Add shim command for launching hostprocess cntr processes #1443
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dcantah
force-pushed
the
hpc-launchprocess-shim
branch
4 times, most recently
from
191ea3b
to
5b9de5e
Compare
dcantah
force-pushed
the
hpc-launchprocess-shim
branch
2 times, most recently
from
1fea41d
to
2ac8a49
Compare
|
@kevpar Okay, this is ready for review |
dcantah
commented
Jul 1, 2022
|
@marosset @jsturtevant fyi. This should get us backwards compatibility with mounts in beta |
helsaawy
reviewed
Jul 7, 2022
| } | ||
|
|
||
| // Strip the drive letter (if there is one) so we don't end up with "%CONTAINER_SANDBOX_MOUNT_POINT%"\C:\path\to\mount | ||
| func stripDriveLetter(name string) string { |
There was a problem hiding this comment.
Do we care about pathological cases like \\?\C:\path\to\mount as well, or, worse yet, \\?\Volume{GUID}\path\?
Due to the rootfs for a hostprocess container being a bind mount that is only viewable for a process currently running in the containers silo, this poses some challenges for launching a process in the container image via CreateProcess from outside of the container. There's no usermode mechanism to join a job object/silo and then leave afterwards, so that isn't viable either. How we were working around this fact today is by launching container processes via `cmd /c C:\hpc\mybinary.exe rest of the commandline`. The reason this works is because cmd exists outside of the bind mount and should always exist, and then once cmd starts up it is able to view the bind mount as it's running in the containers silo. We can get the same functionality and keep full control of launching and managing the process by exposing a new command on our shim that we can invoke instead. This change adds in a new hidden hpc command to our shim that host process containers will make use of. It looks for a file in its working directory that contains all the info needed to launch and manage a container process. This new shim instance will join the containers silo so it can successfully see the rootfs (generally at C:\hpc) and launch processes. This also allows us to get some backwards compatible behavior for how bind mounts are handled on systems that bindflt isn't available. In addition to binding mounts to the path requested, we can additionally bind them to a relative path under the containers rootfs, which is what was done for non-bindflt machines. In addition to this change I've added some safeguards around trying to kill a process that has just recently exited and removed an unncessary environment variable workaround from the initial process launch for a container. Signed-off-by: Daniel Canter <dcanter@microsoft.com>
dcantah
force-pushed
the
hpc-launchprocess-shim
branch
from
2ac8a49
to
fabe3a3
Compare
|
Turns out this actually won't work with nested paths, and my test cases were getting lucky as they built on each other (C:\foo, and C:\foo\bar). This change makes things really ugly right now also.. I think there's an easier way we can get backwards compatibility a lot easier that I'll push shortly. We can just use symlinks like we do now for mounts for backwards compat, and use bindflt for where the mounts are actually being asked to show up |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Due to the rootfs for a hostprocess container being a bind mount that is
only viewable for a process currently running in the containers silo, this
poses some challenges for launching a process in the container image via
CreateProcess from outside of the container. There's no usermode mechanism
to join a job object/silo and then leave afterwards, so that isn't viable either.
How we were working around this fact today is by launching container processes
via
cmd /c C:\hpc\mybinary.exe rest of the commandline. The reason thisworks is because cmd exists outside of the bind mount and should always
exist, and then once cmd starts up it is able to view the bind mount as
it's running in the containers silo. We can get the same functionality
and keep full control of launching and managing the process by exposing a
new command on our shim that we can invoke instead.
This change adds in a new hidden hpc command to our shim that host process
containers will make use of. It looks for a file in its working directory
that contains all the info needed to launch and manage a container process.
This new shim instance will join the containers silo so it can successfully
see the rootfs (generally at C:\hpc) and launch processes. This also allows
us to get some backwards compatible behavior for how bind mounts are handled
on systems that bindflt isn't available. In addition to binding mounts to
the path requested, we can additionally bind them to a relative path under
the containers rootfs, which is what was done for non-bindflt machines.
In addition to this change I've added some safeguards around trying to kill
a process that has just recently exited and removed an unncessary environment
variable workaround from the initial process launch for a container.