Initial multipod support (#2546)

* support multipod scenarios with VirtualPodID annotation

This is in continuation of the azcri changes https://msazure.visualstudio.com/ContainerPlatform/_git/azcri/pullrequest/12968264

- Add VirtualPodID, TenantSandboxID, and SkipPodNetworking annotations to pkg/annotations
- Update create.go to treat containers with VirtualPodID equal to container ID as sandboxes for networking to support separate Network namespace for each Pod in the UVM.

(cherry picked from commit c196086161b65682e0d923e3bb8b3c5ed789a497)
Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

* multi pod changes for GCS

Introduce cgroup changes and per pod mount changes to support multiple pod.

(cherry picked from commit 7170f3fae8d26fef6a975cdff8300f9ca67691d1)
Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

* Add multi-pod tmpfs support; fix lint errors

Remove unused functions `get(Sandbox|Standalone)(Hostname|Hosts|Resolv)Path`
and replace them with their `VirtualPodAware` counterparts to satisfy
linter. (The original functions are already replaced wholesale).

Expand multi-pod functionality to include tmpfs-backed sandbox mounts.

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

---------

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
Co-authored-by: Abhishek Singh (Manifold) <Abhishek.Singh@microsoft.com>

Author: helsaawy

cmd/gcs/main.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"syscall"
 	"time"
 
@@ -67,7 +68,12 @@ func readMemoryEvents(startTime time.Time, efdFile *os.File, cgName string, thre
 		}
 
 		count++
-		msg := "memory usage for cgroup exceeded threshold"
+		var msg string
+		if strings.HasPrefix(cgName, "/virtual-pods") {
+			msg = "memory usage for virtual pods cgroup exceeded threshold"
+		} else {
+			msg = "memory usage for cgroup exceeded threshold"
+		}
 		entry := logrus.WithFields(logrus.Fields{
 			"gcsStartTime":   startTime,
 			"time":           time.Now(),
@@ -294,40 +300,9 @@ func main() {
 	// Continuously log /dev/kmsg
 	go kmsg.ReadForever(kmsg.LogLevel(*kmsgLogLevel))
 
-	tport := &transport.VsockTransport{}
-	rtime, err := runc.NewRuntime(baseLogPath)
-	if err != nil {
-		logrus.WithError(err).Fatal("failed to initialize new runc runtime")
-	}
-	mux := bridge.NewBridgeMux()
-	b := bridge.Bridge{
-		Handler:  mux,
-		EnableV4: *v4,
-	}
-	h := hcsv2.NewHost(rtime, tport, initialEnforcer, logWriter)
-	b.AssignHandlers(mux, h)
-
-	var bridgeIn io.ReadCloser
-	var bridgeOut io.WriteCloser
-	if *useInOutErr {
-		bridgeIn = os.Stdin
-		bridgeOut = os.Stdout
-	} else {
-		const commandPort uint32 = 0x40000000
-		bridgeCon, err := tport.Dial(commandPort)
-		if err != nil {
-			logrus.WithFields(logrus.Fields{
-				"port":          commandPort,
-				logrus.ErrorKey: err,
-			}).Fatal("failed to dial host vsock connection")
-		}
-		bridgeIn = bridgeCon
-		bridgeOut = bridgeCon
-	}
-
 	// Setup the UVM cgroups to protect against a workload taking all available
-	// memory and causing the GCS to malfunction we create two cgroups: gcs,
-	// containers.
+	// memory and causing the GCS to malfunction we create cgroups: gcs,
+	// containers, and virtual-pods for multi-pod support.
 	//
 
 	// Write 1 to memory.use_hierarchy on the root cgroup to enable hierarchy
@@ -357,6 +332,18 @@ func main() {
 	}
 	defer containersControl.Delete() //nolint:errcheck
 
+	// Create virtual-pods cgroup hierarchy for multi-pod support
+	// This will be the parent for all virtual pod cgroups: /containers/virtual-pods/{virtualSandboxID}
+	virtualPodsControl, err := cgroups.New(cgroups.StaticPath("/containers/virtual-pods"), &oci.LinuxResources{
+		Memory: &oci.LinuxMemory{
+			Limit: &containersLimit, // Share the same limit as containers
+		},
+	})
+	if err != nil {
+		logrus.WithError(err).Fatal("failed to create containers/virtual-pods cgroup")
+	}
+	defer virtualPodsControl.Delete() //nolint:errcheck
+
 	gcsControl, err := cgroups.New(cgroups.StaticPath("/gcs"), &oci.LinuxResources{})
 	if err != nil {
 		logrus.WithError(err).Fatal("failed to create gcs cgroup")
@@ -366,6 +353,39 @@ func main() {
 		logrus.WithError(err).Fatal("failed add gcs pid to gcs cgroup")
 	}
 
