From 0dc9582295d8df173c714f762375a4b624185ae9 Mon Sep 17 00:00:00 2001
From: ningmingxiao
Date: Thu, 8 Jan 2026 20:27:59 +0800
Subject: [PATCH 1/3] cri: fix checkpoint failed with short id
Signed-off-by: ningmingxiao
---
 .../cri/server/container_checkpoint_linux.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/internal/cri/server/container_checkpoint_linux.go b/internal/cri/server/container_checkpoint_linux.go
index b54963ae8676..de6f287f7998 100644
--- a/internal/cri/server/container_checkpoint_linux.go
+++ b/internal/cri/server/container_checkpoint_linux.go
@@ -488,7 +488,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 if state != runtime.ContainerState_CONTAINER_RUNNING {
 return nil, fmt.Errorf(
 "container %q is in %s state. only %s containers can be checkpointed",
- r.GetContainerId(),
+ container.ID,
 criContainerStateToString(state),
 criContainerStateToString(runtime.ContainerState_CONTAINER_RUNNING),
 )
@@ -515,11 +515,11 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 task, err := container.Container.Task(ctx, nil)
 if err != nil {
- return nil, fmt.Errorf("failed to get task for container %q: %w", r.GetContainerId(), err)
+ return nil, fmt.Errorf("failed to get task for container %q: %w", container.ID, err)
 }
- img, err := task.Checkpoint(ctx, []client.CheckpointTaskOpts{withCheckpointOpts(i.Runtime.Name, c.getContainerRootDir(r.GetContainerId()))}...)
+ img, err := task.Checkpoint(ctx, []client.CheckpointTaskOpts{withCheckpointOpts(i.Runtime.Name, c.getContainerRootDir(container.ID))}...)
 if err != nil {
- return nil, fmt.Errorf("checkpointing container %q failed: %w", r.GetContainerId(), err)
+ return nil, fmt.Errorf("checkpointing container %q failed: %w", container.ID, err)
 }
 // the checkpoint image has been provided as an index with manifests representing the tar of criu data, the rw layer, and the config
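Review bot: `c.getContainerRootDir(container.ID)` is evaluated at the `task.Checkpoint` call in the -515 hunk and again in the hunks at -542, -551, -561 and -571; computing it once, e.g. `rootDir := c.getContainerRootDir(container.ID)`, and reusing `rootDir` in each `filepath.Join` would make it easy to audit that every checkpoint path derives from the store-resolved ID rather than from request input. CheckpointContainer's body extends outside all of these hunks, so any `r.GetContainerId()` still used for path construction in the parts not shown should be checked as well. A regression test that checkpoints a container addressed by its short ID would pin the fix.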
@@ -542,7 +542,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 return nil, fmt.Errorf("failed to unmarshall blob into checkpoint data OCI index: %w", err)
 }
- cpPath := filepath.Join(c.getContainerRootDir(r.GetContainerId()), "ctrd-checkpoint")
+ cpPath := filepath.Join(c.getContainerRootDir(container.ID), "ctrd-checkpoint")
 if err := os.MkdirAll(cpPath, 0o700); err != nil {
 return nil, err
 }
@@ -551,7 +551,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 // This internal containerd file is used by checkpointctl for
 // checkpoint archive analysis.
 if err := c.os.CopyFile(
- filepath.Join(c.getContainerRootDir(r.GetContainerId()), crmetadata.StatusFile),
+ filepath.Join(c.getContainerRootDir(container.ID), crmetadata.StatusFile),
 filepath.Join(cpPath, crmetadata.StatusFile),
 0o600,
 ); err != nil {
@@ -561,7 +561,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 // This file is created by CRIU and includes timing analysis.
 // Also used by checkpointctl
 if err := c.os.CopyFile(
- filepath.Join(c.getContainerRootDir(r.GetContainerId()), stats.StatsDump),
+ filepath.Join(c.getContainerRootDir(container.ID), stats.StatsDump),
 filepath.Join(cpPath, stats.StatsDump),
 0o600,
 ); err != nil {
@@ -571,7 +571,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 // The log file created by CRIU. This file could be missing.
 // Let's ignore errors if the file is missing.
 if err := c.os.CopyFile(
- filepath.Join(c.getContainerRootDir(r.GetContainerId()), crmetadata.DumpLogFile),
+ filepath.Join(c.getContainerRootDir(container.ID), crmetadata.DumpLogFile),
 filepath.Join(cpPath, crmetadata.DumpLogFile),
 0o600,
 ); err != nil {
@@ -645,7 +645,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 containerCheckpointTimer.WithValues(i.Runtime.Name).UpdateSince(start)
- log.G(ctx).Infof("Wrote checkpoint archive to %s for %s", outFile.Name(), r.GetContainerId())
+ log.G(ctx).Infof("Wrote checkpoint archive to %s for %s", outFile.Name(), container.ID)
 return &runtime.CheckpointContainerResponse{}, nil
 }
From 7b85525cfee51d0b306cd1e1278e21365077213a Mon Sep 17 00:00:00 2001
From: Krisztian Litkey
Date: Fri, 9 Jan 2026 10:20:03 +0200
Subject: [PATCH 2/3] cri,nri: pass any POSIX rlimits to plugins.
Signed-off-by: Krisztian Litkey
---
 internal/cri/nri/nri_api_linux.go | 18 ++++++++++++++++++
 internal/nri/container.go | 2 ++
 2 files changed, 20 insertions(+)
diff --git a/internal/cri/nri/nri_api_linux.go b/internal/cri/nri/nri_api_linux.go
index c6f1a0e5136a..cf4ab845f1b4 100644
--- a/internal/cri/nri/nri_api_linux.go
+++ b/internal/cri/nri/nri_api_linux.go
@@ -1017,6 +1017,24 @@ func (c *criContainer) GetPid() uint32 {
 return c.pid
 }
+func (c *criContainer) GetRlimits() []*api.POSIXRlimit {
+ if c.spec == nil {
+ return nil
+ }
+
+ var rlimits []*api.POSIXRlimit
+
+ for _, l := range c.spec.Process.Rlimits {
+ rlimits = append(rlimits, &api.POSIXRlimit{
+ Type: l.Type,
+ Hard: l.Hard,
+ Soft: l.Soft,
+ })
+ }
+
+ return rlimits
+}
+
 //
 // conversion to/from CRI types
 //
diff --git a/internal/nri/container.go b/internal/nri/container.go
index c7980367618c..4dc288370159 100644
--- a/internal/nri/container.go
+++ b/internal/nri/container.go
@@ -47,6 +47,7 @@ type Container interface {
 GetHooks() *nri.Hooks
 GetLinuxContainer() LinuxContainer
 GetCDIDevices() []*nri.CDIDevice
+ GetRlimits() []*nri.POSIXRlimit
 }
 type LinuxContainer interface {
@@ -82,6 +83,7 @@ func commonContainerToNRI(ctr Container) *nri.Container {
 StartedAt: status.StartedAt,
 FinishedAt: status.FinishedAt,
 ExitCode: status.ExitCode,
+ Rlimits: ctr.GetRlimits(),
 }
 }
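Review bot: `GetRlimits` in the nri_api_linux.go hunk guards `c.spec == nil` but then ranges over `c.spec.Process.Rlimits`, so a spec without a process section would panic if `Process` is a pointer field, as it is in the OCI runtime-spec Go types. The guard should read `if c.spec == nil || c.spec.Process == nil {`. The new exported method also has no doc comment; something like `// GetRlimits returns the POSIX rlimits from the container's OCI spec, or nil when the spec has no process section.` would state the nil contract that `commonContainerToNRI` now relies on.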
From cfec4b30a72d8a37f39d1981ccfcf3e3e82bebc9 Mon Sep 17 00:00:00 2001
From: Krisztian Litkey
Date: Fri, 9 Jan 2026 14:30:32 +0200
Subject: [PATCH 3/3] cri,nri: pass seccomp policy to plugins.
Signed-off-by: Krisztian Litkey
---
 internal/cri/nri/nri_api_linux.go | 8 ++++++++
 internal/nri/container.go | 1 +
 internal/nri/container_linux.go | 1 +
 3 files changed, 10 insertions(+)
diff --git a/internal/cri/nri/nri_api_linux.go b/internal/cri/nri/nri_api_linux.go
index cf4ab845f1b4..374dcae1a714 100644
--- a/internal/cri/nri/nri_api_linux.go
+++ b/internal/cri/nri/nri_api_linux.go
@@ -1013,6 +1013,14 @@ func (c *criContainer) GetSysctl() map[string]string {
 return maps.Clone(c.spec.Linux.Sysctl)
 }
+func (c *criContainer) GetSeccompPolicy() *api.LinuxSeccomp {
+ if c.spec.Linux == nil || c.spec.Linux.Seccomp == nil {
+ return nil
+ }
+
+ return api.FromOCILinuxSeccomp(c.spec.Linux.Seccomp)
+}
+
 func (c *criContainer) GetPid() uint32 {
 return c.pid
 }
diff --git a/internal/nri/container.go b/internal/nri/container.go
index 4dc288370159..ab1cd14eab7c 100644
--- a/internal/nri/container.go
+++ b/internal/nri/container.go
@@ -62,6 +62,7 @@ type LinuxContainer interface {
 GetRdt() *nri.LinuxRdt
 GetSeccompProfile() *nri.SecurityProfile
 GetSysctl() map[string]string
+ GetSeccompPolicy() *nri.LinuxSeccomp
 }
 func commonContainerToNRI(ctr Container) *nri.Container {
diff --git a/internal/nri/container_linux.go b/internal/nri/container_linux.go
index a0bb93cd4d23..a956ee8fa7d0 100644
--- a/internal/nri/container_linux.go
+++ b/internal/nri/container_linux.go
@@ -37,6 +37,7 @@ func containerToNRI(ctr Container) *nri.Container {
 Rdt: lnxCtr.GetRdt(),
 SeccompProfile: lnxCtr.GetSeccompProfile(),
 Sysctl: lnxCtr.GetSysctl(),
+ SeccompPolicy: lnxCtr.GetSeccompPolicy(),
 }
 return nriCtr
 }
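Review bot: `GetSeccompPolicy` in the nri_api_linux.go hunk dereferences `c.spec.Linux` without first checking `c.spec`, whereas `GetRlimits`, added to the same file in patch 2/3, returns early on `c.spec == nil`. Unless the spec is guaranteed non-nil for these getters, the guard should be `if c.spec == nil || c.spec.Linux == nil || c.spec.Linux.Seccomp == nil {`. The method also sits directly beside the existing `GetSeccompProfile` in the `LinuxContainer` interface (container.go hunk at -62) with nothing explaining the difference; a doc comment such as `// GetSeccompPolicy returns the container's OCI seccomp configuration converted to the NRI type, or nil if none is set.` would help. Since the subject says the policy is passed to plugins, the documentation should also record whether plugins receive it read-only, which these hunks do not show.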