Add multi-pod tmpfs support; fix lint errors

Remove unused functions `get(Sandbox|Standalone)(Hostname|Hosts|Resolv)Path`
and replace them with their `VirtualPodAware` counterparts to satisfy
linter. (The original functions are already replaced wholesale).

Expand multi-pod functionality to include tmpfs-backed sandbox mounts.

Signed-off-by: Hamza El-Saawy <[email protected]>

Author: helsaawy

internal/guest/runtime/hcsv2/container.go

@@ -201,14 +201,17 @@ func (c *Container) Delete(ctx context.Context) error {
 		}
 
 		// remove user mounts in sandbox container - use virtual pod aware paths
-		mountsDir := specGuest.VirtualPodAwareSandboxMountsDir(c.id, virtualSandboxID)
-		if err := storage.UnmountAllInPath(ctx, mountsDir, true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxMountsDir(c.id, virtualSandboxID), true); err != nil {
 			entity.WithError(err).Error("failed to unmount sandbox mounts")
 		}
 
+		// remove user mounts in tmpfs sandbox container - use virtual pod aware paths
+		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxTmpfsMountsDir(c.id, virtualSandboxID), true); err != nil {
+			entity.WithError(err).Error("failed to unmount tmpfs sandbox mounts")
+		}
+
 		// remove hugepages mounts in sandbox container - use virtual pod aware paths
-		hugePagesDir := specGuest.VirtualPodAwareHugePagesMountsDir(c.id, virtualSandboxID)
-		if err := storage.UnmountAllInPath(ctx, hugePagesDir, true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareHugePagesMountsDir(c.id, virtualSandboxID), true); err != nil {
 			entity.WithError(err).Error("failed to unmount hugepages mounts")
 		}
 	}

internal/guest/runtime/hcsv2/sandbox_container.go

@@ -20,27 +20,15 @@ import (
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
-func getSandboxHostnamePath(id string) string {
-	return filepath.Join(specGuest.SandboxRootDir(id), "hostname")
-}
-
-func getVirtualPodAwareSandboxHostnamePath(id, virtualSandboxID string) string {
+func getSandboxHostnamePath(id, virtualSandboxID string) string {
 	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hostname")
 }
 
-func getSandboxHostsPath(id string) string {
-	return filepath.Join(specGuest.SandboxRootDir(id), "hosts")
-}
-
-func getVirtualPodAwareSandboxHostsPath(id, virtualSandboxID string) string {
+func getSandboxHostsPath(id, virtualSandboxID string) string {
 	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hosts")
 }
 
-func getSandboxResolvPath(id string) string {
-	return filepath.Join(specGuest.SandboxRootDir(id), "resolv.conf")
-}
-
-func getVirtualPodAwareSandboxResolvPath(id, virtualSandboxID string) string {
+func getSandboxResolvPath(id, virtualSandboxID string) string {
 	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "resolv.conf")
 }
 
@@ -74,19 +62,18 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		}
 	}
 
-	sandboxHostnamePath := getVirtualPodAwareSandboxHostnamePath(id, virtualSandboxID)
+	sandboxHostnamePath := getSandboxHostnamePath(id, virtualSandboxID)
 	if err := os.WriteFile(sandboxHostnamePath, []byte(hostname+"\n"), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write hostname to %q", sandboxHostnamePath)
 	}
 
 	// Write the hosts
 	sandboxHostsContent := network.GenerateEtcHostsContent(ctx, hostname)
-	sandboxHostsPath := getVirtualPodAwareSandboxHostsPath(id, virtualSandboxID)
+	sandboxHostsPath := getSandboxHostsPath(id, virtualSandboxID)
 	if err := os.WriteFile(sandboxHostsPath, []byte(sandboxHostsContent), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write sandbox hosts to %q", sandboxHostsPath)
 	}
 
