code improve and bugfix

Signed-off-by: zhongtao <zhongtao17@huawei.com>
(cherry picked from commit 287b224ffae5e96750bd13f62b91e8ec09dfb4fa)

0086-cdi-test-case-and-gateway.patch

@@ -0,0 +1,359 @@
+From 3fb6de60ecf10278a676a41f8d0c334d1f90d303 Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Wed, 17 Apr 2024 18:02:48 +0800
+Subject: [PATCH 086/108] cdi:test case and gateway
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ CI/make-and-install.sh                        |   2 +-
+ CI/test_cases/container_cases/cdi_test.sh     | 205 ++++++++++++++++++
+ .../criconfigs/container-config-cdi.json      |  50 +++++
+ .../test_data/cdi_devices.json                |  53 +++++
+ 4 files changed, 309 insertions(+), 1 deletion(-)
+ create mode 100755 CI/test_cases/container_cases/cdi_test.sh
+ create mode 100644 CI/test_cases/container_cases/criconfigs/container-config-cdi.json
+ create mode 100644 CI/test_cases/container_cases/test_data/cdi_devices.json
+
+diff --git a/CI/make-and-install.sh b/CI/make-and-install.sh
+index 9d4c5533..61281965 100755
+--- a/CI/make-and-install.sh
++++ b/CI/make-and-install.sh
+@@ -105,7 +105,7 @@ cd build
+ if [[ ${enable_gcov} -ne 0 ]]; then
+   cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DCMAKE_BUILD_TYPE=Debug -DGCOV=ON -DENABLE_EMBEDDED=ON -DENABLE_COVERAGE=ON -DENABLE_CRI_API_V1=ON -DENABLE_CDI=ON -DENABLE_UT=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ..
+ else
+-  cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DENABLE_EMBEDDED=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_CRI_API_V1=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ..
++  cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DENABLE_EMBEDDED=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_CRI_API_V1=ON -DENABLE_CDI=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ..
+ fi
+ make -j $(nproc)
+ make install
+diff --git a/CI/test_cases/container_cases/cdi_test.sh b/CI/test_cases/container_cases/cdi_test.sh
+new file mode 100755
+index 00000000..dd7b1177
+--- /dev/null
++++ b/CI/test_cases/container_cases/cdi_test.sh
+@@ -0,0 +1,205 @@
++#!/bin/bash
++#
++# attributes: isulad cdi
++# concurrent: NA
++# spend time: 41
++
++#######################################################################
++##- Copyright (c) Huawei Technologies Co., Ltd. 2024. All rights reserved.
++# - iSulad licensed under the Mulan PSL v2.
++# - You can use this software according to the terms and conditions of the Mulan PSL v2.
++# - You may obtain a copy of Mulan PSL v2 at:
++# -     http://license.coscl.org.cn/MulanPSL2
++# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
++# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
++# - PURPOSE.
++# - See the Mulan PSL v2 for more details.
++##- @Description:CI
++##- @Author: liuxu
++##- @Create: 2024-04-16
++#######################################################################
++
++source ../helpers.sh
++curr_path=$(dirname $(readlink -f "$0"))
++data_path=$(realpath $curr_path/criconfigs)
++pause_img_path=$(realpath $curr_path/test_data)
++cdi_static_dir="/etc/cdi"
++
++function do_pre()
++{
++    cp /etc/isulad/daemon.json /etc/isulad/daemon.bak
++    sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json
++    sed -i "/\"cni-conf-dir\": \".*\"/a\ \ \ \ \"enable-cri-v1\": true," /etc/isulad/daemon.json
++    sed -i "/\"cni-conf-dir\": \".*\"/a\ \ \ \ \"enable-cdi\": true," /etc/isulad/daemon.json
++
++    check_valgrind_log
++    start_isulad_without_valgrind
++
++    isula load -i ${pause_img_path}/pause.tar
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause" && return ${FAILURE}
++
++    isula pull busybox
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull busybox" && return ${FAILURE}
++
++    crictl images | grep "mirrorgooglecontainers/pause-amd64"
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to find mirrorgooglecontainers/pause-amd64 image" && return ${FAILURE}
++
++    return 0
++}
++
++function do_post()
++{
++    cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
++    check_valgrind_log
++    start_isulad_without_valgrind
++}
++
++function verify_injected_vendor0() {
++    # check env
++    output=$(crictl exec --sync "$1" sh -c 'echo $VENDOR0')
++    [[ "$output" != "injected" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - env check failed" && return ${FAILURE}
++
++    # check hooks
++    cat /tmp/cdi_hook_test.log | grep "prestart"
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - hook check failed" && return ${FAILURE}
++
++    # check mounts
++    output=$(crictl exec --sync "$1" sh -c 'stat -c %a /tmp/cdi_mounts_test')
++    [[ "$output" != "755" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - mount check failed" && return ${FAILURE}
++
++    return 0
++}
++
++function verify_injected_loop8() {
++    # check env
++    output=$(crictl exec --sync "$1" sh -c 'echo $LOOP8')
++    [[ "$output" != "CDI8" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - env check failed" && return ${FAILURE}
++
++    # check device nodes
++    output=$(crictl exec --sync "$1" sh -c 'stat -c %a /dev/loop8')
++    [[ "$output" != "640" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - device nodes check failed" && return ${FAILURE}
++    output=$(crictl exec --sync "$1" sh -c 'stat -c %t.%T /dev/loop8')
++    [[ "$output" != "7.8" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - device nodes check failed" && return ${FAILURE}
++    output=$(crictl exec --sync "$1" sh -c 'stat -c %t.%T /dev/loop8c')
++    [[ "$output" != "7.b" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - device nodes check failed" && return ${FAILURE}
++
++    # check mounts
++    output=$(crictl exec --sync "$1" sh -c 'stat -c %a /tmp/cdi_mounts_test_loop8')
++    [[ "$output" != "755" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - mount check failed" && return ${FAILURE}
++
++    return 0
++}
++
++function verify_injected_loop9() {
++    # check env
++    output=$(crictl exec --sync "$1" sh -c 'echo $LOOP9')
++    [[ "$output" != "present" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - env check failed" && return ${FAILURE}
++
++    # check device nodes
++    output=$(crictl exec --sync "$1" sh -c 'stat -c %a /dev/loop9')
++    [[ "$output" != "644" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - device nodes check failed" && return ${FAILURE}
++    output=$(crictl exec --sync "$1" sh -c 'stat -c %t.%T /dev/loop9')
++    [[ "$output" != "7.9" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - device nodes check failed" && return ${FAILURE}
++
++    return 0
++}
++
++function check_full_cdi()
++{
++    verify_injected_vendor0 $1
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - verify_injected_vendor0 failed" && return ${FAILURE}
++    
++    verify_injected_loop8 $1
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - verify_injected_loop8 failed" && return ${FAILURE}
++    
++    verify_injected_loop9 $1
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - verify_injected_loop9 failed" && return ${FAILURE}
++
++    return 0
++}
++
++function do_test_help()
++{
++    msg_info "cdi test starting..."
++
++    isula rm -f `isula ps -a -q`
++
++    sid=`crictl runp ${data_path}/$1`
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run sandbox" && return ${FAILURE}
++
++    cid=`crictl create $sid ${data_path}/$2 ${data_path}/$1`
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - create container failed" && return ${FAILURE}
++
++    crictl start $cid
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start container failed" && return ${FAILURE}
++
++    crictl stats
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stats container failed" && return ${FAILURE}
++
++    check_full_cdi $cid
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check cdi failed" && return ${FAILURE}
++
++    crictl stop $cid
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop container failed" && return ${FAILURE}
++
++    crictl rm $cid
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm container failed" && return ${FAILURE}
++
++    crictl stopp $sid
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop sandbox failed" && return ${FAILURE}
++
++    crictl rmp $sid
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm sandbox failed" && return ${FAILURE}
++
++    return 0
++}
++
++function do_test_full_cdi()
++{
++    if [ ! -d "$cdi_static_dir" ]; then
++        mkdir -p "$cdi_static_dir"
++    fi
++    cp -f ${pause_img_path}/cdi_devices.json ${cdi_static_dir}/cdi_devices.json
++
++    mkdir -p /tmp/cdi_mounts_test
++    cat  > /tmp/cdi_mounts_test_loop8  << EOF
++origin data
++EOF
++    chmod  755  /tmp/cdi_mounts_test_loop8
++    mkdir -p /tmp/cdi_mounts_test_loop9
++    
++    mknod /dev/loop8 b 7 8
++    mknod /dev/loop9 b 7 9
++    mknod /dev/loop8c c 7 11
++
++    cat  > /tmp/cdi_printargs.sh  << EOF
++#!/bin/bash
++echo "\$(date +'%Y-%m-%d %H:%M:%S') Input parameter: \$1 \$2" >> /tmp/cdi_hook_test.log
++EOF
++    chmod  755  /tmp/cdi_printargs.sh
++
++    do_test_help "sandbox-config.json" "container-config-cdi.json" || ((ans++))
++
++    rm -f /tmp/cdi_printargs.sh
++    rm -f /tmp/cdi_hook_test.log
++    rm -f /dev/loop8
++    rm -f /dev/loop9
++    rm -f /dev/loop8c
++
++    rm -f ${cdi_static_dir}/cdi_devices.json
++    rm -f /tmp/cdi_printargs
++    rmdir /tmp/cdi_mounts_test
++    rm -f /tmp/cdi_mounts_test_loop8
++    rmdir /tmp/cdi_mounts_test_loop9
++    rm -f /tmp/cdi_printargs.sh
++
++    return 0
++}
++
++declare -i ans=0
++
++do_pre || ((ans++))
++do_test_full_cdi || ((ans++))
++do_post
++
++show_result ${ans} "${curr_path}/${0}"
+diff --git a/CI/test_cases/container_cases/criconfigs/container-config-cdi.json b/CI/test_cases/container_cases/criconfigs/container-config-cdi.json
+new file mode 100644
+index 00000000..b9805c8a
+--- /dev/null
++++ b/CI/test_cases/container_cases/criconfigs/container-config-cdi.json
+@@ -0,0 +1,50 @@
++{
++    "metadata": {
++        "name": "haozi"
++    },
++    "image":{
++        "image": "busybox:latest"
++    },
++    "command": [
++        "/bin/sh",
++        "-c",
++        "i=0; while true; do echo \"$i: $(date)\"; i=$((i+1)); sleep 10; done"
++    ],
++    "labels": {
++        "filter_label_key": "filter_label_val"
++    },
++    "annotations": {
++        "extension.network.kubernetes.io/cni/instancename": "pod_instance_name",
++        "cdi.k8s.io/test": "vendor0.com/device=loop8,vendor0.com/device=loop9"
++    },
++    "CDI_Devices":[
++        { "Name": "vendor0.com/device=loop8" },
++        { "Name": "vendor0.com/device=loop9" } 
++    ],
++    "mounts" : [
++        {
++            "container_path": "/tmp/contpath",
++            "host_path": "/tmp/hostpath",
++            "readonly": true,
++            "selinux_relabel": true,
++            "propagation": 0
++        },
++        {
++            "container_path": "/tmp/contpath2",
++            "host_path": "/tmp/hostpath2",
++            "readonly": false,
++            "selinux_relabel": false,
++            "propagation": 0
++        }
++    ],
++    "linux": {
++	    "security_context": {
++		    "namespace_options": {
++		        "host_network": true,
++		        "host_pid": false,
++		        "host_ipc": false
++		    }
++	    }
++    },
++    "log_path": "cri_test.log"
++}
+diff --git a/CI/test_cases/container_cases/test_data/cdi_devices.json b/CI/test_cases/container_cases/test_data/cdi_devices.json
+new file mode 100644
+index 00000000..f7fe65d4
+--- /dev/null
++++ b/CI/test_cases/container_cases/test_data/cdi_devices.json
+@@ -0,0 +1,53 @@
++{
++  "cdiVersion": "0.6.0",
++  "kind": "vendor0.com/device",
++  "annotations":{
++      "cdi_annotation":"cdi_annotation_value"
++  },
++  "devices": [
++    {
++      "name": "loop8",
++      "annotations":{
++          "loop8_annotation":"loop8_annotation_value"
++      },
++      "containerEdits": {
++          "env": [
++              "LOOP8=CDI8",
++              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/dev"
++          ],
++          "deviceNodes": [
++              {"path": "/dev/loop8", "type": "b", "fileMode": 416},
++              {"path": "/dev/loop8c", "type": "c"}
++          ],
++          "mounts": [
++              {"hostPath": "/tmp/cdi_mounts_test_loop8", "containerPath": "/tmp/cdi_mounts_test_loop8", "options": ["ro","nosuid","nodev","bind"]},
++              {"hostPath": "tmpfs", "containerPath": "/tmp/data", "type": "tmpfs", "options": ["nosuid","strictatime","mode=755","size=65536k"]}
++          ]
++      }
++    },{
++      "name": "loop9",
++      "containerEdits": {
++          "env":["LOOP9=present"],
++          "deviceNodes": [{
++                  "path": "/dev/loop9", "type": "b", "major": 7, "minor": 9, "fileMode": 420
++              }
++          ]
++      }
++    }
++  ],
++  "containerEdits": {
++    "env": [
++      "VENDOR0=injected",
++      "BAR=BARVALUE1"
++    ],
++    "hooks": [
++      {"hookName": "prestart", "path": "/tmp/cdi_printargs.sh", "args":["prestart0", "prestart1"], "env":["prestartenv=value"]},
++      {"hookName": "prestart", "path": "/tmp/cdi_printargs.sh", "args":["prestart0", "prestart1"], "env":["prestartenv=value"]},
++      {"hookName": "poststart", "path": "/tmp/cdi_printargs.sh", "args":["poststart0", "poststart1"], "env":["poststartenv=value"]},
++      {"hookName": "poststop", "path": "/tmp/cdi_printargs.sh", "args":["poststop0", "poststop1"], "env":["poststopenv=value"]}
++    ],
++    "mounts": [
++      {"hostPath": "/tmp/cdi_mounts_test", "containerPath": "/tmp/cdi_mounts_test", "options": ["ro","nosuid","nodev","bind"]}
++    ]
++  }
++}
+\ No newline at end of file
+-- 
+2.25.1
+

