wire protocol: use dedicated RPC calls for all pod and container life-cycle events.

[klihub]

This PR updates the wire protocol/ttrpc API to have proper RPC calls and messages for all pod and container life-cycle events.

The added calls and messages replace the 'catch-most' StateChange call which is now used to relay {Run,Stop,Remove}PodSandbox pod and {PostCreate,Start,PostStart, PostUpdate,Remove} container events using a single 'event type + field union' message on the wire. The visible stub/plugin and runtime adaptation interfaces are unaffected. The PR leaves StateChange in the protocol to allow transparent backward compatibility, and updates the runtime adaptation to fall back to using StateChange if the plugin side NRI version does not implement the new RPC calls yet.

This has been attempted a few times earlier in connection with other changes, but since we've had multiple other real functional changes in flight, we always shied away from the resulting rebase conflicts and seeing this through. This time this is a self-contained PR with no other functional changes.

Although functionally straightforward, it's still painfully intrusive as it touches a lot of boilerplate. Currently we have 3 remaining PRs open which touch the protocol and will conflict: #166 (memory policy adjustment), #183 (plugin authentication), and #271 (version exchange). Of these #166 and #217 are probably small footprint enough to be fairly easily rebases (either way around).

Here are my updated runtime test trees with these changes included:

• containerd
• cri-o

[samuelkarp]

I know we were talking about a "nritest" tool; this would be a really good first use-case for it. We'd want to test these combinations:

• new runtime, new plugins (uses new RPCs)
• new runtime, old plugins (uses old RPCs)
• old runtime, new plugins (uses old RPCs)

And as discussed we'll need to expose whether old RPCs were used back up to the runtime so it can emit warnings about it too.

[mikebrow]

looks great just a few nits on the docs..

probably needs a read me / doc explaining the change wrapper support and any deprecation plans

[mikebrow]

pre/post v1.0.. hmm

[klihub]

Yes, it's a good question. I think it also depends a bit of the release cadence of the runtimes. Since it should be fairly cheap to keep the fallback to StateChange around I think we can be conservative about its deprecation and eventual removal, timewise.

[klihub]

looks great just a few nits on the docs..

probably needs a read me / doc explaining the change wrapper support and any deprecation plans

Added a section about deprecated interfaces to the README and a subsection explaining the deprecation of StateChange.

[mikebrow]

LGTM

[mikebrow]

thanks

[klihub]

And as discussed we'll need to expose whether old RPCs were used back up to the runtime so it can emit warnings about it too.

@samuelkarp I added the propragation of deprecation warnings back to the runtime and updated the linked working tree for containerd. With that in place now you get warnings like this when you run an old plugin:

$ ctr deprecations list
ID                                                LAST OCCURRENCE                   MESSAGE    
io.containerd.deprecation/nri-plugin-interface    2026-03-18T20:15:59.221928179Z    NRI plugin uses a deprecated interface.
$ journalctl -u containerd | grep "NRI plugin uses a deprecated interface"
Mar 18 20:15:04 n4c16-fedora-43-containerd containerd[19584]: time="2026-03-18T20:15:04.861795837Z" level=warning msg="NRI plugin uses a deprecated interface." deprecated=StateChange details="does not implement RunPodSandbox" plugin=10-template
Mar 18 20:15:04 n4c16-fedora-43-containerd containerd[19584]: time="2026-03-18T20:15:04.895085271Z" level=warning msg="NRI plugin uses a deprecated interface." deprecated=StateChange details="does not implement PostCreateContainer" plugin=10-template
Mar 18 20:15:04 n4c16-fedora-43-containerd containerd[19584]: time="2026-03-18T20:15:04.948749187Z" level=warning msg="NRI plugin uses a deprecated interface." deprecated=StateChange details="does not implement StartContainer" plugin=10-template
Mar 18 20:15:04 n4c16-fedora-43-containerd containerd[19584]: time="2026-03-18T20:15:04.956474857Z" level=warning msg="NRI plugin uses a deprecated interface." deprecated=StateChange details="does not implement PostStartContainer" plugin=10-template
Mar 18 20:55:54 n4c16-fedora-43-containerd containerd[15507]: time="2026-03-18T20:55:54.993906001Z" level=warning msg="NRI plugin uses a deprecated interface." deprecated=StateChange details="does not implement RemoveContainer" plugin=10-template
Mar 18 20:15:58 n4c16-fedora-43-containerd containerd[19584]: time="2026-03-18T20:15:58.070528415Z" level=warning msg="NRI plugin uses a deprecated interface." deprecated=StateChange details="does not implement StopPodSandbox" plugin=10-template
Mar 18 20:15:59 n4c16-fedora-43-containerd containerd[19584]: time="2026-03-18T20:15:59.221928179Z" level=warning msg="NRI plugin uses a deprecated interface." deprecated=StateChange details="does not implement RemovePodSandbox" plugin=10-template

[klihub]

@samuelkarp @chrishenzie PTAL, if you have spare cycles.

[samuelkarp]

Just a timing note here: due to the changes in the release cycle and safe upgrade policy, we can deprecate but we likely should not remove this support from containerd until 2.7 (next regular release after 2.6 LTS). We could try to get this change in for 2.3 LTS (in the next few weeks) and target removal in 2.4 (next regular release after 2.3 LTS), but that'd be a pretty short time for plugin authors to upgrade.

[mikebrow]

nod.. deprecation notice is fine for now. Target removal for 2.7 SGTM

[klihub]

@samuelkarp So anything remaining against merging this ?