Implement shim/extension in containerd v2 APIs.

WORKSPACE

@@ -2649,6 +2649,22 @@ go_repository(
     version = "v1.6.36",
 )
 
+go_repository(
+    name = "com_github_containerd_containerd_api",
+    build_file_proto_mode = "disable",
+    importpath = "github.com/containerd/containerd/api",
+    sum = "h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=",
+    version = "v1.8.0",
+)
+
+go_repository(
+  name = "com_github_containerd_containerd_v2",
+  build_file_proto_mode = "disable",
+  importpath = "github.com/containerd/containerd/v2",
+  sum = "h1:GmH/tRBlTvrXOLwSpWE2vNAm8+MqI6nmxKpKBNKY8Wc=",
+  version = "v2.0.2",
+)
+
 go_repository(
     name = "com_github_cenkalti_backoff",
     importpath = "github.com/cenkalti/backoff",
@@ -2803,6 +2819,13 @@ go_repository(
     version = "v27.3.0+incompatible",
 )
 
+go_repository(
+    name = "com_github_moby_sys_userns",
+    importpath = "github.com/moby/sys/userns",
+    sum = "h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=",
+    version = "v0.1.0",
+)
+
 go_repository(
     name = "com_github_docker_docker",
     importpath = "github.com/docker/docker",
@@ -2997,9 +3020,10 @@ go_repository(
 
 go_repository(
     name = "com_github_containerd_ttrpc",
+    build_file_proto_mode = "disable_global",
     importpath = "github.com/containerd/ttrpc",
-    sum = "h1:GbtyLRxb0gOLR0TYQWt3O6B0NvT8tMdorEHqIQo/lWI=",
-    version = "v1.1.0",
+    sum = "h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=",
+    version = "v1.2.7",
 )
 
 go_repository(

go.mod

@@ -7,11 +7,13 @@ require (
 	github.com/bazelbuild/rules_go v0.44.2
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cilium/ebpf v0.12.3
-	github.com/containerd/cgroups v1.0.4
-	github.com/containerd/console v1.0.3
-	github.com/containerd/containerd v1.6.36
-	github.com/containerd/fifo v1.0.0
-	github.com/containerd/go-runc v1.0.0
+	github.com/containerd/cgroups v1.1.0
+	github.com/containerd/console v1.0.4
+	github.com/containerd/containerd v1.7.23
+	github.com/containerd/containerd/api v1.8.0
+	github.com/containerd/containerd/v2 v2.0.2
+	github.com/containerd/fifo v1.1.0
+	github.com/containerd/go-runc v1.1.0
 	github.com/containerd/typeurl v1.0.2
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/godbus/dbus/v5 v5.1.0
@@ -22,80 +24,80 @@ require (
 	github.com/kr/pty v1.1.5
 	github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a
 	github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9
-	github.com/opencontainers/runtime-spec v1.1.0-rc.1
+	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
-	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
+	github.com/vishvananda/netlink v1.3.0
 	golang.org/x/mod v0.21.0
 	golang.org/x/sync v0.8.0
 	golang.org/x/sys v0.26.0
 	golang.org/x/time v0.7.0
 	golang.org/x/tools v0.26.0
-	google.golang.org/protobuf v1.33.0
-	k8s.io/api v0.23.16
-	k8s.io/apimachinery v0.23.16
-	k8s.io/client-go v0.23.16
+	google.golang.org/protobuf v1.35.1
+	k8s.io/api v0.31.2
+	k8s.io/apimachinery v0.31.2
+	k8s.io/client-go v0.31.2
 )
 
