Merge pull request #2591 from pomahade/main

pomahade · web-flow · commit 73678370190e · 2026-02-03T10:13:26.000-08:00
VSMB fix bugcheck by keeping handle open to empty default share
diff --git a/cmd/containerd-shim-runhcs-v1/pod.go b/cmd/containerd-shim-runhcs-v1/pod.go
@@ -187,6 +187,7 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 			}
 		case *uvm.OptionsWCOW:
 			wopts := (opts).(*uvm.OptionsWCOW)
+			wopts.BundleDirectory = req.Bundle
 			err = initializeWCOWBootFiles(ctx, wopts, req.Rootfs, s)
 			if err != nil {
 				return nil, err
diff --git a/cmd/gcs-sidecar/main.go b/cmd/gcs-sidecar/main.go
@@ -26,6 +26,8 @@ import (
 	sidecar "github.com/Microsoft/hcsshim/internal/gcs-sidecar"
 )
 
+var vsmbKeepAliveHandle windows.Handle
+
 var (
 	defaultLogFile  = "C:\\gcs-sidecar-logs.log"
 	defaultLogLevel = "trace"
@@ -182,8 +184,13 @@ func main() {
 		}
 	}
 
-	logrus.Println("Initializing VSMB redirector..")
-	sidecar.VsmbMain()
+	logrus.Println("Initializing VSMB redirector!!!")
+	var vsmbError error
+	vsmbKeepAliveHandle, vsmbError = sidecar.VsmbMain()
+	// For now just log the error again instead of failing.
+	if (vsmbError != nil) || (vsmbKeepAliveHandle == windows.InvalidHandle) {
+		logrus.WithError(vsmbError).Errorf("VSMB redirector initialization failed.")
+	}
 
 	// 1. Start external server to connect with inbox GCS
 	listener, err := winio.ListenHvsock(&winio.HvsockAddr{
diff --git a/internal/gcs-sidecar/vsmb.go b/internal/gcs-sidecar/vsmb.go
@@ -27,6 +27,9 @@ const (
 	LmrInstanceFlagAllowGuestAuth         = 0x8
 	LmrInstanceFlagSupportsDirectmappedIo = 0x10
 	SmbCeTransportTypeVmbus               = 3
+
+	FileReadAttributes      = 0x00000080
+	FileFlagBackupSemantics = 0x02000000
 )
 
 type IOStatusBlock struct {
@@ -166,13 +169,13 @@ func isLanmanWorkstationRunning() (bool, error) {
 	return status.State == svc.Running, nil
 }
 
-func VsmbMain() {
+func VsmbMain() (windows.Handle, error) {
 	logrus.Info("Starting VSMB initialization...")
 
 	logrus.Debug("Configuring LanmanWorkstation service...")
 	if err := configureAndStartLanmanWorkstation(); err != nil {
 		logrus.Errorf("LanmanWorkstation setup failed: %v", err)
-		return
+		return windows.InvalidHandle, err
 	}
 
 	time.Sleep(3 * time.Second) // TODO: This needs to be better logic.
@@ -187,13 +190,13 @@ func VsmbMain() {
 
 	if err := winio.EnableProcessPrivileges([]string{SeLoadDriverName}); err != nil {
 		logrus.Errorf("Failed to enable privilege: %v", err)
-		return
+		return windows.InvalidHandle, err
 	}
 	// Open LanmanRedirector
 	namePtr, nerr := windows.UTF16PtrFromString(GlobalRdrDeviceName)
 	if nerr != nil {
 		logrus.WithError(nerr).Errorf("invalid device name %q", GlobalRdrDeviceName)
-		return
+		return windows.InvalidHandle, nerr
 	}
 
 	lmrHandle, err := windows.CreateFile(
@@ -207,7 +210,7 @@ func VsmbMain() {
 	)
 	if err != nil {
 		logrus.WithError(err).Error("Failed to open redirector")
-		return
+		return windows.InvalidHandle, err
 	}
 	defer func() {
 		if derr := windows.CloseHandle(lmrHandle); derr != nil {
@@ -221,7 +224,7 @@ func VsmbMain() {
 	instanceNameUTF16, nerr := windows.UTF16FromString(GlobalVsmbInstanceName)
 	if nerr != nil {
 		logrus.WithError(nerr).Errorf("invalid instance name %q", GlobalVsmbInstanceName)
-		return
+		return windows.InvalidHandle, nerr
 	}
 	structSize := int(unsafe.Sizeof(LMRStartInstanceRequest{}))
 	bufferSize := structSize + (len(instanceNameUTF16)-1)*2
@@ -276,7 +279,7 @@ func VsmbMain() {
 	namePtr, nerr = windows.UTF16PtrFromString(GlobalVsmbDeviceName)
 	if nerr != nil {
 		logrus.WithError(nerr).Errorf("invalid device name %q", GlobalVsmbDeviceName)
-		return
+		return windows.InvalidHandle, nerr
 	}
 	vmsmbHandle, err := windows.CreateFile(
 		namePtr,
@@ -286,7 +289,7 @@ func VsmbMain() {
 	)
 	if err != nil {
 		logrus.Errorf("Failed to open VMSMB device: %v", err)
-		return
+		return windows.InvalidHandle, err
 	}
 	defer func() {
 		if derr := windows.CloseHandle(vmsmbHandle); derr != nil {
@@ -297,7 +300,7 @@ func VsmbMain() {
 	transportNameUTF16, nerr := windows.UTF16FromString(GlobalVsmbTransportName)
 	if nerr != nil {
 		logrus.WithError(nerr).Errorf("invalid instance name %q", GlobalVsmbTransportName)
-		return
+		return windows.InvalidHandle, nerr
 	}
 