-	log.G(ctx).Debug("quick setup network namespace, cflick")
 	// Check if this is a virtual pod sandbox container by comparing container ID with virtual pod ID
 	isVirtualPodSandbox := virtualSandboxID != "" && id == virtualSandboxID
 	if strings.EqualFold(spec.Annotations[annotations.SkipPodNetworking], "true") || isVirtualPodSandbox {
@@ -97,7 +84,6 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		}
 	}
 	// Write resolv.conf
-	log.G(ctx).Debug("sandbox resolv.conf, cflick")
 	ns, err := getNetworkNamespace(specGuest.GetNetworkNamespaceID(spec))
 	if err != nil {
 		if !strings.EqualFold(spec.Annotations[annotations.SkipPodNetworking], "true") {
@@ -119,7 +105,7 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		if err != nil {
 			return errors.Wrap(err, "failed to generate sandbox resolv.conf content")
 		}
-		sandboxResolvPath := getVirtualPodAwareSandboxResolvPath(id, virtualSandboxID)
+		sandboxResolvPath := getSandboxResolvPath(id, virtualSandboxID)
 		if err := os.WriteFile(sandboxResolvPath, []byte(resolvContent), 0644); err != nil {
 			return errors.Wrap(err, "failed to write sandbox resolv.conf")
 		}

internal/guest/runtime/hcsv2/standalone_container.go

@@ -20,40 +20,24 @@ import (
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
-func getStandaloneRootDir(id string) string {
-	return filepath.Join(guestpath.LCOWRootPrefixInUVM, id)
-}
-
-func getVirtualPodAwareStandaloneRootDir(id, virtualSandboxID string) string {
+func getStandaloneRootDir(id, virtualSandboxID string) string {
 	if virtualSandboxID != "" {
 		// Standalone container in virtual pod gets its own subdir
 		return filepath.Join(guestpath.LCOWRootPrefixInUVM, "virtual-pods", virtualSandboxID, id)
 	}
-	return getStandaloneRootDir(id)
-}
-
-func getStandaloneHostnamePath(id string) string {
-	return filepath.Join(getStandaloneRootDir(id), "hostname")
-}
-
-func getVirtualPodAwareStandaloneHostnamePath(id, virtualSandboxID string) string {
-	return filepath.Join(getVirtualPodAwareStandaloneRootDir(id, virtualSandboxID), "hostname")
-}
-
-func getStandaloneHostsPath(id string) string {
-	return filepath.Join(getStandaloneRootDir(id), "hosts")
+	return filepath.Join(guestpath.LCOWRootPrefixInUVM, id)
 }
 
-func getVirtualPodAwareStandaloneHostsPath(id, virtualSandboxID string) string {
-	return filepath.Join(getVirtualPodAwareStandaloneRootDir(id, virtualSandboxID), "hosts")
+func getStandaloneHostnamePath(id, virtualSandboxID string) string {
+	return filepath.Join(getStandaloneRootDir(id, virtualSandboxID), "hostname")
 }
 
-func getStandaloneResolvPath(id string) string {
-	return filepath.Join(getStandaloneRootDir(id), "resolv.conf")
+func getStandaloneHostsPath(id, virtualSandboxID string) string {
+	return filepath.Join(getStandaloneRootDir(id, virtualSandboxID), "hosts")
 }
 
-func getVirtualPodAwareStandaloneResolvPath(id, virtualSandboxID string) string {
-	return filepath.Join(getVirtualPodAwareStandaloneRootDir(id, virtualSandboxID), "resolv.conf")
+func getStandaloneResolvPath(id, virtualSandboxID string) string {
+	return filepath.Join(getStandaloneRootDir(id, virtualSandboxID), "resolv.conf")
 }
 
 func setupStandaloneContainerSpec(ctx context.Context, id string, spec *oci.Spec) (err error) {
@@ -66,7 +50,7 @@ func setupStandaloneContainerSpec(ctx context.Context, id string, spec *oci.Spec
 	virtualSandboxID := spec.Annotations[annotations.VirtualPodID]
 
 	// Generate the standalone root dir - virtual pod aware
-	rootDir := getVirtualPodAwareStandaloneRootDir(id, virtualSandboxID)
+	rootDir := getStandaloneRootDir(id, virtualSandboxID)
 	if err := os.MkdirAll(rootDir, 0755); err != nil {
 		return errors.Wrapf(err, "failed to create container root directory %q", rootDir)
 	}
@@ -87,15 +71,15 @@ func setupStandaloneContainerSpec(ctx context.Context, id string, spec *oci.Spec
 
