Vminitd: Add pause command

Due to us supporting a pod type now, and pid ns sharing
being quite a common thing for pods, lets add a pause container
like command to vminitd to eventually enable pid ns sharing between
containers in our variant of a pod.

This changes vminitd slightly to have pause and init (default)
commands as it seemed simpler than creating a whole new binary
to include in the guest image.

Author: dcantah

vminitd/Sources/vminitd/Application.swift

@@ -14,119 +14,34 @@
 // limitations under the License.
 //===----------------------------------------------------------------------===//
 
-import Containerization
-import ContainerizationError
-import ContainerizationOS
 import Foundation
 import Logging
-import NIOCore
-import NIOPosix
-
-#if os(Linux)
-import Musl
-import LCShim
-#endif
 
 @main
 struct Application {
-    private static let foregroundEnvVar = "FOREGROUND"
-    private static let vsockPort = 1024
-    private static let standardErrorLock = NSLock()
-
-    private static func runInForeground(_ log: Logger) throws {
-        log.info("running vminitd under pid1")
-
-        var command = Command("/sbin/vminitd")
-        command.attrs = .init(setsid: true)
-        command.stdin = .standardInput
-        command.stdout = .standardOutput
-        command.stderr = .standardError
-        command.environment = ["\(foregroundEnvVar)=1"]
-
-        try command.start()
-        _ = try command.wait()
-    }
-
-    private static func adjustLimits() throws {
-        var limits = rlimit()
-        guard getrlimit(RLIMIT_NOFILE, &limits) == 0 else {
-            throw POSIXError(.init(rawValue: errno)!)
-        }
-        limits.rlim_cur = 65536
-        limits.rlim_max = 65536
-        guard setrlimit(RLIMIT_NOFILE, &limits) == 0 else {
-            throw POSIXError(.init(rawValue: errno)!)
-        }
-    }
+    static let standardErrorLock = NSLock()
 
     @Sendable
-    private static func standardError(label: String) -> StreamLogHandler {
+    static func standardError(label: String) -> StreamLogHandler {
         standardErrorLock.withLock {
             StreamLogHandler.standardError(label: label)
         }
     }
 
     static func main() async throws {
         LoggingSystem.bootstrap(standardError)
-        var log = Logger(label: "vminitd")
-
-        try adjustLimits()
-
-        // when running under debug mode, launch vminitd as a sub process of pid1
-        // so that we get a chance to collect better logs and errors before pid1 exists
-        // and the kernel panics.
-        #if DEBUG
-        let environment = ProcessInfo.processInfo.environment
-        let foreground = environment[Self.foregroundEnvVar]
-        log.info("checking for shim var \(foregroundEnvVar)=\(String(describing: foreground))")
-
-        if foreground == nil {
-            try runInForeground(log)
-            exit(0)
-        }
-
-        // since we are not running as pid1 in this mode we must set ourselves
-        // as a subpreaper so that all child processes are reaped by us and not
-        // passed onto our parent.
-        CZ_set_sub_reaper()
-        #endif
-
-        signal(SIGPIPE, SIG_IGN)
-
-        // Because the sysctl rpc wouldn't make sense if this didn't always exist, we
-        // ALWAYS mount /proc.
-        guard Musl.mount("proc", "/proc", "proc", 0, "") == 0 else {
-            log.error("failed to mount /proc")
-            exit(1)
-        }
-        guard Musl.mount("tmpfs", "/run", "tmpfs", 0, "") == 0 else {
-            log.error("failed to mount /run")
-            exit(1)
-        }
-        try Binfmt.mount()
-
-        log.logLevel = .debug
-
-        log.info("vminitd booting")
-        let eg = MultiThreadedEventLoopGroup(numberOfThreads: System.coreCount)
-        let server = Initd(log: log, group: eg)
-
-        do {
-            log.info("serving vminitd API")
-            try await server.serve(port: vsockPort)
-            log.info("vminitd API returned, syncing filesystems")
-
-            #if os(Linux)
-            Musl.sync()
-            #endif
-        } catch {
-            log.error("vminitd boot error \(error)")
-
-            #if os(Linux)
-            Musl.sync()
-            #endif
 
