containerd: advertise remap-ids capability for soci proxy plugin

The soci proxy_plugins block does not declare the remap-ids
capability, so containerd's resolveSnapshotOptions does not recognize
the snapshotter as supporting ID remapping. For pods with user
namespaces (hostUsers: false) containerd falls back to slow-chown
remapping, then soci's mount callback remaps the already-remapped host
UIDs, and the sandbox fails with "container ID cannot be mapped to a
host ID".

Declaring capabilities = ["remap-ids"] lets containerd pass the idmap
labels and skip slow chown, allowing user-namespace pods to start.

Related: awslabs/soci-snapshotter#1888

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: mhulscher

packages/containerd-1.7/snapshotter-toml

@@ -9,6 +9,7 @@ snapshotter = "soci"
 disable_snapshot_annotations = false
 # Plug soci snapshotter into containerd
 [proxy_plugins.soci]
+capabilities = ["remap-ids"]
 type = "snapshot"
 address = "/run/soci-snapshotter/soci-snapshotter.sock"
 [proxy_plugins.soci.exports]

packages/containerd-2.1/snapshotter-toml

@@ -13,6 +13,7 @@ snapshotter = "soci"
 
 # Plug soci snapshotter into containerd
 [proxy_plugins.soci]
+capabilities = ["remap-ids"]
 type = "snapshot"
 address = "/run/soci-snapshotter/soci-snapshotter.sock"
 [proxy_plugins.soci.exports]

packages/containerd-2.2/snapshotter-toml

@@ -13,6 +13,7 @@ snapshotter = "soci"
 
 # Plug soci snapshotter into containerd
 [proxy_plugins.soci]
+capabilities = ["remap-ids"]
 type = "snapshot"
 address = "/run/soci-snapshotter/soci-snapshotter.sock"
 [proxy_plugins.soci.exports]