Trim LCOW GetProperties response (#2458)

helsaawy · web-flow · commit a53730ee83cf · 2025-06-13T17:41:27.000-04:00
* Trim LCOW `GetProperties` response

Zero out the Linux `GetProperties` `Blkio` field, since it scales with the
number of container layers attacked to the uVM.
Additionally empty the `Rdma` and `Network` fields, in case they can
also grow without bound.
None of the fields are used in any code paths in the AzCRI, or exposed
elsewhere.

Clarify comment about the maximum message size, to reflect that it
mirrors and HCS value and is not arbitrary.

Additionally, don't quit the receive loop if the message size is too
large, since that brings the bridge down with it.

Signed-off-by: Hamza El-Saawy &lt;hamzaelsaawy@microsoft.com&gt;

* PR: undo receive loop changes

Signed-off-by: Hamza El-Saawy &lt;hamzaelsaawy@microsoft.com&gt;

---------

Signed-off-by: Hamza El-Saawy &lt;hamzaelsaawy@microsoft.com&gt;
diff --git a/internal/gcs/bridge.go b/internal/gcs/bridge.go
@@ -32,6 +32,8 @@ const (
 	// maxMsgSize is the maximum size of an incoming message. This is not
 	// enforced by the guest today but some maximum must be set to avoid
 	// unbounded allocations.
+	//
+	// Matches HCS limitions on maximum (sent and received) message size.
 	maxMsgSize = 0x10000
 )
 
@@ -266,7 +268,7 @@ func readMessage(r io.Reader) (int64, msgType, []byte, error) {
 	var h [hdrSize]byte
 	_, err := io.ReadFull(r, h[:])
 	if err != nil {
-		return 0, 0, nil, err
+		return 0, 0, nil, fmt.Errorf("header read: %w", err)
 	}
 	typ := msgType(binary.LittleEndian.Uint32(h[hdrOffType:]))
 	n := binary.LittleEndian.Uint32(h[hdrOffSize:])
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
@@ -24,6 +24,7 @@ import (
 	didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver"
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
+	cgroup1stats "github.com/containerd/cgroups/v3/cgroup1/stats"
 	"github.com/mattn/go-shellwords"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
@@ -837,7 +838,16 @@ func (h *Host) GetProperties(ctx context.Context, containerID string, query prot
 			if err != nil {
 				return nil, err
 			}
+			// zero out [Blkio] sections, since:
+			//  1. (Az)CRI (currently) only looks at the CPU and memory sections; and
+			//  2. it can get very large for containers with many layers
+			cgroupMetrics.Blkio.Reset()
+			// also preemptively zero out [Rdma] and [Network], since they could also grow untenable large
+			cgroupMetrics.Rdma.Reset()
+			cgroupMetrics.Network = []*cgroup1stats.NetworkStat{}
 			properties.Metrics = cgroupMetrics
+		default:
+			log.G(ctx).WithField("propertyType", requestedProperty).Warn("unknown or empty property type")
 		}
 	}
 
