feat: implement CRI configuration customization

This is tricky, as containerd doesn't merge itself plugin configuration across multiple files. TOML can't load configuration correctly from concatenated files. Fixes #6390 Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2025-10-23 21:41:11 +02:00 · 2022-11-15 20:21:59 +04:00 · 2022-11-15 20:21:59 +04:00 · 6ffc381c59
commit 6ffc381c59
parent e1e340bdd9
14 changed files with 234 additions and 25 deletions
--- a/4
+++ b/4
@ -479,7 +479,7 @@ RUN mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
 COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
 COPY --chmod=0644 hack/cri-containerd.toml /rootfs/etc/cri/containerd.toml
 COPY --chmod=0644 hack/cri-plugin.part /rootfs/etc/cri/conf.d/00-base.part
-RUN touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part}
+RUN touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part}
 RUN ln -s ca-certificates /rootfs/etc/ssl/certs/ca-certificates.crt
 RUN ln -s /etc/ssl /rootfs/etc/pki
 RUN ln -s /etc/ssl /rootfs/usr/share/ca-certificates
@ -526,7 +526,7 @@ RUN mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
 COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
 COPY --chmod=0644 hack/cri-containerd.toml /rootfs/etc/cri/containerd.toml
 COPY --chmod=0644 hack/cri-plugin.part /rootfs/etc/cri/conf.d/00-base.part
-RUN touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part}
+RUN touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part}
 RUN ln -s /etc/ssl /rootfs/etc/pki
 RUN ln -s ca-certificates /rootfs/etc/ssl/certs/ca-certificates.crt
 RUN ln -s /etc/ssl /rootfs/usr/share/ca-certificates
--- a/hack/cri-containerd.toml
+++ b/hack/cri-containerd.toml
@ -7,7 +7,6 @@ disabled_plugins = [
 imports = [
    "/etc/cri/conf.d/cri.toml",
    "/var/cri/conf.d/*.toml", # deprecated
 ]
 [debug]
--- a/hack/release.toml
+++ b/hack/release.toml
@ -225,6 +225,14 @@ machine:
 Changes to the node labels will be applied immediately without `kubelet` restart.
 Talos keeps track of the owned node labels in the `talos.dev/owned-labels` annotation.
 """
    [notes.criconfig]
        title = "CRI Configuration Overrides"
        description = """\
 Talos no longer supports CRI config overrides placed in `/var/cri/conf.d` directory.
 [New way](https://www.talos.dev/v1.3/talos-guides/configuration/containerd/) correctly handles merging of containerd/CRI plugin configuration.
 """
 [make_deps]
--- a/internal/app/machined/pkg/controllers/files/cri_config_parts.go
+++ b/internal/app/machined/pkg/controllers/files/cri_config_parts.go
@ -7,15 +7,14 @@ package files
 import (
 	"context"
 	"fmt"
 	"os"
 	"path/filepath"
 	"sort"
 	"github.com/cosi-project/runtime/pkg/controller"
 	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/siderolabs/go-pointer"
 	"go.uber.org/zap"
 	"github.com/siderolabs/talos/internal/pkg/toml"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
 )
@ -37,7 +36,6 @@ func (ctrl *CRIConfigPartsController) Inputs() []controller.Input {
 		{
 			Namespace: files.NamespaceName,
 			Type:      files.EtcFileStatusType,
 			ID:        pointer.To(constants.CRIRegistryConfigPart), // watch only registry configuration which might be updated
 			Kind:      controller.InputWeak,
 		},
 	}
@ -74,24 +72,16 @@ func (ctrl *CRIConfigPartsController) Run(ctx context.Context, r controller.Runt
 		sort.Strings(parts)
-		var contents []byte
+		out, err := toml.Merge(parts)
-
+		if err != nil {
-		for _, part := range parts {
+			return err
 			var partContents []byte
 			partContents, err = os.ReadFile(part)
 			if err != nil {
 				return err
 			}
 			contents = append(contents, append([]byte("\n## "+part+"\n\n"), partContents...)...)
 		}
 		if err := r.Modify(ctx, files.NewEtcFileSpec(files.NamespaceName, constants.CRIConfig),
 			func(r resource.Resource) error {
 				spec := r.(*files.EtcFileSpec).TypedSpec()
-				spec.Contents = contents
+				spec.Contents = out
 				spec.Mode = 0o600
 				return nil
--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@ -70,6 +70,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1/machine"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/kernel"
 	resourcefiles "github.com/siderolabs/talos/pkg/machinery/resources/files"
 	"github.com/siderolabs/talos/pkg/machinery/resources/k8s"
 	resourceruntime "github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 	"github.com/siderolabs/talos/pkg/version"
@ -1066,6 +1067,15 @@ func WriteUserFiles(seq runtime.Sequence, data interface{}) (runtime.TaskExecuti
 				continue
 			}
 			// CRI configuration customization
 			if f.Path() == filepath.Join("/etc", constants.CRICustomizationConfigPart) {
 				if err = injectCRIConfigPatch(ctx, r.State().V1Alpha2().Resources(), []byte(f.Content())); err != nil {
 					result = multierror.Append(result, err)
 				}
 				continue
 			}
 			// Determine if supplied path is in /var or not.