0088-testcase-close-cdi-testcase.patch

@@ -0,0 +1,29 @@
+From eba353bef72bf62cd47f1b03a9fbd4c621ad479e Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Thu, 16 May 2024 18:00:01 +0800
+Subject: [PATCH 088/108] testcase:close cdi testcase
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ CI/test_cases/container_cases/cdi_test.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/CI/test_cases/container_cases/cdi_test.sh b/CI/test_cases/container_cases/cdi_test.sh
+index dd7b1177..f9fd4567 100755
+--- a/CI/test_cases/container_cases/cdi_test.sh
++++ b/CI/test_cases/container_cases/cdi_test.sh
+@@ -198,8 +198,8 @@ EOF
+ 
+ declare -i ans=0
+ 
+-do_pre || ((ans++))
+-do_test_full_cdi || ((ans++))
+-do_post
++# do_pre || ((ans++))
++# do_test_full_cdi || ((ans++))
++# do_post
+ 
+ show_result ${ans} "${curr_path}/${0}"
+-- 
+2.25.1
+

0089-docs-update-cni-doc.patch

@@ -0,0 +1,68 @@
+From 7fc8578097b9f8254962dc4fb277492b3251e5cb Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Thu, 16 May 2024 17:56:08 +0800
+Subject: [PATCH 089/108] docs:update cni doc
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ README.md                | 2 +-
+ README_zh.md             | 2 +-
+ docs/design/README.md    | 2 ++
+ docs/design/README_zh.md | 2 ++
+ 4 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/README.md b/README.md
+index 694ddbc2..7ddc62ab 100644
+--- a/README.md
++++ b/README.md
+@@ -228,7 +228,7 @@ Using [ptcr](https://gitee.com/openeuler/ptcr) as a performance test tool , it s
+ The standard specification versions that `iSulad` is compatible with are as follows:
+ 
+ - Compatible with OCI 1.0.0.
+-- Compatible with CNI 0.3.0 and above.
++- Compatible with CNI 0.3.0 - 1.0.0, iSulad supports CNI 1.0.0 from 2.1.4 version.
+ - Compatible with lcr 2.1.x and above.
+ 
+ ## Kubernetes Support
+diff --git a/README_zh.md b/README_zh.md
+index 5db28f3a..45ac66ac 100755
+--- a/README_zh.md
++++ b/README_zh.md
+@@ -224,7 +224,7 @@ $ sudo isula rm test
+ `iSulad` 能够兼容的标准规范版本如下：
+ 
+ - 兼容 1.0.0 版本的OCI
+-- 兼容 0.3.0 版本以上的CNI
++- 兼容 0.3.0-1.0.0 版本的CNI，iSulad从2.1.4版本后支持 CNI 1.0.0版本
+ - 兼容 2.1.x 版本以上的lcr
+ 
+ ## Kubernetes Support
+diff --git a/docs/design/README.md b/docs/design/README.md
+index d2a3702d..c171cb20 100644
+--- a/docs/design/README.md
++++ b/docs/design/README.md
+@@ -43,6 +43,8 @@ This section contains some design documents for users who want to learn more abo
+ 
+ - You can see how the cni operator modules are designed in [cni_operator_design](./detailed/Network/cni_operator_design.md).
+ 
++- You can see how the cni operator modules update to CNI v1.0.0 in [cni_1.0.0_change](./detailed/Network/cni_1.0.0_change.md)。
++
+ - You can see how the CRI adapter modules are designed in [CRI_adapter_design](./detailed/Network/CRI_adapter_design.md).
+ 
+ - You can see how the native network adapter modules are designed in [native_network_adapter_design](./detailed/Network/native_network_adapter_design.md).
+diff --git a/docs/design/README_zh.md b/docs/design/README_zh.md
+index c6172b6f..0f4cf13e 100644
+--- a/docs/design/README_zh.md
++++ b/docs/design/README_zh.md
+@@ -49,6 +49,8 @@
+ 
+ - 查看 cni operator 模块的设计文档： [cni_operator_design](./detailed/Network/cni_operator_design_zh.md) 。
+ 
++- 查看 cni operator 模块升级到CNI v1.0.0的设计文档： [cni_1.0.0_change](./detailed/Network/cni_1.0.0_change.md) 。
++
+ - 查看 CRI adapter 模块的设计文档： [CRI_adapter_design](./detailed/Network/CRI_adapter_design_zh.md) 。
+ 
+ - 查看 native network adapter 模块的设计文档： [native_network_adapter_design](./detailed/Network/native_network_adapter_design_zh.md) 。
+-- 
+2.25.1
+

