Full Linux OCI runtime spec support

[cpuguy83]

Right now we have only partial support for the OCI runtime spec.
While some things in the spec may not make sense for running wasm code itself, it is useful for sandboxing for the wasm runtime and/or the execution of the wasm for defense-in-depth as well as ensuring fewer surprises for users expecting their settings to actually apply.

Some things missing:

• cgroups: In progress: Support for cgroups #21
• Lifecycle Hooks: https://github.com/opencontainers/runtime-spec/blob/main/runtime.md#lifecycle https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#posix-platform-hooks (Docker has at least some of this in their fork: https://github.com/second-state/runwasi/pull/13/files @rumpl)
• hybrid cgroup: In Support for cgroups #21 there is support for cgroupv1 and cgroupv2, but not hybrid mode
• systemd cgroup: Support for cgroups #21 now implements cgroupfs mode but does not support systemd cgroups
• namespaces: We do setup the network namespace, but other namespace support is still needed https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#namespaces
• seccomp: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp
• apparmor: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• selinux: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#mount-label https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• devices: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#devices
• sysctl: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#sysctl
• masked paths: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#masked-paths
• personality: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#personality
• rlimits: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#posix-process
• capabilities: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• oom score: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• no-new-privileges: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• Users/Groups: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#user
• IntelRDT: This is pretty low-priority and is very new in OCI https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#intelrdt

[cpuguy83]

@Mossaka

[Mossaka]

Wow, thanks!! That's a long list of TODOs.

[utam0k]

@cpuguy83 @Mossaka
Hi, runwasi team. I'm from youki which implements the OCI runtime spec in Rust. We have already supported wasm and full linux OCI runtime spec.
https://containers.github.io/youki/user/webassembly.html
Can we cooperate? A crate from youki is also provided for ease of use by other container-related people.

[Mossaka]

Hey @utam0k !

I am happy to cooperate with Youki on OCI runtime spec considering both projects are written in Rust! Do you want to sync up on this topic some time later this week?

[utam0k]

@Mossaka I'm looking forward to working with you!
I'm a little busy these days and may not have time. Why don't we communicate on discord first for closer communication in private? May I ask you to join the youki discord groupand send me a friend request?

[Mossaka]

May I ask you to join the youki discord groupand send me a friend request?

Done

[ipuustin]

I started looking at implementing device files and seccomp support in https://github.com/ipuustin/runwasi/commits/seccomp using libcontainer features. Right now there is a slight incompatibility due to different oci-spec versions though.

[utam0k]

@cpuguy83 @Mossaka I'd like to address the wasmtime part in the same way. When is the best time?

[ipuustin]

@cpuguy83 @Mossaka I'd like to address the wasmtime part in the same way. When is the best time?

I think anytime. :-) I made an issue for tracking it: #110