Remove pause container creation for process isolated containers

This commit does the following: - Introduces new HostComputeNamespace.ReadyOnCreate field and set it for HNS versions that support pause container removal - Removes pause container creation while creating process isolated pods for HNS versions that support pause container creation Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
microsoft · Dec 6, 2023 · 9f35c91 · 9f35c91
1 parent 0af576d
commit 9f35c91
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 15 deletions.
diff --git a/cmd/containerd-shim-runhcs-v1/pod.go b/cmd/containerd-shim-runhcs-v1/pod.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/Microsoft/hcsshim/internal/hns"
 	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/Microsoft/hcsshim/internal/uvm"
@@ -68,6 +69,23 @@ type shimPod interface {
 	DeleteTask(ctx context.Context, tid string) error
 }
 
+// Checks HNS version currently being used to determine if pause containers can
+// be removed for process isolated cases or not.
+func canDropPauseContainerCreation() bool {
+	hnsGlobals, err := hns.GetHNSGlobals()
+	if err != nil {
+		log.G(context.Background()).Debugf("failed to get HNS globals: %v", err)
+		return false
+	}
+
+	// Check for HNS versions that support pause container removal
+	if (hnsGlobals.Version.Major > 15) ||
+		(hnsGlobals.Version.Major == 15 && hnsGlobals.Version.Minor >= 2) {
+		return true
+	}
+	return false
+}
+
 func createPod(ctx context.Context, events publisher, req *task.CreateTaskRequest, s *specs.Spec) (_ shimPod, err error) {
 	log.G(ctx).WithField("tid", req.ID).Debug("createPod")
 
@@ -149,7 +167,6 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 			parent.Close()
 			return nil, err
 		}
-
 	} else if oci.IsJobContainer(s) {
 		// If we're making a job container fake a task (i.e reuse the wcowPodSandbox logic)
 		p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, "")
@@ -196,25 +213,21 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 		}
 	}
 
-	// TODO: JTERRY75 - There is a bug in the compartment activation for Windows
-	// Process isolated that requires us to create the real pause container to
-	// hold the network compartment open. This is not required for Windows
-	// Hypervisor isolated. When we have a build that supports this for Windows
-	// Process isolated make sure to move back to this model.
-
 	// For WCOW we fake out the init task since we dont need it. We only
 	// need to provision the guest network namespace if this is hypervisor
 	// isolated. Process isolated WCOW gets the namespace endpoints
 	// automatically.
 	nsid := ""
-	if isWCOW && parent != nil {
-		if s.Windows != nil && s.Windows.Network != nil {
-			nsid = s.Windows.Network.NetworkNamespace
-		}
+	if isWCOW && (parent != nil || (parent == nil && canDropPauseContainerCreation())) {
+		if parent != nil {
+			if s.Windows != nil && s.Windows.Network != nil {
+				nsid = s.Windows.Network.NetworkNamespace
+			}
 
-		if nsid != "" {
-			if err := parent.ConfigureNetworking(ctx, nsid); err != nil {
-				return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID)
+			if nsid != "" {
+				if err := parent.ConfigureNetworking(ctx, nsid); err != nil {
+					return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID)
+				}
 			}
 		}
 		p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, nsid)

diff --git a/hcn/hcnnamespace.go b/hcn/hcnnamespace.go
@@ -8,6 +8,7 @@ import (
 	"syscall"
 
 	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/hcsshim"
 	icni "github.com/Microsoft/hcsshim/internal/cni"
 	"github.com/Microsoft/hcsshim/internal/interop"
 	"github.com/Microsoft/hcsshim/internal/regstate"
@@ -62,6 +63,7 @@ type HostComputeNamespace struct {
 	Type          NamespaceType       `json:",omitempty"` // Host, HostDefault, Guest, GuestDefault
 	Resources     []NamespaceResource `json:",omitempty"`
 	SchemaVersion SchemaVersion       `json:",omitempty"`
+	ReadyOnCreate bool                `json:",omitempty"`
 }
 
 // ModifyNamespaceSettingRequest is the structure used to send request to modify a namespace.
@@ -308,10 +310,24 @@ func GetNamespaceContainerIds(namespaceID string) ([]string, error) {
 
 // NewNamespace creates a new Namespace object
 func NewNamespace(nsType NamespaceType) *HostComputeNamespace {
-	return &HostComputeNamespace{
+	hostComputeNamespace := HostComputeNamespace{
 		Type:          nsType,
 		SchemaVersion: V2SchemaVersion(),
 	}
+	// Set ReadyOnCreate to true if HNS version >= 15.2 or 13.4 .
+	// These versions of HNS change how network compartments are
+	// initialized and depend on ReadyOnCreate field for the same.
+	// These changes on HNS side were mostly made to support removal
+	// of pause containers for windows process isolated scenarios.
+	hnsGlobals, err := hcsshim.GetHNSGlobals()
+	if err != nil {
+		if (hnsGlobals.Version.Major > 15) ||
+			(hnsGlobals.Version.Major == 15 && hnsGlobals.Version.Minor >= 2) {
+			hostComputeNamespace.ReadyOnCreate = true
+		}
+	}
+
+	return &hostComputeNamespace
 }
 
 // Create Namespace.