Hi @ruiwen-zhao. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

/ok-to-test

Needs a rebase

You need to commit the changes to the vendoring in this PR as the project checks tries to validate go.mod and go.sum are correct and are finding differences because the removal isn't committed in this PR.

You need to commit the changes to the vendoring in this PR as the project checks tries to validate go.mod and go.sum are correct and are finding differences because the removal isn't committed in this PR.

oh so I need to run go mod tidy && go mod vendor to include the vendor changes in this PR? Makes sense. Will do

The windows failure seems to be related...

1 attempt "run_crictl"! Trying again in 1 seconds...
2 attempt "run_crictl"! Trying again in 2 seconds...
3 attempt "run_crictl"! Trying again in 3 seconds...
4 attempt "run_crictl"! Trying again in 4 seconds...
time="2022-11-11T19:01:07Z" level=fatal msg="getting status of runtime: rpc error: code = Unimplemented desc = unknown service runtime.v1alpha2.RuntimeService"
[SC] DeleteService SUCCESS

SERVICE_NAME: containerd-test 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 4  RUNNING 
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
mingw32-make: *** [Makefile:223: cri-integration] Error 1
Error: Process completed with exit code 2.

Only windows tests are failing, but not the linux ones. So I am guessing windows tests are using their own config.toml

per offline discussion..

let's keep (or at least try to keep) cri v1alpha2 in containerd until containerd v2.. this because we have a number of older clients still using containerd and they may need to update to the latest containerd for certain scenarios.. without moving up k/k and all the other clients still using cri v1alpha2 .. we can and should deprecate / provide notice from instrumented..

plan would be to vendor the v1alpha2 apis from one version of cri-api and v1 can go ahead and move up

I was doing some golang research but didn't really find a way to do this. To make sure I captured it correct, we would like

1. containerd to depend on both cri-api v0.26.x (which has latest everything), and v0.25.3 (which has v1alpha2 support)
2. k8s.io/cri-api/pkg/apis/runtime/v1 to use on v0.26.x, and k8s.io/cri-api/pkg/apis/runtime/v1alpha2 to use v0.25.3.

I tried using something like

replace k8s.io/cri-api/pkg/apis/runtime/v1alpha2 => k8s.io/cri-api v0.25.3

but i can't make it point to a directory under cri-api. Did i miss something here?

nod.. sans a go package trick.. since grpc only registers ServiceName: "runtime.v1alpha2.RuntimeService", let's just fork the v1alpha2 api for now through containerd v2.. maybe into containerd/containerd/pkg/cri/v1alpha2 do the renaming of the package import directory in a couple files and good to go I think!

protobuf check fails with

go build  -gcflags=-trimpath=/home/runner/work/containerd/containerd/src -buildmode=pie  -o bin/protoc-gen-go-fieldpath -ldflags '-X github.com/containerd/containerd/version.Version=b055e73 -X github.com/containerd/containerd/version.Revision=b055e736c2f16d4a8d444cab43c420ce6840e96e -X github.com/containerd/containerd/version.Package=github.com/containerd/containerd -s -w ' -tags "urfave_cli_no_docs"  ./cmd/protoc-gen-go-fieldpath
+ protos
github.com/gogo/protobuf/gogoproto/gogo.proto: File not found.
github.com/containerd/containerd/pkg/cri/v1alpha2/api.proto:23:1: Import "github.com/gogo/protobuf/gogoproto/gogo.proto" was not found or had errors.
2022/11/14 21:32:14 protoc -I./protobuf:/home/runner/work/containerd/containerd/src:/usr/local/include:/usr/include --go_out=/home/runner/work/containerd/containerd/src /home/runner/work/containerd/containerd/src/github.com/containerd/containerd/pkg/cri/v1alpha2/api.proto
make: *** [Makefile:179: protos] Error 1
Error: Process completed with exit code 2.

I am just copying the existing proto file instead of re-generating the proto, so I guess that caused some problem.

Project checks fails with

Run echo "::group::📚 File headers"
  echo "::group::📚 File headers"
  /home/runner/work/_actions/containerd/project-checks/v1/script/validate/fileheader /home/runner/work/_actions/containerd/project-checks/v1/
  echo "::endgroup::"
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    GO_VERSION: 1.19.3
    GOPATH: /home/runner/work/containerd/containerd
📚 File headers
  /home/runner/work/containerd/containerd/bin/ltag
  pkg/cri/v1alpha2/constants.go
  Error: Process completed with exit code 1.

Not too much info here...

📚 File headers
  /home/runner/work/containerd/containerd/bin/ltag
  pkg/cri/v1alpha2/constants.go

Not too much info here...

pkg/cri/v1alpha2/constants.go has the wrong file header. The right header is here, though since you copied that file from another project you'll likely want to keep both headers and note where the file came from in a comment too.

Thanks @samuelkarp for the pointers! I added containerd header to constant.go and removed gogoproto references from cri-api proto (some how I cannot verify if it works locally so has to push it to the PR and see)

One thing I want to call out here is that, by applying the manual fixes to the copied cri-api code, we are creating a divergence between the containerd-owned cri-api v1alpha2 code and the real cri-api code. I don't think this is a big problem because v1alpha2 is deprecated and no one will be changing it anymore. So the divergence will not increase.

