return m.stopContainer(m, pod, ctr)
+}
+
+func (m *mockPlugin) RemoveContainer(pod *api.PodSandbox, ctr *api.Container) error {
+	if !m.inNamespace(pod.Namespace) {
+		return nil
+	}
+
+	m.Log("RemoveContainer %s/%s/%s", pod.Namespace, pod.Name, ctr.Name)
+	delete(m.pods, pod.Id)
+	delete(m.ctrs, ctr.Id)
+	m.q.Add(ContainerEvent(ctr, RemoveContainer))
+	return nil
+}
+
+func (m *mockPlugin) Wait(e *Event, deadline <-chan time.Time) error {
+	_, err := m.q.Wait(e, deadline)
+	return err
+}
+
+func nopSynchronize(*mockPlugin, []*api.PodSandbox, []*api.Container) ([]*api.ContainerUpdate, error) {
+	return nil, nil
+}
+
+func nopCreateContainer(*mockPlugin, *api.PodSandbox, *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error) {
+	return nil, nil, nil
+}
+
+func nopUpdateContainer(*mockPlugin, *api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error) {
+	return nil, nil
+}
+
+func nopStopContainer(*mockPlugin, *api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error) {
+	return nil, nil
+}
+
+func nopEvent(*mockPlugin, *api.PodSandbox, *api.Container) {
+}
+
+//
+// plugin event and event recording
+//
+
+type EventType string
+
+const (
+	Configured   = "configured"
+	Synchronized = "synchronized"
+	StartupError = "startup-error"
+	Shutdown     = "shutdown"
+	Disconnected = "closed"
+	Stopped      = "stopped"
+
+	RunPodSandbox       = "RunPodSandbox"
+	StopPodSandbox      = "StopPodSandbox"
+	RemovePodSandbox    = "RemovePodSandbox"
+	CreateContainer     = "CreateContainer"
+	StartContainer      = "StartContainer"
+	UpdateContainer     = "UpdateContainer"
+	StopContainer       = "StopContainer"
+	RemoveContainer     = "RemoveContainer"
+	PostCreateContainer = "PostCreateContainer"
+	PostStartContainer  = "PostStartContainer"
+	PostUpdateContainer = "PostUpdateContainer"
+
+	Error   = "Error"
+	Timeout = ""
+)
+
+type Event struct {
+	Type EventType
+	Pod  string
+	Ctr  string
+}
+
+var (
+	PluginConfigured   = &Event{Type: Configured}
+	PluginSynchronized = &Event{Type: Synchronized}
+	PluginStartupError = &Event{Type: StartupError}
+	PluginShutdown     = &Event{Type: Shutdown}
+	PluginDisconnected = &Event{Type: Disconnected}
+	PluginStopped      = &Event{Type: Stopped}
+)
+
+func PodSandboxEvent(pod *api.PodSandbox, t EventType) *Event {
+	return &Event{Type: t, Pod: pod.Id}
+}
+
+func ContainerEvent(ctr *api.Container, t EventType) *Event {
+	return &Event{Type: t, Ctr: ctr.Id}
+}
+
+func PodRefEvent(pod string, t EventType) *Event {
+	return &Event{Type: t, Pod: pod}
+}
+
+func ContainerRefEvent(pod, ctr string, t EventType) *Event {
+	return &Event{Type: t, Pod: pod, Ctr: ctr}
+}
+
+func (e *Event) Matches(o *Event) bool {
+	if e.Type != o.Type {
+		return false
+	}
+	if e.Pod != "" && o.Pod != "" {
+		if e.Pod != o.Pod {
+			return false
+		}
+	}
+	if e.Ctr != "" && o.Ctr != "" {
+		if e.Ctr != o.Ctr {
+			return false
+		}
+	}
+	return true
+}
+
+func (e *Event) String() string {
+	str, sep := "", ""
+	if e.Pod != "" {
+		str = e.Pod
+		sep = ":"
+	}
+	if e.Ctr != "" {
+		str += sep + e.Ctr
+		sep = "/"
+	}
+	return str + sep + string(e.Type)
+}
+
+type eventQ struct {
+	sync.Mutex
+	q []*Event
+	c chan *Event
+}
+
+func (q *eventQ) Add(e *Event) {
+	if q == nil {
+		return
+	}
+	q.Lock()
+	defer q.Unlock()
+	q.q = append(q.q, e)
+	if q.c != nil {
+		q.c <- e
+	}
+}
+
+func (q *eventQ) Reset(e *Event) {
+	q.Lock()
+	defer q.Unlock()
+	q.q = []*Event{}
+}
+
+func (q *eventQ) Events() []*Event {
+	q.Lock()
+	defer q.Unlock()
+	var events []*Event
+	events = append(events, q.q...)
