Remove no_pivot when creating container from CRI

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>

pkg/cri/config/config_windows.go

@@ -38,7 +38,6 @@ func DefaultConfig() PluginConfig {
 		ContainerdConfig: ContainerdConfig{
 			Snapshotter:        containerd.DefaultSnapshotter,
 			DefaultRuntimeName: "runhcs-wcow-process",
-			NoPivot:            false,
 			Runtimes: map[string]Runtime{
 				"runhcs-wcow-process": {
 					Type:                 "io.containerd.runhcs.v1",

pkg/cri/sbserver/container_start.go

@@ -110,17 +110,12 @@ func (c *criService) StartContainer(ctx context.Context, r *runtime.StartContain
 		return cntr.IO, nil
 	}
 
-	ctrInfo, err := container.Info(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get container info: %w", err)
-	}
-
 	ociRuntime, err := c.getSandboxRuntime(sandbox.Config, sandbox.Metadata.RuntimeHandler)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get sandbox runtime: %w", err)
 	}
 
-	taskOpts := c.taskOpts(ctrInfo.Runtime.Name)
+	var taskOpts []containerd.NewTaskOpts
 	if ociRuntime.Path != "" {
 		taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 	}

pkg/cri/sbserver/podsandbox/sandbox_run.go

@@ -212,7 +212,7 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
 	// Create sandbox task in containerd.
 	log.G(ctx).Tracef("Create sandbox container (id=%q, name=%q).", id, metadata.Name)
 
-	taskOpts := c.taskOpts(ociRuntime.Type)
+	var taskOpts []containerd.NewTaskOpts
 	if ociRuntime.Path != "" {
 		taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 	}

pkg/cri/sbserver/podsandbox/sandbox_run_linux.go

@@ -22,9 +22,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/oci"
-	"github.com/containerd/containerd/plugin"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux"
@@ -325,19 +323,3 @@ func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 	}
 	return nil
 }
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	// TODO(random-liu): Remove this after shim v1 is deprecated.
-	var taskOpts []containerd.NewTaskOpts
-
-	// c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
-	// and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or  RuntimeRuncV2 = "io.containerd.runc.v2"
-	// for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
-	// https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
-	if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
-		taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
-	}
-
-	return taskOpts
-}

pkg/cri/sbserver/podsandbox/sandbox_run_other.go

@@ -19,7 +19,6 @@
 package podsandbox
 
 import (
-	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/pkg/cri/annotations"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -49,8 +48,3 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
 func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
 	return nil
 }
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	return []containerd.NewTaskOpts{}
-}

pkg/cri/sbserver/podsandbox/sandbox_run_test.go

@@ -26,8 +26,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 
-	"github.com/containerd/containerd/pkg/cri/annotations"
-	criconfig "github.com/containerd/containerd/pkg/cri/config"
 	sandboxstore "github.com/containerd/containerd/pkg/cri/store/sandbox"
 )
 
