feat(shim): implement containerd Task.Update for cgroup resize

a7i · a7i · commit 2da344c212f3 · 2026-03-25T17:56:01.000-04:00
Wire shim Task.Update to runsc update --resources (same contract as go-runc). Add proc and runsc tests for validation; add runsccmd Linux test for CLI stdin/argv. Closes #12790
diff --git a/pkg/shim/v1/proc/BUILD b/pkg/shim/v1/proc/BUILD
@@ -1,4 +1,4 @@
-load("//tools:defs.bzl", "go_library")
+load("//tools:defs.bzl", "go_library", "go_test")
 
 package(
     default_applicable_licenses = ["//:license"],
@@ -40,3 +40,10 @@ go_library(
         "@org_golang_x_sys//unix:go_default_library",
     ],
 )
+
+go_test(
+    name = "proc_test",
+    size = "small",
+    srcs = ["update_test.go"],
+    library = ":proc",
+)
diff --git a/pkg/shim/v1/proc/deleted_state.go b/pkg/shim/v1/proc/deleted_state.go
@@ -22,6 +22,7 @@ import (
 	"github.com/containerd/console"
 	"github.com/containerd/errdefs"
 	runc "github.com/containerd/go-runc"
+	google_protobuf "github.com/gogo/protobuf/types"
 	"gvisor.dev/gvisor/pkg/shim/v1/extension"
 )
 
@@ -57,3 +58,7 @@ func (s *deletedState) State(context.Context) (string, error) {
 func (s *deletedState) Stats(context.Context, string) (*runc.Stats, error) {
 	return nil, fmt.Errorf("cannot stat a stopped container/process")
 }
+
+func (*deletedState) Update(context.Context, *google_protobuf.Any) error {
+	return fmt.Errorf("cannot update a deleted container/process: %w", errdefs.ErrNotFound)
+}
diff --git a/pkg/shim/v1/proc/init.go b/pkg/shim/v1/proc/init.go
@@ -34,6 +34,7 @@ import (
 
 	"github.com/containerd/fifo"
 	runc "github.com/containerd/go-runc"
+	google_protobuf "github.com/gogo/protobuf/types"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 	"gvisor.dev/gvisor/pkg/shim/v1/extension"
@@ -452,6 +453,26 @@ func (p *Init) Stats(ctx context.Context, id string) (*runc.Stats, error) {
 	return p.initState.Stats(ctx, id)
 }
 
+// Update applies resource changes from a containerd task Update request (JSON
+// LinuxResources in the protobuf Any), matching containerd/pkg/process Init.Update.
+func (p *Init) Update(ctx context.Context, r *google_protobuf.Any) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	return p.initState.Update(ctx, r)
+}
+
+func (p *Init) update(ctx context.Context, r *google_protobuf.Any) error {
+	if r == nil {
+		return fmt.Errorf("resources are required: %w", errdefs.ErrInvalidArgument)
+	}
+	var resources specs.LinuxResources
+	if err := json.Unmarshal(r.Value, &resources); err != nil {
+		return fmt.Errorf("decoding resources: %w", err)
+	}
+	return p.runtime.Update(ctx, p.id, &resources)
+}
+
 func (p *Init) stats(ctx context.Context, id string) (*runc.Stats, error) {
 	return p.Runtime().Stats(ctx, id)
 }
diff --git a/pkg/shim/v1/proc/init_state.go b/pkg/shim/v1/proc/init_state.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/containerd/errdefs"
 	runc "github.com/containerd/go-runc"
+	google_protobuf "github.com/gogo/protobuf/types"
 	"golang.org/x/sys/unix"
 
 	"gvisor.dev/gvisor/pkg/shim/v1/extension"
@@ -57,6 +58,7 @@ type initState interface {
 	Stats(context.Context, string) (*runc.Stats, error)
 	Kill(context.Context, uint32, bool) error
 	SetExited(int)
+	Update(context.Context, *google_protobuf.Any) error
 }
 
 type createdState struct {
@@ -132,6 +134,10 @@ func (s *createdState) Stats(ctx context.Context, id string) (*runc.Stats, error
 	return s.p.stats(ctx, id)
 }
 
+func (s *createdState) Update(ctx context.Context, r *google_protobuf.Any) error {
+	return s.p.update(ctx, r)
+}
+
 type runningState struct {
 	p *Init
 }
@@ -182,6 +188,10 @@ func (s *runningState) Stats(ctx context.Context, id string) (*runc.Stats, error
 	return s.p.stats(ctx, id)
 }
 
+func (s *runningState) Update(ctx context.Context, r *google_protobuf.Any) error {
+	return s.p.update(ctx, r)
+}
+
 type stoppedState struct {
 	process *Init
 }
@@ -231,6 +241,10 @@ func (s *stoppedState) Stats(context.Context, string) (*runc.Stats, error) {
 	return nil, fmt.Errorf("cannot stat a stopped container")
 }
 