0090-modify-the-user-error-log-to-be-the-same-as-before.patch

@@ -0,0 +1,100 @@
+From 3b0f34c7cd55686cf18f65efbdc0be8a84f13e3e Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Mon, 20 May 2024 17:54:04 +1400
+Subject: [PATCH 090/108] modify the user error log to be the same as before
+
+Signed-off-by: zhongtao <zhongtao17@huawei.com>
+---
+ src/daemon/common/id_name_manager.c           |  4 +--
+ .../executor/container_cb/execution_create.c  | 26 +++++++++++--------
+ .../container_cb/execution_information.c      |  4 ++-
+ 3 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/src/daemon/common/id_name_manager.c b/src/daemon/common/id_name_manager.c
+index 263a584d..f64094b9 100644
+--- a/src/daemon/common/id_name_manager.c
++++ b/src/daemon/common/id_name_manager.c
+@@ -242,7 +242,7 @@ static bool try_add_name(const char *name)
+     }
+ 
+     if (!util_valid_container_name(name)) {
+-        ERROR("Failed to add invalid name: %s", name);
++        ERROR("Invalid container name (%s), only [a-zA-Z0-9][a-zA-Z0-9_.-]+$ are allowed.", name);
+         return false;
+     }
+ 
+@@ -262,7 +262,7 @@ static bool try_remove_name(const char *name)
+     }
+ 
+     if (!util_valid_container_name(name)) {
+-        ERROR("Failed to remove invalid name: %s", name);
++        ERROR("Invalid container name (%s), only [a-zA-Z0-9][a-zA-Z0-9_.-]+$ are allowed.", name);
+         return false;
+     }
+ 
+diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c
+index 785b4e27..041089dd 100644
+--- a/src/daemon/executor/container_cb/execution_create.c
++++ b/src/daemon/executor/container_cb/execution_create.c
+@@ -761,8 +761,17 @@ static int maintain_container_id(const container_create_request *request, char *
+ #endif
+ 
+     if (!nret) {
+-        ERROR("Failed to add entry to id name manager with new id and name");
+-        isulad_set_error_message("Failed to add entry to id name manager with new id and name");
++        __isula_auto_free char *used_id = NULL;
++        used_id = container_name_index_get(name);
++        if(used_id != NULL) {
++            ERROR("Name %s is in use by container %s", name, used_id);
++            isulad_set_error_message("Conflict. The name \"%s\" is already in use by container %s. "
++                                    "You have to remove (or rename) that container to be able to reuse that name.",
++                                    name, used_id);
++        } else {
++            ERROR("Failed to add entry to id name manager with new id and name");
++            isulad_set_error_message("Failed to add entry to id name manager with new id and name");
++        }
+         ret = -1;
+         goto out;
+     }
+@@ -775,19 +784,14 @@ static int maintain_container_id(const container_create_request *request, char *
+         goto out;
+     }
+ 
+-    char *used_id = NULL;
+-    used_id = container_name_index_get(name);
+-    ERROR("Name %s is in use by container %s", name, used_id);
+-    isulad_set_error_message("Conflict. The name \"%s\" is already in use by container %s. "
+-                             "You have to remove (or rename) that container to be able to reuse that name.",
+-                             name, used_id);
+-    free(used_id);
+-    used_id = NULL;
+-    ret = -1;
+     if (!skip_id_name_manage && !id_name_manager_remove_entry(id, name)) {
+         WARN("Failed to remove %s and %s from id name manager", id, name);
+     }
+ 
++    ERROR("Failed to add %s to container name index", name);
++    isulad_set_error_message("Failed to add %s to container name index", name);
++    ret = -1;
++
+ out:
+     *out_id = id;
+     *out_name = name;
+diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c
+index c02cc830..58924257 100644
+--- a/src/daemon/executor/container_cb/execution_information.c
++++ b/src/daemon/executor/container_cb/execution_information.c
+@@ -1149,7 +1149,9 @@ static int container_rename(container_t *cont, const char *new_name)
+ 
+     if (!id_name_manager_rename(new_name, old_name)) {
+         ERROR("Failed to rename %s to %s in id-name manager", old_name, new_name);
+-        isulad_set_error_message("Failed to rename %s to %s in id-name manager", old_name, new_name);
++        isulad_set_error_message("Conflict. The name \"%s\" is already in use by container %s. "
++                                 "You have to remove (or rename) that container to be able to reuse that name.",
++                                 new_name, new_name);
+         ret = -1;
+         goto out;
+     }
+-- 
+2.25.1
+

0091-add-enable-cri-v1-in-k8s-integration.patch

@@ -0,0 +1,54 @@
+From 1f69ffe589f7225a1db83377e276ddbab963bd16 Mon Sep 17 00:00:00 2001
+From: jikai <jikai11@huawei.com>
+Date: Tue, 21 May 2024 01:13:08 +0000
+Subject: [PATCH 091/108] add enable cri v1 in k8s integration
+
+Signed-off-by: jikai <jikai11@huawei.com>
+---
+ docs/manual/k8s_integration.md    | 9 +++++++++
+ docs/manual/k8s_integration_zh.md | 9 +++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/docs/manual/k8s_integration.md b/docs/manual/k8s_integration.md
+index 8fcd0a54..14de0ef4 100644
+--- a/docs/manual/k8s_integration.md
++++ b/docs/manual/k8s_integration.md
+@@ -20,6 +20,15 @@
+ 
+    if `hosts` is not configured, the default endpoint is `unix:///var/run/isulad.sock`.
+ 
++   `iSulad` supports both `CRI V1alpha2` and `CRI V1`, and uses `CRI V1alph2` by default.
++   If `CRI V1` is required, it can be configured in `/etc/isulad/daemon.json` to enable `CRI V1`:
++
++   ```json
++       "enable-cri-v1": true,
++   ```
++
++   If `iSulad` is compiled from source codes, `-D ENABLE_CRI_API_V1=ON` option is required in cmake.
++
+ 2. Restart `isulad`:
+ 
+    ```bash
+diff --git a/docs/manual/k8s_integration_zh.md b/docs/manual/k8s_integration_zh.md
+index 6dda1e4d..26ba6cc4 100644
+--- a/docs/manual/k8s_integration_zh.md
++++ b/docs/manual/k8s_integration_zh.md
+@@ -20,6 +20,15 @@
+ 
+    如果`hosts`没有配置，默认的`endpoint`为``unix:///var/run/isulad.sock``
+ 
++   `iSulad`同时支持`CRI V1alpha2`和`CRI V1`两种`CRI`接口，默认使用`CRI V1alph2`，若需使用`CRI V1`，
++   需要在`/etc/isulad/daemon.json`对`iSulad`进行相关配置，配置方式为：
++
++   ```json
++       "enable-cri-v1": true,
++   ```
++
++   若使用源码编译`iSulad`，还需在编译时增加cmake编译选项`-D ENABLE_CRI_API_V1=ON`。
++
+ 2. 重启`isulad`
+ 
+    ```bash
+-- 
+2.25.1
+