 			// If not, we'll write it to /var anyways and bind mount below
 			p := f.Path()
@ -1115,6 +1125,56 @@ func WriteUserFiles(seq runtime.Sequence, data interface{}) (runtime.TaskExecuti
 	}, "writeUserFiles"
 }
 func injectCRIConfigPatch(ctx context.Context, st state.State, content []byte) error {
 	// limit overall waiting time
 	ctx, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()
 	ch := make(chan state.Event)
 	// wait for the CRI config to be created
 	if err := st.Watch(ctx, resourcefiles.NewEtcFileSpec(resourcefiles.NamespaceName, constants.CRIConfig).Metadata(), ch); err != nil {
 		return err
 	}
 	// first update should be received about the existing resource
 	select {
 	case <-ch:
 	case <-ctx.Done():
 		return ctx.Err()
 	}
 	etcFileSpec := resourcefiles.NewEtcFileSpec(resourcefiles.NamespaceName, constants.CRICustomizationConfigPart)
 	etcFileSpec.TypedSpec().Mode = 0o600
 	etcFileSpec.TypedSpec().Contents = content
 	if err := st.Create(ctx, etcFileSpec); err != nil {
 		return err
 	}
 	// wait for the CRI config parts controller to generate the merged file
 	var version resource.Version
 	select {
 	case ev := <-ch:
 		version = ev.Resource.Metadata().Version()
 	case <-ctx.Done():
 		return ctx.Err()
 	}
 	// wait for the file to be rendered
 	_, err := st.WatchFor(ctx, resourcefiles.NewEtcFileStatus(resourcefiles.NamespaceName, constants.CRIConfig).Metadata(), state.WithCondition(func(r resource.Resource) (bool, error) {
 		fileStatus, ok := r.(*resourcefiles.EtcFileStatus)
 		if !ok {
 			return false, nil
 		}
 		return fileStatus.TypedSpec().SpecVersion == version.String(), nil
 	}))
 	return err
 }
 //nolint:deadcode,unused
 func doesNotExists(p string) (err error) {
 	_, err = os.Stat(p)
--- a/internal/pkg/toml/merge.go
+++ b/internal/pkg/toml/merge.go
@ -0,0 +1,48 @@
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 package toml
 import (
 	"bytes"
 	"fmt"
 	"github.com/BurntSushi/toml"
 	"github.com/siderolabs/talos/pkg/machinery/config/merge"
 )
 // Merge several TOML documents in files into one.
 //
 // Merge process relies on generic map[string]interface{} merge which might not always be correct.
 func Merge(parts []string) ([]byte, error) {
 	merged := map[string]interface{}{}
 	var header []byte
 	for _, part := range parts {
 		partial := map[string]interface{}{}
 		if _, err := toml.DecodeFile(part, &partial); err != nil {
 			return nil, fmt.Errorf("error decoding %q: %w", part, err)
 		}
 		if err := merge.Merge(merged, partial); err != nil {
 			return nil, fmt.Errorf("error merging %q: %w", part, err)
 		}
 		header = append(header, []byte(fmt.Sprintf("## %s\n", part))...)
 	}
 	var out bytes.Buffer
 	_, _ = out.Write(header) //nolint:errcheck
 	_ = out.WriteByte('\n')  //nolint:errcheck
 	if err := toml.NewEncoder(&out).Encode(merged); err != nil {
 		return nil, fmt.Errorf("error encoding merged config: %w", err)
 	}
 	return out.Bytes(), nil
 }
--- a/internal/pkg/toml/merge_test.go
+++ b/internal/pkg/toml/merge_test.go
@ -0,0 +1,29 @@
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 package toml_test
 import (
 	_ "embed"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/siderolabs/talos/internal/pkg/toml"
 )
 //go:embed testdata/expected.toml
 var expected []byte
 func TestMerge(t *testing.T) {
 	out, err := toml.Merge([]string{
 		"testdata/1.toml",
 		"testdata/2.toml",
 		"testdata/3.toml",
 	})
 	require.NoError(t, err)
 	assert.Equal(t, expected, out)
 }
--- a/internal/pkg/toml/testdata/1.toml
+++ b/internal/pkg/toml/testdata/1.toml
@ -0,0 +1,5 @@
 version = 2
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"
    discard_unpacked_layers = true
--- a/internal/pkg/toml/testdata/2.toml
+++ b/internal/pkg/toml/testdata/2.toml
@ -0,0 +1,5 @@
 [plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/cri/conf.d/hosts"
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
--- a/internal/pkg/toml/testdata/3.toml
+++ b/internal/pkg/toml/testdata/3.toml
@ -0,0 +1,6 @@
 [metrics]
  address = "0.0.0.0:11234"
 [plugins]
   [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "registry.k8s.io/pause:3.8"
--- a/internal/pkg/toml/testdata/expected.toml
+++ b/internal/pkg/toml/testdata/expected.toml
@ -0,0 +1,20 @@
 ## testdata/1.toml
 ## testdata/2.toml
 ## testdata/3.toml
 version = 2
 [metrics]
  address = "0.0.0.0:11234"
 [plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "registry.k8s.io/pause:3.8"
    [plugins."io.containerd.grpc.v1.cri".containerd]
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          discard_unpacked_layers = true
          runtime_type = "io.containerd.runc.v2"
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/cri/conf.d/hosts"
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
--- a/internal/pkg/toml/toml.go
+++ b/internal/pkg/toml/toml.go
@ -0,0 +1,6 @@
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 // Package toml provides utility functions for TOML handling.
