Remove pause container creation for process isolated containers

This commit does the following: - Introduces new HostComputeNamespace.ReadyOnCreate field and set it for HNS versions that support pause container removal - Remove pause container creation while creating process isolated pods for HNS versions that support pause container creation Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
microsoft · Apr 15, 2024 · 6e28691 · 6e28691
1 parent 1d406d0
commit 6e28691
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 14 deletions.
diff --git a/cmd/containerd-shim-runhcs-v1/pod.go b/cmd/containerd-shim-runhcs-v1/pod.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/Microsoft/hcsshim"
 	"github.com/Microsoft/hcsshim/internal/layers"
 	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/oci"
@@ -69,6 +70,22 @@ type shimPod interface {
 	DeleteTask(ctx context.Context, tid string) error
 }
 
+func isPauseContainerRequired() bool {
+	// HNS versions >= 15.2 change how network compartments are
+	// initialized for pods. This supports removal of pause containers
+	// for process isolation.
+	isPauseContainerNeeded := true
+	hnsGlobals, err := hcsshim.GetHNSGlobals()
+	if err == nil {
+		if hnsGlobals.Version.Major > 15 ||
+			(hnsGlobals.Version.Major == 15 && hnsGlobals.Version.Minor >= 2) {
+			isPauseContainerNeeded = false
+		}
+	}
+
+	return isPauseContainerNeeded
+}
+
 func createPod(ctx context.Context, events publisher, req *task.CreateTaskRequest, s *specs.Spec) (_ shimPod, err error) {
 	log.G(ctx).WithField("tid", req.ID).Debug("createPod")
 
@@ -143,7 +160,6 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 			parent.Close()
 			return nil, err
 		}
-
 	} else if oci.IsJobContainer(s) {
 		// If we're making a job container fake a task (i.e reuse the wcowPodSandbox logic)
 		p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, "")
@@ -190,25 +206,21 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 		}
 	}
 
-	// TODO: JTERRY75 - There is a bug in the compartment activation for Windows
-	// Process isolated that requires us to create the real pause container to
-	// hold the network compartment open. This is not required for Windows
-	// Hypervisor isolated. When we have a build that supports this for Windows
-	// Process isolated make sure to move back to this model.
-
 	// For WCOW we fake out the init task since we dont need it. We only
 	// need to provision the guest network namespace if this is hypervisor
 	// isolated. Process isolated WCOW gets the namespace endpoints
 	// automatically.
 	nsid := ""
-	if isWCOW && parent != nil {
-		if s.Windows != nil && s.Windows.Network != nil {
-			nsid = s.Windows.Network.NetworkNamespace
-		}
+	if isWCOW && (parent != nil || (parent == nil && !isPauseContainerRequired())) {
+		if parent != nil {
+			if s.Windows != nil && s.Windows.Network != nil {
+				nsid = s.Windows.Network.NetworkNamespace
+			}
 
-		if nsid != "" {
-			if err := parent.ConfigureNetworking(ctx, nsid); err != nil {
-				return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID)
+			if nsid != "" {
+				if err := parent.ConfigureNetworking(ctx, nsid); err != nil {
+					return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID)
+				}
 			}
 		}
 		p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, nsid)

diff --git a/hcn/hcnnamespace.go b/hcn/hcnnamespace.go
@@ -9,6 +9,7 @@ import (
 	"syscall"
 
 	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/hcsshim"
 	icni "github.com/Microsoft/hcsshim/internal/cni"
 	"github.com/Microsoft/hcsshim/internal/interop"
 	"github.com/Microsoft/hcsshim/internal/regstate"
@@ -63,6 +64,7 @@ type HostComputeNamespace struct {
 	Type          NamespaceType       `json:",omitempty"` // Host, HostDefault, Guest, GuestDefault
 	Resources     []NamespaceResource `json:",omitempty"`
 	SchemaVersion SchemaVersion       `json:",omitempty"`
+	ReadyOnCreate bool                `json:",omitempty"`
 }
 
 // ModifyNamespaceSettingRequest is the structure used to send request to modify a namespace.
@@ -309,9 +311,21 @@ func GetNamespaceContainerIds(namespaceID string) ([]string, error) {
 
 // NewNamespace creates a new Namespace object
 func NewNamespace(nsType NamespaceType) *HostComputeNamespace {
+	// HNS versions >= 15.2 change how network compartments are
+	// initialized for pods and depends on ReadyOnCreate flag in
+	// HCN namespace. It primarily supports removal of pause containers
+	// for process isolation.
+	isReadyOnCreate := false
+	hnsGlobals, err := hcsshim.GetHNSGlobals()
+	if err == nil {
+		isReadyOnCreate = (hnsGlobals.Version.Major > 15) ||
+			(hnsGlobals.Version.Major == 15 && hnsGlobals.Version.Minor >= 2)
+	}
+
 	return &HostComputeNamespace{
 		Type:          nsType,
 		SchemaVersion: V2SchemaVersion(),
+		ReadyOnCreate: isReadyOnCreate,
 	}
 }