Add `runc features` command #3296

AkihiroSuda · 2021-11-29T10:40:19Z

The runc features command prints available features in JSON.

See types/features/features.go for the type definition.

{
    "ociVersionMin": "1.0.0",
    "ociVersionMax": "1.0.2-dev",
    "hooks": [
        "prestart",
        "createRuntime",
        "createContainer",
        "startContainer",
        "poststart",
        "poststop"
    ],
    "mountOptions": [
        "acl",
        "async",
        "atime",
        "bind",
        "defaults",
        "dev",
        "diratime",
        "dirsync",
        "exec",
        "iversion",
        "lazytime",
        "loud",
        "mand",
        "noacl",
        "noatime",
        "nodev",
        "nodiratime",
        "noexec",
        "noiversion",
        "nolazytime",
        "nomand",
        "norelatime",
        "nostrictatime",
        "nosuid",
        "private",
        "rbind",
        "relatime",
        "remount",
        "ro",
        "rprivate",
        "rshared",
        "rslave",
        "runbindable",
        "rw",
        "shared",
        "silent",
        "slave",
        "strictatime",
        "suid",
        "sync",
        "tmpcopyup",
        "unbindable"
    ],
    "linux": {
        "namespaces": [
            "cgroup",
            "ipc",
            "mount",
            "network",
            "pid",
            "user",
            "uts"
        ],
        "capabilities": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ",
            "CAP_PERFMON",
            "CAP_BPF",
            "CAP_CHECKPOINT_RESTORE"
        ],
        "cgroup": {
            "v1": true,
            "v2": true,
            "systemd": true,
            "systemdUser": true
        },
        "seccomp": {
            "enabled": true,
            "actions": [
                "SCMP_ACT_ALLOW",
                "SCMP_ACT_ERRNO",
                "SCMP_ACT_KILL",
                "SCMP_ACT_LOG",
                "SCMP_ACT_NOTIFY",
                "SCMP_ACT_TRACE",
                "SCMP_ACT_TRAP"
            ],
            "operators": [
                "SCMP_CMP_EQ",
                "SCMP_CMP_GE",
                "SCMP_CMP_GT",
                "SCMP_CMP_LE",
                "SCMP_CMP_LT",
                "SCMP_CMP_MASKED_EQ",
                "SCMP_CMP_NE"
            ],
            "archs": [
                "SCMP_ARCH_AARCH64",
                "SCMP_ARCH_ARM",
                "SCMP_ARCH_MIPS",
                "SCMP_ARCH_MIPS64",
                "SCMP_ARCH_MIPS64N32",
                "SCMP_ARCH_MIPSEL",
                "SCMP_ARCH_MIPSEL64",
                "SCMP_ARCH_MIPSEL64N32",
                "SCMP_ARCH_PPC",
                "SCMP_ARCH_PPC64",
                "SCMP_ARCH_PPC64LE",
                "SCMP_ARCH_S390",
                "SCMP_ARCH_S390X",
                "SCMP_ARCH_X32",
                "SCMP_ARCH_X86",
                "SCMP_ARCH_X86_64"
            ]
        },
        "apparmor": {
            "enabled": true
        },
        "selinux": {
            "enabled": true
        }
    },
    "annotations": {
        "io.github.seccomp.libseccomp.version": "2.5.1",
        "org.opencontainers.runc.checkpoint.enabled": "true",
        "org.opencontainers.runc.commit": "v1.0.0-402-g520702da",
        "org.opencontainers.runc.version": "1.0.0+dev"
    }
}

AkihiroSuda · 2021-11-29T10:43:02Z

cc @giuseppe for consistency with crun.

This is expected to be merged in runc first and then crun.

giuseppe · 2021-11-29T11:14:17Z

is it something that should be discussed in the runtime-specs so that other runtimes can benefit from it?

AkihiroSuda · 2021-11-29T11:20:35Z

is it something that should be discussed in the runtime-specs so that other runtimes can benefit from it?

