[pull] main from containerd:main

internal/cri/nri/nri_api_linux.go

@@ -1013,10 +1013,36 @@ func (c *criContainer) GetSysctl() map[string]string {
 	return maps.Clone(c.spec.Linux.Sysctl)
 }
 
+func (c *criContainer) GetSeccompPolicy() *api.LinuxSeccomp {
+	if c.spec.Linux == nil || c.spec.Linux.Seccomp == nil {
+		return nil
+	}
+
+	return api.FromOCILinuxSeccomp(c.spec.Linux.Seccomp)
+}
+
 func (c *criContainer) GetPid() uint32 {
 	return c.pid
 }
 
+func (c *criContainer) GetRlimits() []*api.POSIXRlimit {
+	if c.spec == nil {
+		return nil
+	}
+
+	var rlimits []*api.POSIXRlimit
+
+	for _, l := range c.spec.Process.Rlimits {
+		rlimits = append(rlimits, &api.POSIXRlimit{
+			Type: l.Type,
+			Hard: l.Hard,
+			Soft: l.Soft,
+		})
+	}
+
+	return rlimits
+}
+
 //
 // conversion to/from CRI types
 //

internal/cri/server/container_checkpoint_linux.go

@@ -488,7 +488,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	if state != runtime.ContainerState_CONTAINER_RUNNING {
 		return nil, fmt.Errorf(
 			"container %q is in %s state. only %s containers can be checkpointed",
-			r.GetContainerId(),
+			container.ID,
 			criContainerStateToString(state),
 			criContainerStateToString(runtime.ContainerState_CONTAINER_RUNNING),
 		)
@@ -515,11 +515,11 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 
 	task, err := container.Container.Task(ctx, nil)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get task for container %q: %w", r.GetContainerId(), err)
+		return nil, fmt.Errorf("failed to get task for container %q: %w", container.ID, err)
 	}
-	img, err := task.Checkpoint(ctx, []client.CheckpointTaskOpts{withCheckpointOpts(i.Runtime.Name, c.getContainerRootDir(r.GetContainerId()))}...)
+	img, err := task.Checkpoint(ctx, []client.CheckpointTaskOpts{withCheckpointOpts(i.Runtime.Name, c.getContainerRootDir(container.ID))}...)
 	if err != nil {
-		return nil, fmt.Errorf("checkpointing container %q failed: %w", r.GetContainerId(), err)
+		return nil, fmt.Errorf("checkpointing container %q failed: %w", container.ID, err)
 	}
 
 	// the checkpoint image has been provided as an index with manifests representing the tar of criu data, the rw layer, and the config
@@ -542,7 +542,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 		return nil, fmt.Errorf("failed to unmarshall blob into checkpoint data OCI index: %w", err)
 	}
 
-	cpPath := filepath.Join(c.getContainerRootDir(r.GetContainerId()), "ctrd-checkpoint")
+	cpPath := filepath.Join(c.getContainerRootDir(container.ID), "ctrd-checkpoint")
 	if err := os.MkdirAll(cpPath, 0o700); err != nil {
 		return nil, err
 	}
@@ -551,7 +551,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	// This internal containerd file is used by checkpointctl for
 	// checkpoint archive analysis.
 	if err := c.os.CopyFile(
-		filepath.Join(c.getContainerRootDir(r.GetContainerId()), crmetadata.StatusFile),
+		filepath.Join(c.getContainerRootDir(container.ID), crmetadata.StatusFile),
 		filepath.Join(cpPath, crmetadata.StatusFile),
 		0o600,
 	); err != nil {
@@ -561,7 +561,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	// This file is created by CRIU and includes timing analysis.
 	// Also used by checkpointctl
 	if err := c.os.CopyFile(
-		filepath.Join(c.getContainerRootDir(r.GetContainerId()), stats.StatsDump),
+		filepath.Join(c.getContainerRootDir(container.ID), stats.StatsDump),
 		filepath.Join(cpPath, stats.StatsDump),
 		0o600,
 	); err != nil {
@@ -571,7 +571,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	// The log file created by CRIU. This file could be missing.
 	// Let's ignore errors if the file is missing.
 	if err := c.os.CopyFile(
-		filepath.Join(c.getContainerRootDir(r.GetContainerId()), crmetadata.DumpLogFile),
+		filepath.Join(c.getContainerRootDir(container.ID), crmetadata.DumpLogFile),
 		filepath.Join(cpPath, crmetadata.DumpLogFile),
 		0o600,
 	); err != nil {
@@ -645,7 +645,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 
 	containerCheckpointTimer.WithValues(i.Runtime.Name).UpdateSince(start)
 
-	log.G(ctx).Infof("Wrote checkpoint archive to %s for %s", outFile.Name(), r.GetContainerId())
+	log.G(ctx).Infof("Wrote checkpoint archive to %s for %s", outFile.Name(), container.ID)
 
 	return &runtime.CheckpointContainerResponse{}, nil
 }

internal/nri/container.go

@@ -47,6 +47,7 @@ type Container interface {
 	GetHooks() *nri.Hooks
 	GetLinuxContainer() LinuxContainer
 	GetCDIDevices() []*nri.CDIDevice
+	GetRlimits() []*nri.POSIXRlimit
 }
 
 type LinuxContainer interface {
@@ -61,6 +62,7 @@ type LinuxContainer interface {
 	GetRdt() *nri.LinuxRdt
 	GetSeccompProfile() *nri.SecurityProfile
 	GetSysctl() map[string]string
+	GetSeccompPolicy() *nri.LinuxSeccomp
 }
 
 func commonContainerToNRI(ctr Container) *nri.Container {
@@ -82,6 +84,7 @@ func commonContainerToNRI(ctr Container) *nri.Container {
 		StartedAt:    status.StartedAt,
 		FinishedAt:   status.FinishedAt,
 		ExitCode:     status.ExitCode,
+		Rlimits:      ctr.GetRlimits(),
 	}
 }
 

internal/nri/container_linux.go

@@ -37,6 +37,7 @@ func containerToNRI(ctr Container) *nri.Container {
 		Rdt:            lnxCtr.GetRdt(),
 		SeccompProfile: lnxCtr.GetSeccompProfile(),
 		Sysctl:         lnxCtr.GetSysctl(),
+		SeccompPolicy:  lnxCtr.GetSeccompPolicy(),
 	}
 	return nriCtr
 }