-            exit(1)
+        // Parse command line arguments
+        let args = CommandLine.arguments
+        let command = args.count > 1 ? args[1] : "init"
+
+        switch command {
+        case "pause":
+            try PauseCommand.run()
+        case "init":
+            try await InitCommand.run()
+        default:
+            try await InitCommand.run()
         }
     }
 }

vminitd/Sources/vminitd/InitCommand.swift

@@ -0,0 +1,114 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2025 Apple Inc. and the Containerization project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+import Containerization
+import ContainerizationError
+import ContainerizationOS
+import Foundation
+import LCShim
+import Logging
+import Musl
+import NIOCore
+import NIOPosix
+
+struct InitCommand {
+    private static let foregroundEnvVar = "FOREGROUND"
+    private static let vsockPort = 1024
+
+    static func run() async throws {
+        let log = Logger(label: "vminitd")
+
+        try Self.adjustLimits()
+
+        // when running under debug mode, launch vminitd as a sub process of pid1
+        // so that we get a chance to collect better logs and errors before pid1 exists
+        // and the kernel panics.
+        #if DEBUG
+        let environment = ProcessInfo.processInfo.environment
+        let foreground = environment[Self.foregroundEnvVar]
+        log.info("checking for shim var \(Self.foregroundEnvVar)=\(String(describing: foreground))")
+
+        if foreground == nil {
+            try Self.runInForeground(log)
+            Musl.exit(0)
+        }
+
+        // since we are not running as pid1 in this mode we must set ourselves
+        // as a subpreaper so that all child processes are reaped by us and not
+        // passed onto our parent.
+        CZ_set_sub_reaper()
+        #endif
+
+        signal(SIGPIPE, SIG_IGN)
+
+        // Because the sysctl rpc wouldn't make sense if this didn't always exist, we
+        // ALWAYS mount /proc.
+        guard Musl.mount("proc", "/proc", "proc", 0, "") == 0 else {
+            log.error("failed to mount /proc")
+            Musl.exit(1)
+        }
+        guard Musl.mount("tmpfs", "/run", "tmpfs", 0, "") == 0 else {
+            log.error("failed to mount /run")
+            Musl.exit(1)
+        }
+        try Binfmt.mount()
+
+        log.logLevel = .debug
+
+        log.info("vminitd booting")
+        let eg = MultiThreadedEventLoopGroup(numberOfThreads: System.coreCount)
+        let server = Initd(log: log, group: eg)
+
+        do {
+            log.info("serving vminitd API")
+            try await server.serve(port: Self.vsockPort)
+            log.info("vminitd API returned, syncing filesystems")
+
+            Musl.sync()
+        } catch {
+            log.error("vminitd boot error \(error)")
+
+            Musl.sync()
+            Musl.exit(1)
+        }
+    }
+
+    private static func runInForeground(_ log: Logger) throws {
+        log.info("running vminitd under pid1")
+
+        var command = Command("/sbin/vminitd")
+        command.attrs = .init(setsid: true)
+        command.stdin = .standardInput
+        command.stdout = .standardOutput
+        command.stderr = .standardError
+        command.environment = ["\(foregroundEnvVar)=1"]
+
+        try command.start()
+        _ = try command.wait()
+    }
+
+    private static func adjustLimits() throws {
+        var limits = rlimit()
+        guard getrlimit(RLIMIT_NOFILE, &limits) == 0 else {
+            throw POSIXError(.init(rawValue: errno)!)
+        }
+        limits.rlim_cur = 65536
+        limits.rlim_max = 65536
+        guard setrlimit(RLIMIT_NOFILE, &limits) == 0 else {
+            throw POSIXError(.init(rawValue: errno)!)
+        }
+    }
+}

vminitd/Sources/vminitd/PauseCommand.swift

@@ -0,0 +1,61 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2025 Apple Inc. and the Containerization project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+import Dispatch
+import Logging
+import Musl
+
+struct PauseCommand {
+    static func run() throws {
+        let log = Logger(label: "vminitd-pause")
+
+        if getpid() != 1 {
+            log.warning("pause should be the first process")
+        }
+
+        // NOTE: For whatever reason, using signal() for the below causes a swift compiler issue.
+        // Can revert whenever that is understood.
+        let sigintSource = DispatchSource.makeSignalSource(signal: SIGINT)
+        sigintSource.setEventHandler {
+            log.info("Shutting down, got SIGINT")
+            Musl.exit(0)
+        }
+        sigintSource.resume()
+
+        let sigtermSource = DispatchSource.makeSignalSource(signal: SIGTERM)
+        sigtermSource.setEventHandler {
+            log.info("Shutting down, got SIGTERM")
+            Musl.exit(0)
+        }
+        sigtermSource.resume()
+
+        let sigchldSource = DispatchSource.makeSignalSource(signal: SIGINT)
+        sigchldSource.setEventHandler {
+            var status: Int32 = 0
+            while waitpid(-1, &status, WNOHANG) > 0 {}
+        }
+        sigchldSource.resume()
+
+        log.info("pause container running, waiting for signals...")
+
+        while true {
+            Musl.pause()
+        }
+
+        log.error("Error: infinite loop terminated")
+        Musl.exit(42)
+    }
+}

vminitd/Sources/vminitd/Server+GRPC.swift

@@ -26,7 +26,6 @@ import Logging
 import NIOCore
 import NIOPosix
 import SwiftProtobuf
-import _NIOFileSystem
 
 private let _setenv = Foundation.setenv