@dmcgowan

Allows containerd to pass through the socket directory to listen in, preventing a permission error with the default /var/run/containerd directory for non-root instances.

Copilot AI review requested due to automatic review settings January 23, 2026 07:34

Copilot AI left a comment

Pull request overview

Updates shim socket creation to support a caller-provided socket directory (intended to avoid permission errors for non-root instances) and bumps the containerd fork/dependency versions accordingly.

Changes:

  • Switch shim socket address generation from shim.SocketAddress to shim.CreateSocketAddress with an explicit socket directory/root.
  • Add support for opts.SocketDir (with a default fallback) when creating shim sockets (including debug socket).
  • Update go.mod replace to a newer github.com/dmcgowan/containerd/v2 pseudo-version and refresh transitive dependencies in go.sum.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| internal/shim/manager/manager.go | Use a socket directory (from StartOpts) and new address-creation helper to avoid permission issues. |
| go.mod | Update containerd fork replace target and indirect dependency versions. |
| go.sum | Sync sums for updated module graph after dependency changes. |

s, err := newShimSocket(ctx, opts.Address, grouping, false)
socketDir := opts.SocketDir
if socketDir == "" {
socketDir = filepath.Join(defaults.DefaultStateDir, "s")
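
Review bot: In the `socketDir := opts.SocketDir` assignment, a non-empty value is accepted exactly as the caller supplied it; only the empty string is handled. Consider rejecting a relative path with `filepath.IsAbs(socketDir)` before the value is used, and stating in the documentation of `SocketDir` who is expected to create the directory and with what ownership and mode.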

Copilot AI Jan 23, 2026

The fallback when opts.SocketDir is empty hardcodes defaults.DefaultStateDir/"s". That can (a) reintroduce the original permission issue for non-root/rootless setups when SocketDir isn’t populated, and (b) ignore a non-default configured state dir. Consider deriving the socket directory from opts.Address (preserving the previous SocketAddress behavior) or returning a clear error instructing the caller to provide SocketDir instead of silently falling back to a potentially unwritable path.

Suggested change
socketDir = filepath.Join(defaults.DefaultStateDir, "s")
return params, fmt.Errorf("shim socket directory must be specified in options (SocketDir)")

Copilot uses AI. Check for mistakes.
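
A fallback that either derives the directory or fails with a clear error, the two options the review comment above proposes, could look like the following. This is an added example, not code from the pull request or from containerd; `resolveSocketDir`, the `s` subdirectory beside the containerd address, the address being a plain filesystem path, and the 0700 and writability checks are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// resolveSocketDir is a hypothetical helper, not containerd's API. It returns
// the directory a shim socket should be created in: the caller-supplied
// SocketDir if set, else an assumed "s" directory beside the containerd
// address, else an error. It never falls back to a fixed system path.
func resolveSocketDir(socketDir, containerdAddress string) (string, error) {
	if socketDir == "" {
		if containerdAddress == "" {
			return "", errors.New("shim socket directory must be specified in options (SocketDir)")
		}
		socketDir = filepath.Join(filepath.Dir(containerdAddress), "s")
	}
	if !filepath.IsAbs(socketDir) {
		return "", fmt.Errorf("socket directory %q is not an absolute path", socketDir)
	}
	// 0700 keeps the sockets reachable only by the owning (possibly non-root) user.
	if err := os.MkdirAll(socketDir, 0o700); err != nil {
		return "", fmt.Errorf("socket directory %q is not usable: %w", socketDir, err)
	}
	fi, err := os.Stat(socketDir)
	if err != nil {
		return "", err
	}
	// A pre-existing directory keeps its old mode; refuse one other users can write to.
	if perm := fi.Mode().Perm(); perm&0o022 != 0 {
		return "", fmt.Errorf("socket directory %q is group/world-writable (%04o)", socketDir, perm)
	}
	return socketDir, nil
}

func main() {
	// Constructed rootless-style layout under a temporary directory.
	base, err := os.MkdirTemp("", "rootless-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	dir, err := resolveSocketDir("", filepath.Join(base, "run", "containerd.sock"))
	fmt.Println(dir, err)
}
```
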
Comment on lines +134 to +135
func newShimSocket(ctx context.Context, root, path, id string, debug bool) (*shimSocket, error) {
address, err := shim.CreateSocketAddress(ctx, root, path, id, debug)

Copilot AI Jan 23, 2026

The newShimSocket parameters root and path are ambiguous in this context (with path actually being the containerd address). Renaming them to something like socketDir and containerdAddress (and updating call sites) would reduce the chance of future misuse, especially now that the function takes both values.

Suggested change
func newShimSocket(ctx context.Context, root, path, id string, debug bool) (*shimSocket, error) {
address, err := shim.CreateSocketAddress(ctx, root, path, id, debug)
func newShimSocket(ctx context.Context, socketDir, containerdAddress, id string, debug bool) (*shimSocket, error) {
address, err := shim.CreateSocketAddress(ctx, socketDir, containerdAddress, id, debug)

@akerouanton left a comment

Change LGTM. Not sure what's going on with types/fieldpath.proto though.

Adds ability to pass the socket directory to allow rootless
configuration to use a directory other than /var/run/containerd.

Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
@dmcgowan force-pushed the update-containerd-rootless-permission branch from def128f to 7d3d6be, January 28, 2026 22:52