lakitu: Cherry-pick a patch to containerd 1.2

This patch was requested by GKE and will be maintained by GKE. It has been
merged to upstream containerd HEAD.

TEST=emerge-lakitu containerd
BUG=b:141117955
RELEASE_NOTE=Cherry-picked https://github.com/containerd/cri/pull/1084 to
containerd.

Change-Id: Ifdf5562741ed4a105073c4333266948957a36649
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/board-overlays/+/1825266
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Commit-Queue: Ke Wu <mikewu@google.com>
Tested-by: Ke Wu <mikewu@google.com>
diff --git a/overlay-lakitu/app-emulation/containerd/containerd-1.2.8-r1.ebuild b/overlay-lakitu/app-emulation/containerd/containerd-1.2.8-r2.ebuild
similarity index 100%
rename from overlay-lakitu/app-emulation/containerd/containerd-1.2.8-r1.ebuild
rename to overlay-lakitu/app-emulation/containerd/containerd-1.2.8-r2.ebuild
diff --git a/overlay-lakitu/app-emulation/containerd/containerd-1.2.8.ebuild b/overlay-lakitu/app-emulation/containerd/containerd-1.2.8.ebuild
index cba5439..c75442c 100644
--- a/overlay-lakitu/app-emulation/containerd/containerd-1.2.8.ebuild
+++ b/overlay-lakitu/app-emulation/containerd/containerd-1.2.8.ebuild
@@ -48,6 +48,9 @@
 	# 2. set containerd path to /usr/bin/containerd
 	# 3. set OOM score to -999
 	"${FILESDIR}"/1.2.6-customize-containerd-service.patch
+	# lakitu: cherry-pick https://github.com/containerd/cri/pull/1084 to
+	# containerd v1.2.
+	"${FILESDIR}"/1.2.8-improve-sandbox-emptydir-performance.patch
 )
 
 RESTRICT="test"
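Review bot: The new PATCHES entry is named `1.2.8-improve-sandbox-emptydir-performance.patch`, but the patch it adds introduces a `PodAnnotations` runtime option and copies matching pod annotations into the OCI spec; nothing visible in it mentions emptyDir. The comment above the entry should say what the carried patch does and why lakitu needs it, for example `# lakitu: pass allow-listed pod annotations to the OCI runtime (containerd/cri#1084); needed for <reason>`, so a later audit of carried patches does not depend on the file name. The PATCHES array starts outside this hunk.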
diff --git a/overlay-lakitu/app-emulation/containerd/files/1.2.8-improve-sandbox-emptydir-performance.patch b/overlay-lakitu/app-emulation/containerd/files/1.2.8-improve-sandbox-emptydir-performance.patch
new file mode 100644
index 0000000..0a48ee0
--- /dev/null
+++ b/overlay-lakitu/app-emulation/containerd/files/1.2.8-improve-sandbox-emptydir-performance.patch
@@ -0,0 +1,84 @@
+diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go
+index c80aed59..9a4021f0 100644
+--- a/vendor/github.com/containerd/cri/pkg/config/config.go
++++ b/vendor/github.com/containerd/cri/pkg/config/config.go
+@@ -30,6 +30,10 @@ type Runtime struct {
+ 	// This only works for runtime type "io.containerd.runtime.v1.linux".
+ 	// DEPRECATED: use Options instead. Remove when shim v1 is deprecated.
+ 	Engine string `toml:"runtime_engine" json:"runtimeEngine"`
++	// PodAnnotations is list of pod annotations passed to both pod sandbox as well as
++	// PodAnnotations is a list of pod annotations passed to both pod sandbox as well as
++	// container OCI annotations.
++	PodAnnotations []string `toml:"pod_annotations" json:"PodAnnotations"`
+ 	// Root is the directory used by containerd for runtime state.
+ 	// DEPRECATED: use Options instead. Remove when shim v1 is deprecated.
+ 	// This only works for runtime type "io.containerd.runtime.v1.linux".
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
+index a477245b..21a35101 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
+@@ -170,6 +170,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
+ 		return nil, errors.Wrapf(err, "failed to generate container %q spec", id)
+ 	}
+ 
++	ociRuntime, err := c.getSandboxRuntime(sandboxConfig, sandbox.Metadata.RuntimeHandler)
++	if err != nil {
++		return nil, errors.Wrap(err, "failed to get sandbox runtime")
++	}
++	logrus.Debugf("Use OCI %+v for sandbox %q and container %q", ociRuntime, sandboxID, id)
++
++	g := newSpecGenerator(spec)
++	for pKey, pValue := range getPassthroughAnnotations(sandboxConfig.Annotations, ociRuntime.PodAnnotations) {
++		g.AddAnnotation(pKey, pValue)
++	}
++	spec = g.Config
++
+ 	logrus.Debugf("Container %q spec: %#+v", id, spew.NewFormatter(spec))
+ 
+ 	// Set snapshotter before any other options.
+diff --git a/vendor/github.com/containerd/cri/pkg/server/helpers.go b/vendor/github.com/containerd/cri/pkg/server/helpers.go
+index 5c06f426..a74d6f2e 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/helpers.go
++++ b/vendor/github.com/containerd/cri/pkg/server/helpers.go
+@@ -585,3 +585,22 @@ func unknownSandboxStatus() sandboxstore.Status {
+ 		State: sandboxstore.StateUnknown,
+ 	}
+ }
++
++// getPassthroughAnnotations filters requested pod annotations by comparing
++// against permitted annotations for the given runtime.
++func getPassthroughAnnotations(podAnnotations map[string]string,
++	runtimePodAnnotations []string) (passthroughAnnotations map[string]string) {
++	passthroughAnnotations = make(map[string]string)
++
++	for podAnnotationKey, podAnnotationValue := range podAnnotations {
++		for _, pattern := range runtimePodAnnotations {
++			// Use path.Match instead of filepath.Match here.
++			// filepath.Match treated `\\` as path separator
++			// on windows, which is not what we want.
++			if ok, _ := path.Match(pattern, podAnnotationKey); ok {
++				passthroughAnnotations[podAnnotationKey] = podAnnotationValue
++			}
++		}
++	}
++	return passthroughAnnotations
++}
+diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
+index cf450623..660cf88d 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
++++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
+@@ -150,6 +150,13 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
+ 	if err != nil {
+ 		return nil, errors.Wrap(err, "failed to generate sandbox container spec")
+ 	}
++
++	g := newSpecGenerator(spec)
++	for pKey, pValue := range getPassthroughAnnotations(config.Annotations, ociRuntime.PodAnnotations) {
++		g.AddAnnotation(pKey, pValue)
++	}
++	spec = g.Config
++
+ 	logrus.Debugf("Sandbox container %q spec: %#+v", id, spew.NewFormatter(spec))
+ 
+ 	var specOpts []oci.SpecOpts
+
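Review bot: In `getPassthroughAnnotations` (the helpers.go part of the embedded patch) the error from `path.Match` is discarded, so a malformed entry in `pod_annotations` silently matches nothing and the operator gets no signal that the allowlist is broken. Consider `ok, err := path.Match(pattern, podAnnotationKey)` with a logged warning when `err != nil`, or validate the patterns once when the runtime config is loaded. Because annotation keys come from the pod spec and the `*` of `path.Match` does not cross `/`, the doc comment on `PodAnnotations` should state that entries are glob patterns and how they treat keys such as `example.com/name`; the first line of that comment is also duplicated in config.go. Separately, `g.AddAnnotation` runs after the spec is generated in both `CreateContainer` and `RunPodSandbox`, so a permitted key would presumably overwrite an annotation the spec already carries; it is worth confirming that keys the CRI plugin sets itself cannot be matched by a configured pattern.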