+	tport := &transport.VsockTransport{}
+	rtime, err := runc.NewRuntime(baseLogPath)
+	if err != nil {
+		logrus.WithError(err).Fatal("failed to initialize new runc runtime")
+	}
+	mux := bridge.NewBridgeMux()
+	b := bridge.Bridge{
+		Handler:  mux,
+		EnableV4: *v4,
+	}
+	h := hcsv2.NewHost(rtime, tport, initialEnforcer, logWriter)
+	// Initialize virtual pod support in the host
+	h.InitializeVirtualPodSupport(virtualPodsControl)
+	b.AssignHandlers(mux, h)
+
+	var bridgeIn io.ReadCloser
+	var bridgeOut io.WriteCloser
+	if *useInOutErr {
+		bridgeIn = os.Stdin
+		bridgeOut = os.Stdout
+	} else {
+		const commandPort uint32 = 0x40000000
+		bridgeCon, err := tport.Dial(commandPort)
+		if err != nil {
+			logrus.WithFields(logrus.Fields{
+				"port":          commandPort,
+				logrus.ErrorKey: err,
+			}).Fatal("failed to dial host vsock connection")
+		}
+		bridgeIn = bridgeCon
+		bridgeOut = bridgeCon
+	}
+
 	event := cgroups.MemoryThresholdEvent(*gcsMemLimitBytes, false)
 	gefd, err := gcsControl.RegisterMemoryEvent(event)
 	if err != nil {
@@ -381,6 +401,14 @@ func main() {
 	oomFile := os.NewFile(oom, "cefd")
 	defer oomFile.Close()
 
+	// Setup OOM monitoring for virtual-pods cgroup
+	virtualPodsOom, err := virtualPodsControl.OOMEventFD()
+	if err != nil {
+		logrus.WithError(err).Fatal("failed to retrieve the virtual-pods cgroups oom eventfd")
+	}
+	virtualPodsOomFile := os.NewFile(virtualPodsOom, "vp-oomfd")
+	defer virtualPodsOomFile.Close()
+
 	// time synchronization service
 	if !(*disableTimeSync) {
 		if err = startTimeSyncService(); err != nil {
@@ -390,6 +418,7 @@ func main() {
 
 	go readMemoryEvents(startTime, gefdFile, "/gcs", int64(*gcsMemLimitBytes), gcsControl)
 	go readMemoryEvents(startTime, oomFile, "/containers", containersLimit, containersControl)
+	go readMemoryEvents(startTime, virtualPodsOomFile, "/containers/virtual-pods", containersLimit, virtualPodsControl)
 	err = b.ListenAndServe(bridgeIn, bridgeOut)
 	if err != nil {
 		logrus.WithFields(logrus.Fields{

internal/guest/runtime/hcsv2/container.go

@@ -30,6 +30,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
+	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
 // containerStatus has been introduced to enable parallel container creation
@@ -193,13 +194,24 @@ func (c *Container) Delete(ctx context.Context) error {
 	entity := log.G(ctx).WithField(logfields.ContainerID, c.id)
 	entity.Info("opengcs::Container::Delete")
 	if c.isSandbox {
-		// remove user mounts in sandbox container
-		if err := storage.UnmountAllInPath(ctx, specGuest.SandboxMountsDir(c.id), true); err != nil {
+		// Check if this is a virtual pod
+		virtualSandboxID := ""
+		if c.spec != nil && c.spec.Annotations != nil {
+			virtualSandboxID = c.spec.Annotations[annotations.VirtualPodID]
+		}
+
+		// remove user mounts in sandbox container - use virtual pod aware paths
+		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxMountsDir(c.id, virtualSandboxID), true); err != nil {
 			entity.WithError(err).Error("failed to unmount sandbox mounts")
 		}
 
-		// remove hugepages mounts in sandbox container
-		if err := storage.UnmountAllInPath(ctx, specGuest.HugePagesMountsDir(c.id), true); err != nil {
+		// remove user mounts in tmpfs sandbox container - use virtual pod aware paths
+		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxTmpfsMountsDir(c.id, virtualSandboxID), true); err != nil {
+			entity.WithError(err).Error("failed to unmount tmpfs sandbox mounts")
+		}
+
+		// remove hugepages mounts in sandbox container - use virtual pod aware paths
+		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareHugePagesMountsDir(c.id, virtualSandboxID), true); err != nil {
 			entity.WithError(err).Error("failed to unmount hugepages mounts")
 		}
 	}

internal/guest/runtime/hcsv2/sandbox_container.go

@@ -15,20 +15,21 @@ import (
 
 	"github.com/Microsoft/hcsshim/internal/guest/network"
 	specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
+	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
-func getSandboxHostnamePath(id string) string {
-	return filepath.Join(specGuest.SandboxRootDir(id), "hostname")
+func getSandboxHostnamePath(id, virtualSandboxID string) string {
+	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hostname")
 }
 
-func getSandboxHostsPath(id string) string {
-	return filepath.Join(specGuest.SandboxRootDir(id), "hosts")
+func getSandboxHostsPath(id, virtualSandboxID string) string {
+	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hosts")
 }
 
-func getSandboxResolvPath(id string) string {
-	return filepath.Join(specGuest.SandboxRootDir(id), "resolv.conf")
+func getSandboxResolvPath(id, virtualSandboxID string) string {
+	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "resolv.conf")
 }
 
 func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (err error) {
@@ -37,8 +38,11 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("cid", id))
 