+	return events
+}
+
+func (q *eventQ) Has(e *Event) bool {
+	q.Lock()
+	defer q.Unlock()
+	return q.search(e) != nil
+}
+
+func (q *eventQ) search(e *Event) *Event {
+	for _, qe := range q.q {
+		if qe.Matches(e) {
+			return qe
+		}
+	}
+	return nil
+}
+
+func (q *eventQ) Wait(w *Event, deadline <-chan time.Time) (*Event, error) {
+	var unlocked bool
+	q.Lock()
+	defer func() {
+		if !unlocked {
+			q.Unlock()
+		}
+	}()
+
+	if e := q.search(w); e != nil {
+		return e, nil
+	}
+
+	if q.c != nil {
+		return nil, fmt.Errorf("event queue already busy Wait()ing")
+	}
+	q.c = make(chan *Event, 16)
+	defer func() {
+		c := q.c
+		q.c = nil
+		close(c)
+	}()
+
+	q.Unlock()
+	unlocked = true
+	for {
+		select {
+		case e := <-q.c:
+			if e.Matches(w) {
+				return e, nil
+			}
+		case <-deadline:
+			return nil, fmt.Errorf("event queue timed out Wait()ing for %s", w)
+		}
+	}
+}
+
+//
+// helper functions
+//
+
+// Wait for a file to show up in the filesystem then read its content.
+func waitForFileAndRead(path string, timeout time.Duration) ([]byte, error) {
+	var (
+		deadline = time.After(timeout)
+		slack    = 100 * time.Millisecond
+	)
+
+WAIT:
+	for {
+		if _, err := os.Stat(path); err == nil {
+			break WAIT
+		}
+		select {
+		case <-deadline:
+			return nil, fmt.Errorf("waiting for %s timed out", path)
+		default:
+			time.Sleep(slack)
+		}
+	}
+
+	time.Sleep(slack)
+	return os.ReadFile(path)
+}
+
+// getAvailableCpuset returns the set of online CPUs.
+func getAvailableCpuset(t *testing.T) []string {
+	if availableCpuset == nil {
+		availableCpuset = getXxxset(t, "cpuset", onlineCpus)
+	}
+	return availableCpuset
+}
+
+// getAvailableMemset returns the set of usable NUMA nodes.
+func getAvailableMemset(t *testing.T) []string {
+	if availableMemset == nil {
+		availableMemset = getXxxset(t, "memset", normalMems)
+	}
+	return availableMemset
+}
+
+// getXxxset reads/parses a CPU/memory set into a slice.
+func getXxxset(t *testing.T, kind, path string) []string {
+	var (
+		data []byte
+		set  []string
+		one  uint64
+		err  error
+	)
+
+	data, err = os.ReadFile(path)
+	if err != nil {
+		t.Logf("failed to read %s: %v", path, err)
+		return nil
+	}
+
+	for _, rng := range strings.Split(strings.TrimSpace(string(data)), ",") {
+		var (
+			lo int
+			hi = -1
+		)
+		loHi := strings.Split(rng, "-")
+		switch len(loHi) {
+		case 2:
+			one, err = strconv.ParseUint(loHi[1], 10, 32)
+			if err != nil {
+				t.Errorf("failed to parse %s range %q: %v", kind, rng, err)
+				return nil
+			}
+			hi = int(one) + 1
+			fallthrough
+		case 1:
+			one, err = strconv.ParseUint(loHi[0], 10, 32)
+			if err != nil {
+				t.Errorf("failed to parse %s range %q: %v", kind, rng, err)
+				return nil
+			}
+			lo = int(one)
+		default:
+			t.Errorf("invalid %s range %q", kind, rng)
+			return nil
+		}
+
+		if hi == -1 {
+			hi = lo + 1
+		}
+
+		for i := lo; i < hi; i++ {
+			set = append(set, strconv.Itoa(i))
+		}
+	}
+
+	return set
+}
diff --git a/script/test/utils.sh b/script/test/utils.sh
index 75dc91c96..f3a009816 100755
--- a/script/test/utils.sh
+++ b/script/test/utils.sh
@@ -51,6 +51,20 @@ EOF
     cat >>${config_file} <<EOF
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
 runtime_type = "${CONTAINERD_RUNTIME}"
+EOF
+  fi
+  if [ $IS_WINDOWS -eq 0 ]; then
+    NRI_CONFIG_DIR="${CONTAINERD_CONFIG_DIR}/nri"
+    cat >>${config_file} <<EOF
+[plugins."io.containerd.nri.v1.nri"]
+  disable = false
+  config_file = "${NRI_CONFIG_DIR}/nri.conf"
+  socket_path = "/var/run/nri-test.sock"
+  plugin_path = "/no/pre-launched/nri/plugins"
+EOF
+    mkdir -p "${NRI_CONFIG_DIR}"
+    cat >"${NRI_CONFIG_DIR}/nri.conf" <<EOF
+disableConnections: false
 EOF
   fi
   CONTAINERD_CONFIG_FILE="${config_file}"