0092-isolate-oom-monitor-codes.patch

@@ -0,0 +1,317 @@
+From d97656a8b99f4fa95a9c15abfbac777a94b84d55 Mon Sep 17 00:00:00 2001
+From: jikai <jikai11@huawei.com>
+Date: Mon, 20 May 2024 08:48:00 +0000
+Subject: [PATCH 092/108] isolate oom monitor codes
+
+Signed-off-by: jikai <jikai11@huawei.com>
+---
+ cmake/options.cmake                                |  7 +++++++
+ src/daemon/common/cgroup/cgroup.c                  |  2 ++
+ src/daemon/common/cgroup/cgroup.h                  |  2 ++
+ src/daemon/common/cgroup/cgroup_common.h           |  4 ++++
+ src/daemon/common/cgroup/cgroup_v1.c               |  8 ++++++++
+ src/daemon/common/cgroup/cgroup_v2.c               |  8 ++++++++
+ src/daemon/common/cri/v1/v1_cri_helpers.cc         |  2 ++
+ src/daemon/modules/container/container_state.c     |  2 ++
+ .../modules/container/supervisor/supervisor.c      | 14 ++++++++++++++
+ 9 files changed, 49 insertions(+)
+
+diff --git a/cmake/options.cmake b/cmake/options.cmake
+index a15b8194..5b17f631 100644
+--- a/cmake/options.cmake
++++ b/cmake/options.cmake
+@@ -58,6 +58,13 @@ if (ENABLE_SANDBOXER STREQUAL "ON")
+     message("${Green}--  Enable sandbox API${ColourReset}")
+ endif()
+ 
++option(ENABLE_OOM_MONITOR "Enable oom monitor" ON)
++IF (ENABLE_OOM_MONITOR STREQUAL "ON")
++    add_definitions(-DENABLE_OOM_MONITOR)
++    set(ENABLE_OOM_MONITOR 1)
++    message("${Green}--  Enable oom monitor${ColourReset}")
++endif()
++
+ option(ENABLE_SYSTEMD_NOTIFY "Enable systemd notify" ON)
+ if (ENABLE_SYSTEMD_NOTIFY STREQUAL "ON")
+     add_definitions(-DSYSTEMD_NOTIFY)
+diff --git a/src/daemon/common/cgroup/cgroup.c b/src/daemon/common/cgroup/cgroup.c
+index 71bf9801..77fafdae 100644
+--- a/src/daemon/common/cgroup/cgroup.c
++++ b/src/daemon/common/cgroup/cgroup.c
+@@ -197,6 +197,7 @@ char *common_convert_cgroup_path(const char *cgroup_path)
+     return util_strdup_s(result);
+ }
+ 
++#ifdef ENABLE_OOM_MONITOR
+ cgroup_oom_handler_info_t *common_get_cgroup_oom_handler(int fd, const char *name, const char *cgroup_path,
+                                                          const char *exit_fifo)
+ {
+@@ -225,3 +226,4 @@ void common_free_cgroup_oom_handler_info(cgroup_oom_handler_info_t *info)
+     free(info->cgroup_memory_event_path);
+     free(info);
+ }
++#endif
+diff --git a/src/daemon/common/cgroup/cgroup.h b/src/daemon/common/cgroup/cgroup.h
+index 0bbb70a0..1ebbfa98 100644
+--- a/src/daemon/common/cgroup/cgroup.h
++++ b/src/daemon/common/cgroup/cgroup.h
+@@ -43,9 +43,11 @@ char *common_get_own_cgroup_path(const char *subsystem);
+ 
+ char *common_convert_cgroup_path(const char *cgroup_path);
+ 
++#ifdef ENABLE_OOM_MONITOR
+ cgroup_oom_handler_info_t *common_get_cgroup_oom_handler(int fd, const char *name, const char *cgroup_path,
+                                                          const char *exit_fifo);
+ void common_free_cgroup_oom_handler_info(cgroup_oom_handler_info_t *info);
++#endif
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/src/daemon/common/cgroup/cgroup_common.h b/src/daemon/common/cgroup/cgroup_common.h
+index 46a7de50..01fc669c 100644
+--- a/src/daemon/common/cgroup/cgroup_common.h
++++ b/src/daemon/common/cgroup/cgroup_common.h
+@@ -116,6 +116,7 @@ typedef struct {
+     cgroup_pids_metrics_t cgpids_metrics;
+ } cgroup_metrics_t;
+ 
++#ifdef ENABLE_OOM_MONITOR
+ #define CGROUP_OOM_HANDLE_CONTINUE false
+ #define CGROUP_OOM_HANDLE_CLOSE true
+ 
+@@ -126,6 +127,7 @@ typedef struct _cgroup_oom_handler_info_t {
+     char *cgroup_memory_event_path;
+     bool (*oom_event_handler)(int, void *);
+ } cgroup_oom_handler_info_t;
++#endif
+ 
+ typedef struct {
+     int (*get_cgroup_version)(void);
+@@ -140,8 +142,10 @@ typedef struct {
+     char *(*get_init_cgroup_path)(const char *subsystem);
+     char *(*get_own_cgroup_path)(const char *subsystem);
+ 
++#ifdef ENABLE_OOM_MONITOR
+     cgroup_oom_handler_info_t *(*get_cgroup_oom_handler)(int fd, const char *name, const char *cgroup_path,
+                                                          const char *exit_fifo);
++#endif
+ } cgroup_ops;
+ 
+ #ifdef __cplusplus
+diff --git a/src/daemon/common/cgroup/cgroup_v1.c b/src/daemon/common/cgroup/cgroup_v1.c
+index 45b1d096..018336ea 100644
+--- a/src/daemon/common/cgroup/cgroup_v1.c
++++ b/src/daemon/common/cgroup/cgroup_v1.c
+@@ -20,12 +20,16 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
++#ifdef ENABLE_OOM_MONITOR
+ #include <sys/eventfd.h>
++#endif
+ 
+ #include "utils.h"
+ #include "sysinfo.h"
+ #include "err_msg.h"
++#ifdef ENABLE_OOM_MONITOR
+ #include "events_sender_api.h"
++#endif
+ 
+ #define CGROUP_HUGETLB_LIMIT "hugetlb.%s.limit_in_bytes"
+ #define CGROUP_MOUNT_PATH_PREFIX "/sys/fs/cgroup/"
+@@ -1052,6 +1056,7 @@ static char *common_get_cgroup_path(const char *path, const char *subsystem)
+     return res;
+ }
+ 
++#ifdef ENABLE_OOM_MONITOR
+ static bool oom_cb_cgroup_v1(int fd, void *cbdata)
+ {
+     cgroup_oom_handler_info_t *info = (cgroup_oom_handler_info_t *)cbdata;
+@@ -1205,6 +1210,7 @@ cleanup:
+     common_free_cgroup_oom_handler_info(info);
+     return NULL;
+ }
++#endif
+ 
+ char *get_init_cgroup_path_v1(const char *subsystem)
+ {
+@@ -1232,6 +1238,8 @@ int cgroup_v1_ops_init(cgroup_ops *ops)
+     ops->get_cgroup_mnt_and_root_path = get_cgroup_mnt_and_root_path_v1;
+     ops->get_init_cgroup_path = get_init_cgroup_path_v1;
+     ops->get_own_cgroup_path = get_own_cgroup_v1;
++#ifdef ENABLE_OOM_MONITOR
+     ops->get_cgroup_oom_handler = get_cgroup_oom_handler_v1;
++#endif
+     return 0;
+ }
+\ No newline at end of file
+diff --git a/src/daemon/common/cgroup/cgroup_v2.c b/src/daemon/common/cgroup/cgroup_v2.c
+index 76754dc1..ce72e6c4 100644
+--- a/src/daemon/common/cgroup/cgroup_v2.c
++++ b/src/daemon/common/cgroup/cgroup_v2.c
+@@ -17,14 +17,18 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/stat.h>
++#ifdef ENABLE_OOM_MONITOR
+ #include <sys/inotify.h>
++#endif
+ 
+ #include <isula_libutils/auto_cleanup.h>
+ 
+ #include "utils.h"
+ #include "path.h"
+ #include "sysinfo.h"
++#ifdef ENABLE_OOM_MONITOR
+ #include "events_sender_api.h"
++#endif
+ 
+ // Cgroup V2 Item Definition
+ #define CGROUP2_CPU_WEIGHT "cpu.weight"
+@@ -416,6 +420,7 @@ static int get_cgroup_mnt_and_root_v2(const char *subsystem, char **mountpoint,
+     return 0;
+ }
+ 
++#ifdef ENABLE_OOM_MONITOR
+ static bool oom_cb_cgroup_v2(int fd, void *cbdata)
+ {
+     const size_t events_size = sizeof(struct inotify_event) + NAME_MAX + 1;
+@@ -547,6 +552,7 @@ cleanup:
+     common_free_cgroup_oom_handler_info(info);
+     return NULL;
+ }
++#endif
+ 
+ int get_cgroup_version_v2()
+ {
+@@ -562,6 +568,8 @@ int cgroup_v2_ops_init(cgroup_ops *ops)
+     ops->get_cgroup_info = get_cgroup_info_v2;
+     ops->get_cgroup_metrics = get_cgroup_metrics_v2;
+     ops->get_cgroup_mnt_and_root_path = get_cgroup_mnt_and_root_v2;
++#ifdef ENABLE_OOM_MONITOR
+     ops->get_cgroup_oom_handler = get_cgroup_oom_handler_v2;
++#endif
+     return 0;
+ }
+\ No newline at end of file
+diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.cc b/src/daemon/common/cri/v1/v1_cri_helpers.cc
+index 478dd105..31b6b137 100644
+--- a/src/daemon/common/cri/v1/v1_cri_helpers.cc
++++ b/src/daemon/common/cri/v1/v1_cri_helpers.cc
+@@ -517,9 +517,11 @@ void UpdateBaseStatusFromInspect(
+         } else { // Case 3
+             state = runtime::v1::CONTAINER_CREATED;
+         }
++#ifdef ENABLE_OOM_MONITOR
+         if (inspect->state->oom_killed == true) {
+             reason = "OOMKilled";
+         }
++#endif
+         if (inspect->state->error != nullptr) {
+             message = inspect->state->error;
+         }
+diff --git a/src/daemon/modules/container/container_state.c b/src/daemon/modules/container/container_state.c
+index 452a2b26..f8ad0537 100644
+--- a/src/daemon/modules/container/container_state.c
++++ b/src/daemon/modules/container/container_state.c
+@@ -587,7 +587,9 @@ container_inspect_state *container_state_to_inspect_state(container_state_t *s)
+     state->running = s->state->running;
+     state->paused = s->state->paused;
+     state->restarting = s->state->restarting;
++#ifdef ENABLE_OOM_MONITOR
+     state->oom_killed = s->state->oom_killed;
++#endif
+     state->pid = s->state->pid;
+ 
+     state->exit_code = s->state->exit_code;
+diff --git a/src/daemon/modules/container/supervisor/supervisor.c b/src/daemon/modules/container/supervisor/supervisor.c
+index 39d9fdb8..294783eb 100644
+--- a/src/daemon/modules/container/supervisor/supervisor.c
++++ b/src/daemon/modules/container/supervisor/supervisor.c
+@@ -42,8 +42,10 @@
+ #ifdef ENABLE_CRI_API_V1
+ #include "sandbox_ops.h"
+ #endif
++#ifdef ENABLE_OOM_MONITOR
+ #include "cgroup.h"
+ #include "specs_api.h"
++#endif
+ 
+ pthread_mutex_t g_supervisor_lock = PTHREAD_MUTEX_INITIALIZER;
+ struct epoll_descr g_supervisor_descr;
+@@ -286,6 +288,7 @@ static int supervisor_exit_cb(int fd, uint32_t events, void *cbdata, struct epol
+     return EPOLL_LOOP_HANDLE_CONTINUE;
+ }
+ 
++#ifdef ENABLE_OOM_MONITOR
+ static int oom_handle_cb(int fd, uint32_t events, void *cbdata, struct epoll_descr *descr)
+ {
+     cgroup_oom_handler_info_t *oom_handler_info = (cgroup_oom_handler_info_t *)cbdata;
+@@ -305,6 +308,7 @@ static int oom_handle_cb(int fd, uint32_t events, void *cbdata, struct epoll_des
+ 
+     return EPOLL_LOOP_HANDLE_CONTINUE;
+ }
++#endif
+ 
+ /* supervisor add exit monitor */
+ int container_supervisor_add_exit_monitor(int fd, const char *exit_fifo, const pid_ppid_info_t *pid_info,
+@@ -312,8 +316,10 @@ int container_supervisor_add_exit_monitor(int fd, const char *exit_fifo, const p
+ {
+     int ret = 0;
+     struct supervisor_handler_data *data = NULL;
++#ifdef ENABLE_OOM_MONITOR
+     cgroup_oom_handler_info_t *oom_handler_info = NULL;
+     __isula_auto_free char *cgroup_path = NULL;
++#endif
+ 
+     if (fd < 0) {
+         ERROR("Invalid exit fifo fd");
+@@ -326,12 +332,14 @@ int container_supervisor_add_exit_monitor(int fd, const char *exit_fifo, const p
+         return -1;
+     }
+ 
++#ifdef ENABLE_OOM_MONITOR
+     cgroup_path = merge_container_cgroups_path(cont->common_config->id, cont->hostconfig);
+     if (cgroup_path == NULL) {
+         ERROR("Failed to get cgroup path");
+         close(fd);
+         return -1;
+     }
++#endif
+ 
+     data = util_common_calloc_s(sizeof(struct supervisor_handler_data));
+     if (data == NULL) {
+@@ -353,9 +361,12 @@ int container_supervisor_add_exit_monitor(int fd, const char *exit_fifo, const p
+     data->pid_info.start_time = pid_info->start_time;
+     data->pid_info.ppid = pid_info->ppid;
+     data->pid_info.pstart_time = pid_info->pstart_time;
++#ifdef ENABLE_OOM_MONITOR
+     oom_handler_info = common_get_cgroup_oom_handler(fd, cont->common_config->id, cgroup_path, exit_fifo);
++#endif
+ 
+     supervisor_handler_lock();
++#ifdef ENABLE_OOM_MONITOR
+     if (oom_handler_info != NULL) {
+         ret = epoll_loop_add_handler(&g_supervisor_descr, oom_handler_info->oom_event_fd, oom_handle_cb, oom_handler_info);
+         if (ret != 0) {
+@@ -363,6 +374,7 @@ int container_supervisor_add_exit_monitor(int fd, const char *exit_fifo, const p
+             goto err;
+         }
+     }
++#endif
+ 
+     ret = epoll_loop_add_handler(&g_supervisor_descr, fd, supervisor_exit_cb, data);
+     if (ret != 0) {
+@@ -374,7 +386,9 @@ int container_supervisor_add_exit_monitor(int fd, const char *exit_fifo, const p
+ 
+ err:
+     supervisor_handler_data_free(data);
++#ifdef ENABLE_OOM_MONITOR
+     common_free_cgroup_oom_handler_info(oom_handler_info);
++#endif
+ out:
+     supervisor_handler_unlock();
+     return ret;
+-- 
+2.25.1
+

