Linux containers on FreeBSD

This allows running Linux containers on FreeBSD and modifies the
mounts so that they represent the linux emulated filesystems, as per:
https://wiki.freebsd.org/LinuxJails

Co-authored-by: Gijs Peskens <gijs@peskens.net>, Samuel Karp <samuelkarp@users.noreply.github.com>
Signed-off-by: Artem Khramov <akhramov@pm.me>

oci/spec_opts.go

@@ -377,6 +377,7 @@ func WithImageConfigArgs(image Image, args []string) SpecOpts {
 			return fmt.Errorf("unknown image config media type %s", ic.MediaType)
 		}
 
+		appendOSMounts(s, ociimage.OS)
 		setProcess(s)
 		if s.Linux != nil {
 			defaults := config.Env

oci/spec_opts_darwin.go

@@ -0,0 +1,25 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package oci
+
+import (
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func appendOSMounts(s *Spec, os string) error {
+	return nil
+}

oci/spec_opts_freebsd.go

@@ -0,0 +1,84 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package oci
+
+import (
+	"path/filepath"
+
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// appendOSMounts modifies the mount spec to mount emulated Linux filesystems on FreeBSD,
+// as per: https://wiki.freebsd.org/LinuxJails
+func appendOSMounts(s *Spec, os string) error {
+	// No-op for FreeBSD containers
+	if os != "linux" {
+		return nil
+	}
+	var mounts []specs.Mount
+	var (
+		haveProc  = false
+		haveDevFd = false
+	)
+	/* If the mounts exist, we modify them in place, to keep the current order
+	   otherwise we add them below the for-loop. The nosuid noexec options are
+	   for consistency with Linux mounts: on FreeBSD it is by default impossible
+	   to execute anything from these filesystems.
+	*/
+	for _, m := range s.Mounts {
+		path := filepath.Clean(m.Destination)
+		if path == "/proc" {
+			mounts = append(mounts, specs.Mount{
+				Destination: "/proc",
+				Type:        "linprocfs",
+				Source:      "linprocfs",
+				Options:     []string{"nosuid", "noexec"},
+			})
+			haveProc = true
+			continue
+		}
+		if path == "/dev/fd" {
+			m.Options = append(m.Options, "linrdlink")
+			haveDevFd = true
+		}
+		mounts = append(mounts, m)
+	}
+	if !haveProc {
+		mounts = append(mounts, specs.Mount{
+			Destination: "/proc",
+			Type:        "linprocfs",
+			Source:      "linprocfs",
+			Options:     []string{},
+		})
+	}
+
+	if !haveDevFd {
+		mounts = append(mounts, specs.Mount{
+			Destination: "/dev/fd",
+			Type:        "fdescfs",
+			Source:      "fdescfs",
+			Options:     []string{"linrdlink"},
+		})
+	}
+	mounts = append(mounts, specs.Mount{
+		Destination: "/sys",
+		Type:        "linsysfs",
+		Source:      "linsysfs",
+		Options:     []string{"nosuid", "noexec", "nodev"}})
+	s.Mounts = mounts
+	return nil
+}

oci/spec_opts_linux.go

@@ -203,3 +203,7 @@ func WithCDI(annotations map[string]string, cdiSpecDirs []string) SpecOpts {
 		return nil
 	}
 }
+
+func appendOSMounts(s *Spec, os string) error {
+	return nil
+}

oci/spec_opts_windows.go

@@ -115,3 +115,7 @@ func escapeAndCombineArgs(args []string) string {
 	}
 	return strings.Join(escaped, " ")
 }
+
+func appendOSMounts(s *Spec, os string) error {
+	return nil
+}

platforms/defaults_freebsd.go

@@ -0,0 +1,42 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"runtime"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+// Default returns the default matcher for the platform.
+func Default() MatchComparer {
+	return Ordered(DefaultSpec(), specs.Platform{
+		OS:           "linux",
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	})
+}

platforms/defaults_unix.go

@@ -1,5 +1,5 @@
-//go:build !windows && !darwin
-// +build !windows,!darwin
+//go:build !windows && !darwin && !freebsd
+// +build !windows,!darwin,!freebsd
 
 /*
    Copyright The containerd Authors.