Merge pull request #1011 from ktock/cri-v1

Support CRI v1 API

Author: AkihiroSuda

cmd/containerd-stargz-grpc/main.go

@@ -57,7 +57,9 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/backoff"
 	"google.golang.org/grpc/credentials/insecure"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	runtime_alpha "github.com/containerd/containerd/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"github.com/containerd/stargz-snapshotter/service/keychain/crialpha"
 )
 
 const (
@@ -152,28 +154,24 @@ func main() {
 			criAddr = cp
 		}
 		connectCRI := func() (runtime.ImageServiceClient, error) {
-			// TODO: make gRPC options configurable from config.toml
-			backoffConfig := backoff.DefaultConfig
-			backoffConfig.MaxDelay = 3 * time.Second
-			connParams := grpc.ConnectParams{
-				Backoff: backoffConfig,
-			}
-			gopts := []grpc.DialOption{
-				grpc.WithTransportCredentials(insecure.NewCredentials()),
-				grpc.WithConnectParams(connParams),
-				grpc.WithContextDialer(dialer.ContextDialer),
-				grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
-				grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
-			}
-			conn, err := grpc.Dial(dialer.DialAddress(criAddr), gopts...)
+			conn, err := newCRIConn(criAddr)
 			if err != nil {
 				return nil, err
 			}
 			return runtime.NewImageServiceClient(conn), nil
 		}
+		connectAlphaCRI := func() (runtime_alpha.ImageServiceClient, error) {
+			conn, err := newCRIConn(criAddr)
+			if err != nil {
+				return nil, err
+			}
+			return runtime_alpha.NewImageServiceClient(conn), nil
+		}
 		f, criServer := cri.NewCRIKeychain(ctx, connectCRI)
+		fAlpha, criAlphaServer := crialpha.NewCRIAlphaKeychain(ctx, connectAlphaCRI)
 		runtime.RegisterImageServiceServer(rpc, criServer)
-		credsFuncs = append(credsFuncs, f)
+		runtime_alpha.RegisterImageServiceServer(rpc, criAlphaServer)
+		credsFuncs = append(credsFuncs, f, fAlpha)
 	}
 	fsOpts := []fs.Option{fs.WithMetricsLogLevel(logrus.InfoLevel)}
 	if config.IPFS {
@@ -313,3 +311,20 @@ func getMetadataStore(rootDir string, config snapshotterConfig) (metadata.Store,
 			config.MetadataStore, memoryMetadataType, dbMetadataType)
 	}
 }
+
+func newCRIConn(criAddr string) (*grpc.ClientConn, error) {
+	// TODO: make gRPC options configurable from config.toml
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	connParams := grpc.ConnectParams{
+		Backoff: backoffConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
+	}
+	return grpc.Dial(dialer.DialAddress(criAddr), gopts...)
+}

cmd/go.mod

@@ -3,7 +3,7 @@ module github.com/containerd/stargz-snapshotter/cmd
 go 1.16
 
 require (
-	github.com/containerd/containerd v1.6.10
+	github.com/containerd/containerd v1.7.0-beta.0.0.20221118211334-792294ce06bf
 	github.com/containerd/go-cni v1.1.7
 	github.com/containerd/stargz-snapshotter v0.13.0
 	github.com/containerd/stargz-snapshotter/estargz v0.13.0
@@ -16,17 +16,17 @@ require (
 	github.com/ipfs/interface-go-ipfs-core v0.7.0
 	github.com/klauspost/compress v1.15.12
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799
+	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/pelletier/go-toml v1.9.5
 	github.com/rs/xid v1.4.0
 	github.com/sirupsen/logrus v1.9.0
-	github.com/urfave/cli v1.22.5
+	github.com/urfave/cli v1.22.9
 	go.etcd.io/bbolt v1.3.6
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/sync v0.1.0
 	golang.org/x/sys v0.2.0
 	google.golang.org/grpc v1.50.1
-	k8s.io/cri-api v0.26.0-alpha.3
+	k8s.io/cri-api v0.27.0-alpha.0
 )
 