 	// Write the hostname
 	if !specGuest.MountPresent("/etc/hostname", spec.Mounts) {
-		standaloneHostnamePath := getVirtualPodAwareStandaloneHostnamePath(id, virtualSandboxID)
+		standaloneHostnamePath := getStandaloneHostnamePath(id, virtualSandboxID)
 		if err := os.WriteFile(standaloneHostnamePath, []byte(hostname+"\n"), 0644); err != nil {
 			return errors.Wrapf(err, "failed to write hostname to %q", standaloneHostnamePath)
 		}
 
 		mt := oci.Mount{
 			Destination: "/etc/hostname",
 			Type:        "bind",
-			Source:      getVirtualPodAwareStandaloneHostnamePath(id, virtualSandboxID),
+			Source:      getStandaloneHostnamePath(id, virtualSandboxID),
 			Options:     []string{"bind"},
 		}
 		if specGuest.IsRootReadonly(spec) {
@@ -107,15 +91,15 @@ func setupStandaloneContainerSpec(ctx context.Context, id string, spec *oci.Spec
 	// Write the hosts
 	if !specGuest.MountPresent("/etc/hosts", spec.Mounts) {
 		standaloneHostsContent := network.GenerateEtcHostsContent(ctx, hostname)
-		standaloneHostsPath := getVirtualPodAwareStandaloneHostsPath(id, virtualSandboxID)
+		standaloneHostsPath := getStandaloneHostsPath(id, virtualSandboxID)
 		if err := os.WriteFile(standaloneHostsPath, []byte(standaloneHostsContent), 0644); err != nil {
 			return errors.Wrapf(err, "failed to write standalone hosts to %q", standaloneHostsPath)
 		}
 
 		mt := oci.Mount{
 			Destination: "/etc/hosts",
 			Type:        "bind",
-			Source:      getVirtualPodAwareStandaloneHostsPath(id, virtualSandboxID),
+			Source:      getStandaloneHostsPath(id, virtualSandboxID),
 			Options:     []string{"bind"},
 		}
 		if specGuest.IsRootReadonly(spec) {
@@ -140,15 +124,15 @@ func setupStandaloneContainerSpec(ctx context.Context, id string, spec *oci.Spec
 		if err != nil {
 			return errors.Wrap(err, "failed to generate standalone resolv.conf content")
 		}
-		standaloneResolvPath := getVirtualPodAwareStandaloneResolvPath(id, virtualSandboxID)
+		standaloneResolvPath := getStandaloneResolvPath(id, virtualSandboxID)
 		if err := os.WriteFile(standaloneResolvPath, []byte(resolvContent), 0644); err != nil {
 			return errors.Wrap(err, "failed to write standalone resolv.conf")
 		}
 
 		mt := oci.Mount{
 			Destination: "/etc/resolv.conf",
 			Type:        "bind",
-			Source:      getVirtualPodAwareStandaloneResolvPath(id, virtualSandboxID),
+			Source:      getStandaloneResolvPath(id, virtualSandboxID),
 			Options:     []string{"bind"},
 		}
 		if specGuest.IsRootReadonly(spec) {

internal/guest/runtime/hcsv2/uvm.go

@@ -322,8 +322,7 @@ func setupSandboxMountsPath(id string) (err error) {
 	return storage.MountRShared(mountPath)
 }
 
-func setupSandboxTmpfsMountsPath(id string) error {
-	var err error
+func setupSandboxTmpfsMountsPath(id string) (err error) {
 	tmpfsDir := specGuest.SandboxTmpfsMountsDir(id)
 	if err := os.MkdirAll(tmpfsDir, 0755); err != nil {
 		return errors.Wrapf(err, "failed to create sandbox tmpfs mounts dir in sandbox %v", id)
@@ -473,16 +472,13 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 
 			if isVirtualPod {
 				// For virtual pods, create virtual pod specific paths
-				err = setupVirtualPodMountsPath(virtualPodID, id)
-				if err != nil {
+				if err = setupVirtualPodMountsPath(virtualPodID); err != nil {
 					return nil, err
 				}
-				// Create hugepages path for virtual pod
-				mountPath := specGuest.VirtualPodHugePagesMountsDir(virtualPodID)
-				if err := os.MkdirAll(mountPath, 0755); err != nil {
-					return nil, errors.Wrapf(err, "failed to create virtual pod hugepage mounts dir %v", virtualPodID)
+				if err = setupVirtualPodTmpfsMountsPath(virtualPodID); err != nil {
+					return nil, err
 				}
-				if err := storage.MountRShared(mountPath); err != nil {
+				if err = setupVirtualPodHugePageMountsPath(virtualPodID); err != nil {
 					return nil, err
 				}
 			} else {
@@ -507,8 +503,7 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 			if !ok || sid == "" {
 				return nil, errors.Errorf("unsupported 'io.kubernetes.cri.sandbox-id': '%s'", sid)
 			}
-			err = setupWorkloadContainerSpec(ctx, sid, id, settings.OCISpecification, settings.OCIBundlePath)
-			if err != nil {
+			if err = setupWorkloadContainerSpec(ctx, sid, id, settings.OCISpecification, settings.OCIBundlePath); err != nil {
 				return nil, err
 			}
 