I'm not sure, as the proposed JSON contains runc-specific features such as criu, and perhaps some CLI stuffs (which are out of the scope of the Runtime Spec) in the future.

types/features/features.go

kolyshkin

This looks very good overall, thank you @AkihiroSuda!

My only comments are nits -- mostly, a few missing periods at end of sentences.

Also, I would avoid using github markdown in docstrings / comments -- they are not formatted by godoc (go.pkg.dev, etc) and thus look weird.

AkihiroSuda · 2021-11-29T17:25:23Z

types/features/features.go

+
+const (
+	// AnnotationRuncVersion represents the version of runc, e.g., "1.2.3", or "1.2.3+dev".
+	// Third party implementations such as crun and runsc SHOULD NOT use this annotation.


(On second thought, crun MAY use this annotation to report the most compatible runc version)

Reworded: Third party implementations such as crun and runsc MAY use this annotation to report the most compatible runc version, however, parsing this annotation value is discouraged.

cyphar · 2021-11-30T06:23:47Z

I'm a bit apprehensive about having this be something we define outside of the runtime-spec. We do have a lot of behaviour that is out-of-spec, but given that this feature appears to be needed to work around existing runtime-spec deficiencies (several aspects of the runtime-spec use strings to specify values which the kernel accepts as bitflags -- meaning that runtimes need to have the right string-to-bitflag mappings available), having this feature entirely out-of-spec seems less than ideal.

Maybe we can prototype it outside of the runtime-spec (but if we're doing that then this feature would need to be feature-gated or otherwise have a warning saying "this may change in the future"), but long-term this should be part of the runtime-spec because not doing so would widen the (already worryingly large) gap between the runtime-spec and what a runtime actually has to implement to be a drop-in replacement for runc.

AkihiroSuda · 2021-11-30T06:31:06Z

Maybe we can prototype it outside of the runtime-spec (but if we're doing that then this feature would need to be feature-gated or otherwise have a warning saying "this may change in the future"), but long-term this should be part of the runtime-spec because not doing so would widen the (already worryingly large) gap between the runtime-spec and what a runtime actually has to implement to be a drop-in replacement for runc.

SGTM.

The Annotation strings are runc-specific but other fields can be probably moved to Runtime Spec, eventually.

AkihiroSuda · 2021-11-30T07:08:12Z

Moved the criu field to an annotation, as criu is out of the scope of the Runtime Spec.

kolyshkin · 2021-12-03T23:42:13Z

@cyphar PTAL

kolyshkin · 2021-12-06T11:08:16Z

Very much hope we can do an rc1 this week.

cyphar · 2021-12-07T03:03:37Z

I'll do a quick pass through all the remaining PRs and set up the rc1 release PR.

cyphar · 2021-12-07T05:14:36Z

features.go

+	ArgsUsage: "",
+	Description: `Show the enabled features.
+   The result is parsable as a JSON.
+   See https://pkg.go.dev/github.com/opencontainers/runc/types/features for the type definition.


It would be nice to mention here that the output is subject to change, which will be slightly more visible than the changelog. But we can add that later.

cyphar

LGTM, but as mentioned above I will specify in the changelog that this is subject to change. We should probably also mention this in the help output.

AkihiroSuda · 2021-12-09T09:04:50Z

Runtime-spec PR: opencontainers/runtime-spec#1130

The 'features' subcommand is not publicly documented yet, but it was introduced in `runc` in opencontainers/runc#3296. Signed-off-by: Christophe de Dinechin <[email protected]>

The `runc features` subcommand returns a JSON formatted string listing the supported features. It is not documented, but it was implemented here: opencontainers/runc#3296. Based on the code, it does not seem to take any option. Signed-off-by: Christophe de Dinechin <[email protected]>

The 'features' subcommand is not publicly documented yet, but it was introduced in `runc` in opencontainers/runc#3296. Signed-off-by: Christophe de Dinechin <[email protected]>

The `features` subcommand is implemented in `runc`, but not documented. See opencontainers/runc#3296 Signed-off-by: Christophe de Dinechin <[email protected]> Suggested-by: Toru Komatsu <[email protected]>