add seccomp profile, hooks dir override for containerd

[drahnr]

Allow to pass an explicit seccomp profile in json format, to override the default abilities for the worker.

This allows for a more fine gained control to, i.e. allow simplistic passthrough of GPUs and other worker specific devices.

For some devices, pre and post hooks are required to be used with i.e. containerd. The client has to pass these on. As such, the worker has to be instructed to pass them on to the container runtime. (WIP)

Changes proposed by this PR

ref #6912

• comply to all contributing guidelines
• add flag for seccomp filter override
• allow hooks dir override
• add a test case

Notes to reviewer

I am new to golang, if there are any idioms I am violating, happy to correct!

Release Note

• Adds a worker cli option to override the seccomp filter
• Adds a worker containerd cli option to pass on a oci hooks dir, for i.e. nvidia gpu mapping

[xtremerui]

Hi @drahnr , I have noticed the commit history is a bit messing up.

To fix it, the easiest way IMO is

• git checkout a new branch from latest master
• git cherry-pick your commits that related to this PR
• git push your new branch and create a PR from that

Later, if you want to get updates from master branch, you could

• git fetch master
• git rebase master into your working branch

[drahnr]

@xtremerui I am not sure why the unit and watsjs tests fail, to my knowledge the files I changed should not affect these checks. I can't seem to access the test result from the run when trying to login with my gh account. It's either errors or is loading indefinitely.

[xtremerui]

The error in unit test:

# github.com/concourse/concourse/worker/runtime
worker/runtime/backend_test.go:551:32: unexpected comma; expecting ]
FAIL	github.com/concourse/concourse/worker/runtime [setup failed]
FAIL

you can join contributors team in concourse/governance to view the build log

[drahnr]

@xtremerui I am not entirely sure what's happening, but the CI is gimping out on various, seemingly unrelated ends and I don't even know where to begin to debug.

[taylorsilva]

@drahnr In case you're still stuck, you can reproduce locally by running:

go test -v ./worker/runtime/spec

I got the same result as what's in CI

┌─[drahnr/master*][~/workspace/concourse/concourse]
└─▪ go test -v ./worker/runtime/spec
go: downloading github.com/stretchr/testify v1.8.0
=== RUN   TestSuite
=== RUN   TestSuite/TestContainerSpec
=== RUN   TestSuite/TestContainerSpec/defaults
=== RUN   TestSuite/TestContainerSpec/privileged_mounts
=== RUN   TestSuite/TestContainerSpec/env_with_path_already_configured
=== RUN   TestSuite/TestContainerSpec/mounts
=== RUN   TestSuite/TestContainerSpec/seccomp_is_not_empty_for_unprivileged
=== CONT  TestSuite
    spec_test.go:471:
                Error Trace:    /home/taylor/workspace/concourse/concourse/worker/runtime/spec/spec_test.go:471
                                                        /home/taylor/workspace/concourse/concourse/worker/runtime/spec/spec_test.go:526
                Error:          Should NOT be empty, but was &{ <nil> [] []   []}
                Test:           TestSuite
=== CONT  TestSuite/TestContainerSpec/seccomp_is_not_empty_for_unprivileged
    testing.go:1336: test executed panic(nil) or runtime.Goexit: subtest may have called FailNow on a parent test
=== CONT  TestSuite/TestContainerSpec
    testing.go:1336: test executed panic(nil) or runtime.Goexit: subtest may have called FailNow on a parent test
--- FAIL: TestSuite (0.00s)
    --- FAIL: TestSuite/TestContainerSpec (0.00s)
        --- PASS: TestSuite/TestContainerSpec/defaults (0.00s)
        --- PASS: TestSuite/TestContainerSpec/privileged_mounts (0.00s)
        --- PASS: TestSuite/TestContainerSpec/env_with_path_already_configured (0.00s)
        --- PASS: TestSuite/TestContainerSpec/mounts (0.00s)
        --- FAIL: TestSuite/TestContainerSpec/seccomp_is_not_empty_for_unprivileged (0.00s)
FAIL
FAIL    github.com/concourse/concourse/worker/runtime/spec      0.006s
FAIL

[taylorsilva]

Looks like your undo commit fixed all the unrelated stuff :)

[drahnr]

Sorry for the noise, new language (it's rather painful coming from rust).

How's the logging supposed to be implemented, the current fmt.Println is not ok I assume? I'd be very happy to get some input.

[drahnr]

@xtremerui / @taylorsilva I'd appreciate a review :)

[drahnr]

Gentle ping

[xtremerui]

@drahnr thx for the PR. Just want to make sure the feature is completely optional as we want to make v7.9 as a good upgrade for existing user without worring about behaviour changes.

[drahnr]

Just did another worker run, for both using the newly added flags and not using them. Either way works fine.

So as far as I can tell, this is fine to be merged. (I am still not convinced using println is the right appraoch, I'd be in need of some input here, otherwise good to go)

[drahnr]

Gentle ping

[drahnr]

Is there anything that's left or missing to do?

[xtremerui]

@drahnr So far it is just in pending for reviewing.

[xtremerui]

Thank you for the PR. Just some nits then we are good to go.

[xtremerui]

Not needed.

[drahnr]

The else case is needed, unless there is some lang feature I am not aware of? It's the only place where seccompProfile is initialized if no arg was given.

[xtremerui]

so if b.seccompProfilePath is not set, it will skip line 213 to 224, and exec line 225 and then line 228. That is the same as you remove line 224 and 226. Maybe I am not clear here in first place sorry about that.

I actually meant keeping line 225 while removing line 224 and 226.

[wailashi]

Wouldn't removing the else cause b.seccompProfile to always be set to the default?

[drahnr]

I agree with @wailashi see, next comment

[drahnr]

gentle 🎄 / ☃️ ping

[drahnr]

gentle ☃️ ping

[xtremerui]

Suggested change

	} else {
	b.seccompProfile = bespec.GetDefaultSeccompProfile()
	}
	b.seccompProfile = bespec.GetDefaultSeccompProfile()

[drahnr]

I do not understand the proposed changeset.

The if branch covers and fills b.seccompProfile from the provided path or fails, the else branch should fill it ( b.seccompProfile) with the default seccomp profile bspec.GetDefaultSeccompProfile().

If the else case is removed, it will override the loaded seccomp profile with the default one.

Either I do not understand the flow of go code, or I am missing some impl detail, right now I do not see how this would work and why the else branch is not needed. Could you clarify please?

[xtremerui]

oh my mistake here. I thought we either want to always set it to default or the provided one. If thats not the case then we are good here.

[drahnr]

We always want to set it either explicitly by loading from file, or using the default one. If you want to avoid the else branch we'd have to move b.seccompProfile = bespec.GetDefaultSeccompProfile() up before the if branch