Launch sandboxed containers from task service

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>

containers/containers.go

@@ -78,6 +78,8 @@ type Container struct {
 	Extensions map[string]typeurl.Any
 
 	// SandboxID is an identifier of sandbox this container belongs to.
+	//
+	// This property is optional, but can't be changed after creation.
 	SandboxID string
 }
 

runtime/runtime.go

@@ -49,6 +49,8 @@ type CreateOpts struct {
 	// Runtime name to use (e.g. `io.containerd.NAME.VERSION`).
 	// As an alternative full abs path to binary may be specified instead.
 	Runtime string
+	// SandboxID is an optional ID of sandbox this container belongs to
+	SandboxID string
 }
 
 // Exit information for a process

runtime/v2/manager.go

@@ -373,10 +373,23 @@ func (m *TaskManager) ID() string {
 
 // Create launches new shim instance and creates new task
 func (m *TaskManager) Create(ctx context.Context, taskID string, opts runtime.CreateOpts) (runtime.Task, error) {
-	process, err := m.manager.Start(ctx, taskID, opts)
+	var (
+		process ShimProcess
+		err     error
+	)
+
+	if opts.SandboxID != "" {
+		// This container belongs to sandbox which supposed to be already started via sandbox API.
+		process, err = m.manager.Get(ctx, opts.SandboxID)
+		if err != nil {
+			return nil, fmt.Errorf("can't find sandbox %s", opts.SandboxID)
+		}
+	} else {
+		process, err = m.manager.Start(ctx, taskID, opts)
 		if err != nil {
 			return nil, fmt.Errorf("failed to start shim: %w", err)
 		}
+	}
 
 	// Cast to shim task and call task service to create a new container task instance.
 	// This will not be required once shim service / client implemented.

sandbox/controller.go

@@ -22,8 +22,7 @@ import (
 	"github.com/gogo/protobuf/types"
 )
 
-// Controller is an interface to manage a runtime sandbox instance (runtimes's SandboxManager)
+// Controller is an interface to manage sandboxes at runtime.
-// SandboxRuntime is responsible for the sandbox instances lifecycle management.
 // When running the traditional containerd shim, the workflow looks as follows:
 // For each new task we're about to run:
 //  1. Invoke `shim_binary --start` to obtain `TaskService` address (printed in stdout)
@@ -33,8 +32,9 @@ import (
 //  5. TaskService.RunContainer(id=2)
 //  6. Exec `shim_binary --delete` to stop shim
 //
-// When running in sandbox mode, shim must implement `SandboxService`. In sandbox mode shim lifetimes are managed manually.
+// When running in sandbox mode, shim must implement `SandboxService`.
-// 	1. Client calls `client.Controller.Start()` to launch new shim and create sandbox process
+// In sandbox mode shim lifetimes are managed manually via sandbox API.
+//  1. Client calls `client.SandboxController.Start()` to launch new shim and create sandbox process
 //  2. Run containers with `shim.TaskService.RunContainer(id=1)` and another one `shim.TaskService.RunContainer(id=2)`
 //  3. ... usual container lifecycle calls to `shim.TaskService`
 //  4. Client calls shim to stop the sandbox with `client.SandboxService.Shutdown()`

services/tasks/local.go

@@ -200,6 +200,7 @@ func (l *local) Create(ctx context.Context, r *api.CreateTaskRequest, _ ...grpc.
 		Runtime:        container.Runtime.Name,
 		RuntimeOptions: container.Runtime.Options,
 		TaskOptions:    r.Options,
+		SandboxID:      container.SandboxID,
 	}
 	if r.RuntimePath != "" {
 		opts.Runtime = r.RuntimePath