guest: unify pod model for V1, virtual pod, and V2 shim support#2699
Open
shreyanshjain7174 wants to merge 2 commits intomicrosoft:mainfrom
Open
guest: unify pod model for V1, virtual pod, and V2 shim support#2699shreyanshjain7174 wants to merge 2 commits intomicrosoft:mainfrom
shreyanshjain7174 wants to merge 2 commits intomicrosoft:mainfrom
Conversation
shreyanshjain7174
force-pushed
the
guest-pod-unification-v2
branch
from
62fc02c to
a724fae
Compare
rawahars
requested changes
Apr 30, 2026
shreyanshjain7174
force-pushed
the
guest-pod-unification-v2
branch
from
a724fae to
ad3ee5f
Compare
rawahars
requested changes
May 4, 2026
shreyanshjain7174
force-pushed
the
guest-pod-unification-v2
branch
from
ad3ee5f to
f51f773
Compare
rawahars
reviewed
May 4, 2026
rawahars
reviewed
May 4, 2026
Replace the separate VirtualPod tracking (dedicated type, exported
methods, parent cgroup manager, reverse-lookup map) with a unified
uvmPod type and a single pods map on Host. All pod types (V1 sandbox,
virtual pod, V2 shim) now go through the same code path:
- createPodInUVM allocates a cgroup under /pods/{sandboxID}
- RemoveContainer handles cleanup uniformly
Cgroup hierarchy changes from:
/containers/{id} (V1 sandbox)
/containers/virtual-pods/{virtualPodID} (virtual pod)
to:
/pods/{sandboxID} (all pod types)
/pods/{sandboxID}/{containerID} (workload containers)
Signed-off-by: Shreyansh Jain <shreyanshjain7174@gmail.com>
Signed-off-by: Shreyansh Sancheti <shsancheti@microsoft.com>
shreyanshjain7174
force-pushed
the
guest-pod-unification-v2
branch
from
f51f773 to
32802d9
Compare
…ID assign - Lock containersMutex over the entire createPodInUVM method instead of the double-check pattern. - Assign sandboxID directly from annotation without intermediate sid variable in the early resolution block. Signed-off-by: Shreyansh Jain <shreyanshjain7174@gmail.com> Signed-off-by: Shreyansh Sancheti <shsancheti@microsoft.com>
rawahars
reviewed
May 7, 2026
| spec.Linux.CgroupsPath = "/containers/" + id | ||
| // Set cgroup path under the pod. | ||
| sandboxID := id | ||
| if vpID := spec.Annotations[annotations.VirtualPodID]; vpID != "" { |
Contributor
There was a problem hiding this comment.
nit: You have virtualSandboxID from above. You can consolidate them.
rawahars
reviewed
May 7, 2026
| if vpID := spec.Annotations[annotations.VirtualPodID]; vpID != "" { | ||
| sandboxID = vpID | ||
| } | ||
| spec.Linux.CgroupsPath = "/pods/" + sandboxID |
Contributor
There was a problem hiding this comment.
Please do the following tests-
- Run a pod with cgroup resources set at pod level. Run 3 containers such that 2 normal containers do not consume much memory but 3rd one is OOM. Then the entire pod should be killed.
- Run a pod with cgroup resources set at pod level. Run 3 containers such that 2 normal containers do not consume much memory. 3rd one has cgroup limit set and is lower than pod limit. This time when 3rd one OOMs, only 3rd container should be killed.
rawahars
reviewed
May 7, 2026
| } | ||
| } | ||
|
|
||
| // Normally we would be doing policy checking here at the start of our |
Contributor
There was a problem hiding this comment.
please add these comments after modifying.
rawahars
reviewed
May 7, 2026
| } | ||
| h.containersMutex.Unlock() | ||
| } else { | ||
| // Capture namespaceID if any because setupStandaloneContainerSpec clears the Windows section. |
Contributor
There was a problem hiding this comment.
nit: Please add comments back.
rawahars
reviewed
May 7, 2026
| return fmt.Errorf("virtual pod %s does not exist", virtualSandboxID) | ||
| h.pods[sid] = &uvmPod{ | ||
| sandboxID: sid, | ||
| networkNamespace: nsID, |
Contributor
There was a problem hiding this comment.
nit: Please check if you are using networkNamespace and cgroupPath anywhere.
rawahars
reviewed
May 7, 2026
| } | ||
|
|
||
| // Register container with its pod. | ||
| h.containersMutex.Lock() |
Contributor
There was a problem hiding this comment.
Please move this block to front after resolving sandboxID.
Return error if pod or container already exists.
rawahars
reviewed
May 7, 2026
| spec.Linux.CgroupsPath = "/containers/" + id | ||
| } | ||
| // Set cgroup path under the sandbox's pod cgroup. | ||
| spec.Linux.CgroupsPath = "/pods/" + sbid + "/" + id |
Contributor
There was a problem hiding this comment.
nit: Can you please convert the format as a constant.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The GCS guest runtime (
internal/guest/runtime/hcsv2/uvm.go) tracks virtual pods separately from V1 sandbox containers — a dedicatedVirtualPodtype, seven exported methods, a parent cgroup manager, and a reverse-lookup map. V1 sandboxes have no pod-level tracking at all. Adding V2 shim support would need a third path.This collapses all three into one: a private
uvmPodtype and a singlepodsmap onHost. Every sandbox — V1, virtual pod, or V2 shim — goes throughcreatePodInUVM, which allocates a cgroup under/pods/{sandboxID}. Workload containers nest at/pods/{sandboxID}/{containerID}. Container-to-pod membership is tracked viaaddContainerToPod. Cleanup inRemoveContaineris a single code path: remove the container from the pod, and when the sandbox container itself is removed, delete the pod's cgroup.Cgroup hierarchy changes from:
to:
Standalone (non-CRI) containers keep their own cgroup at
/pods/{id}with no pod entry — same isolation as before, just under the new prefix.Network namespace teardown for virtual pod sandboxes is preserved:
RemoveContainerskipsRemoveNetworkNamespacefor virtual pod sandbox containers since the host-driven path (TearDownNetworking→RemoveNetNS→removeNIC) handles adapter removal first.cmd/gcs/main.goreplaces the/containers/virtual-podsparent cgroup with/podsand drops theInitializeVirtualPodSupportcall.Tested E2E with both shims:
io.containerd.runhcs.v1)io.containerd.lcow.v2)/run/gcs/c/<podId>/run/gcs/pods/<podId>/<podId>/sys/fs/cgroup/memory/pods/<podId>/sys/fs/cgroup/memory/pods/<podId>/containers/virtual-pods/