diff --git a/vendor/github.com/containerd/nri/pkg/stub/stub.go b/vendor/github.com/containerd/nri/pkg/stub/stub.go
new file mode 100644
index 000000000..39d6b22e6
--- /dev/null
+++ b/vendor/github.com/containerd/nri/pkg/stub/stub.go
@@ -0,0 +1,757 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package stub
+
+import (
+	"context"
+	"fmt"
+	stdnet "net"
+	"os"
+	"path/filepath"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/containerd/nri/pkg/api"
+	nrilog "github.com/containerd/nri/pkg/log"
+	"github.com/containerd/nri/pkg/net"
+	"github.com/containerd/nri/pkg/net/multiplex"
+	"github.com/containerd/ttrpc"
+)
+
+// Plugin can implement a number of interfaces related to Pod and Container
+// lifecycle events. No any single such inteface is mandatory, therefore the
+// Plugin interface itself is empty. Plugins are required to implement at
+// least one of these interfaces and this is verified during stub creation.
+// Trying to create a stub for a plugin violating this requirement will fail
+// with and error.
+type Plugin interface{}
+
+// ConfigureInterface handles Configure API request.
+type ConfigureInterface interface {
+	// Configure the plugin with the given NRI-supplied configuration.
+	// If a non-zero EventMask is returned, the plugin will be subscribed
+	// to the corresponding.
+	Configure(config, runtime, version string) (api.EventMask, error)
+}
+
+// SynchronizeInterface handles Synchronize API requests.
+type SynchronizeInterface interface {
+	// Synchronize the state of the plugin with the runtime.
+	// The plugin can request updates to containers in response.
+	Synchronize([]*api.PodSandbox, []*api.Container) ([]*api.ContainerUpdate, error)
+}
+
+// ShutdownInterface handles a Shutdown API request.
+type ShutdownInterface interface {
+	// Shutdown notifies the plugin about the runtime shutting down.
+	Shutdown(*api.ShutdownRequest)
+}
+
+// RunPodInterface handles RunPodSandbox API events.
+type RunPodInterface interface {
+	// RunPodSandbox relays a RunPodSandbox event to the plugin.
+	RunPodSandbox(*api.PodSandbox) error
+}
+
+// StopPodInterface handles StopPodSandbox API events.
+type StopPodInterface interface {
+	// StopPodSandbox relays a StopPodSandbox event to the plugin.
+	StopPodSandbox(*api.PodSandbox) error
+}
+
+// RemovePodInterface handles RemovePodSandbox API events.
+type RemovePodInterface interface {
+	// RemovePodSandbox relays a RemovePodSandbox event to the plugin.
+	RemovePodSandbox(*api.PodSandbox) error
+}
+
+// CreateContainerInterface handles CreateContainer API requests.
+type CreateContainerInterface interface {
+	// CreateContainer relays a CreateContainer request to the plugin.
+	// The plugin can request adjustments to the container being created
+	// and updates to other unstopped containers in response.
+	CreateContainer(*api.PodSandbox, *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error)
+}
+
+// StartContainerInterface handles StartContainer API requests.
+type StartContainerInterface interface {
+	// StartContainer relays a StartContainer event to the plugin.
+	StartContainer(*api.PodSandbox, *api.Container) error
+}
+
+// UpdateContainerInterface handles UpdateContainer API requests.
+type UpdateContainerInterface interface {
+	// UpdateContainer relays an UpdateContainer request to the plugin.
+	// The plugin can request updates both to the container being updated
+	// (which then supersedes the original update) and to other unstopped
+	// containers in response.
+	UpdateContainer(*api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error)
+}
+
+// StopContainerInterface handles StopContainer API requests.
+type StopContainerInterface interface {
+	// StopContainer relays a StopContainer request to the plugin.