 	bindStructSize := int(unsafe.Sizeof(LMRBindUnbindTransportRequest{}))
@@ -329,4 +332,31 @@ func VsmbMain() {
 	} else {
 		logrus.Errorf("NtFsControlFile failed: 0x%08X", status)
 	}
+
+	const (
+		device = `\\?\GLOBALROOT\Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\defaultEmptyShare`
+	)
+
+	devicePtr, nerr := windows.UTF16PtrFromString(device)
+	if nerr != nil {
+		logrus.WithError(nerr).Errorf("invalid device name %q", device)
+		return windows.InvalidHandle, nerr
+	}
+	vsmbHandle, err := windows.CreateFile(
+		devicePtr,
+		FileReadAttributes,
+		windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE|windows.FILE_SHARE_DELETE,
+		nil,
+		windows.OPEN_EXISTING,
+		FileFlagBackupSemantics,
+		0,
+	)
+
+	if err != nil {
+		logrus.WithError(err).Errorf("Failed to open %s", device)
+		return windows.InvalidHandle, err
+	}
+
+	logrus.Infof("VSMB connection will be alive...")
+	return vsmbHandle, nil
 }
diff --git a/internal/uvm/create.go b/internal/uvm/create.go
@@ -137,6 +137,7 @@ type ConfidentialCommonOptions struct {
 	SecurityPolicyEnabled  bool   // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length
 	SecurityPolicyEnforcer string // Set which security policy enforcer to use (open door or rego). This allows for better fallback mechanic.
 	UVMReferenceInfoFile   string // Path to the file that contains the signed UVM measurements
+	BundleDirectory        string // This allows paths to be constructed relative to a per-VM bundle directory.
 }
 
 func verifyWCOWBootFiles(bootFiles *WCOWBootFiles) error {
diff --git a/internal/uvm/create_lcow.go b/internal/uvm/create_lcow.go
@@ -92,7 +92,6 @@ const (
 type ConfidentialLCOWOptions struct {
 	*ConfidentialCommonOptions
 	UseGuestStateFile  bool   // Use a vmgs file that contains a kernel and initrd, required for SNP
-	BundleDirectory    string // pod bundle directory
 	DmVerityRootFsVhd  string // The VHD file (bound to the vmgs file via embedded dmverity hash data file) to load.
 	DmVerityMode       bool   // override to be able to turn off dmverity for debugging
 	DmVerityCreateArgs string // set dm-verity args when booting with verity in non-SNP mode
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
@@ -466,6 +466,30 @@ func prepareSecurityConfigDoc(ctx context.Context, uvm *UtilityVM, opts *Options
 		scsi.Slot{Controller: 0, LUN: 1},
 		scsi.Slot{Controller: 0, LUN: 2})
 
+	vsmbOpts := &hcsschema.VirtualSmbShareOptions{
+		ReadOnly:  true,
+		ShareRead: true,
+		NoOplocks: true,
+	}
+
+	// Construct a per-VM share directory relative to the bundle. The directory EmptyDoNotModify should be left empty.
+	sharePath := filepath.Join(opts.BundleDirectory, "EmptyDoNotModify")
+
+	// Ensure the directory exists.
+	if err := os.MkdirAll(sharePath, os.ModePerm); err != nil {
+		return nil, fmt.Errorf("failed to create VSMB default empty share directory %q: %w", sharePath, err)
+	}
+
+	if err := wclayer.GrantVmAccess(ctx, uvm.id, sharePath); err != nil {
+		return nil, errors.Wrap(err, "failed to grant vm access to VSMB default empty share directory")
+	}
+
+	doc.VirtualMachine.Devices.VirtualSmb.Shares = []hcsschema.VirtualSmbShare{{
+		Name:    "defaultEmptyShare",
+		Path:    sharePath,
+		Options: vsmbOpts,
+	}}
+
 	return doc, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -187,6 +187,7 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques`
`187`	`187`	`}`
`188`	`188`	`case *uvm.OptionsWCOW:`
`189`	`189`	`wopts := (opts).(*uvm.OptionsWCOW)`
	`190`	`+ wopts.BundleDirectory = req.Bundle`
`190`	`191`	`err = initializeWCOWBootFiles(ctx, wopts, req.Rootfs, s)`
`191`	`192`	`if err != nil {`
`192`	`193`	`return nil, err`
Original file line number	Diff line number	Diff line change
`@@ -137,6 +137,7 @@ type ConfidentialCommonOptions struct {`
`137`	`137`	`SecurityPolicyEnabled bool // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length`
`138`	`138`	`SecurityPolicyEnforcer string // Set which security policy enforcer to use (open door or rego). This allows for better fallback mechanic.`
`139`	`139`	`UVMReferenceInfoFile string // Path to the file that contains the signed UVM measurements`
	`140`	`+ BundleDirectory string // This allows paths to be constructed relative to a per-VM bundle directory.`
`140`	`141`	`}`
`141`	`142`
`142`	`143`	`func verifyWCOWBootFiles(bootFiles *WCOWBootFiles) error {`