How to categorize this issue?

/area os
/kind enhancement

What would you like to be added:

With containerd 2.0, which was recently released and already included in Debian and will subsequently appear in the next Garden Linux release, containerd introduced a new version 3 for its configuration file (as opposed to version 2 that was used by 1.5 to 1.7 versions). With version 3 of the configuration file format, a number of configuration options changed and were moved to different paths within the toml structure. The config file version is determined by the config file header version = <one of [1, 2, 3]> or the lack thereof which means version = 1.
For more info, refer to https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md, https://github.com/containerd/containerd/blob/main/docs/cri/config.md and https://github.com/containerd/containerd/blob/main/docs/hosts.md.

To stay compatible with containerd 2.0, those parts of the containerd configuration that are managed and modified by gardener-node-agent need to altered in GNAs code so that they are put at the right places according to the configuration file version.

In particular, those are:

• registry config path: changed from [plugins."io.containerd.grpc.v1.cri".registry] to [plugins."io.containerd.cri.v1.images".registry] (ref).
• almost everything in [plugins."io.containerd.grpc.v1.cri"]: most of the configuration keys under [plugins."io.containerd.grpc.v1.cri"] were moved to [plugins."io.containerd.cri.v1.*"] which especially applies to:
  • sandbox image: changed from [plugins."io.containerd.grpc.v1.cri"] to [plugins."io.containerd.cri.v1.runtime"]
  • cgroup driver: moved from [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] to [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runc.options] (ref)
• plugin settings: as those plugin settings are meant to add, configure and delete runtime plugins such as gVisor and/or Kata, their location changed as well from [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] to [plugins."io.containerd.cri.v1.runtime".containerd.runtimes] (ref)

Related issue that started to appear with containerd 2.0:

• All CNI plugins we use in Gardener get installed at /opt/cni/bin which is the containerd default. Some distributions (mostly those based on Debian) however chose to patch containerd to make /usr/lib/cni the default location for CNI plugins (ref). Those changes started to appear with the release of containerd 2.0. GNA hence should reconfigure containerd through its config file to always locate the CNI plugins in /opt/cni/bin.

GNA should be enhanced with a lookup table for the confguration options is directly touches that contains relevant entries according to the config file version present on the worker node. In addition, it might need a translation method that can translate plugin config paths specified in an OSC that conform to version 2 of a config file to the paths that are expected in a version 3 config file.

Why is this needed:

see above