Upgrade cri-api for runtimeHandler parameter support

[prafgup]

Issue #, if available:

I was investigating soci pull taking too long for the first time on k8s using continerd 2.2 and figured there were a couple of issues. Investigating that I figured that containerd is pulling the full image as well as soci is mounting it as fuse leading to very high 1st pull time (containerd pull is discarded).

• The setup I use is defaulting to overlayfs and switches to soci via k8s RuntimeConfig, thus the global default is overlayfs
• In containerd 2.2 (prev I was using 1.7x but upgraded recently) there has been a lot of refactoring done and now when using RuntimeConfig and not defaulting to soci we need this for soci to work -

  [plugins.'io.containerd.cri.v1.images']
    disable_snapshot_annotations = false  <----- for soci
    max_concurrent_downloads = 10
    stats_collect_period = 10

    [plugins.'io.containerd.cri.v1.images'.runtime_platforms.soci] <----- new runtime_platforms for soci
      snapshotter = "soci"
      platform = "linux/<[ami_architecture]>" <---- (like linux/amd64)

• Manual testing on node - Upgrade cri-api for runtimeHandler parameter support #1943 (comment)
• As seems like the pull path consults runtime_platforms, not runtimes.*, without this entry containerd falls back to the default (overlayfs) and fully unpacks the image even when the pod sets runtimeClassName: soci.

More info in the comment above the function here - https://github.com/containerd/containerd/blob/v2.2.2/internal/cri/server/images/image_pull.go#L824-L867

• I never see this log "experimental: PullImage %q for runtime %s, using snapshotter %s", having plugins.'io.containerd.cri.v1.images'.runtime_platforms.soci should fix it.
• And I see Using deprecated annotation %q for runtime handler. thus its not returning here.

SOCI v0.13.0 drops runtime_handler on the wire (imports k8s.io/cri-api v0.28.2 which predates that field, and has no runtime_handler field on PullImageRequest).

Description of changes:

Testing performed:

• "lima sudo make build"
• "lima sudo make test"
• Tested this by building this new commit and using it in a k8s node and pulling soci based images.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[prafgup]

Hey @sondavidb can you run the integration tests here? and review if things look right to you :)

[prafgup]

I just confirmed that with the above (plugins.'io.containerd.cri.v1.images'.runtime_platforms.soci) change the pull latency went from ~15s -> 2s :)

And I see this in the logs as well `"experimental: PullImage … for runtime soci, using snapshotter soci"

[sondavidb]

Hey @prafgup, apologies things have been busy + been on vacation. Feel free to ping me for anything else I've missed — trying to catch up. (I still need to look at your concatenated ztoc PR, apologies for putting that one off for a while 😔 )

Related to this PR, would be great if we could get some testing with crictl (ref #1572) so that we can catch things such as these. Obviously not expecting this change to handle it though.

[prafgup]

Hey @sondavidb 😄 hope you had a nice vacation !!

Theres this one critical fix that should be prioritized - #1947 (fixes multi platform standalone convert)
Apart from that it looks fine, you can look at #1871 later as well as it not high prio but a good to have.

In the meantime I'll take a look if I can get something setup with crictl. I have tested this PR on a real cluster itself so should be fine overall :)

• Edit, here minimal crictl setup and test 😄 - Add minimal crictl integration test + setup #1952

[sondavidb]

Oops, forgot to approve this

[Swapnanil-Gupta]

Thanks.