From f0036cb9dc049f1b003d770d1e6aab8bf153fa10 Mon Sep 17 00:00:00 2001
From: Daniel Canter
Date: Thu, 5 May 2022 20:41:11 -0700
Subject: [PATCH] windows: Add runhcs-wcow-hypervisor runtimeclass to the default config
As part of the effort of getting hypervisor isolated windows container support working for the CRI entrypoint here, add the runhcs-wcow-hypervisor handler for the default config. This sets the correct SandboxIsolation value that the Windows shim uses to differentiate process vs. hypervisor isolation. This change additionally sets the wcow-process runtime to passthrough io.microsoft.container* annotations and the hypervisor runtime to accept io.microsoft.virtualmachine* annotations. Note that for K8s users this runtime handler will need to be configured by creating the corresponding RuntimeClass resources on the cluster as it's not the default runtime.
Signed-off-by: Daniel Canter
---
pkg/cri/config/config_windows.go | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/pkg/cri/config/config_windows.go b/pkg/cri/config/config_windows.go
index f0a9c4ba3..32a66ec29 100644
--- a/pkg/cri/config/config_windows.go
+++ b/pkg/cri/config/config_windows.go
@@ -40,7 +40,28 @@ func DefaultConfig() PluginConfig {
 NoPivot: false,
 Runtimes: map[string]Runtime{
 "runhcs-wcow-process": {
- Type: "io.containerd.runhcs.v1",
+ Type: "io.containerd.runhcs.v1",
+ ContainerAnnotations: []string{"io.microsoft.container.*"},
+ },
+ "runhcs-wcow-hypervisor": {
+ Type: "io.containerd.runhcs.v1",
+ PodAnnotations: []string{"io.microsoft.virtualmachine.*"},
+ ContainerAnnotations: []string{"io.microsoft.container.*"},
+ // Full set of Windows shim options:
+ // https://pkg.go.dev/github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options#Options
+ Options: map[string]interface{}{
+ // SandboxIsolation specifies the isolation level of the sandbox.
+ // PROCESS (0) and HYPERVISOR (1) are the valid options.
+ "SandboxIsolation": 1,
+ // ScaleCpuLimitsToSandbox indicates that the containers CPU
+ // maximum value (specifies the portion of processor cycles that
+ // a container can use as a percentage times 100) should be adjusted
+ // to account for the difference in the number of cores between the
+ // host and UVM.
+ //
+ // This should only be turned on if SandboxIsolation is 1.
+ "ScaleCpuLimitsToSandbox": true,
+ },
 },
 },
 },
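Review bot: The `PodAnnotations: []string{"io.microsoft.virtualmachine.*"}` wildcard on the new runhcs-wcow-hypervisor entry forwards every matching annotation from the pod spec to the shim, so wherever workload authors can set pod annotations they can influence how the utility VM behind this stronger-isolation handler is configured; the `io.microsoft.container.*` wildcard added to both handlers has the same shape. Which of those settings the shim actually honours is not visible here, so I would not narrow the default in this commit, but the trust boundary deserves a comment so operators know to replace the wildcard with an explicit allow-list in multi-tenant clusters, e.g. above PodAnnotations: `// Pod annotations matching this pattern are passed verbatim to the shim and can tune the UVM; multi-tenant clusters should narrow this to an explicit list.` Separately, the SandboxIsolation comment lists the numeric values but runhcs-wcow-process sets no Options and presumably relies on the shim defaulting to PROCESS (0) — a one-line note on that entry saying so would keep the two handlers self-explanatory side by side. DefaultConfig begins and ends outside this hunk.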