From 4f27ac3ceaa64e2399a8bd1635cbb175f6526a67 Mon Sep 17 00:00:00 2001
From: Kris Coleman
Date: Tue, 5 May 2026 12:24:01 -0400
Subject: [PATCH] fix: containerd config compatible with both 1.x and 2.x CRI plugins
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous containerd_configure() approach deleted the [...runtimes.runc.options] TOML section header and appended a replacement using the containerd 1.x plugin name (io.containerd.grpc.v1.cri). This caused two problems:
1. Deleting the section header orphaned key-value pairs (like SystemdCgroup) under the wrong TOML section, corrupting the config.
2. The appended section used the 1.x plugin name which containerd 2.x (shipped by AL2023, Ubuntu 24.04) does not recognize, so the CRI runtime plugin never received the SystemdCgroup=true setting.
Replace the delete-and-append approach with an in-place sed substitution (SystemdCgroup = false → true) that works regardless of which CRI plugin name wraps the runc.options section.
Also create /etc/containerd/certs.d before restarting containerd so the config_path directory exists.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 addons/containerd/1.6.28/install.sh | 14 +++++++++-----
 addons/containerd/1.6.31/install.sh | 14 +++++++++-----
 addons/containerd/1.6.32/install.sh | 14 +++++++++-----
 addons/containerd/1.6.33/install.sh | 14 +++++++++-----
 addons/containerd/1.7.25/install.sh | 14 +++++++++-----
 addons/containerd/1.7.26/install.sh | 14 +++++++++-----
 addons/containerd/1.7.27/install.sh | 14 +++++++++-----
 addons/containerd/1.7.28/install.sh | 14 +++++++++-----
 addons/containerd/1.7.29/install.sh | 14 +++++++++-----
 addons/containerd/template/base/install.sh | 14 +++++++++-----
 10 files changed, 90 insertions(+), 50 deletions(-)
diff --git a/addons/containerd/1.6.28/install.sh b/addons/containerd/1.6.28/install.sh
index 56b7f2be1e..edca720992 100644
--- a/addons/containerd/1.6.28/install.sh
+++ b/addons/containerd/1.6.28/install.sh @@ -166,9 +166,17 @@ function containerd_configure() { mkdir -p /etc/containerd containerd config default > /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
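Review bot: The added `sed -i 's/SystemdCgroup = false/SystemdCgroup = true/'` has no check that it matched anything, so if `containerd config default` ever omits or reformats that key the installer carries on with the cgroupfs driver, which is the same silent outcome the commit message describes for 2.x. A guard directly after it, such as `grep -q 'SystemdCgroup = true' /etc/containerd/config.toml || { echo "SystemdCgroup not enabled in containerd config" >&2; return 1; }` (or the project's own failure helper), would make that case visible. Separately, `mkdir -p /etc/containerd/certs.d` takes its mode from the caller's umask, and the hosts.toml files read from that directory decide which registry endpoints are used and whether TLS is verified; `install -d -m 0755 -o root -g root /etc/containerd/certs.d` would pin ownership and mode. containerd_configure starts and ends outside the hunk, and the same lines recur in the other nine install.sh files in this patch.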
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml 
@@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml < /etc/containerd/config.toml + # Remove old-style systemd_cgroup key (containerd < 1.4) sed -i '/systemd_cgroup/d' /etc/containerd/config.toml - sed -i '/containerd.runtimes.runc.options/d' /etc/containerd/config.toml + # Enable SystemdCgroup for runc — works for both containerd 1.x and 2.x plugin names + # since the key lives under [plugins."".containerd.runtimes.runc.options] + # in both config versions. + sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml sed -i 's/level = ""/level = "warn"/' /etc/containerd/config.toml + + # Ensure the hosts.toml config directory exists before containerd restarts + mkdir -p /etc/containerd/certs.d + # Ensure containerd reads per-registry hosts.toml files (required for 1.x; no-op on 2.x which already sets this) sed -i 's|config_path = ""|config_path = "/etc/containerd/certs.d"|' /etc/containerd/config.toml @@ -180,10 +188,6 @@ function containerd_configure() { # ignores colon-separated config_path values and never reads hosts.toml as a result. # https://github.com/containerd/containerd/issues/12415 sed -i "s|config_path = '/etc/containerd/certs\.d:/etc/docker/certs\.d'|config_path = '/etc/containerd/certs.d'|" /etc/containerd/config.toml - cat >> /etc/containerd/config.toml <