
Add k3s 1.34 support with nix-snapshotter v0.4.0#175

Open
nuketownada wants to merge 21 commits into pdtpartners:main from joshperry:k3s-1.34-support

Conversation

@nuketownada
Contributor

Summary

  • Bump nixpkgs to 25.11 (+ lib.mdDoc deprecation fixes across all modules)
  • Add k3s 1.34 overlay that patches in nix-snapshotter support
  • Fix k3s rootless: use unwrapped binary (wrapper swallows PATH), add nsenter/iproute2/iptables

k3s Overlay

The overlay intercepts buildGoModule for k3s_1_34 to apply a patch that adds nix-snapshotter as an embedded containerd plugin. This uses the clean pkg/plugin import from nix-snapshotter v0.4.0 — no vendored code patching needed.

The same patch has been submitted upstream as k3s-io/k3s#13676. This overlay is temporary until that PR is merged and a k3s release includes it.

Test plan

  • nix build .#nix-snapshotter passes
  • nix build .#k3s produces k3s v1.34.2+k3s1 with nix-snapshotter plugin
  • nix flake check --no-build evaluates all modules/packages (pre-existing docker-distribution rename issue in test-push-n-pull unrelated to this PR)

🤖 Generated with Claude Code
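The overlay the description refers to is not reproduced on this page, so the sketch below is an added example, not the PR's own code. It assumes nixpkgs' k3s_1_34 receives buildGoModule through callPackage (so `.override` can swap it), that the main k3s module has pname "k3s", that the patch lives next to the overlay as `./k3s-nix-snapshotter.patch`, and the vendorHash values are placeholders to be filled in after a first build.

```nix
# Added example overlay (not the PR's or the project's code). Assumptions are
# marked inline: the patch file path, the vendorHash placeholders, the pname
# of the main k3s Go module, and that k3s_1_34 is overridable via callPackage.
final: prev:
let
  # Patching go.mod changes the vendored dependency set, so the upstream
  # vendorHash no longer matches; each supported k3s version needs its own entry.
  vendorHashes = {
    "1.34.2+k3s1" = "sha256-PLACEHOLDER-REPLACE-AFTER-FIRST-BUILD=";  # assumption
    "1.34.3+k3s3" = "sha256-PLACEHOLDER-REPLACE-AFTER-FIRST-BUILD=";  # assumption
  };

  # Every Go module built for k3s_1_34 passes through this wrapper; only the
  # k3s module itself gets the nix-snapshotter patch and a replacement hash.
  patchedBuildGoModule = args:
    let
      isK3s = (args.pname or "") == "k3s";   # assumption: pname of the main module
      version = args.version or "unknown";
    in
    prev.buildGoModule (args // prev.lib.optionalAttrs isK3s {
      patches = (args.patches or [ ]) ++ [ ./k3s-nix-snapshotter.patch ];  # assumption: local path
      # Fail at evaluation time with an actionable message instead of a
      # confusing vendor-hash mismatch deep inside the build.
      vendorHash = vendorHashes.${version} or (throw ''
        k3s-nix-snapshotter overlay: no vendorHash recorded for k3s ${version}.
        Build once with vendorHash = lib.fakeHash and copy the hash from the mismatch error.
      '');
    });
in
{
  # Re-run the k3s_1_34 builder with the wrapped buildGoModule (callPackage's .override).
  k3s_1_34 = prev.k3s_1_34.override { buildGoModule = patchedBuildGoModule; };
}
```

Because the replacement vendorHash is keyed by version, a nixpkgs bump to an unlisted k3s release surfaces as a clear evaluation error rather than a silent use of the wrong hash.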

bglgwyng and others added 6 commits February 24, 2026 13:10
Override k3s_1_34 to apply the nix-snapshotter integration patch,
which adds the nix snapshotter plugin to k3s's embedded containerd.

The patch targets nix-snapshotter v0.4.0 (which includes the gRPC
forward-compatibility fix) and uses a clean one-line import of
pkg/plugin — no vendored code patching needed.

This overlay is temporary until the equivalent PR is merged upstream
in k3s-io/k3s (reviving #9319).

Co-Authored-By: Joshua Perry <josh@6bit.com>
RobbieBuxton added the ok-to-test (Runs NixOS tests) label Feb 24, 2026
nuketownada and others added 9 commits February 28, 2026 13:21
Fail early with a helpful error message if nix-store is not available,
rather than failing at image pull time with a cryptic exec error.

Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
Regenerate the k3s-nix-snapshotter patch from the rebased k3s commit:
- Rebased onto k3s main (v1.35.2)
- Fixed gofmt import ordering (nix import alphabetical position)
- Added exec.LookPath("nix-store") check to NixSupported()

Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
Regenerate patch against k3s_1_34 source (v1.34.3+k3s3) which has
slightly different go.mod dependency versions (selinux v1.13.0,
otiai10/copy v1.7.0) than the v1.35 branch used for the upstream PR.

Signed-off-by: Ada <ada@6bit.com>
Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
The nix-snapshotter plugin needs the containerd gRPC address to
initialize its image service. When running as an embedded containerd
plugin in k3s, plugins.PropertyGRPCAddress may not be populated.
Add containerd_address to the containerd config template so the
plugin can find the backend CRI endpoint.

Signed-off-by: Ada <ada@6bit.com>
Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
The containerd v2 Transfer API requires explicit unpack_config entries
to know which snapshotter to use when unpacking images. Without this
config, image pulls fail with "unable to initialize unpacker: no unpack
platforms defined: invalid argument" (containerd/containerd#11606).

Add unpack_config entries for both linux/amd64 and linux/arm64 to the
containerd config templates when the nix snapshotter is selected.

Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
Two fixes for the k3s nix-snapshotter patch:

1. Use filepath.Join(nodeConfig.Containerd.State, "nix-snapshotter.sock")
   instead of hardcoded /run/nix-snapshotter/nix-snapshotter.sock.
   In rootless mode, /run is not writable for new directories, but
   the containerd state directory (/run/k3s/containerd/) is writable
   via rootlesskit's copy-up mount. This also works in privileged mode.

2. Add differ = "walking" to both unpack_config entries in the
   containerd config templates. Without explicit differ, containerd
   iterates diff plugins by platform matching, but the walking differ
   only registers for the host platform. The arm64 entry fails with
   "no matching diff plugins: not found". With explicit differ,
   containerd uses ID lookup which always succeeds.

Co-Authored-By: Joshua Perry <josh@6bit.com>
Add vendorHash mapping for k3s 1.34.3+k3s3 alongside the existing
1.34.2+k3s1 mapping. The patch applies cleanly to both versions.

Co-Authored-By: Joshua Perry <josh@6bit.com>
NRI (Node Resource Interface) tries to bind /var/run/nri/nri.sock
which fails in rootless mode with permission denied. Add NRI disable
to the V3 containerd config template when IsRunningInUserNS is true.

Tested: k3s rootless with nix-snapshotter starts successfully,
nix hello image pulls and runs with "Hello, world!" output.

Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
The k3s wrapper binary adds runc to PATH, but the rootless module
uses .k3s-wrapped directly (to control PATH ordering for suid
newuidmap). Without runc in PATH, containerd-shim-runc-v2 fails
with "exec: runc: executable file not found in $PATH".

Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
@joshperry
Contributor

This is running rootless on my laptop successfully now. All the changes made to the k3s patch have been updated in the k3s-io/k3s#13676 PR and I added an integration test there that runs a nix-snapshotter image on the k3s CI by installing nix on ubuntu.

nuketownada force-pushed the k3s-1.34-support branch 3 times, most recently from 2270fb8 to 9569070 on March 3, 2026 20:00
containerd v2.1+ runs checkIfCheckpointOCIImage on every CreateContainer
call to detect CRIU checkpoint images. When the image isn't yet in the
CRI image store, LocalResolve returns ErrNotFound and the function
propagates it as a hard error — failing CreateContainer entirely.

This breaks image service proxies (like nix-snapshotter) that bypass
containerd's CRI PullImage and load images directly into the content
store. The CRI image store is only populated asynchronously via event
handlers, creating a race between image loading and CreateContainer.

An image that is not found cannot be a checkpoint image. The patch
returns ("", nil) on ErrNotFound instead of propagating the error,
matching the existing behavior for empty input and local file paths.

Applied to the vendored containerd in the k3s build overlay via
preBuild, since k3s embeds containerd as a Go module dependency.

Co-Authored-By: Joshua Perry <josh@6bit.com>
Signed-off-by: Ada <ada@6bit.com>
Co-Authored-By: Joshua Perry <josh@6bit.com>
nuketownada and others added 4 commits March 30, 2026 16:27
Co-Authored-By: Joshua Perry <josh@6bit.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reduce go.mod context lines so the patch applies across k3s minor
versions where dependency versions shift (selinux, otiai10/copy).

Co-Authored-By: Joshua Perry <josh@6bit.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Joshua Perry <josh@6bit.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix go.mod patch hunk to use minimal context (survives dep version bumps)
- Add vendorHash for k3s 1.34.5+k3s1

Co-Authored-By: Joshua Perry <josh@6bit.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>