From 3f2058aba29c1e30c9daaadea54b0035811ce318 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Date: Mon, 29 Jul 2024 20:41:22 +0400
Subject: [PATCH] fix: update containerd configuration and settings

Provide `XDG_RUNTIME_DIR` environment variable, this specifically fixes
the `kubectl exec` action when `/tmp` is filled up.

Update containerd configuration to version 3 and fix it up.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
---
 hack/containerd.toml                                   |  4 +++-
 hack/cri-containerd.toml                               |  2 +-
 hack/cri-plugin.part                                   |  7 +++----
 .../app/machined/pkg/system/services/containerd.go     |  7 ++++++-
 internal/app/machined/pkg/system/services/cri.go       |  7 ++++++-
 internal/app/machined/pkg/system/services/udevd.go     |  5 +++++
 internal/pkg/containers/cri/containerd/config.go       |  2 +-
 .../pkg/containers/cri/containerd/testdata/cri.toml    | 10 +++++-----
 .../v1.8/talos-guides/configuration/containerd.md      |  4 ++--
 .../configuration/nvidia-gpu-proprietary.md            |  4 ++--
 .../v1.8/talos-guides/configuration/nvidia-gpu.md      |  4 ++--
 11 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/hack/containerd.toml b/hack/containerd.toml
index 68aa8efee5..cf9dc8ee95 100644
--- a/hack/containerd.toml
+++ b/hack/containerd.toml
@@ -1,7 +1,9 @@
-version = 2
+version = 3
 
 disabled_plugins = [
     "io.containerd.grpc.v1.cri",
+    "io.containerd.cri.v1.images",
+    "io.containerd.cri.v1.runtime",
     "io.containerd.internal.v1.opt",
     "io.containerd.internal.v1.tracing",
     "io.containerd.nri.v1.nri",
diff --git a/hack/cri-containerd.toml b/hack/cri-containerd.toml
index a7b203815c..11b13933bf 100644
--- a/hack/cri-containerd.toml
+++ b/hack/cri-containerd.toml
@@ -1,4 +1,4 @@
-version = 2
+version = 3
 
 disabled_plugins = [
     "io.containerd.nri.v1.nri",
diff --git a/hack/cri-plugin.part b/hack/cri-plugin.part
index fbfe254110..b4cbeb0290 100644
--- a/hack/cri-plugin.part
+++ b/hack/cri-plugin.part
@@ -1,5 +1,4 @@
-version = 2
+version = 3
 
-[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-    runtime_type = "io.containerd.runc.v2"
-    discard_unpacked_layers = true
+[plugins."io.containerd.cri.v1.images"]
+  discard_unpacked_layers = true
diff --git a/internal/app/machined/pkg/system/services/containerd.go b/internal/app/machined/pkg/system/services/containerd.go
index 7ca3621611..1185a2c445 100644
--- a/internal/app/machined/pkg/system/services/containerd.go
+++ b/internal/app/machined/pkg/system/services/containerd.go
@@ -104,7 +104,12 @@ func (c *Containerd) Runner(r runtime.Runtime) (runner.Runner, error) {
 		debug,
 		args,
 		runner.WithLoggingManager(r.Logging()),
-		runner.WithEnv(environment.Get(r.Config())),
+		runner.WithEnv(append(
+			environment.Get(r.Config()),
+			// append a default value for XDG_RUNTIME_DIR for the services running on the host
+			// see https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+			"XDG_RUNTIME_DIR=/run",
+		)),
 		runner.WithOOMScoreAdj(-999),
 		runner.WithCgroupPath(constants.CgroupSystemRuntime),
 		runner.WithDroppedCapabilities(constants.DefaultDroppedCapabilities),
diff --git a/internal/app/machined/pkg/system/services/cri.go b/internal/app/machined/pkg/system/services/cri.go
index 4dfcd80d52..bc1cc5517f 100644
--- a/internal/app/machined/pkg/system/services/cri.go
+++ b/internal/app/machined/pkg/system/services/cri.go
@@ -98,7 +98,12 @@ func (c *CRI) Runner(r runtime.Runtime) (runner.Runner, error) {
 		r.Config().Debug(),
 		args,
 		runner.WithLoggingManager(r.Logging()),
-		runner.WithEnv(environment.Get(r.Config())),
+		runner.WithEnv(append(
+			environment.Get(r.Config()),
+			// append a default value for XDG_RUNTIME_DIR for the services running on the host
+			// see https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+			"XDG_RUNTIME_DIR=/run",
+		)),
 		runner.WithOOMScoreAdj(-500),
 		runner.WithCgroupPath(constants.CgroupPodRuntime),
 		runner.WithDroppedCapabilities(constants.DefaultDroppedCapabilities),
diff --git a/internal/app/machined/pkg/system/services/udevd.go b/internal/app/machined/pkg/system/services/udevd.go
index e6cabea4bc..95fee14e1a 100644
--- a/internal/app/machined/pkg/system/services/udevd.go
+++ b/internal/app/machined/pkg/system/services/udevd.go
@@ -85,6 +85,11 @@ func (c *Udevd) Runner(r runtime.Runtime) (runner.Runner, error) {
 		runner.WithLoggingManager(r.Logging()),
 		runner.WithCgroupPath(constants.CgroupUdevd),
 		runner.WithDroppedCapabilities(constants.UdevdDroppedCapabilities),
+		runner.WithEnv([]string{
+			// append a default value for XDG_RUNTIME_DIR for the services running on the host
+			// see https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+			"XDG_RUNTIME_DIR=/run",
+		}),
 	),
 		restart.WithType(restart.Forever),
 	), nil
diff --git a/internal/pkg/containers/cri/containerd/config.go b/internal/pkg/containers/cri/containerd/config.go
index 9c30e9a0b7..9a9e6a5c57 100644
--- a/internal/pkg/containers/cri/containerd/config.go
+++ b/internal/pkg/containers/cri/containerd/config.go
@@ -30,7 +30,7 @@ type CRIConfig struct {
 
