unprivileged: add CLI options for isolation and storage

Dockerfile

@@ -17,7 +17,9 @@ COPY imagecontent/etc/containers /etc/containers
 COPY imagecontent/usr/share/containers /usr/share/containers
 RUN mkdir -p /var/cache/blobs \
     /var/lib/shared/overlay-images \
-    /var/lib/shared/overlay-layers && \
+    /var/lib/shared/overlay-layers \
+    /etc/pki/tls/certs /etc/docker/certs.d && \
+    chmod g+w /etc/pki/tls/certs /etc/docker/certs.d && \
     touch /var/lib/shared/overlay-images/images.lock \
     /var/lib/shared/overlay-layers/layers.lock
 

Dockerfile-dev

@@ -3,7 +3,6 @@ LABEL io.k8s.display-name="OpenShift Origin Builder" \
       io.k8s.description="This is a component of OpenShift Origin and is responsible for executing image builds." \
       io.openshift.tags="openshift,builder"
 
-# TODO: Add fuse-overlayfs once we build off of RHEL-8 UBI
 RUN INSTALL_PKGS=" \
       bind-utils bsdtar findutils fuse-overlayfs git hostname lsof \
       procps-ng runc socat tar tree util-linux wget which \
@@ -15,7 +14,9 @@ COPY imagecontent/etc/containers /etc/containers
 COPY imagecontent/usr/share/containers /usr/share/containers
 RUN mkdir -p /var/cache/blobs \
     /var/lib/shared/overlay-images \
-    /var/lib/shared/overlay-layers && \
+    /var/lib/shared/overlay-layers \
+    /etc/pki/tls/certs /etc/docker/certs.d && \
+    chmod g+w /etc/pki/tls/certs /etc/docker/certs.d && \
     touch /var/lib/shared/overlay-images/images.lock \
     /var/lib/shared/overlay-layers/layers.lock
 

Dockerfile.rhel7

@@ -17,7 +17,9 @@ COPY imagecontent/etc/containers /etc/containers
 COPY imagecontent/usr/share/containers /usr/share/containers
 RUN mkdir -p /var/cache/blobs \
     /var/lib/shared/overlay-images \
-    /var/lib/shared/overlay-layers && \
+    /var/lib/shared/overlay-layers \
+    /etc/pki/tls/certs /etc/docker/certs.d && \
+    chmod g+w /etc/pki/tls/certs /etc/docker/certs.d && \
     touch /var/lib/shared/overlay-images/images.lock \
     /var/lib/shared/overlay-layers/layers.lock
 

Dockerfile.rhel8

@@ -16,7 +16,9 @@ COPY imagecontent/etc/containers /etc/containers
 COPY imagecontent/usr/share/containers /usr/share/containers
 RUN mkdir -p /var/cache/blobs \
     /var/lib/shared/overlay-images \
-    /var/lib/shared/overlay-layers && \
+    /var/lib/shared/overlay-layers \
+    /etc/pki/tls/certs /etc/docker/certs.d && \
+    chmod g+w /etc/pki/tls/certs /etc/docker/certs.d && \
     touch /var/lib/shared/overlay-images/images.lock \
     /var/lib/shared/overlay-layers/layers.lock
 

cmd/builder.go

@@ -11,6 +11,7 @@ import (
 	kcmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"k8s.io/kubectl/pkg/util/templates"
 
+	"github.com/containers/common/pkg/config"
 	"github.com/openshift/builder/pkg/build/builder/cmd"
 	"github.com/openshift/builder/pkg/version"
 )
@@ -65,31 +66,72 @@ func NewCmdVersion(fullName string, versionInfo k8sversion.Info, buildahVersion
 
 // NewCommandS2IBuilder provides a CLI handler for S2I build type
 func NewCommandS2IBuilder(name string) *cobra.Command {
+	var isolation, ociRuntime, storageDriver, storageOptions string
+
+	defaultConfig, err := config.DefaultConfig()
+	kcmdutil.CheckErr(err)
+
 	cmd := &cobra.Command{
 		Use:   name,
 		Short: "Run a Source-to-Image build",
 		Long:  s2iBuilderLong,
 		Run: func(c *cobra.Command, args []string) {
-			err := cmd.RunS2IBuild(c.OutOrStderr())
+			var err error
+			if isolation == "" {
+				isolation, err = builderDefaultIsolation()
+				kcmdutil.CheckErr(err)
+			}
+			if storageDriver == "" {
+				storageDriver, storageOptions, err = builderDefaultStorage()
+				kcmdutil.CheckErr(err)
+			}
+			err = cmd.RunS2IBuild(c.OutOrStderr(), isolation, ociRuntime, storageDriver, storageOptions)
 			kcmdutil.CheckErr(err)
 		},
 	}
 
