CWCOW: Handle container remove request

MahatiC · MahatiC · commit 751abbfc2aac · 2026-01-05T14:36:55.000Z
Signed-off-by: Mahati Chamarthy &lt;mahati.chamarthy@gmail.com&gt;
diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
@@ -646,33 +646,37 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			return nil
 
 		case guestresource.ResourceTypeCWCOWCombinedLayers:
-
-			if modifyGuestSettingsRequest.RequestType == guestrequest.RequestTypeRemove {
-				return fmt.Errorf("not implemented")
-			}
-
 			settings := modifyGuestSettingsRequest.Settings.(*guestresource.CWCOWCombinedLayers)
-			containerID := settings.ContainerID
-			log.G(ctx).Tracef("CWCOWCombinedLayers:: ContainerID: %v, ContainerRootPath: %v, Layers: %v, ScratchPath: %v",
-				containerID, settings.CombinedLayers.ContainerRootPath, settings.CombinedLayers.Layers, settings.CombinedLayers.ScratchPath)
+			switch modifyGuestSettingsRequest.RequestType {
+			case guestrequest.RequestTypeAdd:
+				containerID := settings.ContainerID
+				log.G(ctx).Tracef("CWCOWCombinedLayers:: ContainerID: %v, ContainerRootPath: %v, Layers: %v, ScratchPath: %v",
+					containerID, settings.CombinedLayers.ContainerRootPath, settings.CombinedLayers.Layers, settings.CombinedLayers.ScratchPath)
+
+				//Since unencrypted scratch is not an option, always pass true
+				if err := b.hostState.securityOptions.PolicyEnforcer.EnforceScratchMountPolicy(ctx, settings.CombinedLayers.ContainerRootPath, true); err != nil {
+					return fmt.Errorf("scratch mounting denied by policy: %w", err)
+				}
+				// The following two folders are expected to be present in the scratch.
+				// But since we have just formatted the scratch we would need to
+				// create them manually.
+				sandboxStateDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, sandboxStateDirName)
+				err = os.Mkdir(sandboxStateDirectory, 0777)
+				if err != nil {
+					return fmt.Errorf("failed to create sandboxStateDirectory: %w", err)
+				}
 
-			//Since unencrypted scratch is not an option, always pass true
-			if err := b.hostState.securityOptions.PolicyEnforcer.EnforceScratchMountPolicy(ctx, settings.CombinedLayers.ContainerRootPath, true); err != nil {
-				return fmt.Errorf("scratch mounting denied by policy: %w", err)
-			}
-			// The following two folders are expected to be present in the scratch.
-			// But since we have just formatted the scratch we would need to
-			// create them manually.
-			sandboxStateDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, sandboxStateDirName)
-			err = os.Mkdir(sandboxStateDirectory, 0777)
-			if err != nil {
-				return fmt.Errorf("failed to create sandboxStateDirectory: %w", err)
-			}
+				hivesDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, hivesDirName)
+				err = os.Mkdir(hivesDirectory, 0777)
+				if err != nil {
+					return fmt.Errorf("failed to create hivesDirectory: %w", err)
+				}
 
-			hivesDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, hivesDirName)
-			err = os.Mkdir(hivesDirectory, 0777)
-			if err != nil {
-				return fmt.Errorf("failed to create hivesDirectory: %w", err)
+			case guestrequest.RequestTypeRemove:
+				log.G(ctx).Tracef("CWCOWCombinedLayers: Remove")
+				if err := b.hostState.securityOptions.PolicyEnforcer.EnforceScratchUnmountPolicy(ctx, settings.CombinedLayers.ContainerRootPath); err != nil {
+					return fmt.Errorf("scratch unmounting denied by policy: %w", err)
+				}
 			}
 
 			// Reconstruct WCOWCombinedLayers{} req before forwarding to GCS
diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go
@@ -35,6 +35,7 @@ func (umb *UVMMountedBlockCIMs) MountedVolumePath() string {
 }
 
 func (umb *UVMMountedBlockCIMs) Release(ctx context.Context) error {
+	log.G(ctx).Tracef("UVMWCOWBlockCIMs : Release")
 	umb.host.blockCIMMountLock.Lock()
 	defer umb.host.blockCIMMountLock.Unlock()
 
diff --git a/internal/uvm/combine_layers.go b/internal/uvm/combine_layers.go
@@ -85,15 +85,32 @@ func (uvm *UtilityVM) CombineLayersLCOW(ctx context.Context, containerID string,
 //
 // NOTE: `rootfsPath` is the path from within the UVM.
 func (uvm *UtilityVM) RemoveCombinedLayersWCOW(ctx context.Context, rootfsPath string) error {
-	msr := &hcsschema.ModifySettingRequest{
-		GuestRequest: guestrequest.ModificationRequest{
-			ResourceType: guestresource.ResourceTypeCombinedLayers,
-			RequestType:  guestrequest.RequestTypeRemove,
-			Settings: guestresource.WCOWCombinedLayers{
-				ContainerRootPath: rootfsPath,
+	var msr *hcsschema.ModifySettingRequest
+
+	if uvm.HasConfidentialPolicy() {
+		msr = &hcsschema.ModifySettingRequest{
+			GuestRequest: guestrequest.ModificationRequest{
+				ResourceType: guestresource.ResourceTypeCWCOWCombinedLayers,
+				RequestType:  guestrequest.RequestTypeRemove,
+				Settings: guestresource.CWCOWCombinedLayers{
+					CombinedLayers: guestresource.WCOWCombinedLayers{
+						ContainerRootPath: rootfsPath,
+					},
+				},
 			},
-		},
+		}
+	} else {
+		msr = &hcsschema.ModifySettingRequest{
+			GuestRequest: guestrequest.ModificationRequest{
+				ResourceType: guestresource.ResourceTypeCombinedLayers,
+				RequestType:  guestrequest.RequestTypeRemove,
+				Settings: guestresource.WCOWCombinedLayers{
+					ContainerRootPath: rootfsPath,
+				},
+			},
+		}
 	}
+
 	return uvm.modify(ctx, msr)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ func (umb *UVMMountedBlockCIMs) MountedVolumePath() string {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`func (umb *UVMMountedBlockCIMs) Release(ctx context.Context) error {`
	`38`	`+ log.G(ctx).Tracef("UVMWCOWBlockCIMs : Release")`
`38`	`39`	`umb.host.blockCIMMountLock.Lock()`
`39`	`40`	`defer umb.host.blockCIMMountLock.Unlock()`
`40`	`41`