Support settings oci defaults on ecs variants

Release.toml

@@ -225,4 +225,6 @@ version = "1.15.0"
     "migrate_v1.15.0_oci-defaults-resource-setting.lz4",
     "migrate_v1.15.0_oci-defaults-max-open-files.lz4",
     "migrate_v1.15.0_seccomp-default-setting.lz4",
+    "migrate_v1.15.0_oci-defaults-docker-setting.lz4",
+    "migrate_v1.15.0_oci-defaults-docker-setting-metadata.lz4",
 ]

packages/containerd/containerd-cri-base-json

@@ -8,12 +8,12 @@
         "cwd": "/",
         {{~#if settings.oci-defaults.capabilities~}}
         "capabilities": {
-            {{~oci_defaults settings.oci-defaults.capabilities~}}
+            {{~oci_defaults "containerd" settings.oci-defaults.capabilities~}}
         },
         {{~/if~}}
         {{~#if settings.oci-defaults.resource-limits~}}
         "rlimits": [
-            {{~oci_defaults settings.oci-defaults.resource-limits~}}
+            {{~oci_defaults "containerd" settings.oci-defaults.resource-limits~}}
         ],
         {{~/if~}}
         "noNewPrivileges": true

packages/docker-engine/0002-Change-default-capabilities-using-daemon-config.patch

@@ -0,0 +1,102 @@
+From ccb69c8fbcbe272d663ad1c97de91a993a609c96 Mon Sep 17 00:00:00 2001
+From: Shikha Vyaghra <[email protected]>
+Date: Thu, 6 Jul 2023 17:26:45 +0000
+Subject: [PATCH] Change default capabilities using daemon config
+
+Default capabilities in spec can be changed by reading from daemon
+configuration file using a parameter "default-capabilities". If
+the capabilities will not be provided, then default capabilities
+in Moby code will be used.
+
+Signed-off-by: Shikha Vyaghra <[email protected]>
+---
+ cmd/dockerd/config_unix.go   |  1 +
+ daemon/config/config.go      | 13 +++++++------
+ daemon/config/config_unix.go |  1 +
+ daemon/oci_linux.go          | 13 ++++++++++---
+ 4 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/cmd/dockerd/config_unix.go b/cmd/dockerd/config_unix.go
+index f463686..862feff 100644
+--- a/cmd/dockerd/config_unix.go
++++ b/cmd/dockerd/config_unix.go
+@@ -41,6 +41,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
+ 	flags.BoolVar(&conf.BridgeConfig.EnableIPv6, "ipv6", false, "Enable IPv6 networking")
+ 	flags.StringVar(&conf.BridgeConfig.FixedCIDRv6, "fixed-cidr-v6", "", "IPv6 subnet for fixed IPs")
+ 	flags.BoolVar(&conf.BridgeConfig.EnableUserlandProxy, "userland-proxy", true, "Use userland proxy for loopback traffic")
++	flags.Var(opts.NewNamedListOptsRef("default-capabilities", &conf.Capabilities, nil), "default-capabilities", "Default capabilities for containers")
+ 	defaultUserlandProxyPath := ""
+ 	if rootless.RunningWithRootlessKit() {
+ 		var err error
+diff --git a/daemon/config/config.go b/daemon/config/config.go
+index 4990727..d4909be 100644
+--- a/daemon/config/config.go
++++ b/daemon/config/config.go
+@@ -67,12 +67,13 @@ var builtinRuntimes = map[string]bool{
+ // Use this to differentiate these options
+ // with others like the ones in CommonTLSOptions.
+ var flatOptions = map[string]bool{
+-	"cluster-store-opts": true,
+-	"log-opts":           true,
+-	"runtimes":           true,
+-	"default-ulimits":    true,
+-	"features":           true,
+-	"builder":            true,
++	"cluster-store-opts":    true,
++	"log-opts":              true,
++	"runtimes":              true,
++	"default-ulimits":       true,
++	"features":              true,
++	"builder":               true,
++	"default-capabilities":  true,
+ }
+
+ // skipValidateOptions contains configuration keys
+diff --git a/daemon/config/config_unix.go b/daemon/config/config_unix.go
+index 96805d3..cd187a2 100644
+--- a/daemon/config/config_unix.go
++++ b/daemon/config/config_unix.go
+@@ -39,6 +39,7 @@ type Config struct {
+ 	NoNewPrivileges      bool                     `json:"no-new-privileges,omitempty"`
+ 	IpcMode              string                   `json:"default-ipc-mode,omitempty"`
+ 	CgroupNamespaceMode  string                   `json:"default-cgroupns-mode,omitempty"`
++	Capabilities         []string                 `json:"default-capabilities,omitempty"`
+ 	// ResolvConf is the path to the configuration of the host resolver
+ 	ResolvConf string `json:"resolv-conf,omitempty"`
+ 	Rootless   bool   `json:"rootless,omitempty"`
+diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
+index a5a5acf..d3d4acc 100644
+--- a/daemon/oci_linux.go
++++ b/daemon/oci_linux.go
+@@ -156,10 +156,17 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
+ }
+
+ // WithCapabilities sets the container's capabilties
+-func WithCapabilities(c *container.Container) coci.SpecOpts {
++func WithCapabilities(daemon *Daemon, c *container.Container) coci.SpecOpts {
+ 	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
++		var defCaps []string
++		if len(daemon.configStore.Capabilities) != 0 {
++			defCaps = daemon.configStore.Capabilities
++		} else {
++			defCaps = caps.DefaultCapabilities()
++		}
++
+ 		capabilities, err := caps.TweakCapabilities(
+-			caps.DefaultCapabilities(),
++			defCaps,
+ 			c.HostConfig.CapAdd,
+ 			c.HostConfig.CapDrop,
+ 			c.HostConfig.Privileged,
+@@ -1023,7 +1030,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
+ 		WithUser(c),
+ 		WithRlimits(daemon, c),
+ 		WithNamespaces(daemon, c),
+-		WithCapabilities(c),
++		WithCapabilities(daemon, c),
+ 		WithSeccomp(daemon, c),
+ 		WithMounts(daemon, c),
+ 		WithLibnetwork(daemon, c),
+-- 
+2.40.1
+