+	// The plugin can request updates to unstopped containers in response.
+	StopContainer(*api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error)
+}
+
+// RemoveContainerInterface handles RemoveContainer API events.
+type RemoveContainerInterface interface {
+	// RemoveContainer relays a RemoveContainer event to the plugin.
+	RemoveContainer(*api.PodSandbox, *api.Container) error
+}
+
+// PostCreateContainerInterface handles PostCreateContainer API events.
+type PostCreateContainerInterface interface {
+	// PostCreateContainer relays a PostCreateContainer event to the plugin.
+	PostCreateContainer(*api.PodSandbox, *api.Container) error
+}
+
+// PostStartContainerInterface handles PostStartContainer API events.
+type PostStartContainerInterface interface {
+	// PostStartContainer relays a PostStartContainer event to the plugin.
+	PostStartContainer(*api.PodSandbox, *api.Container) error
+}
+
+// PostUpdateContainerInterface handles PostUpdateContainer API events.
+type PostUpdateContainerInterface interface {
+	// PostUpdateContainer relays a PostUpdateContainer event to the plugin.
+	PostUpdateContainer(*api.PodSandbox, *api.Container) error
+}
+
+// Stub is the interface the stub provides for the plugin implementation.
+type Stub interface {
+	// Run the plugin. Starts the plugin then waits for an error or the plugin to stop
+	Run(context.Context) error
+	// Start the plugin.
+	Start(context.Context) error
+	// Stop the plugin.
+	Stop()
+	// Wait for the plugin to stop.
+	Wait()
+
+	// UpdateContainer requests unsolicited updates to containers.
+	UpdateContainers([]*api.ContainerUpdate) ([]*api.ContainerUpdate, error)
+}
+
+const (
+	// Plugin registration timeout.
+	registrationTimeout = 2 * time.Second
+)
+
+var (
+	// Logger for messages generated internally by the stub itself.
+	log = nrilog.Get()
+
+	// Used instead of a nil Context in logging.
+	noCtx = context.TODO()
+)
+
+// EventMask holds a mask of events for plugin subscription.
+type EventMask = api.EventMask
+
+// Option to apply to a plugin during its creation.
+type Option func(*stub) error
+
+// WithOnClose sets a notification function to call if the ttRPC connection goes down.
+func WithOnClose(onClose func()) Option {
+	return func(s *stub) error {
+		s.onClose = onClose
+		return nil
+	}
+}
+
+// WithPluginName sets the name to use in plugin registration.
+func WithPluginName(name string) Option {
+	return func(s *stub) error {
+		if s.name != "" {
+			return fmt.Errorf("plugin name already set (%q)", s.name)
+		}
+		s.name = name
+		return nil
+	}
+}
+
+// WithPluginIdx sets the index to use in plugin registration.
+func WithPluginIdx(idx string) Option {
+	return func(s *stub) error {
+		if s.idx != "" {
+			return fmt.Errorf("plugin ID already set (%q)", s.idx)
+		}
+		s.idx = idx
+		return nil
+	}
+}
+
+// WithSocketPath sets the NRI socket path to connect to.
+func WithSocketPath(path string) Option {
+	return func(s *stub) error {
+		s.socketPath = path
+		return nil
+	}
+}
+
+// WithConnection sets an existing NRI connection to use.
+func WithConnection(conn stdnet.Conn) Option {
+	return func(s *stub) error {
+		s.conn = conn
+		return nil
+	}
+}
+
+// WithDialer sets the dialer to use.
+func WithDialer(d func(string) (stdnet.Conn, error)) Option {
+	return func(s *stub) error {
+		s.dialer = d
+		return nil
+	}
+}
+
+// stub implements Stub.
+type stub struct {
+	sync.Mutex
+	plugin     interface{}
+	handlers   handlers
+	events     api.EventMask
+	name       string
+	idx        string
+	socketPath string
+	dialer     func(string) (stdnet.Conn, error)
+	conn       stdnet.Conn
+	onClose    func()
+	rpcm       multiplex.Mux
+	rpcl       stdnet.Listener
+	rpcs       *ttrpc.Server
+	rpcc       *ttrpc.Client
+	runtime    api.RuntimeService
+	closeOnce  sync.Once
+	started    bool
+	doneC      chan struct{}
+	srvErrC    chan error
+	cfgErrC    chan error
+}
+
+// Handlers for NRI plugin event and request.