 replace (

cmd/go.sum

@@ -4,33 +4,34 @@ go 1.16
 
 require (
 	github.com/containerd/console v1.0.3
-	github.com/containerd/containerd v1.6.10
+	github.com/containerd/containerd v1.7.0-beta.0.0.20221118211334-792294ce06bf
 	github.com/containerd/continuity v0.3.0
 	github.com/containerd/stargz-snapshotter/estargz v0.13.0
 	github.com/docker/cli v20.10.21+incompatible
 	github.com/docker/docker v20.10.7+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/docker/go-metrics v0.0.1
+	github.com/gogo/protobuf v1.3.2
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/hanwen/go-fuse/v2 v2.1.1-0.20220112183258-f57e95bda82d
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-retryablehttp v0.7.1
 	github.com/klauspost/compress v1.15.12
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799
+	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/prometheus/client_golang v1.14.0
 	github.com/rs/xid v1.4.0
 	github.com/sirupsen/logrus v1.9.0
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/sync v0.1.0
 	golang.org/x/sys v0.2.0
 	google.golang.org/grpc v1.50.1
 	k8s.io/api v0.25.4
 	k8s.io/apimachinery v0.25.4
 	k8s.io/client-go v0.25.4
-	k8s.io/cri-api v0.26.0-alpha.3
+	k8s.io/cri-api v0.27.0-alpha.0
 )
 
 replace (

go.mod

@@ -126,6 +126,15 @@ cat <<EOF >> "${TMP_K3S_REPO}/go.mod"
 replace github.com/containerd/stargz-snapshotter => "$(realpath ${REPO})"
 replace github.com/containerd/stargz-snapshotter/estargz => "$(realpath ${REPO}/estargz)"
 EOF
+
+# k3s doesn't imports the latest version of containerd that includes their own
+# CRI v1alpha API fork (github.com/containerd/containerd/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2).
+# So we bring our own CRI v1alpha API fork in our k3s test.
+#
+# TODO: Once k3s bring contianerd version to newer than 234bf990dca4e81e89f549448aa6b555286eaa7a, we can switch import
+# to github.com/containerd/stargz-snapshotter/service/plugin
+sed -i "s|github.com/containerd/stargz-snapshotter/service/plugin|github.com/containerd/stargz-snapshotter/service/pluginforked|g" "${TMP_K3S_REPO}/pkg/containerd/builtins_linux.go"
+
 sed -i -E 's|(ENV DAPPER_RUN_ARGS .*)|\1 -v '"$(realpath ${REPO})":"$(realpath ${REPO})"':ro|g' "${TMP_K3S_REPO}/Dockerfile.dapper"
 sed -i -E 's|(ENV DAPPER_ENV .*)|\1 DOCKER_BUILDKIT|g' "${TMP_K3S_REPO}/Dockerfile.dapper"
 (

go.sum

@@ -55,6 +55,15 @@ cat <<EOF >> "${TMP_K3S_REPO}/go.mod"
 replace github.com/containerd/stargz-snapshotter => "$(realpath ${REPO})"
 replace github.com/containerd/stargz-snapshotter/estargz => "$(realpath ${REPO}/estargz)"
 EOF
+
+# k3s doesn't imports the latest version of containerd that includes their own
+# CRI v1alpha API fork (github.com/containerd/containerd/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2).
+# So we bring our own CRI v1alpha API fork in our k3s test.
+#
+# TODO: Once k3s bring contianerd version to newer than 234bf990dca4e81e89f549448aa6b555286eaa7a, we can switch import
+# to github.com/containerd/stargz-snapshotter/service/plugin
+sed -i "s|github.com/containerd/stargz-snapshotter/service/plugin|github.com/containerd/stargz-snapshotter/service/pluginforked|g" "${TMP_K3S_REPO}/pkg/containerd/builtins_linux.go"
+
 sed -i -E 's|(ENV DAPPER_RUN_ARGS .*)|\1 -v '"$(realpath ${REPO})":"$(realpath ${REPO})"':ro|g' "${TMP_K3S_REPO}/Dockerfile.dapper"
 sed -i -E 's|(ENV DAPPER_ENV .*)|\1 DOCKER_BUILDKIT|g' "${TMP_K3S_REPO}/Dockerfile.dapper"
 (

script/k3s-argo-workflow/run.sh

@@ -0,0 +1,9 @@
+# Note about importing of `github.com/containerd/stargz-snapshotter/service/plugin`
+
+`github.com/containerd/stargz-snapshotter/service/plugin` registeres our stargz snapshotter plugin to the containerd plugin system.
+This depends on containerd newer than [234bf990dca4e81e89f549448aa6b555286eaa7a](https://github.com/containerd/containerd/commit/234bf990dca4e81e89f549448aa6b555286eaa7a) which contains CRI v1alpha API fork.
+
+If you import this plugin to the tool that imports older version of containerd, import `github.com/containerd/stargz-snapshotter/service/pluginforked` instead.
+This plugin contains our forked CRI v1alpha API.
+
+Once you upgrade containerd to newer than 234bf990dca4e81e89f549448aa6b555286eaa7a, you can't use `github.com/containerd/stargz-snapshotter/service/pluginforked` and protobuf code fails with the error e.g. `proto: duplicate enum registered: runtime.v1alpha2.Protocol`. In this case, use `github.com/containerd/stargz-snapshotter/service/plugin`.

