projectatomic / atomic

Atomic Run Tool for installing/running/managing container images.

atomic: use runc by default with --user #1226

Closed giuseppe closed 6 years ago

giuseppe commented 6 years ago

Description

Now that runc has support for rootless containers, let's switch to using it by default. A newer version of runc that is currently present on Fedora 27 is needed.

Move into atomic some of the transformations that were previously made by bwrap-oci/bubblewrap to adapt the config.json file to run as a non privileged user. For example, force the user namespace to be specified and that a valid uid/gid mapping is provided.

More changes might be needed in future, but for now, this is enough to get the etcd system container to run as a non privileged user using runc.

giuseppe commented 6 years ago

bot, please retry

giuseppe commented 6 years ago

yes, I think the easiest way is to compare the output of runc spec and runc spec --rootless. runc is very strict and it errors out immediately if some configuration is not allowed, so we must be a bit more careful than with bwrap-oci (that in any case was implementing only a subset of OCI).

I cannot add a test case yet as it requires a newer runc than what is currently available on Fedora 27. I have tested with a new runc that the etcd system container can still run without any modification to its configuration.

giuseppe commented 6 years ago

@rhatdan any comments on this PR?

rhatdan commented 6 years ago

LGTM But I have a few questions.

What happens if the user is not listed in /etc/subuid and /etc/subgid? Do I get a decent error message?

giuseppe commented 6 years ago

the /etc/subuid and /etc/subgid are used only for additional ids, if the file doesn't exist or the user is not present then we don't add any. By default we always have current user on the host -> root in the container
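An added illustration of the config.json transformation described in the PR description and in the comment above (example code written for this page, not atomic's own implementation): add the user namespace, map the current host user to root in the container, and append subordinate ranges only if the user is listed in /etc/subuid and /etc/subgid. The config and the /etc/subuid contents are constructed; the field names follow the OCI runtime spec (linux.namespaces, linux.uidMappings, linux.gidMappings).

```python
import copy

def parse_subid(text, name):
    """Return the (start, count) ranges allotted to `name` in /etc/subuid or /etc/subgid."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] != name:
            continue
        try:
            ranges.append((int(parts[1]), int(parts[2])))
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole file
    return ranges

def build_mappings(host_id, ranges):
    """Map the current host id to container id 0, then lay subordinate ranges after it."""
    mappings = [{"containerID": 0, "hostID": host_id, "size": 1}]
    next_id = 1
    for start, count in ranges:
        if count <= 0:
            continue
        mappings.append({"containerID": next_id, "hostID": start, "size": count})
        next_id += count
    return mappings

def make_rootless(config, name, uid, gid, subuid_text="", subgid_text=""):
    """Return a copy of an OCI config with a user namespace and valid id mappings."""
    cfg = copy.deepcopy(config)
    linux = cfg.setdefault("linux", {})
    namespaces = linux.setdefault("namespaces", [])
    if not any(ns.get("type") == "user" for ns in namespaces):
        namespaces.append({"type": "user"})
    linux["uidMappings"] = build_mappings(uid, parse_subid(subuid_text, name))
    linux["gidMappings"] = build_mappings(gid, parse_subid(subgid_text, name))
    return cfg

# Constructed sample input: a minimal config.json without a user namespace, and a
# /etc/subuid that has one range for gscrivano and none for the current user.
SAMPLE_CONFIG = {"ociVersion": "1.0.0", "process": {"user": {"uid": 0, "gid": 0}},
                 "linux": {"namespaces": [{"type": "mount"}, {"type": "pid"}]}}
SAMPLE_SUBUID = "# constructed /etc/subuid\ngscrivano:100000:65536\nother:165536:65536\n"

if __name__ == "__main__":
    import json
    out = make_rootless(SAMPLE_CONFIG, "gscrivano", 1000, 1000, SAMPLE_SUBUID)
    print(json.dumps(out["linux"], indent=2))
```

With no subordinate entry the result is exactly the single host user -> root mapping that `unshare -r` gives; runc rejects a config whose mappings do not fit what the user is allowed, so the check on the input file matters.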

giuseppe commented 6 years ago

As additional feature, I thought of adding --rootfs to podman so that it can be used with user/system containers:

1) storage will still be managed by atomic/ostree
2) podman will only manage the container, as runc does now. The podman CLI is much easier to use than the config.json

Changes needed:
1) --rootfs in podman
2) change atomic to allow customization of ExecStartPre\ExecStart\ExecStop\ExecStopPost. At the moment these are not possible to set with --set as they are hardcoded.

giuseppe commented 6 years ago

the second part was quite straightforward to implement: https://github.com/projectatomic/atomic/pull/1231

rhatdan commented 6 years ago

I thought if a user does not have an entry in the /etc/subuid and /etc/subgid file, he is not allowed to use userns?

giuseppe commented 6 years ago

no, the user is still allowed, but cannot map more than one user from the host:

$ id -nu
gscrivano
$ grep -c gscrivano /etc/subuid
0
$ unshare -r id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

rhatdan commented 6 years ago

@rh-atomic-bot r+

rh-atomic-bot commented 6 years ago

:pushpin: Commit f76be30 has been approved by rhatdan

rh-atomic-bot commented 6 years ago

:hourglass: Testing commit f76be30 with merge e045e8b...

rh-atomic-bot commented 6 years ago

:sunny: Test successful - status-papr Approved by: rhatdan Pushing e045e8baef317f16958ed74566e7032cd5a96957 to master...