containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

nerdctl should support `runtime_path` and `ConfigPath` options #3326

Closed fidencio closed 1 month ago

fidencio commented 1 month ago

What is the problem you're trying to solve

runtime_path:

runtime_config:

Describe the solution you'd like

I'd like to be able to call `nerdctl --debug --debug-full run --runtime io.containerd.kata.v2 --rm docker.io/library/busybox:latest uname -r`, and have that working, when using the following containerd config:

[plugins]
...
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
          runtime_type = "io.containerd.kata.v2"
          runtime_path = "/opt/kata/bin/containerd-shim-kata-v2"
          privileged_without_host_devices = true
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options]
            ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"
...

Additional context

This would greatly improve nerdctl's usability with Kata Containers / Confidential Containers.

fidencio commented 1 month ago

cc @AkihiroSuda

AkihiroSuda commented 1 month ago

nerdctl is not a CRI application, so "io.containerd.grpc.v1.cri" will never be recognized.

AkihiroSuda commented 1 month ago

containerd itself should have a generic interface for specifying runtime options that can be recognized by both CRI and non-CRI applications. Feel free to submit a proposal to https://github.com/containerd/containerd/pulls .