Merge pull request #11323 from cweld510:cweld/skip-spec-validation-un…
…safe

PiperOrigin-RevId: 710762980
gvisor-bot committed Dec 30, 2024
2 parents 6c5bc5e + 17b2c1b commit 0a28828
Showing 3 changed files with 11 additions and 4 deletions.
10 changes: 6 additions & 4 deletions runsc/boot/restore.go
@@ -132,7 +132,7 @@ func (r *restorer) restoreContainerInfo(l *Loader, info *containerInfo) error {

if len(r.containers) == r.totalContainers {
// Trigger the restore if this is the last container.
return r.restore(l)
return r.restore(l, info.conf.UnsafeSkipRestoreSpecValidation)
}
return nil
}
@@ -544,7 +544,7 @@ func validateSpecs(oldSpecs, newSpecs map[string]*specs.Spec) error {
return nil
}

func (r *restorer) restore(l *Loader) error {
func (r *restorer) restore(l *Loader, unsafeSkipRestoreSpecValidation bool) error {
log.Infof("Starting to restore %d containers", len(r.containers))

// Create a new root network namespace with the network stack of the
@@ -650,8 +650,10 @@ func (r *restorer) restore(l *Loader) error {
if err != nil {
return fmt.Errorf("failed to pop container specs from checkpoint: %w", err)
}
if err := validateSpecs(oldSpecs, l.containerSpecs); err != nil {
return fmt.Errorf("failed to validate restore spec: %w", err)
if !unsafeSkipRestoreSpecValidation {
if err := validateSpecs(oldSpecs, l.containerSpecs); err != nil {
return fmt.Errorf("failed to validate restore spec: %w", err)
}
}

// Since we have a new kernel we also must make a new watchdog.
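Review bot: When `unsafeSkipRestoreSpecValidation` is true, the last hunk of restore() bypasses `validateSpecs(oldSpecs, l.containerSpecs)` without logging anything, so a restore whose spec differs from the checkpointed one leaves no trace in the sandbox log. An `else` branch such as `log.Warningf("Skipping restore spec validation: unsafe-skip-restore-spec-validation is set")` would make the weakened check visible to operators and to detection tooling. Separately, in restoreContainerInfo the value is read from `info.conf` of whichever container completes the set, so if per-container configs can differ the decision for every container depends on registration order. It is worth confirming they cannot differ, or reading the flag from a sandbox-wide config instead. Both function bodies continue outside the hunks shown.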
4 changes: 4 additions & 0 deletions runsc/config/config.go
@@ -384,6 +384,10 @@ type Config struct {

// TestOnlySaveRestoreNetstack indicates netstack should be saved and restored.
TestOnlySaveRestoreNetstack bool `flag:"TESTONLY-save-restore-netstack"`

// UnsafeSkipRestoreSpecValidation optionally skips validation of the container spec for restored
// containers.
UnsafeSkipRestoreSpecValidation bool `flag:"unsafe-skip-restore-spec-validation"`
}

func (c *Config) validate() error {
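Review bot: The doc comment on `UnsafeSkipRestoreSpecValidation` says validation is "optionally" skipped but not what the validation protects or why the flag carries the `Unsafe` prefix. Going by the restore.go change, the skipped check compares the specs popped from the checkpoint with the restore-time specs, so I would say that directly: `// UnsafeSkipRestoreSpecValidation skips the check that restore-time container specs match the specs saved in the checkpoint. Unsafe: a restored container may run under a spec that differs from the one it was checkpointed with.` The help string registered in runsc/config/flags.go has the same gap and could carry the same one-sentence caveat. It also begins with a capital "Enables", while the neighbouring flag descriptions start lowercase.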
1 change: 1 addition & 0 deletions runsc/config/flags.go
@@ -106,6 +106,7 @@ func RegisterFlags(flagSet *flag.FlagSet) {
flagSet.Bool("enable-core-tags", false, "enables core tagging. Requires host linux kernel >= 5.14.")
flagSet.String("pod-init-config", "", "path to configuration file with additional steps to take during pod creation.")
flagSet.Var(HostSettingsCheck.Ptr(), "host-settings", "how to handle non-optimal host kernel settings: check (default, advisory-only), ignore (do not check), adjust (best-effort auto-adjustment), or enforce (auto-adjustment must succeed).")
flagSet.Bool("unsafe-skip-restore-spec-validation", false, "Enables skipping validation of the restore-time container spec when restoring checkpoints.")

// Flags that control sandbox runtime behavior: MM related.
flagSet.Bool("app-huge-pages", true, "enable use of huge pages for application memory; requires /sys/kernel/mm/transparent_hugepage/shmem_enabled = advise")