shim: Fix CreateContainer for the confidential computing case

In the confidential computing scenario, there is no Image
information on the host, so skip handling Rootfs at
CreateContainer.

Fixes #3009

Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
wllenyj
2021-11-10 15:46:23 +08:00
committed by Samuel Ortiz
parent e502fb23ea
commit 5691e66e1b
6 changed files with 24 additions and 0 deletions


@@ -242,6 +242,11 @@ func loadRuntimeConfig(s *service, r *taskAPI.CreateTaskRequest, anno map[string
}
func checkAndMount(s *service, r *taskAPI.CreateTaskRequest) (bool, error) {
// In the confidential computing, there is no Image information on the host,
// so there is no Rootfs.
if s.config.ServiceOffload && len(r.Rootfs) == 0 {
return false, nil
}
if len(r.Rootfs) == 1 {
m := r.Rootfs[0]
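Review bot: The early return at the top of checkAndMount silently skips the whole mount path whenever ServiceOffload is set and Rootfs is empty, with no log line, so an operator who enabled offload by mistake will see a container start with no host rootfs and nothing to explain why; a debug-level log stating that rootfs handling is deferred to the agent would make this diagnosable. The same comment text is repeated in hotplugDrive and buildContainerRootfs in the later hunks and could be sharpened in all three places to `// With ServiceOffload the Kata agent manages the image, so the host has no Rootfs to mount.` checkAndMount's body continues outside the hunk.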


@@ -1166,6 +1166,7 @@ func LoadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
config.JaegerEndpoint = tomlConf.Runtime.JaegerEndpoint
config.JaegerUser = tomlConf.Runtime.JaegerUser
config.JaegerPassword = tomlConf.Runtime.JaegerPassword
config.ServiceOffload = tomlConf.Image.ServiceOffload
for _, f := range tomlConf.Runtime.Experimental {
feature := exp.Get(f)
if feature == nil {


@@ -1252,6 +1252,11 @@ func (c *Container) hotplugDrive(ctx context.Context) error {
// Check to see if the rootfs is an umounted block device (source) or if the
// mount (target) is backed by a block device:
if !c.rootFs.Mounted {
// In the confidential computing, there is no Image information on the host,
// so there is no Rootfs.Source.
if c.sandbox.config.ServiceOffload && c.rootFs.Source == "" {
return nil
}
dev, err = getDeviceForPath(c.rootFs.Source)
// there is no "rootfs" dir on block device backed rootfs
c.rootfsSuffix = ""

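Review bot: The three new guards test three different proxies for "no host rootfs": `len(r.Rootfs) == 0` in checkAndMount, `c.rootFs.Source == ""` here, and `c.rootFs.Target == ""` in buildContainerRootfs, so a rootfs with a Source but no Target (or the reverse) would be handled on the host at one site and skipped at another. For the two Container sites a single predicate, e.g. `func (c *Container) rootfsOffloaded() bool { return c.sandbox.config.ServiceOffload && c.rootFs.Source == "" && c.rootFs.Target == "" }`, would keep the decision consistent, with the shim-side check mirroring it. Here the guard also sits inside `if !c.rootFs.Mounted`, so an offloaded rootfs that somehow has Mounted set would fall through to getDeviceForPath with an empty Source; that looks unreachable but deserves a comment. hotplugDrive's body extends beyond the hunk.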

@@ -1235,6 +1235,11 @@ func (k *kataAgent) rollbackFailingContainerCreation(ctx context.Context, c *Con
}
func (k *kataAgent) buildContainerRootfs(ctx context.Context, sandbox *Sandbox, c *Container, rootPathParent string) (*grpc.Storage, error) {
// In the confidential computing, there is no Image information on the host,
// so there is no Rootfs.Target.
if sandbox.config.ServiceOffload && c.rootFs.Target == "" {
return nil, nil
}
if c.state.Fstype != "" && c.state.BlockDeviceID != "" {
// The rootfs storage volume represents the container rootfs
// mount point inside the guest.

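Review bot: buildContainerRootfs now returns `nil, nil`, which makes a nil *grpc.Storage a valid success result; every caller (outside the hunk) must nil-check the storage before dereferencing it or appending it to the storage list sent to the agent, and the page gives no sign that the callers were updated. At minimum the contract should be stated on the function: `// buildContainerRootfs returns a nil Storage and a nil error when ServiceOffload is set and the host has no rootfs; callers must skip a nil result.` An explicit boolean result would make the skip harder to miss than a nil pointer. The function's body continues outside the hunk.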

@@ -134,6 +134,9 @@ type RuntimeConfig struct {
// Determines if enable pprof
EnablePprof bool
// Offload the CRI image management service to the Kata agent.
ServiceOffload bool
}
// AddKernelParam allows the addition of new kernel parameters to an existing
@@ -917,6 +920,8 @@ func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid, c
// Spec: &ocispec,
Experimental: runtime.Experimental,
ServiceOffload: runtime.ServiceOffload,
}
if err := addAnnotations(ocispec, &sandboxConfig, runtime); err != nil {


@@ -147,6 +147,9 @@ type SandboxConfig struct {
SandboxCgroupOnly bool
DisableGuestSeccomp bool
// Offload the CRI image management service to the Kata agent.
ServiceOffload bool
}
// valid checks that the sandbox configuration is valid.