Adds cgroup path to CreateVMResponse

This commit adds a response to CreateVM. The CreateVMResponse contains
the CgroupPath field that will be returned when jailing is enabled.

Signed-off-by: xibz <[email protected]>

Author: xibz

firecracker-control/local.go

@@ -78,7 +78,7 @@ func newLocal(ic *plugin.InitContext) (*local, error) {
 // CreateVM creates new Firecracker VM instance. It creates a runtime shim for the VM and the forwards
 // the CreateVM request to that shim. If there is already a VM created with the provided VMID, then
 // AlreadyExists is returned.
-func (s *local) CreateVM(requestCtx context.Context, req *proto.CreateVMRequest) (*empty.Empty, error) {
+func (s *local) CreateVM(requestCtx context.Context, req *proto.CreateVMRequest) (*proto.CreateVMResponse, error) {
 	var err error
 
 	id := req.GetVMID()

firecracker-control/service.go

@@ -67,7 +67,7 @@ func (s *service) RegisterTTRPC(server *ttrpc.Server) error {
 	return nil
 }
 
-func (s *service) CreateVM(ctx context.Context, req *proto.CreateVMRequest) (*empty.Empty, error) {
+func (s *service) CreateVM(ctx context.Context, req *proto.CreateVMRequest) (*proto.CreateVMResponse, error) {
 	log.G(ctx).Debugf("create VM request: %+v", req)
 	return s.local.CreateVM(ctx, req)
 }

proto/firecracker.pb.go

@@ -36,6 +36,10 @@ message CreateVMRequest {
     JailerConfig JailerConfig = 10;
 }
 
+message CreateVMResponse {
+    string CgroupPath = 1;
+}
+
 message StopVMRequest {
     string VMID = 1;
     uint32 TimeoutSeconds = 2;

proto/firecracker.proto

@@ -8,7 +8,7 @@ option go_package = "fccontrol";
 
 service Firecracker {
     // Runs new Firecracker VM instance
-    rpc CreateVM(CreateVMRequest) returns (google.protobuf.Empty);
+    rpc CreateVM(CreateVMRequest) returns (CreateVMResponse);
 
     // Stops existing Firecracker instance by VM ID
     rpc StopVM(StopVMRequest) returns (google.protobuf.Empty);

proto/service/fccontrol/fccontrol.proto

@@ -57,6 +57,10 @@ type jailer interface {
 	StubDrivesOptions() []stubDrivesOpt
 }
 
+type cgroupPather interface {
+	CgroupPath() string
+}
+
 // newJailer is used to construct a jailer from the CreateVM request. If no
 // request or jailer config was provided, then the noopJailer will be returned.
 func newJailer(
@@ -72,5 +76,5 @@ func newJailer(
 	}
 
 	l := logger.WithField("jailer", "runc")
-	return newRuncJailer(ctx, l, ociBundlePath, service.config.JailerConfig.RuncBinaryPath, jailerUID, jailerGID)
+	return newRuncJailer(ctx, l, ociBundlePath, service, jailerUID, jailerGID)
 }

proto/service/fccontrol/ttrpc/fccontrol.pb.go

@@ -72,3 +72,8 @@ func (j noopJailer) StubDrivesOptions() []stubDrivesOpt {
 	j.logger.Debug("noop operation for StubDrivesOptions")
 	return []stubDrivesOpt{}
 }
+
+func (j noopJailer) CgroupPath() string {
+	j.logger.Debug("noop operation for CgroupPath")
+	return ""
+}

runtime/jailer.go

@@ -45,19 +45,21 @@ type runcJailer struct {
 	runcBinaryPath string
 	uid            uint32
 	gid            uint32
+	vmID           string
 }
 
-func newRuncJailer(ctx context.Context, logger *logrus.Entry, ociBundlePath, runcBinPath string, uid, gid uint32) (*runcJailer, error) {
+func newRuncJailer(ctx context.Context, logger *logrus.Entry, ociBundlePath string, service *service, uid, gid uint32) (*runcJailer, error) {
 	l := logger.WithField("ociBundlePath", ociBundlePath).
-		WithField("runcBinaryPath", runcBinPath)
+		WithField("runcBinaryPath", service.config.JailerConfig.RuncBinaryPath)
 
 	j := &runcJailer{
 		ctx:            ctx,
 		logger:         l,
 		ociBundlePath:  ociBundlePath,
-		runcBinaryPath: runcBinPath,
+		runcBinaryPath: service.config.JailerConfig.RuncBinaryPath,
 		uid:            uid,
 		gid:            gid,
+		vmID:           service.vmID,
 	}
 
 	rootPath := j.RootPath()
@@ -371,6 +373,10 @@ func (j runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string)
 	return nil
 }
 
+func (j runcJailer) CgroupPath() string {
+	return filepath.Join("/firecracker-containerd", j.vmID)
+}
+
 // setDefaultConfigValues will process the spec file provided and allow any
 // empty/zero values to be replaced with default values.
 func (j runcJailer) setDefaultConfigValues(cfg *Config, socketPath string, spec specs.Spec) specs.Spec {
@@ -389,6 +395,8 @@ func (j runcJailer) setDefaultConfigValues(cfg *Config, socketPath string, spec
 		spec.Process.Args = cmd.Args
 	}
 
+	spec.Linux.CgroupsPath = j.CgroupPath()
+
 	return spec
 }
 

runtime/noop_jailer.go

@@ -52,7 +52,12 @@ func TestBuildJailedRootHandler_Isolated(t *testing.T) {
 	defer firecrackerFd.Close()
 
 	l := logrus.NewEntry(logrus.New())
-	jailer, err := newRuncJailer(context.Background(), l, dir, "bin-path", 123, 456)
+	s := &service{
+		config: &Config{
+			JailerConfig: JailerConfig{},
+		},
+	}
+	jailer, err := newRuncJailer(context.Background(), l, dir, s, 123, 456)
 	require.NoError(t, err, "failed to create runc jailer")
 
 	cfg := Config{

runtime/runc_jailer.go

@@ -407,12 +407,13 @@ func (s *service) waitVMReady() error {
 
 // CreateVM will attempt to create the VM as specified in the provided request, but only on the first request
 // received. Any subsequent requests will be ignored and get an AlreadyExists error response.
-func (s *service) CreateVM(requestCtx context.Context, request *proto.CreateVMRequest) (*empty.Empty, error) {
+func (s *service) CreateVM(requestCtx context.Context, request *proto.CreateVMRequest) (*proto.CreateVMResponse, error) {
 	defer logPanicAndDie(s.logger)
 
 	var (
 		err       error
 		createRan bool
+		resp      proto.CreateVMResponse
 	)
 
 	s.vmStartOnce.Do(func() {
@@ -442,7 +443,11 @@ func (s *service) CreateVM(requestCtx context.Context, request *proto.CreateVMRe
 
 	// let all the other methods know that the VM is ready for tasks
 	close(s.vmReady)
-	return &empty.Empty{}, nil
+
+	if c, ok := s.jailer.(cgroupPather); ok {
+		resp.CgroupPath = c.CgroupPath()
+	}
+	return &resp, nil
 }
 
 func (s *service) publishVMStart() error {