Add nix-snapshotter support to the embedded containerd

[nuketownada]

Proposed Changes

Add the nix-snapshotter plugin to k3s's embedded containerd, enabling rootless k3s with nix-snapshotter. This follows the same integration pattern as the existing stargz snapshotter.

Changes:

• Register nix-snapshotter plugin via blank import in builtins_linux.go
• Add NixSupported() validation functions for linux and windows
• Add "nix" case to snapshotter switch with image service socket config
• Add nix snapshotter containerd config blocks in both v2 and v3 templates
• Set disable_snapshot_annotations = false for nix (required for layer annotations)

Usage: k3s server --snapshotter=nix

Context

This revives #9319 (closed as stale), updated for k3s 1.34 and containerd v2.

Key differences from the original PR:

• Targets nix-snapshotter v0.4.0 (includes gRPC forward-compatibility fix)
• Updated for containerd v2 API (new plugin registration, config template structure)
• Config moved from config.go → config_linux.go (matching current k3s structure)
• Templates updated for both v2 and v3 config formats in templates.go

nix-snapshotter is a containerd snapshotter that understands nix store paths natively, enabling fully declarative container images built with Nix. See the architecture docs for details on the image service.

Types of Changes

• Adds nix-snapshotter as a Go dependency (1 line in go.mod)
• Adds nix as a valid snapshotter option for the agent
• When using nix snapshotter, configures it as an image service

Testing

• nix build .#k3s produces working k3s binary with nix-snapshotter linked in
• Integration test to be added

Linked Issues

• Add nix-snapshotter support to bundled containerd #13733

User-Facing Change

Add nix-snapshotter plugin to the embedded containerd to enable rootless k3s + nix-snapshotter

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 0% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 21.75%. Comparing base (abc7cc8) to head (85f325e).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/agent/config/config_linux.go	0.00%	5 Missing ⚠️
pkg/agent/containerd/config_linux.go	0.00%	4 Missing ⚠️
pkg/containerd/utility_linux.go	0.00%	4 Missing ⚠️
pkg/agent/containerd/config_windows.go	0.00%	2 Missing ⚠️
pkg/containerd/utility_windows.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13676      +/-   ##
==========================================
- Coverage   21.79%   21.75%   -0.04%     
==========================================
  Files         191      191              
  Lines       15539    15556      +17     
==========================================
- Hits         3386     3384       -2     
- Misses      11702    11721      +19     
  Partials      451      451              

Flag	Coverage Δ
unittests	21.75% <0.00%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[brandond]

1. Please fix conflicts and lint failure
2. Please add a test, similar to the stargz test
3. We don't test or support K3s on NixOS; is there anywhere else that this is expected to work?

[joshperry]

Thanks for the feedback @brandond! Working through what a test would look like for this snapshotter, as it's admittedly a bit more involved than stargz.

Regarding 3: Yes, this works on basically any distro that k3s supports, nix just needs to be installed; similar to a CRI needing to be installed to run OCI images. NixOS is just a meta-distribution built on top of nix and nixpkgs as its build system, package manager, and config store.

I'll add a check for nix and the store being available in NixSupported along with adding an integration test. For the test, I'll just install nix into the CI test runner container so it's apparent how this works outside NixOS.

[joshperry]

Alright, got everything delinted and synced.

Also added an integration test that uses the determinant systems nix install action on a new test in the matrix called "nixsnapshotter". It uses nix to build the test image at github:pdtpartners/nix-snapshotter#image-hello, and then loads it into a k3s pod and verifies that the nix-snapshotter set the runtime layer stack up correctly.

[joshperry]

Ended up changing the test a bit as it didn't work how I expected. Enabled CI on my fork so I could iterate through it and got the tests passing after figuring out the containerd configuration setup for the unpack_config. Also found a general bug in rootless k3s (NRI needs disabling on containerd v3).

Tested running nix-snapshotter images on rootless successfully locally. May want to add an integration test for that; an integration test for pulling an OCI image with the nix annotation would be another possible addition.

[joshperry]

Fixed the fmt.Errorf lint (:facepalm:). PR checks should be all green now.

[brandond]

Looks like you need a go mod tidy and to check in the resulting changes?

[joshperry]

Looks like you need a go mod tidy and to check in the resulting changes?

I saw that. It's just a go test tools transitive dependency minor version auto bump, between my last tidy and the test run. I can add the bump if you need that to be green.

[brandond]

yes, all the tests need to be green.

[joshperry]

yes, all the tests need to be green.

No problema! Bumped