script/k3s/run-k3s.sh

@@ -27,7 +27,7 @@ import (
 	"github.com/containerd/containerd/reference"
 	distribution "github.com/containerd/containerd/reference/docker"
 	"github.com/containerd/stargz-snapshotter/service/resolver"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 )
 
 // NewCRIKeychain provides creds passed through CRI PullImage API.

service/README.md

@@ -0,0 +1,170 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package crialpha
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/reference"
+	distribution "github.com/containerd/containerd/reference/docker"
+	"github.com/containerd/stargz-snapshotter/service/resolver"
+
+	runtime_alpha "github.com/containerd/containerd/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
+)
+
+// containerd newer than 234bf990dca4e81e89f549448aa6b555286eaa7a is required for this plugin.
+// If not, use "github.com/containerd/stargz-snapshotter/service/keychain/crialphaforked" instead.
+
+// NewAlphaCRIKeychain provides creds passed through CRI PullImage API.
+// Same as NewCRIKeychain but for CRI v1alpha API.
+// Containerd doesn't drop v1alpha API support so our proxy also exposes this API as well.
+func NewCRIAlphaKeychain(ctx context.Context, connectCRI func() (runtime_alpha.ImageServiceClient, error)) (resolver.Credential, runtime_alpha.ImageServiceServer) {
+	server := &instrumentedAlphaService{config: make(map[string]*runtime_alpha.AuthConfig)}
+	go func() {
+		log.G(ctx).Debugf("Waiting for CRI service is started...")
+		for i := 0; i < 100; i++ {
+			client, err := connectCRI()
+			if err == nil {
+				server.criMu.Lock()
+				server.cri = client
+				server.criMu.Unlock()
+				log.G(ctx).Info("connected to backend CRI service")
+				return
+			}
+			log.G(ctx).WithError(err).Warnf("failed to connect to CRI")
+			time.Sleep(10 * time.Second)
+		}
+		log.G(ctx).Warnf("no connection is available to CRI")
+	}()
+	return server.credentials, server
+}
+
+type instrumentedAlphaService struct {
+	cri   runtime_alpha.ImageServiceClient
+	criMu sync.Mutex
+
+	config   map[string]*runtime_alpha.AuthConfig
+	configMu sync.Mutex
+}
+
+func (in *instrumentedAlphaService) credentials(host string, refspec reference.Spec) (string, string, error) {
+	if host == "docker.io" || host == "registry-1.docker.io" {
+		// Creds of "docker.io" is stored keyed by "https://index.docker.io/v1/".
+		host = "index.docker.io"
+	}
+	in.configMu.Lock()
+	defer in.configMu.Unlock()
+	if cfg, ok := in.config[refspec.String()]; ok {
+		var v1cfg runtime.AuthConfig
+		if err := alphaReqToV1Req(cfg, &v1cfg); err != nil {
+			return "", "", err
+		}
+		return resolver.ParseAuth(&v1cfg, host)
+	}
+	return "", "", nil
+}
+
+func (in *instrumentedAlphaService) getCRI() (c runtime_alpha.ImageServiceClient) {
+	in.criMu.Lock()
+	c = in.cri
+	in.criMu.Unlock()
+	return
+}
+
+func (in *instrumentedAlphaService) ListImages(ctx context.Context, r *runtime_alpha.ListImagesRequest) (res *runtime_alpha.ListImagesResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	return cri.ListImages(ctx, r)
+}
+
+func (in *instrumentedAlphaService) ImageStatus(ctx context.Context, r *runtime_alpha.ImageStatusRequest) (res *runtime_alpha.ImageStatusResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	return cri.ImageStatus(ctx, r)
+}
+
+func (in *instrumentedAlphaService) PullImage(ctx context.Context, r *runtime_alpha.PullImageRequest) (res *runtime_alpha.PullImageResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	refspec, err := parseReference(r.GetImage().GetImage())
+	if err != nil {
+		return nil, err
+	}
+	in.configMu.Lock()
+	in.config[refspec.String()] = r.GetAuth()
+	in.configMu.Unlock()
+	return cri.PullImage(ctx, r)
+}
+
+func (in *instrumentedAlphaService) RemoveImage(ctx context.Context, r *runtime_alpha.RemoveImageRequest) (_ *runtime_alpha.RemoveImageResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	refspec, err := parseReference(r.GetImage().GetImage())
+	if err != nil {
+		return nil, err
+	}
+	in.configMu.Lock()
+	delete(in.config, refspec.String())
+	in.configMu.Unlock()
+	return cri.RemoveImage(ctx, r)
+}
+
+func (in *instrumentedAlphaService) ImageFsInfo(ctx context.Context, r *runtime_alpha.ImageFsInfoRequest) (res *runtime_alpha.ImageFsInfoResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	return cri.ImageFsInfo(ctx, r)
+}
+
+// NOTE: Ported from https://github.com/containerd/containerd/blob/792294ce06bfbd1fe07b458bfa066e6ef8b17046/pkg/cri/server/instrumented_service.go#L1704-L1717
+func alphaReqToV1Req(
+	alphar interface{ Marshal() ([]byte, error) },
+	v1r interface{ Unmarshal(_ []byte) error },
+) error {
+	p, err := alphar.Marshal()
+	if err != nil {
+		return err
+	}
+
+	if err = v1r.Unmarshal(p); err != nil {
+		return err
+	}
+	return nil
+}
+
+func parseReference(ref string) (reference.Spec, error) {
+	namedRef, err := distribution.ParseDockerRef(ref)
+	if err != nil {
+		return reference.Spec{}, fmt.Errorf("failed to parse image reference %q: %w", ref, err)
+	}
+	return reference.Parse(namedRef.String())
+}

