[Merged] features-linux: Expose idmap information

[rata]

High level container runtimes sometimes need to know if the OCI runtime supports idmap mounts or not, as the OCI runtime silently ignores unknown fields.

This means that if it doesn't support idmap mounts, a container with userns will be started, without idmap mounts, and the files created on the volumes will have a "garbage" owner/group. Furthermore, as the userns mapping is not guaranteed to be stable over time, it will be completely unusable.

Let's expose idmap support in the features subcommand, so high level container runtimes use the feature safely.

---

cc @giuseppe @AkihiroSuda

[giuseppe]

LGTM

[AkihiroSuda]

Thanks

[cyphar]

I don't think a boolean is sufficient to describe the state of idmapped mount support.

At the moment, runc only supports this for one specific case (which will be fixed by opencontainers/runc#3985). Once we fix this, runc will only support these flags for bind mounts. However, the specification allows you to set these fields for any mount, which runc doesn't currently support (because it would require reworking a lot of our mount infrastructure). I don't know if crun supports arbitrary mounts to have this flag added either (@giuseppe?). Same for youki (@utam0k?).

The problem with a boolean is that it's not clear to me whether this should be true or false in any of these cases. Does true mean that setting the idmapping flags is supported at all (even with restrictions), or that it is fully supported?

I don't know if there is a nice way to describe all of these cases. You could have a string saying which filesystem types are supported, but bind-mounts are not treated as a filesystem type by the spec... We can probably ignore the way runc currently supports idmapped mounts because I suspect nobody is going to release a runtime with the feature that is that restricted.

[AkihiroSuda]

What about having two flags: "mountExtensions": ["idmapFixed", "idmapFlexible"]

[cyphar]

That would work for the level of idmapped supports, but for mount types I think we will need something as well.

For instance, in runc we would need to explicitly work to add support for tmpfs because we have special handling for tmpcopyup (as well as proc, sys, cgroup -- but none of those filesystems have FS_ALLOW_IDMAP so it's not super important).

Now that I think about it, we could just have a list of supported filesystem types (the runtime could use /proc/filesystems and filter out filesystems they need special handling for, or just have a fixed list they support). For bind-mounts we might be able have idmapBind as an extension? Or we could add bind as a filesystem type...

[cyphar]

Maybe this could be an object like:

"mountExtensions": {
  "idmap": {
    "modes": ["sameAsUserns", "arbitrary"],
    "filesystemTypes": ["ext4", "tmpfs", "foobarfs"],
    "supportsBind": true
  }
}

wdyt?

Also we need to figure out how to deal with recursive mounts -- see #1216. If we add a separate flag for this, we will need to add an entry to this struct.

[AkihiroSuda]

SGTM, but probably s/Userns/UserNS/, as Userns may look like Users

[cyphar]

To be fair, the fact this is silently ignored is a pretty serious issue

What exactly is silently ignored and with which runc version(s)?

I was referring to the issue you mention in the PR description -- the new fields are ignored on older runc versions (by design) and thus you end up with misconfigured mounts.

That is exactly what I did, for this to be extensible. Can you have another look? :)

Ah, you pushed a new version since my last comment. My bad. 😅

[rata]

@cyphar Also, crun is using open_tree(), mount_setattr() and move_mount(); not fsconfig, for idmap mounts.

[giuseppe]

@giuseppe Sorry, by "arbitrary mounts", I mean do you support doing idmapped mounts for non-bindmounts? (In other words, do you use fsopen/fsconfig to configure mounts and apply idmapped mounts to them? Can I create a type: tmpfs mount with an id mapping?)

no, that is not supported at the moment. idmapped mounts work only with bind mounts

[rata]

IIUC what is relevant for this PR is solved. Otherwise, please feel free to re-open.

[cyphar]

I'll keep the conversation as "unresolved" so that it's not hidden when you open the PR after it's been merged. I can open an issue to discuss additional fields we might need for users to fully understand what features are supported.

[cyphar]

Aside from these changes, looks good.

[rata]

@cyphar All should be solved now, PTAL

[cyphar]

LGTM, thanks!

[AkihiroSuda]

How to detect whether the runtime supports arbitrary mapping?

[rata]

@AkihiroSuda We can add other fields for that.

I'm not convinced it is useful, though. From the high-level container runtime, it is not that you will choose different mappings if that is supported or not. You need the mappings you need, and all you care about is that runc will not just ignore the setting and create a big mess (as files in volumes will be owned by the hostUID/GID, etc.).

If that is not supported, what you want is runc to throw an error, not discover it via features IMHO. So, I don't see why exposing that would be useful.

[cyphar]

Knowing the support level is useful for the same reason the rest of the features subcommand is useful -- it means you don't have to trial-and-error test which features are available.

@AkihiroSuda I will open an issue where we can flesh out which extra fields we want (based on the above discussion). I felt that merging this as-is is okay, as we can discuss the details of extending it separately.

[rata]

@cyphar can you cc me?

[rata]

Oh, it is already open

[AkihiroSuda]

@cyphar Next time can we use the merge button on the GitHub web UI?
On the web UI this PR is marked as "closed" and caused a confusion to me.

[cyphar]

Putting "closed" in the merge commit used to not cause issues, it seems GitHub has changed something. I will avoid putting it in the future.

I prefer merging from the cli because my merge commits are signed that way.