0093-change-fork-process-exit-mode.patch

@@ -0,0 +1,64 @@
+From 0ff5a421e31096fbd10cf00c45a3849297023391 Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Thu, 23 May 2024 01:09:41 +1400
+Subject: [PATCH 093/108] change fork process exit mode
+
+---
+ src/utils/tar/util_archive.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
+index 52b51162..204dab83 100644
+--- a/src/utils/tar/util_archive.c
++++ b/src/utils/tar/util_archive.c
+@@ -897,9 +897,9 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co
+ 
+ child_out:
+         if (ret != 0) {
+-            exit(EXIT_FAILURE);
++            _exit(EXIT_FAILURE);
+         }
+-        exit(EXIT_SUCCESS);
++        _exit(EXIT_SUCCESS);
+     }
+     close(pipe_stderr[1]);
+     pipe_stderr[1] = -1;
+@@ -1342,9 +1342,9 @@ int archive_chroot_tar(const char *path, const char *file, const char *root_dir,
+ child_out:
+ 
+         if (ret != 0) {
+-            exit(EXIT_FAILURE);
++            _exit(EXIT_FAILURE);
+         } else {
+-            exit(EXIT_SUCCESS);
++            _exit(EXIT_SUCCESS);
+         }
+     }
+     close(pipe_for_read[1]);
+@@ -1577,9 +1577,9 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha
+ 
+ child_out:
+         if (ret != 0) {
+-            exit(EXIT_FAILURE);
++            _exit(EXIT_FAILURE);
+         }
+-        exit(EXIT_SUCCESS);
++        _exit(EXIT_SUCCESS);
+     }
+ 
+     close(pipe_stderr[1]);
+@@ -1727,9 +1727,9 @@ child_out:
+         free(tar_base_name);
+ 
+         if (ret != 0) {
+-            exit(EXIT_FAILURE);
++            _exit(EXIT_FAILURE);
+         } else {
+-            exit(EXIT_SUCCESS);
++            _exit(EXIT_SUCCESS);
+         }
+     }
+ 
+-- 
+2.25.1
+

0094-fix-error-log-for-verify_cpu_realtime.patch

@@ -0,0 +1,26 @@
+From 1671a136d1b7d209c453a8ad2b1bf062a3afbe09 Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Tue, 28 May 2024 17:23:45 +1400
+Subject: [PATCH 094/108] fix error log for verify_cpu_realtime
+
+Signed-off-by: zhongtao <zhongtao17@huawei.com>
+---
+ src/daemon/modules/spec/verify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c
+index 57e16ef9..1ce76c1d 100644
+--- a/src/daemon/modules/spec/verify.c
++++ b/src/daemon/modules/spec/verify.c
+@@ -390,7 +390,7 @@ static int verify_cpu_realtime(const sysinfo_t *sysinfo, int64_t realtime_period
+ 
+     if (realtime_runtime != 0 && !(sysinfo->cgcpuinfo.cpu_rt_runtime)) {
+         ERROR("Invalid --cpu-rt-runtime: Your kernel does not support cgroup rt runtime");
+-        isulad_set_error_message("Invalid --cpu-rt-period: Your kernel does not support cgroup rt runtime");
++        isulad_set_error_message("Invalid --cpu-rt-runtime: Your kernel does not support cgroup rt runtime");
+         ret = -1;
+         goto out;
+     }
+-- 
+2.25.1
+

0095-bugfix-change-max-network-name-len.patch

@@ -0,0 +1,54 @@
+From e2a7e6bfb0f0e97e5e1543fac7a5e0807fadaba0 Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Thu, 30 May 2024 16:50:56 +0800
+Subject: [PATCH 095/108] bugfix: change max network name len
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ docs/design/detailed/Network/native_network_adapter_design.md   | 2 +-
+ .../design/detailed/Network/native_network_adapter_design_zh.md | 2 +-
+ src/utils/cutils/utils.h                                        | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs/design/detailed/Network/native_network_adapter_design.md b/docs/design/detailed/Network/native_network_adapter_design.md
+index b58989eb..1010bd73 100644
+--- a/docs/design/detailed/Network/native_network_adapter_design.md
++++ b/docs/design/detailed/Network/native_network_adapter_design.md
+@@ -204,7 +204,7 @@ Client:
+ 1. Parse the parameters passed in by the user.
+ 2. Verify the incoming parameters, including:
+    - Only one network is allowed to be created at a time, that is, at most one name can be specified.
+-   - If name is specified, check whether the length of name exceeds MAX_NETWORK_NAME_LEN(128).
++   - If name is specified, check whether the length of name exceeds MAX_NETWORK_NAME_LEN(255).
+ 3. Send the request to the server
+ 
+ Server:
+diff --git a/docs/design/detailed/Network/native_network_adapter_design_zh.md b/docs/design/detailed/Network/native_network_adapter_design_zh.md
+index 30860f3d..62c4b6ef 100644
+--- a/docs/design/detailed/Network/native_network_adapter_design_zh.md
++++ b/docs/design/detailed/Network/native_network_adapter_design_zh.md
+@@ -204,7 +204,7 @@ int native_network_add_container_list(const char *network_name, const char *cont
+ 1. 解析用户传入的参数
+ 2. 对传入的参数进行校验，包括
+    - 每次只允许创建一个网络， 即最多指定一个name
+-   - 若指定name，检查name长度是否超过MAX_NETWORK_NAME_LEN(128)
++   - 若指定name，检查name长度是否超过MAX_NETWORK_NAME_LEN(255)
+ 3. 发送请求到服务端
+ 
+ 服务端：
+diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h
+index 3671272a..4417a165 100644
+--- a/src/utils/cutils/utils.h
++++ b/src/utils/cutils/utils.h
+@@ -99,7 +99,7 @@ int malloc_trim(size_t pad);
+ #define MAX_IMAGE_REF_LEN 384
+ #define MAX_CONTAINER_NAME_LEN 1024
+ #define MAX_RUNTIME_NAME_LEN 32
+-#define MAX_NETWORK_NAME_LEN 128
++#define MAX_NETWORK_NAME_LEN 255
+ 
+ #define LOGIN_USERNAME_LEN 255
+ #define LOGIN_PASSWORD_LEN 255
+-- 
+2.25.1
+

0096-del-useless-info.patch

@@ -0,0 +1,26 @@
+From b36cfa4325f43b3fa1468ba360b3d51f6ef1c3ca Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Thu, 30 May 2024 17:14:48 +0800
+Subject: [PATCH 096/108] del useless info
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ release_notes | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/release_notes b/release_notes
+index 2d564c7e..fdcd3690 100644
+--- a/release_notes
++++ b/release_notes
+@@ -72,7 +72,7 @@
+ 
+     dev stats:
+       - 357 files changed, 7886 insertions(+), 2849 deletions(-)
+-      - contributors: zhongtao, jikai, haozi007, jake, liuxu, xuxuepeng, zhangxiaoyu, sailorvii, chen524, dreamloy, l00804245, yangjiaqi
++      - contributors: zhongtao, jikai, haozi007, jake, liuxu, xuxuepeng, zhangxiaoyu, sailorvii, chen524, dreamloy, yangjiaqi
+ 
+ 2023-11-07 xuepengxu release 2.1.4
+     - !2238 modify the default value of EANBLE_IMAGE_LIBARAY to off * modify the default value of EANBLE_IMAGE_LIBARAY to off
+-- 
+2.25.1
+