+type handlers struct {
+	Configure           func(string, string, string) (api.EventMask, error)
+	Synchronize         func([]*api.PodSandbox, []*api.Container) ([]*api.ContainerUpdate, error)
+	Shutdown            func(*api.ShutdownRequest)
+	RunPodSandbox       func(*api.PodSandbox) error
+	StopPodSandbox      func(*api.PodSandbox) error
+	RemovePodSandbox    func(*api.PodSandbox) error
+	CreateContainer     func(*api.PodSandbox, *api.Container) (*api.ContainerAdjustment, []*api.ContainerUpdate, error)
+	StartContainer      func(*api.PodSandbox, *api.Container) error
+	UpdateContainer     func(*api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error)
+	StopContainer       func(*api.PodSandbox, *api.Container) ([]*api.ContainerUpdate, error)
+	RemoveContainer     func(*api.PodSandbox, *api.Container) error
+	PostCreateContainer func(*api.PodSandbox, *api.Container) error
+	PostStartContainer  func(*api.PodSandbox, *api.Container) error
+	PostUpdateContainer func(*api.PodSandbox, *api.Container) error
+}
+
+// New creates a stub with the given plugin and options.
+func New(p interface{}, opts ...Option) (Stub, error) {
+	stub := &stub{
+		plugin:     p,
+		name:       os.Getenv(api.PluginNameEnvVar),
+		idx:        os.Getenv(api.PluginIdxEnvVar),
+		socketPath: api.DefaultSocketPath,
+		dialer:     func(p string) (stdnet.Conn, error) { return stdnet.Dial("unix", p) },
+		doneC:      make(chan struct{}),
+	}
+
+	for _, o := range opts {
+		if err := o(stub); err != nil {
+			return nil, err
+		}
+	}
+
+	if err := stub.setupHandlers(); err != nil {
+		return nil, err
+	}
+
+	if err := stub.getIdentity(); err != nil {
+		return nil, err
+	}
+
+	log.Infof(noCtx, "Created plugin %s (%s, handles %s)", stub.Name(),
+		filepath.Base(os.Args[0]), stub.events.PrettyString())
+
+	return stub, nil
+}
+
+// Start event processing, register to NRI and wait for getting configured.
+func (stub *stub) Start(ctx context.Context) (retErr error) {
+	stub.Lock()
+	defer stub.Unlock()
+
+	if stub.started {
+		return fmt.Errorf("stub already started")
+	}
+	stub.started = true
+
+	err := stub.connect()
+	if err != nil {
+		return err
+	}
+
+	rpcm := multiplex.Multiplex(stub.conn)
+	defer func() {
+		if retErr != nil {
+			rpcm.Close()
+			stub.rpcm = nil
+		}
+	}()
+
+	rpcl, err := rpcm.Listen(multiplex.PluginServiceConn)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if retErr != nil {
+			rpcl.Close()
+			stub.rpcl = nil
+		}
+	}()
+
+	rpcs, err := ttrpc.NewServer()
+	if err != nil {
+		return fmt.Errorf("failed to create ttrpc server: %w", err)
+	}
+	defer func() {
+		if retErr != nil {
+			rpcs.Close()
+			stub.rpcs = nil
+		}
+	}()
+
+	api.RegisterPluginService(rpcs, stub)
+
+	conn, err := rpcm.Open(multiplex.RuntimeServiceConn)
+	if err != nil {
+		return fmt.Errorf("failed to multiplex ttrpc client connection: %w", err)
+	}
+	rpcc := ttrpc.NewClient(conn,
+		ttrpc.WithOnClose(func() {
+			stub.connClosed()
+		}),
+	)
+	defer func() {
+		if retErr != nil {
+			rpcc.Close()
+			stub.rpcc = nil
+		}
+	}()
+
+	stub.srvErrC = make(chan error, 1)
+	stub.cfgErrC = make(chan error, 1)
+	go func() {
+		stub.srvErrC <- rpcs.Serve(ctx, rpcl)
+		close(stub.doneC)
+	}()
+
+	stub.rpcm = rpcm
+	stub.rpcl = rpcl
+	stub.rpcs = rpcs
+	stub.rpcc = rpcc
+
+	stub.runtime = api.NewRuntimeClient(rpcc)
+
+	if err = stub.register(ctx); err != nil {
+		stub.close()
+		return err
+	}
+
+	if err = <-stub.cfgErrC; err != nil {
+		return err
+	}
+
+	log.Infof(ctx, "Started plugin %s...", stub.Name())
+
+	return nil
+}
+
+// Stop the plugin.