service/keychain/cri/cri.go

@@ -0,0 +1,171 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package crialphaforked
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/reference"
+	distribution "github.com/containerd/containerd/reference/docker"
+	"github.com/containerd/stargz-snapshotter/service/resolver"
+
+	// We have our own fork to enable to be imported to tools that don't import the recent commit of containerd (e.g. k3s).
+	runtime_alpha "github.com/containerd/stargz-snapshotter/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
+)
+
+// This plugin provides the forked CRI v1alpha API. This should be used if this plugin is imported to tools that
+// doesn't import containerd newer than 234bf990dca4e81e89f549448aa6b555286eaa7a.
+
+// NewAlphaCRIKeychain provides creds passed through CRI PullImage API.
+// Same as NewCRIKeychain but for CRI v1alpha API.
+// Containerd doesn't drop v1alpha API support so our proxy also exposes this API as well.
+func NewCRIAlphaKeychain(ctx context.Context, connectCRI func() (runtime_alpha.ImageServiceClient, error)) (resolver.Credential, runtime_alpha.ImageServiceServer) {
+	server := &instrumentedAlphaService{config: make(map[string]*runtime_alpha.AuthConfig)}
+	go func() {
+		log.G(ctx).Debugf("Waiting for CRI service is started...")
+		for i := 0; i < 100; i++ {
+			client, err := connectCRI()
+			if err == nil {
+				server.criMu.Lock()
+				server.cri = client
+				server.criMu.Unlock()
+				log.G(ctx).Info("connected to backend CRI service")
+				return
+			}
+			log.G(ctx).WithError(err).Warnf("failed to connect to CRI")
+			time.Sleep(10 * time.Second)
+		}
+		log.G(ctx).Warnf("no connection is available to CRI")
+	}()
+	return server.credentials, server
+}
+
+type instrumentedAlphaService struct {
+	cri   runtime_alpha.ImageServiceClient
+	criMu sync.Mutex
+
+	config   map[string]*runtime_alpha.AuthConfig
+	configMu sync.Mutex
+}
+
+func (in *instrumentedAlphaService) credentials(host string, refspec reference.Spec) (string, string, error) {
+	if host == "docker.io" || host == "registry-1.docker.io" {
+		// Creds of "docker.io" is stored keyed by "https://index.docker.io/v1/".
+		host = "index.docker.io"
+	}
+	in.configMu.Lock()
+	defer in.configMu.Unlock()
+	if cfg, ok := in.config[refspec.String()]; ok {
+		var v1cfg runtime.AuthConfig
+		if err := alphaReqToV1Req(cfg, &v1cfg); err != nil {
+			return "", "", err
+		}
+		return resolver.ParseAuth(&v1cfg, host)
+	}
+	return "", "", nil
+}
+
+func (in *instrumentedAlphaService) getCRI() (c runtime_alpha.ImageServiceClient) {
+	in.criMu.Lock()
+	c = in.cri
+	in.criMu.Unlock()
+	return
+}
+
+func (in *instrumentedAlphaService) ListImages(ctx context.Context, r *runtime_alpha.ListImagesRequest) (res *runtime_alpha.ListImagesResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	return cri.ListImages(ctx, r)
+}
+
+func (in *instrumentedAlphaService) ImageStatus(ctx context.Context, r *runtime_alpha.ImageStatusRequest) (res *runtime_alpha.ImageStatusResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	return cri.ImageStatus(ctx, r)
+}
+
+func (in *instrumentedAlphaService) PullImage(ctx context.Context, r *runtime_alpha.PullImageRequest) (res *runtime_alpha.PullImageResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	refspec, err := parseReference(r.GetImage().GetImage())
+	if err != nil {
+		return nil, err
+	}
+	in.configMu.Lock()
+	in.config[refspec.String()] = r.GetAuth()
+	in.configMu.Unlock()
+	return cri.PullImage(ctx, r)
+}
+
+func (in *instrumentedAlphaService) RemoveImage(ctx context.Context, r *runtime_alpha.RemoveImageRequest) (_ *runtime_alpha.RemoveImageResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	refspec, err := parseReference(r.GetImage().GetImage())
+	if err != nil {
+		return nil, err
+	}
+	in.configMu.Lock()
+	delete(in.config, refspec.String())
+	in.configMu.Unlock()
+	return cri.RemoveImage(ctx, r)
+}
+
+func (in *instrumentedAlphaService) ImageFsInfo(ctx context.Context, r *runtime_alpha.ImageFsInfoRequest) (res *runtime_alpha.ImageFsInfoResponse, err error) {
+	cri := in.getCRI()
+	if cri == nil {
+		return nil, errors.New("server is not initialized yet")
+	}
+	return cri.ImageFsInfo(ctx, r)
+}
+
+// NOTE: Ported from https://github.com/containerd/containerd/blob/792294ce06bfbd1fe07b458bfa066e6ef8b17046/pkg/cri/server/instrumented_service.go#L1704-L1717
+func alphaReqToV1Req(
+	alphar interface{ Marshal() ([]byte, error) },
+	v1r interface{ Unmarshal(_ []byte) error },
+) error {
+	p, err := alphar.Marshal()
+	if err != nil {
+		return err
+	}
+
+	if err = v1r.Unmarshal(p); err != nil {
+		return err
+	}
+	return nil
+}
+
+func parseReference(ref string) (reference.Spec, error) {
+	namedRef, err := distribution.ParseDockerRef(ref)
+	if err != nil {
+		return reference.Spec{}, fmt.Errorf("failed to parse image reference %q: %w", ref, err)
+	}
+	return reference.Parse(namedRef.String())
+}