@@ -672,9 +667,9 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 		ns, err := getNetworkNamespace(namespaceID)
 		// skip network activity for sandbox containers marked with skip uvm networking annotation
 		if isCRI && err != nil && !strings.EqualFold(settings.OCISpecification.Annotations[annotations.SkipPodNetworking], "true") {
-			// return nil, err
 			return nil, err
 		}
+		// standalone is not required to have a networking namespace setup
 		if ns != nil {
 			if err := ns.AssignContainerPid(ctx, c.container.Pid()); err != nil {
 				return nil, err
@@ -1556,11 +1551,11 @@ func (h *Host) cleanupVirtualPod(virtualSandboxID string) {
 }
 
 // setupVirtualPodMountsPath creates mount directories for virtual pods
-func setupVirtualPodMountsPath(virtualSandboxID, masterSandboxID string) (err error) {
+func setupVirtualPodMountsPath(virtualSandboxID string) (err error) {
 	// Create virtual pod specific mount path using the new path generation functions
 	mountPath := specGuest.VirtualPodMountsDir(virtualSandboxID)
 	if err := os.MkdirAll(mountPath, 0755); err != nil {
-		return errors.Wrapf(err, "failed to create virtual pod sandboxMounts dir %v", virtualSandboxID)
+		return errors.Wrapf(err, "failed to create virtual pod mounts dir in sandbox %v", virtualSandboxID)
 	}
 	defer func() {
 		if err != nil {
@@ -1570,3 +1565,34 @@ func setupVirtualPodMountsPath(virtualSandboxID, masterSandboxID string) (err er
 
 	return storage.MountRShared(mountPath)
 }
+
+func setupVirtualPodTmpfsMountsPath(virtualSandboxID string) (err error) {
+	tmpfsDir := specGuest.VirtualPodTmpfsMountsDir(virtualSandboxID)
+	if err := os.MkdirAll(tmpfsDir, 0755); err != nil {
+		return errors.Wrapf(err, "failed to create virtual pod tmpfs mounts dir in sandbox %v", virtualSandboxID)
+	}
+
+	defer func() {
+		if err != nil {
+			_ = os.RemoveAll(tmpfsDir)
+		}
+	}()
+
+	// mount a tmpfs at the tmpfsDir
+	// this ensures that the tmpfsDir is a mount point and not just a directory
+	// we don't care if it is already mounted, so ignore EBUSY
+	if err := unix.Mount("tmpfs", tmpfsDir, "tmpfs", 0, ""); err != nil && !errors.Is(err, unix.EBUSY) {
+		return errors.Wrapf(err, "failed to mount tmpfs at %s", tmpfsDir)
+	}
+
+	return storage.MountRShared(tmpfsDir)
+}
+
+func setupVirtualPodHugePageMountsPath(virtualSandboxID string) error {
+	mountPath := specGuest.VirtualPodHugePagesMountsDir(virtualSandboxID)
+	if err := os.MkdirAll(mountPath, 0755); err != nil {
+		return errors.Wrapf(err, "failed to create virtual pod hugepage mounts dir %v", virtualSandboxID)
+	}
+
+	return storage.MountRShared(mountPath)
+}

