Make copies of the VMGS for each confidential pod

ambarve · ambarve · commit 36f0201e0280 · 2025-10-01T15:11:04.000-04:00
Even though VMGS files aren't written to, we can't share the same file across multiple
pods because HCS seems to be taking an exclusive lock on the file. To handle this, we make
copies of the VMGS file (similar to how we make copies of the EFI VHD) per pod.  This
commit also changes the name of the default VMGS file to `cwcow.snp.vmgs` to better convey
that by default we run in SNP mode. If a different VMGS file is desired,
`"io.microsoft.virtualmachine.wcow.gueststatefile"` annotation can be used to override
that.

This commit also adds the code to handle the UVM console pipe annotation, if provided, for
windows pods.

Signed-off-by: Amit Barve &lt;ambarve@microsoft.com&gt;
diff --git a/cmd/containerd-shim-runhcs-v1/pod.go b/cmd/containerd-shim-runhcs-v1/pod.go
@@ -37,6 +37,7 @@ func initializeWCOWBootFiles(ctx context.Context, wopts *uvm.OptionsWCOW, rootfs
 	if s.Windows != nil {
 		layerFolders = s.Windows.LayerFolders
 	}
+	log.G(ctx).WithField("options", log.Format(ctx, *wopts)).Debug("initialize WCOW boot files")
 
 	wopts.BootFiles, err = layers.GetWCOWUVMBootFilesFromLayers(ctx, rootfs, layerFolders)
 	if err != nil {
@@ -50,6 +51,16 @@ func initializeWCOWBootFiles(ctx context.Context, wopts *uvm.OptionsWCOW, rootfs
 		// we use measured EFI & rootfs for confidential UVMs, use those instead of the ones passed in layers/rootfs
 		wopts.BootFiles.BlockCIMFiles.EFIVHDPath = uvm.GetDefaultConfidentialEFIPath()
 		wopts.BootFiles.BlockCIMFiles.BootCIMVHDPath = uvm.GetDefaultConfidentialBootCIMPath()
+
+		// make a copy of the vmgs file as the same vmgs can not be used by multiple pods in parallel
+		// TODO(ambarve): for C-LCOW we make a copy in the bundle directory, is it better
+		// to use the bundle directory instead of the snapshot directory?
+		vmgsCopyPath := filepath.Join(filepath.Dir(wopts.BootFiles.BlockCIMFiles.ScratchVHDPath), filepath.Base(wopts.GuestStateFilePath))
+		if err := copyfile.CopyFile(ctx, wopts.GuestStateFilePath, vmgsCopyPath, false); err != nil {
+			return fmt.Errorf("failed to make a copy of VMGS: %w", err)
+		}
+		wopts.GuestStateFilePath = vmgsCopyPath
+
 	} else if wopts.BootFiles.BootType == uvm.BlockCIMBoot {
 		// Supporting hyperv isolation with block CIM layers requires changes in
 		// the image pull path to prepare the EFI VHD. But more importantly, since both the
@@ -69,7 +80,7 @@ func initializeWCOWBootFiles(ctx context.Context, wopts *uvm.OptionsWCOW, rootfs
 		// UVM.
 		writableEFIVHDPath := filepath.Join(filepath.Dir(wopts.BootFiles.BlockCIMFiles.ScratchVHDPath), filepath.Base(wopts.BootFiles.BlockCIMFiles.EFIVHDPath))
 		if err := copyfile.CopyFile(ctx, wopts.BootFiles.BlockCIMFiles.EFIVHDPath, writableEFIVHDPath, false); err != nil {
-			return fmt.Errorf("failed to copy EFI VHD at %s: %w", writableEFIVHDPath, err)
+			return fmt.Errorf("failed to copy EFI VHD: %w", err)
 		}
 		wopts.BootFiles.BlockCIMFiles.EFIVHDPath = writableEFIVHDPath
 	}
diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go
@@ -330,6 +330,7 @@ func specToUVMCreateOptionsCommon(ctx context.Context, opts *uvm.Options, s *spe
 		opts.NumaProcessorCounts)
 	opts.NumaMemoryBlocksCounts = ParseAnnotationCommaSeparatedUint64(ctx, s.Annotations, annotations.NumaCountOfMemoryBlocks,
 		opts.NumaMemoryBlocksCounts)
+	opts.ConsolePipe = ParseAnnotationsString(s.Annotations, iannotations.UVMConsolePipe, opts.ConsolePipe)
 
 	maps.Copy(opts.AdditionalHyperVConfig, parseHVSocketServiceTable(ctx, s.Annotations))
 
@@ -376,7 +377,6 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		lopts.UVMReferenceInfoFile = ParseAnnotationsString(s.Annotations, annotations.LCOWReferenceInfoFile, lopts.UVMReferenceInfoFile)
 		lopts.KernelBootOptions = ParseAnnotationsString(s.Annotations, annotations.KernelBootOptions, lopts.KernelBootOptions)
 		lopts.DisableTimeSyncService = ParseAnnotationsBool(ctx, s.Annotations, annotations.DisableLCOWTimeSyncService, lopts.DisableTimeSyncService)
-		lopts.ConsolePipe = ParseAnnotationsString(s.Annotations, iannotations.UVMConsolePipe, lopts.ConsolePipe)
 		handleAnnotationPreferredRootFSType(ctx, s.Annotations, lopts)
 		handleAnnotationKernelDirectBoot(ctx, s.Annotations, lopts)
 		handleAnnotationFullyPhysicallyBacked(ctx, s.Annotations, lopts)
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
@@ -66,7 +66,7 @@ func defaultConfidentialWCOWOSBootFilesPath() string {
 }
 
 func GetDefaultConfidentialVMGSPath() string {
-	return filepath.Join(defaultConfidentialWCOWOSBootFilesPath(), "cwcow.vmgs")
+	return filepath.Join(defaultConfidentialWCOWOSBootFilesPath(), "cwcow.snp.vmgs")
 }
 
 func GetDefaultConfidentialBootCIMPath() string {

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func defaultConfidentialWCOWOSBootFilesPath() string {`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`func GetDefaultConfidentialVMGSPath() string {`
`69`		`- return filepath.Join(defaultConfidentialWCOWOSBootFilesPath(), "cwcow.vmgs")`
	`69`	`+ return filepath.Join(defaultConfidentialWCOWOSBootFilesPath(), "cwcow.snp.vmgs")`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`func GetDefaultConfidentialBootCIMPath() string {`