feat(shim): add containerd access session

sidneychang · sidneychang · commit 457e776bfb06 · 2026-05-12T21:29:01.000Z
Signed-off-by: sidneychang &lt;2190206983@qq.com&gt;
diff --git a/go.mod b/go.mod
@@ -28,6 +28,7 @@ require (
 	github.com/vishvananda/netlink v1.3.1
 	github.com/vishvananda/netns v0.0.5
 	golang.org/x/sys v0.43.0
+	google.golang.org/grpc v1.79.3
 	k8s.io/cri-api v0.35.4
 )
 
@@ -79,7 +80,6 @@ require (
 	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
-	google.golang.org/grpc v1.79.3 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/pkg/containerd-shim/containerd_resources.go b/pkg/containerd-shim/containerd_resources.go
@@ -0,0 +1,83 @@
+// Copyright (c) 2023-2026, Nubificus LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//nolint:unused // Intentionally unused until feature wiring.
+package containerdshim
+
+import (
+	"context"
+
+	containersapi "github.com/containerd/containerd/api/services/containers/v1"
+	contentapi "github.com/containerd/containerd/api/services/content/v1"
+	imagesapi "github.com/containerd/containerd/api/services/images/v1"
+	leasesapi "github.com/containerd/containerd/api/services/leases/v1"
+	snapshotsapi "github.com/containerd/containerd/api/services/snapshots/v1"
+)
+
+// containerdResourceBase carries the task-level scope shared by
+// feature-specific resource views. It deliberately carries scope metadata, not
+// the underlying connection or all generated containerd clients.
+type containerdResourceBase struct {
+	namespace   string
+	containerID string
+	container   *containersapi.Container
+}
+
+func newContainerdResourceBase(s *ContainerdSession) containerdResourceBase {
+	return containerdResourceBase{
+		namespace:   s.GetNamespace(),
+		containerID: s.GetContainerID(),
+		container:   s.GetContainer(),
+	}
+}
+
+func (s containerdResourceBase) withNamespace(ctx context.Context) context.Context {
+	return withContainerdNamespace(ctx, s.namespace)
+}
+
+// annotationResources is the capability-style view for annotation injection.
+// It intentionally exposes only container metadata plus images and content
+// access, and does not include snapshots or leases.
+type annotationResources struct {
+	containerdResourceBase
+
+	images  imagesapi.ImagesClient
+	content contentapi.ContentClient
+}
+
+func newAnnotationResources(s *ContainerdSession) annotationResources {
+	return annotationResources{
+		containerdResourceBase: newContainerdResourceBase(s),
+		images:                 s.imagesClient(),
+		content:                s.contentClient(),
+	}
+}
+
+// snapshotViewResources is the capability-style view for snapshot inspection.
+// It intentionally exposes only container metadata plus snapshots and leases
+// access, and does not include images or content.
+type snapshotViewResources struct {
+	containerdResourceBase
+
+	snapshots snapshotsapi.SnapshotsClient
+	leases    leasesapi.LeasesClient
+}
+
+func newSnapshotViewResources(s *ContainerdSession) snapshotViewResources {
+	return snapshotViewResources{
+		containerdResourceBase: newContainerdResourceBase(s),
+		snapshots:              s.snapshotsClient(),
+		leases:                 s.leasesClient(),
+	}
+}
diff --git a/pkg/containerd-shim/containerd_session.go b/pkg/containerd-shim/containerd_session.go
@@ -0,0 +1,196 @@
+// Copyright (c) 2023-2026, Nubificus LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package containerdshim
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	containersapi "github.com/containerd/containerd/api/services/containers/v1"
+	contentapi "github.com/containerd/containerd/api/services/content/v1"
+	imagesapi "github.com/containerd/containerd/api/services/images/v1"
+	leasesapi "github.com/containerd/containerd/api/services/leases/v1"
+	snapshotsapi "github.com/containerd/containerd/api/services/snapshots/v1"
+	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/pkg/dialer"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+const defaultConnectTimeout = 10 * time.Second
+
+// ContainerdSession owns one shim-side connection to containerd for a single task
+// operation. It intentionally does not expose the underlying grpc connection,
+// and generated service clients remain private implementation details used to
+// build feature-specific resource views.
+type ContainerdSession struct {
+	conn *grpc.ClientConn
+
+	namespace   string
+	containerID string
+	container   *containersapi.Container
+}
+
+// OpenContainerdSession opens a narrow containerd session for a single task operation.
+// The containerd namespace must already be present in ctx.
+func OpenContainerdSession(ctx context.Context, address, containerID string) (*ContainerdSession, error) {
+	if address == "" {
+		return nil, fmt.Errorf("containerd address is empty")
+	}
+	if containerID == "" {
+		return nil, fmt.Errorf("container id is empty")
+	}
+
+	namespace, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	dialOptions := []grpc.DialOption{
