Swap to APIServer for all communications #628
Merged
+1,254
−568
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dcantah
force-pushed
the
move-to-api-server-for-everythang
branch
3 times, most recently
from
4838bcf to
e7e4dcb
Compare
dcantah
force-pushed
the
move-to-api-server-for-everythang
branch
3 times, most recently
from
1a56c99 to
6a497e6
Compare
wlan0
reviewed
Sep 18, 2025
wlan0
reviewed
Sep 18, 2025
wlan0
reviewed
Sep 18, 2025
jglogan
reviewed
Sep 18, 2025
dcantah
force-pushed
the
move-to-api-server-for-everythang
branch
from
6a497e6 to
5d5e622
Compare
jglogan
reviewed
Sep 18, 2025
jglogan
reviewed
Sep 18, 2025
jglogan
reviewed
Sep 18, 2025
jglogan
reviewed
Sep 18, 2025
jglogan
reviewed
Sep 18, 2025
Sources/Services/ContainerAPIService/Containers/ContainersService.swift
Outdated
Show resolved
Hide resolved
Sources/Services/ContainerAPIService/Containers/ContainersService.swift
Outdated
Show resolved
Hide resolved
jglogan
previously approved these changes
Sep 19, 2025
Sources/Services/ContainerAPIService/Containers/ContainersService.swift
Outdated
Show resolved
Hide resolved
Sources/Services/ContainerAPIService/Containers/ContainersService.swift
Outdated
Show resolved
Hide resolved
jglogan
requested changes
Sep 19, 2025
| return container | ||
| } | ||
|
|
||
| private func gracefulStopContainer(_ lc: LinuxContainer, stopOpts: ContainerStopOptions) async throws { |
There was a problem hiding this comment.
Note about code not modified in this PR:
private nonisolated func configureProcessConfig()This should be able to become:
private static func configureProcessConfig()Same for closeHandle().
There was a problem hiding this comment.
Another lowkey obsessive nit in the non-modified code above - move getDefaultNameserver out from between the configure...() funcs. All the private methods could probably stand to be reordered sensibly. In a swift file that's pushing 1200 lines it will help new developers.
dcantah
force-pushed
the
move-to-api-server-for-everythang
branch
2 times, most recently
from
560d05a to
07707d5
Compare
|
Converting to draft because there's a small cz change that I want in that will allow us to "fix" some behavior in stop() |
Today, we have a sort of odd model all things considered. We talk to the APIServer to do the initial container creation, which mostly all of the work is just registering the runtime helper with launchd. After this registration, almost all communication from a client is talking directly to that runtime helper. This has a couple rather annoying issues in that we now need a sort of event/notification channel that the helper will establish with the APIServer for errors/start/exited cases. If instead of talking to the runtime helper directly, we instead took a detour through the APIServer, the APIServer is clued into exactly what order of operations is occurring. This makes "did starting the container fail? Okay we should clean up" scenarios much simpler, and it also simplifies the clients quite a bit as they don't need this split brained client model, everyone just talks to the APIServer. This change is in pursuit of that. I have reworked our clients, the ContainerService and some of our XPC types to accomplish it. The biggest "contract" changes are in the SandboxService. The first is today we have on the flag when we register any runtime helper that makes any xpc messages wake up the registered process. This isn't great in scenarios where the process may have crashed, or it exited normally and we're just trying to invoke an RPC on it. Today the helper would spawn again and try and answer our request. It'd be much nicer if we have a connection object that will become invalid if the process that vended it to us is gone. To accomplish this, now the runtime helpers will listen on an anonymous xpc connection and vend endpoints from this via only one handler exposed by the SandboxService (createEndpoint). From that point onwards all communication will be through the endpoint the service vended a client. The second change is the runtime helper will not exit on its own when the container exits, and the event mechanism has been removed. Now the APIServer simply calls wait() to listen for container exit in the background, and once we get an exit we will explicitly tell the helper to shutdown. The rationale is if shutdown is driven by the APIServer now, we can be certain we received everything we need from the helpers before they power down.
dcantah
force-pushed
the
move-to-api-server-for-everythang
branch
from
07707d5 to
66fef47
Compare
jglogan
approved these changes
Sep 19, 2025
wlan0
approved these changes
Sep 20, 2025
dkovba
reviewed
Sep 20, 2025
| if let h { | ||
| request.set(key: key, value: h) | ||
| } | ||
| } |
There was a problem hiding this comment.
This code repeats 4 times. Consider extracting it into helper methods in XPCMessage:
static func stdioKey(for index: Int) throws -> XPCKeys {
switch index {
case 0: return .stdin
case 1: return .stdout
case 2: return .stderr
default:
throw ContainerizationError(.invalidArgument, message: "invalid fd \(index)")
}
}
static func setStdioHandles(on request: XPCMessage, stdio:
[FileHandle?]) throws {
for (index, handle) in stdio.enumerated() {
if let handle {
request.set(key: stdioKey(for: index), value: handle)
}
}
}
There was a problem hiding this comment.
John had commented the same, I'm going to do that (and some other cleanups) in a followup
7 tasks
jglogan
added a commit
that referenced
this pull request
Sep 23, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Today, we have a sort of odd model all things considered. We talk to the APIServer to do the initial container creation, which mostly all of the work is just registering the runtime helper with launchd. After this registration, almost all communication from a client is talking directly to that runtime helper. This has a couple rather annoying issues in that we now need a sort of event/notification channel that the helper will establish with the APIServer for errors/start/exited cases.
If instead of talking to the runtime helper directly, we instead took a detour through the APIServer, the APIServer is clued into exactly what order of operations is occurring. This makes "did starting the container fail? Okay we should clean up" scenarios much simpler, and it also simplifies the clients quite a bit as they don't need this split brained client model, everyone just talks to the APIServer. This change is in pursuit of that. I have reworked our clients, the ContainerService and some of our XPC types to accomplish it.
The biggest "contract" change is in the SandboxService. Today we have on the flag when we register any runtime helper that makes any xpc messages wake up the registered process. This isn't great in scenarios where the process have may crashed, or it exited normally and we're just trying to invoke an RPC on it. Today the helper would spawn again and try and answer our request. It'd be much nicer if we have a connection object that will become invalid if the process that vended it to us is gone. To accomplish this, now the runtime helpers will listen on an anonymous xpc connection and vend endpoints from this via only one handler exposed by the SandboxService (createEndpoint). From that point onwards all communication will be through the endpoint the service vended a client.