
oci: Add --fakeroot support to --oci mode #1135

Merged
merged 1 commit into from
Nov 28, 2022

Conversation


@dtrudg dtrudg commented Nov 21, 2022

Description of the Pull Request (PR):

Implements initial --fakeroot support for --oci mode. Mirrors behavior with --compat / --contain.

The process of accomplishing this is fairly complex. In theory, we should be able to call crun directly from host namespaces. We can let crun create a default userns and user mapping, or be able to request arbitrary explicit uid mappings (permitted by /etc/subuid /etc/subgid) to be applied.

Unfortunately this can hit bugs as this path is not well tested in crun. See e.g.

To avoid requiring the very latest crun with fixes, instead move to creating a userns ourselves, with a 'fakeroot' ID mapping in place, and call crun from that. This is the kind of flow implemented in other runtimes that call crun, such as podman.... so crun is well tested with it.

We can use the singularity starter with the fakeroot engine, and a minimal config, to create the userns and id mapping. We already use it this way to perform a simple rm cleanup in --fakeroot execution of a native singularity container. This approach avoids having to implement further C/Go executables, or making large imports, such as the reexec + unshare packages from github.com/containers/storage.

We are now, by default, calling crun or runc with a fakeroot setup... with host uid/gid mapped to 0 inside the userns. This is default for most OCI runtimes, however singularity default is to preserve the host id.

We need to have (fake) root inside the userns for crun / runc to work properly... so to return to the host uid in the container we insert an inner user namespace / ID mapping request into the bundle config.json. This reverses the mapping, i.e.

  • User ID on host (1001)
  • Root in outer user namespace (0)
  • User ID in container (1001)

I've added a README.md in this PR, as things are rather complex:

https://github.com/sylabs/singularity/blob/9680663bb1eccbfade2de9f639e1e4be49ffb3bf/internal/pkg/runtime/launcher/oci/README.md

Note that there are likely still some rough edges, and the oci launcher package is getting toward the point where it should be split, but I don't want to add too much more to this single review.

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:
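The reversed inner mapping described above (host 1001, root in the outer userns, 1001 again in the container), as an added Go example that is not Singularity's own code: it treats the bundle's config.json as a generic JSON tree, appends a `user` namespace with a one-ID uid/gid mapping back from outer ID 0, and resets the process user to the host ID. `SampleConfig`, `child` and `AddInnerUserNS` are names assumed for this example, and the sample config is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
)

// SampleConfig is a constructed, minimal config.json standing in for the
// bundle crun/runc receives once the outer fakeroot userns already exists.
const SampleConfig = `{
  "ociVersion": "1.0.2",
  "process": {"user": {"uid": 0, "gid": 0}, "args": ["/bin/sh"]},
  "root": {"path": "rootfs"},
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]}
}`

// child returns m[key] as an object, creating it when absent.
func child(m map[string]any, key string) map[string]any {
	c, _ := m[key].(map[string]any)
	if c == nil {
		c = map[string]any{}
		m[key] = c
	}
	return c
}

// AddInnerUserNS requests an inner user namespace whose single mapping sends
// ID 0 of the outer (fakeroot) namespace back to the caller's host IDs, so the
// container process ends up as hostUID/hostGID rather than root. Editing the
// generic JSON tree keeps every field this example does not model.
func AddInnerUserNS(cfg []byte, hostUID, hostGID uint32) ([]byte, error) {
	var spec map[string]any
	if err := json.Unmarshal(cfg, &spec); err != nil {
		return nil, err
	}
	linux := child(spec, "linux")
	nss, _ := linux["namespaces"].([]any)
	for _, ns := range nss {
		if m, ok := ns.(map[string]any); ok && m["type"] == "user" {
			return nil, errors.New("config.json already requests a user namespace")
		}
	}
	linux["namespaces"] = append(nss, map[string]any{"type": "user"})
	// One ID each way; every other ID is unmapped and shows up as nobody.
	linux["uidMappings"] = []any{map[string]any{"containerID": hostUID, "hostID": 0, "size": 1}}
	linux["gidMappings"] = []any{map[string]any{"containerID": hostGID, "hostID": 0, "size": 1}}
	// The process must start as a mapped ID, i.e. the host ID again.
	user := child(child(spec, "process"), "user")
	user["uid"], user["gid"] = hostUID, hostGID
	return json.MarshalIndent(spec, "", "  ")
}
```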

@dtrudg dtrudg added the ci:e2e label Nov 21, 2022
@dtrudg dtrudg added this to the SingularityCE 3.11 milestone Nov 21, 2022
@dtrudg dtrudg self-assigned this Nov 21, 2022
@dtrudg dtrudg force-pushed the oci-fakeroot branch 16 times, most recently from 2ab8ec8 to a370a87 Compare November 25, 2022 15:39

Initial --fakeroot support for --oci mode. Mirrors behavior with
--compat / --contain.

Closes sylabs#1035
@dtrudg dtrudg marked this pull request as ready for review November 25, 2022 16:04
Member

@tri-adam tri-adam left a comment

Phew, there's a lot here! Thank you very much for the added README... very helpful.

Haven't had a chance to test extensively myself, so approving based on code review. Will definitely be digging deeper early next week, and don't think there's any need to hold up merging if you're comfortable doing so.

Member Author

dtrudg commented Nov 28, 2022

Will merge this now, as there are a couple of small PRs to knock out next, and I can branch those off main then, instead of stacking them.

@dtrudg dtrudg merged commit 5f6d753 into sylabs:main Nov 28, 2022
@dtrudg dtrudg deleted the oci-fakeroot branch November 28, 2022 11:00
Successfully merging this pull request may close these issues.

Support '--fakeroot' with OCI launcher.