+	flags := cmd.Flags()
+	flags.StringVar(&isolation, "isolation", isolation, "type of process `isolation` to use for RUN instructions")
+	flags.StringVar(&ociRuntime, "oci-runtime", defaultConfig.Engine.OCIRuntime, "runtime to invoke for OCI isolation")
+	flags.StringVar(&storageDriver, "storage-driver", storageDriver, "storage driver to use for storing layers, images, and working containers")
+	flags.StringVar(&storageOptions, "storage-options", storageOptions, "storage options to use when storing layers, images, and working containers")
+
 	cmd.AddCommand(NewCmdVersion(name, version.Get(), version.BuildahVersion(), os.Stdout))
 	return cmd
 }
 
 // NewCommandDockerBuilder provides a CLI handler for Docker build type
 func NewCommandDockerBuilder(name string) *cobra.Command {
+	var isolation, ociRuntime, storageDriver, storageOptions string
+
+	defaultConfig, err := config.DefaultConfig()
+	kcmdutil.CheckErr(err)
+
 	cmd := &cobra.Command{
 		Use:   name,
 		Short: "Run a Docker build",
 		Long:  dockerBuilderLong,
 		Run: func(c *cobra.Command, args []string) {
-			err := cmd.RunDockerBuild(c.OutOrStderr())
+			var err error
+			if isolation == "" {
+				isolation, err = builderDefaultIsolation()
+				kcmdutil.CheckErr(err)
+			}
+			if storageDriver == "" {
+				storageDriver, storageOptions, err = builderDefaultStorage()
+				kcmdutil.CheckErr(err)
+			}
+			err = cmd.RunDockerBuild(c.OutOrStderr(), isolation, ociRuntime, storageDriver, storageOptions)
 			kcmdutil.CheckErr(err)
 		},
 	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&isolation, "isolation", isolation, "type of process `isolation` to use for RUN instructions")
+	flags.StringVar(&ociRuntime, "oci-runtime", defaultConfig.Engine.OCIRuntime, "runtime to invoke for OCI isolation")
+	flags.StringVar(&storageDriver, "storage-driver", storageDriver, "storage driver to use for storing layers, images, and working containers")
+	flags.StringVar(&storageOptions, "storage-options", storageOptions, "storage options to use when storing layers, images, and working containers")
+
 	cmd.AddCommand(NewCmdVersion(name, version.Get(), version.BuildahVersion(), os.Stdout))
 	return cmd
 }

cmd/defaults.go

@@ -0,0 +1,106 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/containers/storage"
+	"k8s.io/klog/v2"
+)
+
+// Return "chroot" if we know we're not actually root, "oci" otherwise.
+func builderDefaultIsolation() (string, error) {
+	if inUserNamespace() {
+		// We probably don't have enough privileges to use a proper
+		// runtime.
+		// Lean on the container that we're in being itself
+		// unprivileged (i.e., having control groups including the
+		// device cgroup configured for us, being provided with a
+		// smaller set of devices in /dev, and likely running without a
+		// few capabilities that we don't need), and reduce the degree
+		// of isolation that we try to use to what we know we're
+		// actually allowed to do in an unprivileged container.
+		return "chroot", nil
+	}
+	// Use the proper runtime.
+	return "oci", nil
+}
+
+// Check that /dev/fuse is usable and we have the fuse-overlayfs helper.
+func builderCanUseOverlayFUSE() error {
+	device, err := os.Open("/dev/fuse")
+	if err != nil {
+		return fmt.Errorf("error opening device: %v", err)
+	}
+	defer device.Close()
+	if _, err := os.Stat("/usr/bin/fuse-overlayfs"); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Try various storage setups until we find one that works with the privileges
+// that we currently have.
+func builderDefaultStorage() (string, string, error) {
+	for _, candidate := range []struct {
+		driver, options string
+		also            func() error
+	}{
+		{"overlay", `["mountopt=metacopy=on"]`, nil},
+		{"overlay", ``, nil},
+		{"overlay", `["mount_program=/usr/bin/fuse-overlayfs","mountopt=metacopy=on"]`, builderCanUseOverlayFUSE},
+		{"overlay", `["mount_program=/usr/bin/fuse-overlayfs"]`, builderCanUseOverlayFUSE},
+		{"vfs", "", nil},
+	} {
+		var options []string
+		// Is there an additional test?
+		if candidate.also != nil {
+			if why := candidate.also(); why != nil {
+				klog.V(2).Info(why.Error())
+				continue
+			}
+		}
+		// Are there options for this case?
+		if candidate.options != "" {
+			err := json.Unmarshal([]byte(candidate.options), &options)
+			if err != nil {
+				klog.Errorf("internal error parsing options %q: %v", candidate.options, err)
+				continue
+			}
+		}
+		// Precreate some things.
+		if _, err := os.Stat(fmt.Sprintf("/var/lib/shared/%s-layers/layers.lock", candidate.driver)); err == nil {
+			if _, err := os.Stat(fmt.Sprintf("/var/lib/shared/%s-images/images.lock", candidate.driver)); err == nil {
+				if _, err := os.Stat(fmt.Sprintf("/var/lib/shared/%s-containers/containers.lock", candidate.driver)); err == nil {
+					options = append(options, fmt.Sprintf("%s.imagestore=/var/lib/shared", candidate.driver))
+				}
+			}
+		}
+		// Clear out the directory we're about to use.
+		os.RemoveAll("/var/lib/containers/storage/tmp")
+		os.RemoveAll("/run/containers/storage/tmp")
+		// Try to initialize storage.
+		store, err := storage.GetStore(storage.StoreOptions{
+			GraphRoot:          "/var/lib/containers/storage/tmp",
+			RunRoot:            "/run/containers/storage/tmp",
+			GraphDriverName:    candidate.driver,
+			GraphDriverOptions: options,
+		})
+		if err != nil {
+			klog.V(2).Infof("Unable to initialize storage %q with options %v: %v\n", candidate.driver, options, err)
+			continue
+		}
+		// Shut down the storage that we were able to initialize.
+		_, err = store.Shutdown(true)
+		// Re-encode the options before returning them.
+		reencodedOptions, err := json.Marshal(options)
+		if err != nil {
+			klog.Errorf("Error re-encoding options %v: %v\n", options, err)
+			continue
+		}
+		klog.Infof("Defaulting to storage driver %q with options %v.\n", candidate.driver, options)
+		return candidate.driver, string(reencodedOptions), nil
+	}
+	return "", "", nil
+}

