Add minimal crictl integration test + setup

Dockerfile

@@ -16,6 +16,7 @@
 ARG CONTAINERD_VERSION=1.7.30
 ARG RUNC_VERSION=1.3.3
 ARG NERDCTL_VERSION=2.1.6
+ARG CRICTL_VERSION=1.36.0
 ARG IGZIP_VERSION=2.31.1
 ARG RAPIDGZIP_VERSION=0.14.3
 
@@ -101,6 +102,7 @@ FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS containerd-snapshotter-base
 ARG CONTAINERD_VERSION
 ARG RUNC_VERSION
 ARG NERDCTL_VERSION
+ARG CRICTL_VERSION
 ARG TARGETARCH
 ENV GOPROXY=direct
 ENV GOCOVERDIR=/test_coverage
@@ -141,3 +143,6 @@ RUN curl -sSL --output /tmp/runc https://github.com/opencontainers/runc/releases
 RUN curl -sSL --output /tmp/nerdctl.tgz https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}/nerdctl-${NERDCTL_VERSION}-linux-${TARGETARCH:-amd64}.tar.gz \
     && tar zxvf /tmp/nerdctl.tgz -C /usr/local/bin/ \
     && rm -f /tmp/nerdctl.tgz
+RUN curl -sSL --output /tmp/crictl.tgz https://github.com/kubernetes-sigs/cri-tools/releases/download/v${CRICTL_VERSION}/crictl-v${CRICTL_VERSION}-linux-${TARGETARCH:-amd64}.tar.gz \
+    && tar zxvf /tmp/crictl.tgz -C /usr/local/bin/ \
+    && rm -f /tmp/crictl.tgz

integration/cri_test.go

@@ -0,0 +1,46 @@
+/*
+   Copyright The Soci Snapshotter Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package integration
+
+import (
+	"testing"
+
+	"github.com/awslabs/soci-snapshotter/util/testutil"
+)
+
+// TestCRIImagePull pulls a SOCI-converted image through containerd's CRI image endpoint
+// and asserts that the layers are mounted as remote SOCI snapshots.
+func TestCRIImagePull(t *testing.T) {
+	regConfig := newRegistryConfig()
+	sh, done := newShellWithRegistry(t, regConfig)
+	defer done()
+
+	image := alpineImage
+
+	rebootContainerd(t, sh, getContainerdConfigToml(t, false), getSnapshotterConfigToml(t))
+	copyImage(sh, dockerhub(image), regConfig.mirror(image))
+	buildIndex(sh, regConfig.mirror(image), withMinLayerSize(0))
+	sh.X("soci", "push", "--user", regConfig.creds(), regConfig.mirror(image).ref)
+
+	rsm := testutil.NewRemoteSnapshotMonitor()
+	m := rebootContainerd(t, sh, getCRIContainerdConfigToml(t, false), getSnapshotterConfigToml(t, withCRIKeychain), rsm.MonitorFunc)
+	defer m.Cleanup(t)
+
+	sh.X(append(crictlCmd, "pull", "--creds", regConfig.creds(), regConfig.mirror(image).ref)...)
+
+	rsm.CheckAllRemoteSnapshots(t)
+}

integration/util_test.go

@@ -84,6 +84,11 @@ const (
 var (
 	runSociCmd   = []string{"nerdctl", "run", "--pull", "never", "--net", "none", "--snapshotter", "soci"}
 	imagePullCmd = []string{"nerdctl", "pull", "-q", "--snapshotter", "soci"}
+	crictlCmd    = []string{
+		"crictl",
+		"--runtime-endpoint", "unix:///run/containerd/containerd.sock",
+		"--image-endpoint", "unix:///run/soci-snapshotter-grpc/soci-snapshotter-grpc.sock",
+	}
 )
 
 // These are images that we use in our integration tests
@@ -140,6 +145,44 @@ level = "{{.LogLevel}}"
 {{.AdditionalConfig}}
 `
 
+// criContainerdConfigTemplate is the CRI counterpart to `containerdConfigTemplate`: it
+// leaves the containerd CRI plugin enabled and points it at the SOCI snapshotter.
+const criContainerdConfigTemplate = `
+version = 2
+
+disabled_plugins = [
+	"io.containerd.snapshotter.v1.aufs",
+	"io.containerd.snapshotter.v1.btrfs",
+	"io.containerd.snapshotter.v1.devmapper",
+	"io.containerd.snapshotter.v1.zfs",
+	"io.containerd.tracing.processor.v1.otlp",
+	"io.containerd.internal.v1.tracing",
+]
+
+# containerd 1.7.x
+[plugins."io.containerd.grpc.v1.cri".containerd]
+snapshotter = "soci"
+disable_snapshot_annotations = false
+
+# containerd 2.x
+[plugins."io.containerd.cri.v1.images"]
+snapshotter = "soci"
+disable_snapshot_annotations = false
+
+[plugins."io.containerd.snapshotter.v1.soci"]
+root_path = "/var/lib/soci-snapshotter-grpc/"
+disable_verification = {{.DisableVerification}}
+
+[plugins."io.containerd.snapshotter.v1.soci".blob]
+check_always = true
+
+[debug]
+format = "json"
+level = "{{.LogLevel}}"
+
+{{.AdditionalConfig}}
+`
+
 type composeDefaultTemplateArgs struct {
 	Entrypoint      string
 	ImageContextDir string
@@ -314,6 +357,27 @@ func getContainerdConfigToml(t *testing.T, disableVerification bool, additionalC
 	return s
 }
 
+// getCRIContainerdConfigToml is the CRI counterpart to `getContainerdConfigToml`,
+// rendering `criContainerdConfigTemplate` instead.
+func getCRIContainerdConfigToml(t *testing.T, disableVerification bool, additionalConfigs ...string) string {
+	if !isTestingBuiltinSnapshotter() {
+		additionalConfigs = append(additionalConfigs, proxySnapshotterConfig)
+	}
+	s, err := testutil.ApplyTextTemplate(criContainerdConfigTemplate, struct {
+		LogLevel            string
+		DisableVerification bool
+		AdditionalConfig    string
+	}{
+		LogLevel:            containerdLogLevel,
+		DisableVerification: disableVerification,
+		AdditionalConfig:    strings.Join(additionalConfigs, "\n"),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	return s
+}
+
 type snapshotterConfigOpt func(*config.Config)
 
 func withTCPMetrics(cfg *config.Config) {
@@ -335,6 +399,10 @@ func withDisableBgFetcher(cfg *config.Config) {
 	cfg.ServiceConfig.FSConfig.BackgroundFetchConfig.Disable = true
 }
 
+func withCRIKeychain(cfg *config.Config) {
+	cfg.ServiceConfig.CRIKeychainConfig.EnableKeychain = true
+}
+
 func withMinLayerSizeConfig(minLayerSize int64) snapshotterConfigOpt {
 	return func(c *config.Config) {
 		c.ServiceConfig.SnapshotterConfig.MinLayerSize = minLayerSize