0097-code-improve.patch

@@ -0,0 +1,83 @@
+From 2aa26649f20ae5992ace7bb8cb62a5ee9c3f7a81 Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Thu, 30 May 2024 21:30:43 +1400
+Subject: [PATCH 097/108] code improve
+
+Signed-off-by: zhongtao <zhongtao17@huawei.com>
+---
+ src/cmd/isula/volume/prune.c                             | 2 +-
+ src/cmd/options/opt_log.c                                | 2 +-
+ src/daemon/executor/container_cb/execution_extend.c      | 3 ++-
+ src/daemon/executor/container_cb/execution_information.c | 2 +-
+ src/daemon/modules/image/oci/registry_type.c             | 2 +-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/cmd/isula/volume/prune.c b/src/cmd/isula/volume/prune.c
+index c8d632ed..3b5bfbf1 100644
+--- a/src/cmd/isula/volume/prune.c
++++ b/src/cmd/isula/volume/prune.c
+@@ -79,7 +79,7 @@ out:
+ 
+ int cmd_volume_prune_main(int argc, const char **argv)
+ {
+-    int i = 0;
++    size_t i = 0;
+     struct isula_libutils_log_config lconf = { 0 };
+     int exit_code = 1;
+     command_t cmd;
+diff --git a/src/cmd/options/opt_log.c b/src/cmd/options/opt_log.c
+index b1abcfaf..8ffb9966 100644
+--- a/src/cmd/options/opt_log.c
++++ b/src/cmd/options/opt_log.c
+@@ -67,7 +67,7 @@ static int log_opt_syslog_facility(const char *key, const char *value, char **pa
+                                       "authpriv", "ftp",    "local0", "local1", "local2",
+                                       "local3",   "local4", "local5", "local6", "local7"
+                                     };
+-    int i;
++    size_t i;
+     size_t f_len = sizeof(facility_values) / sizeof(const char *);
+ 
+     for (i = 0; i < f_len; i++) {
+diff --git a/src/daemon/executor/container_cb/execution_extend.c b/src/daemon/executor/container_cb/execution_extend.c
+index 52401633..ed072848 100644
+--- a/src/daemon/executor/container_cb/execution_extend.c
++++ b/src/daemon/executor/container_cb/execution_extend.c
+@@ -990,7 +990,8 @@ out:
+ 
+ static int update_container_unified(const char *id, const host_config *hostconfig, host_config *chostconfig)
+ {
+-    int i, cgroup_version;
++    int cgroup_version;
++    size_t i;
+ 
+     if (hostconfig->unified == NULL || hostconfig->unified->len == 0) {
+         return 0;
+diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c
+index 58924257..4aee3aef 100644
+--- a/src/daemon/executor/container_cb/execution_information.c
++++ b/src/daemon/executor/container_cb/execution_information.c
+@@ -244,7 +244,7 @@ static int get_proxy_env(char **proxy, const char *type)
+     }
+     *col_pos = '\0';
+     nret = snprintf(*proxy, proxy_len, "%s:%s%s", tmp_proxy, mask_str, at_pos);
+-    if (nret < 0 || nret >= proxy_len) {
++    if (nret < 0 || (size_t)nret >= proxy_len) {
+         ret = -1;
+         free(*proxy);
+         *proxy = NULL;
+diff --git a/src/daemon/modules/image/oci/registry_type.c b/src/daemon/modules/image/oci/registry_type.c
+index 6c9ff747..7a2c25ed 100644
+--- a/src/daemon/modules/image/oci/registry_type.c
++++ b/src/daemon/modules/image/oci/registry_type.c
+@@ -59,7 +59,7 @@ void free_layer_blob(layer_blob *layer)
+ 
+ void free_pull_desc(pull_descriptor *desc)
+ {
+-    int i = 0;
++    size_t i = 0;
+ 
+     if (desc == NULL) {
+         return;
+-- 
+2.25.1
+

0098-cdi-add-debug-info.patch

@@ -0,0 +1,33 @@
+From 5a5f4879246783932ab620b2461a7cd832ddc1f0 Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Fri, 31 May 2024 16:38:26 +0800
+Subject: [PATCH 098/108] cdi:add debug info
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ src/daemon/modules/device/cdi/cdi_cache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/daemon/modules/device/cdi/cdi_cache.c b/src/daemon/modules/device/cdi/cdi_cache.c
+index e9a9b804..cd7158dd 100644
+--- a/src/daemon/modules/device/cdi/cdi_cache.c
++++ b/src/daemon/modules/device/cdi/cdi_cache.c
+@@ -306,6 +306,7 @@ static void refresh_scan_spec_func(struct cdi_scan_fn_maps *scan_fn_maps, const
+             ERROR("Failed to insert device to devices by name %s", qualified);
+             goto error_out;
+         }
++        DEBUG("Add device %s into memory", qualified);
+         free(qualified);
+         qualified = NULL;
+     }
+@@ -445,6 +446,7 @@ static int cdi_inject_devices(struct cdi_cache *c, oci_runtime_spec *oci_spec, s
+ 
+     for (i = 0; i < devices->len; i++) {
+         device = devices->items[i];
++        DEBUG("Search cdi devices %s.", device);
+         d = map_search(c->devices, (void *)device);
+         if (d == NULL) {
+             if (util_append_string_array(unresolved, device) != 0) {
+-- 
+2.25.1
+

0099-bugfix-cni-network-name-UT.patch

@@ -0,0 +1,28 @@
+From 4a98535064319a9df3143d9c4b397f44fbbb56c5 Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Mon, 3 Jun 2024 16:11:06 +0800
+Subject: [PATCH 099/108] bugfix:cni network name UT
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ test/cutils/utils_network/utils_network_ut.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/cutils/utils_network/utils_network_ut.cc b/test/cutils/utils_network/utils_network_ut.cc
+index 33eb6eb5..68f6f011 100644
+--- a/test/cutils/utils_network/utils_network_ut.cc
++++ b/test/cutils/utils_network/utils_network_ut.cc
+@@ -344,8 +344,8 @@ TEST(utils_network, test_net_contain_ip)
+ TEST(utils_network, test_validate_network_name)
+ {
+     ASSERT_EQ(util_validate_network_name(nullptr), false);
+-    ASSERT_EQ(util_validate_network_name(std::string(128, 'a').c_str()), true);
+-    ASSERT_EQ(util_validate_network_name(std::string(129, 'a').c_str()), false);
++    ASSERT_EQ(util_validate_network_name(std::string(255, 'a').c_str()), true);
++    ASSERT_EQ(util_validate_network_name(std::string(256, 'a').c_str()), false);
+     ASSERT_EQ(util_validate_network_name(std::string(".abce").c_str()), false);
+ }
+ 
+-- 
+2.25.1
+

0100-bugfix-malloc-right-type-size.patch

@@ -0,0 +1,40 @@
+From 7bf26415fcba090e281324ba92f7d7e6487b94fc Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Tue, 4 Jun 2024 16:30:19 +0800
+Subject: [PATCH 100/108] bugfix:malloc right type size
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ src/client/connect/rest/rest_volumes_client.c | 2 +-
+ src/daemon/modules/service/service_network.c  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/client/connect/rest/rest_volumes_client.c b/src/client/connect/rest/rest_volumes_client.c
+index 88254e6c..2327c28e 100644
+--- a/src/client/connect/rest/rest_volumes_client.c
++++ b/src/client/connect/rest/rest_volumes_client.c
+@@ -251,7 +251,7 @@ static int prune_request_to_rest(const struct isula_prune_volume_request *reques
+     parser_error err = NULL;
+     int ret = 0;
+ 
+-    nrequest = util_common_calloc_s(sizeof(volume_list_volume_request));
++    nrequest = util_common_calloc_s(sizeof(volume_prune_volume_request));
+     if (nrequest == NULL) {
+         ERROR("Out of memory");
+         return -1;
+diff --git a/src/daemon/modules/service/service_network.c b/src/daemon/modules/service/service_network.c
+index 6754cf1a..fe6dbf1d 100644
+--- a/src/daemon/modules/service/service_network.c
++++ b/src/daemon/modules/service/service_network.c
+@@ -74,7 +74,7 @@ static struct attach_net_conf_list *build_attach_networks(const defs_map_string_
+         return NULL;
+     }
+ 
+-    list = (struct attach_net_conf_list *)util_common_calloc_s(sizeof(struct attach_net_conf));
++    list = (struct attach_net_conf_list *)util_common_calloc_s(sizeof(struct attach_net_conf_list));
+     if (list == NULL) {
+         ERROR("Out of memory");
+         return NULL;
+-- 
+2.25.1
+

0101-use-isula_clean_path-rather-than-realpath.patch

@@ -0,0 +1,26 @@
+From 60a2b15e0090018b7850b37369964bf62e253419 Mon Sep 17 00:00:00 2001
+From: jikai <jikai11@huawei.com>
+Date: Wed, 5 Jun 2024 02:07:23 +0000
+Subject: [PATCH 101/108] use isula_clean_path rather than realpath
+
+Signed-off-by: jikai <jikai11@huawei.com>
+---
+ src/cmd/isulad-shim/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c
+index 18fae03f..dd41c77f 100644
+--- a/src/cmd/isulad-shim/process.c
++++ b/src/cmd/isulad-shim/process.c
+@@ -489,7 +489,7 @@ static bool attach_fifopath_security_check(process_t *p, const char *fifopath)
+         return false;
+     }
+ 
+-    if (realpath(fifopath, real_path) == NULL) {
++    if (isula_clean_path(fifopath, real_path, sizeof(real_path)) == NULL) {
+         ERROR("Failed to get realpath for '%s': %d.", real_path, SHIM_SYS_ERR(errno));
+         return false;
+     }
+-- 
+2.25.1
+

0102-fix-false-engine-rootpath-reference.patch

@@ -0,0 +1,32 @@
+From fa25a8923e47ed6b65e0bcd08954589f5b26092c Mon Sep 17 00:00:00 2001
+From: jikai <jikai11@huawei.com>
+Date: Wed, 5 Jun 2024 02:10:48 +0000
+Subject: [PATCH 102/108] fix false engine rootpath reference
+
+Signed-off-by: jikai <jikai11@huawei.com>
+---
+ src/daemon/config/isulad_config.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c
+index 80689bce..d7b54498 100644
+--- a/src/daemon/config/isulad_config.c
++++ b/src/daemon/config/isulad_config.c
+@@ -398,12 +398,12 @@ char *conf_get_sandbox_rootpath(void)
+         ERROR("Get rootpath failed");
+         return epath;
+     }
+-    if (strlen(rootpath) > (PATH_MAX - strlen(ENGINE_ROOTPATH_NAME)) - 2) {
++    if (strlen(rootpath) > (PATH_MAX - strlen(SANDBOX_ROOTPATH_NAME)) - 2) {
+         ERROR("Root path is too long");
+         return epath;
+     }
+     // rootpath + "/" + SANDBOX_ROOTPATH_NAME + "/0"
+-    len = strlen(rootpath) + 1 + strlen(ENGINE_ROOTPATH_NAME) + 1;
++    len = strlen(rootpath) + 1 + strlen(SANDBOX_ROOTPATH_NAME) + 1;
+     epath = util_smart_calloc_s(sizeof(char), len);
+     if (epath == NULL) {
+         ERROR("Out of memory");
+-- 
+2.25.1
+