 require (
-	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/Microsoft/hcsshim v0.9.12 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.9 // indirect
+	github.com/containerd/continuity v0.4.4 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/ttrpc v1.1.2 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/containerd/ttrpc v1.2.7 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/docker/go-units v0.4.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/gogo/googleapis v1.4.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.7.0-rc.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-github/v56 v56.0.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.3.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/hanwen/go-fuse/v2 v2.3.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
-	github.com/moby/sys/signal v0.6.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
+	github.com/moby/sys/signal v0.7.1 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/opencontainers/selinux v1.10.1 // indirect
+	github.com/opencontainers/selinux v1.11.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/crypto v0.28.0 // indirect
-	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090 // indirect
+	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/term v0.25.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
-	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 // indirect
+	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
+	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.4.0 // indirect
 	honnef.co/go/tools v0.5.1 // indirect
-	k8s.io/klog/v2 v2.30.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
-	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
-	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

pkg/shim/BUILD

@@ -0,0 +1,20 @@
+load("//tools:defs.bzl", "go_library")
+
+package(
+    default_applicable_licenses = ["//:license"],
+    default_visibility = [":users"],
+    licenses = ["notice"],
+)
+
+package_group(
+    name = "users",
+    packages = [
+        "//...",
+        "//cloud/kubernetes/node/snapshot/...",
+    ],
+)
+
+go_library(
+    name = "shim",
+    srcs = ["config.go"],
+)

pkg/shim/config.go

@@ -0,0 +1,23 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package shim provides the configuration for the gVisor shim.
+package shim
+
+// RestoreConfig is the configuration for a restore request.
+type RestoreConfig struct {
+	ImagePath  string
+	Direct     bool
+	Background bool
+}

pkg/shim/v1/extension/BUILD

@@ -10,6 +10,7 @@ go_library(
     srcs = ["extension.go"],
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/shim",
         "@com_github_containerd_containerd//pkg/process:go_default_library",
         "@com_github_containerd_containerd//runtime/v2/task:go_default_library",
     ],

pkg/shim/v1/extension/extension.go

@@ -18,6 +18,8 @@ package extension
 import (
 	"context"
 
+	"gvisor.dev/gvisor/pkg/shim"
+
 	"github.com/containerd/containerd/pkg/process"
 	"github.com/containerd/containerd/runtime/v2/task"
 )
@@ -30,21 +32,14 @@ var NewExtension func(ctx context.Context, next TaskServiceExt, req *task.Create
 // task.StartRequest with restore functionality.
 type RestoreRequest struct {
 	Start task.StartRequest
-	Conf  RestoreConfig
+	Conf  shim.RestoreConfig
 }
 
 // Process extends process.Process with extra restore functionality.
 type Process interface {
 	process.Process
 	// Restore restores the container from a snapshot.
-	Restore(context.Context, *RestoreConfig) error
-}
-
-// RestoreConfig is the configuration for a restore request.
-type RestoreConfig struct {
-	ImagePath  string
-	Direct     bool
-	Background bool
+	Restore(context.Context, *shim.RestoreConfig) error
 }
 
 // TaskServiceExt extends TaskRequest with extra functionality required by the shim.

pkg/shim/v1/proc/BUILD

@@ -25,6 +25,7 @@ go_library(
     deps = [
         "//pkg/atomicbitops",
         "//pkg/cleanup",
+        "//pkg/shim",
         "//pkg/shim/v1/extension",
         "//pkg/shim/v1/runsccmd",
         "//pkg/shim/v1/utils",

pkg/shim/v1/proc/deleted_state.go

@@ -22,6 +22,7 @@ import (
 	"github.com/containerd/console"
 	"github.com/containerd/errdefs"
 	runc "github.com/containerd/go-runc"
+	"gvisor.dev/gvisor/pkg/shim"
 	"gvisor.dev/gvisor/pkg/shim/v1/extension"
 )
 
@@ -31,7 +32,7 @@ func (*deletedState) Resize(console.WinSize) error {
 	return fmt.Errorf("cannot resize a deleted container/process")
 }
 
-func (*deletedState) Start(context.Context, *extension.RestoreConfig) error {
+func (*deletedState) Start(context.Context, *shim.RestoreConfig) error {
 	return fmt.Errorf("cannot start a deleted container/process")
 }
 

pkg/shim/v1/proc/exec.go

@@ -33,7 +33,7 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 	"gvisor.dev/gvisor/pkg/cleanup"
-	"gvisor.dev/gvisor/pkg/shim/v1/extension"
+	"gvisor.dev/gvisor/pkg/shim"
 	"gvisor.dev/gvisor/pkg/shim/v1/runsccmd"
 )
 