service/keychain/crialpha/crialpha.go

@@ -17,130 +17,54 @@
 package plugin
 
 import (
-	"errors"
-	"fmt"
-	"net"
-	"os"
-	"path/filepath"
+	"context"
 	"time"
 
 	"github.com/containerd/containerd/defaults"
-	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/pkg/dialer"
-	"github.com/containerd/containerd/platforms"
-	ctdplugin "github.com/containerd/containerd/plugin"
-	"github.com/containerd/stargz-snapshotter/service"
-	"github.com/containerd/stargz-snapshotter/service/keychain/cri"
-	"github.com/containerd/stargz-snapshotter/service/keychain/dockerconfig"
-	"github.com/containerd/stargz-snapshotter/service/keychain/kubeconfig"
-	"github.com/containerd/stargz-snapshotter/service/resolver"
 	grpc "google.golang.org/grpc"
 	"google.golang.org/grpc/backoff"
 	"google.golang.org/grpc/credentials/insecure"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
-)
-
-// Config represents configuration for the stargz snapshotter plugin.
-type Config struct {
-	service.Config
 
-	// RootPath is the directory for the plugin
-	RootPath string `toml:"root_path"`
+	runtime_alpha "github.com/containerd/containerd/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	"github.com/containerd/stargz-snapshotter/service/keychain/crialpha"
+	"github.com/containerd/stargz-snapshotter/service/plugincore"
+	"github.com/containerd/stargz-snapshotter/service/resolver"
+)
 
-	// CRIKeychainImageServicePath is the path to expose CRI service wrapped by CRI keychain
-	CRIKeychainImageServicePath string `toml:"cri_keychain_image_service_path"`
-
-	// Registry is CRI-plugin-compatible registry configuration
-	Registry resolver.Registry `toml:"registry"`
-}
+// This plugin requires containerd newer than 234bf990dca4e81e89f549448aa6b555286eaa7a.
+// If not, use "github.com/containerd/stargz-snapshotter/service/pluginforked" instead.
 
