Merge pull request #249 from xibz/enable_jailer_runc

Adding runc jailing

Author: xibz

.gitignore

@@ -1,3 +1,4 @@
 .idea/
 bin/
+runtime/logs
 *stamp

examples/etc/containerd/firecracker-runtime.json

@@ -5,5 +5,8 @@
   "root_drive": "/var/lib/firecracker-containerd/runtime/default-rootfs.img",
   "cpu_count": 1,
   "cpu_template": "T2",
-  "log_level": "Debug"
+  "log_level": "Debug",
+  "jailer": {
+    "runc_binary_path": "/usr/local/bin/runc"
+  }
 }

proto/firecracker.pb.go

@@ -32,6 +32,8 @@ message CreateVMRequest {
 
     // Whether the VM should exit after all tasks running in it have been deleted.
     bool ExitAfterAllTasksDeleted = 9;
+
+    JailerConfig JailerConfig = 10;
 }
 
 message StopVMRequest {
@@ -54,4 +56,7 @@ message GetVMInfoResponse {
 message SetVMMetadataRequest {
     string VMID = 1;
     string Metadata = 2;
-}
+}
+
+message JailerConfig {
+}

proto/firecracker.proto

@@ -47,11 +47,17 @@ type Config struct {
 	LogLevel              string `json:"log_level"`
 	HtEnabled             bool   `json:"ht_enabled"`
 	Debug                 bool   `json:"debug"`
-
 	// If a CreateVM call specifies no network interfaces and DefaultNetworkInterfaces is non-empty,
 	// the VM will default to using the network interfaces as specified here. This is especially
 	// useful when a CNI-based network interface is provided in DefaultNetworkInterfaces.
 	DefaultNetworkInterfaces []proto.FirecrackerNetworkInterface `json:"default_network_interfaces"`
+	JailerConfig             JailerConfig                        `json:"jailer"`
+}
+
+// JailerConfig houses a set of configurable values for jailing
+// TODO: Add netns field
+type JailerConfig struct {
+	RuncBinaryPath string `json:"runc_binary_path"`
 }
 
 // LoadConfig loads configuration from JSON file at 'path'
@@ -76,6 +82,7 @@ func LoadConfig(path string) (*Config, error) {
 		CPUCount:        defaultCPUCount,
 		CPUTemplate:     string(defaultCPUTemplate),
 	}
+
 	if err := json.Unmarshal(data, cfg); err != nil {
 		return nil, errors.Wrapf(err, "failed to unmarshal config from %q", path)
 	}

runtime/config.go

@@ -51,7 +51,10 @@ type stubDriveHandler struct {
 	mutex          sync.Mutex
 }
 
-func newStubDriveHandler(path string, logger *logrus.Entry, count int) (*stubDriveHandler, error) {
+// stubDrivesOpt is used to make and modify changes to the stub drives.
+type stubDrivesOpt func(stubDrives []models.Drive) error
+
+func newStubDriveHandler(path string, logger *logrus.Entry, count int, opts ...stubDrivesOpt) (*stubDriveHandler, error) {
 	h := stubDriveHandler{
 		RootPath: path,
 		logger:   logger,
@@ -60,6 +63,13 @@ func newStubDriveHandler(path string, logger *logrus.Entry, count int) (*stubDri
 	if err != nil {
 		return nil, err
 	}
+
+	for _, opt := range opts {
+		if err := opt(drives); err != nil {
+			h.logger.WithError(err).Debug("failed to apply option to stub drives")
+			return nil, err
+		}
+	}
 	h.drives = drives
 	return &h, nil
 }

runtime/drive_handler.go

@@ -0,0 +1,130 @@
+{
+    "ociVersion": "1.0.1",
+    "process": {
+        "terminal": false,
+        "user": {
+            "uid": 0,
+            "gid": 0
+        },
+        "args": [
+            "/firecracker",
+            "--api-sock",
+            "api.socket"
+        ],
+        "env": [
+            "PATH=/"
+        ],
+        "cwd": "/",
+        "capabilities": {
+            "effective": [
+            ],
+            "bounding": [
+            ],
+            "inheritable": [
+            ],
+            "permitted": [
+            ],
+            "ambient": [
+            ]
+        },
+        "rlimits": [
+            {
+                "type": "RLIMIT_NOFILE",
+                "hard": 1024,
+                "soft": 1024
+            }
+        ],
+        "noNewPrivileges": true
+    },
+    "root": {
+        "path": "rootfs",
+        "readonly": false
+    },
+    "hostname": "runc",
+    "mounts": [
+        {
+            "destination": "/proc",
+            "type": "proc",
+            "source": "proc"
+        }
+    ],
+    "linux": {
+        "devices": [
+            {
+               "path": "/dev/kvm",
+               "type": "c",
+               "major": 10,
+               "minor": 232,
+               "fileMode": 438,
+               "uid": 0,
+               "gid": 0
+            },
+            {
+               "path": "/dev/net/tun",
+               "type": "c",
+               "major": 10,
+               "minor": 200,
+               "fileMode": 438,
+               "uid": 0,
+               "gid": 0
+            }
+        ],
+        "resources": {
+            "devices": [
+                {
+                    "allow": false,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+                    "major": 10,
+                    "minor": 232,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+                    "major": 10,
+                    "minor": 200,
+                    "access": "rwm"
+                }
+            ]
+        },
+        "namespaces": [
+            {
+                "type": "cgroup"
+            },
+            {
+                "type": "pid"
+            },
+            {
+                "type": "network"
+            },
+            {
+                "type": "ipc"
+            },
+            {
+                "type": "uts"
+            },
+            {
+                "type": "mount"
+            }
+        ],
+        "maskedPaths": [
+            "/proc/asound",
+            "/proc/kcore",
+            "/proc/latency_stats",
+            "/proc/timer_list",
+            "/proc/timer_stats",
+            "/proc/sched_debug",
+            "/sys/firmware",
+            "/proc/scsi"
+        ],
+        "readonlyPaths": [
+            "/proc/bus",
+            "/proc/fs",
+            "/proc/irq",
+            "/proc/sys",
+            "/proc/sysrq-trigger"
+        ]
+    }
+}