Upgrade Garden to Containerd v2.0

.gitmodules

@@ -26,3 +26,7 @@
 	path = src/garden-performance-acceptance-tests
 	url = https://github.com/cloudfoundry/garden-performance-acceptance-tests
 	branch = main
+[submodule "src/containerd"]
+	path = src/containerd
+	url = https://github.com/containerd/containerd.git
+	branch = release/2.0

jobs/garden/templates/bin/containerd_utils.erb

@@ -52,7 +52,7 @@ start_containerd() {
 
   echo "$!" > "$CONTAINERD_PIDFILE"
 
-  address=$(grep containerd.sock $containerd_config_filepath | awk '{print $3}' | tr -d '"')
+  address=$(grep containerd.sock $containerd_config_filepath | awk '{print $3}' | tr -d \')
   while ! /var/vcap/packages/containerd/bin/ctr -a $address --connect-timeout 100ms c ls; do
     log "waiting for containerd to become available"
     sleep 0.1

jobs/garden/templates/config/containerd.toml.erb

@@ -1,33 +1,32 @@
-root = "/var/vcap/data/containerd/root"
-state = "/var/vcap/sys/run/containerd/state"
-subreaper = true
+version = 3
+root = '/var/vcap/data/containerd/root'
+state = '/var/vcap/sys/run/containerd/state'
+disabled_plugins = ['io.containerd.snapshotter.v1.aufs',
+  'io.containerd.snapshotter.v1.devmapper',
+  'io.containerd.snapshotter.v1.overlayfs',
+  'io.containerd.snapshotter.v1.zfs',
+  'io.containerd.grpc.v1.walking',
+  'io.containerd.gc.v1.scheduler',
+  'io.containerd.service.v1.diff-service',
+  'io.containerd.service.v1.images-service',
+  'io.containerd.service.v1.namespaces-service',
+  'io.containerd.service.v1.snapshots-service',
+  'io.containerd.grpc.v1.diff',
+ 'io.containerd.grpc.v1.healthcheck',
+ 'io.containerd.grpc.v1.images',
+ 'io.containerd.grpc.v1.namespaces',
+ 'io.containerd.grpc.v1.snapshots',
+ 'io.containerd.grpc.v1.version',
+ 'io.containerd.grpc.v1.cri',
+ 'io.containerd.grpc.v1.leases',
+ 'io.containerd.service.v1.leases-service',
+ 'io.containerd.internal.v1.restart']
+
 oom_score = -999
-disabled_plugins = [
-  "aufs",
-  "devmapper",
-  "overlayfs",
-  "zfs",
-  "walking",
-  "scheduler",
-  "diff-service",
-  "images-service",
-  "namespaces-service",
-  "snapshots-service",
-  "diff",
-  "healthcheck",
-  "images",
-  "namespaces",
-  "snapshots",
-  "version",
-  "cri",
-  "leases",
-  "leases-service",
-  "restart",
-]
 
 [grpc]
-address = "/var/vcap/sys/run/containerd/containerd.sock"
+  address = '/var/vcap/sys/run/containerd/containerd.sock'
 
 [debug]
-address = "/var/vcap/sys/run/containerd/debug.sock"
-level = "info"
+  address = '/var/vcap/sys/run/containerd/debug.sock'
+  level = 'info'

packages/containerd/packaging

@@ -10,10 +10,8 @@ source /var/vcap/packages/golang-*-linux/bosh/compile.env
 mkdir -p "${BOSH_INSTALL_TARGET}/bin"
 export GOBIN="${BOSH_INSTALL_TARGET}/bin"
 
-pushd src/guardian/vendor/github.com/containerd/containerd
+pushd src/containerd
   BUILDTAGS=no_btrfs make ./bin/containerd
-  BUILDTAGS=no_btrfs make ./bin/containerd-shim
-  BUILDTAGS=no_btrfs make ./bin/containerd-shim-runc-v1
   BUILDTAGS=no_btrfs make ./bin/containerd-shim-runc-v2
   BUILDTAGS=no_btrfs make ./bin/ctr
   cp -R bin "${BOSH_INSTALL_TARGET}"

packages/runc/packaging

@@ -15,25 +15,7 @@ source /var/vcap/packages/golang-*-linux/bosh/compile.env
 mkdir -p "${BOSH_INSTALL_TARGET}/bin"
 export GOBIN="${BOSH_INSTALL_TARGET}/bin"
 
-. /etc/lsb-release
-if [[ "${DISTRIB_CODENAME}" == "xenial" ]]; then
-  patch -r Makefile-xenial.rej -F 0 \
-    src/guardian/vendor/github.com/opencontainers/runc/Makefile \
-    src/runc-patches/Makefile-xenial.patch \
-    >&2 || true >&2
-  # there are cases where patch can return 0, but will still generate a .rej file since
-  # it tried to be smart and figure out how to apply the patch. We'd like to err on the side
-  # of failure and requiring human eyes just in case. As a result, we ignore the exit code,
-  # and look for the reject file to tell us things failed.
-  if [[ -f Makefile-xenial.rej ]]; then
-    echo "Patching Makefile with Makefile-xenial.patch failed" >&2
-    echo "Please resolve the issue manually until patching succeeds and does not generate a .rej file:" >&2
-    echo "'patch -r Makefile-xenial.rej -F 0 src/guardian/vendor/github.com/opencontainers/runc/Makefile src/runc-patches/Makefile-xenial.patch' succeeds" >&2
-    exit 1
-  fi
-fi
-
 pushd src/guardian/vendor/github.com/opencontainers/runc
-  make BUILDTAGS='seccomp apparmor' static
+  make static
   cp runc "${GOBIN}/runc"
 popd

packages/runc/spec

@@ -7,7 +7,6 @@ dependencies:
   - pkg-config
 
 files:
-  - runc-patches/*.patch
   - guardian/go.mod
   - guardian/go.sum
   - guardian/vendor/modules.txt