 func init() {
-	ctdplugin.Register(&ctdplugin.Registration{
-		Type:   ctdplugin.SnapshotPlugin,
-		ID:     "stargz",
-		Config: &Config{},
-		InitFn: func(ic *ctdplugin.InitContext) (interface{}, error) {
-			ic.Meta.Platforms = append(ic.Meta.Platforms, platforms.DefaultSpec())
-			ctx := ic.Context
-
-			config, ok := ic.Config.(*Config)
-			if !ok {
-				return nil, errors.New("invalid stargz snapshotter configuration")
-			}
-
-			root := ic.Root
-			if config.RootPath != "" {
-				root = config.RootPath
-			}
-			ic.Meta.Exports["root"] = root
+	plugincore.RegisterPlugin(registerCRIAlphaServer)
+}
 
-			// Configure keychain
-			credsFuncs := []resolver.Credential{dockerconfig.NewDockerconfigKeychain(ctx)}
-			if config.Config.KubeconfigKeychainConfig.EnableKeychain {
-				var opts []kubeconfig.Option
-				if kcp := config.Config.KubeconfigKeychainConfig.KubeconfigPath; kcp != "" {
-					opts = append(opts, kubeconfig.WithKubeconfigPath(kcp))
-				}
-				credsFuncs = append(credsFuncs, kubeconfig.NewKubeconfigKeychain(ctx, opts...))
-			}
-			if addr := config.CRIKeychainImageServicePath; config.Config.CRIKeychainConfig.EnableKeychain && addr != "" {
-				// connects to the backend CRI service (defaults to containerd socket)
-				criAddr := ic.Address
-				if cp := config.Config.CRIKeychainConfig.ImageServicePath; cp != "" {
-					criAddr = cp
-				}
-				if criAddr == "" {
-					return nil, errors.New("backend CRI service address is not specified")
-				}
-				connectCRI := func() (runtime.ImageServiceClient, error) {
-					// TODO: make gRPC options configurable from config.toml
-					backoffConfig := backoff.DefaultConfig
-					backoffConfig.MaxDelay = 3 * time.Second
-					connParams := grpc.ConnectParams{
-						Backoff: backoffConfig,
-					}
-					gopts := []grpc.DialOption{
-						grpc.WithTransportCredentials(insecure.NewCredentials()),
-						grpc.WithConnectParams(connParams),
-						grpc.WithContextDialer(dialer.ContextDialer),
-						grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
-						grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
-					}
-					conn, err := grpc.Dial(dialer.DialAddress(criAddr), gopts...)
-					if err != nil {
-						return nil, err
-					}
-					return runtime.NewImageServiceClient(conn), nil
-				}
-				criCreds, criServer := cri.NewCRIKeychain(ctx, connectCRI)
-				// Create a gRPC server
-				rpc := grpc.NewServer()
-				runtime.RegisterImageServiceServer(rpc, criServer)
-				// Prepare the directory for the socket
-				if err := os.MkdirAll(filepath.Dir(addr), 0700); err != nil {
-					return nil, fmt.Errorf("failed to create directory %q: %w", filepath.Dir(addr), err)
-				}
-				// Try to remove the socket file to avoid EADDRINUSE
-				if err := os.RemoveAll(addr); err != nil {
-					return nil, fmt.Errorf("failed to remove %q: %w", addr, err)
-				}
-				// Listen and serve
-				l, err := net.Listen("unix", addr)
-				if err != nil {
-					return nil, fmt.Errorf("error on listen socket %q: %w", addr, err)
-				}
-				go func() {
-					if err := rpc.Serve(l); err != nil {
-						log.G(ctx).WithError(err).Warnf("error on serving via socket %q", addr)
-					}
-				}()
-				credsFuncs = append(credsFuncs, criCreds)
-			}
+func registerCRIAlphaServer(ctx context.Context, criAddr string, rpc *grpc.Server) resolver.Credential {
+	connectAlphaCRI := func() (runtime_alpha.ImageServiceClient, error) {
+		conn, err := newCRIConn(criAddr)
+		if err != nil {
+			return nil, err
+		}
+		return runtime_alpha.NewImageServiceClient(conn), nil
+	}
+	criAlphaCreds, criAlphaServer := crialpha.NewCRIAlphaKeychain(ctx, connectAlphaCRI)
+	runtime_alpha.RegisterImageServiceServer(rpc, criAlphaServer)
+	return criAlphaCreds
+}
 
