containerd: advertise remap-ids capability for soci proxy plugin#939
Merged
ginglis13 merged 1 commit, Jun 16, 2026
Conversation
The soci proxy_plugins block does not declare the remap-ids capability, so containerd's resolveSnapshotOptions does not recognize the snapshotter as supporting ID remapping. For pods with user namespaces (hostUsers: false) containerd falls back to slow-chown remapping, then soci's mount callback remaps the already-remapped host UIDs, and the sandbox fails with "container ID cannot be mapped to a host ID". Declaring capabilities = ["remap-ids"] lets containerd pass the idmap labels and skip slow chown, allowing user-namespace pods to start.

Related: awslabs/soci-snapshotter#1888

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor

@mhulscher thanks for the contribution. I've tested on my end, LGTM.

Built an aws-k8s-1.34 (x86_64), built from core-kit develop with this PR's change applied. User data of the instance:

[settings.container-runtime]
snapshotter = "soci"
[settings.kernel.sysctl]
"user.max_user_namespaces" = "65536"

Confirmed the containerd config on the node includes the fix:

# /etc/containerd/config.d/001-snapshotter.toml
[proxy_plugins.soci]
capabilities = ["remap-ids"]
type = "snapshot"
address = "/run/soci-snapshotter/soci-snapshotter.sock"

Test pod setting:

apiVersion: v1
kind: Pod
metadata:
  name: userns-soci-test
spec:
  hostUsers: false
  containers:
  - name: test
    image: public.ecr.aws/amazonlinux/amazonlinux:2023
    command: ["sleep", "300"]

Pod started successfully with no errors:

User namespace mapping confirmed active inside the container:
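The check below is an added example, not code from this PR or from Bottlerocket: a shell function that reads a containerd config.d fragment and reports whether a proxy_plugins snapshotter declares remap-ids, run against two constructed copies of the 001-snapshotter.toml quoted above (before and after the fix).

```shell
# Added example: does a containerd proxy_plugins snapshotter declare "remap-ids"?
# Without it, containerd does not pass idmap labels to the snapshotter and
# hostUsers: false pods fall back to slow chown.
# Usage: has_remap_ids <config.toml> <plugin-name>   (exit 0 = declared)
has_remap_ids() {
  awk -v plugin="$2" '
    BEGIN { hdr = "[proxy_plugins." plugin "]" }
    { sub(/^[[:space:]]+/, "") }                 # ignore indentation
    /^\[/ { in_plugin = ($0 == hdr); next }      # track the current table
    in_plugin && /^capabilities[[:space:]]*=/ && /"remap-ids"/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# One-line verdict for an operator auditing a node.
check_config() {
  if has_remap_ids "$1" "$2"; then
    echo "$2: remap-ids declared; containerd will pass idmap labels"
  else
    echo "$2: remap-ids missing; hostUsers: false pods will hit slow chown"
  fi
}

# Constructed sample fragments (not captured from a real node), mirroring the
# 001-snapshotter.toml quoted above before and after this change.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
[proxy_plugins.soci]
  type = "snapshot"
  address = "/run/soci-snapshotter/soci-snapshotter.sock"
EOF
cat > "$AFTER" <<'EOF'
[proxy_plugins.soci]
  capabilities = ["remap-ids"]
  type = "snapshot"
  address = "/run/soci-snapshotter/soci-snapshotter.sock"
EOF

check_config "$BEFORE" soci   # remap-ids missing
check_config "$AFTER" soci    # remap-ids declared
```

On a Bottlerocket node, point it at /etc/containerd/config.d/001-snapshotter.toml or at the merged output of `containerd config dump`.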
ginglis13
approved these changes
Jun 16, 2026
jpculp
approved these changes
Jun 16, 2026
Issue number:
Closes bottlerocket-os/bottlerocket#4854
Description of changes:
Add the remap-ids capability to the soci snapshotter configuration, allowing it to start pods with hostUsers: false.
Testing done:
Simple manual configuration change on running node (adding the line) and restarting containerd. Let's see what CI says :)
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.