Remove pause container creation for process isolated containers

This commit does the following: - Introduces new HostComputeNamespace.ReadyOnCreate field and set it for HNS versions that support pause container removal - Remove pause container creation while creating process isolated pods for HNS versions that support pause container creation Signed-off-by: Kirtana Ashok <[email protected]>
kiashok · Feb 11, 2025 · a7fa46d · a7fa46d
1 parent bd7c37c
commit a7fa46d
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 14 deletions.
diff --git a/cmd/containerd-shim-runhcs-v1/pod.go b/cmd/containerd-shim-runhcs-v1/pod.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/Microsoft/hcsshim/hcn"
 	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/Microsoft/hcsshim/internal/uvm"
@@ -149,7 +150,6 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 			parent.Close()
 			return nil, err
 		}
-
 	} else if oci.IsJobContainer(s) {
 		// If we're making a job container fake a task (i.e reuse the wcowPodSandbox logic)
 		p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, "")
@@ -196,25 +196,21 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 		}
 	}
 
-	// TODO: JTERRY75 - There is a bug in the compartment activation for Windows
-	// Process isolated that requires us to create the real pause container to
-	// hold the network compartment open. This is not required for Windows
-	// Hypervisor isolated. When we have a build that supports this for Windows
-	// Process isolated make sure to move back to this model.
-
 	// For WCOW we fake out the init task since we dont need it. We only
 	// need to provision the guest network namespace if this is hypervisor
 	// isolated. Process isolated WCOW gets the namespace endpoints
 	// automatically.
 	nsid := ""
-	if isWCOW && parent != nil {
-		if s.Windows != nil && s.Windows.Network != nil {
-			nsid = s.Windows.Network.NetworkNamespace
-		}
+	if isWCOW && (parent != nil || hcn.CanRemovePauseContainer()) {
+		if parent != nil {
+			if s.Windows != nil && s.Windows.Network != nil {
+				nsid = s.Windows.Network.NetworkNamespace
+			}
 
-		if nsid != "" {
-			if err := parent.ConfigureNetworking(ctx, nsid); err != nil {
-				return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID)
+			if nsid != "" {
+				if err := parent.ConfigureNetworking(ctx, nsid); err != nil {
+					return nil, errors.Wrapf(err, "failed to setup networking for pod %q", req.ID)
+				}
 			}
 		}
 		p.sandboxTask = newWcowPodSandboxTask(ctx, events, req.ID, req.Bundle, parent, nsid)

diff --git a/hcn/hcnnamespace.go b/hcn/hcnnamespace.go
@@ -8,6 +8,7 @@ import (
 	"syscall"
 
 	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/hcsshim"
 	icni "github.com/Microsoft/hcsshim/internal/cni"
 	"github.com/Microsoft/hcsshim/internal/interop"
 	"github.com/Microsoft/hcsshim/internal/regstate"
@@ -62,6 +63,7 @@ type HostComputeNamespace struct {
 	Type          NamespaceType       `json:",omitempty"` // Host, HostDefault, Guest, GuestDefault
 	Resources     []NamespaceResource `json:",omitempty"`
 	SchemaVersion SchemaVersion       `json:",omitempty"`
+	ReadyOnCreate bool                `json:",omitempty"`
 }
 
 // ModifyNamespaceSettingRequest is the structure used to send request to modify a namespace.
@@ -306,6 +308,19 @@ func GetNamespaceContainerIds(namespaceID string) ([]string, error) {
 	return containerIds, nil
 }
 
+func CanRemovePauseContainer() bool {
+	// HNS versions >= 15.2 change how network compartments are
+	// initialized for pods. This supports removal of pause containers
+	// for process isolation.
+	hnsGlobals, err := hcsshim.GetHNSGlobals()
+	if err == nil {
+		return (hnsGlobals.Version.Major > 15) ||
+			(hnsGlobals.Version.Major == 15 && hnsGlobals.Version.Minor >= 2)
+	}
+
+	return false
+}
+
 // NewNamespace creates a new Namespace object
 func NewNamespace(nsType NamespaceType) *HostComputeNamespace {
 	return &HostComputeNamespace{
@@ -318,6 +333,12 @@ func NewNamespace(nsType NamespaceType) *HostComputeNamespace {
 func (namespace *HostComputeNamespace) Create() (*HostComputeNamespace, error) {
 	logrus.Debugf("hcn::HostComputeNamespace::Create id=%s", namespace.Id)
 
+	// Set ReadyOnCreate flag to true only if pause containers
+	// can be removed.
+	if CanRemovePauseContainer() {
+		namespace.ReadyOnCreate = true
+	}
+
 	jsonString, err := json.Marshal(namespace)
 	if err != nil {
 		return nil, err