This commit should be squashed

Provides shim context to runc jailer and clears up some documentation

Signed-off-by: xibz <[email protected]>

Author: xibz

runtime/jailer.go

@@ -72,5 +72,5 @@ func newJailer(
 	}
 
 	l := logger.WithField("jailer", "runc")
-	return newRuncJailer(l, ociBundlePath, service.config.JailerConfig.RuncBinaryPath, jailerUID, jailerGID)
+	return newRuncJailer(ctx, l, ociBundlePath, service.config.JailerConfig.RuncBinaryPath, jailerUID, jailerGID)
 }

runtime/runc_jailer.go

@@ -36,6 +36,7 @@ import (
 
 // runcJailer uses runc to set up a jailed environment for the Firecracker VM.
 type runcJailer struct {
+	ctx    context.Context
 	logger *logrus.Entry
 	// ociBundlePath is the path that will be used to create an OCI bundle,
 	// https://github.com/opencontainers/runtime-spec/blob/master/bundle.md
@@ -46,11 +47,12 @@ type runcJailer struct {
 	gid            uint32
 }
 
-func newRuncJailer(logger *logrus.Entry, ociBundlePath, runcBinPath string, uid, gid uint32) (*runcJailer, error) {
+func newRuncJailer(ctx context.Context, logger *logrus.Entry, ociBundlePath, runcBinPath string, uid, gid uint32) (*runcJailer, error) {
 	l := logger.WithField("ociBundlePath", ociBundlePath).
 		WithField("runcBinaryPath", runcBinPath)
 
 	j := &runcJailer{
+		ctx:            ctx,
 		logger:         l,
 		ociBundlePath:  ociBundlePath,
 		runcBinaryPath: runcBinPath,
@@ -141,7 +143,7 @@ func (j *runcJailer) BuildJailedRootHandler(cfg *Config, socketPath *string, vmI
 			if err := copyFile(
 				cfg.FirecrackerBinaryPath,
 				newFirecrackerBinPath,
-				0700,
+				0500,
 			); err != nil {
 				return errors.Wrapf(err, "could not copy firecracker binary from path %v", cfg.FirecrackerBinaryPath)
 			}
@@ -267,7 +269,11 @@ func (j runcJailer) ExposeDeviceToJail(srcDevicePath string) error {
 	// Here we only care about block devices, ie S_IFBLK.  If it is a block type
 	// we will manually call mknod and create that device.
 	if (stat.Mode & syscall.S_IFMT) == syscall.S_IFBLK {
-		path := filepath.Join(j.RootPath(), "dev")
+		path := filepath.Join(j.RootPath(), filepath.Dir(srcDevicePath))
+		if err := os.MkdirAll(path, 0700); err != nil {
+			return err
+		}
+
 		dst := filepath.Join(path, filepath.Base(srcDevicePath))
 		if err := exposeBlockDeviceToJail(dst, int(stat.Rdev), int(uid), int(gid)); err != nil {
 			return err
@@ -318,7 +324,7 @@ func copyFile(src, dst string, mode os.FileMode) error {
 }
 
 func (j runcJailer) jailerCommand(containerName string) *exec.Cmd {
-	cmd := exec.Command(j.runcBinaryPath, "run", containerName)
+	cmd := exec.CommandContext(j.ctx, j.runcBinaryPath, "run", containerName)
 	cmd.Dir = j.OCIBundlePath()
 	return cmd
 }

runtime/runc_jailer_test.go

@@ -52,7 +52,7 @@ func TestBuildJailedRootHandler_Isolated(t *testing.T) {
 	defer firecrackerFd.Close()
 
 	l := logrus.NewEntry(logrus.New())
-	jailer, err := newRuncJailer(l, dir, "bin-path", 123, 456)
+	jailer, err := newRuncJailer(context.Background(), l, dir, "bin-path", 123, 456)
 	require.NoError(t, err, "failed to create runc jailer")
 
 	cfg := Config{

runtime/service.go

@@ -462,7 +462,7 @@ func (s *service) createVM(requestCtx context.Context, request *proto.CreateVMRe
 	}()
 
 	s.logger.Info("creating new VM")
-	s.jailer, err = newJailer(requestCtx, s.logger, string(s.shimDir), s, request)
+	s.jailer, err = newJailer(s.shimCtx, s.logger, string(s.shimDir), s, request)
 	if err != nil {
 		return errors.Wrap(err, "failed to create jailer")
 	}
@@ -487,7 +487,10 @@ func (s *service) createVM(requestCtx context.Context, request *proto.CreateVMRe
 	}
 	opts = append(opts, jailedOpts...)
 
-	// use shimCtx so the VM is killed when the shim shuts down
+	// In the event that a noop jailer is used, we will pass in the shim context
+	// and have the SDK construct a new machine using that context. Otherwise, a
+	// custom process runner will be provided via options which will stomp over
+	// the shim context that was provided here.
 	s.machine, err = firecracker.NewMachine(s.shimCtx, *s.machineConfig, opts...)
 	if err != nil {
 		return errors.Wrapf(err, "failed to create new machine instance")

tools/docker/Dockerfile

@@ -150,6 +150,7 @@ COPY _submodules/firecracker/target/$FIRECRACKER_TARGET/release/firecracker /usr
 COPY _submodules/firecracker/target/$FIRECRACKER_TARGET/release/jailer /usr/local/bin/jailer
 COPY _submodules/runc/runc /usr/local/bin
 COPY tools/image-builder/rootfs.img /var/lib/firecracker-containerd/runtime/default-rootfs.img
+COPY runtime/firecracker-runc-config.json.example /etc/containerd/firecracker-runc-config.json 
 
 # pull the images the tests need into the content store so we don't need internet
 # access during the tests themselves