fix: finch linux rootless containerd detection #8650

Open
robbrad wants to merge 10 commits into aws:develop from robbrad:fix/finch-linux-rootless-containerd-detection

@robbrad robbrad commented Feb 12, 2026

This PR fixes Finch detection on Linux systems using rootless containerd by checking multiple standard socket locations instead of using a hardcoded path.

Which issue(s) does this change fix?

fixes #8649

Problem

SAM CLI fails with "No container runtime available" on Linux with rootless containerd despite Finch being installed and working. The issue is that SAM CLI only checks /var/run/finch.sock, but rootless containerd uses $XDG_RUNTIME_DIR/containerd/containerd.sock.

Solution

Updated LinuxHandler.get_finch_socket_path() to check multiple locations in priority order:

  1. $XDG_RUNTIME_DIR/containerd/containerd.sock (rootless containerd)
  2. $XDG_RUNTIME_DIR/finch.sock (Finch-specific)
  3. ~/.finch/finch.sock (user home directory)
  4. /var/run/finch.sock (system-wide fallback)
  5. Returns None when no socket found (enables future CLI fallback)

Changes

  • Updated samcli/local/docker/platform_config.py
  • Added comprehensive unit tests
  • Added debug logging for troubleshooting

Testing

  • All unit tests pass
  • Verified with custom test script
  • Backward compatible - still checks system socket as fallback

Risk

LOW - Only affects Linux socket detection, no changes to macOS or Windows

Related Issues

Fixes issue where SAM CLI fails to detect Finch on Linux with rootless containerd.

Mandatory Checklist

PRs will only be reviewed after checklist is complete

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
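
The lookup order from the description above, as an added example (not the PR's code): each candidate must also be a Unix socket owned by the calling user or root, which os.path.exists alone does not establish. The function names and the system_sock parameter are assumptions of this sketch.

```python
import os
import stat
from typing import List, Mapping, Optional


def candidate_sockets(env: Mapping[str, str], home: str,
                      system_sock: str = "/var/run/finch.sock") -> List[str]:
    """Candidate paths in the priority order given in the PR description."""
    paths = []
    xdg = env.get("XDG_RUNTIME_DIR")
    if xdg:  # may be unset; then only the last two candidates apply
        paths.append(os.path.join(xdg, "containerd", "containerd.sock"))
        paths.append(os.path.join(xdg, "finch.sock"))
    paths.append(os.path.join(home, ".finch", "finch.sock"))
    paths.append(system_sock)
    return paths


def is_trusted_socket(path: str, uid: int) -> bool:
    """True only for a Unix socket owned by uid or by root."""
    try:
        st = os.stat(path)  # follows symlinks, so the target is what gets checked
    except OSError:
        return False
    return stat.S_ISSOCK(st.st_mode) and st.st_uid in (uid, 0)


def find_socket(env, home, uid, system_sock="/var/run/finch.sock") -> Optional[str]:
    """First acceptable candidate as a unix:// URL, or None if there is none."""
    for path in candidate_sockets(env, home, system_sock):
        if is_trusted_socket(path, uid):
            return "unix://" + path
    return None


if __name__ == "__main__":
    print(find_socket(os.environ, os.path.expanduser("~"), os.getuid()))
```

A regular file or a socket owned by another unprivileged user at a higher-priority path is skipped, and the search continues with the next candidate.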

Updated LinuxHandler.get_finch_socket_path() to check multiple standard
socket locations instead of using a hardcoded path.
Added comprehensive tests for all socket detection scenarios on Linux.
@robbrad robbrad requested a review from a team as a code owner February 12, 2026 20:48
@github-actions github-actions bot added area/local/start-api sam local start-api command area/local/invoke sam local invoke command area/local/start-invoke pr/external stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Feb 12, 2026
@robbrad robbrad changed the title Fix/finch linux rootless containerd detection fix: finch linux rootless containerd detection Feb 12, 2026

@reedham-aws reedham-aws left a comment

One thing that needs to be modified in this PR is actually where we're collecting metrics:

    def _get_container_engine_from_socket_path(self, socket_path: str) -> str:
        """
        Detect container engine from socket path.
        This handles detection for any socket path, whether from stored telemetry or environment.
        Translation:
        Value                                           Final Value
        # Case 1: Empty/None
        - ""                                         -> docker-default
        # Case 2: Check Path-specific
        - unix://~/.colima/default/docker.sock       -> colima
        - unix://~/.lima/default/sock/docker.sock    -> lima
        - unix://~/.rd/docker.sock                   -> rancher-desktop
        - unix://~/.orbstack/run/docker.sock         -> orbstack
        # Case 3: Check Socket value
        - unix://~/.finch/finch.sock                 -> finch
        - unix:///var/run/docker.sock                -> docker
        - unix:///run/user/1000/podman/podman.sock   -> podman
        # Case 4: Check TCP
        - tcp://localhost:2375                       -> tcp-local
        - tcp://localhost:2376                       -> tcp-local
        - tcp://host.docker.internal:*               -> tcp-remote
        # Case 5: Other
        - other value                                -> unknown
        """

You can see that we determine container engine based on the socket path. Anything that has finch.sock will be labeled as finch, but the containerd.sock will fall through to unknown. The part I don't quite understand is how we'd categorize containerd here; correct me if I'm wrong, but I don't think this is really a finch specific socket, so it doesn't really fit in that bucket. I left another comment on the PR to that effect.

On another note, I haven't fully reviewed the tests either, I can get to those later. There are also some formatting errors, but those could probably be cleaned up with make format or make lint.

# Rootless containerd socket (most common on Linux)
containerd_sock = os.path.join(xdg_runtime_dir, "containerd", "containerd.sock")
if os.path.exists(containerd_sock):
LOG.debug(f"Found Finch socket at XDG_RUNTIME_DIR: {containerd_sock}")
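
Review bot: os.path.exists(containerd_sock) is true for any file type at that path, and the LOG.debug line then reports "Found Finch socket" for what is the generic containerd/containerd.sock path. Consider requiring stat.S_ISSOCK on the path before accepting it, and wording the message as a rootless containerd socket so the debug log does not attribute it to Finch.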

Is the containerd_sock exclusively for finch, though? Couldn't other container clients/engines be using this socket?

@@ -123,11 +123,49 @@ def _read_config(self) -> Optional[str]:

We should add a basic e2e test with rootless setup to see if it actually works.
Unit test I feel is not sufficient to check system-related configs.

This will also check the networking works as we probably will need to pull some container.

My one concern is that an added integration test for this situation will end up adding a lot of complexity to our testing structure, especially because this is a niche situation that requires a non-trivial amount of changes to the environment. I can discuss this further with the team.


# Default fallback to system socket
return "unix:///var/run/finch.sock"
Returns the socket path for Linux, checking multiple locations.
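
Review bot: the docstring line "Returns the socket path for Linux, checking multiple locations." does not say what comes back when no location matches, while the fallback shown with it returns the fixed string "unix:///var/run/finch.sock". Spell out the search order and the no-match result in the docstring, and make sure the return annotation and the callers agree with it.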

needs integ test to check builds work too in rootless mode?

@reedham-aws reedham-aws removed the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label Feb 13, 2026

Successfully merging this pull request may close these issues.

Bug: SAM CLI Finch Detection Fails on Linux with Rootless Containerd