 // PluginsConfig represents the CRI plugins config.
 type PluginsConfig struct {
-	CRI CRIConfig `toml:"io.containerd.grpc.v1.cri"`
+	CRI CRIConfig `toml:"io.containerd.cri.v1.images"`
 }
 
 // Config represnts the containerd config.
diff --git a/internal/pkg/containers/cri/containerd/testdata/cri.toml b/internal/pkg/containers/cri/containerd/testdata/cri.toml
index 3edb5da6e5..4c86f9dbd0 100644
--- a/internal/pkg/containers/cri/containerd/testdata/cri.toml
+++ b/internal/pkg/containers/cri/containerd/testdata/cri.toml
@@ -1,11 +1,11 @@
 [plugins]
-  [plugins.'io.containerd.grpc.v1.cri']
-    [plugins.'io.containerd.grpc.v1.cri'.registry]
+  [plugins.'io.containerd.cri.v1.images']
+    [plugins.'io.containerd.cri.v1.images'.registry]
       config_path = '/etc/cri/conf.d/hosts'
 
-      [plugins.'io.containerd.grpc.v1.cri'.registry.configs]
-        [plugins.'io.containerd.grpc.v1.cri'.registry.configs.'some.host:123']
-          [plugins.'io.containerd.grpc.v1.cri'.registry.configs.'some.host:123'.auth]
+      [plugins.'io.containerd.cri.v1.images'.registry.configs]
+        [plugins.'io.containerd.cri.v1.images'.registry.configs.'some.host:123']
+          [plugins.'io.containerd.cri.v1.images'.registry.configs.'some.host:123'.auth]
             username = 'root'
             password = 'secret'
             auth = 'auth'
diff --git a/website/content/v1.8/talos-guides/configuration/containerd.md b/website/content/v1.8/talos-guides/configuration/containerd.md
index cf4fbf747c..f1e89fcc6c 100644
--- a/website/content/v1.8/talos-guides/configuration/containerd.md
+++ b/website/content/v1.8/talos-guides/configuration/containerd.md
@@ -45,8 +45,8 @@ machine:
   files:
     - content: |
         [plugins]
-          [plugins."io.containerd.grpc.v1.cri"]
-            sandbox_image = "registry.k8s.io/pause:3.8"
+          [plugins."io.containerd.cri.v1.images".pinned_images]
+            sandbox = "registry.k8s.io/pause:3.8"
       path: /etc/cri/conf.d/20-customization.part
       op: create
 ```
diff --git a/website/content/v1.8/talos-guides/configuration/nvidia-gpu-proprietary.md b/website/content/v1.8/talos-guides/configuration/nvidia-gpu-proprietary.md
index 4ff5017d21..70c2fde2b8 100644
--- a/website/content/v1.8/talos-guides/configuration/nvidia-gpu-proprietary.md
+++ b/website/content/v1.8/talos-guides/configuration/nvidia-gpu-proprietary.md
@@ -117,8 +117,8 @@ Create a patch yaml `nvidia-default-runtimeclass.yaml` to update the machine con
   value:
     - content: |
         [plugins]
-          [plugins."io.containerd.grpc.v1.cri"]
-            [plugins."io.containerd.grpc.v1.cri".containerd]
+          [plugins."io.containerd.cri.v1.runtime"]
+            [plugins."io.containerd.cri.v1.runtime".containerd]
               default_runtime_name = "nvidia"
       path: /etc/cri/conf.d/20-customization.part
       op: create
diff --git a/website/content/v1.8/talos-guides/configuration/nvidia-gpu.md b/website/content/v1.8/talos-guides/configuration/nvidia-gpu.md
index 7f252a1c6f..f4b8caeb30 100644
--- a/website/content/v1.8/talos-guides/configuration/nvidia-gpu.md
+++ b/website/content/v1.8/talos-guides/configuration/nvidia-gpu.md
@@ -116,8 +116,8 @@ Create a patch yaml `nvidia-default-runtimeclass.yaml` to update the machine con
   value:
     - content: |
         [plugins]
-          [plugins."io.containerd.grpc.v1.cri"]
-            [plugins."io.containerd.grpc.v1.cri".containerd]
+          [plugins."plugins."io.containerd.cri.v1.runtime"]
+            [plugins."io.containerd.cri.v1.runtime".containerd]
               default_runtime_name = "nvidia"
       path: /etc/cri/conf.d/20-customization.part
       op: create