Consolidate metadata configuration during S/R

fvoznika · gvisor-bot · commit f2e996521b51 · 2025-09-30T10:15:44.000-07:00
S/R requires certain metadata objects to be set to the state file. The code doing that was spreadout, duplicating some of the logic (spec) and missing metadata in others (container count). This change, moves the code to a single location that is called from the multiple places that trigger saving. Fixes #1956 PiperOrigin-RevId: 813319242
diff --git a/pkg/sentry/control/state.go b/pkg/sentry/control/state.go
@@ -87,72 +87,101 @@ type SaveOpts struct {
 	// after checkpointing.
 	Resume bool
 
-	// SaveRestoreExecArgv is the argv of the save/restore binary split by spaces.
+	// ExecOpts contains options for executing a binary during save/restore.
+	ExecOpts SaveRestoreExecOpts
+}
+
+// SaveRestoreExecOpts contains options for executing a binary
+// during save/restore.
+type SaveRestoreExecOpts struct {
+	// Argv is the argv of the save/restore binary split by spaces.
 	// The first element is the path to the binary.
-	SaveRestoreExecArgv string
+	Argv string
 
-	// SaveRestoreExecTimeout is the timeout for waiting for the save/restore
-	// binary.
-	SaveRestoreExecTimeout time.Duration
+	// Timeout is the timeout for waiting for the save/restore binary.
+	Timeout time.Duration
 
-	// SaveRestoreExecContainerID is the ID of the container that the
-	// save/restore binary executes in.
-	SaveRestoreExecContainerID string
+	// ContainerID is the ID of the container that the save/restore binary executes in.
+	ContainerID string
 }
 
-// Save saves the running system.
-func (s *State) Save(o *SaveOpts, _ *struct{}) error {
+// ConvertToStateSaveOpts converts a control.SaveOpts to a state.SaveOpts.
+// Returns a cleanup function that must be called after the SaveOpts is no longer
+// needed.
+func ConvertToStateSaveOpts(o *SaveOpts) (*state.SaveOpts, func(), error) {
 	wantFiles := 1
 	if o.HavePagesFile {
 		wantFiles += 2
 	}
 	if gotFiles := len(o.FilePayload.Files); gotFiles != wantFiles {
-		return fmt.Errorf("got %d files, wanted %d", gotFiles, wantFiles)
+		return nil, nil, fmt.Errorf("got %d files, wanted %d", gotFiles, wantFiles)
 	}
 
 	// Save to the first provided stream.
 	stateFile, err := o.ReleaseFD(0)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}
-	defer stateFile.Close()
-	saveOpts := state.SaveOpts{
-		Destination:        stateFile,
+	cu := cleanup.Make(func() { stateFile.Close() })
+	defer cu.Clean()
+
+	saveOpts := &state.SaveOpts{
+		Destination:        o.FilePayload.Files[0],
 		Key:                o.Key,
 		Metadata:           o.Metadata,
 		MemoryFileSaveOpts: o.MemoryFileSaveOpts,
 		Resume:             o.Resume,
 	}
+
 	if o.HavePagesFile {
 		saveOpts.PagesMetadata, err = o.ReleaseFD(1)
 		if err != nil {
-			return err
+			return nil, nil, err
 		}
-		defer saveOpts.PagesMetadata.Close()
+		cu.Add(func() { saveOpts.PagesMetadata.Close() })
 
 		saveOpts.PagesFile, err = o.ReleaseFD(2)
 		if err != nil {
-			return err
+			return nil, nil, err
 		}
-		defer saveOpts.PagesFile.Close()
+		cu.Add(func() { saveOpts.PagesFile.Close() })
 	}
-	if err := PreSave(s.Kernel, o); err != nil {
+
+	return saveOpts, cu.Release(), nil
+}
+
+// Save saves the running system.
+func (s *State) Save(o *SaveOpts, _ *struct{}) error {
+	saveOpts, cleanup, err := ConvertToStateSaveOpts(o)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	return s.SaveWithOpts(saveOpts, &o.ExecOpts)
+}
+
+// SaveWithOpts saves the running system with the given options.
+func (s *State) SaveWithOpts(saveOpts *state.SaveOpts, execOpts *SaveRestoreExecOpts) error {
+	if err := preSave(s.Kernel, saveOpts, execOpts); err != nil {
 		return err
 	}
 	if err := saveOpts.Save(s.Kernel.SupervisorContext(), s.Kernel, s.Watchdog); err != nil {
 		return err
 	}
-	if o.Resume {
-		err = PostResume(s.Kernel, nil)
+	if saveOpts.Resume {
+		if err := PostResume(s.Kernel, nil); err != nil {
+			return err
+		}
 	}
-	return err
+	return nil
 }
 
