rootless: harden slirp4netns with mount namespace and seccomp

[AkihiroSuda]

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

- What I did

When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using
mount namespace ("sandbox") and seccomp to mitigate potential
vulnerabilities.

- How I did it

bump up rootlesskit: rootless-containers/rootlesskit@2fcff6c...791ac8c

- How to verify it

Run rootless mode with slirp4netns v0.4.0+ installed

- Description for the changelog

rootless: harden slirp4netns with mount namespace and seccomp

- A picture of a cute animal (not mandatory but encouraged)

🐧

[thaJeztah]

LGTM, but left a comment/thought

[thaJeztah]

What is the default if no auto is set? If we omit these flags, would it not use sandbox or seccomp?

Basically wondering if we need the DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX env-vars or if we should omit these flags in the script (assuming people install the latest version of rootless kit)

[AkihiroSuda]

The rootlesskit default value is currently false but planned to be auto in future https://github.com/rootless-containers/rootlesskit/blob/v0.7.0/cmd/rootlesskit/main.go#L63-L72

[thaJeztah]

Ah, thanks for explaining; yes, auto sounds like a better default

[thaJeztah]

CI failure was unrelated; kicked Jenkins

[cpuguy83]

LGTM

[thaJeztah]

Janky failure looks like a flaky test (tracked through #23626)

https://ci.docker.com/public/job/moby/job/PR-39840/3/execution/node/178/log/?consoleFull

05:32:26  FAIL: docker_api_swarm_service_test.go:96: DockerSwarmSuite.TestAPISwarmServicesMultipleAgents
05:32:26  
05:32:26  Creating a new daemon at: /go/src/github.com/docker/docker/bundles/test-integration/3/DockerSwarmSuite.TestAPISwarmServicesMultipleAgents
05:32:26  [d2ef28083cfa7] waiting for daemon to start
05:32:26  [d2ef28083cfa7] waiting for daemon to start
05:32:26  [d2ef28083cfa7] daemon started
05:32:26  
05:32:26  Creating a new daemon at: /go/src/github.com/docker/docker/bundles/test-integration/3/DockerSwarmSuite.TestAPISwarmServicesMultipleAgents
05:32:26  [d20bd59c69050] waiting for daemon to start
05:32:26  [d20bd59c69050] waiting for daemon to start
05:32:26  [d20bd59c69050] daemon started
05:32:26  
05:32:26  [d20bd59c69050] joining swarm manager [d2ef28083cfa7]@0.0.0.0:2477, swarm listen addr 0.0.0.0:2478
05:32:26  Creating a new daemon at: /go/src/github.com/docker/docker/bundles/test-integration/3/DockerSwarmSuite.TestAPISwarmServicesMultipleAgents
05:32:26  [d74ad5297e1e2] waiting for daemon to start
05:32:26  [d74ad5297e1e2] waiting for daemon to start
05:32:26  [d74ad5297e1e2] daemon started
05:32:26  
05:32:26  [d74ad5297e1e2] joining swarm manager [d2ef28083cfa7]@0.0.0.0:2477, swarm listen addr 0.0.0.0:2479
05:32:26  waited for 2.461883589s (out of 30s)
05:32:26  waited for 10.067687ms (out of 30s)
05:32:26  waited for 21.418765ms (out of 30s)
05:32:26  waited for 193.170983ms (out of 30s)
05:32:26  [d20bd59c69050] Stopping daemon
05:32:26  [d20bd59c69050] exiting daemon
05:32:26  [d20bd59c69050] Daemon stopped
05:32:26  waited for 5.425236891s (out of 30s)
05:32:26  docker_api_swarm_service_test.go:120:
05:32:26      waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
05:32:26  docker_utils_test.go:435:
05:32:26      c.Assert(v, checker, args...)
05:32:26  ... obtained int = 6
05:32:26  ... expected int = 5
05:32:26  ... output: "6f62b6f86fed\ne18bcef00cd9\ndbbd811e9851\n", output: "90c4f95eb58a\n0d1eee4017b1\nfc756a31ae5c\n"
05:32:26  
05:32:26  waited for 30.093634604s (out of 30s)
05:32:26  [d2ef28083cfa7] Stopping daemon
05:32:26  [d2ef28083cfa7] exiting daemon
05:32:26  [d2ef28083cfa7] Daemon stopped
05:32:26  [d74ad5297e1e2] Stopping daemon
05:32:26  [d74ad5297e1e2] exiting daemon
05:32:26  [d74ad5297e1e2] Daemon stopped

[thaJeztah]

Merging this one, because I don't think any of this runs in CI