-			// TODO(ktock): print warn if old configuration is specified.
-			// TODO(ktock): should we respect old configuration?
-			return service.NewStargzSnapshotterService(ctx, root, &config.Config,
-				service.WithCustomRegistryHosts(resolver.RegistryHostsFromCRIConfig(ctx, config.Registry, credsFuncs...)))
-		},
-	})
+func newCRIConn(criAddr string) (*grpc.ClientConn, error) {
+	// TODO: make gRPC options configurable from config.toml
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	connParams := grpc.ConnectParams{
+		Backoff: backoffConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
+	}
+	return grpc.Dial(dialer.DialAddress(criAddr), gopts...)
 }

service/keychain/crialphaforked/crialpha.go

@@ -0,0 +1,152 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package plugincore
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/pkg/dialer"
+	"github.com/containerd/containerd/platforms"
+	ctdplugin "github.com/containerd/containerd/plugin"
+	"github.com/containerd/stargz-snapshotter/service"
+	"github.com/containerd/stargz-snapshotter/service/keychain/cri"
+	"github.com/containerd/stargz-snapshotter/service/keychain/dockerconfig"
+	"github.com/containerd/stargz-snapshotter/service/keychain/kubeconfig"
+	"github.com/containerd/stargz-snapshotter/service/resolver"
+	grpc "google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
+)
+
+// Config represents configuration for the stargz snapshotter plugin.
+type Config struct {
+	service.Config
+
+	// RootPath is the directory for the plugin
+	RootPath string `toml:"root_path"`
+
+	// CRIKeychainImageServicePath is the path to expose CRI service wrapped by CRI keychain
+	CRIKeychainImageServicePath string `toml:"cri_keychain_image_service_path"`
+
+	// Registry is CRI-plugin-compatible registry configuration
+	Registry resolver.Registry `toml:"registry"`
+}
+
+func RegisterPlugin(registerCRIAlphaServer func(ctx context.Context, criAddr string, rpc *grpc.Server) resolver.Credential) {
+	ctdplugin.Register(&ctdplugin.Registration{
+		Type:   ctdplugin.SnapshotPlugin,
+		ID:     "stargz",
+		Config: &Config{},
+		InitFn: func(ic *ctdplugin.InitContext) (interface{}, error) {
+			ic.Meta.Platforms = append(ic.Meta.Platforms, platforms.DefaultSpec())
+			ctx := ic.Context
+
+			config, ok := ic.Config.(*Config)
+			if !ok {
+				return nil, errors.New("invalid stargz snapshotter configuration")
+			}
+
+			root := ic.Root
+			if config.RootPath != "" {
+				root = config.RootPath
+			}
+			ic.Meta.Exports["root"] = root
+
+			// Configure keychain
+			credsFuncs := []resolver.Credential{dockerconfig.NewDockerconfigKeychain(ctx)}
+			if config.Config.KubeconfigKeychainConfig.EnableKeychain {
+				var opts []kubeconfig.Option
+				if kcp := config.Config.KubeconfigKeychainConfig.KubeconfigPath; kcp != "" {
+					opts = append(opts, kubeconfig.WithKubeconfigPath(kcp))
+				}
+				credsFuncs = append(credsFuncs, kubeconfig.NewKubeconfigKeychain(ctx, opts...))
+			}
+			if addr := config.CRIKeychainImageServicePath; config.Config.CRIKeychainConfig.EnableKeychain && addr != "" {
+				// connects to the backend CRI service (defaults to containerd socket)
+				criAddr := ic.Address
+				if cp := config.Config.CRIKeychainConfig.ImageServicePath; cp != "" {
+					criAddr = cp
+				}
+				if criAddr == "" {
+					return nil, errors.New("backend CRI service address is not specified")
+				}
+				connectCRI := func() (runtime.ImageServiceClient, error) {
+					conn, err := newCRIConn(criAddr)
+					if err != nil {
+						return nil, err
+					}
+					return runtime.NewImageServiceClient(conn), nil
+				}
+				criCreds, criServer := cri.NewCRIKeychain(ctx, connectCRI)
+				// Create a gRPC server
+				rpc := grpc.NewServer()
+				runtime.RegisterImageServiceServer(rpc, criServer)
+				criAlphaCreds := registerCRIAlphaServer(ctx, criAddr, rpc)
+				// Prepare the directory for the socket
+				if err := os.MkdirAll(filepath.Dir(addr), 0700); err != nil {
+					return nil, fmt.Errorf("failed to create directory %q: %w", filepath.Dir(addr), err)
+				}
+				// Try to remove the socket file to avoid EADDRINUSE
+				if err := os.RemoveAll(addr); err != nil {
+					return nil, fmt.Errorf("failed to remove %q: %w", addr, err)
+				}
+				// Listen and serve
+				l, err := net.Listen("unix", addr)
+				if err != nil {
+					return nil, fmt.Errorf("error on listen socket %q: %w", addr, err)
+				}
+				go func() {
+					if err := rpc.Serve(l); err != nil {
+						log.G(ctx).WithError(err).Warnf("error on serving via socket %q", addr)
+					}
+				}()
+				credsFuncs = append(credsFuncs, criAlphaCreds, criCreds)
+			}
+
+			// TODO(ktock): print warn if old configuration is specified.
+			// TODO(ktock): should we respect old configuration?
+			return service.NewStargzSnapshotterService(ctx, root, &config.Config,
+				service.WithCustomRegistryHosts(resolver.RegistryHostsFromCRIConfig(ctx, config.Registry, credsFuncs...)))
+		},
+	})
+}
+
+func newCRIConn(criAddr string) (*grpc.ClientConn, error) {
+	// TODO: make gRPC options configurable from config.toml
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	connParams := grpc.ConnectParams{
+		Backoff: backoffConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
+	}
+	return grpc.Dial(dialer.DialAddress(criAddr), gopts...)
+}

