Support CRI configuration to allow for request-time rewrite rules
applicable only to the repository portion of resource paths when pulling
images. Because the rewrites are applied at request time, images
themselves will not be "rewritten" -- images as stored by CRI (and the
underlying containerd facility) will continue to present as normal.
As an example, if you use the following config for your containerd:
```toml
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io/v2"]
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io".rewrite]
            "^library/(.*)" = "my-org/$1"
```
And then subsequently invoke `crictl pull alpine:3.13` it will pull
content from `docker.io/my-org/alpine:3.13` but still show up as
`docker.io/library/alpine:3.13` in the `crictl images` listing.
This commit has been reworked from the original implementation. Rewrites
are now done when resolving instead of when building the request, so
that auth token scopes stored in the context properly reflect the
rewritten repository path. For the original implementation, see
06c4ea9baec2b278b8172a789bf601168292f645.
Ref: https://github.com/k3s-io/k3s/issues/11191#issuecomment-2455525773
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
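The following is an added illustration of the rewrite semantics described in the commit above; it is not containerd's code. It applies the `"^library/(.*)" = "my-org/$1"` rule from the example config to the repository portion of a reference only, leaving the registry host and the tag or digest untouched, so a rule cannot redirect a pull to a different registry host. The first-matching-rule-wins ordering and the `RewriteReference`/`splitReference` names are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RewriteRule mirrors one key/value pair of the [...rewrite] table:
// the key is a regular expression matched against the repository part of
// a reference, the value is its replacement (with $1-style groups).
type RewriteRule struct {
	Pattern     *regexp.Regexp
	Replacement string
}

// NewRule compiles a config key/value pair; it panics on a bad pattern.
func NewRule(pattern, replacement string) RewriteRule {
	return RewriteRule{Pattern: regexp.MustCompile(pattern), Replacement: replacement}
}

// splitReference separates host, repository and tag/digest suffix of a
// fully qualified reference such as docker.io/library/alpine:3.13.
func splitReference(ref string) (host, repo, suffix string) {
	host, rest, ok := strings.Cut(ref, "/")
	if !ok {
		return "", ref, ""
	}
	if i := strings.Index(rest, "@"); i >= 0 { // digest, if any, comes last
		suffix, rest = rest[i:], rest[:i]
	}
	if i := strings.LastIndex(rest, ":"); i > strings.LastIndex(rest, "/") {
		suffix, rest = rest[i:]+suffix, rest[:i] // tag sits after the last "/"
	}
	return host, rest, suffix
}

// RewriteReference applies the first matching rule to the repository part
// only (assumption: first match wins) and reassembles the reference.
func RewriteReference(rules []RewriteRule, ref string) string {
	host, repo, suffix := splitReference(ref)
	for _, r := range rules {
		if r.Pattern.MatchString(repo) {
			repo = r.Pattern.ReplaceAllString(repo, r.Replacement)
			break
		}
	}
	if host == "" {
		return repo + suffix
	}
	return host + "/" + repo + suffix
}

func main() {
	rules := []RewriteRule{NewRule(`^library/(.*)`, "my-org/$1")}
	fmt.Println(RewriteReference(rules, "docker.io/library/alpine:3.13"))
}
```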
Don't produce `reference for unknown type: application/vnd.in-toto+json`
warning logs when pushing/fetching an image containing the attestation
manifests.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Before this patch, calling `image.Children` on an image built with
BuildKit would produce unnecessary `encountered unknown type
application/vnd.in-toto+json; children may not be fetched` debug logs,
because the media type is neither a known layer nor config type.
Make the `image.Children` aware of the attestation layers and don't
attempt to traverse them.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Fix the gRPC client dialer not using the timeout passed by the
containerd client timeout option.
Commit 63b4688175 replaced the usage of deprecated `grpc.DialContext`
with `grpc.NewClient`.
However, the `dialer.ContextDialer` relied on the context deadline to
propagate the timeout:
388fb336b0/vendor/google.golang.org/grpc/clientconn.go (L216)
This assumption is now broken, because `grpc.NewClient` doesn't do any
initial connection and defers it to the first RPC usage.
This commit passes the timeout via the `MinConnectTimeout` grpc
connection param, which will be applied to **every** connection attempt
(not just the first).
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
- go1.23.7 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, and the reflect,
runtime, and syscall packages. See the Go 1.23.7 milestone on our issue
tracker for details.
- go1.24.1 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, the go command, and
the reflect, runtime, and syscall packages. See the Go 1.24.1 milestone
on our issue tracker for details.
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
We changed the default setting for `enable_unprivileged_ports` and
`enable_unprivileged_icmp` in the CRI plugin in
https://github.com/containerd/containerd/pull/9348, but missed including
this change in the release notes.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
use the shim bundled with cri-cni-containerd tar rather than using
the shim present on the host machine for running e2e
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
The remote content writer proxy already has the capability to break up
large files into multiple writes, but the current API doesn't recognize
when it's about to exceed the limits and attempts to send the data over
grpc in one message instead of breaking it into multiple messages.
This changes the behavior of `Write` to automatically break up the size
of the content based on the max send message size.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
(cherry picked from commit f25f36c334144d87233e06b0de90522ebd97e144)
Previously, PluginInfo was called with task options as the primary
value, resulting in opts.BinaryName being omitted. Consequently, the
containerd-shim-runc-v2 fell back to the system's runc binary in the
PATH rather than the explicitly specified one. This change inverts the
option fallback by preferring runtime options over task options,
ensuring the correct binary is used for the PluginInfo request.
Closes: https://github.com/containerd/containerd/issues/11169
Signed-off-by: Jose Fernandez <josef@netflix.com>
Reviewed-by: Erikson Tung <etung@netflix.com>