annotations: Add annotations for runtime config

Additional annotations added to customise runtime configuration.

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>

virtcontainers/pkg/annotations/annotations.go

@@ -180,6 +180,26 @@ const (
 	BlockDeviceCacheNoflush = kataAnnotHypervisorPrefix + "block_device_cache_noflush"
 )
 
+const (
+	kataAnnotRuntimePrefix = kataConfAnnotationsPrefix + "runtime."
+
+	// DisableGuestSeccomp is a sandbox annotation that determines if seccomp should be applied inside guest.
+	DisableGuestSeccomp = kataAnnotRuntimePrefix + "disable_guest_seccomp"
+
+	// SandboxCgroupOnly is a sandbox annotation that determines if kata processes are managed only in sandbox cgroup.
+	SandboxCgroupOnly = kataAnnotRuntimePrefix + "sandbox_cgroup_only"
+
+	// Experimental is a sandbox annotation that determines if experimental features enabled.
+	Experimental = kataAnnotRuntimePrefix + "experimental"
+
+	// InterNetworkModel is a sandbox annotaion that determines how the VM should be connected to the
+	//the container network interface.
+	InterNetworkModel = kataAnnotRuntimePrefix + "internetworking_model"
+
+	// DisableNewNetNs is a sandbox annotation that determines if create a netns for hypervisor process.
+	DisableNewNetNs = kataAnnotRuntimePrefix + "disable_new_netns"
+)
+
 const (
 	kataAnnotAgentPrefix = kataConfAnnotationsPrefix + "agent."
 

virtcontainers/pkg/oci/utils.go

@@ -328,6 +328,10 @@ func addAnnotations(ocispec specs.Spec, config *vc.SandboxConfig) error {
 		return err
 	}
 
+	if err := addRuntimeConfigOverrides(ocispec, config); err != nil {
+		return err
+	}
+
 	if err := addAgentConfigOverrides(ocispec, config); err != nil {
 		return err
 	}
@@ -657,6 +661,58 @@ func addHypervisporVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxCon
 	return nil
 }
 
+func addRuntimeConfigOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig) error {
+	if value, ok := ocispec.Annotations[vcAnnotations.DisableGuestSeccomp]; ok {
+		disableGuestSeccomp, err := strconv.ParseBool(value)
+		if err != nil {
+			return fmt.Errorf("Error parsing annotation for disable_guest_seccomp: Please specify boolean value 'true|false'")
+		}
+
+		sbConfig.DisableGuestSeccomp = disableGuestSeccomp
+	}
+
+	if value, ok := ocispec.Annotations[vcAnnotations.SandboxCgroupOnly]; ok {
+		sandboxCgroupOnly, err := strconv.ParseBool(value)
+		if err != nil {
+			return fmt.Errorf("Error parsing annotation for sandbox_cgroup_only: Please specify boolean value 'true|false'")
+		}
+
+		sbConfig.SandboxCgroupOnly = sandboxCgroupOnly
+	}
+
+	if value, ok := ocispec.Annotations[vcAnnotations.Experimental]; ok {
+		features := strings.Split(value, " ")
+		sbConfig.Experimental = []exp.Feature{}
+
+		for _, f := range features {
+			feature := exp.Get(f)
+			if feature == nil {
+				return fmt.Errorf("Unsupported experimental feature %s specified in annotation %v", f, vcAnnotations.Experimental)
+			}
+			sbConfig.Experimental = append(sbConfig.Experimental, *feature)
+		}
+	}
+
+	if value, ok := ocispec.Annotations[vcAnnotations.DisableNewNetNs]; ok {
+		disableNewNetNs, err := strconv.ParseBool(value)
+		if err != nil {
+			return fmt.Errorf("Error parsing annotation for experimental: Please specify boolean value 'true|false'")
+		}
+		sbConfig.NetworkConfig.DisableNewNetNs = disableNewNetNs
+	}
+
+	if value, ok := ocispec.Annotations[vcAnnotations.InterNetworkModel]; ok {
+		runtimeConfig := RuntimeConfig{}
+		if err := runtimeConfig.InterNetworkModel.SetModel(value); err != nil {
+			return fmt.Errorf("Unknown network model specified in annotation %s", vcAnnotations.InterNetworkModel)
+		}
+
+		sbConfig.NetworkConfig.InterworkingModel = runtimeConfig.InterNetworkModel
+	}
+
+	return nil
+}
+
 func addAgentConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig) error {
 	if value, ok := ocispec.Annotations[vcAnnotations.KernelModules]; ok {
 		if c, ok := config.AgentConfig.(vc.KataAgentConfig); ok {