+func (s *stoppedState) Update(context.Context, *google_protobuf.Any) error {
+	return fmt.Errorf("cannot update a stopped container: %w", errdefs.ErrFailedPrecondition)
+}
+
 func handleStoppedKill(signal uint32) error {
 	switch unix.Signal(signal) {
 	case unix.SIGTERM, unix.SIGKILL:
diff --git a/pkg/shim/v1/proc/update_test.go b/pkg/shim/v1/proc/update_test.go
@@ -0,0 +1,60 @@
+// Copyright 2026 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"strings"
+	"testing"
+
+	"github.com/containerd/containerd/pkg/stdio"
+	"github.com/containerd/errdefs"
+	"github.com/gogo/protobuf/types"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"gvisor.dev/gvisor/pkg/shim/v1/runsccmd"
+)
+
+func TestInitUpdateNilAny(t *testing.T) {
+	p := New("id", &runsccmd.Runsc{}, stdio.Stdio{})
+	p.initState = &runningState{p: p}
+	err := p.Update(context.Background(), nil)
+	if !errors.Is(err, errdefs.ErrInvalidArgument) {
+		t.Fatalf("Update(nil): %v, want ErrInvalidArgument", err)
+	}
+}
+
+func TestInitUpdateInvalidJSON(t *testing.T) {
+	p := New("id", &runsccmd.Runsc{}, stdio.Stdio{})
+	p.initState = &runningState{p: p}
+	err := p.Update(context.Background(), &types.Any{Value: []byte(`{`)})
+	if err == nil || !strings.Contains(err.Error(), "decoding resources") {
+		t.Fatalf("Update(bad JSON): %v", err)
+	}
+}
+
+func TestInitUpdateStoppedState(t *testing.T) {
+	p := New("id", &runsccmd.Runsc{}, stdio.Stdio{})
+	p.initState = &stoppedState{process: p}
+	empty, err := json.Marshal(&specs.LinuxResources{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = p.Update(context.Background(), &types.Any{Value: empty})
+	if !errors.Is(err, errdefs.ErrFailedPrecondition) {
+		t.Fatalf("Update(stopped): %v, want ErrFailedPrecondition", err)
+	}
+}
diff --git a/pkg/shim/v1/runsc/container.go b/pkg/shim/v1/runsc/container.go
@@ -215,6 +215,22 @@ func (c *Container) CloseIO(ctx context.Context, r *task.CloseIORequest) error {
 	return nil
 }
 
+// Update applies cgroup resource limits for the init task (containerd Task.Update).
+func (c *Container) Update(ctx context.Context, r *task.UpdateTaskRequest) error {
+	if r.Resources == nil {
+		return fmt.Errorf("resources are required: %w", errdefs.ErrInvalidArgument)
+	}
+	p, err := c.Process("")
+	if err != nil {
+		return err
+	}
+	initp, ok := p.(*proc.Init)
+	if !ok {
+		return fmt.Errorf("update requires init process: %w", errdefs.ErrFailedPrecondition)
+	}
+	return initp.Update(ctx, r.Resources)
+}
+
 // Restore a process in the container.
 func (c *Container) Restore(ctx context.Context, r *extension.RestoreRequest) (extension.Process, error) {
 	p, err := c.Process(r.Start.ExecID)
diff --git a/pkg/shim/v1/runsc/service.go b/pkg/shim/v1/runsc/service.go
@@ -766,7 +766,14 @@ func (s *runscService) getV2Stats(stats *runc.Stats, r *taskAPI.StatsRequest) (*
 
 // Update updates a running container.
 func (s *runscService) Update(ctx context.Context, r *taskAPI.UpdateTaskRequest) (*types.Empty, error) {
-	return empty, errdefs.ErrNotImplemented
+	c, err := s.getContainer(r.ID)
+	if err != nil {
+		return nil, err
+	}
+	if err := c.Update(ctx, r); err != nil {
+		return nil, errdefs.ToGRPC(err)
+	}
+	return empty, nil
 }
 
 // Wait waits for the container to exit.
diff --git a/pkg/shim/v1/runsc/service_test.go b/pkg/shim/v1/runsc/service_test.go
@@ -15,12 +15,24 @@
 package runsc
 
 import (
+	"context"
+	"errors"
 	"testing"
 
+	"github.com/containerd/containerd/runtime/v2/task"
+	"github.com/containerd/errdefs"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"gvisor.dev/gvisor/pkg/shim/v1/utils"
 )
 
