support DisableCgroup, DisableApparmor, RestrictOOMScoreAdj

[AkihiroSuda]

Add following config for supporting "rootless" mode

• DisableCgroup: disable cgroup
• DisableApparmor: disable Apparmor
• RestrictOOMScoreAdj: restrict the lower bound of OOMScoreAdj

Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp

---

A quick way to test this PR is to use Usernetes v20181109.0 ( https://github.com/rootless-containers/usernetes )

$ ./run.sh default-containerd
$ ./kubectl.sh run -it --rm --image alpine foo

cc @giuseppe for consistency with CRI-O implementation (https://github.com/kubernetes-sigs/cri-o/blob/2accad9fab352c445bb4c414d9d3c8cdf351c524/server/rootless.go could be simplified as in this PR with the latest runc IIUC)

[mikebrow]

See comments, I missed containerd/containerd#2766 going in, sry. If we want this back ported to earlier releases we'll want to keep these changes you made and walk them back as deprecated.. then do a follow up commit putting them in as runc options vs cri root options.

[Random-Liu]

In OCI spec, both AppArmor and OOMScoreAdj is a Process level configuration. I think we can match that, so I'm fine with a daemon level NoAppArmor and RestrictOOMScoreAdj option.

As for NoCgroup, although it is Linux specific, but it is still different from the existing runtime options, e.g. "NoPivot":

• Options like "NoPivot" or "SystemdCgroup" are actually runc specific (they are runc flags), and they are actually changing runc's behavior.
• However, NoCgroup (NoAppArmor and RestrictOOMScoreAdj as well) is changing the cri plugin's behavior - it changes how cri should config the OCI spec. Given so, I think it is a cri daemon level configuration. As for the fact that it is Linux specific, we need to have different groups of daemon level configurations for Windows and Linux in the future anyway.

@AkihiroSuda Are these options only useful for rootless? If that is the case, can we add a Rootless section in the config? So that it is clear to the user that this is for rootless.

[mikebrow]

@AkihiroSuda Are these options only useful for rootless? If that is the case, can we add a Rootless section in the config? So that it is clear to the user that this is for rootless.

I was sort of thinking these are runtime config options required for filtering oci spec generation to make sure it will run rootless. But I don't see why we would want to filter/force all pods on the host to be rootless. Is that the goal here? Push rootless up the stack or to support running the shims/runc/containerd as rootless? Switching to rootless at the host/containerd/cri level seems like a pretty big switch.

It might be better to return error if an apparmor profile is specified and is disabled, than to filter the profile option.

How will these changes effect kata support?

[Random-Liu]

Switching to rootless at the host/containerd/cri level seems like a pretty big switch.

If I understand correctly, "Rootless" means run containerd as a non-root user. If that is the case, it is a daemon level thing to me.

It is "rootless" containerd, not running a non-root container.

[AkihiroSuda]

In this context I mean running everything (runc, containerd, kubelet) as a non-root user. I can explain the details in person and show you demo during KubeCon Shanghai

[mikebrow]

ok. Even kubelet, interesting.

[mikebrow]

Maybe what's needed here is a single check to see if we are running as root or not then use that as flag to filter out any attempt to do something that is known to fail when not running as root. For example, if !runningAsRoot && apparmorProfile != "" return err.."apparmor is not supported when running as non-root..."

[AkihiroSuda]

It might be complicating, if we want to support automatic detection, maybe we should change the variable type from bool to string, and reserve "auto" for the future implementation (Either way, probably we should allow setting NoCgroups=false even in rootless mode, because cgroups can be used when the fs is chowned)

[AkihiroSuda]

@Random-Liu @mikebrow any thought?

[mikebrow]

Suggest: using a string for a rootless option, "auto" should be default. False would make sure we are running as root otherwise throw error on init, true would make sure we are not running as root otherwise error on init. Agree to implementing NoCgroup, NoAppArmor, and RestrictOOMScoreAdj as daemon level options. See @Random-Liu's comment above regarding:

move implementation of these options to the place the option was originally configured, e.g. OOMScoreAdj is configured in setOCILinuxResource

Thoughts?

[AkihiroSuda]

thanks, updated

[mikebrow]

/LGTM

[Random-Liu]

Add unit test cases for this logic.

[AkihiroSuda]

Can we cover this in an integrated test (in a follow-up PR)?

[Random-Liu]

It is current hard to write an integration test with different containerd configurations.

I think a unit test would be easier. You can check existing unit tests, it should be simple to add a similar one. :)

[AkihiroSuda]

updated

[Random-Liu]

It is current hard to write an integration test with different containerd configurations.

I think a unit test would be easier. You can check existing unit tests, it should be simple to add a similar one. :)

[Random-Liu]

LGTM other than the comments.

[AkihiroSuda]

thanks, updated

[Random-Liu]

/lgtm