-// PreSave is called before saving the kernel.
-func PreSave(k *kernel.Kernel, o *SaveOpts) error {
-	if o.SaveRestoreExecArgv != "" {
-		saveRestoreExecArgv := strings.Split(o.SaveRestoreExecArgv, " ")
-		if err := ConfigureSaveRestoreExec(k, saveRestoreExecArgv, o.SaveRestoreExecTimeout, o.SaveRestoreExecContainerID); err != nil {
+// preSave is called before saving the kernel.
+func preSave(k *kernel.Kernel, o *state.SaveOpts, execOpts *SaveRestoreExecOpts) error {
+	if execOpts.Argv != "" {
+		argv := strings.Split(execOpts.Argv, " ")
+		if err := ConfigureSaveRestoreExec(k, argv, execOpts.Timeout, execOpts.ContainerID); err != nil {
 			return fmt.Errorf("failed to configure save/restore binary: %w", err)
 		}
 		if err := SaveRestoreExec(k, SaveRestoreExecSave); err != nil {
diff --git a/pkg/sentry/control/state_impl.go b/pkg/sentry/control/state_impl.go
@@ -19,10 +19,11 @@ package control
 
 import (
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
+	"gvisor.dev/gvisor/pkg/sentry/state"
 	"gvisor.dev/gvisor/pkg/timing"
 )
 
-func preSaveImpl(k *kernel.Kernel, o *SaveOpts) error {
+func preSaveImpl(k *kernel.Kernel, o *state.SaveOpts) error {
 	return nil
 }
 
diff --git a/runsc/boot/autosave.go b/runsc/boot/autosave.go
@@ -21,12 +21,11 @@ import (
 	"gvisor.dev/gvisor/pkg/fd"
 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/sentry/arch"
+	"gvisor.dev/gvisor/pkg/sentry/control"
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/state"
 	"gvisor.dev/gvisor/pkg/sentry/strace"
 	"gvisor.dev/gvisor/pkg/sync"
-	"gvisor.dev/gvisor/runsc/specutils"
-	"gvisor.dev/gvisor/runsc/version"
 )
 
 func getTargetForSaveResume(l *Loader) func(k *kernel.Kernel) {
@@ -39,14 +38,8 @@ func getTargetForSaveResume(l *Loader) func(k *kernel.Kernel) {
 			Autosave:    true,
 			Resume:      true,
 			Destination: &buf,
-			Metadata:    map[string]string{VersionKey: version.Version()},
 		}
-		specsStr, err := specutils.ConvertSpecsToString(l.GetContainerSpecs())
-		if err != nil {
-			panic(fmt.Sprintf("error to get container specs from metadata, %v", err))
-		}
-		saveOpts.Metadata[ContainerSpecsKey] = specsStr
-		saveOpts.Save(k.SupervisorContext(), k, l.watchdog)
+		l.saveWithOpts(&saveOpts, &control.SaveRestoreExecOpts{})
 	}
 }
 
@@ -62,18 +55,12 @@ func getTargetForSaveRestore(l *Loader, files []*fd.FD) func(k *kernel.Kernel) {
 				Autosave:    true,
 				Resume:      false,
 				Destination: files[0],
-				Metadata:    map[string]string{VersionKey: version.Version()},
 			}
 			if len(files) == 3 {
 				saveOpts.PagesMetadata = files[1]
 				saveOpts.PagesFile = files[2]
 			}
-			specsStr, err := specutils.ConvertSpecsToString(l.GetContainerSpecs())
-			if err != nil {
-				panic(fmt.Sprintf("error to get container specs from metadata, %v", err))
-			}
-			saveOpts.Metadata[ContainerSpecsKey] = specsStr
-			saveOpts.Save(k.SupervisorContext(), k, l.watchdog)
+			l.saveWithOpts(&saveOpts, &control.SaveRestoreExecOpts{})
 		})
 	}
 }
diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go
@@ -610,23 +610,16 @@ func (cm *containerManager) Restore(o *RestoreOpts, _ *struct{}) error {
 	cm.l.k.Pause()
 	timer.Reached("kernel paused")
 