@@ -276,7 +276,7 @@ func (e *execProcess) start(ctx context.Context) error {
 	return nil
 }
 
-func (e *execProcess) Restore(context.Context, *extension.RestoreConfig) error {
+func (e *execProcess) Restore(context.Context, *shim.RestoreConfig) error {
 	return fmt.Errorf("cannot restore an exec'd process")
 }
 

pkg/shim/v1/proc/exec_state.go

@@ -20,12 +20,12 @@ import (
 	"fmt"
 
 	"github.com/containerd/console"
-	"gvisor.dev/gvisor/pkg/shim/v1/extension"
+	"gvisor.dev/gvisor/pkg/shim"
 )
 
 type execState interface {
 	Resize(console.WinSize) error
-	Start(context.Context, *extension.RestoreConfig) error
+	Start(context.Context, *shim.RestoreConfig) error
 	Delete(context.Context) error
 	Kill(context.Context, uint32, bool) error
 	SetExited(int)
@@ -56,7 +56,7 @@ func (s *execCreatedState) Resize(ws console.WinSize) error {
 	return s.p.resize(ws)
 }
 
-func (s *execCreatedState) Start(ctx context.Context, restoreConf *extension.RestoreConfig) error {
+func (s *execCreatedState) Start(ctx context.Context, restoreConf *shim.RestoreConfig) error {
 	if restoreConf != nil {
 		return fmt.Errorf("cannot restore an exec'd process")
 	}
@@ -103,7 +103,7 @@ func (s *execRunningState) Resize(ws console.WinSize) error {
 	return s.p.resize(ws)
 }
 
-func (s *execRunningState) Start(context.Context, *extension.RestoreConfig) error {
+func (s *execRunningState) Start(context.Context, *shim.RestoreConfig) error {
 	return fmt.Errorf("cannot start a running process")
 }
 
@@ -141,7 +141,7 @@ func (s *execStoppedState) Resize(console.WinSize) error {
 	return fmt.Errorf("cannot resize a stopped container")
 }
 
-func (s *execStoppedState) Start(context.Context, *extension.RestoreConfig) error {
+func (s *execStoppedState) Start(context.Context, *shim.RestoreConfig) error {
 	return fmt.Errorf("cannot start a stopped process")
 }
 

pkg/shim/v1/proc/init.go

@@ -36,6 +36,7 @@ import (
 	runc "github.com/containerd/go-runc"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
+	"gvisor.dev/gvisor/pkg/shim"
 	"gvisor.dev/gvisor/pkg/shim/v1/extension"
 	"gvisor.dev/gvisor/pkg/shim/v1/runsccmd"
 	"gvisor.dev/gvisor/pkg/shim/v1/utils"
@@ -229,7 +230,7 @@ func (p *Init) Start(ctx context.Context) error {
 	return p.initState.Start(ctx, nil /* restoreConf */)
 }
 
-func (p *Init) start(ctx context.Context, restoreConf *extension.RestoreConfig) error {
+func (p *Init) start(ctx context.Context, restoreConf *shim.RestoreConfig) error {
 	var cio runc.IO
 	if !p.Sandbox {
 		cio = p.io
@@ -265,7 +266,7 @@ func (p *Init) start(ctx context.Context, restoreConf *extension.RestoreConfig)
 }
 
 // Restore restores the container from a snapshot.
-func (p *Init) Restore(ctx context.Context, conf *extension.RestoreConfig) error {
+func (p *Init) Restore(ctx context.Context, conf *shim.RestoreConfig) error {
 	p.mu.Lock()
 	defer p.mu.Unlock()
 

pkg/shim/v1/proc/init_state.go

@@ -23,6 +23,7 @@ import (
 	runc "github.com/containerd/go-runc"
 	"golang.org/x/sys/unix"
 
