implement rootless mode

Please refer to docs/rootless.md

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

Author: AkihiroSuda

cmd/buildkitd/main.go

@@ -97,6 +97,12 @@ func main() {
 			Name:  "tlscacert",
 			Usage: "ca certificate to verify clients",
 		},
+		cli.BoolFlag{
+			Name:  "rootless",
+			Usage: "execute without root privileges",
+			// TODO(AkihiroSuda): autodetect rootless mode
+			// TODO(AkihiroSuda): user-friendly help messages
+		},
 	}
 
 	app.Flags = append(app.Flags, appFlags...)

cmd/buildkitd/main_containerd_worker.go

@@ -52,6 +52,9 @@ func containerdWorkerInitializer(c *cli.Context, common workerInitializerOpt) ([
 	if err != nil {
 		return nil, err
 	}
+	if c.GlobalBool("rootless") {
+		logrus.Warn("rootless mode is not supported for containerd workers")
+	}
 	opt, err := containerd.NewWorkerOpt(common.root, socket, ctd.DefaultSnapshotter, labels)
 	if err != nil {
 		return nil, err

cmd/buildkitd/main_oci_worker.go

@@ -5,6 +5,7 @@ package main
 import (
 	"os/exec"
 
+	"github.com/moby/buildkit/executor/runcexecutor"
 	"github.com/moby/buildkit/worker"
 	"github.com/moby/buildkit/worker/base"
 	"github.com/moby/buildkit/worker/runc"
@@ -27,6 +28,11 @@ func init() {
 			Name:  "oci-worker-labels",
 			Usage: "user-specific annotation labels (com.example.foo=bar)",
 		},
+		cli.BoolTFlag{
+			Name:  "oci-worker-overlayfs",
+			Usage: "enable overlayfs snapshotter", // and differ when implemented
+			// TODO(AkihiroSuda): autodetect overlayfs availability?
+		},
 	)
 	// TODO: allow multiple oci runtimes and snapshotters
 }
@@ -43,7 +49,10 @@ func ociWorkerInitializer(c *cli.Context, common workerInitializerOpt) ([]worker
 	if err != nil {
 		return nil, err
 	}
-	opt, err := runc.NewWorkerOpt(common.root, labels)
+	exeOpt := runcexecutor.Opt{
+		Rootless: c.GlobalBool("rootless"),
+	}
+	opt, err := runc.NewWorkerOpt(common.root, labels, c.GlobalBoolT("oci-worker-overlayfs"), &exeOpt)
 	if err != nil {
 		return nil, err
 	}

docs/rootless.md

@@ -0,0 +1,47 @@
+# Rootless mode (Experimental)
+
+Requirements:
+- runc with https://github.com/opencontainers/runc/pull/1688
+- Some distros such as Arch Linux require `echo 1 > /proc/sys/kernel/unprivileged_ns_clone`
+
+
+## Terminal 1:
+
+```
+$ unshare -U -m
+unshared$ echo $$
+3539
+```
+
+Unsharing mountns (and userns) is required for mounting filesystems without real root privileges.
+
+## Terminal 2:
+
+```
+$ id -u
+1001
+$ grep $(whoami) /etc/subuid
+suda:231072:65536
+$ grep $(whoami) /etc/subgid
+suda:231072:65536
+$ newuidmap 3539 0 1001 1 1 231072 65536
+$ newgidmap 3539 0 1001 1 1 231072 65536
+```
+
+## Terminal 1:
+
+```
+unshared# buildkitd --root /home/suda/.local/share/buildkit --addr unix:///run/user/1001/buildkitd.sock --containerd-worker false --oci-worker-overlayfs=false  --root
+less
+```
+
+- On Ubuntu, no need to specify `--oci-worker-overlayfs` to `false`, as unprivileged overlayfs is supported: http://kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/fs/overlayfs?h=Ubuntu-4.13.0-25.29&id=0a414bdc3d01f3b61ed86cfe3ce8b63a9240eba7
+- containerd worker is not supported ( pending PR: https://github.com/containerd/containerd/pull/2006 )
+
+## Terminal 2:
+
+```
+$ go run ./examples/buildkit0 | buildctl --addr unix:///run/user/1001/buildkitd.sock build
+```
+
+- `apt` is not supported (pending PRs: https://github.com/opencontainers/runc/pull/1693 https://github.com/opencontainers/runc/pull/1692 )

executor/oci/rootless.go

@@ -0,0 +1,20 @@
+package oci
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/oci"
+	"github.com/opencontainers/runc/libcontainer/specconv"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// WithRootless sets the container to be rootless mode.
+// This function will be removed when containerd/containerd#2006 gets merged
+func WithRootless(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+	specconv.ToRootless(s)
+	// without removing CgroupsPath, runc fails:
+	// "process_linux.go:279: applying cgroup configuration for process caused \"mkdir /sys/fs/cgroup/cpuset/default: permission denied\""
+	s.Linux.CgroupsPath = ""
+	return nil
+}

executor/runcexecutor/executor.go

@@ -21,12 +21,17 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+type Opt struct {
+	Rootless bool // execute runc without root privileges
+}
+
 type runcExecutor struct {
+	Opt
 	runc *runc.Runc
 	root string
 }
 
-func New(root string) (executor.Executor, error) {
+func New(root string, opt *Opt) (executor.Executor, error) {
 	if err := exec.Command("runc", "--version").Run(); err != nil {
 		return nil, errors.Wrap(err, "failed to find runc binary")
 	}
@@ -48,7 +53,12 @@ func New(root string) (executor.Executor, error) {
 		Setpgid:      true,
 	}
 
+	var xopt Opt
+	if opt != nil {
+		xopt = *opt
+	}
 	w := &runcExecutor{
+		Opt:  xopt,
 		runc: runtime,
 		root: root,
 	}
@@ -98,7 +108,11 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 		return err
 	}
 	defer f.Close()
-	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, containerdoci.WithUIDGID(uid, gid))
+	specOpts := []containerdoci.SpecOpts{containerdoci.WithUIDGID(uid, gid)}
+	if w.Opt.Rootless {
+		specOpts = append(specOpts, oci.WithRootless)
+	}
+	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, specOpts...)
 	if err != nil {
 		return err
 	}

vendor.conf

@@ -26,6 +26,7 @@ github.com/containerd/console 84eeaae905fa414d03e07bcd6c8d3f19e7cf180e
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
 
 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
 github.com/docker/go-units v0.3.1