packages/docker-engine/daemon-json

@@ -7,7 +7,14 @@
   "default-runtime": "shimpei",
   "runtimes": { "shimpei": { "path": "shimpei" } },
   "selinux-enabled": true,
-  "default-ulimits": { "nofile": { "Name": "nofile", "Soft": 1024, "Hard": 4096 } }
+  {{~#if settings.oci-defaults.capabilities~}}
+  "default-capabilities": {{~oci_defaults "docker" settings.oci-defaults.capabilities~}}
+  {{~/if~}}
+  {{~#if settings.oci-defaults.resource-limits~}}
+  "default-ulimits": {
+    {{~oci_defaults "docker" settings.oci-defaults.resource-limits~}}
+  }
+  {{~/if~}}
   {{#if settings.container-registry.mirrors}}
   {{#each settings.container-registry.mirrors}}
   {{#if (eq registry "docker.io" )}},

packages/docker-engine/daemon-nvidia-json

@@ -7,7 +7,14 @@
   "default-runtime": "shimpei",
   "runtimes": { "shimpei": { "path": "shimpei" }, "nvidia": { "path": "nvidia-oci" } },
   "selinux-enabled": true,
-  "default-ulimits": { "nofile": { "Name": "nofile", "Soft": 1024, "Hard": 4096 } }
+  {{~#if settings.oci-defaults.capabilities~}}
+  "default-capabilities": {{~oci_defaults "docker" settings.oci-defaults.capabilities~}}
+  {{~/if~}}
+  {{~#if settings.oci-defaults.resource-limits~}}
+  "default-ulimits": {
+  {{~oci_defaults "docker" settings.oci-defaults.resource-limits~}}
+  }
+  {{~/if~}}
   {{#if settings.container-registry.mirrors}}
   {{#each settings.container-registry.mirrors}}
   {{#if (eq registry "docker.io" )}},

packages/docker-engine/docker-engine.spec

@@ -31,6 +31,7 @@ Source1000: clarify.toml
 
 # Backport to fix host header issue when compiling with Go 1.20.6 or later
 Patch0001: 0001-non-tcp-host-header.patch
+Patch0002: 0002-Change-default-capabilities-using-daemon-config.patch
 
 BuildRequires: git
 BuildRequires: %{_cross_os}glibc-devel

sources/Cargo.toml

@@ -60,6 +60,8 @@ members = [
     "api/migration/migrations/v1.15.0/oci-defaults-resource-setting",
     "api/migration/migrations/v1.15.0/oci-defaults-max-open-files",
     "api/migration/migrations/v1.15.0/seccomp-default-setting",
+    "api/migration/migrations/v1.15.0/oci-defaults-docker-setting",
+    "api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata",
 
     "bloodhound",
 

sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "oci-defaults-docker-setting-metadata"
+version = "0.1.0"
+edition = "2021"
+authors = ["Shikha Vyaghra <[email protected]>"]
+license = "Apache-2.0 OR MIT"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
+
+[build-dependencies]
+bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/build.rs

@@ -0,0 +1,6 @@
+use bottlerocket_variant::Variant;
+
+fn main() {
+    let variant = Variant::from_env().unwrap();
+    variant.emit_cfgs();
+}

sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/src/main.rs

@@ -0,0 +1,29 @@
+use migration_helpers::common_migrations::{AddMetadataMigration, NoOpMigration, SettingMetadata};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We updated the 'affected-services' list metadata for 'settings.oci-defaults'
+/// to include itself and containerd on upgrade, and to remove those values on
+/// downgrade, depending on the running variant.
+fn run() -> Result<()> {
+    if cfg!(variant_runtime = "ecs") {
+        migrate(AddMetadataMigration(&[SettingMetadata {
+            metadata: &["affected-services"],
+            setting: "settings.oci-defaults",
+        }]))?
+    } else {
+        migrate(NoOpMigration)?;
+    }
+
+    Ok(())
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}

sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "oci-defaults-docker-setting"
+version = "0.1.0"
+edition = "2021"
+authors = ["Shikha Vyaghra <[email protected]>"]
+license = "Apache-2.0 OR MIT"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
+
+[build-dependencies]
+bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/build.rs

@@ -0,0 +1,6 @@
+use bottlerocket_variant::Variant;
+
+fn main() {
+    let variant = Variant::from_env().unwrap();
+    variant.emit_cfgs();
+}

sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/src/main.rs

@@ -0,0 +1,31 @@
+use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added new settings for configuring the default OCI runtime spec for ECS,
+/// `settings.oci-defaults`, which will initially contain
+/// `settings.oci-defaults.capabilities` and
+/// `settings.oci-defaults.resource-limits`
+fn run() -> Result<()> {
+    if cfg!(variant_runtime = "ecs") {
+        migrate(AddPrefixesMigration(vec![
+            "settings.oci-defaults",
+            "services.oci-defaults",
+            "configuration-files.oci-defaults",
+        ]))?
+    } else {
+        migrate(NoOpMigration)?;
+    }
+
+    Ok(())
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}