Samuel Karp

[Slack thread](https://kubernetes.slack.com/archives/C0BP8PW9G/p1722265834673329)

 We did miss this change for 2.0. Any breaking change is going to require us to figure out how to help users upgrade. > Idea ---->: defaultK8sUnixCaps() I don't...

I think https://github.com/containerd/nri/pull/173 will make this more clear; plugins will receive an error from `Run()` and be able to define their own logic by examining the error.

It'd be useful to get the folks who are currently on the [email protected] list access to any incoming reports here as well. Some of the incoming reports have been cross-cutting...

> You also update your plugin to exit if it sees that annotation on a container it is about to process. I think this part wouldn't be necessary; you'd just...

It also looks like you are measuring `ctr image pull`, which includes unpacking in addition to network-level fetching. Unpacking is sequential (https://github.com/containerd/containerd/issues/8881) and can be CPU- or disk-bound. `ctr image...

> There is a large class of things we use node labels and/or taints and tolerations for that could be automatically derived. We think of these "workload requirements" and "node...

That sounds like a bug in the Kata runtime, not a bug in NRI?

Starting at https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go#L490 we have a bunch of logic that mutates the profile in various ways based on attributes like kernel version, architecture, bounding capabilities, etc. A single static override...

I took a look at the code for a bit today, here are some thoughts: * We correctly [create a lease](https://github.com/containerd/containerd/blob/a448047386476027f96c005485ad5639473a5e48/client/pull.go#L77-L81) at the top of `Pull`, which should be used...