shim: infer SandboxPlatform from OCI spec when not explicitly set

rzlink · rzlink · commit 25e49d5be44d · 2026-03-04T13:32:03.000-08:00
When runtime options are non-empty (e.g., SandboxIsolation is set) but SandboxPlatform is empty, infer the platform from the OCI spec rather than failing validation. This matches the existing behavior when options are entirely empty. containerd's default config (config_windows.go) sets SandboxIsolation=1 for the runhcs-wcow-hypervisor runtime handler but omits SandboxPlatform, making options non-empty with an empty platform string. This causes platforms.Parse("") to fail with 'invalid runtime sandbox platform'. The OCI spec already contains sufficient information to determine the platform: spec.Linux != nil indicates LCOW, while spec.Windows != nil with spec.Linux == nil indicates WCOW. Fixes the interaction between containerd's default runtime config and hcsshim's strict validation added in PR #2473.
diff --git a/cmd/containerd-shim-runhcs-v1/service_internal.go b/cmd/containerd-shim-runhcs-v1/service_internal.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 
 	task "github.com/containerd/containerd/api/runtime/task/v2"
 	containerd_v1_types "github.com/containerd/containerd/api/types/task"
@@ -130,8 +131,25 @@ func (s *service) createInternal(ctx context.Context, req *task.CreateTaskReques
 	}
 
 	if !emptyShimOpts {
+		sandboxPlatform := shimOpts.GetSandboxPlatform()
+		if sandboxPlatform == "" {
+			// Infer platform from the OCI spec when not explicitly configured.
+			// containerd's default config sets SandboxIsolation without SandboxPlatform,
+			// making options non-empty but leaving the platform unset. Rather than
+			// failing, fall back to spec-based inference which is already used when
+			// options are entirely empty.
+			if oci.IsLCOW(&spec) {
+				sandboxPlatform = "linux/" + runtime.GOARCH
+			} else if oci.IsWCOW(&spec) {
+				sandboxPlatform = "windows/" + runtime.GOARCH
+			} else {
+				return nil, fmt.Errorf("cannot infer runtime sandbox platform from OCI spec: no Linux or Windows config present")
+			}
+			shimOpts.SandboxPlatform = sandboxPlatform
+		}
+
 		// validate runtime platform
-		plat, err := platforms.Parse(shimOpts.GetSandboxPlatform())
+		plat, err := platforms.Parse(sandboxPlatform)
 		if err != nil {
 			return nil, fmt.Errorf("invalid runtime sandbox platform: %w", err)
 		}
