authorFabricio Voznika <fvoznika@google.com>2018-10-01 10:29:45 -0700
committerShentubot <shentubot@google.com>2018-10-01 10:31:17 -0700
commita2ad8fef136b31989bfcd2f40003f6113aebaf1d (patch)
tree687966350701e0dc96440699cd32c79266e6bb75
parent43e6aff50e23763d12c71b054f100fd91da46736 (diff)
Make multi-container the default mode for runsc
And remove multicontainer option. PiperOrigin-RevId: 215236981 Change-Id: I9fd1d963d987e421e63d5817f91a25c819ced6cb
-rw-r--r--runsc/boot/config.go5
-rw-r--r--runsc/boot/fs.go16
-rw-r--r--runsc/boot/loader.go2
-rw-r--r--runsc/container/container.go4
-rw-r--r--runsc/main.go2
-rw-r--r--runsc/sandbox/network.go29
-rw-r--r--runsc/test/testutil/testutil.go13
7 files changed, 16 insertions, 55 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go
index 01da535af..cd977c8a5 100644
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@@ -193,10 +193,6 @@ type Config struct {
// disabled. Pardon the double negation, but default to enabled is important.
DisableSeccomp bool
- // MultiContainer enables multiple containers support inside one sandbox.
- // TODO: Remove this when multiple container is fully supported.
- MultiContainer bool
-
// SpecFile is the file containing the OCI spec.
SpecFile string
@@ -224,7 +220,6 @@ func (c *Config) ToFlags() []string {
"--debug-log-dir=" + c.DebugLogDir,
"--file-access=" + c.FileAccess.String(),
"--overlay=" + strconv.FormatBool(c.Overlay),
- "--multi-container=" + strconv.FormatBool(c.MultiContainer),
"--network=" + c.Network.String(),
"--log-packets=" + strconv.FormatBool(c.LogPackets),
"--platform=" + c.Platform.String(),
diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go
index 9e8fea7e1..42e011beb 100644
--- a/runsc/boot/fs.go
+++ b/runsc/boot/fs.go
@@ -85,14 +85,14 @@ func (f *fdDispenser) empty() bool {
// and all mounts. 'rootCtx' is used to walk directories to find mount points.
func createMountNamespace(userCtx context.Context, rootCtx context.Context, spec *specs.Spec, conf *Config, goferFDs []int) (*fs.MountNamespace, error) {
mounts := compileMounts(spec)
- if conf.MultiContainer {
- // Create a tmpfs mount where we create and mount a root filesystem for
- // each child container.
- mounts = append(mounts, specs.Mount{
- Type: tmpfs,
- Destination: ChildContainersDir,
- })
- }
+
+ // Create a tmpfs mount where we create and mount a root filesystem for
+ // each child container.
+ mounts = append(mounts, specs.Mount{
+ Type: tmpfs,
+ Destination: ChildContainersDir,
+ })
+
fds := &fdDispenser{fds: goferFDs}
rootInode, err := createRootMount(rootCtx, spec, conf, fds, mounts)
if err != nil {
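Review bot: The tmpfs at `ChildContainersDir` is now appended for every sandbox without checking whether `compileMounts(spec)` already produced a mount at the same destination, so a user spec that mounts there would silently overlap the internal one; a short guard before the append, `for _, m := range mounts { if m.Destination == ChildContainersDir { return nil, fmt.Errorf("mount destination %q is reserved", ChildContainersDir) } }`, makes the reservation explicit (only if fmt is already imported in fs.go — it is not visible in the hunk). Because the mount is no longer gated by a config option, the comment should also say so, e.g. `// Always created, even for single-container sandboxes, since multi-container mode is now the only mode.` Whether the root container can observe child roots under this directory cannot be told from the hunk; if it can, that is worth a sentence here too. createMountNamespace continues past the hunk.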
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 1e2a12280..9fa9b51a0 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -579,8 +579,6 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
return tgid, nil
}
-// TODO: Per-container namespaces must be supported for -pid.
-
// waitContainer waits for the root process of a container to exit.
func (l *Loader) waitContainer(cid string, waitStatus *uint32) error {
// Don't defer unlock, as doing so would make it impossible for
diff --git a/runsc/container/container.go b/runsc/container/container.go
index b39d6bf12..be833c03d 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -267,7 +267,7 @@ func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSo
// started in an existing sandbox, we must do so. The metadata will
// indicate the ID of the sandbox, which is the same as the ID of the
// init container in the sandbox.
- if specutils.ShouldCreateSandbox(spec) || !conf.MultiContainer {
+ if specutils.ShouldCreateSandbox(spec) {
log.Debugf("Creating new sandbox for container %q", id)
ioFiles, err := c.createGoferProcess(spec, conf, bundleDir)
if err != nil {
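Review bot: With the `!conf.MultiContainer` fallback gone, `specutils.ShouldCreateSandbox(spec)` is the only thing deciding whether Create builds a new sandbox or tries to join an existing one, so a spec without a container-type annotation now depends entirely on that helper's default, which the hunk does not show. The comment above the `if` still describes the join case only; adding `// Multi-container is always on: the spec's container-type annotation alone decides between a new sandbox and joining one.` records the new contract at the decision point. The same applies to the `Start` hunk below (`if specutils.ShouldCreateSandbox(c.Spec)`). Both enclosing functions continue outside their hunks.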
@@ -345,7 +345,7 @@ func (c *Container) Start(conf *boot.Config) error {
}
}
- if specutils.ShouldCreateSandbox(c.Spec) || !conf.MultiContainer {
+ if specutils.ShouldCreateSandbox(c.Spec) {
if err := c.Sandbox.StartRoot(c.Spec, conf); err != nil {
return err
}
diff --git a/runsc/main.go b/runsc/main.go
index 624db5f40..2a18c4b9e 100644
--- a/runsc/main.go
+++ b/runsc/main.go
@@ -60,7 +60,6 @@ var (
network = flag.String("network", "sandbox", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
fileAccess = flag.String("file-access", "exclusive", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
overlay = flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
- multiContainer = flag.Bool("multi-container", false, "enable *experimental* multi-container support.")
watchdogAction = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
panicSignal = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
)
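Review bot: Deleting the `multi-container` flag outright means any existing runsc invocation or runtime configuration that still passes `--multi-container` will fail at flag parsing instead of being accepted, since the Go flag package rejects unknown flags. If that compatibility matters for one release, keeping a no-op definition such as `_ = flag.Bool("multi-container", true, "deprecated and ignored; multi-container support is always enabled")` lets old callers keep working while the `Config` field and `ToFlags` entry removed in config.go stay gone. The second hunk in this file only drops the field assignment and needs no change.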
@@ -140,7 +139,6 @@ func main() {
Platform: platformType,
Strace: *strace,
StraceLogSize: *straceLogSize,
- MultiContainer: *multiContainer,
WatchdogAction: wa,
PanicSignal: *panicSignal,
}
diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go
index 60cbbfcdb..86a52c6ae 100644
--- a/runsc/sandbox/network.go
+++ b/runsc/sandbox/network.go
@@ -57,35 +57,6 @@ const (
func setupNetwork(conn *urpc.Client, pid int, spec *specs.Spec, conf *boot.Config) error {
log.Infof("Setting up network")
- if !conf.MultiContainer {
- // HACK!
- //
- // When kubernetes starts a pod, it first creates a sandbox with an
- // application that just pauses forever. Later, when a container is
- // added to the pod, kubernetes will create another sandbox with a
- // config that corresponds to the containerized application, and add it
- // to the same namespaces as the pause sandbox.
- //
- // Running a second sandbox currently breaks because the two sandboxes
- // have the same network namespace and configuration, and try to create
- // a tap device on the same host device which fails.
- //
- // Runsc will eventually need to detect that this container is meant to
- // be run in the same sandbox as the pausing application, and somehow
- // make that happen.
- //
- // For now the following HACK disables networking for the "pause"
- // sandbox, allowing the second sandbox to start up successfully.
- //
- // TODO: Remove this once multiple containers per sandbox
- // is properly supported.
- if spec.Annotations[crioContainerTypeAnnotation] == "sandbox" ||
- spec.Annotations[containerdContainerTypeAnnotation] == "sandbox" {
- log.Warningf("HACK: Disabling network")
- conf.Network = boot.NetworkNone
- }
- }
-
switch conf.Network {
case boot.NetworkNone:
log.Infof("Network is disabled, create loopback interface only")
diff --git a/runsc/test/testutil/testutil.go b/runsc/test/testutil/testutil.go
index 706db74a7..07d66e469 100644
--- a/runsc/test/testutil/testutil.go
+++ b/runsc/test/testutil/testutil.go
@@ -104,13 +104,12 @@ func FindFile(path string) (string, error) {
// TestConfig return the default configuration to use in tests.
func TestConfig() *boot.Config {
return &boot.Config{
- Debug: true,
- LogFormat: "text",
- LogPackets: true,
- Network: boot.NetworkNone,
- Strace: true,
- MultiContainer: true,
- FileAccess: boot.FileAccessExclusive,
+ Debug: true,
+ LogFormat: "text",
+ LogPackets: true,
+ Network: boot.NetworkNone,
+ Strace: true,
+ FileAccess: boot.FileAccessExclusive,
TestOnlyAllowRunAsCurrentUserWithoutChroot: true,
}
}