virtcontainers: always pass sandbox as a pointer

[bergwolf]

Currently we sometimes pass it as a pointer and other times not. As
a result, the view of sandbox across virtcontainers may not be the same
and it costs extra memory copy each time we pass it by value. Fix it
by ensuring sandbox is always passed by pointers.

Fixes: #262

Signed-off-by: Peng Tao bergwolf@gmail.com

[jodh-intel]

Don't we now need check on all these params now they are pointers?:

var errNeedSandbox = errors.New("Sandbox cannot be empty")

    :

func (p *ccProxy) start(sandbox *Sandbox, params proxyParams) (int, string, error) {
    if sandbox == nil {
        return -1, "", errNeedSandbox
    }

    :
}

[bergwolf]

These are all internal functions. I think we should trust internal callers because otherwise we do not trust ourselves. That said, even if we do not trust internal callers, the check should be added as a separate PR since it is an existing issue for places where sandbox is already passed as pointer.

[jodh-intel]

Call me paranoid, but I'd honestly take the opposite approach and not trust anything! 😄

imho we need to "fail fast" since if we start trusting ourselves, we get into horrible situations where func1 calls func2 calls funcN, and funcN explodes because func1 forgot to check if sandbox == nil. That makes debugging very difficult. This is not theoretical - we've been in that situation before in the very early days of vc which prompted me to raise PRs such as containers/virtcontainers#163.

We also have precedent for checking all parameters, for example:

• https://github.com/kata-containers/runtime/blob/master/virtcontainers/container.go#L480..L483

How about adding such checks on a new commit on this PR to ensure those checks get applied and the issue doesn't just get lost in the backlog?

[bergwolf]

@jodh-intel Do you want to check every parameter in every function? Since that's what not trust anything means to me. From my point of view, I think we should check all parameters in all of the virtcontainers APIs but that's all. We are already doing this and it ensures that we fail fast.

OTOH, if we do not trust ourselves and check parameter in every function, we waste CPU time and memory on checking the same thing over and over again. Please create an issue for it if you think that's really necessary. I don't mind having such a discussion but it does not need to block this PR since it's a different/existing issue.

[bergwolf]

A few examples of where *Sandbox is not checked before being dereferenced in master:

• https://github.com/kata-containers/runtime/blob/master/virtcontainers/kata_agent.go#L132
• https://github.com/kata-containers/runtime/blob/master/virtcontainers/kata_agent.go#L183
• https://github.com/kata-containers/runtime/blob/master/virtcontainers/shim.go#L175
• https://github.com/kata-containers/runtime/blob/master/virtcontainers/container.go#L404

There a more of them for sure. And if we want to take precaution in all these functions, it should also apply to other parameters as well, not just the sandbox pointers.

[bergwolf]

Jenkins failed on kata-containers/tests#264

[jcvenegas]

Please push again, now the test is skipped.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@8d897f4). Click here to learn what that means.
The diff coverage is 68.25%.

@@            Coverage Diff            @@
##             master     #263   +/-   ##
=========================================
  Coverage          ?   65.58%           
=========================================
  Files             ?       74           
  Lines             ?     7932           
  Branches          ?        0           
=========================================
  Hits              ?     5202           
  Misses            ?     2169           
  Partials          ?      561

Impacted Files	Coverage Δ
virtcontainers/agent.go	92.15% <ø> (ø)
virtcontainers/kata_builtin_proxy.go	0% <0%> (ø)
virtcontainers/kata_builtin_shim.go	0% <0%> (ø)
virtcontainers/kata_proxy.go	0% <0%> (ø)
virtcontainers/noop_proxy.go	100% <100%> (ø)
virtcontainers/mount.go	79.86% <100%> (ø)
virtcontainers/cni.go	61.84% <100%> (ø)
virtcontainers/proxy.go	97.18% <100%> (ø)
virtcontainers/kata_shim.go	70% <100%> (ø)
virtcontainers/filesystem.go	68.39% <100%> (ø)
... and 13 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8d897f4...5fb4768. Read the comment docs.

[bergwolf]

CI green. @sboeuf @egernst @jodh-intel @laijs PTAL.

[devimc]

lgtm

[bergwolf]

@jodh-intel can we merge this?

[sboeuf]

@bergwolf I know you need this PR to be merged in order to move forward with #252.
But we should definitely follow @jodh-intel comments and add some checks to the codebase. The introduction of pointers has to be backed up by some better testing of the sandbox pointers.

Also, I know, as you mentioned it, that we might not check it properly in functions where it is already a pointer, that's why I propose that you can open an issue tracking this as a global thing to address through the entire codebase, marking this as high priority.

In the meantime, I am okay to merge this one, but I'd like @egernst and @amshinde feedbacks on this.

BTW, you need to rebase it before we can merge it.

[egernst]

I am okay with discussing checks in a separate issue and follow in PR pending the discussion.

@bergwolf - can you rebase?

[bergwolf]

@jodh-intel @egernst @sboeuf PR rebased and #280 is created to follow up the sanity check discussion.

[grahamwhaley]

@egernst @sboeuf @bergwolf - this is GREEN now - if we are not wanting to merge right now, please put a DNM on it - or somebody is going to press that button....

[amshinde]

lgtm

[egernst]

Too late :)