@@ -207,166 +205,3 @@ func TestHostAccessingSandbox(t *testing.T) {
 		})
 	}
 }
-
-func TestGetSandboxRuntime(t *testing.T) {
-	untrustedWorkloadRuntime := criconfig.Runtime{
-		Type:   "io.containerd.runtime.v1.linux",
-		Engine: "untrusted-workload-runtime",
-		Root:   "",
-	}
-
-	defaultRuntime := criconfig.Runtime{
-		Type:   "io.containerd.runtime.v1.linux",
-		Engine: "default-runtime",
-		Root:   "",
-	}
-
-	fooRuntime := criconfig.Runtime{
-		Type:   "io.containerd.runtime.v1.linux",
-		Engine: "foo-bar",
-		Root:   "",
-	}
-
-	for desc, test := range map[string]struct {
-		sandboxConfig   *runtime.PodSandboxConfig
-		runtimeHandler  string
-		runtimes        map[string]criconfig.Runtime
-		expectErr       bool
-		expectedRuntime criconfig.Runtime
-	}{
-		"should return error if untrusted workload requires host access": {
-			sandboxConfig: &runtime.PodSandboxConfig{
-				Linux: &runtime.LinuxPodSandboxConfig{
-					SecurityContext: &runtime.LinuxSandboxSecurityContext{
-						Privileged: false,
-						NamespaceOptions: &runtime.NamespaceOption{
-							Network: runtime.NamespaceMode_NODE,
-							Pid:     runtime.NamespaceMode_NODE,
-							Ipc:     runtime.NamespaceMode_NODE,
-						},
-					},
-				},
-				Annotations: map[string]string{
-					annotations.UntrustedWorkload: "true",
-				},
-			},
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault:   defaultRuntime,
-				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
-			},
-			expectErr: true,
-		},
-		"should use untrusted workload runtime for untrusted workload": {
-			sandboxConfig: &runtime.PodSandboxConfig{
-				Annotations: map[string]string{
-					annotations.UntrustedWorkload: "true",
-				},
-			},
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault:   defaultRuntime,
-				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
-			},
-			expectedRuntime: untrustedWorkloadRuntime,
-		},
-		"should use default runtime for regular workload": {
-			sandboxConfig: &runtime.PodSandboxConfig{},
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault: defaultRuntime,
-			},
-			expectedRuntime: defaultRuntime,
-		},
-		"should use default runtime for trusted workload": {
-			sandboxConfig: &runtime.PodSandboxConfig{
-				Annotations: map[string]string{
-					annotations.UntrustedWorkload: "false",
-				},
-			},
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault:   defaultRuntime,
-				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
-			},
-			expectedRuntime: defaultRuntime,
-		},
-		"should return error if untrusted workload runtime is required but not configured": {
-			sandboxConfig: &runtime.PodSandboxConfig{
-				Annotations: map[string]string{
-					annotations.UntrustedWorkload: "true",
-				},
-			},
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault: defaultRuntime,
-			},
-			expectErr: true,
-		},
-		"should use 'untrusted' runtime for untrusted workload": {
-			sandboxConfig: &runtime.PodSandboxConfig{
-				Annotations: map[string]string{
-					annotations.UntrustedWorkload: "true",
-				},
-			},
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault:   defaultRuntime,
-				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
-			},
-			expectedRuntime: untrustedWorkloadRuntime,
-		},
-		"should use 'untrusted' runtime for untrusted workload & handler": {
-			sandboxConfig: &runtime.PodSandboxConfig{
-				Annotations: map[string]string{
-					annotations.UntrustedWorkload: "true",
-				},
-			},
-			runtimeHandler: "untrusted",
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault:   defaultRuntime,
-				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
-			},
-			expectedRuntime: untrustedWorkloadRuntime,
-		},
-		"should return an error if untrusted annotation with conflicting handler": {
-			sandboxConfig: &runtime.PodSandboxConfig{
-				Annotations: map[string]string{
-					annotations.UntrustedWorkload: "true",
-				},
-			},
-			runtimeHandler: "foo",
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault:   defaultRuntime,
-				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
-				"foo":                      fooRuntime,
-			},
-			expectErr: true,
-		},
-		"should use correct runtime for a runtime handler": {
-			sandboxConfig:  &runtime.PodSandboxConfig{},
-			runtimeHandler: "foo",
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault:   defaultRuntime,
-				criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
-				"foo":                      fooRuntime,
-			},
-			expectedRuntime: fooRuntime,
-		},
-		"should return error if runtime handler is required but not configured": {
-			sandboxConfig:  &runtime.PodSandboxConfig{},
-			runtimeHandler: "bar",
-			runtimes: map[string]criconfig.Runtime{
-				criconfig.RuntimeDefault: defaultRuntime,
-				"foo":                    fooRuntime,
-			},
-			expectErr: true,
-		},
-	} {
-		t.Run(desc, func(t *testing.T) {
-			cri := newControllerService()
-			cri.config = criconfig.Config{
-				PluginConfig: criconfig.DefaultConfig(),
-			}
-			cri.config.ContainerdConfig.DefaultRuntimeName = criconfig.RuntimeDefault
-			cri.config.ContainerdConfig.Runtimes = test.runtimes
-			r, err := cri.getSandboxRuntime(test.sandboxConfig, test.runtimeHandler)
-			assert.Equal(t, test.expectErr, err != nil)
-			assert.Equal(t, test.expectedRuntime, r)
-		})
-	}
-}

