Support idmap mounts for volumes

[rata]

This PR implements support for this runtime-spec change that added idmap mounts support: opencontainers/runtime-spec#1143

We open the idmap source paths and call mount_setattr() in runc PARENT,
as we need privileges in the init userns for that, and then sends the
fds to the child process. For this fd passing we use the same mechanism
used in other parts of thecode, the _LIBCONTAINER_ env vars.

The mount is finished (unix.MoveMount) from go code, inside the userns,
so we reuse all the prepareBindMount() security checks and the remount
logic for some flags too.

This PR only supports idmap mounts when userns are used AND the mappings
are the same specified for the userns mapping. This limitation is to
simplify the initial implementation, as all our users so far only need
this, and we can avoid sending over netlink the mappings, creating a
userns with this custom mapping, etc. Future PRs will remove this
limitation.

As the idmap case is quite similar to the existing mount sources case we
open with O_PATH, some simple refactors are done to share more code and
to group the slices of fds in go code. To that end, we created the
mountFds struct, and add all the slices of fds there.

This replaces PR #3429, as that PR tries to mount already when we are inside the user namespace. AFAIK, that will never work and therefore this PR tries a completely different way to do the idmap mounts.

This PR is co-authored-by: Francis Laniel <flaniel@linux.microsoft.com>

cc @eiffel-fl

Question

One open question I have is I added most validations in libcontainer/configs/validate/validator.go but I couldn't help to notice that other parts of the code do some other validations. All examples that I tried hit the validations, but am I missing adding the validations in some other part, that don't use this maybe when runc is called differently? Or adding them there should be enough?

TODO

• Pass idmap mount sources using bootstrap data (now hardcoded an example path)
• Add integration tests
• Modify the mountToRootfs() function to not move_mount and finish the idmap mount
• Update runtime spec to have the new fields for UID/GID mappings
• Address all TODOs I added in this PR

Changelog entry

• Support idmap mounts as specified in the OCI runtime-spec. Currently the mount mappings need to be identical to the mappings used in the user namespace section.
• Enforce absolute paths for mounts

Closes: #3429
Closes: #3020

[rata]

@AkihiroSuda can we add this to the 1.2 milestone? 🙏

[rata]

We have something working now. Will polish and push next week. Still tests and that missing.

[rata]

Test failures seem unrelated, for example:

make[1]: Entering directory '/go/src/github.com/opencontainers/runc'
fatal: detected dubious ownership in repository at '/go/src/github.com/opencontainers/runc'
To add an exception for this directory, call:

	git config --global --add safe.directory /go/src/github.com/opencontainers/runc
go build -trimpath -buildmode=pie -a -tags "seccomp urfave_cli_no_docs netgo osusergo" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev -linkmode external -extldflags --static-pie -w -s -buildid=" -o runc .
error obtaining VCS status: exit status 128
	Use -buildvcs=false to disable VCS stamping.
make[1]: *** [Makefile:69: static] Error 1

or go 1.19 with -race failing due to criu:

Run # criu repo
Warning: apt-key output should not be parsed (stdout is not a terminal)
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
gpg: no valid OpenPGP data found.
Error: Process completed with exit code 2.

[AkihiroSuda]

Please rebase, then the CI should be green

[thaJeztah]

We've had some issues with packages in the containerd repository (which was related to mirrors configured on the workers that only have a subset of architectures).

I gave CI a kick (hoping it was just a fluke) 🤞

[thaJeztah]

LGTM, thanks so much!

⚠️ ⚠️ I did not review the C code extensively; I'm not a C-coder, and don't want to pretend being one, so other than "a proper glance", haven't reviewed those commits. Reviews from others on those files therefore would be appreciated 👍

[lifubang]

Two small suggestions. we aleady have 3 LGTMs, I think we can move forward now.

[rata]

@lifubang thanks, fixed that too. Feel free to merge now! 🎉

[lifubang]

Thanks everyone working on this.

[cyphar]

Ah, this was merged while I was reviewing it. I guess I'll send a fix-up PR then... (I had 6-7 other comments but GitHub won't let me post them because the "diff has changed"...)

[cyphar]

Suggested change

	if err := unix.MoveMount(m.idmapFD, "", -1, dest, unix.MOVE_MOUNT_F_EMPTY_PATH); err != nil {
	if err := unix.MoveMount(m.idmapFD, "", unix.AT_FDCWD, dest, unix.MOVE_MOUNT_F_EMPTY_PATH); err != nil {

[cyphar]

nit: We don't usually call these wrappers sys_foo, we just call them foo, but I guess it doesn't really matter.

[cyphar]

Suggested change

	int fd_tree = sys_open_tree(-EBADF, idmap_src,
	int fd_tree = sys_open_tree(AT_FDCWD, idmap_src,

[rata]

We are enforcing that the path is a abs dir. If we use AT_FDCWD it will work (if the validation is skipped for some reason), while with this IIRC it will fail if the path is a rel path.

Why is this suggestion better?

[rata]

@cyphar Sure, feel free to open a PR and tag me if that works for you. Otherwise, let me know what suggested changes you had in mind

[lifubang]

Ah, this was merged while I was reviewing it.

Sorry to interrupt your code review. Maybe you can set this PR's label to status/2-codereview if the label is status/4-merge(This is learned from @thaJeztah ^_^) when you are doing an important code review. Thanks.

By the way, I think all the maintainers should have a msg group in a instant messaging tool If convenient. Then we can announce some important things in this msg group.

[AkihiroSuda]

msg

Do you have an account in opencontainers.slack.com ?
If you don't have, you can create one in https://communityinviter.com/apps/opencontainers/join-the-oci-community

[lifubang]

msg

Do you have an account in opencontainers.slack.com ? If you don't have, you can create one in https://communityinviter.com/apps/opencontainers/join-the-oci-community

Has created one account: Lifubang. Can you bring me in runc user group if there is? Thanks.

[AkihiroSuda]

Done, but not much active currently