-	var count int
 	countStr, ok := metadata[ContainerCountKey]
 	if !ok {
-		// TODO(gvisor.dev/issue/1956): Add container count with syscall save
-		// trigger. For now, assume that only a single container exists if metadata
-		// isn't present.
-		//
-		// -return errors.New("container count not present in state file")
-		count = 1
-	} else {
-		count, err = strconv.Atoi(countStr)
-		if err != nil {
-			return fmt.Errorf("invalid container count: %w", err)
-		}
-		if count < 1 {
-			return fmt.Errorf("invalid container count value: %v", count)
-		}
+		return errors.New("container count not present in state file")
+	}
+	count, err := strconv.Atoi(countStr)
+	if err != nil {
+		return fmt.Errorf("invalid container count: %w", err)
+	}
+	if count < 1 {
+		return fmt.Errorf("invalid container count value: %v", count)
 	}
 	cm.restorer.totalContainers = count
 	log.Infof("Restoring a total of %d containers", cm.restorer.totalContainers)
diff --git a/runsc/boot/restore.go b/runsc/boot/restore.go
@@ -36,6 +36,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/pgalloc"
 	"gvisor.dev/gvisor/pkg/sentry/socket/hostinet"
 	"gvisor.dev/gvisor/pkg/sentry/socket/netstack"
+	"gvisor.dev/gvisor/pkg/sentry/state"
 	"gvisor.dev/gvisor/pkg/sentry/time"
 	"gvisor.dev/gvisor/pkg/sentry/vfs"
 	"gvisor.dev/gvisor/pkg/sentry/watchdog"
@@ -409,6 +410,17 @@ func (r *restorer) restore(l *Loader) error {
 }
 
 func (l *Loader) save(o *control.SaveOpts) (err error) {
+	saveOpts, cleanup, err := control.ConvertToStateSaveOpts(o)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	return l.saveWithOpts(saveOpts, &o.ExecOpts)
+}
+
+// saveWithOpts saves the kernel with the given options.
+func (l *Loader) saveWithOpts(saveOpts *state.SaveOpts, execOpts *control.SaveRestoreExecOpts) (err error) {
 	defer func() {
 		// This closure is required to capture the final value of err.
 		l.k.OnCheckpointAttempt(err)
@@ -419,27 +431,24 @@ func (l *Loader) save(o *control.SaveOpts) (err error) {
 		return errors.New("checkpoint not supported when using hostinet")
 	}
 
-	if o.Metadata == nil {
-		o.Metadata = make(map[string]string)
+	if saveOpts.Metadata == nil {
+		saveOpts.Metadata = make(map[string]string)
 	}
-	o.Metadata[ContainerCountKey] = strconv.Itoa(l.containerCount())
+	saveOpts.Metadata[ContainerCountKey] = strconv.Itoa(l.containerCount())
 
 	// Save runsc version.
-	o.Metadata[VersionKey] = version.Version()
+	saveOpts.Metadata[VersionKey] = version.Version()
 
 	// Save container specs.
 	specsStr, err := specutils.ConvertSpecsToString(l.GetContainerSpecs())
 	if err != nil {
 		return err
 	}
-	o.Metadata[ContainerSpecsKey] = specsStr
+	saveOpts.Metadata[ContainerSpecsKey] = specsStr
 
 	state := control.State{
 		Kernel:   l.k,
 		Watchdog: l.watchdog,
 	}
-	if err := state.Save(o, nil); err != nil {
-		return err
-	}
-	return nil
+	return state.SaveWithOpts(saveOpts, execOpts)
 }
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
@@ -1516,11 +1516,13 @@ func (s *Sandbox) Checkpoint(cid string, imagePath string, opts CheckpointOpts)
 		FilePayload: urpc.FilePayload{
 			Files: files,
 		},
-		HavePagesFile:              len(files) > 1,
-		Resume:                     opts.Resume,
-		SaveRestoreExecArgv:        opts.SaveRestoreExecArgv,
-		SaveRestoreExecTimeout:     opts.SaveRestoreExecTimeout,
-		SaveRestoreExecContainerID: opts.SaveRestoreExecContainerID,
+		HavePagesFile: len(files) > 1,
+		Resume:        opts.Resume,
+		ExecOpts: control.SaveRestoreExecOpts{
+			Argv:        opts.SaveRestoreExecArgv,
+			Timeout:     opts.SaveRestoreExecTimeout,
+			ContainerID: opts.SaveRestoreExecContainerID,
+		},
 	}
 
 	if err := s.call(boot.ContMgrCheckpoint, &opt, nil); err != nil {

Original file line number	Diff line number	Diff line change
`@@ -19,10 +19,11 @@ package control`
`19`	`19`
`20`	`20`	`import (`
`21`	`21`	`"gvisor.dev/gvisor/pkg/sentry/kernel"`
	`22`	`+ "gvisor.dev/gvisor/pkg/sentry/state"`
`22`	`23`	`"gvisor.dev/gvisor/pkg/timing"`
`23`	`24`	`)`
`24`	`25`
`25`		`-func preSaveImpl(k kernel.Kernel, o SaveOpts) error {`
	`26`	`+func preSaveImpl(k kernel.Kernel, o state.SaveOpts) error {`
`26`	`27`	`return nil`
`27`	`28`	`}`
`28`	`29`