+func TestContainerUpdateNilResources(t *testing.T) {
+	c := &Container{}
+	err := c.Update(context.Background(), &task.UpdateTaskRequest{ID: "x", Resources: nil})
+	if !errors.Is(err, errdefs.ErrInvalidArgument) {
+		t.Fatalf("Update(nil Resources): %v, want ErrInvalidArgument", err)
+	}
+}
+
 func TestCgroupPath(t *testing.T) {
 	for _, tc := range []struct {
 		name string
diff --git a/pkg/shim/v1/runsccmd/BUILD b/pkg/shim/v1/runsccmd/BUILD
@@ -1,4 +1,4 @@
-load("//tools:defs.bzl", "go_library")
+load("//tools:defs.bzl", "go_library", "go_test")
 
 package(
     default_applicable_licenses = ["//:license"],
@@ -19,3 +19,10 @@ go_library(
         "@org_golang_x_sys//unix:go_default_library",
     ],
 )
+
+go_test(
+    name = "runsccmd_test",
+    size = "small",
+    srcs = ["runsc_test.go"],
+    library = ":runsccmd",
+)
diff --git a/pkg/shim/v1/runsccmd/runsc.go b/pkg/shim/v1/runsccmd/runsc.go
@@ -205,6 +205,18 @@ func (r *Runsc) Resume(context context.Context, id string) error {
 	return nil
 }
 
+// Update applies cgroup resource changes to a created or running container
+// (OCI runtime update). This matches github.com/containerd/go-runc Update.
+func (r *Runsc) Update(ctx context.Context, id string, resources *specs.LinuxResources) error {
+	buf := new(bytes.Buffer)
+	if err := json.NewEncoder(buf).Encode(resources); err != nil {
+		return err
+	}
+	cmd := r.command(ctx, append([]string{"update", "--resources", "-", id})...)
+	cmd.Stdin = buf
+	return r.runOrError(cmd)
+}
+
 // Start will start an already created container.
 func (r *Runsc) Start(context context.Context, id string, cio runc.IO) error {
 	return r.start(context, cio, r.command(context, "start", id))
diff --git a/pkg/shim/v1/runsccmd/runsc_test.go b/pkg/shim/v1/runsccmd/runsc_test.go
@@ -0,0 +1,87 @@
+// Copyright 2026 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build linux
+
+package runsccmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// TestRunscUpdateCLI verifies Update runs the OCI update flow: JSON resources on
+// stdin and "update --resources - <id>" in argv (same contract as go-runc).
+func TestRunscUpdateCLI(t *testing.T) {
+	ctx := context.Background()
+	dir := t.TempDir()
+	argsLog := filepath.Join(dir, "args.txt")
+	stdinLog := filepath.Join(dir, "stdin.txt")
+	script := filepath.Join(dir, "fake-runsc")
+	scriptBody := fmt.Sprintf(`#!/bin/sh
+printf '%%s\n' "$*" >%q
+cat >%q
+exit 0
+`, argsLog, stdinLog)
+	if err := os.WriteFile(script, []byte(scriptBody), 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	limit := int64(4096)
+	wantRes := &specs.LinuxResources{
+		Memory: &specs.LinuxMemory{Limit: &limit},
+	}
+
+	r := &Runsc{
+		Command: script,
+		Root:    filepath.Join(dir, "root"),
+	}
+	if err := r.Update(ctx, "cid-1", wantRes); err != nil {
+		t.Fatalf("Update: %v", err)
+	}
+
+	rawArgs, err := os.ReadFile(argsLog)
+	if err != nil {
+		t.Fatal(err)
+	}
+	args := strings.Fields(string(rawArgs))
+	var joined strings.Builder
+	for _, a := range args {
+		joined.WriteString(a)
+		joined.WriteByte(' ')
+	}
+	s := joined.String()
+	if !strings.Contains(s, "update ") || !strings.Contains(s, "--resources ") || !strings.Contains(s, "- cid-1") {
+		t.Fatalf("argv missing expected update flags: %q", string(rawArgs))
+	}
+
+	rawStdin, err := os.ReadFile(stdinLog)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var got specs.LinuxResources
+	if err := json.Unmarshal(rawStdin, &got); err != nil {
+		t.Fatalf("stdin JSON: %v", err)
+	}
+	if got.Memory == nil || got.Memory.Limit == nil || *got.Memory.Limit != limit {
+		t.Fatalf("stdin resources: got %+v, want memory limit %d", got.Memory, limit)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ import (`
`22`	`22`	`"github.com/containerd/console"`
`23`	`23`	`"github.com/containerd/errdefs"`
`24`	`24`	`runc "github.com/containerd/go-runc"`
	`25`	`+ google_protobuf "github.com/gogo/protobuf/types"`
`25`	`26`	`"gvisor.dev/gvisor/pkg/shim/v1/extension"`
`26`	`27`	`)`
`27`	`28`
`@@ -57,3 +58,7 @@ func (s *deletedState) State(context.Context) (string, error) {`
`57`	`58`	`func (s deletedState) Stats(context.Context, string) (runc.Stats, error) {`
`58`	`59`	`return nil, fmt.Errorf("cannot stat a stopped container/process")`
`59`	`60`	`}`
	`61`	`+`
	`62`	`+func (deletedState) Update(context.Context, google_protobuf.Any) error {`
	`63`	`+ return fmt.Errorf("cannot update a deleted container/process: %w", errdefs.ErrNotFound)`
	`64`	`+}`