Jailer support

[dreadl0ck]

Jailer Support

This pull request adds support to use the jailer for securing firecracker vms launched with firectl.

It extends the flag set with the following flags, following the firecracker flag naming of the firecracker and jailer binaries:

type options struct {
	...
	Id       string `long:"id" description:"Jailer VMM id"`
	ExecFile string `long:"exec-file" description:"Jailer executable"`
	JailerBinary  string `long:"jailer" description:"Jailer binary"`
	
	Uid      int    `long:"uid" description:"Jailer uid for dropping privileges"`
	Gid      int    `long:"gid" description:"Jailer gid for dropping privileges"`
	NumaNode int    `long:"node" description:"Jailer numa node"`
	
	ChrootBaseDir string `long:"chroot-base-dir" description:"Jailer chroot base directory"`
	Daemonize     bool   `long:"daemonize" description:"Run jailer as daemon"`
}

It makes use of the official Go SDK to invoke the jailer and is configured entirely via commandline flags.

The new command line interface looks like this:

$ firectl -h
Usage:
  firectl [OPTIONS]

Application Options:
      --firecracker-binary=     Path to firecracker binary
      --kernel=                 Path to the kernel image (default: ./vmlinux)
      --kernel-opts=            Kernel commandline (default: ro console=ttyS0 noapic reboot=k
                                panic=1 pci=off nomodules)
      --root-drive=             Path to root disk image
      --root-partition=         Root partition UUID
      --add-drive=              Path to additional drive, suffixed with :ro or :rw, can be specified
                                multiple times
      --tap-device=             NIC info, specified as DEVICE/MAC, can be specified multiple times
      --vsock-device=           Vsock interface, specified as PATH:CID. Multiple OK
      --vmm-log-fifo=           FIFO for firecracker logs
      --log-level=              vmm log level (default: Debug)
      --metrics-fifo=           FIFO for firecracker metrics
  -t, --disable-hyperthreading  Disable CPU Hyperthreading
  -c, --ncpus=                  Number of CPUs (default: 1)
      --cpu-template=           Firecracker CPU Template (C3 or T2)
  -m, --memory=                 VM memory, in MiB (default: 512)
      --metadata=               Firecracker Metadata for MMDS (json)
  -l, --firecracker-log=        pipes the fifo contents to the specified file
  -s, --socket-path=            path to use for firecracker socket, defaults to a unique file in in
                                the first existing directory from {$HOME, $TMPDIR, or /tmp}
  -d, --debug                   Enable debug output
      --version                 Outputs the version of the application
      --id=                     Jailer VMM id
      --exec-file=              Jailer executable
      --jailer=                 Jailer binary
      --uid=                    Jailer uid for dropping privileges
      --gid=                    Jailer gid for dropping privileges
      --node=                   Jailer numa node
      --chroot-base-dir=        Jailer chroot base directory
      --daemonize               Run jailer as daemon

Help Options:
  -h, --help                    Show this help message

I made a small change to the API to keep the configuration simple and ease debugging: firecracker-microvm/firecracker-go-sdk#255

However, this pull request does not depend on it and uses the latest version v0.21.0 to accomplish its task.

cc @ppartarr

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[dreadl0ck]

Updated the commits to include the "signed-off" line

[nmeyerhans]

Thanks for this. I'll take a look as soon as I've got some time. Seems like I also need to spend some time with the buildkite configuration, too.

[nmeyerhans]

This looks good to me. My only concern is about the go.sum reference to the firecracker-go-sdk module. I'll try to investigate that a little deeper; please feel free to do so yourself, if you're able. I'd like to confirm that we have the right value in that file before merging.

[nmeyerhans]

There seems to be something wrong with the firecracker-go-sdk served by proxy.golang.org and/or sum.golang.org, and I'm running in to firecracker-microvm/firecracker-go-sdk#224 and/or firecracker-microvm/firecracker-go-sdk#235 when trying to build your changes. I can obviously work around this while reviewing, but I'm not sure this checksum (h1.41W/...) is the correct one.

[dreadl0ck]

Hmm, I ran 'go mod tidy', thats what caused the go.sum changes.

We could just revert the go.sum file to the previous state?

I executed go mod tidy on macOS, even though I can't build the project for darwin,
due to one of its dependencies:

$ go install
go build github.com/containernetworking/plugins/pkg/ns: build constraints exclude all Go files in /Users/username/go/pkg/mod/github.com/containernetworking/[email protected]/pkg/ns

Running go mod tidy again gives me the following output:

$ git status
On branch jailer-support
Your branch is up to date with 'origin/jailer-support'.

nothing to commit, working tree clean
$ go mod tidy
go: downloading github.com/firecracker-microvm/firecracker-go-sdk v0.21.0
go: downloading github.com/go-openapi/strfmt v0.19.5
go: downloading github.com/stretchr/testify v1.5.1
go: downloading github.com/go-openapi/errors v0.19.3
go: downloading github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
go: downloading go.mongodb.org/mongo-driver v1.4.0
go: downloading github.com/go-openapi/runtime v0.19.11
go: downloading github.com/go-openapi/swag v0.19.7
go: downloading github.com/hashicorp/go-multierror v1.1.0
go: downloading github.com/containernetworking/cni v0.8.0
go: downloading github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b
go: downloading github.com/sparrc/go-ping v0.0.0-20190613174326-4e5b6552494c
go: downloading gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127
go: downloading github.com/containernetworking/plugins v0.8.7-0.20200805193842-bd589992fbe0
go: downloading github.com/mailru/easyjson v0.7.2
go: downloading github.com/hashicorp/errwrap v1.0.0
go: downloading github.com/go-openapi/validate v0.19.6
go: downloading github.com/onsi/gomega v1.10.1
go: downloading github.com/onsi/ginkgo v1.14.0
go: downloading github.com/josharian/intern v1.0.0
go: downloading github.com/go-openapi/analysis v0.19.5
go: downloading github.com/kr/text v0.1.0
go: downloading github.com/go-openapi/loads v0.19.4
go: downloading github.com/go-openapi/spec v0.19.9
go: downloading github.com/nxadm/tail v1.4.4
go: downloading github.com/vishvananda/netlink v1.1.0
go: downloading github.com/go-openapi/jsonpointer v0.19.3
go: downloading github.com/fsnotify/fsnotify v1.4.9
go: downloading github.com/go-openapi/jsonreference v0.19.4
go: downloading github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae
go: downloading github.com/PuerkitoBio/purell v1.1.1
go: downloading github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578
go: downloading github.com/tidwall/pretty v1.0.1

[nmeyerhans]

We could just revert the go.sum file to the previous state?

When firecracker-microvm/firecracker-go-sdk#266 gets merged, we can update to version 0.22. I think that's the better way to go. Let's wait for that and see if the new version resolves the proxy/hash issue.

[nmeyerhans]

👍

[nmeyerhans]

I've added a couple new commits on top of yours to introduce SDK 0.22.0 support. It looks like at least options.go is still in need of having go fmt run on it. Could you please do that and squash the changes into the relevant commits before I merge?

[dreadl0ck]

Done, squashed all my commits into a single one #f1c8ba0.

[nmeyerhans]

Thanks for contributing this useful feature.