+func (stub *stub) Stop() {
+	log.Infof(noCtx, "Stopping plugin %s...", stub.Name())
+
+	stub.Lock()
+	defer stub.Unlock()
+	stub.close()
+}
+
+func (stub *stub) close() {
+	stub.closeOnce.Do(func() {
+		if stub.rpcl != nil {
+			stub.rpcl.Close()
+		}
+		if stub.rpcs != nil {
+			stub.rpcs.Close()
+		}
+		if stub.rpcc != nil {
+			stub.rpcc.Close()
+		}
+		if stub.rpcm != nil {
+			stub.rpcm.Close()
+		}
+		if stub.srvErrC != nil {
+			<-stub.doneC
+		}
+	})
+}
+
+// Run the plugin. Start event processing then wait for an error or getting stopped.
+func (stub *stub) Run(ctx context.Context) error {
+	var err error
+
+	if err = stub.Start(ctx); err != nil {
+		return err
+	}
+
+	err = <-stub.srvErrC
+	if err == ttrpc.ErrServerClosed {
+		return nil
+	}
+
+	return err
+}
+
+// Wait for the plugin to stop.
+func (stub *stub) Wait() {
+	stub.Lock()
+	if stub.srvErrC == nil {
+		return
+	}
+	stub.Unlock()
+	<-stub.doneC
+}
+
+// Name returns the full indexed name of the plugin.
+func (stub *stub) Name() string {
+	return stub.idx + "-" + stub.name
+}
+
+// Connect the plugin to NRI.
+func (stub *stub) connect() error {
+	if stub.conn != nil {
+		log.Infof(noCtx, "Using given plugin connection...")
+		return nil
+	}
+
+	if env := os.Getenv(api.PluginSocketEnvVar); env != "" {
+		log.Infof(noCtx, "Using connection %q from environment...", env)
+
+		fd, err := strconv.Atoi(env)
+		if err != nil {
+			return fmt.Errorf("invalid socket in environment (%s=%q): %w",
+				api.PluginSocketEnvVar, env, err)
+		}
+
+		stub.conn, err = net.NewFdConn(fd)
+		if err != nil {
+			return fmt.Errorf("invalid socket (%d) in environment: %w", fd, err)
+		}
+
+		return nil
+	}
+
+	conn, err := stub.dialer(stub.socketPath)
+	if err != nil {
+		return fmt.Errorf("failed to connect to NRI service: %w", err)
+	}
+
+	stub.conn = conn
+
+	return nil
+}
+
+// Register the plugin with NRI.
+func (stub *stub) register(ctx context.Context) error {
+	log.Infof(ctx, "Registering plugin %s...", stub.Name())
+
+	ctx, cancel := context.WithTimeout(ctx, registrationTimeout)
+	defer cancel()
+
+	req := &api.RegisterPluginRequest{
+		PluginName: stub.name,
+		PluginIdx:  stub.idx,
+	}
+	if _, err := stub.runtime.RegisterPlugin(ctx, req); err != nil {
+		return fmt.Errorf("failed to register with NRI/Runtime: %w", err)
+	}
+
+	return nil
+}
+
+// Handle a lost connection.
+func (stub *stub) connClosed() {
+	stub.close()
+	if stub.onClose != nil {
+		stub.onClose()
+		return
+	}
+
+	os.Exit(0)
+}
+
+//
+// plugin event and request handlers
+//
+
+// UpdateContainers requests unsolicited updates to containers.
+func (stub *stub) UpdateContainers(update []*api.ContainerUpdate) ([]*api.ContainerUpdate, error) {
+	ctx := context.Background()
+	req := &api.UpdateContainersRequest{
+		Update: update,
+	}
+	rpl, err := stub.runtime.UpdateContainers(ctx, req)
+	if rpl != nil {
+		return rpl.Failed, err
+	}
+	return nil, err
+}
+
+// Configure the plugin.
+func (stub *stub) Configure(ctx context.Context, req *api.ConfigureRequest) (rpl *api.ConfigureResponse, retErr error) {
+	var (
+		events api.EventMask
+		err    error
+	)
+
+	log.Infof(ctx, "Configuring plugin %s for runtime %s/%s...", stub.Name(),
+		req.RuntimeName, req.RuntimeVersion)
+
+	defer func() {
+		stub.cfgErrC <- retErr
+	}()
+
+	if handler := stub.handlers.Configure; handler == nil {
+		events = stub.events
+	} else {
+		events, err = handler(req.Config, req.RuntimeName, req.RuntimeVersion)
+		if err != nil {
+			log.Errorf(ctx, "Plugin configuration failed: %v", err)
+			return nil, err
+		}
+
+		if events == 0 {
+			events = stub.events
+		}
+
+		// Only allow plugins to subscribe to events they can handle.