service/plugin/plugin.go

@@ -0,0 +1,77 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package pluginfroked
+
+import (
+	"context"
+	"time"
+
+	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/pkg/dialer"
+	grpc "google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/containerd/stargz-snapshotter/service/plugincore"
+	"github.com/containerd/stargz-snapshotter/service/resolver"
+
+	// We have our own fork to enable to be imported to tools that don't import the recent commit of containerd (e.g. k3s).
+	runtime_alpha "github.com/containerd/stargz-snapshotter/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+
+	// We use CRI keychain that depends on our own CRI v1alpha fork.
+	"github.com/containerd/stargz-snapshotter/service/keychain/crialphaforked"
+)
+
+// NOTE: When containerd >= 234bf990dca4e81e89f549448aa6b555286eaa7a can be imported,
+// use "github.com/containerd/stargz-snapshotter/service/plugin" instead.
+//
+// This plugin provides the forked CRI v1alpha API. This should be used if this plugin is imported to tools that
+// doesn't import containerd newer than 234bf990dca4e81e89f549448aa6b555286eaa7a.
+
+func init() {
+	plugincore.RegisterPlugin(registerCRIAlphaServer)
+}
+
+func registerCRIAlphaServer(ctx context.Context, criAddr string, rpc *grpc.Server) resolver.Credential {
+	connectAlphaCRI := func() (runtime_alpha.ImageServiceClient, error) {
+		conn, err := newCRIConn(criAddr)
+		if err != nil {
+			return nil, err
+		}
+		return runtime_alpha.NewImageServiceClient(conn), nil
+	}
+	criAlphaCreds, criAlphaServer := crialphaforked.NewCRIAlphaKeychain(ctx, connectAlphaCRI)
+	runtime_alpha.RegisterImageServiceServer(rpc, criAlphaServer)
+	return criAlphaCreds
+}
+
+func newCRIConn(criAddr string) (*grpc.ClientConn, error) {
+	// TODO: make gRPC options configurable from config.toml
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	connParams := grpc.ConnectParams{
+		Backoff: backoffConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
+	}
+	return grpc.Dial(dialer.DialAddress(criAddr), gopts...)
+}

service/plugincore/plugin.go

@@ -42,7 +42,7 @@ import (
 	dconfig "github.com/containerd/containerd/remotes/docker/config"
 	"github.com/containerd/stargz-snapshotter/fs/source"
 	rhttp "github.com/hashicorp/go-retryablehttp"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 )
 
 // Registry is registry settings configured

service/pluginforked/plugin.go

@@ -0,0 +1,71 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+// This file contains all constants defined in CRI.
+
+// Required runtime condition type.
+const (
+	// RuntimeReady means the runtime is up and ready to accept basic containers.
+	RuntimeReady = "RuntimeReady"
+	// NetworkReady means the runtime network is up and ready to accept containers which require network.
+	NetworkReady = "NetworkReady"
+)
+
+// LogStreamType is the type of the stream in CRI container log.
+type LogStreamType string
+
+const (
+	// Stdout is the stream type for stdout.
+	Stdout LogStreamType = "stdout"
+	// Stderr is the stream type for stderr.
+	Stderr LogStreamType = "stderr"
+)
+
+// LogTag is the tag of a log line in CRI container log.
+// Currently defined log tags:
+// * First tag: Partial/Full - P/F.
+// The field in the container log format can be extended to include multiple
+// tags by using a delimiter, but changes should be rare. If it becomes clear
+// that better extensibility is desired, a more extensible format (e.g., json)
+// should be adopted as a replacement and/or addition.
+type LogTag string
+
+const (
+	// LogTagPartial means the line is part of multiple lines.
+	LogTagPartial LogTag = "P"
+	// LogTagFull means the line is a single full line or the end of multiple lines.
+	LogTagFull LogTag = "F"
+	// LogTagDelimiter is the delimiter for different log tags.
+	LogTagDelimiter = ":"
+)