From e9e82ce28b0e25255f56ea5f2a391f839bf3b0fe Mon Sep 17 00:00:00 2001
From: Peng Tao
Date: Mon, 12 Dec 2022 09:52:27 +0000
Subject: [PATCH 1/4] runtime-rs: fix is_pid_namespace_enabled check

We should test is_pid_namespace_enabled before amending the container spec, where the pid namespace path is cleared and resulting sandbox_pidns to always being false.

Fixes: #5881
Signed-off-by: Peng Tao
---
 .../runtimes/virt_container/src/container_manager/container.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
index ded8f0a45..fcc36957a 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -81,8 +81,8 @@ impl Container {
         let mut inner = self.inner.write().await;
         let toml_config = self.resource_manager.config().await;
         let config = &self.config;
-        amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("amend spec")?;
         let sandbox_pidns = is_pid_namespace_enabled(&spec);
+        amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("amend spec")?;
 
         // handler rootfs
         let rootfs = self

From 5b6596f54e38455382f85fc96c579b7eb2aa00b1 Mon Sep 17 00:00:00 2001
From: Peng Tao
Date: Mon, 12 Dec 2022 09:49:04 +0000
Subject: [PATCH 2/4] runtime-rs: CreateContainerRequest has Default

We can just use it to initialize the default fields.

Signed-off-by: Peng Tao
---
 .../virt_container/src/container_manager/container.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
index fcc36957a..e5851fbd5 100644
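Review bot: The swap of the `let sandbox_pidns` and `amend_spec(...)` lines carries an invisible ordering dependency: `amend_spec()` clears the host pid namespace path that `is_pid_namespace_enabled()` evidently inspects, and nothing in the code says so, so the next person tidying these lines can reintroduce exactly the regression this patch fixes (#5881). Add a comment above `let sandbox_pidns`, e.g. `// Must run before amend_spec(), which strips the host pid namespace path that is_pid_namespace_enabled() reads; see #5881.` Judging by the `sandbox_pidns` field on `CreateContainerRequest` in the next patch, this value governs whether the container shares the sandbox pid namespace in the guest, so a silently wrong `false` here changes process isolation rather than just a cosmetic setting, which is worth stating in the same comment. The enclosing method inside `impl Container` starts before and continues after this hunk.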
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -143,13 +143,10 @@ impl Container {
         // create container
         let r = agent::CreateContainerRequest {
             process_id: agent::ContainerProcessID::new(&config.container_id, ""),
-            string_user: None,
-            devices: vec![],
             storages,
             oci: Some(spec),
-            guest_hooks: None,
             sandbox_pidns,
-            rootfs_mounts: vec![],
+            ..Default::default()
         };
 
         self.agent

From 62f4603e814974798708938855dc272fb82892e5 Mon Sep 17 00:00:00 2001
From: Peng Tao
Date: Mon, 12 Dec 2022 09:51:21 +0000
Subject: [PATCH 3/4] runtime-rs: reset rdma cgroup

We don't support rdma cgroups yet. Let's make sure it is reset to empty.

Signed-off-by: Peng Tao
---
 .../runtimes/virt_container/src/container_manager/container.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
index e5851fbd5..b41c8c732 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -4,6 +4,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use std::collections::HashMap;
 use std::sync::Arc;
 
 use agent::Agent;
@@ -393,6 +394,7 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
         resource.block_io = None;
         resource.hugepage_limits = Vec::new();
         resource.network = None;
+        resource.rdma = HashMap::new();
     }
 
     // Host pidns path does not make sense in kata. Let's just align it with

From 79cf38e6ea83b91714e8a395f836fe9bd770b25d Mon Sep 17 00:00:00 2001
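Review bot: `..Default::default()` at the end of the `CreateContainerRequest` initializer means any field added to the request later is filled in silently at this call site instead of producing the compile error that would force someone to choose a value, which is a real trade-off for a message that crosses the host/guest boundary and carries isolation-relevant settings such as `sandbox_pidns`. The four removed lines also documented what this path deliberately leaves empty; I would keep that in a comment above `..Default::default()`, e.g. `// string_user, devices, guest_hooks and rootfs_mounts are intentionally left at their defaults.` The change is behaviour-preserving only if the `Default` impl yields the same `None`/empty values that were spelled out before; that impl is not visible in this diff, so please confirm it is a plain derive. The enclosing method starts before and continues after this hunk.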
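Review bot: `resource.rdma = HashMap::new();` extends a block that now blanks four cgroup settings with no comment stating the invariant, so a reader has to dig through commit history to learn why a guest-bound spec loses these limits. Suggest a comment above `resource.block_io = None;`, hedged to what is actually known: `// Not supported by the guest agent yet (rdma per #5881-era runtime-rs; presumably the same for the others): reset so the spec sent to the guest never carries them.` Stylistically, `resource.rdma.clear();` does the same job without pulling `std::collections::HashMap` into the module for a single use, since the assignment already proves the field is a `HashMap`. The enclosing `if let` and `amend_spec` itself start and end outside this hunk.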
From: Peng Tao
Date: Mon, 12 Dec 2022 11:07:14 +0000
Subject: [PATCH 4/4] runtime-rs: clear OCI spec namespace path

None of the host namespace paths make sense in the guest. Let's clear them all before sending the spec to the agent.

Signed-off-by: Peng Tao
---
 .../virt_container/src/container_manager/container.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
index b41c8c732..764eba08c 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -403,7 +403,10 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
     for n in linux.namespaces.iter() {
         match n.r#type.as_str() {
             oci::PIDNAMESPACE | oci::NETWORKNAMESPACE => continue,
-            _ => ns.push(n.clone()),
+            _ => ns.push(oci::LinuxNamespace {
+                r#type: n.r#type.clone(),
+                path: "".to_string(),
+            }),
         }
     }