+		grpc.WithBlock(),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.FailOnNonTempDialError(true),
+		grpc.WithConnectParams(grpc.ConnectParams{Backoff: backoffConfig}),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithReturnConnectionError(),
+		grpc.WithDefaultCallOptions(
+			grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize),
+			grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize),
+		),
+	}
+
+	dialCtx, cancel := context.WithTimeout(ctx, defaultConnectTimeout)
+	defer cancel()
+
+	conn, err := grpc.DialContext(dialCtx, dialer.DialAddress(address), dialOptions...)
+	if err != nil {
+		return nil, fmt.Errorf("dial containerd at %q: %w", address, err)
+	}
+
+	session := &ContainerdSession{
+		conn:        conn,
+		namespace:   namespace,
+		containerID: containerID,
+	}
+
+	container, err := loadContainer(ctx, namespace, containerID, session.containersClient())
+	if err != nil {
+		if closeErr := conn.Close(); closeErr != nil {
+			return nil, fmt.Errorf("loadContainer failed: %w; close containerd connection: %v", err, closeErr)
+		}
+		return nil, fmt.Errorf("loadContainer failed: %w", err)
+	}
+	session.container = container
+
+	return session, nil
+}
+
+// Close closes the underlying containerd connection. The loaded container
+// metadata is a protobuf value and does not hold resources that need releasing.
+func (s *ContainerdSession) Close() error {
+	if s == nil || s.conn == nil {
+		return nil
+	}
+	return s.conn.Close()
+}
+
+// GetNamespace returns the containerd namespace bound to this session.
+func (s *ContainerdSession) GetNamespace() string {
+	return s.namespace
+}
+
+// GetContainerID returns the container ID bound to this session.
+func (s *ContainerdSession) GetContainerID() string {
+	return s.containerID
+}
+
+// GetContainer returns the task-level container metadata loaded during session
+// creation.
+func (s *ContainerdSession) GetContainer() *containersapi.Container {
+	return s.container
+}
+
+func loadContainer(ctx context.Context, namespace, containerID string, client containersapi.ContainersClient) (*containersapi.Container, error) {
+	resp, err := client.Get(withContainerdNamespace(ctx, namespace), &containersapi.GetContainerRequest{
+		ID: containerID,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("get container %q: %w", containerID, containerdErr(err))
+	}
+	container := resp.GetContainer()
+	if container == nil {
+		return nil, fmt.Errorf("get container %q: empty response", containerID)
+	}
+
+	return container, nil
+}
+
+func withContainerdNamespace(ctx context.Context, namespace string) context.Context {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	return namespaces.WithNamespace(ctx, namespace)
+}
+
+func containerdErr(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errdefs.FromGRPC(err)
+}
+
+// containersClient returns a generated containers service client scoped to the
+// session connection.
+func (s *ContainerdSession) containersClient() containersapi.ContainersClient {
+	return containersapi.NewContainersClient(s.conn)
+}
+
+// imagesClient returns a generated images service client scoped to the session
+// connection.
+//
+//nolint:unused // Intentionally unused until feature wiring.
+func (s *ContainerdSession) imagesClient() imagesapi.ImagesClient {
+	return imagesapi.NewImagesClient(s.conn)
+}
+
+// contentClient returns a generated content service client scoped to the
+// session connection.
+//
+//nolint:unused // Intentionally unused until feature wiring.
+func (s *ContainerdSession) contentClient() contentapi.ContentClient {
+	return contentapi.NewContentClient(s.conn)
+}
+
+// snapshotsClient returns a generated snapshots service client scoped to the
+// session connection.
+//
+//nolint:unused // Intentionally unused until feature wiring.
+func (s *ContainerdSession) snapshotsClient() snapshotsapi.SnapshotsClient {
+	return snapshotsapi.NewSnapshotsClient(s.conn)
+}
+
+// leasesClient returns a generated leases service client scoped to the session
+// connection.
+//
+//nolint:unused // Intentionally unused until feature wiring.
+func (s *ContainerdSession) leasesClient() leasesapi.LeasesClient {
+	return leasesapi.NewLeasesClient(s.conn)
+}

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ require (`
`28`	`28`	`github.com/vishvananda/netlink v1.3.1`
`29`	`29`	`github.com/vishvananda/netns v0.0.5`
`30`	`30`	`golang.org/x/sys v0.43.0`
	`31`	`+ google.golang.org/grpc v1.79.3`
`31`	`32`	`k8s.io/cri-api v0.35.4`
`32`	`33`	`)`
`33`	`34`
`@@ -79,7 +80,6 @@ require (`
`79`	`80`	`golang.org/x/tools v0.41.0 // indirect`
`80`	`81`	`google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect`
`81`	`82`	`google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect`
`82`		`- google.golang.org/grpc v1.79.3 // indirect`
`83`	`83`	`google.golang.org/protobuf v1.36.11 // indirect`
`84`	`84`	`gopkg.in/yaml.v3 v3.0.1 // indirect`
`85`	`85`	`)`