windows: Add runhcs-wcow-hypervisor runtimeclass to the default config

As part of the effort of getting hypervisor isolated windows container support working for the CRI entrypoint here, add the runhcs-wcow-hypervisor handler for the default config. This sets the correct SandboxIsolation value that the Windows shim uses to differentiate process vs. hypervisor isolation. This change additionally sets the wcow-process runtime to passthrough io.microsoft.container* annotations and the hypervisor runtime to accept io.microsoft.virtualmachine* annotations. Note that for K8s users this runtime handler will need to be configured by creating the corresponding RuntimeClass resources on the cluster as it's not the default runtime. Signed-off-by: Daniel Canter <dcanter@microsoft.com>
2022-05-05 20:41:11 -07:00 · 2022-05-05 20:41:11 -07:00 · f0036cb9dc
commit f0036cb9dc
parent f4a905109b
1 changed files with 22 additions and 1 deletions
--- a/pkg/cri/config/config_windows.go
+++ b/pkg/cri/config/config_windows.go
@ -40,7 +40,28 @@ func DefaultConfig() PluginConfig {
 			NoPivot:            false,
 			Runtimes: map[string]Runtime{
 				"runhcs-wcow-process": {
-					Type: "io.containerd.runhcs.v1",
+					Type:                 "io.containerd.runhcs.v1",
+					ContainerAnnotations: []string{"io.microsoft.container.*"},
+				},
+				"runhcs-wcow-hypervisor": {
+					Type:                 "io.containerd.runhcs.v1",
+					PodAnnotations:       []string{"io.microsoft.virtualmachine.*"},
+					ContainerAnnotations: []string{"io.microsoft.container.*"},
+					// Full set of Windows shim options:
+					// https://pkg.go.dev/github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options#Options
+					Options: map[string]interface{}{
+						// SandboxIsolation specifies the isolation level of the sandbox.
+						// PROCESS (0) and HYPERVISOR (1) are the valid options.
+						"SandboxIsolation": 1,
+						// ScaleCpuLimitsToSandbox indicates that the containers CPU
+						// maximum value (specifies the portion of processor cycles that
+						// a container can use as a percentage times 100) should be adjusted
+						// to account for the difference in the number of cores between the
+						// host and UVM.
+						//
+						// This should only be turned on if SandboxIsolation is 1.
+						"ScaleCpuLimitsToSandbox": true,
+					},
 				},
 			},
 		},