microsoft · shreyanshjain7174 · Mar 31, 2026
@@ -30,7 +30,6 @@ import (
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
-	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
 // containerStatus has been introduced to enable parallel container creation
@@ -77,6 +76,10 @@ type Container struct {
 	// of this container is located. Usually, this is either `/run/gcs/c/<containerID>` or
 	// `/run/gcs/c/<UVMID>/container_<containerID>` if scratch is shared with UVM scratch.
 	scratchDirPath string
+
+	// sandboxRoot is the root directory of the pod within the guest.
+	// Used during cleanup to unmount sandbox-specific paths.
+	sandboxRoot string
 }
 
 func (c *Container) Start(ctx context.Context, conSettings stdio.ConnectionSettings) (_ int, err error) {
@@ -229,25 +232,14 @@ func (c *Container) Kill(ctx context.Context, signal syscall.Signal) error {
 func (c *Container) Delete(ctx context.Context) error {
 	entity := log.G(ctx).WithField(logfields.ContainerID, c.id)
 	entity.Info("opengcs::Container::Delete")
-	if c.isSandbox {
-		// Check if this is a virtual pod
-		virtualSandboxID := ""
-		if c.spec != nil && c.spec.Annotations != nil {
-			virtualSandboxID = c.spec.Annotations[annotations.VirtualPodID]
-		}
-
-		// remove user mounts in sandbox container - use virtual pod aware paths
-		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxMountsDir(c.id, virtualSandboxID), true); err != nil {
+	if c.isSandbox && c.sandboxRoot != "" {
+		if err := storage.UnmountAllInPath(ctx, sandboxMountsDir(c.sandboxRoot), true); err != nil {
 			entity.WithError(err).Error("failed to unmount sandbox mounts")
 		}
-
-		// remove user mounts in tmpfs sandbox container - use virtual pod aware paths
-		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxTmpfsMountsDir(c.id, virtualSandboxID), true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, sandboxTmpfsMountsDir(c.sandboxRoot), true); err != nil {
 			entity.WithError(err).Error("failed to unmount tmpfs sandbox mounts")
 		}
-
-		// remove hugepages mounts in sandbox container - use virtual pod aware paths
-		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareHugePagesMountsDir(c.id, virtualSandboxID), true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, sandboxHugePagesMountsDir(c.sandboxRoot), true); err != nil {
 			entity.WithError(err).Error("failed to unmount hugepages mounts")
 		}
 	}

@@ -20,35 +20,18 @@ import (
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
-func getSandboxHostnamePath(id, virtualSandboxID string) string {
-	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hostname")
-}
-
-func getSandboxHostsPath(id, virtualSandboxID string) string {
-	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hosts")
-}
-
-func getSandboxResolvPath(id, virtualSandboxID string) string {
-	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "resolv.conf")
-}
-
-func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (err error) {
+func setupSandboxContainerSpec(ctx context.Context, id, sandboxRoot string, spec *oci.Spec) (err error) {
 	ctx, span := oc.StartSpan(ctx, "hcsv2::setupSandboxContainerSpec")
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("cid", id))
 
-	// Check if this is a virtual pod to use appropriate root directory
-	virtualSandboxID := spec.Annotations[annotations.VirtualPodID]
-
-	// Generate the sandbox root dir - virtual pod aware
-	rootDir := specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID)
-	if err := os.MkdirAll(rootDir, 0755); err != nil {
-		return errors.Wrapf(err, "failed to create sandbox root directory %q", rootDir)
+	if err := os.MkdirAll(sandboxRoot, 0755); err != nil {
+		return errors.Wrapf(err, "failed to create sandbox root directory %q", sandboxRoot)
 	}
 	defer func() {
 		if err != nil {
-			_ = os.RemoveAll(rootDir)
+			_ = os.RemoveAll(sandboxRoot)
 		}
 	}()
 
@@ -62,19 +45,20 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		}
 	}
 
-	sandboxHostnamePath := getSandboxHostnamePath(id, virtualSandboxID)
+	sandboxHostnamePath := filepath.Join(sandboxRoot, "hostname")
 	if err := os.WriteFile(sandboxHostnamePath, []byte(hostname+"\n"), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write hostname to %q", sandboxHostnamePath)
 	}
 
 	// Write the hosts
 	sandboxHostsContent := network.GenerateEtcHostsContent(ctx, hostname)
-	sandboxHostsPath := getSandboxHostsPath(id, virtualSandboxID)
+	sandboxHostsPath := filepath.Join(sandboxRoot, "hosts")
 	if err := os.WriteFile(sandboxHostsPath, []byte(sandboxHostsContent), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write sandbox hosts to %q", sandboxHostsPath)
 	}
 
 	// Check if this is a virtual pod sandbox container by comparing container ID with virtual pod ID
+	virtualSandboxID := spec.Annotations[annotations.VirtualPodID]
 	isVirtualPodSandbox := virtualSandboxID != "" && id == virtualSandboxID
 	if strings.EqualFold(spec.Annotations[annotations.SkipPodNetworking], "true") || isVirtualPodSandbox {
 		ns := GetOrAddNetworkNamespace(specGuest.GetNetworkNamespaceID(spec))
@@ -97,7 +81,7 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		if err != nil {
 			return errors.Wrap(err, "failed to generate sandbox resolv.conf content")
 		}
-		sandboxResolvPath := getSandboxResolvPath(id, virtualSandboxID)
+		sandboxResolvPath := filepath.Join(sandboxRoot, "resolv.conf")
 		if err := os.WriteFile(sandboxResolvPath, []byte(resolvContent), 0644); err != nil {
 			return errors.Wrap(err, "failed to write sandbox resolv.conf")
 		}
@@ -125,10 +109,8 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 
 	// Set cgroup path - check if this is a virtual pod
 	if virtualSandboxID != "" {
-		// Virtual pod sandbox gets its own cgroup under /containers/virtual-pods using the virtual pod ID
 		spec.Linux.CgroupsPath = "/containers/virtual-pods/" + virtualSandboxID
 	} else {
-		// Traditional sandbox goes under /containers
 		spec.Linux.CgroupsPath = "/containers/" + id
 	}