CWCOW: Misc fixes (microsoft#2605)

MahatiC · web-flow · commit ac7a4ebe4230 · 2026-02-26T10:56:00.000-08:00
Signed-off-by: Mahati Chamarthy &lt;mahati.chamarthy@gmail.com&gt;
diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
@@ -104,11 +104,13 @@ func (b *Bridge) createContainer(req *request) (err error) {
 			log.G(ctx).Tracef("Container exists in the map.")
 			return err
 		}
-		defer func(err error) {
+		defer func() {
 			if err != nil {
-				b.hostState.RemoveContainer(ctx, containerID)
+				if removeErr := b.hostState.RemoveContainer(ctx, containerID); removeErr != nil {
+					log.G(ctx).WithError(removeErr).Errorf("Failed to remove container: %v", containerID)
+				}
 			}
-		}(err)
+		}()
 
 		if oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.WCOWSecurityPolicyEnv, true) {
 			if err := b.hostState.securityOptions.WriteSecurityContextDir(&spec); err != nil {
@@ -459,13 +461,11 @@ func (b *Bridge) deleteContainerState(req *request) (err error) {
 	if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil {
 		return fmt.Errorf("failed to unmarshal deleteContainerState: %w", err)
 	}
-	_, err = b.hostState.GetCreatedContainer(req.ctx, r.ContainerID)
+	err = b.hostState.RemoveContainer(req.ctx, r.ContainerID)
 	if err != nil {
 		log.G(req.ctx).Tracef("Container not found during deleteContainerState: %v", r.ContainerID)
 		return fmt.Errorf("container not found: %w", err)
 	}
-	// remove container state regardless of delete's success
-	defer b.hostState.RemoveContainer(req.ctx, r.ContainerID)
 
 	b.forwardRequestToGcs(req)
 	return nil
diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go
@@ -75,17 +75,18 @@ func (h *Host) AddContainer(ctx context.Context, id string, c *Container) error
 	return nil
 }
 
-func (h *Host) RemoveContainer(ctx context.Context, id string) {
+func (h *Host) RemoveContainer(ctx context.Context, id string) error {
 	h.containersMutex.Lock()
 	defer h.containersMutex.Unlock()
 
 	_, ok := h.containers[id]
 	if !ok {
 		log.G(ctx).Tracef("RemoveContainer: Container not found: ID: %v", id)
-		return
+		return gcserr.NewHresultError(gcserr.HrVmcomputeSystemNotFound)
 	}
 
 	delete(h.containers, id)
+	return nil
 }
 
 func (h *Host) GetCreatedContainer(ctx context.Context, id string) (*Container, error) {
diff --git a/pkg/securitypolicy/securitypolicy_options.go b/pkg/securitypolicy/securitypolicy_options.go
@@ -86,7 +86,7 @@ func (s *SecurityOptions) SetConfidentialOptions(ctx context.Context, enforcerTy
 	// The other point is on startup where we take a flag to set the default
 	// policy enforcer to use before a policy arrives. After that flag is set,
 	// we use the enforcer in question to set up logging as well.
-	if err = s.PolicyEnforcer.EnforceRuntimeLoggingPolicy(ctx); err == nil {
+	if err = p.EnforceRuntimeLoggingPolicy(ctx); err == nil {
 		logrus.SetOutput(s.logWriter)
 	} else {
 		logrus.SetOutput(io.Discard)

Original file line number	Diff line number	Diff line change
`@@ -75,17 +75,18 @@ func (h Host) AddContainer(ctx context.Context, id string, c Container) error`
`75`	`75`	`return nil`
`76`	`76`	`}`
`77`	`77`
`78`		`-func (h *Host) RemoveContainer(ctx context.Context, id string) {`
	`78`	`+func (h *Host) RemoveContainer(ctx context.Context, id string) error {`
`79`	`79`	`h.containersMutex.Lock()`
`80`	`80`	`defer h.containersMutex.Unlock()`
`81`	`81`
`82`	`82`	`_, ok := h.containers[id]`
`83`	`83`	`if !ok {`
`84`	`84`	`log.G(ctx).Tracef("RemoveContainer: Container not found: ID: %v", id)`
`85`		`- return`
	`85`	`+ return gcserr.NewHresultError(gcserr.HrVmcomputeSystemNotFound)`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`delete(h.containers, id)`
	`89`	`+ return nil`
`89`	`90`	`}`
`90`	`91`
`91`	`92`	`func (h Host) GetCreatedContainer(ctx context.Context, id string) (Container, error) {`