feat(shim): add task wrapper and containerd access session

[sidneychang]

Description

The containerd access layer adds a narrow Session helper that owns a
short-lived gRPC connection, namespace propagation, task-level container
metadata lookup, and gRPC error conversion. It keeps the raw connection private
and exposes only common task/container metadata through getters.

The generated service-client constructors are package-private helpers. They are
not exposed to feature code directly; later feature PRs can use them inside the
containerd access package to build narrow annotation or snapshot/view
access/resource constructors for only the clients each feature needs.

Related issues

• Fix Come up with a common interface for the sim communication with contianerd #642
• Related to Feat/inject missing annot in shim #565
• Related to feat(view): add per-container snapshot views for boot artifacts #639
• Related discussion: LFx Mentorship (urunc Optimize rootfs handling with block-based snapshotters) #523

How was this tested?

LLM usage

GPT-5

Checklist

• I have read the contribution guide.
• The linter passes locally (make lint).
• The e2e tests of at least one tool pass locally (make test_ctr, make test_nerdctl, make test_docker, make test_crictl).
• If LLMs were used: I have read the llm policy.

[netlify]

✅ Deploy Preview for urunc canceled.

Name	Link
🔨 Latest commit	4bcd59f
🔍 Latest deploy log	https://app.netlify.com/projects/urunc/deploys/6a0473733dd7d200073e0f37

[sidneychang]

Hi @cmainas and @jiwahn,

I opened this draft PR for the initial task service wrapper and narrow containerd access session.

There are still some implementation details to clean up, but I would like to first check whether the overall design direction looks reasonable to you.

Please let me know if this layering matches what we discussed, or if you think I should adjust the structure before continuing with the remaining details.

Thanks!

[cmainas]

Hello @sidneychang ,

I have added a few comments in the code. Please correct me if I have misunderstood something.

Also, is it necessary to wrap the manager too?

[cmainas]

Why do we need a mutex? As far as I understand we will have one container, which is going to get initialized once and then it should immutable.

[cmainas]

Since we are working in the task level we are handling one container per time. Therefore, we can add the lofic of obtaining the metadata when we create anew session.

[sidneychang]

Also, is it necessary to wrap the manager too?

Hello, @cmainas
I added this to hook the shim binary delete path, which goes through Manager.Stop instead of TaskService.Delete.

My idea was to keep all the shim wrapper logic in this PR, so the later view feature can build on top of it. If we prefer not to introduce it before it is actually used, I can drop it here and add the manager wrapper back in the view feature PR.

[jiwahn]

Hi Sidney, thanks for this implementation. I think this aligns really well with the direction we discussed in the issue. I left comment regarding resource scoping part. Please let me know if I misunderstood something.

[jiwahn]

This may not need to be exported, since it is currently only used internally by loadContainer()

[cmainas]

I agree

[jiwahn]

In the issue discussion, my understanding was that each feature should only access the containerd resources it actually needs. For example, the annotation path should not need access to the snapshotter/lease clients, and the snapshot-view path should not need access to image/content clients unless required. This seems slightly different from the direction of limiting resource access per feature.

[jiwahn]

I am not sure if this is ideal, but we could do something like this while keeping these client constructors private.
WDYT @sidneychang @cmainas

type annotationResources struct {
	container *containersapi.Container
	images   imagesapi.ImagesClient
	content  contentapi.ContentClient
}

func newAnnotationResources(s *ContainerdSession) annotationResources {
	return annotationResources{
		container: s.Container(),
		images:   s.imagesClient(),
		content:  s.contentClient(),
	}
}

[cmainas]

I agree with @jiwahn . We do not need to expose these functions and they can be called whenever required. In any case, it is just a stub, no reason to expose it.

[cmainas]

Hello @sidneychang , I have added some more comments.

Regarding the manager, I would suggest we keep it separately. The manager and the task have different semantics.

[cmainas]

Why do we need a double call to GetContainer? It has already been called and we can store the return value in a variable.

[cmainas]

The first error here will not be very clear. Let's add a few words before the error., like loadContainer failed: %w.

[cmainas]

Since getting the container takes place once, we should not add it as a method for ContainerdSession, but just a helper function.

[cmainas]

Function name should be GetNamespace()

[cmainas]

Function name should be GetContainerID()

[cmainas]

Function name should be GetContainer()

[cmainas]

This should be a helper function, no need to get access to ContainerdSession, since namespace is just a string.

[cmainas]

I agree

[sidneychang]

Hello @jiwahn @cmainas, Thanks for the reviews.

I initially exported the generated containerd client getters to avoid unused-code lint issues while the feature logic was not wired yet. Based on your feedback, I refined this so the constructors are private and the feature-specific resource structs expose only the clients each path needs.

Could you please take another look?

[jiwahn]

Thanks, Sidney. This looks good to me.

How about adding a short comment above OpenSession? It opens a containerd session and also loads the container metadata.

Other than that, I think this is good to go.

[sidneychang]

Thanks, @jiwahn. I have added the comment above OpenSession to clarify that it opens the containerd session and loads the container metadata.

[cmainas]

Hey all, I think there has been some misunderstanding.

We are trying to establish a common interface to use the shared containerd resources required form the annotations and the snapshots PRs later. We decided to only share the common parts and let the respective additions (annotations / snapshots) to retrieve whatever is necessary for them. I thought this will be the role of the Session struct. Based on the current implementation (BaseAccess), I am missing how the annotations / snapshots parts will have access to the containerd connection, which is not exposed to any of them.

I do not really understand the role of BaseAccess. Sure, we do not want to expose everything in each feature, but the containerd connection is necessary since in the snapshot part we instruct containerd to create a view snapshot.

Moreveor, why are we defining the AnnotationAccess and the SnapshotAccess in this PR? The upcoming PRs should be responsible to set and manage the data structures they require.

[cmainas]

Why a new struct?

[cmainas]

Why defining in this PR the annotations parts?

[cmainas]

Why defining in this PR the snapshot parts?

[sidneychang]

Sorry for the confusion, that was my mistake.

When I was thinking through how to avoid exposing the raw containerd connection directly to future feature-specific paths, I considered an access-type structure that was somewhat similar to inheritance / polymorphism. After reconsidering it, I realized that this was not the right abstraction here. During that experiment, I accidentally included some extra code in this PR.

I have fixed this by removing those access types.

[cmainas]

Thank you @sidneychang , if @jiwahn is also ok, we can rebase over main to merge.

[jiwahn]

Looks good to me too.

[cmainas]

Thank you @sidneychang for the addition and @jiwahn for the review.