0103-bugfix-add-note.patch

@@ -0,0 +1,25 @@
+From 8eea40e09aa34da85cfa191f07cfe7e123c9809d Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Wed, 5 Jun 2024 10:18:06 +0800
+Subject: [PATCH 103/108] bugfix:add note
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ src/utils/cutils/utils_array.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/utils/cutils/utils_array.h b/src/utils/cutils/utils_array.h
+index 0c4fd217..553c2c13 100644
+--- a/src/utils/cutils/utils_array.h
++++ b/src/utils/cutils/utils_array.h
+@@ -30,6 +30,7 @@ void util_free_array_by_len(char **array, size_t len);
+ 
+ void util_free_array(char **array);
+ 
++// this function just copies the first len elements of array and does not automatically add NULL element in the end.
+ char **util_copy_array_by_len(char **array, size_t len);
+ 
+ int util_grow_array(char ***orig_array, size_t *orig_capacity, size_t size,
+-- 
+2.25.1
+

0104-bugfix-adapt-network-name-max-len.patch

@@ -0,0 +1,64 @@
+From 174f7d9d959bd129675651ccf7ef460794188b63 Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Wed, 5 Jun 2024 10:40:22 +0800
+Subject: [PATCH 104/108] bugfix:adapt network name max len
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ CI/test_cases/network_cases/network_create.sh | 5 +++--
+ src/utils/cutils/utils.h                      | 7 ++++++-
+ test/cutils/utils_network/utils_network_ut.cc | 4 ++--
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/CI/test_cases/network_cases/network_create.sh b/CI/test_cases/network_cases/network_create.sh
+index 3107da12..da54fdd0 100755
+--- a/CI/test_cases/network_cases/network_create.sh
++++ b/CI/test_cases/network_cases/network_create.sh
+@@ -33,8 +33,9 @@ function test_network_create()
+     local name1="cni1"
+     local name2="cni2"
+     local name3="a"
+-    for i in $(seq 1 7);do
+-        name3=${name3}${name3}
++    local basechar="a"
++    for i in $(seq 1 199);do
++        name3=${name3}${basechar}
+     done
+     local name4=${name3}b
+     local invalid_name=".xx"
+diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h
+index 4417a165..ce0ca703 100644
+--- a/src/utils/cutils/utils.h
++++ b/src/utils/cutils/utils.h
+@@ -99,7 +99,12 @@ int malloc_trim(size_t pad);
+ #define MAX_IMAGE_REF_LEN 384
+ #define MAX_CONTAINER_NAME_LEN 1024
+ #define MAX_RUNTIME_NAME_LEN 32
+-#define MAX_NETWORK_NAME_LEN 255
++/* 
++ * Linux limits the length of the file name to 255,
++ * isulad will create file by name "${ISULAD_CNI_NETWORK_CONF_FILE_PRE}${network_name}.conflist"
++ * when create native network,so we limit the length of the network name to 200.
++ */
++#define MAX_NETWORK_NAME_LEN 200
+ 
+ #define LOGIN_USERNAME_LEN 255
+ #define LOGIN_PASSWORD_LEN 255
+diff --git a/test/cutils/utils_network/utils_network_ut.cc b/test/cutils/utils_network/utils_network_ut.cc
+index 68f6f011..be85e398 100644
+--- a/test/cutils/utils_network/utils_network_ut.cc
++++ b/test/cutils/utils_network/utils_network_ut.cc
+@@ -344,8 +344,8 @@ TEST(utils_network, test_net_contain_ip)
+ TEST(utils_network, test_validate_network_name)
+ {
+     ASSERT_EQ(util_validate_network_name(nullptr), false);
+-    ASSERT_EQ(util_validate_network_name(std::string(255, 'a').c_str()), true);
+-    ASSERT_EQ(util_validate_network_name(std::string(256, 'a').c_str()), false);
++    ASSERT_EQ(util_validate_network_name(std::string(200, 'a').c_str()), true);
++    ASSERT_EQ(util_validate_network_name(std::string(201, 'a').c_str()), false);
+     ASSERT_EQ(util_validate_network_name(std::string(".abce").c_str()), false);
+ }
+ 
+-- 
+2.25.1
+

0105-start-sandbox-before-setup-network-by-default.patch

@@ -0,0 +1,140 @@
+From e6b3528acff10fb2bc62e2da0c3754f1e36cbd54 Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Wed, 5 Jun 2024 10:04:59 +0800
+Subject: [PATCH 105/108] start sandbox before setup network by default
+
+Signed-off-by: zhongtao <zhongtao17@huawei.com>
+---
+ src/daemon/common/cri/cri_helpers.cc          | 12 +++++++
+ src/daemon/common/cri/cri_helpers.h           |  3 ++
+ .../cri_pod_sandbox_manager_service.cc        | 34 +++++++++++++------
+ src/daemon/modules/spec/specs.c               |  2 +-
+ src/utils/cutils/utils_file.c                 |  2 +-
+ 5 files changed, 41 insertions(+), 12 deletions(-)
+
+diff --git a/src/daemon/common/cri/cri_helpers.cc b/src/daemon/common/cri/cri_helpers.cc
+index 68d569cc..8117403c 100644
+--- a/src/daemon/common/cri/cri_helpers.cc
++++ b/src/daemon/common/cri/cri_helpers.cc
+@@ -47,6 +47,8 @@ const std::string Constants::DOCKER_IMAGEID_PREFIX { "docker://" };
+ const std::string Constants::DOCKER_PULLABLE_IMAGEID_PREFIX { "docker-pullable://" };
+ const std::string Constants::RUNTIME_READY { "RuntimeReady" };
+ const std::string Constants::NETWORK_READY { "NetworkReady" };
++// Kata 2.x need create network namespace and setup network befoce run podsandbox
++const std::string Constants::NETWORK_SETUP_ANNOTATION_KEY { "cri.sandbox.network.setup.v2" };
+ const std::string Constants::POD_CHECKPOINT_KEY { "cri.sandbox.isulad.checkpoint" };
+ const std::string Constants::CONTAINER_TYPE_ANNOTATION_KEY { "io.kubernetes.cri.container-type" };
+ const std::string Constants::CONTAINER_NAME_ANNOTATION_KEY { "io.kubernetes.cri.container-name" };
+@@ -1140,4 +1142,14 @@ auto GetPodSELinuxLabelOpts(const std::string &selinuxLabel, Errors &error)
+     return fmtiSuladOpts(selinuxOpts, securityOptSep);
+ }
+ 
++bool SetupNetworkFirst(const std::map<std::string, std::string> &annotations)
++{
++    auto iter = annotations.find(CRIHelpers::Constants::NETWORK_SETUP_ANNOTATION_KEY);
++    if (iter == annotations.end()) {
++        return false;
++    }
++
++    return iter->second == std::string("true");
++}
++
+ } // namespace CRIHelpers
+diff --git a/src/daemon/common/cri/cri_helpers.h b/src/daemon/common/cri/cri_helpers.h
+index 5c450b32..11a80b45 100644
+--- a/src/daemon/common/cri/cri_helpers.h
++++ b/src/daemon/common/cri/cri_helpers.h
+@@ -49,6 +49,7 @@ public:
+     static const std::string DOCKER_PULLABLE_IMAGEID_PREFIX;
+     static const std::string RUNTIME_READY;
+     static const std::string NETWORK_READY;
++    static const std::string NETWORK_SETUP_ANNOTATION_KEY;
+     static const std::string POD_CHECKPOINT_KEY;
+     static const size_t MAX_CHECKPOINT_KEY_LEN { 250 };
+     static const std::string CONTAINER_TYPE_ANNOTATION_KEY;
+@@ -151,6 +152,8 @@ auto GetPodSELinuxLabelOpts(const std::string &selinuxLabel, Errors &error) -> s
+ auto GetlegacySeccompiSuladOpts(const std::string &seccompProfile, Errors &error) -> std::vector<iSuladOpt>;
+ 
+ auto GetSeccompiSuladOptsByPath(const char *dstpath, Errors &error) -> std::vector<iSuladOpt>;
++
++bool SetupNetworkFirst(const std::map<std::string, std::string> &annotations);
+ }; // namespace CRIHelpers
+ 
+ #endif // DAEMON_ENTRY_CRI_CRI_HELPERS_H
+diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
+index af6b5fff..f852f4df 100644
+--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
++++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
+@@ -655,19 +655,33 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1alpha2::PodSandbox
+         }
+     }
+ 
+-    // Step 7: Setup networking for the sandbox.
+-    SetupSandboxNetwork(config, response_id, inspect_data, networkOptions, stdAnnos, network_setting_json, error);
+-    if (error.NotEmpty()) {
+-        goto cleanup_ns;
+-    }
++    // Step 7: According to the annotation and network namespace mode,
++    //         determine the order of start sandbox and setup network.
++    if (CRIHelpers::SetupNetworkFirst(stdAnnos)) {
++        // Step 7.1: Setup networking for the sandbox, and then start the sandbox container.
++        SetupSandboxNetwork(config, response_id, inspect_data, networkOptions, stdAnnos, network_setting_json, error);
++        if (error.NotEmpty()) {
++            goto cleanup_ns;
++        }
+ 
+-    // Step 8: Start the sandbox container.
+-    StartSandboxContainer(response_id, error);
+-    if (error.NotEmpty()) {
+-        goto cleanup_network;
++        StartSandboxContainer(response_id, error);
++        if (error.NotEmpty()) {
++            goto cleanup_network;
++        }
++    } else {
++        // Step 7.2: (Default)Start the sandbox container, and then setup networking for the sandbox.
++        StartSandboxContainer(response_id, error);
++        if (error.NotEmpty()) {
++            goto cleanup_ns;
++        }
++
++        SetupSandboxNetwork(config, response_id, inspect_data, networkOptions, stdAnnos, network_setting_json, error);
++        if (error.NotEmpty()) {
++            goto cleanup_ns;
++        }
+     }
+ 
+-    // Step 9: Save network settings json to disk
++    // Step 8: Save network settings json to disk
+     if (namespace_is_cni(inspect_data->host_config->network_mode)) {
+         Errors tmpErr;
+         UpdatePodSandboxNetworkSettings(response_id, network_setting_json, tmpErr);
+diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
+index 122f9992..f0538e26 100644
+--- a/src/daemon/modules/spec/specs.c
++++ b/src/daemon/modules/spec/specs.c
+@@ -1601,7 +1601,7 @@ static int merge_share_network_namespace(const oci_runtime_spec *oci_spec, const
+     int ret = 0;
+     char *ns_path = NULL;
+ 
+-    if (host_spec->network_mode == NULL) {
++    if (host_spec->network_mode == NULL || strlen(host_spec->network_mode) == 0) {
+         return 0;
+     }
+ 
+diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
+index 6fc6852d..90bb156f 100644
+--- a/src/utils/cutils/utils_file.c
++++ b/src/utils/cutils/utils_file.c
+@@ -85,7 +85,7 @@ bool util_file_exists(const char *f)
+     struct stat buf;
+     int nret;
+ 
+-    if (f == NULL) {
++    if (f == NULL || strlen(f) == 0) {
+         return false;
+     }
+ 
+-- 
+2.25.1
+

