
Replace sandbox entirely with OCI runtime and maybe a container manager #31

Closed
pxeger opened this issue Sep 17, 2021 · 2 comments
Labels: change (Minor tweak or modification that is neither a bug nor a feature), internal (Internal backend/infrastructure-related), no (Won't fix)

Comments

@pxeger
Member

pxeger commented Sep 17, 2021

At the moment we're using bwrap and a whole load of custom logic to sandbox execution. This can be drastically simplified by switching to an OCI-compliant runtime, which is essentially a standardised version of the kind of interface sandbox provides.

crun looks to be the most promising at the moment, as it is mature, fast, supports rootless mode, and cgroup v2 (see #5). In future we could consider using gvisor/runsc or even kata-containers for better sandboxing.

Is it worth using a container manager like podman, or can its functionality be replicated in the API?

I think Podman would be able to interface with Docker images directly, negating the need for either manual image extraction or another tool (#30). However, it also has a lot of stuff that might create too much setup complexity (it uses user namespaces by default which requires managing user/group ID mappings, and includes a lot of extraneous functionality). It also seems like it might be too slow (1.3s to run echo hello :/)

conmon (which is included with Podman) might also replace some or all of the functionality of our wrapper, but it also might not meet our needs and just add extra overhead.


Thank you to @RedwolfPrograms for his RTO prototype - it made me look into some of the more standard container tooling again in more detail, which I initially ignored as too complex when starting ATO.

@pxeger pxeger added the change and internal labels Sep 17, 2021
@pxeger pxeger self-assigned this Sep 17, 2021
@pxeger pxeger changed the title Replace sandbox entirely with OCI runtime and maybe Replace sandbox entirely with OCI runtime and maybe a container manager Sep 17, 2021
@pxeger
Member Author

pxeger commented Oct 27, 2021

Current plan:

  • use crun for sandboxing
  • don't use a container manager
  • use containers-storage for mounting images (command-line tool /usr/bin/containers-storage)
    • only mount once
    • mount as root
    • set ForceMask="shared" in /etc/containers/storage.conf to allow user to read mounted images
  • use skopeo to download images and copy them to the containers-storage backend
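
As an added example that is not ATO's code and not something the thread itself contains, here is the piece that both the opening comment's "switch to crun" idea and the plan above leave unstated: the OCI runtime spec (config.json) that crun consumes once containers-storage has mounted an image. The rootfs path, the resource limits, the denied-syscall list and the uid/gid mapping are all illustrative assumptions of this example, not values from the issue; `audit_spec` is a self-check for the hardening properties a code-execution sandbox should not silently lose. Note that in crun's rootless mode the cgroup resource limits here only take effect on cgroup v2 with delegation (the cgroup v2 dependency is what #5 tracks); under cgroup v1 the rlimits still apply but the memory/pids cgroup limits are skipped.

```python
"""Generate and sanity-check an OCI runtime spec (config.json) for crun.

Added example, not ATO's own code. It assumes a rootfs already mounted by
containers-storage at the path you pass in, and produces the bundle that
`crun run --bundle <dir> <name>` consumes.
"""
import json
from pathlib import Path

OCI_VERSION = "1.0.2"

# Syscalls a code-execution sandbox has no business making even though most
# already fail with an empty capability set (defense in depth).
# Assumption: this deny-list is ours, not crun's or the project's default.
DENIED_SYSCALLS = [
    "mount", "umount2", "pivot_root", "chroot", "ptrace", "process_vm_readv",
    "process_vm_writev", "kexec_load", "kexec_file_load", "reboot", "swapon",
    "swapoff", "init_module", "finit_module", "delete_module", "unshare",
    "setns", "keyctl", "add_key", "request_key", "bpf", "perf_event_open",
    "userfaultfd", "acct", "settimeofday", "clock_settime",
]


def build_spec(rootfs, argv, *, uid=1000, gid=1000, memory_bytes=256 << 20,
               pids=64, cpu_seconds=10, user_ns=None):
    """Return an OCI runtime spec dict running argv inside a read-only rootfs.

    user_ns: optional (host_uid, host_gid); when given, a user namespace is
    added that maps the container uid/gid onto those host ids, which is what
    crun needs when run rootless.
    """
    namespaces = [{"type": t} for t in
                  ("pid", "mount", "ipc", "uts", "network", "cgroup")]
    linux = {
        "namespaces": namespaces,
        "resources": {"memory": {"limit": memory_bytes}, "pids": {"limit": pids}},
        "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/timer_list",
                        "/proc/sched_debug", "/sys/firmware"],
        "readonlyPaths": ["/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys",
                          "/proc/sysrq-trigger"],
        "seccomp": {
            "defaultAction": "SCMP_ACT_ALLOW",
            "syscalls": [{"names": DENIED_SYSCALLS, "action": "SCMP_ACT_ERRNO"}],
        },
    }
    if user_ns is not None:
        host_uid, host_gid = user_ns
        namespaces.append({"type": "user"})
        linux["uidMappings"] = [{"containerID": uid, "hostID": host_uid, "size": 1}]
        linux["gidMappings"] = [{"containerID": gid, "hostID": host_gid, "size": 1}]
    no_caps = {k: [] for k in
               ("bounding", "effective", "permitted", "inheritable", "ambient")}
    return {
        "ociVersion": OCI_VERSION,
        "root": {"path": str(rootfs), "readonly": True},
        "hostname": "sandbox",
        "process": {
            "terminal": False,
            "user": {"uid": uid, "gid": gid},
            "args": list(argv),
            "env": ["PATH=/usr/local/bin:/usr/bin:/bin", "HOME=/tmp"],
            "cwd": "/tmp",
            "capabilities": no_caps,
            "noNewPrivileges": True,
            "rlimits": [
                {"type": "RLIMIT_CPU", "soft": cpu_seconds, "hard": cpu_seconds},
                {"type": "RLIMIT_NPROC", "soft": pids, "hard": pids},
                {"type": "RLIMIT_NOFILE", "soft": 1024, "hard": 1024},
            ],
        },
        "mounts": [
            {"destination": "/proc", "type": "proc", "source": "proc"},
            {"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
             "options": ["nosuid", "strictatime", "mode=755", "size=65536k"]},
            # Writable scratch space: nodev/nosuid but deliberately not noexec,
            # because the submitted program may compile and run its own binary.
            {"destination": "/tmp", "type": "tmpfs", "source": "tmpfs",
             "options": ["nosuid", "nodev", "size=64m"]},
        ],
        "linux": linux,
    }


def audit_spec(spec):
    """Return the hardening properties the spec is missing (empty list = OK)."""
    problems = []
    proc, linux = spec["process"], spec["linux"]
    if not spec["root"].get("readonly"):
        problems.append("rootfs is writable")
    if proc["user"]["uid"] == 0:
        problems.append("process runs as uid 0")
    if not proc.get("noNewPrivileges"):
        problems.append("noNewPrivileges unset (setuid binaries could regain privileges)")
    if any(proc["capabilities"].get(k) for k in proc["capabilities"]):
        problems.append("capabilities not fully dropped")
    have = {ns["type"] for ns in linux["namespaces"]}
    for ns in ("pid", "mount", "network"):
        if ns not in have:
            problems.append(f"missing {ns} namespace")
    for res in ("pids", "memory"):
        if "limit" not in linux.get("resources", {}).get(res, {}):
            problems.append(f"no {res} limit")
    return problems


def write_bundle(bundle_dir, spec):
    """Write config.json into bundle_dir; returns the path crun will read."""
    bundle = Path(bundle_dir)
    bundle.mkdir(parents=True, exist_ok=True)
    path = bundle / "config.json"
    path.write_text(json.dumps(spec, indent=2))
    return path


if __name__ == "__main__":
    # Placeholder rootfs path: substitute the mount point containers-storage
    # reports for the image.
    spec = build_spec("/path/to/mounted/rootfs", ["/bin/sh", "-c", "echo hello"])
    assert audit_spec(spec) == [], audit_spec(spec)
    print("wrote", write_bundle("./bundle", spec), "- now: crun run --bundle ./bundle demo")
```

Because the rootfs is mounted read-only and the only writable mount is a size-capped tmpfs, two runs of the same image cannot leave state for each other even without re-mounting, which is what makes the "only mount once" item in the plan above safe to combine with per-run containers.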

@pxeger pxeger mentioned this issue Oct 27, 2021
@pxeger pxeger removed their assignment Mar 2, 2022
@pxeger pxeger mentioned this issue Sep 17, 2022
@pxeger
Member Author

pxeger commented Sep 23, 2022

Obsoleted by #84

@pxeger pxeger closed this as not planned Sep 23, 2022
@pxeger pxeger added the no Won't fix label Sep 23, 2022