pkg/cri/sbserver/podsandbox/sandbox_run_windows.go

@@ -20,7 +20,6 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/oci"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
@@ -102,8 +101,3 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
 func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
 	return nil
 }
-
-// No task options needed for windows.
-func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	return nil
-}

pkg/cri/sbserver/sandbox_run_linux.go

@@ -1,38 +0,0 @@
-/*
-   Copyright The containerd Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package sbserver
-
-import (
-	"github.com/containerd/containerd"
-	"github.com/containerd/containerd/plugin"
-)
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	// TODO(random-liu): Remove this after shim v1 is deprecated.
-	var taskOpts []containerd.NewTaskOpts
-
-	// c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
-	// and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or  RuntimeRuncV2 = "io.containerd.runc.v2"
-	// for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
-	// https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
-	if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
-		taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
-	}
-
-	return taskOpts
-}

pkg/cri/sbserver/sandbox_run_other.go

@@ -1,28 +0,0 @@
-//go:build !windows && !linux
-
-/*
-   Copyright The containerd Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package sbserver
-
-import (
-	"github.com/containerd/containerd"
-)
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	return []containerd.NewTaskOpts{}
-}

pkg/cri/sbserver/sandbox_run_windows.go

@@ -1,26 +0,0 @@
-/*
-   Copyright The containerd Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package sbserver
-
-import (
-	"github.com/containerd/containerd"
-)
-
-// No task options needed for windows.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	return nil
-}

pkg/cri/server/container_start.go

@@ -110,17 +110,12 @@ func (c *criService) StartContainer(ctx context.Context, r *runtime.StartContain
 		return cntr.IO, nil
 	}
 
-	ctrInfo, err := container.Info(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get container info: %w", err)
-	}
-
 	ociRuntime, err := c.getSandboxRuntime(sandbox.Config, sandbox.Metadata.RuntimeHandler)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get sandbox runtime: %w", err)
 	}
 
-	taskOpts := c.taskOpts(ctrInfo.Runtime.Name)
+	var taskOpts []containerd.NewTaskOpts
 	if ociRuntime.Path != "" {
 		taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 	}

pkg/cri/server/helpers_test.go

@@ -236,7 +236,7 @@ systemd_cgroup = true
 	require.NoError(t, err)
 	err = tree.Unmarshal(&nilOptsConfig)
 	require.NoError(t, err)
-	require.Len(t, nilOptsConfig.Runtimes, 3)
+	require.Len(t, nilOptsConfig.Runtimes, 1)
 
 	tree, err = toml.Load(nonNilOpts)
 	require.NoError(t, err)

pkg/cri/server/sandbox_run.go

@@ -352,7 +352,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 	log.G(ctx).Tracef("Create sandbox container (id=%q, name=%q).",
 		id, name)
 
-	taskOpts := c.taskOpts(ociRuntime.Type)
+	var taskOpts []containerd.NewTaskOpts
 	if ociRuntime.Path != "" {
 		taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 	}

pkg/cri/server/sandbox_run_linux.go

@@ -22,9 +22,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/oci"
-	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/snapshots"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
@@ -344,22 +342,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 	return nil
 }
 
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	// TODO(random-liu): Remove this after shim v1 is deprecated.
-	var taskOpts []containerd.NewTaskOpts
-
-	// c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
-	// and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or  RuntimeRuncV2 = "io.containerd.runc.v2"
-	// for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
-	// https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
-	if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
-		taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
-	}
-
-	return taskOpts
-}
-
 func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
 	for i := range spec.Linux.Namespaces {
 		if spec.Linux.Namespaces[i].Type == runtimespec.NetworkNamespace {

pkg/cri/server/sandbox_run_other.go

@@ -19,7 +19,6 @@
 package server
 
 import (
-	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/pkg/cri/annotations"
 	"github.com/containerd/containerd/snapshots"
@@ -51,11 +50,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 	return nil
 }
 
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	return []containerd.NewTaskOpts{}
-}
-
 func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
 }
 

pkg/cri/server/sandbox_run_windows.go

@@ -20,7 +20,6 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/snapshots"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -104,11 +103,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 	return nil
 }
 
-// No task options needed for windows.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
-	return nil
-}
-
 func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
 	spec.Windows.Network.NetworkNamespace = nsPath
 }