+	"gvisor.dev/gvisor/pkg/shim"
 	"gvisor.dev/gvisor/pkg/shim/v1/extension"
 )
 
@@ -50,7 +51,7 @@ func (s stateTransition) String() string {
 type initState interface {
 	// Start starts the process. If RestoreConfig is provided, the process is
 	// restored using the checkpoint image provided in the config.
-	Start(context.Context, *extension.RestoreConfig) error
+	Start(context.Context, *shim.RestoreConfig) error
 	Delete(context.Context) error
 	Exec(context.Context, string, *ExecConfig) (extension.Process, error)
 	State(ctx context.Context) (string, error)
@@ -80,7 +81,7 @@ func (s *createdState) transition(transition stateTransition) {
 	}
 }
 
-func (s *createdState) Start(ctx context.Context, restoreConf *extension.RestoreConfig) error {
+func (s *createdState) Start(ctx context.Context, restoreConf *shim.RestoreConfig) error {
 	if err := s.p.start(ctx, restoreConf); err != nil {
 		// Containerd doesn't allow deleting container in created state.
 		// However, for gVisor, a non-root container in created state can
@@ -149,7 +150,7 @@ func (s *runningState) transition(transition stateTransition) {
 	}
 }
 
-func (s *runningState) Start(context.Context, *extension.RestoreConfig) error {
+func (s *runningState) Start(context.Context, *shim.RestoreConfig) error {
 	return fmt.Errorf("cannot start a running container")
 }
 
@@ -199,7 +200,7 @@ func (s *stoppedState) transition(transition stateTransition) {
 	}
 }
 
-func (s *stoppedState) Start(context.Context, *extension.RestoreConfig) error {
+func (s *stoppedState) Start(context.Context, *shim.RestoreConfig) error {
 	return fmt.Errorf("cannot start a stopped container")
 }
 

pkg/shim/v2/extension/BUILD

@@ -0,0 +1,16 @@
+load("//tools:defs.bzl", "go_library")
+
+package(
+    default_applicable_licenses = ["//:license"],
+    licenses = ["notice"],
+)
+
+go_library(
+    name = "extension",
+    srcs = ["extension.go"],
+    deps = [
+        "//pkg/shim",
+        "@com_github_containerd_containerd_api//runtime/task/v3:go_default_library",
+        "@com_github_containerd_containerd_v2//cmd/containerd-shim-runc-v2/process:go_default_library",
+    ],
+)

pkg/shim/v2/extension/extension.go

@@ -0,0 +1,50 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package extension provides an extension to the shim.
+package extension
+
+import (
+	"context"
+
+	"gvisor.dev/gvisor/pkg/shim"
+
+	task "github.com/containerd/containerd/api/runtime/task/v3"
+	"github.com/containerd/containerd/v2/cmd/containerd-shim-runc-v2/process"
+)
+
+// NewExtension registers an extension constructor. It may return nil, nil to indicate that the
+// extension should not handle this task request. Returning an error will fail the task request.
+var NewExtension func(ctx context.Context, next TaskServiceExt, req *task.CreateTaskRequest) (TaskServiceExt, error)
+
+// RestoreRequest is a request to restore a container. It extends
+// task.StartRequest with restore functionality.
+type RestoreRequest struct {
+	Start task.StartRequest
+	Conf  shim.RestoreConfig
+}
+
+// Process extends process.Process with extra restore functionality.
+type Process interface {
+	process.Process
+	// Restore restores the container from a snapshot.
+	Restore(context.Context, *shim.RestoreConfig) error
+}
+
+// TaskServiceExt extends TaskRequest with extra functionality required by the shim.
+type TaskServiceExt interface {
+	task.TTRPCTaskService
+	Cleanup(ctx context.Context) (*task.DeleteResponse, error)
+	Restore(ctx context.Context, req *RestoreRequest) (*task.StartResponse, error)
+}