Support feature subcommand

[musaprg]

derived from #2395, and fixes #815

This PR introduces a new youki features subcommand, which returns the Features Structure¹ defined in the OCI runtime spec. Features Structure is written in JSON format and contains runtime features supported by the youki.

TODO

• Add seccomp support information based on the feature flags
  • Waiting for the response of Add seccomp into feature flags of youki to be compiled in #2924

Footnotes

1. https://github.com/opencontainers/runtime-spec/blob/main/features.md ↩

[YJDoc2]

Hey @musaprg , just wanted to confirm if you are following up on this, or might be busy with something else. No worries if you can't continue, but let us know. Thanks!

[musaprg]

@YJDoc2 Hi. sorry I have been a bit busy these days, but I'm still working on it. I'll update the dependency and add missing implementations.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 95.56962% with 7 lines in your changes missing coverage. Please review.

Project coverage is 67.04%. Comparing base (ea96160) to head (e28d8ac).
Report is 14 commits behind head on main.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2837      +/-   ##
==========================================
+ Coverage   66.76%   67.04%   +0.28%     
==========================================
  Files         131      131              
  Lines       16673    16831     +158     
==========================================
+ Hits        11131    11285     +154     
- Misses       5542     5546       +4     

[musaprg]

@YJDoc2 @utam0k Hi, this PR is ready for review now. Could you check it at your convenience?
I don't think supporting seccomp support information in this PR would be necessary. I can implement it in another PR once #2924 gets merged. Thanks!

[YJDoc2]

Couple of comments.

[YJDoc2]

Hey @musaprg , I ran this on my system and compared with runc's output, and there are some differences -

• youki's output

`./youki features`

{ "ociVersionMin": "1.0.0", "ociVersionMax": "1.0.2", "hooks": [ "prestart", "createRuntime", "createContainer", "startContainer", "poststart", "poststop" ], "mountOptions": [ "async", "atime", "bind", "defaults", "dev", "diratime", "dirsync", "exec", "mand", "noatime", "nodev", "nodiratime", "noexec", "nomand", "norelatime", "nosuid", "nostrictatime", "private", "rbind", "rdev", "relatime", "remount", "rnoatime", "rnodev", "rnodiratime", "rnoexec", "rnorelatime", "rnosuid", "rnostrictatime", "ro", "rprivate", "rrw", "rshared", "rsuid", "rsymfollow", "rslave", "rstrictatime", "runbindable", "rw", "shared", "slave", "strictatime", "suid", "sync", "unbindable" ], "linux": { "namespaces": [ "pid", "network", "uts", "ipc", "mount", "user", "cgroup", "time" ], "capabilities": [], "cgroup": { "v1": false, "v2": false, "systemd": false, "systemdUser": false, "rdma": false }, "seccomp": null, "apparmor": { "enabled": true }, "selinux": { "enabled": false }, "intelRdt": { "enabled": true }, "mountExtensions": { "idmap": { "enabled": false } } }, "annotations": null, "potentiallyUnsafeConfigAnnotations": null }

• runc's output

`runc features`

{ "ociVersionMin": "1.0.0", "ociVersionMax": "1.0.2-dev", "hooks": [ "prestart", "createRuntime", "createContainer", "startContainer", "poststart", "poststop" ], "mountOptions": [ "acl", "async", "atime", "bind", "defaults", "dev", "diratime", "dirsync", "exec", "iversion", "lazytime", "loud", "mand", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nolazytime", "nomand", "norelatime", "nostrictatime", "nosuid", "nosymfollow", "private", "ratime", "rbind", "rdev", "rdiratime", "relatime", "remount", "rexec", "rnoatime", "rnodev", "rnodiratime", "rnoexec", "rnorelatime", "rnostrictatime", "rnosuid", "rnosymfollow", "ro", "rprivate", "rrelatime", "rro", "rrw", "rshared", "rslave", "rstrictatime", "rsuid", "rsymfollow", "runbindable", "rw", "shared", "silent", "slave", "strictatime", "suid", "symfollow", "sync", "tmpcopyup", "unbindable" ], "linux": { "namespaces": [ "cgroup", "ipc", "mount", "network", "pid", "user", "uts" ], "capabilities": [ "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE" ], "cgroup": { "v1": true, "v2": true, "systemd": true, "systemdUser": true }, "seccomp": { "enabled": true, "actions": [ "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_KILL_THREAD", "SCMP_ACT_LOG", "SCMP_ACT_NOTIFY", "SCMP_ACT_TRACE", "SCMP_ACT_TRAP" ], "operators": [ "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_LE", "SCMP_CMP_LT", "SCMP_CMP_MASKED_EQ", "SCMP_CMP_NE" ], "archs": [ "SCMP_ARCH_AARCH64", "SCMP_ARCH_ARM", "SCMP_ARCH_MIPS", "SCMP_ARCH_MIPS64", "SCMP_ARCH_MIPS64N32", "SCMP_ARCH_MIPSEL", "SCMP_ARCH_MIPSEL64", "SCMP_ARCH_MIPSEL64N32", "SCMP_ARCH_PPC", "SCMP_ARCH_PPC64", "SCMP_ARCH_PPC64LE", "SCMP_ARCH_RISCV64", "SCMP_ARCH_S390", "SCMP_ARCH_S390X", "SCMP_ARCH_X32", "SCMP_ARCH_X86", "SCMP_ARCH_X86_64" ] }, "apparmor": { "enabled": true }, "selinux": { "enabled": true } }, "annotations": { "io.github.seccomp.libseccomp.version": "2.5.3", "org.opencontainers.runc.checkpoint.enabled": "true", "org.opencontainers.runc.commit": "v1.1.13-0-g58aa920", "org.opencontainers.runc.version": "1.1.13" } }

The major differences I see here are capabilities list, cgroup and systemd info, also seccomp info. Can you take a look?

[musaprg]

@YJDoc2 IIUC, as for the systemd-related fields, it depends on the youki's feature flags indicating which feature should be compiled in. I guess executing cargo build without any feature flags won't include any cgroup features such as v1, v2, systemd, systemd-user. Could you try scripts/build.sh -o $PWD -c youki -f v2 for example?

[musaprg]

As for the seccomp information, #2924 is required to be merged, so I've just left it as null, which means unknown about seccomp support.

[musaprg]

As for capabilities, I probably misunderstood the spec. The capabilities listed there don't have to be actually supported on the kernel running youki. I've fixed it in b8f902a.

The recognized names of the capabilities, including capabilities that might not be supported by the host operating system. The runtime MUST recognize the elements in this array in the process.capabilities object of config.json.
https://github.com/opencontainers/runtime-spec/blob/main/features-linux.md#capabilities

[musaprg]

I noticed that namespaces also should include all possible namespaces regardless of whether it's supported on the kernel. I've fixed it in a73d957.

The recognized names of the namespaces, including namespaces that might not be supported by the host operating system. The runtime MUST recognize the elements in this array as the type of linux.namespaces objects in config.json.

[utam0k]

This may be slightly beyond the scope of this PR, but I'm considering methods to ensure this list is regularly updated. WDYT?

[musaprg]

OK, I'll try.

[YJDoc2]

Hey, unless either of you have done implementation of the updation, I think we should go ahead with hard-coded parts in this PR and merge once reviewed, and the dynamic values can be done in #2937 or so. WDYT?

[musaprg]

Sorry, I have been a bit busy recently. Separating PR sounds good to me, but either would be fine. I'll continue working on #2937 in that case.