0106-Revert-use-isula_clean_path-rather-than-realpath.patch

@@ -0,0 +1,28 @@
+From f690c9a2dff298b41dc607e4ea6dd09113a322fb Mon Sep 17 00:00:00 2001
+From: jikai <jikai11@huawei.com>
+Date: Thu, 6 Jun 2024 02:13:36 +0000
+Subject: [PATCH 106/108] Revert "use isula_clean_path rather than realpath"
+
+This reverts commit 60a2b15e0090018b7850b37369964bf62e253419.
+
+Signed-off-by: jikai <jikai11@huawei.com>
+---
+ src/cmd/isulad-shim/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c
+index dd41c77f..18fae03f 100644
+--- a/src/cmd/isulad-shim/process.c
++++ b/src/cmd/isulad-shim/process.c
+@@ -489,7 +489,7 @@ static bool attach_fifopath_security_check(process_t *p, const char *fifopath)
+         return false;
+     }
+ 
+-    if (isula_clean_path(fifopath, real_path, sizeof(real_path)) == NULL) {
++    if (realpath(fifopath, real_path) == NULL) {
+         ERROR("Failed to get realpath for '%s': %d.", real_path, SHIM_SYS_ERR(errno));
+         return false;
+     }
+-- 
+2.25.1
+

0107-bugfix-for-start-sandbox-before-setup-network-by-def.patch

@@ -0,0 +1,28 @@
+From 63f4f9bc9c36825d85a14f6a33102194d30e12a7 Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Fri, 7 Jun 2024 02:24:49 +1400
+Subject: [PATCH 107/108] bugfix for start sandbox before setup network by
+ default
+
+Signed-off-by: zhongtao <zhongtao17@huawei.com>
+---
+ .../entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc       | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
+index f852f4df..bc3f4031 100644
+--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
++++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
+@@ -677,6 +677,9 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1alpha2::PodSandbox
+ 
+         SetupSandboxNetwork(config, response_id, inspect_data, networkOptions, stdAnnos, network_setting_json, error);
+         if (error.NotEmpty()) {
++            Errors stopError;
++            StopContainerHelper(response_id, stopError);
++            WARN("Error stop container: %s: %s", response_id.c_str(), stopError.GetCMessage());
+             goto cleanup_ns;
+         }
+     }
+-- 
+2.25.1
+

0108-skip-test-rely-on-docker.io.patch

@@ -0,0 +1,59 @@
+From d3e7b0b0d19ca4937716d835e3627714157d6cc3 Mon Sep 17 00:00:00 2001
+From: zhongtao <zhongtao17@huawei.com>
+Date: Tue, 11 Jun 2024 17:14:58 +0800
+Subject: [PATCH 108/108] skip test rely on docker.io
+
+Signed-off-by: zhongtao <zhongtao17@huawei.com>
+---
+ CI/test_cases/image_cases/image_search.sh      | 4 +++-
+ CI/test_cases/image_cases/integration_check.sh | 2 +-
+ CI/test_cases/image_cases/registry.sh          | 5 +++--
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/CI/test_cases/image_cases/image_search.sh b/CI/test_cases/image_cases/image_search.sh
+index 11af02f1..4bf0e099 100755
+--- a/CI/test_cases/image_cases/image_search.sh
++++ b/CI/test_cases/image_cases/image_search.sh
+@@ -76,7 +76,9 @@ function test_image_search()
+ 
+ declare -i ans=0
+ 
+-test_image_search || ((ans++))
++# unable to pull image from docker.io without agent, skip this test
++# registry API v1 is not implemented in https://3laho3y3.mirror.aliyuncs.com and isula search cannot be tested
++# test_image_search || ((ans++))
+ 
+ show_result ${ans} "${curr_path}/${0}"
+ 
+diff --git a/CI/test_cases/image_cases/integration_check.sh b/CI/test_cases/image_cases/integration_check.sh
+index 6ec3ab52..f340348d 100755
+--- a/CI/test_cases/image_cases/integration_check.sh
++++ b/CI/test_cases/image_cases/integration_check.sh
+@@ -27,7 +27,7 @@ image="busybox"
+ function test_image_info()
+ {
+   local ret=0
+-  local uimage="docker.io/library/nats"
++  local uimage="nats"
+   local test="list && inspect image info test => (${FUNCNAME[@]})"
+   local lid
+   local cid
+diff --git a/CI/test_cases/image_cases/registry.sh b/CI/test_cases/image_cases/registry.sh
+index e33983d6..7ea9a0c5 100755
+--- a/CI/test_cases/image_cases/registry.sh
++++ b/CI/test_cases/image_cases/registry.sh
+@@ -74,8 +74,9 @@ function isula_pull()
+     isula run --rm -ti busybox echo hello 2>&1 | grep pulling
+     [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - --pull missing failed" && ((ret++))
+ 
+-    isula pull docker.io/library/busybox:latest
+-    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - --pull docker.io/library/busybox:latest failed" && ((ret++))
++    # Unable to pull image from docker.io without agent, skip this test
++    # isula pull docker.io/library/busybox:latest
++    # [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - --pull docker.io/library/busybox:latest failed" && ((ret++))
+ 
+     isula pull 3laho3y3.mirror.aliyuncs.com/library/busybox
+     fn_check_eq "$?" "0" "isula pull 3laho3y3.mirror.aliyuncs.com/library/busybox"
+-- 
+2.25.1
+

iSulad.spec

@@ -1,5 +1,5 @@
 %global _version 2.1.5
-%global _release 9
+%global _release 10
 %global is_systemd 1
 %global enable_criv1 1
 %global enable_cdi 1
@@ -101,6 +101,29 @@ Patch0082:	0082-fix-shim-controller-set-incorrect-sandbox-status-sta.patch
 Patch0083:	0083-fix-bug-for-invalid-env-write.patch
 Patch0084:	0084-trim-key-value-for-env.patch
 Patch0085:	0085-cdi-allow-env-variable-has-an-empty-value.patch
+Patch0086:	0086-cdi-test-case-and-gateway.patch
+Patch0087:	0087-code-improve.patch
+Patch0088:	0088-testcase-close-cdi-testcase.patch
+Patch0089:	0089-docs-update-cni-doc.patch
+Patch0090:	0090-modify-the-user-error-log-to-be-the-same-as-before.patch
+Patch0091:	0091-add-enable-cri-v1-in-k8s-integration.patch
+Patch0092:	0092-isolate-oom-monitor-codes.patch
+Patch0093:	0093-change-fork-process-exit-mode.patch
+Patch0094:	0094-fix-error-log-for-verify_cpu_realtime.patch
+Patch0095:	0095-bugfix-change-max-network-name-len.patch
+Patch0096:	0096-del-useless-info.patch
+Patch0097:	0097-code-improve.patch
+Patch0098:	0098-cdi-add-debug-info.patch
+Patch0099:	0099-bugfix-cni-network-name-UT.patch
+Patch0100:	0100-bugfix-malloc-right-type-size.patch
+Patch0101:	0101-use-isula_clean_path-rather-than-realpath.patch
+Patch0102:	0102-fix-false-engine-rootpath-reference.patch
+Patch0103:	0103-bugfix-add-note.patch
+Patch0104:	0104-bugfix-adapt-network-name-max-len.patch
+Patch0105:	0105-start-sandbox-before-setup-network-by-default.patch
+Patch0106:	0106-Revert-use-isula_clean_path-rather-than-realpath.patch
+Patch0107:	0107-bugfix-for-start-sandbox-before-setup-network-by-def.patch
+Patch0108:	0108-skip-test-rely-on-docker.io.patch
 
 %ifarch x86_64 aarch64
 Provides:       libhttpclient.so()(64bit)
@@ -357,6 +380,12 @@ fi
 %endif
 
 %changelog
+* Tue Jun 11 2024 zhongtao <zhongtao17@huawei.com> - 2.1.5-10
+- Type: update
+- ID: NA
+- SUG: NA
+- DESC: code improve and bugfix
+
 * Sat May 11 2024 liuxu <liuxu156@huawei.com> - 2.1.5-9
 - Type: update
 - ID: NA