Remove nested container code

executor/runtime/docker/capabilities.go

@@ -37,7 +37,7 @@ func setupAdditionalCapabilities(c *runtimeTypes.Container, hostCfg *container.H
 	if err != nil {
 		return err
 	}
-	if fuseEnabled || c.TitusInfo.GetAllowNestedContainers() {
+	if fuseEnabled {
 		if _, ok := addedCapabilities[SYS_ADMIN]; !ok {
 			hostCfg.CapAdd = append(hostCfg.CapAdd, SYS_ADMIN)
 		}
@@ -55,14 +55,8 @@ func setupAdditionalCapabilities(c *runtimeTypes.Container, hostCfg *container.H
 		seccompProfile = "fuse-container.json"
 
 	}
-	// We can do this here because nested containers can do everything fuse containers can
-	if c.TitusInfo.GetAllowNestedContainers() {
-		apparmorProfile = "docker-nested"
-		seccompProfile = "nested-container.json"
-		c.Env["TINI_UNSHARE"] = trueString
-	}
 
-	if c.TitusInfo.GetAllowNestedContainers() || c.IsSystemD {
+	if c.IsSystemD {
 		// Tell Tini to exec systemd so it's pid 1
 		c.Env["TINI_HANDOFF"] = trueString
 	}

executor/runtime/docker/capabilities_test.go

@@ -6,7 +6,6 @@ import (
 	"github.com/Netflix/titus-executor/api/netflix/titus"
 	runtimeTypes "github.com/Netflix/titus-executor/executor/runtime/types"
 	"github.com/docker/docker/api/types/container"
-	"github.com/gogo/protobuf/proto"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -41,41 +40,3 @@ func TestFuseProfile(t *testing.T) {
 	assert.Len(t, hostConfig.SecurityOpt, 2)
 	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker-fuse")
 }
-
-func TestNestedContainerProfile(t *testing.T) {
-	c := runtimeTypes.Container{
-		Env: map[string]string{},
-		TitusInfo: &titus.ContainerInfo{
-			AllowNestedContainers: proto.Bool(true),
-		},
-	}
-	hostConfig := container.HostConfig{}
-
-	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
-
-	assert.Contains(t, hostConfig.CapAdd, "SYS_ADMIN")
-	assert.Len(t, hostConfig.CapDrop, 0)
-	assert.Len(t, hostConfig.SecurityOpt, 2)
-	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker-nested")
-
-}
-
-func TestFuseAndNestedContainerProfileProfile(t *testing.T) {
-	c := runtimeTypes.Container{
-		Env: map[string]string{},
-		TitusInfo: &titus.ContainerInfo{
-			AllowNestedContainers: proto.Bool(true),
-			PassthroughAttributes: map[string]string{
-				runtimeTypes.FuseEnabledParam: "true",
-			},
-		},
-	}
-	hostConfig := container.HostConfig{}
-
-	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
-
-	assert.Contains(t, hostConfig.CapAdd, "SYS_ADMIN")
-	assert.Len(t, hostConfig.CapDrop, 0)
-	assert.Len(t, hostConfig.SecurityOpt, 2)
-	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker-nested")
-}

executor/runtime/docker/docker.go

@@ -1713,10 +1713,6 @@ func (r *DockerRuntime) setupPostStartLogDirTiniHandleConnection2(parentCtx cont
 		return err
 	}
 
-	if err := setupContainerNesting(parentCtx, c, cred); err != nil {
-		log.Error("Unable to setup container nesting: ", err)
-		return err
-	}
 	/* This can be "broken" if the titus-executor crashes. The link will be dangling, and point to a
 	 * /proc/${PID}/fd/${FD}. It's not "bad", because Titus Task names should be unique
 	 */

executor/runtime/docker/docker_linux.go

@@ -13,13 +13,9 @@ import (
 	"time"
 	"unsafe"
 
-	"io/ioutil"
-	"strings"
-
 	"github.com/Netflix/titus-executor/config"
 	runtimeTypes "github.com/Netflix/titus-executor/executor/runtime/types"
 	"github.com/coreos/go-systemd/dbus"
-	"github.com/hashicorp/go-multierror"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -46,7 +42,6 @@ const (
 	sshdSystemdUnit            = "titus-sshd"
 	metricStartTimeout         = time.Minute
 	umountNoFollow             = 0x8
-	sysFsCgroup                = "/sys/fs/cgroup"
 )
 
 func getPeerInfo(unixConn *net.UnixConn) (ucred, error) {
@@ -186,39 +181,6 @@ func cleanupCgroups(cgroupPath string) error {
 	return nil
 }
 
-func setupContainerNesting(parentCtx context.Context, c *runtimeTypes.Container, cred ucred) error {
-	if !c.IsSystemD && !c.TitusInfo.GetAllowNestedContainers() {
-		return nil
-	}
-
-	cgroupPath := filepath.Join("/proc/", strconv.FormatInt(int64(cred.pid), 10), "cgroup")
-	cgroups, err := ioutil.ReadFile(cgroupPath) // nolint: gosec
-	if err != nil {
-		return err
-	}
-	var ret error
-	for _, line := range strings.Split(string(cgroups), "\n") {
-		cgroupInfo := strings.Split(strings.TrimSpace(line), ":")
-		if len(cgroupInfo) != 3 {
-			continue
-		}
-		controllerType := cgroupInfo[1]
-		if len(controllerType) == 0 {
-			continue
-		}
-		// This is to handle the name=systemd cgroup, we should probably parse /proc/mounts, but this is a little bit easier
-		controllerType = strings.TrimPrefix(controllerType, "name=")
-		controllerPath := cgroupInfo[2]
-		fsPath := filepath.Join(sysFsCgroup, controllerType, controllerPath)
-		err = os.Chown(fsPath, int(cred.uid), int(cred.gid))
-		if err != nil {
-			ret = multierror.Append(ret, err)
-		}
-	}
-
-	return ret
-}
-
 func setupOOMAdj(c *runtimeTypes.Container, cred ucred) error {
 	oomScore := 1000
 

executor/runtime/docker/docker_unsupported.go

@@ -38,10 +38,6 @@ func cleanupCgroups(cgroupPath string) error {
 	return errUnsupported
 }
 
-func setupContainerNesting(parentCtx context.Context, c *runtimeTypes.Container, cred ucred) error {
-	return errUnsupported
-}
-
 func setupOOMAdj(c *runtimeTypes.Container, cred ucred) error {
 	return errUnsupported
 }

executor/runtime/docker/seccomp/Makefile

@@ -2,6 +2,6 @@
 
 all: seccomp.go
 
-seccomp.go: default.json nested-container.json fuse-container.json
-	go-bindata -pkg seccomp -o seccomp.go default.json nested-container.json fuse-container.json
+seccomp.go: default.json fuse-container.json
+	go-bindata -pkg seccomp -o seccomp.go default.json fuse-container.json