cmd/main.go

@@ -10,10 +10,12 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/reexec"
 	"github.com/spf13/cobra"
 
 	"k8s.io/component-base/logs"
+	kcmdutil "k8s.io/kubectl/pkg/cmd/util"
 
 	"github.com/openshift/builder/pkg/build/builder"
 	"github.com/openshift/builder/pkg/version"
@@ -52,19 +54,37 @@ func main() {
 	fs := s2ifs.NewFileSystem()
 	err := fs.Copy(clusterCASrc, clusterCADst, map[string]string{})
 	if err != nil {
-		fmt.Printf("Error setting up cluster CA cert: %v", err)
+		fmt.Printf("Error setting up cluster CA cert: %v\n", err)
 		os.Exit(1)
 	}
 
 	runtimeCASrc := fmt.Sprintf("%s/certs.d", builder.ConfigMapCertsMountPath)
 	err = fs.CopyContents(runtimeCASrc, runtimeCertRoot, map[string]string{})
 	if err != nil {
-		fmt.Printf("Error setting up service CA cert: %v", err)
+		fmt.Printf("Error setting up service CA cert: %v\n", err)
 		os.Exit(1)
 	}
 
 	basename := filepath.Base(os.Args[0])
 	command := CommandFor(basename)
+
+	flags := command.Flags()
+	var uidmap, gidmap string
+	var useNewuidmap, useNewgidmap bool
+	flags.StringVar(&uidmap, "uidmap", "", "re-exec in a user namespace using the specified UID map")
+	flags.StringVar(&gidmap, "gidmap", "", "re-exec in a user namespace using the specified GID map")
+	flags.BoolVar(&useNewuidmap, "use-newuidmap", os.Geteuid() != 0, "use newuidmap to set up UID mappings")
+	flags.BoolVar(&useNewgidmap, "use-newgidmap", os.Geteuid() != 0, "use newgidmap to set up GID mappings")
+	wrapped := command.Run
+	command.Run = func(c *cobra.Command, args []string) {
+		storeOptions, err := storage.DefaultStoreOptions(false, 0)
+		kcmdutil.CheckErr(err)
+		os.MkdirAll(storeOptions.GraphRoot, 0775)
+		os.MkdirAll(storeOptions.RunRoot, 0775)
+		maybeReexecUsingUserNamespace(uidmap, useNewuidmap, gidmap, useNewgidmap)
+		wrapped(c, args)
+	}
+
 	if err := command.Execute(); err != nil {
 		os.Exit(1)
 	}
@@ -76,15 +96,15 @@ func CommandFor(basename string) *cobra.Command {
 	var cmd *cobra.Command
 
 	switch basename {
-	case "openshift-sti-build":
+	case "openshift-sti-build", "openshift-sti-build-in-a-user-namespace":
 		cmd = NewCommandS2IBuilder(basename)
-	case "openshift-docker-build":
+	case "openshift-docker-build", "openshift-docker-build-in-a-user-namespace":
 		cmd = NewCommandDockerBuilder(basename)
-	case "openshift-git-clone":
+	case "openshift-git-clone", "openshift-git-clone-in-a-user-namespace":
 		cmd = NewCommandGitClone(basename)
-	case "openshift-manage-dockerfile":
+	case "openshift-manage-dockerfile", "openshift-manage-dockerfile-in-a-user-namespace":
 		cmd = NewCommandManageDockerfile(basename)
-	case "openshift-extract-image-content":
+	case "openshift-extract-image-content", "openshift-extract-image-content-in-a-user-namespace":
 		cmd = NewCommandExtractImageContent(basename)
 	default:
 		fmt.Printf("unknown command name: %s\n", basename)