 package toml
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@ -446,6 +446,9 @@ const (
 	// CRIRegistryConfigPart is the path to the CRI generated registry configuration relative to /etc.
 	CRIRegistryConfigPart = "cri/conf.d/01-registries.part"
 	// CRICustomizationConfigPart is the path to the CRI generated registry configuration relative to /etc.
 	CRICustomizationConfigPart = "cri/conf.d/20-customization.part"
 	// TalosConfigEnvVar is the environment variable for setting the Talos configuration file path.
 	TalosConfigEnvVar = "TALOSCONFIG"
--- a/website/content/v1.3/talos-guides/configuration/containerd.md
+++ b/website/content/v1.3/talos-guides/configuration/containerd.md
@ -5,27 +5,28 @@ aliases:
  - ../../guides/configuring-containerd
 ---
-The base containerd configuration expects to merge in any additional configs present in `/var/cri/conf.d/*.toml`.
+The base containerd configuration expects to merge in any additional configs present in `/etc/cri/conf.d/20-customization.part`.
-## An example of exposing metrics
+## Examples
-Into each machine config, add the following:
+### Exposing Metrics
 Patch the machine config by adding the following:
 ```yaml
 machine:
  ...
  files:
    - content: |
        [metrics]
          address = "0.0.0.0:11234"
-      path: /var/cri/conf.d/metrics.toml
+      path: /etc/cri/conf.d/20-customization.part
      op: create
 ```
-Create cluster like normal and see that metrics are now present on this port:
+Once the server reboots, metrics are now available:
 ```bash
-$ curl 127.0.0.1:11234/v1/metrics
+$ curl ${IP}:11234/v1/metrics
 # HELP container_blkio_io_service_bytes_recursive_bytes The blkio io service bytes recursive
 # TYPE container_blkio_io_service_bytes_recursive_bytes gauge
 container_blkio_io_service_bytes_recursive_bytes{container_id="0677d73196f5f4be1d408aab1c4125cf9e6c458a4bea39e590ac779709ffbe14",device="/dev/dm-0",major="253",minor="0",namespace="k8s.io",op="Async"} 0
@ -33,3 +34,32 @@ container_blkio_io_service_bytes_recursive_bytes{container_id="0677d73196f5f4be1
 ...
 ...
 ```
 ### Pause Image
 This change is often required for air-gapped environments, as `containerd` CRI plugin has a reference to the `pause` image which is used
 to create pods, and it can't be controlled with Kubernetes pod definitions.
 ```yaml
 machine:
  files:
    - content: |
        [plugins]
          [plugins."io.containerd.grpc.v1.cri"]
            sandbox_image = "registry.k8s.io/pause:3.8"
      path: /etc/cri/conf.d/20-customization.part
      op: create
 ```
 Now the `pause` image is set to `registry.k8s.io/pause:3.8`:
 ```bash
 $ talosctl containers --kubernetes
 NODE         NAMESPACE   ID                                                 IMAGE                                                      PID    STATUS
 172.20.0.5   k8s.io      kube-system/kube-flannel-6hfck                     registry.k8s.io/pause:3.8                                  1773   SANDBOX_READY
 172.20.0.5   k8s.io      └─ kube-system/kube-flannel-6hfck:install-cni      ghcr.io/siderolabs/install-cni:v1.3.0-alpha.0-2-gb155fa0   0      CONTAINER_EXITED
 172.20.0.5   k8s.io      └─ kube-system/kube-flannel-6hfck:install-config   ghcr.io/siderolabs/flannel:v0.20.1                         0      CONTAINER_EXITED
 172.20.0.5   k8s.io      └─ kube-system/kube-flannel-6hfck:kube-flannel     ghcr.io/siderolabs/flannel:v0.20.1                         2092   CONTAINER_RUNNING
 172.20.0.5   k8s.io      kube-system/kube-proxy-xp7jq                       registry.k8s.io/pause:3.8                                  1780   SANDBOX_READY
 172.20.0.5   k8s.io      └─ kube-system/kube-proxy-xp7jq:kube-proxy         k8s.gcr.io/kube-proxy:v1.26.0-alpha.3                      1843   CONTAINER_RUNNING
 ```