firecracker-microvm / firectl

firectl is a command-line tool to run Firecracker microVMs
Apache License 2.0

Jailer support #57

Closed dreadl0ck closed 3 years ago

dreadl0ck commented 4 years ago

Jailer Support

This pull request adds support to use the jailer for securing firecracker vms launched with firectl.

It extends the flag set with the following flags, following the firecracker flag naming of the firecracker and jailer binaries:

type options struct {
    ...
    Id           string `long:"id" description:"Jailer VMM id"`
    ExecFile     string `long:"exec-file" description:"Jailer executable"`
    JailerBinary string `long:"jailer" description:"Jailer binary"`

    Uid      int    `long:"uid" description:"Jailer uid for dropping privileges"`
    Gid      int    `long:"gid" description:"Jailer gid for dropping privileges"`
    NumaNode int    `long:"node" description:"Jailer numa node"`

    ChrootBaseDir string `long:"chroot-base-dir" description:"Jailer chroot base directory"`
    Daemonize     bool   `long:"daemonize" description:"Run jailer as daemon"`
}

It makes use of the official Go SDK to invoke the jailer and is configured entirely via commandline flags.

The new command line interface looks like this:

$ firectl -h
Usage:
  firectl [OPTIONS]

Application Options:
      --firecracker-binary=     Path to firecracker binary
      --kernel=                 Path to the kernel image (default: ./vmlinux)
      --kernel-opts=            Kernel commandline (default: ro console=ttyS0 noapic reboot=k
                                panic=1 pci=off nomodules)
      --root-drive=             Path to root disk image
      --root-partition=         Root partition UUID
      --add-drive=              Path to additional drive, suffixed with :ro or :rw, can be specified
                                multiple times
      --tap-device=             NIC info, specified as DEVICE/MAC, can be specified multiple times
      --vsock-device=           Vsock interface, specified as PATH:CID. Multiple OK
      --vmm-log-fifo=           FIFO for firecracker logs
      --log-level=              vmm log level (default: Debug)
      --metrics-fifo=           FIFO for firecracker metrics
  -t, --disable-hyperthreading  Disable CPU Hyperthreading
  -c, --ncpus=                  Number of CPUs (default: 1)
      --cpu-template=           Firecracker CPU Template (C3 or T2)
  -m, --memory=                 VM memory, in MiB (default: 512)
      --metadata=               Firecracker Metadata for MMDS (json)
  -l, --firecracker-log=        pipes the fifo contents to the specified file
  -s, --socket-path=            path to use for firecracker socket, defaults to a unique file in in
                                the first existing directory from {$HOME, $TMPDIR, or /tmp}
  -d, --debug                   Enable debug output
      --version                 Outputs the version of the application
      --id=                     Jailer VMM id
      --exec-file=              Jailer executable
      --jailer=                 Jailer binary
      --uid=                    Jailer uid for dropping privileges
      --gid=                    Jailer gid for dropping privileges
      --node=                   Jailer numa node
      --chroot-base-dir=        Jailer chroot base directory
      --daemonize               Run jailer as daemon

Help Options:
  -h, --help                    Show this help message

I made a small change to the API to keep the configuration simple and ease debugging: https://github.com/firecracker-microvm/firecracker-go-sdk/pull/255

However, this pull request does not depend on it and uses the latest version v0.21.0 to accomplish its task.

cc @ppartarr

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
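Added example, not part of the pull request or of firectl's code: a pre-flight check for the jailer flags described above. It shows that an unset `--uid`/`--gid` (Go zero value 0) would mean root inside the jail, and where the jail root ends up. The names `jailerOpts` and `checkJailerOpts` are hypothetical, the sample values are constructed, and the id rule, default base directory and jail layout are taken from the jailer's documentation as assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
)

// jailerOpts mirrors the jailer-related flags listed in the PR description.
type jailerOpts struct {
	Id, ExecFile, JailerBinary, ChrootBaseDir string
	Uid, Gid                                  int
}

// Assumption from the jailer docs: id is alphanumeric plus hyphens, max 64 chars.
var validID = regexp.MustCompile(`^[A-Za-z0-9-]{1,64}$`)

// checkJailerOpts (hypothetical helper) rejects settings that weaken the jail
// and returns the directory that becomes the microVM's chroot.
func checkJailerOpts(o jailerOpts) (string, error) {
	// The id becomes a path component, so separators and ".." must not pass.
	if !validID.MatchString(o.Id) {
		return "", errors.New("id must be 1-64 alphanumeric or '-' characters")
	}
	// An int flag that was never set stays 0. Unless the caller checks, a
	// forgotten --uid or --gid asks the jailer to "drop" privileges to root.
	if o.Uid <= 0 || o.Gid <= 0 {
		return "", errors.New("uid and gid must name a non-root account")
	}
	// Policy of this example: no dependence on the working directory.
	if !filepath.IsAbs(o.ExecFile) {
		return "", errors.New("exec-file must be an absolute path")
	}
	base := o.ChrootBaseDir
	if base == "" {
		base = "/srv/jailer" // assumption: jailer's documented default
	}
	// Assumed layout: <chroot-base-dir>/<exec file name>/<id>/root
	return filepath.Join(base, filepath.Base(o.ExecFile), o.Id, "root"), nil
}

func main() {
	// Constructed sample values.
	ok := jailerOpts{Id: "vm-01", ExecFile: "/usr/bin/firecracker", Uid: 123, Gid: 100}
	fmt.Println(checkJailerOpts(ok))
	noUID := jailerOpts{Id: "vm-01", ExecFile: "/usr/bin/firecracker"}
	fmt.Println(checkJailerOpts(noUID))
}
```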

dreadl0ck commented 4 years ago

Updated the commits to include the "signed-off" line

nmeyerhans commented 4 years ago

Thanks for this. I'll take a look as soon as I've got some time. Seems like I also need to spend some time with the buildkite configuration, too.

nmeyerhans commented 3 years ago

I've added a couple new commits on top of yours to introduce SDK 0.22.0 support. It looks like at least options.go is still in need of having go fmt run on it. Could you please do that and squash the changes into the relevant commits before I merge?

dreadl0ck commented 3 years ago

Done, squashed all my commits into a single one #f1c8ba0.