+		if extra := events & ^stub.events; extra != 0 {
+			log.Errorf(ctx, "Plugin subscribed for unhandled events %s (0x%x)",
+				extra.PrettyString(), extra)
+			return nil, fmt.Errorf("internal error: unhandled events %s (0x%x)",
+				extra.PrettyString(), extra)
+		}
+
+		log.Infof(ctx, "Subscribing plugin %s (%s) for events %s", stub.Name(),
+			filepath.Base(os.Args[0]), events.PrettyString())
+	}
+
+	return &api.ConfigureResponse{
+		Events: int32(events),
+	}, nil
+}
+
+// Synchronize the state of the plugin with the runtime.
+func (stub *stub) Synchronize(ctx context.Context, req *api.SynchronizeRequest) (*api.SynchronizeResponse, error) {
+	handler := stub.handlers.Synchronize
+	if handler == nil {
+		return &api.SynchronizeResponse{}, nil
+	}
+	update, err := handler(req.Pods, req.Containers)
+	return &api.SynchronizeResponse{
+		Update: update,
+	}, err
+}
+
+// Shutdown the plugin.
+func (stub *stub) Shutdown(ctx context.Context, req *api.ShutdownRequest) (*api.ShutdownResponse, error) {
+	handler := stub.handlers.Shutdown
+	if handler != nil {
+		handler(req)
+	}
+	return &api.ShutdownResponse{}, nil
+}
+
+// CreateContainer request handler.
+func (stub *stub) CreateContainer(ctx context.Context, req *api.CreateContainerRequest) (*api.CreateContainerResponse, error) {
+	handler := stub.handlers.CreateContainer
+	if handler == nil {
+		return nil, nil
+	}
+	adjust, update, err := handler(req.Pod, req.Container)
+	return &api.CreateContainerResponse{
+		Adjust: adjust,
+		Update: update,
+	}, err
+}
+
+// UpdateContainer request handler.
+func (stub *stub) UpdateContainer(ctx context.Context, req *api.UpdateContainerRequest) (*api.UpdateContainerResponse, error) {
+	handler := stub.handlers.UpdateContainer
+	if handler == nil {
+		return nil, nil
+	}
+	update, err := handler(req.Pod, req.Container)
+	return &api.UpdateContainerResponse{
+		Update: update,
+	}, err
+}
+
+// StopContainer request handler.
+func (stub *stub) StopContainer(ctx context.Context, req *api.StopContainerRequest) (*api.StopContainerResponse, error) {
+	handler := stub.handlers.StopContainer
+	if handler == nil {
+		return nil, nil
+	}
+	update, err := handler(req.Pod, req.Container)
+	return &api.StopContainerResponse{
+		Update: update,
+	}, err
+}
+
+// StateChange event handler.
+func (stub *stub) StateChange(ctx context.Context, evt *api.StateChangeEvent) (*api.Empty, error) {
+	var err error
+	switch evt.Event {
+	case api.Event_RUN_POD_SANDBOX:
+		if handler := stub.handlers.RunPodSandbox; handler != nil {
+			err = handler(evt.Pod)
+		}
+	case api.Event_STOP_POD_SANDBOX:
+		if handler := stub.handlers.StopPodSandbox; handler != nil {
+			err = handler(evt.Pod)
+		}
+	case api.Event_REMOVE_POD_SANDBOX:
+		if handler := stub.handlers.RemovePodSandbox; handler != nil {
+			err = handler(evt.Pod)
+		}
+	case api.Event_POST_CREATE_CONTAINER:
+		if handler := stub.handlers.PostCreateContainer; handler != nil {
+			err = handler(evt.Pod, evt.Container)
+		}
+	case api.Event_START_CONTAINER:
+		if handler := stub.handlers.StartContainer; handler != nil {
+			err = handler(evt.Pod, evt.Container)
+		}
+	case api.Event_POST_START_CONTAINER:
+		if handler := stub.handlers.PostStartContainer; handler != nil {
+			err = handler(evt.Pod, evt.Container)
+		}
+	case api.Event_POST_UPDATE_CONTAINER:
+		if handler := stub.handlers.PostUpdateContainer; handler != nil {
+			err = handler(evt.Pod, evt.Container)
+		}
+	case api.Event_REMOVE_CONTAINER:
+		if handler := stub.handlers.RemoveContainer; handler != nil {
+			err = handler(evt.Pod, evt.Container)
+		}
+	}
+
+	return &api.StateChangeResponse{}, err
+}
+
+// getIdentity gets plugin index and name from the binary if those are unset.