If this kind of divergence is not acceptable in any way, an alternative of maintaining v1alpha2 dependency while picking up the latest v1 cri-api is to create a github fork repo pointing to 0.25.x cri-api, which still has v1alpha2 code. And make contaienrd's v1alpha2 dependency point to that fork.

Update:

So removing gogproto refs will make the proto check fail again because the generated go code is different than the copied-over one...

Ok cool, finally made protobuf check happy by excluding pkg/cri/v1alpha2 from multiple checks in Makefile. Updated the details in the PR description.

Code scanning is failing because cri-api code returns Password in one of the methods:

func (this *AuthConfig) String() string {
	if this == nil {
		return "nil"
	}
	s := strings.Join([]string{`&AuthConfig{`,
		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
		`Password:` + fmt.Sprintf("%v", this.Password) + `,`,
		`Auth:` + fmt.Sprintf("%v", this.Auth) + `,`,
		`ServerAddress:` + fmt.Sprintf("%v", this.ServerAddress) + `,`,
		`IdentityToken:` + fmt.Sprintf("%v", this.IdentityToken) + `,`,
		`RegistryToken:` + fmt.Sprintf("%v", this.RegistryToken) + `,`,
		`}`,
	}, "")
	return s
}

Is Code scanning configured anywhere and I can exclude this file from the check, just like vendor?

Ok cool, finally made protobuf check happy by excluding pkg/cri/v1alpha2 from multiple checks in Makefile. Updated the details in the PR description.

I don't think we should do this. Rather than copying the generated api.pb.go file, can we copy the api.proto file, adjust the file header, and use the existing proto generation logic in containerd to generate the new api.pb.go file?

Is Code scanning configured anywhere and I can exclude this file from the check, just like vendor?

We should probably exclude this field from logging rather than adjust the check.

I don't think we should do this. Rather than copying the generated api.pb.go file, can we copy the api.proto file, adjust the file header, and use the existing proto generation logic in containerd to generate the new api.pb.go file?

Yes we can do that technically. But I think that the cri-api go code should be treated in the same way as vendor. Containerd has been using the cri-api go code built by k8s already.

We should probably exclude this field from logging rather than adjust the check.

Maybe I am looking at wrong places but I don't think instrumented_server logs Password. For example, in the failed run , it complains

Check failure on line 79 in pkg/cri/sbserver/instrumented_service.go
... Sensitive data returned by an access to Password flows to a logging call.

But looking at the code where the check fails, instrumented_service only logs PodSandboxMetadata, which doesn't contain AuthConfig.Password:

defer func() {
		if err != nil {
			log.G(ctx).WithError(err).Errorf("RunPodSandbox for %+v failed, error", r.GetConfig().GetMetadata())

Note that AuthConfig is part of pull image request, so it is not even part of RunPodSandbox API call, so it shouldn't even be in the error.

Similar goes to the other failure, it only logs the image name:

defer func() {
		if err != nil {
			log.G(ctx).WithError(err).Errorf("PullImage %q failed", r.GetImage().GetImage())

What also confuses me is that this PR does not change the cri-api v1alpha2 code, why this check only fails now?

Regarding code scanning failures, sync'ed with @samuelkarp offline. For all the 10 scanning failures, the tool thinks the error message returned from PullImage is exposing AuthConfig.Password. And the tool thinks ref.String() at https://github.com/containerd/containerd/blob/main/reference/docker/reference.go#L632 is the root cause of leaking AuthConfig.Password, which doesn't seem to be true.

I dont know what throws off Code Scanning in this case. But I am gonna update my PR to run Code Scanning on only the first commit, and see if it solves the problem.

Regarding code scanning failures, sync'ed with @samuelkarp offline. For all the 10 scanning failures, the tool thinks the error message returned from PullImage is exposing AuthConfig.Password. And the tool thinks ref.String() at https://github.com/containerd/containerd/blob/main/reference/docker/reference.go#L632 is the root cause of leaking AuthConfig.Password, which doesn't seem to be true.

I dont know what throws off Code Scanning in this case. But I am gonna update my PR to run Code Scanning on only the first commit, and see if it solves the problem.

this all sounds familiar I may have had to do the override to approve this before..

So even with only one commit, Code Scanning still fails. I will add back the other commit now.

Yes we can do that technically. But I think that the cri-api go code should be treated in the same way as vendor. Containerd has been using the cri-api go code built by k8s already.

My preference would be to regenerate the Go code for consistency with the rest of the protos in containerd. However, if we must consume it exactly, let's move it into a clearly-marked "third party" folder and then apply the exception at that level.

Yes we can do that technically. But I think that the cri-api go code should be treated in the same way as vendor. Containerd has been using the cri-api go code built by k8s already.

My preference would be to regenerate the Go code for consistency with the rest of the protos in containerd. However, if we must consume it exactly, let's move it into a clearly-marked "third party" folder and then apply the exception at that level.

Makes sense. I moved the v1alpha2 proto files to third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/ instead. Also updated PR description.