From a527acc55f6e0bacf42cd3ecf01cce68070f0922 Mon Sep 17 00:00:00 2001 From: Kirtana Ashok Date: Mon, 2 Oct 2023 12:47:50 -0700 Subject: [PATCH] Remove pause container creation for process isolated containers This commit does the following: - Introduces new HostComputeNamespace.ReadyOnCreate field and set it for HNS versions that support pause container removal - Remove pause container creation while creating process isolated pods for HNS versions that support pause container creation Signed-off-by: Kirtana Ashok --- cmd/containerd-shim-runhcs-v1/pod.go | 40 ++++++++++++++++++---------- hcn/hcnnamespace.go | 14 ++++++++++ 2 files changed, 40 insertions(+), 14 deletions(-) diff --git a/cmd/containerd-shim-runhcs-v1/pod.go b/cmd/containerd-shim-runhcs-v1/pod.go index 1d2551ee4d..967ad27904 100644 --- a/cmd/containerd-shim-runhcs-v1/pod.go +++ b/cmd/containerd-shim-runhcs-v1/pod.go @@ -10,6 +10,7 @@ import ( "strings" "sync" + "github.com/Microsoft/hcsshim" "github.com/Microsoft/hcsshim/internal/layers" "github.com/Microsoft/hcsshim/internal/log" "github.com/Microsoft/hcsshim/internal/oci" @@ -69,6 +70,22 @@ type shimPod interface { DeleteTask(ctx context.Context, tid string) error } +func isPauseContainerRequired() bool { + // HNS versions >= 15.2 change how network compartments are + // initialized for pods. This supports removal of pause containers + // for process isolation. + isPauseContainerNeeded := true + hnsGlobals, err := hcsshim.GetHNSGlobals() + if err == nil { + if hnsGlobals.Version.Major > 15 || + (hnsGlobals.Version.Major == 15 && hnsGlobals.Version.Minor >= 2) { + isPauseContainerNeeded = false + } + } + + return isPauseContainerNeeded +} + func createPod(ctx context.Context, events publisher, req *task.CreateTaskRequest, s *specs.Spec) (_ shimPod, err error) { log.G(ctx).WithField("tid", req.ID).Debug("createPod") @@ -143,7 +160,6 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques parent.Close() return nil, err } - } else if oci.IsJobContainer(s) { // If we're making a job container fake a task (i.e reuse the wcowPodSandbox logic) p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, "") @@ -190,25 +206,21 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques } } - // TODO: JTERRY75 - There is a bug in the compartment activation for Windows - // Process isolated that requires us to create the real pause container to - // hold the network compartment open. This is not required for Windows - // Hypervisor isolated. When we have a build that supports this for Windows - // Process isolated make sure to move back to this model. - // For WCOW we fake out the init task since we dont need it. We only // need to provision the guest network namespace if this is hypervisor // isolated. Process isolated WCOW gets the namespace endpoints // automatically. nsid := "" - if isWCOW && parent != nil { - if s.Windows != nil && s.Windows.Network != nil { - nsid = s.Windows.Network.NetworkNamespace - } + if isWCOW && (parent != nil || !isPauseContainerRequired()) { + if parent != nil { + if s.Windows != nil && s.Windows.Network != nil { + nsid = s.Windows.Network.NetworkNamespace + } - if nsid != "" { - if err := parent.ConfigureNetworking(ctx, nsid); err != nil { - return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID) + if nsid != "" { + if err := parent.ConfigureNetworking(ctx, nsid); err != nil { + return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID) + } } } p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, nsid) diff --git a/hcn/hcnnamespace.go b/hcn/hcnnamespace.go index e855f5a3aa..1b5b34ff20 100644 --- a/hcn/hcnnamespace.go +++ b/hcn/hcnnamespace.go @@ -9,6 +9,7 @@ import ( "syscall" "github.com/Microsoft/go-winio/pkg/guid" + "github.com/Microsoft/hcsshim" icni "github.com/Microsoft/hcsshim/internal/cni" "github.com/Microsoft/hcsshim/internal/interop" "github.com/Microsoft/hcsshim/internal/regstate" @@ -63,6 +64,7 @@ type HostComputeNamespace struct { Type NamespaceType `json:",omitempty"` // Host, HostDefault, Guest, GuestDefault Resources []NamespaceResource `json:",omitempty"` SchemaVersion SchemaVersion `json:",omitempty"` + ReadyOnCreate bool `json:",omitempty"` } // ModifyNamespaceSettingRequest is the structure used to send request to modify a namespace. @@ -309,9 +311,21 @@ func GetNamespaceContainerIds(namespaceID string) ([]string, error) { // NewNamespace creates a new Namespace object func NewNamespace(nsType NamespaceType) *HostComputeNamespace { + // HNS versions >= 15.2 change how network compartments are + // initialized for pods and depends on ReadyOnCreate flag in + // HCN namespace. It primarily supports removal of pause containers + // for process isolation. + isReadyOnCreate := false + hnsGlobals, err := hcsshim.GetHNSGlobals() + if err == nil { + isReadyOnCreate = (hnsGlobals.Version.Major > 15) || + (hnsGlobals.Version.Major == 15 && hnsGlobals.Version.Minor >= 2) + } + return &HostComputeNamespace{ Type: nsType, SchemaVersion: V2SchemaVersion(), + ReadyOnCreate: isReadyOnCreate, } }