+func (stub *stub) getIdentity() error {
+	if stub.idx != "" && stub.name != "" {
+		return nil
+	}
+
+	if stub.idx != "" {
+		stub.name = filepath.Base(os.Args[0])
+		return nil
+	}
+
+	idx, name, err := api.ParsePluginName(filepath.Base(os.Args[0]))
+	if err != nil {
+		return err
+	}
+
+	stub.name = name
+	stub.idx = idx
+
+	return nil
+}
+
+// Set up event handlers and the subscription mask for the plugin.
+func (stub *stub) setupHandlers() error {
+	if plugin, ok := stub.plugin.(ConfigureInterface); ok {
+		stub.handlers.Configure = plugin.Configure
+	}
+	if plugin, ok := stub.plugin.(SynchronizeInterface); ok {
+		stub.handlers.Synchronize = plugin.Synchronize
+	}
+	if plugin, ok := stub.plugin.(ShutdownInterface); ok {
+		stub.handlers.Shutdown = plugin.Shutdown
+	}
+
+	if plugin, ok := stub.plugin.(RunPodInterface); ok {
+		stub.handlers.RunPodSandbox = plugin.RunPodSandbox
+		stub.events.Set(api.Event_RUN_POD_SANDBOX)
+	}
+	if plugin, ok := stub.plugin.(StopPodInterface); ok {
+		stub.handlers.StopPodSandbox = plugin.StopPodSandbox
+		stub.events.Set(api.Event_STOP_POD_SANDBOX)
+	}
+	if plugin, ok := stub.plugin.(RemovePodInterface); ok {
+		stub.handlers.RemovePodSandbox = plugin.RemovePodSandbox
+		stub.events.Set(api.Event_REMOVE_POD_SANDBOX)
+	}
+	if plugin, ok := stub.plugin.(CreateContainerInterface); ok {
+		stub.handlers.CreateContainer = plugin.CreateContainer
+		stub.events.Set(api.Event_CREATE_CONTAINER)
+	}
+	if plugin, ok := stub.plugin.(StartContainerInterface); ok {
+		stub.handlers.StartContainer = plugin.StartContainer
+		stub.events.Set(api.Event_START_CONTAINER)
+	}
+	if plugin, ok := stub.plugin.(UpdateContainerInterface); ok {
+		stub.handlers.UpdateContainer = plugin.UpdateContainer
+		stub.events.Set(api.Event_UPDATE_CONTAINER)
+	}
+	if plugin, ok := stub.plugin.(StopContainerInterface); ok {
+		stub.handlers.StopContainer = plugin.StopContainer
+		stub.events.Set(api.Event_STOP_CONTAINER)
+	}
+	if plugin, ok := stub.plugin.(RemoveContainerInterface); ok {
+		stub.handlers.RemoveContainer = plugin.RemoveContainer
+		stub.events.Set(api.Event_REMOVE_CONTAINER)
+	}
+	if plugin, ok := stub.plugin.(PostCreateContainerInterface); ok {
+		stub.handlers.PostCreateContainer = plugin.PostCreateContainer
+		stub.events.Set(api.Event_POST_CREATE_CONTAINER)
+	}
+	if plugin, ok := stub.plugin.(PostStartContainerInterface); ok {
+		stub.handlers.PostStartContainer = plugin.PostStartContainer
+		stub.events.Set(api.Event_POST_START_CONTAINER)
+	}
+	if plugin, ok := stub.plugin.(PostUpdateContainerInterface); ok {
+		stub.handlers.PostUpdateContainer = plugin.PostUpdateContainer
+		stub.events.Set(api.Event_POST_UPDATE_CONTAINER)
+	}
+
+	if stub.events == 0 {
+		return fmt.Errorf("internal error: plugin %T does not implement any NRI request handlers",
+			stub.plugin)
+	}
+
+	return nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 722f7abb0..2bd131842 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -135,6 +135,7 @@ github.com/containerd/nri/pkg/log
 github.com/containerd/nri/pkg/net
 github.com/containerd/nri/pkg/net/multiplex
 github.com/containerd/nri/pkg/runtime-tools/generate
+github.com/containerd/nri/pkg/stub
 github.com/containerd/nri/types/v1
 # github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3
 ## explicit; go 1.13