-	// Generate the sandbox root dir
-	rootDir := specGuest.SandboxRootDir(id)
+	// Check if this is a virtual pod to use appropriate root directory
+	virtualSandboxID := spec.Annotations[annotations.VirtualPodID]
+
+	// Generate the sandbox root dir - virtual pod aware
+	rootDir := specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID)
 	if err := os.MkdirAll(rootDir, 0755); err != nil {
 		return errors.Wrapf(err, "failed to create sandbox root directory %q", rootDir)
 	}
@@ -58,39 +62,53 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		}
 	}
 
-	sandboxHostnamePath := getSandboxHostnamePath(id)
+	sandboxHostnamePath := getSandboxHostnamePath(id, virtualSandboxID)
 	if err := os.WriteFile(sandboxHostnamePath, []byte(hostname+"\n"), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write hostname to %q", sandboxHostnamePath)
 	}
 
 	// Write the hosts
 	sandboxHostsContent := network.GenerateEtcHostsContent(ctx, hostname)
-	sandboxHostsPath := getSandboxHostsPath(id)
+	sandboxHostsPath := getSandboxHostsPath(id, virtualSandboxID)
 	if err := os.WriteFile(sandboxHostsPath, []byte(sandboxHostsContent), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write sandbox hosts to %q", sandboxHostsPath)
 	}
 
+	// Check if this is a virtual pod sandbox container by comparing container ID with virtual pod ID
+	isVirtualPodSandbox := virtualSandboxID != "" && id == virtualSandboxID
+	if strings.EqualFold(spec.Annotations[annotations.SkipPodNetworking], "true") || isVirtualPodSandbox {
+		ns := GetOrAddNetworkNamespace(specGuest.GetNetworkNamespaceID(spec))
+		err := ns.Sync(ctx)
+		if err != nil {
+			return err
+		}
+	}
 	// Write resolv.conf
 	ns, err := getNetworkNamespace(specGuest.GetNetworkNamespaceID(spec))
 	if err != nil {
-		return err
-	}
-	var searches, servers []string
-	for _, n := range ns.Adapters() {
-		if len(n.DNSSuffix) > 0 {
-			searches = network.MergeValues(searches, strings.Split(n.DNSSuffix, ","))
+		if !strings.EqualFold(spec.Annotations[annotations.SkipPodNetworking], "true") {
+			return err
 		}
-		if len(n.DNSServerList) > 0 {
-			servers = network.MergeValues(servers, strings.Split(n.DNSServerList, ","))
+		// Networking is skipped, do not error out
+		log.G(ctx).Infof("setupSandboxContainerSpec: Did not find NS spec %v, err %v", spec, err)
+	} else {
+		var searches, servers []string
+		for _, n := range ns.Adapters() {
+			if len(n.DNSSuffix) > 0 {
+				searches = network.MergeValues(searches, strings.Split(n.DNSSuffix, ","))
+			}
+			if len(n.DNSServerList) > 0 {
+				servers = network.MergeValues(servers, strings.Split(n.DNSServerList, ","))
+			}
+		}
+		resolvContent, err := network.GenerateResolvConfContent(ctx, searches, servers, nil)
+		if err != nil {
+			return errors.Wrap(err, "failed to generate sandbox resolv.conf content")
+		}
+		sandboxResolvPath := getSandboxResolvPath(id, virtualSandboxID)
+		if err := os.WriteFile(sandboxResolvPath, []byte(resolvContent), 0644); err != nil {
+			return errors.Wrap(err, "failed to write sandbox resolv.conf")
 		}
-	}
-	resolvContent, err := network.GenerateResolvConfContent(ctx, searches, servers, nil)
-	if err != nil {
-		return errors.Wrap(err, "failed to generate sandbox resolv.conf content")
-	}
-	sandboxResolvPath := getSandboxResolvPath(id)
-	if err := os.WriteFile(sandboxResolvPath, []byte(resolvContent), 0644); err != nil {
-		return errors.Wrap(err, "failed to write sandbox resolv.conf")
 	}
 
 	// User.Username is generally only used on Windows, but as there's no (easy/fast at least) way to grab
@@ -113,8 +131,14 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	// also has a concept of a sandbox/shm file when the IPC NamespaceMode !=
 	// NODE.
 
-	// Force the parent cgroup into our /containers root
-	spec.Linux.CgroupsPath = "/containers/" + id
+	// Set cgroup path - check if this is a virtual pod
+	if virtualSandboxID != "" {
+		// Virtual pod sandbox gets its own cgroup under /containers/virtual-pods using the virtual pod ID
+		spec.Linux.CgroupsPath = "/containers/virtual-pods/" + virtualSandboxID
+	} else {
+		// Traditional sandbox goes under /containers
+		spec.Linux.CgroupsPath = "/containers/" + id
+	}
 
 	// Clear the windows section as we dont want to forward to runc
 	spec.Windows = nil