internal/guest/runtime/hcsv2/workload_container.go

@@ -45,13 +45,15 @@ func updateSandboxMounts(sbid string, spec *oci.Spec) error {
 		var sandboxSource string
 		// if using `sandbox-tmp://` prefix, we mount a tmpfs in sandboxTmpfsMountsDir
 		if strings.HasPrefix(m.Source, guestpath.SandboxTmpfsMountPrefix) {
-			sandboxSource = specGuest.SandboxTmpfsMountSource(sbid, m.Source)
+			// Use virtual pod aware mount source
+			sandboxSource = specGuest.VirtualPodAwareSandboxTmpfsMountSource(sbid, virtualSandboxID, m.Source)
+			expectedMountsDir := specGuest.VirtualPodAwareSandboxTmpfsMountsDir(sbid, virtualSandboxID)
+
 			// filepath.Join cleans the resulting path before returning, so it would resolve the relative path if one was given.
 			// Hence, we need to ensure that the resolved path is still under the correct directory
-			if !strings.HasPrefix(sandboxSource, specGuest.SandboxTmpfsMountsDir(sbid)) {
-				return errors.Errorf("mount path %v for mount %v is not within sandboxTmpfsMountsDir", sandboxSource, m.Source)
+			if !strings.HasPrefix(sandboxSource, expectedMountsDir) {
+				return errors.Errorf("mount path %v for mount %v is not within sandbox's tmpfs mounts dir", sandboxSource, m.Source)
 			}
-
 		} else {
 			// Use virtual pod aware mount source
 			sandboxSource = specGuest.VirtualPodAwareSandboxMountSource(sbid, virtualSandboxID, m.Source)
@@ -81,29 +83,31 @@ func updateHugePageMounts(sbid string, spec *oci.Spec) error {
 	virtualSandboxID := spec.Annotations[annotations.VirtualPodID]
 
 	for i, m := range spec.Mounts {
-		if strings.HasPrefix(m.Source, guestpath.HugePagesMountPrefix) {
-			// Use virtual pod aware hugepages directory
-			mountsDir := specGuest.VirtualPodAwareHugePagesMountsDir(sbid, virtualSandboxID)
-			subPath := strings.TrimPrefix(m.Source, guestpath.HugePagesMountPrefix)
-			pageSize := strings.Split(subPath, string(os.PathSeparator))[0]
-			hugePageMountSource := filepath.Join(mountsDir, subPath)
-
-			// filepath.Join cleans the resulting path before returning so it would resolve the relative path if one was given.
-			// Hence, we need to ensure that the resolved path is still under the correct directory
-			if !strings.HasPrefix(hugePageMountSource, mountsDir) {
-				return errors.Errorf("mount path %v for mount %v is not within hugepages's mounts dir", hugePageMountSource, m.Source)
-			}
+		if !strings.HasPrefix(m.Source, guestpath.HugePagesMountPrefix) {
+			continue
+		}
+
+		// Use virtual pod aware hugepages directory
+		mountsDir := specGuest.VirtualPodAwareHugePagesMountsDir(sbid, virtualSandboxID)
+		subPath := strings.TrimPrefix(m.Source, guestpath.HugePagesMountPrefix)
+		pageSize := strings.Split(subPath, string(os.PathSeparator))[0]
+		hugePageMountSource := filepath.Join(mountsDir, subPath)
+
+		// filepath.Join cleans the resulting path before returning so it would resolve the relative path if one was given.
+		// Hence, we need to ensure that the resolved path is still under the correct directory
+		if !strings.HasPrefix(hugePageMountSource, mountsDir) {
+			return errors.Errorf("mount path %v for mount %v is not within hugepages's mounts dir", hugePageMountSource, m.Source)
+		}
 
-			spec.Mounts[i].Source = hugePageMountSource
+		spec.Mounts[i].Source = hugePageMountSource
 
-			_, err := os.Stat(hugePageMountSource)
-			if os.IsNotExist(err) {
-				if err := mkdirAllModePerm(hugePageMountSource); err != nil {
-					return err
-				}
-				if err := unix.Mount("none", hugePageMountSource, "hugetlbfs", 0, "pagesize="+pageSize); err != nil {
-					return errors.Errorf("mount operation failed for %v failed with error %v", hugePageMountSource, err)
-				}
+		_, err := os.Stat(hugePageMountSource)
+		if os.IsNotExist(err) {
+			if err := mkdirAllModePerm(hugePageMountSource); err != nil {
+				return err
+			}
+			if err := unix.Mount("none", hugePageMountSource, "hugetlbfs", 0, "pagesize="+pageSize); err != nil {
+				return errors.Errorf("mount operation failed for %v failed with error %v", hugePageMountSource, err)
 			}
 		}
 	}