
Commit 1c4d7ce

committed
reject task creation if the UVM does not support HPCs
Signed-off-by: Harsh Rawat <harshrawat@microsoft.com>
1 parent 4916a30 commit 1c4d7ce

4 files changed

Lines changed: 21 additions & 0 deletions


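--- a/cmd/containerd-shim-runhcs-v1/pod.go
+++ b/cmd/containerd-shim-runhcs-v1/pod.go
@@ -502,6 +502,11 @@ func (p *pod) updateConfigForHostProcessContainer(s *specs.Spec) error {
 return errors.New("cannot create a host process container inside sandbox which has missing annotation: microsoft.com/hostprocess-container")
 }
 
+if isHypervisorIsolatedPrivilegedSandbox &&
+p.host != nil && !p.host.HostProcessContainerSupported() {
+return fmt.Errorf("UVM does not support HostProcess containers")
+}
+
 if isProcessIsolatedPrivilegedSandbox || (isHypervisorIsolatedPrivilegedSandbox && isHypervisorIsolatedPrivilegedContainer) {
 if isProcessIsolatedPrivilegedSandbox && !isProcessIsolatedPrivilegedContainer {
 // This is a short circuit to make sure that all containers in a pod will have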
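Review bot: The new guard skips the capability check whenever `p.host` is nil, so a hypervisor-isolated privileged sandbox with no host handle falls through to the existing host-process configuration path instead of being rejected. Whether `p.host` can be nil at this point is not visible in the hunk; if it cannot, drop the nil test, and if it can, consider failing closed with `if isHypervisorIsolatedPrivilegedSandbox && (p.host == nil || !p.host.HostProcessContainerSupported()) {`. The message has no format verbs, so `errors.New("UVM does not support HostProcess containers")` would match the `errors.New` call just above it. The body of updateConfigForHostProcessContainer starts and ends outside the hunk.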

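--- a/internal/gcs/guestcaps.go
+++ b/internal/gcs/guestcaps.go
@@ -104,3 +104,7 @@ func (w *WCOWGuestDefinedCapabilities) IsDeleteContainerStateSupported() bool {
 func (w *WCOWGuestDefinedCapabilities) IsLogForwardingSupported() bool {
 return w.LogForwardingSupported
 }
+
+func (w *WCOWGuestDefinedCapabilities) IsHostProcessContainerSupported() bool {
+return w.HostProcessContainerSupported
+}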
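Review bot: The exported method `IsHostProcessContainerSupported` is added without a doc comment; a line such as `// IsHostProcessContainerSupported reports whether the WCOW guest advertised support for host process containers.` would cover it. In the files shown in this commit, the new `UtilityVM.HostProcessContainerSupported` reads the `HostProcessContainerSupported` field directly, so this accessor appears to have no caller here. Either route the UVM check through it or confirm it is needed to satisfy an interface declared elsewhere.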

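--- a/internal/hcs/schema1/schema1.go
+++ b/internal/hcs/schema1/schema1.go
@@ -222,6 +222,7 @@ type GuestDefinedCapabilities struct {
 DeleteContainerStateSupported bool `json:",omitempty"`
 UpdateContainerSupported bool `json:",omitempty"`
 LogForwardingSupported bool `json:",omitempty"`
+HostProcessContainerSupported bool `json:",omitempty"`
 }
 
 // GuestConnectionInfo is the structure of an iterm return by a GuestConnection call on a utility VM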

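--- a/internal/uvm/capabilities.go
+++ b/internal/uvm/capabilities.go
@@ -21,6 +21,17 @@ func (uvm *UtilityVM) DeleteContainerStateSupported() bool {
 return uvm.guestCaps.IsDeleteContainerStateSupported()
 }
 
+// HostProcessContainerSupported returns if the WCOW UVM supports
+// running host process containers.
+func (uvm *UtilityVM) HostProcessContainerSupported() bool {
+if uvm.OS() != "windows" {
+return false
+}
+
+wcaps := gcs.GetWCOWCapabilities(uvm.gc.Capabilities())
+return wcaps != nil && wcaps.HostProcessContainerSupported
+}
+
 // Capabilities returns the protocol version and the guest defined capabilities.
 // This should only be used for testing.
 func (uvm *UtilityVM) Capabilities() (uint32, gcs.GuestDefinedCapabilities) {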
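Review bot: `HostProcessContainerSupported` dereferences `uvm.gc` without a nil check, while the sibling `DeleteContainerStateSupported` just above reads `uvm.guestCaps` instead. If a `UtilityVM` can exist without a guest connection (not visible here), this call would panic on the task-creation path rather than return false; a guard such as `if uvm.gc == nil { return false }` before the `GetWCOWCapabilities` call keeps the check fail-closed. The flag is whatever the guest reported, so the doc comment could state that an absent or false value means host process containers are rejected, and "reports whether" reads better than "returns if".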
